AgreeTo: the Outlook add-in that became a phishing kit and stole thousands of credentials


A few days ago, a disturbing incident showed how easily the chain of trust in mail extensions can break when a project is "orphaned." A legitimate Outlook add-in called AgreeTo, originally created to make scheduling meetings easier, was hijacked and turned into a phishing kit that, according to the investigation, collected more than 4,000 Microsoft account credentials, as well as sensitive data such as card numbers and answers to security questions.

It was not a bug in Outlook, but a consequence of the way Office add-ins work: these add-ins are basically web pages hosted on the developer's servers and loaded inside Microsoft's client. Microsoft reviews the add-in manifest at the time of publication and signs it, but, with few exceptions, there is no continuous control over the content that the manifest's URL serves once the add-in has been published. The official documentation explains how these add-ins are integrated and why their content can come from any external server: this is part of the Office Add-ins architecture.


In the case of AgreeTo, the original developer published the add-in in December 2022 and used a URL hosted on Vercel. Over time the application was abandoned and the domain associated with that deployment became available to claim. A malicious actor took the opportunity to point the URL at a set of pages designed to fool the user: a replica of Microsoft's login page, a page to collect passwords, a script to send that data to the attacker and a redirect to the legitimate page to disguise the theft.

The exfiltration mechanism was surprisingly direct: the stolen data was sent through the Telegram Bot API, a channel that Koi Security researchers managed to locate and use to confirm the scale of the attack. Through that access, analysts found that the operators had collected thousands of credentials and were also actively testing the stolen accounts to verify their validity. The technical report of the team that discovered the incident contains the full findings and analysis of the phishing kit: Koi Security: AgreeTo investigation.

The news was picked up by specialized media, which have pointed to the scope and uniqueness of the case: according to reports, it could be the first documented instance of a malicious add-in operating from the official Microsoft store and exploiting the implicit trust that users place in the marketplace. Among other coverage, BleepingComputer reported on the research and the initial reaction.

From a technical point of view, the add-in retained permissions that would have allowed it to read and modify messages (ReadWriteItem). Although Koi found no evidence that the actor used them to manipulate mail or create forwarding rules, merely holding these permissions increases the risk: a malicious extension able to modify the mailbox could steal additional information or open persistent access routes into a compromised account.
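The three points above (the manifest only pins a URL, that URL's host can be abandoned and reclaimed, and the manifest also declares the permission level) can be checked together from the manifest file. The script below is an added example, not code from the article, from AgreeTo or from Microsoft: it reads an Office add-in XML manifest, lists every host the add-in loads content from, tests whether each name still resolves (and, optionally, what it serves), and reports the requested permission. It assumes a manifest path passed as `-ManifestPath`, Windows PowerShell 5.1 or PowerShell 7 on Windows for `Resolve-DnsName`, and the XML manifest format the article describes rather than the newer JSON "unified" manifest.

```powershell
# Added example (not from the article, AgreeTo or Microsoft): audit an Office
# add-in XML manifest for the hosts it loads code from and the permission it asks for.
# Usage: .\Audit-AddInManifest.ps1 -ManifestPath .\manifest.xml -CheckHttp
param(
    [Parameter(Mandatory)] [string] $ManifestPath,
    [switch] $CheckHttp
)

[xml]$manifest = Get-Content -LiteralPath $ManifestPath -Raw

# Permission level declared in the manifest: Restricted, ReadItem,
# ReadWriteItem or ReadWriteMailbox. The last two let the hosted page modify mail.
$permission = [string]$manifest.OfficeApp.Permissions
Write-Output "Requested permission: $permission"
if ($permission -in 'ReadWriteItem', 'ReadWriteMailbox') {
    Write-Warning 'This add-in can modify mail items; its hosting URLs deserve the same scrutiny as an internal service.'
}

# Collect every http(s) URL anywhere in the manifest: SourceLocation, IconUrl,
# <bt:Url DefaultValue="..."> entries under VersionOverrides, and AppDomain text.
$urls = foreach ($node in $manifest.SelectNodes('//@* | //text()')) {
    $value = $node.Value.Trim()
    if ($value -match '^https?://') { $value }
}
$hosts = $urls | ForEach-Object { ([uri]$_).Host } | Where-Object { $_ } | Sort-Object -Unique

foreach ($h in $hosts) {
    $dns = 'resolves'
    try { $null = Resolve-DnsName -Name $h -ErrorAction Stop }
    catch { $dns = 'NO DNS ANSWER (dangling name)' }

    $http = 'not checked'
    if ($CheckHttp) {
        # On shared hosting platforms the name keeps resolving after the project is
        # deleted, so DNS alone is not enough: look at what the host actually serves.
        try {
            $r = Invoke-WebRequest -Uri "https://$h/" -Method Head -UseBasicParsing -TimeoutSec 10
            $http = "HTTP $($r.StatusCode)"
        } catch {
            $code = $_.Exception.Response.StatusCode
            $http = if ($code) { "HTTP $([int]$code)" } else { "unreachable: $($_.Exception.Message)" }
        }
    }
    [pscustomobject]@{ Host = $h; Dns = $dns; Http = $http }
}
```

A host that no longer resolves is the classic dangling-name signal, but this case shows the weaker variant: the name still resolved because it sat on a shared platform, and what had lapsed was ownership of the project behind it. That is why the optional HTTP check matters: a platform-level "not found" page for a URL your organization's add-ins depend on should be treated as a finding, and the same script run periodically (not just at install time) is the continuous control the article says marketplaces currently lack.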

How was the situation exploited? The flow of the scam was simple and effective. When a user opened the extension in the Outlook side bar, instead of the expected scheduling interface, a form appeared that looked like the real Microsoft authentication screen. When they entered their credentials, these were sent to the attacker-controlled server and the victim was then redirected to the real login page, so that the behaviour seemed legitimate and the user did not immediately suspect anything.

The attackers also showed a pattern: Koi Security points out that the operator behind this kit manages multiple collections of phishing pages aimed at service providers, banks and webmail. This suggests a recurring business model based on reusable kits that are deployed wherever an opportunity arises, and in this case the opportunity arose because an approved add-in was left unmaintained and its URL was claimed.

What did Microsoft and the researchers do? Koi analysts detected the activity, accessed the exfiltration channel and documented the extent of the theft. After the disclosure, Microsoft removed the add-in from the store. It is important to remember that quickly withdrawing an add-in does not automatically repair the already compromised accounts; that is why communicating the findings and recommendations to users is critical in these cases.

If you have the AgreeTo extension installed in your Outlook or suspect that your account might have been affected, act quickly. First, remove the add-in and change your Microsoft account password. Enable multifactor authentication (MFA) if you have not already done so: this additional protection strongly reduces the usefulness of stolen credentials. Microsoft explains how MFA works and why it is an essential barrier: more about multifactor authentication. It is also advisable to review recent sign-in activity, close open sessions and check whether there are forwarding rules or suspicious permissions in the mailbox.


This case leaves several clear lessons for users and platforms. Extension marketplaces should improve their continuous controls over the content served by an approved URL, especially when that URL changes owner or the developer stops maintaining it. For users, caution means limiting permissions to what is strictly necessary, distrusting login forms embedded in sites or applications where you did not expect them, and using unique passwords together with a password manager and MFA. For administrators and security officers, it is essential to regularly audit the extensions installed in corporate environments and to implement policies that prevent the installation of add-ins not vetted by the IT department.
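The per-user steps in the previous section (remove the add-in, then look for forwarding rules) and the audit this paragraph asks of administrators are the same job done tenant-wide. The script below is an added example, not code from the article, from Koi Security or from Microsoft: using Exchange Online PowerShell it finds every user mailbox that has the add-in installed, optionally removes it, and then lists mailbox-level forwarding and inbox rules that forward, redirect or delete mail on those mailboxes. It assumes the ExchangeOnlineManagement module and an Exchange administrator account; the article gives the add-in's name but not its AppId, so the display name is used as the lookup key.

```powershell
# Added example (not from the article, Koi Security or Microsoft): hunt a named
# add-in across every user mailbox in a Microsoft 365 tenant, optionally remove
# it, and report forwarding settings on the mailboxes that had it installed.
# Usage: .\Hunt-AddIn.ps1 -AddInName 'AgreeTo'           (report only)
#        .\Hunt-AddIn.ps1 -AddInName 'AgreeTo' -Remove   (also uninstall it)
param(
    [string] $AddInName = 'AgreeTo',   # display-name match; AppId is not given in the article
    [switch] $Remove
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$affected = @()
foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    # Get-App -Mailbox lists the add-ins installed for that user; add-ins deployed
    # centrally for the whole tenant are listed separately with Get-App -OrganizationApp.
    $hits = Get-App -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -like "*$AddInName*" }
    foreach ($app in $hits) {
        Write-Output ('{0}: {1} (AppId {2}, Enabled={3})' -f $mbx.UserPrincipalName, $app.DisplayName, $app.AppId, $app.Enabled)
        if ($Remove) {
            Remove-App -Identity $app.AppId -Mailbox $mbx.UserPrincipalName -Confirm:$false
        }
    }
    if ($hits) { $affected += $mbx }
}

# Uninstalling the add-in does not revoke a password that was already phished, so
# check each affected mailbox for the persistence an attacker with mail access
# typically leaves: mailbox-level forwarding and inbox rules that forward,
# redirect or silently delete messages.
foreach ($mbx in $affected) {
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        Write-Warning ('{0}: mailbox forwarding set to {1} {2}' -f $mbx.UserPrincipalName, $mbx.ForwardingSmtpAddress, $mbx.ForwardingAddress)
    }
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } }, Name, Enabled, ForwardTo, RedirectTo, DeleteMessage
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it first without `-Remove` to get the inventory, and keep the list of affected users: they are the ones who need the password reset and MFA enrolment described above, because removing the add-in only closes the door for the next victim, not for the credentials already taken. Any forwarding or deletion rule the second loop reports should be reviewed with the user before it is deleted, since the rule's target address is often the only remaining clue about where the stolen mail went.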

If you want to go into the technical details of the attack, the Koi Security investigation offers a detailed analysis of the kit and its indicators of compromise. To understand how the API the attackers used to exfiltrate data works, Telegram's official documentation on bots and their API clarifies why that channel was chosen: Telegram Bot API. And if you need to manage add-ins for an organization, Microsoft has guides on how to control and remove add-ins in Microsoft 365 environments: managing add-ins in Microsoft 365.

In short, the AgreeTo episode is a reminder that security does not end when software is published in an official store: continuous oversight, by both platforms and users, is essential if the add-in ecosystem is to remain useful and safe. If you have doubts about the concrete steps to take after a possible exposure, consult official support or your security team and prioritize cutting off immediate access by changing passwords and enabling MFA.
