The first malicious Outlook add-in seen in the wild exposes credentials and emails

Published. 5 min read.

A team of cybersecurity researchers has put an unusual but worrying case on the table: the detection of what, according to their findings, would be the first malicious add-in for Microsoft Outlook seen in the wild. The affected piece, an extension called AgreeTo, was no longer maintained by its developer, and that window was enough for an attacker to take over its remote infrastructure and turn the experience inside Outlook into a phishing trap.

To understand why this was possible, we need to review how Office extensions, or "add-ins", work. Unlike a packaged application that delivers all of its code at installation time, Outlook add-ins publish a manifest that points to a remote URL. Each time the user opens the add-in, Outlook loads the content returned by that URL into an iframe. This flexibility is useful for cloud updates and services, but it also means that the real behavior of the add-in depends entirely on what that server serves on each access. Microsoft describes this flow in its documentation on using add-ins for Outlook: https://support.microsoft.com/....


In the incident analyzed by the firm Koi Security, the add-in's manifest pointed to a URL hosted on Vercel that became available when the original developer removed the deployment after leaving the project. With that hostname free to claim, the attacker uploaded a phishing kit that presented a forged Microsoft login page. The credentials entered by victims were sent off the platform through the Telegram Bot API, and the victim was then redirected to Microsoft's legitimate page to cover the trail. According to the Koi researchers, this campaign would have obtained more than 4,000 stolen credentials; Koi details its findings in its technical report: https://www.koi.ai/blog/agreetos-....

The case is made more serious by the permissions with which the add-in was configured. The add-in in question requested the readWriteItem permission, which allows it to read and modify the user's emails from within Outlook. With that level of access, a malicious actor could have done much more than steal passwords: it would have been possible to exfiltrate entire mail messages or inject code for covert operations. Microsoft explains the scope of these authorizations in its add-in permissions guide: https://learn.microsoft.com/.../understanding-outlooks-add-in-permissions.

From the software supply chain point of view, the episode illustrates a structural vulnerability: marketplaces that allow dynamic dependencies are, by design, placing trust in artifacts that can change after an initial evaluation. Koi and industry experts have stressed that this is not unique to Outlook; similar patterns have been seen in browser extensions, npm packages and development environment plugins. The typical process, reviewing a manifest at publication time and granting approval, does not guarantee that the content served later is the same.

The containment measures proposed by the researchers combine technical controls with platform policies. These include mechanisms that detect deviations between the reviewed content and what the URL is actually returning at runtime, domain ownership validations to check that the original author still controls the infrastructure, and policies to flag or withdraw add-ins that receive no updates after long periods of abandonment. They also recommend increasing visibility by showing, for example, the number of installations, to help assess the scope of a possible incident.
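As an added example (not code from the page, from Koi Security or from Microsoft), the following Python script shows the manifest mechanism and the drift-detection control described above in miniature: it parses a constructed Office add-in manifest to pull out the remote SourceLocation URL and the declared permission level, then compares a hash of what that URL serves now against the hash recorded at review time, flagging both drift and high-privilege permissions. The manifest, the hostname example-addin.invalid and the fetch stand-ins are constructed; the element names and permission values follow the Office add-in manifest schema.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample manifest (not the AgreeTo manifest). It follows the Office
# add-in schema: SourceLocation is the remote URL that Outlook loads into an iframe.
SAMPLE_MANIFEST = """<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1">
  <DefaultSettings>
    <SourceLocation DefaultValue="https://example-addin.invalid/taskpane.html"/>
  </DefaultSettings>
  <Permissions>ReadWriteItem</Permissions>
</OfficeApp>"""
# Outlook permission levels that allow reading or modifying mail items.
HIGH_PERMISSIONS = {"ReadWriteItem", "ReadWriteMailbox"}

def parse_manifest(xml_text):
    """Return every SourceLocation URL and the declared permission level."""
    urls, permission = [], None
    for el in ET.fromstring(xml_text).iter():
        name = el.tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix
        if name == "SourceLocation" and el.get("DefaultValue"):
            urls.append(el.get("DefaultValue"))
        elif name == "Permissions":
            permission = (el.text or "").strip()
    return {"urls": urls, "permission": permission}

def snapshot(urls, fetch):
    """Hash what each URL serves right now; fetch(url) must return bytes."""
    return {u: hashlib.sha256(fetch(u)).hexdigest() for u in urls}

def assess(xml_text, approved, fetch):
    """Flag URLs whose served content no longer matches the review-time hash."""
    facts = parse_manifest(xml_text)
    current = snapshot(facts["urls"], fetch)
    drifted = [u for u, h in current.items() if approved.get(u) != h]
    return {
        "permission": facts["permission"],
        "high_privilege": facts["permission"] in HIGH_PERMISSIONS,
        "drifted_urls": drifted,
        "needs_rereview": bool(drifted),
    }

if __name__ == "__main__":
    # Constructed offline stand-ins for the page served at review time and later.
    url = "https://example-addin.invalid/taskpane.html"
    approved = snapshot([url], lambda u: b"<html>legit task pane</html>")
    # Later the same URL serves a login form: the hash no longer matches.
    print(assess(SAMPLE_MANIFEST, approved, lambda u: b"<html><form>login</form></html>"))
```

In a real deployment the fetch callable would be an HTTP client and the approved hashes would be stored from the marketplace review; a `needs_rereview` result is the signal to re-inspect or pull the add-in.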

Meanwhile, there are practical actions that users and administrators can take today to reduce the risk. Regularly reviewing the add-ins installed in Outlook, removing add-ins that are no longer used, limiting permissions to the minimum necessary and enabling account protections such as multi-factor authentication are common-sense measures that make life harder for attackers. For organizations, auditing third-party integrations and applying access and monitoring controls around highly privileged accounts helps mitigate the impact if a credential is leaked.


This event is also a wake-up call for marketplace operators: approving a manifest once does not replace the need for continuous monitoring of what the external URLs serve afterwards. Shared responsibility between developers, platforms and users is key to containing this type of risk in services that depend on dynamic remote content. Microsoft requires developers to create an account and submit their solution to the Partner Center process for initial review, but the challenge now is to complement that gatekeeping with permanent controls; the guide to submitting solutions to AppSource explains part of the publication flow: https://learn.microsoft.com/.../submit-to-appsource-via-partner-center.

Finally, it should be recalled that the techniques used by this attacker (phishing hosted on infrastructure claimed after abandonment, exfiltration through public APIs such as Telegram's Bot API at https://core.telegram.org/bots/api, and redirection to legitimate pages to avoid detection) are already known tactics, but applied here to a new surface: the Outlook add-in ecosystem. The findings published by Koi and the coverage by specialized media are an invitation to rethink how remote components are managed in marketplaces and to demand more transparency and continuous controls on these platforms. To read Koi's analysis and dig deeper into the technique used, their report is worth reading: Koi Security's report.

If you are responsible for IT or manage business accounts, take this as a practical reminder: review and tighten third-party integrations today, and ask the operators of your preferred marketplaces to adopt continuous controls. The convenience of add-ins should not become a back door for information theft.
