Hackers Hijack Outlook Add-In to Steal 4,000+ Microsoft Accounts
A legitimate Outlook add-in listed in Microsoft’s marketplace was hijacked and transformed into a phishing kit, resulting in thousands of stolen Microsoft credentials.
Security researchers at Koi Security report that the AgreeTo Outlook add-in was compromised after a threat actor took control of an abandoned hosting URL. The incident reportedly led to the theft of more than 4,000 Microsoft account credentials, along with additional sensitive data.
Legit Outlook add-in abused to steal Microsoft credentials
AgreeTo originally launched as a legitimate meeting scheduling tool developed by an independent publisher. Microsoft had listed it in the Office Add-in Store since December 2022.
Office add-ins are not served from Microsoft's infrastructure. An add-in is essentially a manifest that tells Outlook which developer-hosted URLs to load into its task pane, so whoever controls those URLs controls what the user sees. In AgreeTo's case, the manifest pointed at a Vercel-hosted domain: outlook-one.vercel.app.
After the original developer abandoned the project and the URL was released, a threat actor claimed the orphaned address and replaced its content with a phishing kit. Microsoft reviews and signs the add-in manifest at submission time, but it does not continuously re-verify the content served from the URLs that manifest points to, so the swapped-in page went unnoticed while the marketplace listing stayed intact.
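To make that gap concrete, here is an added example (not code from the article, from Koi Security, or from the AgreeTo add-in) that parses an Office add-in manifest, lists every developer-hosted URL it points Outlook at, and flags task-pane sources that sit on hosting platforms where a deleted project's subdomain can be re-registered by anyone. The manifest below is constructed for illustration; only the hostname outlook-one.vercel.app comes from the article, and the list of reclaimable hosting suffixes is an assumption to adapt to your own watchlist.

```python
"""Audit an Office add-in manifest for the developer-hosted URLs it loads.

Added example. The manifest is constructed; the GUID is a placeholder.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Hosting platforms whose subdomains become free for re-registration once a
# project is deleted. Assumption for this example; extend for your environment.
RECLAIMABLE_SUFFIXES = ("vercel.app", "netlify.app", "github.io",
                        "herokuapp.com", "pages.dev")

# Manifest elements whose URL is loaded as a page (task pane / function file).
# VersionOverrides uses bt:Url for icons too; over-flagging those is preferred
# to missing a code source.
CODE_ELEMENTS = {"SourceLocation", "Url"}

SAMPLE_MANIFEST = """
<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:type="MailApp">
  <Id>00000000-0000-0000-0000-000000000000</Id>
  <Version>1.0.0.0</Version>
  <ProviderName>Example Publisher</ProviderName>
  <DefaultLocale>en-US</DefaultLocale>
  <DisplayName DefaultValue="Example Scheduler"/>
  <Description DefaultValue="Constructed manifest for the audit example"/>
  <IconUrl DefaultValue="https://outlook-one.vercel.app/icon-64.png"/>
  <SupportUrl DefaultValue="https://example.com/support"/>
  <AppDomains>
    <AppDomain>https://login.microsoftonline.com</AppDomain>
  </AppDomains>
  <Hosts><Host Name="Mailbox"/></Hosts>
  <Requirements><Sets><Set Name="Mailbox" MinVersion="1.1"/></Sets></Requirements>
  <FormSettings>
    <Form xsi:type="ItemRead">
      <DesktopSettings>
        <SourceLocation DefaultValue="https://outlook-one.vercel.app/index.html"/>
        <RequestedHeight>250</RequestedHeight>
      </DesktopSettings>
    </Form>
  </FormSettings>
  <Permissions>ReadWriteItem</Permissions>
</OfficeApp>
"""


def _is_reclaimable(host: str) -> bool:
    """True when the host is a subdomain of a re-registrable hosting platform."""
    return any(host == s or host.endswith("." + s) for s in RECLAIMABLE_SUFFIXES)


def audit_manifest(manifest_xml: str) -> list[dict]:
    """Return one finding per distinct absolute URL referenced in the manifest.

    URLs appear either as a DefaultValue attribute (SourceLocation, IconUrl,
    bt:Url ...) or as element text (AppDomain). Each finding records which
    element carried it, whether that element loads page content, and whether
    the host is on a reclaimable platform.
    """
    root = ET.fromstring(manifest_xml)
    findings, seen = [], set()
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]  # strip the XML namespace prefix
        values = [el.attrib.get("DefaultValue", "")]
        if el.text:
            values.append(el.text.strip())
        for value in values:
            if not value.startswith(("http://", "https://")) or value in seen:
                continue
            seen.add(value)
            host = urlparse(value).hostname or ""
            findings.append({
                "url": value,
                "element": tag,
                "loads_code": tag in CODE_ELEMENTS,
                "reclaimable_host": _is_reclaimable(host),
            })
    return findings


def risky_findings(findings: list[dict]) -> list[dict]:
    """Code-loading URLs on a host that could have changed hands."""
    return [f for f in findings if f["loads_code"] and f["reclaimable_host"]]


if __name__ == "__main__":
    results = audit_manifest(SAMPLE_MANIFEST)
    for f in results:
        print(f"{f['element']:<15} {f['url']}  code={f['loads_code']} "
              f"reclaimable={f['reclaimable_host']}")
    for f in risky_findings(results):
        print("RISK: task-pane content served from re-registrable host:", f["url"])
```

The check is point-in-time, which is exactly the weakness the incident exposes: a manifest that passed this audit (or Microsoft's review) when it was submitted says nothing about what the host serves a year later. Treat a flagged SourceLocation as a prompt to confirm who currently controls the domain, and re-run the audit on a schedule rather than once.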
Fake Microsoft login inside Outlook
According to Koi researchers, the compromised add-in displayed a fake Microsoft sign-in page within Outlook’s sidebar. The page closely mimicked the legitimate Microsoft login interface to capture credentials.
After victims entered their details, the add-in redirected them to the real Microsoft login page to reduce suspicion. Researchers say attackers actively tested stolen credentials and also collected credit card numbers and banking security answers in some cases.
The malicious version reportedly remained available in the Microsoft Store until it was removed today.
First confirmed Marketplace malware case
Koi researchers describe the incident as the first confirmed malware campaign hosted through Microsoft’s official Marketplace and the first malicious Outlook add-in detected in the wild.
The operator behind the campaign allegedly runs at least a dozen other phishing kits, suggesting a broader infrastructure designed for credential harvesting.
Users who still have AgreeTo installed should remove the add-in immediately. Anyone who entered credentials into it should reset their Microsoft account password, enable multi-factor authentication, and review recent sign-in and account activity for anything suspicious.
The incident follows other recent security concerns in Microsoft’s ecosystem, including phishing campaigns abusing SharePoint and a recently patched Notepad vulnerability that allowed remote script execution.
In separate news, Exchange Online has reportedly been incorrectly flagging legitimate emails as phishing attempts. Microsoft has acknowledged the issue and is currently working on a fix.
Microsoft had not issued a public statement at the time of reporting.
Via BleepingComputer