A recently uncovered cybersecurity incident has revealed a malicious attack carried out through a trusted Microsoft Outlook add-in — one that managed to steal more than 4,000 Microsoft account credentials, along with credit card information and banking security answers.
The add-in in question, called AgreeTo, was originally developed as a legitimate meeting scheduling tool that integrated with Outlook and other calendar services. Designed to make it easier for users to coordinate availability and appointments, AgreeTo once enjoyed a modest user base and favorable reception.
How a Legitimate Tool Became a Phishing Vector
The incident highlights a significant supply-chain weakness in how Office add-ins operate. Unlike traditional software that is bundled and delivered as compiled code, Outlook add-ins are essentially manifests — small XML files that tell Outlook to load a specific web URL inside its interface. Once Microsoft reviews and signs the manifest, the add-in becomes available in the Office Store.
Crucially, Microsoft does not continuously re-verify what that URL serves after initial approval. This created a dangerous gap: when AgreeTo’s backend URL (hosted on Vercel) expired after the developer abandoned the project, a cybercriminal seized the opportunity to claim that same URL. From that point on, Outlook users loading the AgreeTo add-in were unwittingly loading a malicious phishing kit.
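The mechanism described above can be audited from the defender's side: an add-in manifest is just XML, so every remote location it tells Outlook to load can be pulled out and checked. The script below is an added example (not code from the page, from Microsoft, or from the AgreeTo project) that extracts each http(s) URL from a manifest and reports hosts that no longer resolve, which is the state a name is in just before someone else can register it. The manifest, hostnames and `resolver` hook are constructed for the example; the element and attribute names (`SourceLocation`, `AppDomain`, `bt:Url`, `DefaultValue`) follow the Office add-in XML schema.

```python
import socket
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample in the Office add-in XML manifest schema. It is not
# AgreeTo's manifest; the hostnames are reserved example domains.
SAMPLE_MANIFEST = """<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:bt="http://schemas.microsoft.com/office/officeappbasictypes/1.0"
  xsi:type="MailApp">
  <Id>00000000-0000-4000-8000-000000000000</Id>
  <Version>1.0.0.0</Version>
  <ProviderName>Constructed Example</ProviderName>
  <DefaultLocale>en-US</DefaultLocale>
  <DisplayName DefaultValue="Example Scheduler"/>
  <Description DefaultValue="Constructed sample, not a real add-in"/>
  <IconUrl DefaultValue="https://scheduler.example.com/icon-64.png"/>
  <SupportUrl DefaultValue="https://scheduler.example.com/support"/>
  <AppDomains>
    <AppDomain>https://auth.example.org</AppDomain>
  </AppDomains>
  <Hosts><Host Name="Mailbox"/></Hosts>
  <FormSettings>
    <Form xsi:type="ItemRead">
      <DesktopSettings>
        <SourceLocation DefaultValue="https://scheduler.example.com/taskpane.html"/>
        <RequestedHeight>250</RequestedHeight>
      </DesktopSettings>
    </Form>
  </FormSettings>
  <Permissions>ReadWriteItem</Permissions>
  <VersionOverrides xmlns="http://schemas.microsoft.com/office/mailappversionoverrides"
                    xsi:type="VersionOverridesV1_0">
    <Resources>
      <bt:Urls>
        <bt:Url id="Taskpane.Url" DefaultValue="https://scheduler.example.com/taskpane.html"/>
        <bt:Url id="Commands.Url" DefaultValue="https://old-backend.example.net/commands.html"/>
      </bt:Urls>
    </Resources>
  </VersionOverrides>
</OfficeApp>
"""


def _local_name(tag):
    # ElementTree reports tags as '{namespace}Name'; the manifest mixes several namespaces.
    return tag.rsplit("}", 1)[-1]


def extract_remote_urls(manifest_xml):
    """Every http(s) URL the manifest points Outlook at, in document order, deduplicated.

    Any DefaultValue attribute holding a URL counts (SourceLocation, bt:Url, IconUrl,
    SupportUrl, ...), plus the text of <AppDomain> elements."""
    root = ET.fromstring(manifest_xml)
    found = []
    for elem in root.iter():
        candidates = [elem.get("DefaultValue")]
        if _local_name(elem.tag) == "AppDomain":
            candidates.append((elem.text or "").strip())
        for value in candidates:
            if value and urlparse(value).scheme in ("http", "https") and value not in found:
                found.append(value)
    return found


def remote_hosts(manifest_xml):
    """Distinct hostnames behind the manifest's URLs, in first-seen order."""
    hosts = []
    for url in extract_remote_urls(manifest_xml):
        host = urlparse(url).hostname
        if host and host not in hosts:
            hosts.append(host.lower())
    return hosts


def audit_manifest(manifest_xml, resolver=socket.gethostbyname):
    """Map each remote host to True if it still resolves, False if it does not.

    `resolver` is injectable so the audit can run offline; it should return an
    address, or return None / raise OSError when the name does not resolve."""
    status = {}
    for host in remote_hosts(manifest_xml):
        try:
            status[host] = resolver(host) is not None
        except OSError:
            status[host] = False
    return status


def dangling_hosts(manifest_xml, resolver=socket.gethostbyname):
    """Hosts the add-in depends on that nobody currently answers for."""
    return sorted(h for h, ok in audit_manifest(manifest_xml, resolver).items() if not ok)


if __name__ == "__main__":
    for host, ok in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{'ok      ' if ok else 'DANGLING'} {host}")
```

A name that fails to resolve is only the loudest signal: a hostname that has already been re-registered by someone else resolves normally, and platform subdomains are often answered by a wildcard record whether or not a deployment exists behind them. Treat a dangling host as a must-fix and pair the DNS check with a baseline of what each URL actually serves.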
The Phishing Operation
Once the attacker controlled the backend URL, they deployed a simple four-page phishing kit that impersonated Microsoft’s real sign-in page. When users opened the add-in in Outlook and were prompted to log in, they saw what appeared to be a legitimate Microsoft authentication screen. In reality, the credentials they entered were captured and sent directly to the attacker via a Telegram bot, along with associated IP address data. After that, users were seamlessly redirected to the real Microsoft login page, leaving them unaware that their information had been compromised.
Researchers investigating the campaign were able to access the attacker’s poorly secured Telegram channel and recover over 4,000 stolen Microsoft account credentials — including email addresses and passwords. Disturbingly, the haul also contained credit card numbers, CVVs, banking PINs, and security answers, suggesting this was part of a larger phishing network targeting multiple brands, including banks and internet service providers.
Why This Case Matters
Security experts say this incident underscores a broader problem with remote dependencies in modern software ecosystems. Because Outlook add-ins load code dynamically over the web, what users execute inside their Outlook client may change over time — even years after the add-in was first approved. The attacker didn’t need to send a suspicious email or lure users with trickery; instead, they leveraged Microsoft’s own trusted infrastructure to deliver the malicious content from a seemingly legitimate source.
Moreover, the permissions granted to AgreeTo when it was legitimate — including the ability to read and modify email — could have allowed far deeper abuses, such as covertly harvesting inbox contents or automating phishing emails directly from the victim’s account.
Immediate Steps for Users
If you installed the AgreeTo add-in at any point since May 2023, cybersecurity experts recommend taking the following precautions:
- Uninstall the add-in from Outlook if it is still present.
- Change your Microsoft account password immediately.
- Update passwords on any other accounts that used the same or similar login credentials.
- Review your recent sign-in activity for any unfamiliar logins or locations.
- Check your email settings for unauthorized rules or forwarding settings.
- Monitor all financial statements for unusual transactions or unauthorized payment activity.
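The "check your email settings for unauthorized rules or forwarding" step is the one most people skip, because a mailbox can have dozens of rules. The script below is an added example (not from the page or from any vendor) that scores an exported rule list and a mailbox's forwarding settings for the patterns that matter after credential theft: mail forwarded or redirected outside the organisation, rules that delete or hide messages about passwords and sign-ins, and mailbox-level forwarding. The sample data is constructed; the field names are assumed to follow the shape of Microsoft Graph `messageRule` objects and of Exchange's `Get-Mailbox` forwarding properties, so adapt `_addresses` and `forwarding_findings` to whatever your export actually looks like.

```python
# Constructed sample export. Field names follow the shape of Microsoft Graph
# messageRule objects (an assumption about the export format; nothing here is
# data from the incident).
SAMPLE_RULES = [
    {"displayName": "Newsletters", "isEnabled": True,
     "conditions": {"fromAddresses": [{"emailAddress": {"address": "news@example.com"}}]},
     "actions": {"moveToFolder": "AAMk-newsletters", "stopProcessingRules": False}},
    {"displayName": "Sync", "isEnabled": True,
     "conditions": {},
     "actions": {"forwardTo": [{"emailAddress": {"address": "archive@example.net"}}],
                 "markAsRead": True}},
    {"displayName": "Clean up", "isEnabled": True,
     "conditions": {"subjectContains": ["password", "security alert", "new sign-in"]},
     "actions": {"delete": True, "markAsRead": True, "stopProcessingRules": True}},
]
# Constructed mailbox record shaped like Exchange's Get-Mailbox forwarding fields (assumed).
SAMPLE_MAILBOX = {"ForwardingAddress": None,
                  "ForwardingSmtpAddress": "smtp:backup@example.net",
                  "DeliverToMailboxAndForward": True}

INTERNAL_DOMAINS = {"example.com"}  # your own mail domains; constructed here
SENSITIVE_TERMS = ("password", "security", "sign-in", "verification", "bank", "invoice")


def _addresses(recipients):
    return [r["emailAddress"]["address"].lower() for r in (recipients or [])]


def _external(addresses, internal_domains):
    return [a for a in addresses if a.rsplit("@", 1)[-1] not in internal_domains]


def rule_findings(rule, internal_domains=INTERNAL_DOMAINS):
    """Reasons a rule looks like persistence or cover-up; an empty list means it looks benign."""
    actions = rule.get("actions") or {}
    conditions = rule.get("conditions") or {}
    reasons = []
    # 1. Anything that sends a copy of mail outside the organisation.
    for key in ("forwardTo", "forwardAsAttachmentTo", "redirectTo"):
        external = _external(_addresses(actions.get(key)), internal_domains)
        if external:
            reasons.append(f"{key} sends mail outside the organisation: {', '.join(external)}")
    # 2. Rules keyed on security-related wording that then delete or hide the message,
    #    which is how a password-reset or new-sign-in notice gets kept from the owner.
    matched = sorted({term
                      for key in ("subjectContains", "bodyContains", "bodyOrSubjectContains")
                      for phrase in conditions.get(key, [])
                      for term in SENSITIVE_TERMS if term in phrase.lower()})
    if actions.get("delete"):
        reasons.append("deletes matching mail"
                       + (f" mentioning {', '.join(matched)}" if matched else ""))
    elif actions.get("moveToFolder") and matched:
        reasons.append(f"moves mail mentioning {', '.join(matched)} out of the inbox")
    return reasons


def audit_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """(name, enabled, reasons) for every rule with at least one finding."""
    flagged = []
    for rule in rules:
        reasons = rule_findings(rule, internal_domains)
        if reasons:
            flagged.append((rule.get("displayName", "<unnamed>"), rule.get("isEnabled", True), reasons))
    return flagged


def forwarding_findings(mailbox, internal_domains=INTERNAL_DOMAINS):
    """Mailbox-level forwarding to an external address, with or without a local copy."""
    reasons = []
    for key in ("ForwardingAddress", "ForwardingSmtpAddress"):
        value = mailbox.get(key)
        if not value:
            continue
        address = value.split(":", 1)[-1].lower()  # strip an "smtp:" prefix if present
        if _external([address], internal_domains):
            mode = ("a copy of all mail" if mailbox.get("DeliverToMailboxAndForward")
                    else "all mail (nothing stays in the inbox)")
            reasons.append(f"{key} forwards {mode} to {address}")
    return reasons


if __name__ == "__main__":
    for name, enabled, reasons in audit_rules(SAMPLE_RULES):
        print(f"[{'enabled' if enabled else 'disabled'}] {name}: {'; '.join(reasons)}")
    for reason in forwarding_findings(SAMPLE_MAILBOX):
        print(f"[mailbox] {reason}")
```

Disabled rules are still reported: an attacker who has lost interactive access can re-enable one later, and a rule you did not create has no business being there in any state.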
Broader Lessons
This case should be a wake-up call for software marketplaces that host remote-content add-ins and extensions. While initial review processes weed out obviously malicious submissions, continuous monitoring of hosted content is necessary to mitigate the risk of after-the-fact compromise — especially when developers abandon their projects.
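The continuous monitoring the previous paragraph calls for, and the "remote dependencies can change years later" point made under Why This Case Matters, both come down to the same check: record what each of an add-in's URLs serves at approval time, then re-fetch on a schedule and alert when the content changes or when the page starts loading from or submitting to a host the baseline never saw. The script below is an added example (not from the page, from Microsoft, or from any marketplace) that does exactly that over two constructed snapshots; the URLs, markup and hostnames are invented, and `fetch_from` is an offline stand-in for an HTTP GET that you would replace with a real client.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed snapshots of what an add-in's remote pages served at two points in
# time. URLs, markup and hostnames are invented for the example.
OLD_PAGES = {
    "https://scheduler.example.com/taskpane.html": b"""<html><head>
      <script src="/app.js"></script></head><body>
      <form action="/api/slots" method="post"><button>Find a time</button></form>
      </body></html>""",
    "https://scheduler.example.com/commands.html":
        b"<html><body><script src='/commands.js'></script></body></html>",
}
NEW_PAGES = {
    # Same page, now submitting to a host the baseline has never seen.
    "https://scheduler.example.com/taskpane.html": b"""<html><head>
      <script src="/app.js"></script></head><body>
      <form action="https://collector.example.net/submit" method="post"></form>
      </body></html>""",
    # commands.html is gone: fetching it now fails.
}


def fetch_from(pages):
    """Offline stand-in for an HTTP GET; returns bytes or raises OSError."""
    def fetch(url):
        if url not in pages:
            raise OSError(f"{url}: not found")
        return pages[url]
    return fetch


class _HostCollector(HTMLParser):
    """Collect the hostnames of everything a page loads or submits to."""
    WATCH = {"script": "src", "iframe": "src", "img": "src", "link": "href", "form": "action"}

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        attr = self.WATCH.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                host = urlparse(urljoin(self.base_url, value)).hostname
                if host:
                    self.hosts.add(host.lower())


def referenced_hosts(html, base_url):
    parser = _HostCollector(base_url)
    parser.feed(html)
    parser.close()
    return parser.hosts


def fingerprint(body):
    return hashlib.sha256(body).hexdigest()


def build_baseline(urls, fetcher):
    """Snapshot taken at review time: content hash plus the hosts each page talks to."""
    baseline = {}
    for url in urls:
        body = fetcher(url)
        baseline[url] = {"sha256": fingerprint(body),
                         "hosts": referenced_hosts(body.decode("utf-8", "replace"), url)}
    return baseline


def check_drift(baseline, fetcher):
    """Re-fetch each URL and classify it as unchanged, changed or unreachable,
    listing any hosts that are new relative to the baseline."""
    report = {}
    for url, expected in baseline.items():
        try:
            body = fetcher(url)
        except OSError:
            report[url] = {"status": "unreachable", "new_hosts": set()}
            continue
        hosts = referenced_hosts(body.decode("utf-8", "replace"), url)
        status = "unchanged" if fingerprint(body) == expected["sha256"] else "changed"
        report[url] = {"status": status, "new_hosts": hosts - expected["hosts"]}
    return report


def needs_review(report):
    """URLs whose serving state no longer matches what was approved."""
    return sorted(url for url, r in report.items() if r["status"] != "unchanged")


if __name__ == "__main__":
    baseline = build_baseline(list(OLD_PAGES), fetch_from(OLD_PAGES))
    for url, r in check_drift(baseline, fetch_from(NEW_PAGES)).items():
        print(f"{r['status']:<11} {url}  new hosts: {sorted(r['new_hosts']) or '-'}")
```

A bare hash change is noisy for any actively maintained add-in, so the signal worth paging on is the combination: content changed and a new external host appeared, or a URL that used to answer has stopped answering, since that is the window in which an expired name can be claimed.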
For end users and organizations alike, the incident is a reminder that even trusted platforms can be co-opted into attack chains, and that regular account hygiene — like using unique passwords and multifactor authentication — remains essential in defending against credential theft.
