A dormant Microsoft Outlook add-in has been weaponized by attackers to steal thousands of login credentials and credit card numbers.
The incident, identified by security researchers as the first known malicious Office add-in found in the wild, exposed a critical flaw in how Microsoft distributes third-party tools.
The “Zombie” App
In 2022, a developer published “AgreeTo,” a legitimate meeting scheduling tool, to the Microsoft Office Add-in Store.
The project was eventually abandoned, and its hosting domain expired.
Because Office add-ins are not installed code but rather web pages loaded inside Outlook (via an iframe), they rely on live URLs.
The AgreeTo add-in pointed to a subdomain on Vercel (outlook-one.vercel.app). When the developer deleted their project, that subdomain became available for anyone to claim.
An attacker simply registered it and instantly gained control over what every existing user saw inside their Outlook sidebar.

The Attack Mechanism
Microsoft’s security review process checks the add-in’s “manifest” (a settings file) only upon initial submission.
Since the manifest for AgreeTo was approved in 2022, Microsoft did not re-verify the add-in when the content behind the URL changed.
Instead of a scheduling tool, the attacker deployed a fake Microsoft sign-in page. When users opened the add-in, they were prompted to log in.

The malicious script captured their emails, passwords, and IP addresses, sending the data directly to the attacker via a Telegram bot.
Security researchers at Koi Security discovered the operation and accessed the attacker’s exfiltration channel. They recovered data from over 4,000 victims, including:
- Microsoft account credentials
- Credit card numbers
- Banking security answers.
The attackers were actively testing these stolen credentials when the breach was discovered.
While Microsoft has since removed the add-in from the store, the attacker’s phishing infrastructure remained active outside the store.
This attack highlights a major architectural weakness in modern software supply chains. Office add-ins act as “remote dynamic dependencies”.
Unlike a downloaded file that stays the same, an add-in’s content can change at any moment without Microsoft’s knowledge.
The AgreeTo manifest had ReadWriteItem permissions, granting it the ability to read and modify users’ emails.
While the attackers only used a simple phishing page, they technically had access to silently read inboxes or send emails on behalf of victims.
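As an added defender-side example (not code from the article, Koi Security or Microsoft), the script below parses an Office add-in manifest, lists every remote URL it loads and flags those hosted on re-registrable platform subdomains or requesting mailbox-wide permissions. The hosting-suffix list and the sample manifest are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Hosting suffixes where deleting a project frees its subdomain for anyone to claim
# (constructed list; vercel.app is the case described in the article).
CLAIMABLE_SUFFIXES = ("vercel.app", "netlify.app", "github.io")

# Permission levels that go beyond the single item the user is looking at.
RISKY_PERMISSIONS = {"ReadWriteItem", "ReadWriteMailbox"}

def audit_manifest(xml_text, claimable_suffixes=CLAIMABLE_SUFFIXES):
    """Return the remote URLs a manifest loads, its requested permission,
    and a list of findings a reviewer should look at."""
    root = ET.fromstring(xml_text)
    urls = set()
    permission = None
    for el in root.iter():
        tag = el.tag.split("}")[-1]          # strip the XML namespace prefix
        if tag == "Permissions":
            permission = (el.text or "").strip()
        # SourceLocation, IconUrl, bt:Url etc. all carry DefaultValue attributes
        val = el.get("DefaultValue", "")
        if val.startswith(("http://", "https://")):
            urls.add(val)
    findings = []
    for url in sorted(urls):
        host = urlparse(url).hostname or ""
        if any(host == s or host.endswith("." + s) for s in claimable_suffixes):
            findings.append(f"{url}: loaded from a re-registrable platform subdomain ({host})")
        if url.startswith("http://"):
            findings.append(f"{url}: plaintext HTTP")
    if permission in RISKY_PERMISSIONS:
        findings.append(f"permission {permission}: can read and modify mail, not just display a pane")
    return {"urls": sorted(urls), "permission": permission, "findings": findings}

# Constructed manifest modelled on the shape of an Outlook add-in manifest (placeholder Id).
SAMPLE_MANIFEST = """<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
           xmlns:bt="http://schemas.microsoft.com/office/officeappbasictypes/1.0">
  <Id>00000000-0000-0000-0000-000000000000</Id>
  <DisplayName DefaultValue="Example Scheduler"/>
  <IconUrl DefaultValue="https://example-scheduler.vercel.app/icon.png"/>
  <DefaultSettings>
    <SourceLocation DefaultValue="https://example-scheduler.vercel.app/index.html"/>
  </DefaultSettings>
  <Permissions>ReadWriteItem</Permissions>
</OfficeApp>"""

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST)["findings"]:
        print(finding)
```

Run it against a real manifest by passing the file contents to `audit_manifest`; a live check that the listed hosts still resolve to the original owner is a separate step the script deliberately leaves out so it runs offline.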