AgreeToSteal: First Malicious Outlook Add In Abuses Microsoft Marketplace Trust

Du'aine Davis · 2026-02-13T12:02:56+00:00

Observed in the wild * In February, Koi Security disclosed AgreeToSteal, the first known malicious Microsoft Outlook add‑in in the wild. A legitimate but abandoned scheduling add‑in (“AgreeTo”), originally published in December 2022, was hijacked, leading to the theft of over 4,000 Microsoft account credentials (and some…

Du'aine Davis

Observed in the wild

In February, Koi Security disclosed AgreeToSteal, the first known malicious Microsoft Outlook add‑in in the wild. A legitimate but abandoned scheduling add‑in (“AgreeTo”), originally published in December 2022, was hijacked, leading to the theft of over 4,000 Microsoft account credentials (and some payment data) from unsuspecting Outlook users worldwide.
An unknown threat actor claimed an orphaned Vercel URL referenced in the add‑in’s Microsoft‑approved manifest. Because Outlook add‑ins load live web content, the attacker silently replaced the UI with a fake Microsoft login page inside Outlook, exfiltrating credentials via a Telegram bot and redirecting victims to the real login to reduce suspicion, without re‑submitting anything to Microsoft.
Organisations are advised to audit and remove unused Outlook add‑ins, monitor for anomalous sign‑in behaviour, enforce MFA, and rotate credentials for affected users. Use Microsoft Defender for Office 365 and Defender for Identity to detect suspicious authentication patterns, token misuse, and risky add‑in permissions, and restrict add‑ins to approved publishers via tenant controls.

AgreeToSteal: The First Malicious Outlook Add-In Leads to 4,000 Stolen Credentials

Find more posts tagged with

Threat Landscape

Sign in to participate and unlock exclusive content 🔓

It looks like you're new here! Sign in or register to be able to comment, access member-only content and follow the spaces relevant to you.

Comments

Du'aine Davis

When Trusted Extensions Turn Hostile: The Extension Marketplace Supply‑Chain Risk
Observed in the wild

A legitimate Chrome extension (QuickLens, ~7,000 users, Google‑featured) was sold via an extension marketplace in October 2025, then weaponised after an ownership change. In February, a silent update transformed it into a remote code execution platform affecting all users, highlighting systemic risk posed by extension resale rather than a one‑off compromise.
An anonymous buyer acquired a trusted extension with an existing user base, added new permissions, stripped browser security headers, and used a hidden 1×1 pixel to load C2‑delivered JavaScript on every page. This supply‑chain model exploits user trust, auto‑updates, and extension marketplaces as an initial access vector.
Organisations are advised to inventory and control browser extensions, monitor permission changes, and treat ownership or publisher changes as high‑risk events. Use Microsoft Defender for Endpoint to detect anomalous browser behaviour (e.g. header stripping, injected scripts, unusual network calls) and enforce policies limiting unsanctioned extensions across endpoints

Pixel Perfect: Sold Extension Injects Code Through Pixel | Annex Blog

See what's trending

Click on a tag to discover all the published content related to it.