By The Hacker News
Publication Date: 2026-02-11 17:45:00
Cybersecurity researchers have discovered what they said is the first known malicious Microsoft Outlook add-in detected in the wild.
In this unusual supply chain attack detailed by Koi Security, an unknown attacker claimed the domain associated with a now-abandoned legitimate add-in to serve a fake Microsoft login page, stealing over 4,000 credentials in the process. The activity has been codenamed AgreeToSteal by the cybersecurity company.
The Outlook add-in in question is AgreeTo, which is advertised by its developer as a way for users to connect different calendars in a single place and share their availability through email. The add-in was last updated in December 2022.
Idan Dardikman, co-founder and CTO of Koi, told The Hacker News that the incident represents a broadening of supply chain attack vectors.
“This is the same class of attack we’ve seen in browser extensions, npm packages, and IDE plugins: a trusted distribution channel where the content can change after…