Microsoft Store Outlook add-in hijacked to steal 4,000 Microsoft accounts

Microsoft Store Outlook add-in hijacked to steal 4,000 Microsoft accounts

By Bill Toulas
Publication Date: 2026-02-11 21:53:00

The AgreeTo add-in for Outlook has been hijacked and turned into a phishing kit that stole more than 4,000 Microsoft account credentials.

Originally a legitimate meeting scheduling tool for Outlook users, the module was developed by an independent publisher and has been on the Microsoft Office Add-in Store since December 2022.

Office add-ins are just URLs pointing to content loaded into Microsoft products from the developer’s server. In the case of AgreeTo, the developer used a Vercel-hosted URL (outlook-one.vercel.app) but abandoned the project, despite the userbase it formed.

Wiz

However, the add-in continued to be listed on Microsoft’s store, and a threat actor claimed its orphaned URL to plant a phishing kit.

AgreeTo add-in on Microsoft Marketplace
AgreeTo add-in on Microsoft Marketplace
Source: Koi Security

According to researchers at supply-chain security company Koi say that the threat actor taking over the project deployed a fake Microsoft sign-in page, a password collection page, an…