Malicious Outlook Add-In Discovered Stealing Thousands of Microsoft Credentials

By Tina Reynolds

Cybersecurity researchers from Check Point have discovered what is described as the first known malicious Microsoft Outlook add-in operating in the wild. The AgreeTo add-in was available through the Microsoft Marketplace until 2/12/2026, when it was removed for its malicious behaviour. An attacker used this technique to compromise a domain associated with a valid but abandoned add-in. They then built a bogus Microsoft login page and stole more than 4,000 user credentials.

The add-in used the Telegram Bot API to exfiltrate the stolen data, underscoring a worrying trend in cyber threats. It had last been updated in December 2022. Microsoft reviews initial submissions thoroughly, but an add-in’s content is served live from the developer’s servers, so what users actually load can change after the review without being examined again.
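The exfiltration channel described above is something a defender can look for in egress telemetry. The following is an added example, not code from the article or from Check Point or Koi: it scans constructed web-proxy log lines (the log format, process names and IP addresses are assumptions made for the example) and flags requests to the Telegram Bot API, rating them higher when they originate from an Office process such as Outlook. The bot token portion of the URL is deliberately not copied into the finding.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample proxy log (not taken from the article).
# Assumed format: "<timestamp> <client-ip> <process> <method> <url> <status> <bytes>"
SAMPLE_PROXY_LOG = """\
2026-02-10T09:14:02Z 10.0.4.21 OUTLOOK.EXE GET https://addin.example/taskpane.html 200 5123
2026-02-10T09:14:05Z 10.0.4.21 OUTLOOK.EXE POST https://api.telegram.org/bot123456789:EXAMPLE_TOKEN_PLACEHOLDER/sendMessage 200 412
2026-02-10T09:15:11Z 10.0.4.37 chrome.exe GET https://web.telegram.org/ 200 88211
2026-02-10T09:16:40Z 10.0.4.21 OUTLOOK.EXE GET https://login.microsoftonline.com/common/oauth2/v2.0/authorize 200 3301
2026-02-10T09:17:01Z 10.0.4.52 winword.exe POST https://api.telegram.org/bot987654321:ANOTHER_PLACEHOLDER/sendDocument 200 20480
2026-02-10T09:18:22Z 10.0.4.60 python.exe POST https://api.telegram.org/bot555:PLACEHOLDER/getUpdates 200 300
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<proc>\S+) (?P<method>\S+) "
    r"(?P<url>\S+) (?P<status>\d+) (?P<bytes>\d+)$"
)
# Telegram Bot API requests have the shape https://api.telegram.org/bot<token>/<method>
TELEGRAM_BOT_RE = re.compile(r"^https://api\.telegram\.org/bot[^/]+/(?P<method>\w+)")
# Processes that host Office add-ins; a bot-API call from one of these is the strongest signal.
OFFICE_PROCESSES = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe"}


@dataclass
class Finding:
    ts: str
    ip: str
    proc: str
    api_method: str   # Telegram method called, e.g. sendMessage / sendDocument
    bytes_sent: int
    severity: str     # "high" for Office processes, "medium" for anything else


def scan_proxy_log(text: str) -> List[Finding]:
    """Return one Finding per request to the Telegram Bot API, in log order."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip malformed lines rather than crash
        t = TELEGRAM_BOT_RE.match(m["url"])
        if not t:
            continue                      # web.telegram.org etc. are not the bot API
        office = m["proc"].lower() in OFFICE_PROCESSES
        findings.append(Finding(
            ts=m["ts"], ip=m["ip"], proc=m["proc"],
            api_method=t["method"], bytes_sent=int(m["bytes"]),
            severity="high" if office else "medium",
        ))
    return findings


def high_severity_hosts(findings: List[Finding]) -> List[str]:
    """Distinct client IPs with a high-severity finding, for triage."""
    seen: List[str] = []
    for f in findings:
        if f.severity == "high" and f.ip not in seen:
            seen.append(f.ip)
    return seen


if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{f.severity:6} {f.ts} {f.ip} {f.proc} -> {f.api_method} ({f.bytes_sent} bytes)")
```

In a real deployment the same rule would run against the proxy or firewall export rather than an embedded string, and the medium-severity hits would be tuned to whatever legitimate bot integrations the organisation actually uses.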

Exploiting Trust and Abandonment

Idan Dardikman, co-founder and CTO of Koi, noted that this incident illustrates a significant shift in supply chain attack vectors. The AgreeTo case adds a troubling new dimension: the original developer had no malicious intent and did nothing wrong. They built a plausible product and then abandoned it. Dardikman explained, “The attack exploited the gap between when a developer abandons a project and when the platform notices.”

This reality highlights a persistent flaw in any marketplace—or any public forum—that allows dynamic content. Once an add-in is approved, it is usually trusted from then on, even though that trust may not be deserved in the long term.

Implications for Security

The ramifications of such attacks are especially troubling for Office add-ins. Dardikman stressed that these tools run inside Outlook, where people conduct their most sensitive conversations. Add-ins can request permission to read and modify a user’s email, and because they are distributed through Microsoft’s own store, the danger is greatly increased.

“What makes Office add-ins particularly concerning is the combination of factors: they run inside Outlook, where users handle their most sensitive communications,” Dardikman stated. “They can request permissions to read and modify emails, and they’re distributed through Microsoft’s own store, which carries implicit trust.”

He went on to say that this event is part of a broader pattern: the same problem has appeared in other distribution channels, including browser extensions and npm packages.

“This is the same class of attack we’ve seen in browser extensions, npm packages, and IDE plugins: a trusted distribution channel where the content can change after approval,” he said.

Recommendations for Mitigation

Koi Security has put forward a number of actions for Microsoft to take in response to these threats. The recommendations aim to make the review process more robust and to reduce the risk to users from abandoned or compromised add-ins.

Dardikman pointed out that Microsoft has clear mechanisms for this: they can trigger a re-review whenever an add-in’s URL starts serving content that differs from what was examined during the original review. Reacting after the fact, he continued, is not enough; stronger steps must be taken to protect all users.

The structural problem, he stated, is the same across every marketplace that hosts remote, dynamic dependencies: approve once, trust forever. Office add-ins are a unique breed, unlike traditional software.
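The re-review trigger proposed above (content at the add-in’s URL no longer matching what was reviewed) and the “approve once, trust forever” problem can be addressed with a content-drift check like the one below. This is an added example, not Microsoft’s review tooling or any code from Koi or Check Point. It parses a constructed Office add-in manifest (a hypothetical add-in, not AgreeTo’s real manifest), collects the HTTPS locations the manifest points Outlook at, records a SHA-256 snapshot of each at review time, and later reports any location whose served bytes have changed or that can no longer be fetched. Fetching is abstracted behind a callable so the example runs offline against constructed content; the domain `addin.example` and the content strings are assumptions.

```python
import hashlib
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List

# Constructed Office add-in manifest for a hypothetical add-in (not AgreeTo's).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
           xmlns:bt="http://schemas.microsoft.com/office/officeappbasictypes/1.0"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="MailApp">
  <Id>00000000-0000-0000-0000-000000000000</Id>
  <Version>1.0.0.0</Version>
  <DisplayName DefaultValue="Example Scheduler"/>
  <FormSettings>
    <Form xsi:type="ItemRead">
      <DesktopSettings>
        <SourceLocation DefaultValue="https://addin.example/taskpane.html"/>
      </DesktopSettings>
    </Form>
  </FormSettings>
  <Permissions>ReadWriteItem</Permissions>
  <Resources>
    <bt:Urls>
      <bt:Url id="Taskpane.Url" DefaultValue="https://addin.example/taskpane.html"/>
      <bt:Url id="Commands.Url" DefaultValue="https://addin.example/commands.html"/>
    </bt:Urls>
  </Resources>
</OfficeApp>
"""

Fetcher = Callable[[str], bytes]   # url -> response body; raises on failure

# Constructed bodies "served" at review time and again at a later check.
REVIEWED_CONTENT: Dict[str, bytes] = {
    "https://addin.example/taskpane.html": b"<html><body><h1>Example Scheduler</h1><script src='taskpane.js'></script></body></html>",
    "https://addin.example/commands.html": b"<html><body><script src='commands.js'></script></body></html>",
}
LATER_CONTENT: Dict[str, bytes] = {
    "https://addin.example/taskpane.html": b"<html><body><h1>Example Scheduler</h1><!-- constructed: changed after review --></body></html>",
    "https://addin.example/commands.html": REVIEWED_CONTENT["https://addin.example/commands.html"],
}


def extract_content_urls(manifest_xml: str) -> List[str]:
    """Collect distinct HTTPS locations from SourceLocation and bt:Url elements, in document order."""
    root = ET.fromstring(manifest_xml)
    urls: List[str] = []
    for el in root.iter():
        local = el.tag.rsplit("}", 1)[-1]          # strip the XML namespace
        if local in ("SourceLocation", "Url"):
            value = el.get("DefaultValue", "")
            if value.startswith("https://") and value not in urls:
                urls.append(value)
    return urls


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot(urls: List[str], fetch: Fetcher) -> Dict[str, str]:
    """Record the hash of every served location at review time."""
    return {u: sha256_hex(fetch(u)) for u in urls}


def check_drift(baseline: Dict[str, str], urls: List[str], fetch: Fetcher) -> List[str]:
    """URLs whose content differs from the reviewed snapshot, is new, or can no longer be fetched.
    A fetch failure is treated as drift: an abandoned or re-registered domain must not stay trusted."""
    drifted: List[str] = []
    for u in urls:
        try:
            current = sha256_hex(fetch(u))
        except Exception:
            drifted.append(u)
            continue
        if baseline.get(u) != current:
            drifted.append(u)
    return drifted


def run_demo() -> List[str]:
    """Review-time snapshot, then a later check against changed content."""
    urls = extract_content_urls(SAMPLE_MANIFEST)
    baseline = snapshot(urls, REVIEWED_CONTENT.__getitem__)
    return check_drift(baseline, urls, LATER_CONTENT.__getitem__)


if __name__ == "__main__":
    for url in run_demo():
        print("re-review required:", url)
```

Any hit would queue the add-in for re-review rather than block it outright, since legitimate updates also change the hash; the point is that a change, or the disappearance of the domain, ends the implicit trust granted at first approval instead of carrying it forward indefinitely.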