A ‘Dead’ Outlook Add-in Just Phished 4,000 Microsoft Office Users

John E. Dunn

A basic URL trick enabled the very first detected malicious add-in to circumvent a flawed approval system.

Credit: Shutterstock

Security researchers have uncovered how a hacker exploited a vulnerability in Microsoft’s app and add-in marketplace, seizing control of a discarded Outlook add-in to launch phishing scams that affected 4,000 individuals.

AgreeTo, a meeting scheduling application initially launched in 2022, was later abandoned by its creator. However, it remained available on Microsoft’s platform even after its developer ceased support.

Spotting its inactive status, a cybercriminal commandeered the defunct add-in, leveraging its 4.71-star rating to execute a phishing scheme. The firm that exposed the incident, Koi Security, a specialist in plug-in security, subsequently revealed that this campaign had successfully pilfered thousands of Microsoft account credentials.

Was this a sophisticated plot orchestrated by an advanced adversary? On the contrary, Koi Security reported that the takeover was surprisingly simple, made possible by flaws in Microsoft’s add-in submission process for its marketplace.

Developers only need to provide a straightforward XML manifest to Microsoft, outlining the add-in’s name, description, download URL, and required permissions.

Crucially, no actual code is uploaded for vetting. AgreeTo’s manifest, for instance, contained only a link to a subdomain, outlook-one.vercel.app, hosted on the Vercel development platform, where the software itself resided.

As stated by Koi Security researchers, “Microsoft examines and approves the manifest, then lists the add-in in its store. However, the true substance – including the user interface and underlying logic – is retrieved directly from the developer’s server each time the add-in is activated.”
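The review gap described above can be checked for from the defender's side: the manifest is the only artifact the store sees, so an auditor can read the same manifest, pull out every remote host the add-in loads code from, and flag hosts on platforms where a released subdomain can be re-registered by anyone. The following is an added example, not code from Koi Security or Microsoft; the `SourceLocation` and `Permissions` elements are standard Office add-in manifest elements, while the sample manifest and the list of claimable hosting suffixes are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Hosting platforms where a released subdomain can be re-registered by anyone.
# Assumed list for illustration; extend it to match your environment.
CLAIMABLE_SUFFIXES = (".vercel.app", ".github.io", ".azurewebsites.net",
                      ".herokuapp.com", ".netlify.app")
# Manifest permissions that let the fetched code read or modify mail.
MAIL_ACCESS_PERMS = {"ReadWriteMailbox", "ReadWriteItem", "ReadItem"}

# Constructed sample manifest (not AgreeTo's real one); the store vets this
# file, but the add-in's code is whatever SourceLocation serves at runtime.
SAMPLE_MANIFEST = """<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1">
  <Id>00000000-0000-0000-0000-000000000000</Id>
  <DisplayName DefaultValue="Example Scheduler"/>
  <Description DefaultValue="Constructed example add-in"/>
  <DefaultSettings>
    <SourceLocation DefaultValue="https://example-scheduler.vercel.app/index.html"/>
  </DefaultSettings>
  <Permissions>ReadWriteMailbox</Permissions>
</OfficeApp>
"""


def audit_manifest(xml_text: str) -> dict:
    """Collect remote hosts and permissions; flag hosts an attacker could claim."""
    root = ET.fromstring(xml_text)
    hosts, perms = set(), set()
    for el in root.iter():  # namespace-agnostic walk over every element
        tag = el.tag.rsplit("}", 1)[-1]
        url = el.get("DefaultValue", "")
        if tag in ("SourceLocation", "Url") and url.startswith("http"):
            hosts.add(urlparse(url).hostname or "")
        elif tag == "Permissions" and el.text:
            perms.add(el.text.strip())
    findings = [f"claimable host: {h}" for h in sorted(hosts)
                if h.endswith(CLAIMABLE_SUFFIXES)]
    if findings and perms & MAIL_ACCESS_PERMS:
        findings.append("mailbox permissions granted to code served from a claimable host")
    return {"hosts": sorted(hosts), "permissions": sorted(perms), "findings": findings}


if __name__ == "__main__":
    for line in audit_manifest(SAMPLE_MANIFEST)["findings"]:
        print("WARNING:", line)
```

Run against the manifests of add-ins deployed in a tenant, the findings list is the set of add-ins whose code a third party could replace without any store re-review.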

Exploiting an Abandoned URL

The attacker secured the discarded subdomain, thereby gaining command over the content referenced by the initial manifest’s URL. This legitimate link was then redirected to a phishing kit, which included a counterfeit Microsoft login page designed to harvest passwords, a data exfiltration script, and a redirection mechanism. Furthermore, the original manifest had already bestowed upon the attacker privileges to access and alter emails.

Koi Security explained, “The perpetrators didn’t submit anything new to Microsoft, nor did they undergo any review process. They didn’t even create a new store entry; the listing was already present – vetted, signed, and distributed by Microsoft. The attacker merely took over an unclaimed URL, and Microsoft’s own systems completed the exploit.”

Koi Security reported that the stolen credentials and the IP addresses of the victims were automatically relayed to the attacker using a straightforward Telegram bot, eliminating the need for an intricate command-and-control setup.

Gaining access to this malicious infrastructure, the researchers found that 4,000 individuals had been ensnared by the attacker’s phishing operation. Koi Security subsequently reached out to all these victims to alert them about their compromised credentials.

Koi Security also noted that the same attacker managed 12 distinct phishing kits, masquerading as numerous banks and webmail services. Information pilfered from these deceptive sites encompassed credit card details, CVVs, PINs, banking security questions for Interac e-Transfer payments, and, naturally, login passwords.

The AgreeTo takeover highlighted a fundamental flaw in Microsoft’s add-in distribution model: the store vets a manifest that simply points to a URL, and whatever that URL later serves is trusted. As Koi Security highlighted, this means “an add-in deemed safe on Monday could deliver a phishing page by Tuesday – or, as demonstrated here, even years down the line. Microsoft inspects the manifest during initial submission, yet the underlying content can be altered at any point without subsequent scrutiny.”

Remarkably, this vulnerability had already been identified in 2019 by another security firm, MDSec. AgreeTo is thought to be the first malicious Outlook add-in detected on the Microsoft Marketplace, which may explain why stricter URL verification was never introduced after that earlier research.

Effective February 12, the AgreeTo add-in has been removed from the Microsoft Marketplace. Users who still have AgreeTo installed are strongly advised to uninstall it immediately and to change their Microsoft account passwords.

Furthermore, a distinct AgreeTo extension for Chrome ceased functionality in 2024, with Google ultimately removing it in February 2025.
