Researchers have documented the inaugural instance of a deleterious Microsoft Outlook extension proliferating through the official Office Add-in Store. The focal point of this incursion is AgreeTo, a legacy scheduling utility. While the original developers bear no culpability, the abandonment of the project allowed an adversary to commandeer the linked subdomain and transmute the add-in into a potent phishing engine embedded directly within the Outlook interface.
AgreeTo emerged in 2022 as a sophisticated solution for meeting coordination, featuring a Chrome extension and an Outlook add-in. The project appeared exemplary, boasting a high user rating, a public TypeScript repository, and integrations with the Microsoft Graph API, Google Calendar, and Stripe. However, development stagnated following a final update in May 2023. As the agreeto.app domain lapsed, the Chrome iteration was purged from its respective store in early 2025, yet the Outlook add-in persisted within Microsoft’s ecosystem.
The fundamental architecture of Office add-ins facilitated this exploitation. Unlike traditional software, these modules do not reside locally as fixed code. Instead, developers submit an XML manifest—a blueprint detailing permissions and a remote URL intended for rendering within Outlook’s side panel. Once Microsoft validates and signs this manifest, the interface is dynamically fetched from the specified URL upon every execution. Consequently, the add-in functions as a trusted conduit with predefined administrative rights.
The AgreeTo manifest, sanctioned in late 2022, was granted ReadWriteItem privileges, an authorization that permits the reading and modification of a user’s correspondence. While seemingly innocuous for a scheduling tool, these permissions remain static regardless of the content subsequently served by the remote host. The platform lacks a mechanism for version pinning or checksum verification; whatever resides at the linked address is executed with full authority inside Outlook.
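The two properties described above, a static mailbox permission and an unpinned remote URL, are both visible in the manifest itself, so a tenant can audit them before (and long after) an add-in is approved. The Python below is an added example, not code from the article or from the AgreeTo project: it parses a constructed Outlook add-in manifest in the standard `OfficeApp` XML shape, reports the requested permission level, collects every URL Outlook would fetch at runtime, and flags broad permissions combined with a UI served from a shared multi-tenant hosting suffix. The manifest content, the placeholder `Id`, and the `SHARED_HOSTING_SUFFIXES` list are assumptions made for the example; the hostname is the one named in the article.

```python
# Added example (not the article's or AgreeTo's code): audit an Office add-in
# manifest for broad mailbox permissions combined with a remotely hosted,
# unpinned UI. The sample manifest is constructed; its Id is a placeholder.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"o": "http://schemas.microsoft.com/office/appforoffice/1.1"}

# Outlook manifest permission levels in ascending order of mailbox access.
PERMISSION_RANK = {
    "Restricted": 0,
    "ReadItem": 1,
    "ReadWriteItem": 2,
    "ReadWriteMailbox": 3,
}

# Assumed list of shared hosting suffixes where any tenant can register a
# sub-name; a lapsed deployment here is the takeover scenario described above.
SHARED_HOSTING_SUFFIXES = (
    ".vercel.app", ".netlify.app", ".github.io",
    ".herokuapp.com", ".azurewebsites.net", ".pages.dev",
)

SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="MailApp">
  <Id>00000000-0000-0000-0000-000000000000</Id>
  <Version>1.0.0.0</Version>
  <ProviderName>ExampleProvider</ProviderName>
  <DefaultLocale>en-US</DefaultLocale>
  <DisplayName DefaultValue="Example Scheduler"/>
  <Description DefaultValue="Constructed sample manifest"/>
  <Hosts><Host Name="Mailbox"/></Hosts>
  <FormSettings>
    <Form xsi:type="ItemRead">
      <DesktopSettings>
        <SourceLocation DefaultValue="https://outlook-one.vercel.app/taskpane.html"/>
        <RequestedHeight>250</RequestedHeight>
      </DesktopSettings>
    </Form>
  </FormSettings>
  <Permissions>ReadWriteItem</Permissions>
  <Rule xsi:type="RuleCollection" Mode="Or">
    <Rule xsi:type="ItemIs" ItemType="Message" FormType="Read"/>
  </Rule>
</OfficeApp>
"""

# Elements whose DefaultValue attribute is a URL Outlook loads at runtime.
URL_BEARING_TAGS = {"SourceLocation", "Url", "IconUrl", "HighResolutionIconUrl"}


def extract_remote_urls(root):
    """Collect every URL the manifest instructs Outlook to fetch."""
    urls = set()
    for el in root.iter():
        tag = el.tag.split("}")[-1]  # strip the XML namespace
        if tag in URL_BEARING_TAGS and el.get("DefaultValue"):
            urls.add(el.get("DefaultValue"))
    return sorted(urls)


def audit_manifest(xml_text, min_flag_rank=PERMISSION_RANK["ReadWriteItem"]):
    """Return the permission, remote URLs and a list of findings."""
    root = ET.fromstring(xml_text)
    perm_el = root.find("o:Permissions", NS)
    permission = perm_el.text.strip() if perm_el is not None and perm_el.text else "Restricted"
    urls = extract_remote_urls(root)
    findings = []
    if PERMISSION_RANK.get(permission, 0) >= min_flag_rank:
        findings.append(f"broad mailbox permission: {permission}")
    for url in urls:
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if parsed.scheme != "https":
            findings.append(f"non-HTTPS UI source: {url}")
        if host.endswith(SHARED_HOSTING_SUFFIXES):
            findings.append(f"UI served from shared hosting subdomain: {host}")
    return {"permission": permission, "remote_urls": urls, "findings": findings}


if __name__ == "__main__":
    for line in audit_manifest(SAMPLE_MANIFEST)["findings"]:
        print("FINDING:", line)
```

The useful part is the combination: a `ReadWriteItem` add-in whose UI lives on a first-party corporate host is ordinary, and a read-only add-in on a shared platform is low risk, but a broad permission plus a host any third party could later re-register is the pattern worth re-checking periodically, since the manifest does not change when the content behind the URL does.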
Following the project’s dissolution, the Vercel deployment was decommissioned, leaving the outlook-one.vercel.app subdomain vacant for adversarial seizure. The antagonist exploited this vacancy to host a multi-stage phishing kit featuring fraudulent Microsoft login portals and exfiltration scripts. Because the AgreeTo entry already existed within the trusted Microsoft infrastructure, no further publication or vetting was required.
The structure of the malicious files confirms a distinct rupture between the original creator and the interloper. Legacy assets and design files are absent, replaced entirely by pages designed for credential harvesting. When an unsuspecting user engages the AgreeTo add-in, they are confronted with a deceptive Microsoft authentication prompt. Upon inputting their credentials, a script harvests the data alongside the victim’s IP address, transmitting the cache to the attacker via the Telegram Bot API. To preserve the illusion of legitimacy, the user is then seamlessly redirected to the authentic login.microsoftonline.com, mimicking a routine re-authentication request.
This “in-context” phishing is exceptionally effective. By appearing within the official Outlook interface and bypassing standard mail filters—since no external malicious link is required—it frequently evades traditional defensive arrays. Workstation security identifies the activity as a legitimate Outlook process, and URL filtering often fails to flag the common vercel.app hosting domain.
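Because the task pane is fetched and executed inside Outlook, the network path still leaves a trace that endpoint or proxy telemetry can correlate: an Outlook-hosted webview loading a page from a shared hosting subdomain, followed shortly by a POST to the Telegram Bot API from the same user and process. The Python below is an added example, not part of the article: it parses constructed proxy log lines, groups them by user, and raises an alert for Telegram API traffic originating from an Outlook-related process, escalating severity when a shared-hosting task pane load precedes it within ten minutes. The log format, the sample records, the `OUTLOOK_PROCESSES` names and the correlation window are all assumptions made for the example.

```python
# Added example (not from the article): correlate proxy log records for an
# Outlook-hosted task pane loaded from a vercel.app host followed by a POST to
# the Telegram Bot API. Log format, records and process names are constructed.
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumed process names under which an Outlook add-in task pane may appear.
OUTLOOK_PROCESSES = {"outlook.exe", "msedgewebview2.exe", "olk.exe"}
SHARED_HOSTING_SUFFIXES = (".vercel.app",)
TELEGRAM_API_HOST = "api.telegram.org"
CORRELATION_WINDOW = timedelta(minutes=10)

# Constructed sample lines: "<timestamp> user=<u> proc=<p> <METHOD> <url>"
SAMPLE_LOG = """\
2025-04-01T09:00:01Z user=alice proc=outlook.exe GET https://outlook.office.com/mail/
2025-04-01T09:00:05Z user=alice proc=msedgewebview2.exe GET https://outlook-one.vercel.app/taskpane.html
2025-04-01T09:00:40Z user=alice proc=msedgewebview2.exe POST https://api.telegram.org/bot123456:PLACEHOLDERTOKEN/sendMessage
2025-04-01T09:00:41Z user=alice proc=msedgewebview2.exe GET https://login.microsoftonline.com/
2025-04-01T09:05:00Z user=bob proc=chrome.exe GET https://my-portfolio.vercel.app/
2025-04-01T09:06:00Z user=bob proc=chrome.exe POST https://api.telegram.org/bot999:OTHERTOKEN/sendMessage
2025-04-01T10:00:00Z user=carol proc=msedgewebview2.exe GET https://addins.example.com/taskpane.html
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) proc=(\S+) (\S+) (\S+)$")
BOT_TOKEN_RE = re.compile(r"/bot[^/]+/")


def parse_log(text):
    """Parse the constructed log format into dict records; skip malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, proc, method, url = m.groups()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "proc": proc.lower(),
            "method": method,
            "url": url,
            "host": urlparse(url).hostname or "",
        })
    return records


def redact_token(url):
    """The bot token in the path is itself a credential; never copy it into an alert."""
    return BOT_TOKEN_RE.sub("/bot<REDACTED>/", url)


def detect_in_context_phishing(records):
    """Alert on Telegram API traffic from Outlook-hosted processes, per user."""
    alerts = []
    by_user = {}
    for r in records:
        by_user.setdefault(r["user"], []).append(r)
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        pane_loads = [
            r for r in recs
            if r["proc"] in OUTLOOK_PROCESSES and r["host"].endswith(SHARED_HOSTING_SUFFIXES)
        ]
        for r in recs:
            if r["proc"] not in OUTLOOK_PROCESSES or r["host"] != TELEGRAM_API_HOST:
                continue
            # A shared-hosting pane load shortly before the exfil call raises severity.
            prior = [p for p in pane_loads if timedelta(0) <= r["ts"] - p["ts"] <= CORRELATION_WINDOW]
            alerts.append({
                "user": user,
                "proc": r["proc"],
                "severity": "high" if prior else "medium",
                "exfil_url": redact_token(r["url"]),
                "pane_host": prior[-1]["host"] if prior else None,
                "ts": r["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_in_context_phishing(parse_log(SAMPLE_LOG)):
        print(a)
```

Note that bob's browser traffic to a vercel.app site and to Telegram is not alerted on, because the signal here is not the hosting domain by itself (the article notes it is too common to block) but its appearance inside an Outlook-hosted process; tuning the process set to how the add-in webview shows up in your own telemetry is the main deployment step.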
Investigation into the poorly secured Telegram exfiltration channel revealed the identities of over 4,000 victims, including Microsoft account credentials, financial data, and security question answers. This campaign is part of a broader operation involving at least twelve distinct phishing kits targeting diverse financial and telecommunications brands.
The core of this vulnerability is systemic: Office add-ins are fundamentally reliant on remote content that can be altered post-moderation. A module may be pristine during its inaugural review yet turn malicious years later. In the case of AgreeTo, the persistent “ReadWriteItem” permission granted the attacker potential access to read private correspondence or disseminate messages on behalf of the victim. Indicators of compromise, including the domain outlook-one.vercel.app and the add-in identifier WA200004949, have been disseminated to Microsoft, Vercel, and Telegram to dismantle the adversarial infrastructure.