Researchers found a malicious Microsoft Outlook add-in, AgreeTo, that stole 4,000 sets of credentials along with credit card numbers and banking security answers. The attack became possible after the abandoned open-source meeting scheduler tool left a Vercel URL in the add-in; attackers seized that URL when the subdomain became free to claim.
The phishing kit, loaded inside Outlook's sidebar, used ReadWriteItem permissions to read and modify email. It harvested credentials, sent them to the attacker's Telegram bot, and then redirected users to the real Microsoft login. Investigators recovered more than 4,000 stolen Microsoft account credentials, plus payment data, indicating the campaign was active as part of a broader multi-brand phishing operation.
The incident follows Google's removal of a dead Chrome extension in February 2025, while the Outlook add-in remained listed in Microsoft’s Office Store, still pointing to the abandoned Vercel URL. Users are advised to remove the add-in, change Microsoft account passwords, review sign‑ins and security activity, and monitor payment statements for unusual activity.
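
A defensive audit for the condition described above, added here as an example and not taken from the researchers or from Microsoft: it parses an Outlook add-in XML manifest and flags URLs served from a shared-hosting subdomain, raising the priority when the manifest also declares a write-capable permission. The sample manifest, its host name, the `audit_manifest` helper and the suffix list are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Assumption: shared-hosting suffixes where a released subdomain can be
# claimed by someone else. Only Vercel is named in the article.
CLAIMABLE_SUFFIXES = (".vercel.app",)
# Outlook manifest permission levels that allow modifying mail.
WRITE_PERMISSIONS = {"ReadWriteItem", "ReadWriteMailbox"}

# Constructed sample manifest; the host is hypothetical, not the real add-in's URL.
SAMPLE_MANIFEST = """<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="MailApp">
  <DisplayName DefaultValue="Example Scheduler"/>
  <IconUrl DefaultValue="https://cdn.example.com/icon.png"/>
  <FormSettings>
    <Form xsi:type="ItemRead">
      <DesktopSettings>
        <SourceLocation DefaultValue="https://example-scheduler.vercel.app/pane.html"/>
      </DesktopSettings>
    </Form>
  </FormSettings>
  <Permissions>ReadWriteItem</Permissions>
</OfficeApp>"""


def audit_manifest(xml_text):
    """Return the declared permission and any URLs on claimable hosts."""
    root = ET.fromstring(xml_text)
    permission, findings = "", []
    for el in root.iter():
        name = el.tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix
        if name == "Permissions":
            permission = (el.text or "").strip()
        url = el.get("DefaultValue", "")
        if not url.lower().startswith(("http://", "https://")):
            continue
        host = (urlsplit(url).hostname or "").lower()
        if host.endswith(CLAIMABLE_SUFFIXES):
            findings.append({"element": name, "host": host})
    return {
        "permission": permission,
        "findings": findings,
        # Highest priority: externally claimable content plus mail write access.
        "high_risk": bool(findings) and permission in WRITE_PERMISSIONS,
    }


if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```

A flagged host is a prompt to confirm that the deployment behind it is still owned and maintained, not proof of compromise.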