securityonline.info 2/13/2026, 5:05:48 AM · via preferred

Inside Job: Abandoned Outlook Add-in “AgreeTo” Steals 4,000 Credentials

Primary Source koi.ai

Researchers at KOI Security have revealed a new abuse of an abandoned Outlook add‑in called “AgreeTo,” which cybercriminals resurrected as a stealthy credential-stealing tool. The attackers claimed the abandoned Vercel URL and replaced the legitimate scheduling tool with a phishing kit while the add‑in was still listed in Microsoft’s Office Add‑in Store.

The phishing page was loaded inside a trusted Outlook process and served from a legitimate domain, allowing it to bypass typical security checks and present a fake Microsoft login screen to thousands of users. By accessing the attackers’ exfiltration channel, the researchers recovered over 4,000 stolen Microsoft account credentials, credit card numbers, and banking security answers.

The incident highlights an architectural weakness in how modern Office add‑ins function, where content can change after submission and potentially be used as malware without further review.

13 February 2026.
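For defenders, the practical follow-up is an inventory of where deployed add-ins load their content from. The sketch below is an added example, not code from the article or from KOI Security: it reads an Office add-in XML manifest, lists every remote host named in SourceLocation, Url and AppDomain elements, and flags hosts on shared-hosting domains. The suffix list and the sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Assumption: shared-hosting suffixes where a deleted project's subdomain
# can later be registered by someone else. Extend for your environment.
RECLAIMABLE_SUFFIXES = (".vercel.app",)
# Manifest elements whose DefaultValue attribute holds a remotely hosted URL.
URL_ELEMENTS = {"SourceLocation", "Url"}

# Constructed sample manifest (not the real AgreeTo manifest).
SAMPLE_MANIFEST = """<OfficeApp
    xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="MailApp">
  <Id>00000000-0000-0000-0000-000000000000</Id>
  <DisplayName DefaultValue="Example Scheduler"/>
  <AppDomains><AppDomain>https://login.example.com</AppDomain></AppDomains>
  <FormSettings><Form xsi:type="ItemRead"><DesktopSettings>
    <SourceLocation DefaultValue="https://example-scheduler.vercel.app/pane.html"/>
  </DesktopSettings></Form></FormSettings>
</OfficeApp>"""

def local(tag):
    """Strip the XML namespace so elements match by local name."""
    return tag.rsplit("}", 1)[-1]

def remote_hosts(manifest_xml):
    """Map each remote host in the manifest to the elements that name it."""
    hosts = {}
    for el in ET.fromstring(manifest_xml).iter():
        name = local(el.tag)
        if name in URL_ELEMENTS:
            url = el.get("DefaultValue", "")
        elif name == "AppDomain":
            url = (el.text or "").strip()
        else:
            continue
        host = urlsplit(url).hostname
        if host:
            hosts.setdefault(host.lower(), set()).add(name)
    return hosts

def audit(manifest_xml):
    """Return (host, elements, needs_review) tuples sorted by host."""
    return [(h, sorted(els), h.endswith(RECLAIMABLE_SUFFIXES))
            for h, els in sorted(remote_hosts(manifest_xml).items())]

if __name__ == "__main__":
    for host, elements, review in audit(SAMPLE_MANIFEST):
        print(f"{'REVIEW' if review else 'ok':6} {host} ({', '.join(elements)})")
```

A flagged host is a prompt to confirm that the publisher still controls it, not proof of compromise.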

Article by CyberSIXT