
AgreeToSteal: A Dead Outlook Add-In Became Microsoft's First Marketplace Phishing Weapon

ID: f6be097a-510c-5e32-bb6a-2f79506b9216

STIX ID: report--f6be097a-510c-5e32-bb6a-2f79506b9216

Feed Name: NoHackie

Threat Score: 78/100

Date Published: 2026-02-13

Date Updated: 2026-04-19


Koi Security disclosed AgreeToSteal (Feb 2026), the first known malicious Outlook add-in in the wild: an attacker claimed an abandoned Vercel subdomain referenced by a Microsoft-approved add-in manifest and served a four-page phishing kit inside Outlook's sidebar, exfiltrating >4,000 Microsoft account credentials, credit card numbers, and banking answers via a Telegram bot. The report explains the core architectural flaw (Office add-ins load mutable remote URLs approved once at submission), outlines why email gateways, EDR, URL filtering, and identity protections miss this vector, and recommends mitigations such as content re-validation, domain ownership checks, abandonment detection, allowlisting, and phishing-resistant authentication.
