{"id":212469,"date":"2026-02-11T12:45:00","date_gmt":"2026-02-11T17:45:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/02\/11\/first-malicious-outlook-add-in-found-stealing-4000-microsoft-credentials\/"},"modified":"2026-02-11T19:05:08","modified_gmt":"2026-02-12T00:05:08","slug":"first-malicious-outlook-add-in-found-stealing-4000-microsoft-credentials","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/02\/11\/first-malicious-outlook-add-in-found-stealing-4000-microsoft-credentials\/","title":{"rendered":"First Malicious Outlook Add-In Found Stealing 4,000+ Microsoft Credentials"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/02\/first-malicious-outlook-add-in-found.html\">First Malicious Outlook Add-In Found Stealing 4,000+ Microsoft Credentials<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/02\/first-malicious-outlook-add-in-found.html\">https:\/\/thehackernews.com\/2026\/02\/first-malicious-outlook-add-in-found.html<\/a><\/p>\n<p>Publish Date: 2026-02-11 12:45:00<\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p>Cybersecurity researchers have discovered what they said is the first known malicious Microsoft Outlook add-in detected in the wild.<\/p>\n<p>In this unusual supply chain attack detailed by Koi Security, an unknown attacker claimed the domain associated with a now-abandoned legitimate add-in to serve a fake Microsoft login page, stealing over 4,000 credentials in the process. The activity has been codenamed <strong>AgreeToSteal<\/strong> by the cybersecurity company.<\/p>\n<p>The Outlook add-in in question is AgreeTo, which is advertised by its developer as a way for users to connect different calendars in a single place and share their availability through email. 
The add-in was last updated in December 2022.<\/p>\n<p>Idan Dardikman, co-founder and CTO of Koi, told The Hacker News that the incident represents a broadening of supply chain attack vectors.<\/p>\n<p>&#8220;This is the same class of attack we&#8217;ve seen in browser extensions, npm packages, and IDE plugins: a trusted distribution channel where the content can change after approval,&#8221; Dardikman said. &#8220;What makes Office add-ins particularly concerning is the combination of factors: they run inside Outlook, where users handle their most sensitive communications, they can request permissions to read and modify emails, and they&#8217;re distributed through Microsoft&#8217;s own store, which carries implicit trust.&#8221;<\/p>\n<p>&#8220;The AgreeTo case adds another dimension: the original developer did nothing wrong. They built a legitimate product and moved on. The attack exploited the gap between when a developer abandons a project and when the platform notices. Every marketplace that hosts remote dynamic dependencies is susceptible to this.&#8221;<\/p>\n<p>At its core, the attack exploits how Office add-ins work and the lack of periodic content monitoring of add-ins published to the Marketplace. 
According to Microsoft&#8217;s documentation, add-in developers are required to create an account and submit their solution to the Partner Center, following which it is subjected to an approval process.<\/p>\n<p>What&#8217;s more, Office&#8230;<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/02\/first-malicious-outlook-add-in-found.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>First Malicious Outlook Add-In Found Stealing 4,000+ Microsoft Credentials https:\/\/thehackernews.com\/2026\/02\/first-malicious-outlook-add-in-found.html Publish Date: 2026-02-11 12:45:00 Source&#8230;<\/p>\n","protected":false},"author":1,"featured_media":212470,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjGH5OFCdEH8WLDQvMuU6qAbaI73kVMtx4uASqujZ12UAb3Q-yJX3ZsFCpc1uJuUE4ah_z24WgRv_1JhOem_ISHdoYtPzZPy6o5HwRuoBGjThyru3WAtrcOqyA9hDvSNgSKIgaYUTdIOUJHL7HCRUEZgt9Z8fP6F8oINDt4LkeziTnTW6cx_Qw_DJ2FLMmo\/s1600\/outlook.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,35],"class_list":["post-212469","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-hacker"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/212469"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=212469"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/212469\/revisions"}],"predecessor-version":[{"id":212471,"href":"https:\/\/news-
you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/212469\/revisions\/212471"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/212470"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=212469"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=212469"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=212469"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}