The Ghost in the Sidebar: How a Dead Side Project Became Outlook’s Most Dangerous Trojan

1. The Trusted Trap

Imagine it’s a Tuesday morning in February 2026. You open your Outlook inbox to tackle a backlog of communications. In the sidebar, a familiar, Microsoft-branded login prompt appears. It looks native, professional, and entirely expected within the ecosystem of a trusted enterprise application. Without a second thought, you enter your credentials.

In reality, you have just handed your digital identity to a professional threat actor who, as researchers watched, was actively testing stolen credentials in real-time. This was the mechanism of the “AgreeTo” incident — a sophisticated hijacking of a legitimate Microsoft Office add-in. By leveraging the inherent trust users place in the Outlook interface, an attacker transformed an abandoned side project into a phishing powerhouse. The toll was staggering: over 4,000 sets of credentials, credit card numbers, and banking security answers were exfiltrated before the alarm was raised. To understand this failure, we must look past the UI and into the fragile architecture of Office Web Add-ins.

2. They Aren’t Apps — They’re Windows to Elsewhere

The fundamental misunderstanding most users — and many IT professionals — have about Office Add-ins is that they are “installed” software. They are not. Technical analysis from researchers at MDSec and Koi Research reveals a much more fluid reality: an add-in is essentially a manifest file (an XML document) that instructs Outlook to load a remote URL inside an iframe.

Because the HTML, CSS, and JavaScript are hosted on the developer’s infrastructure rather than Microsoft’s, these add-ins represent a high-risk “Orphaned Dependency.” This architecture allows for Mutable Remote Execution; the content can be swapped or replaced instantly without leaving a local footprint on the user’s machine. As Koi Research starkly notes: “There’s no static bundle to audit. No hash to verify.” Whatever the remote server serves at the moment of execution is what the user interacts with, all within the trusted perimeter of the application.

3. The “Microsoft Blessed” Phish: A Subdomain Takeover

The most alarming aspect of the AgreeTo attack is that the adversary never had to bypass Microsoft’s security reviews. The AgreeTo add-in began its life in 2022 as a legitimate, well-reviewed meeting scheduling tool. Microsoft reviewed the manifest, signed it, and listed it in the official Office Store.

The structural failure occurred when the original developer moved on, allowing their hosting deployment to lapse. This left the Vercel-hosted URL — outlook-one.vercel.app—orphaned and claimable. The attacker performed a classic Subdomain Takeover, registering the abandoned address and deploying a four-page phishing kit.

Crucially, the attacker inherited the original manifest’s ReadWriteItem permission. While this level of access was "appropriate for a meeting scheduler" to manage calendar invites, it gave the subsequent hijacker full authority to read and modify a victim's emails. Because the Microsoft-signed manifest still pointed to that now-compromised URL, Microsoft’s own infrastructure continued to serve the malicious content, effectively "blessing" a Trojan.

4. The Persistence Paradox: Surviving the Password Reset

The danger of these add-ins extends beyond simple credential harvesting. Research from MDSec highlights how the architecture facilitates deep, persistent access that renders traditional defenses like password rotation obsolete.

• Cross-Device Persistence via Pinning: By leveraging the SupportsPinning element in the manifest, an attacker can force the malicious UI to remain visible and execute automatically every time a user opens their mail. Because this state is synchronized across the O365 account, the malicious sidebar follows the user across every browser session and device they use.
• The Token Scope: Malicious add-ins can use JavaScript APIs to request a “Bearer token” for Exchange Web Services (EWS). This token provides the attacker with the ability to access message content and attachments. While these tokens are often scoped to specific attachment IDs — a nuance that limits total mailbox traversal — they remain valid even if the victim changes their password, as the token lives within the authenticated session context.

5. Social Engineering in High Definition

The psychological advantage of the sidebar is unparalleled. Because the attacker operates within the “trusted sidebar,” they achieve a level of social engineering that traditional email phishing cannot match.

The AgreeTo hijacker was no amateur; they operated a professional arsenal of at least 12 distinct phishing kits targeting Canadian ISPs and major banks. For the Outlook campaign, they used a simple fetch() call to exfiltrate data via Telegram’s Bot API—an audacious move that bypassed traditional Command & Control (C2) detection.

Victims saw a pixel-perfect Microsoft sign-in page, followed by a seamless redirect to the legitimate login.microsoftonline.com. This visual legitimacy is bolstered by historical precedents; MDSec previously demonstrated how easily an add-in could be styled to mimic "Windows Defender 365 Email Security." As James Williams of MDSec warned years ago: "Microsoft also allow developers to push these add-ins to a store... I’m sure you can see the potential problem there."

6. Conclusion: A Seven-Year Prophecy Fulfilled

The AgreeTo attack is the realization of a prophecy. In 2019, MDSec specifically identified the Office Store as the ultimate potential failure point for this architecture. Seven years later, we have seen exactly how an abandoned side project can be weaponized against 4,000 victims without a single line of malicious code ever being “installed” on a target machine.

This incident forces a reckoning with the safety of “self-provisioned” software. We are currently operating in a landscape where a “signed” manifest is merely a pointer to a location that may no longer be who it claims to be.

Final Thought: The shift toward cloud-hosted software components has created a dangerous gap between point-in-time security audits and the reality of live, mutable code. In an era of dynamic dependencies, we must treat every “trusted” sidebar not as a part of the application, but as a window to an unverified world.

Need Help?

The functionality discussed in this post, and so much more, are available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Contact Us: https://www.socfortress.co/contact_form.html