How an Outlook Add-In Became a Massive Phishing Attack
- michelle1593
- Feb 20

When Microsoft embraced the Outlook add-in known as AgreeTo, the idea was to make it easy for people to connect all their different calendars into a single location.
This is the story of how it became a phishing kit that allowed hackers to steal the account credentials of 4,000 Microsoft users.
AgreeTo was an open-source add-in with a Chrome extension, developed by an outside developer. It was popular at one point but eventually the developer abandoned it. The problem was that, when its back-end URL expired, a hacker claimed it and started using the leftover ReadWriteItem permissions to modify users’ emails.
In February 2025, Google removed the dead Chrome extension, but the Outlook add-in remained available in Microsoft’s Office Store – so some people continued to open the available URL thinking they were getting the legitimate add-in. Instead, when they entered their log-in credentials into the very real-looking website they found, they were handing the credentials over to the attacker.
Not only did the attacker get the log-in credentials, but the users’ payment and banking data as well – since they entered that information thinking they were paying Microsoft for the add-in.
So how would an unsuspecting person avoid having their information stolen in a situation like this? The add-in was listed in the Microsoft store, and the URL to which they were directed looked completely legitimate.
First of all, I would say to be very cautious about adding add-ins to Outlook, or extensions to Chrome. Many of them are produced by outside developers, and while Microsoft and Google review them before making them available, they don’t continue to monitor them.
Most people figure that Microsoft and Google are trustworthy places to download from or to enter log-in credentials. Do not assume that.
If you have AgreeTo in your Outlook, uninstall it immediately and change the password to your Microsoft account – as well as any other passwords for accounts you might have used there.
Also, scan your e-mail to make sure there aren’t messages that look suspicious, and absolutely do not click any links or open any attachments unless you are 100 percent sure they came from a trusted source. (And before you say, “Oh, it’s from Joe! I trust Joe,” examine the sender’s email address carefully to make sure it really came from Joe.)
It’s difficult not to fall into a hacker’s trap at some point, especially when they’re commandeering URLs that have been forgotten by the big players and give every appearance of being safe and legitimate. As Deep Throat used to tell Mulder on the X-Files: Trust no one.
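For administrators, the condition described above (an add-in that still holds ReadWriteItem permission while its back-end URL has lapsed) can be checked from the add-in's manifest. This is an added example, not code from this article or from AgreeTo: it assumes the standard Office mail add-in manifest layout, the function names `audit_manifest` and `dns_resolves` are hypothetical, and the sample manifest, add-in name and host are constructed placeholders.

```python
import socket
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

WRITE_PERMISSIONS = {"ReadWriteItem", "ReadWriteMailbox"}

def dns_resolves(host):
    """Default liveness check: does the back-end host still have a DNS record?"""
    try:
        socket.getaddrinfo(host, 443)
        return True
    except socket.gaierror:
        return False

def audit_manifest(xml_text, resolves=dns_resolves):
    """Summarise one add-in manifest: permission, remote hosts, dead hosts."""
    name, permission, hosts = "(unnamed)", "(none declared)", set()
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix
        if tag == "DisplayName":
            name = el.get("DefaultValue", name)
        elif tag == "Permissions":
            permission = (el.text or "").strip()
        elif tag == "SourceLocation":
            host = urlparse(el.get("DefaultValue", "")).hostname
            if host:
                hosts.add(host)
    dead = sorted(h for h in hosts if not resolves(h))
    can_write = permission in WRITE_PERMISSIONS
    return {"name": name, "permission": permission, "hosts": sorted(hosts),
            "dead_hosts": dead, "can_write": can_write,
            # Write access plus a claimable back end is the condition in the article.
            "high_risk": can_write and bool(dead)}

# Constructed sample manifest (not AgreeTo's real manifest; the host is a placeholder).
SAMPLE = """<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="MailApp">
  <DisplayName DefaultValue="Example Calendar Helper"/>
  <FormSettings><Form xsi:type="ItemRead"><DesktopSettings>
    <SourceLocation DefaultValue="https://addin-backend.example.invalid/index.html"/>
  </DesktopSettings></Form></FormSettings>
  <Permissions>ReadWriteItem</Permissions>
</OfficeApp>"""

if __name__ == "__main__":
    # Simulate an expired back end so the example runs offline.
    print(audit_manifest(SAMPLE, resolves=lambda host: False))
```

A host that still resolves may already have been claimed by someone other than the original developer, as happened here, so any add-in reported with `can_write` set still needs its back-end ownership confirmed.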
If you’d like help with issues like these, email dacarey@cybersynergies.io or call 616.600.4180.



