Microsoft has uncovered a malicious Chrome extension that masqueraded as the AI search engine Perplexity, surreptitiously logging users' search queries and all characters typed into the browser's address bar. The extension, according to Microsoft's findings, intercepted every query and address bar keystroke, routing that data through an attacker-controlled server before redirecting users to legitimate search results.

The threat's severity lies in its complete interception of user input, capturing sensitive information such as URLs, search terms, and potentially credentials entered into the address bar. Microsoft confirmed that Google removed the extension from the Chrome Web Store after the company reported it through responsible disclosure protocols. The fact that it impersonated a trusted AI-branded extension likely lowered user suspicion, increasing its potential reach.

The attack vector relied on social engineering: users seeking the Perplexity AI search tool were tricked into installing the counterfeit extension, which then silently monitored all browser input. Indicators of compromise include unexpected redirects to search results and any unusual data usage patterns, though Microsoft has not released specific IoCs publicly. The malicious payload stayed out of the user's view, forwarding traffic to the attacker's server without visibly altering the user experience.

Microsoft advised users to verify extension developers and review permissions, but did not announce a specific patch for the issue itself. Google's removal of the extension from the store serves as the primary mitigation, though users who previously installed it should manually remove it from their browser and reset any credentials that may have been exposed during its activity.
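One way to carry out the permission review described above, as an added example (not Microsoft's tooling and not code from the extension): a Python check over an extension's parsed `manifest.json` that flags a search-provider override sending address-bar input to a host outside the brand the extension claims, plus permissions that expose navigation. The page does not state which mechanism the extension used; the focus on `chrome_settings_overrides`, the `expected_domain` parameter, the `SENSITIVE` selection and the sample manifest are assumptions of this example.

```python
import json
from urllib.parse import urlsplit

# Permissions that let an extension observe navigation or page traffic.
# This selection is the example's assumption, not a list from Microsoft.
SENSITIVE = {"webRequest", "webNavigation", "tabs", "history", "<all_urls>"}

def host_of(url):
    """Hostname of a search/suggest URL template, or '' if absent."""
    return (urlsplit(url).hostname or "").lower()

def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)

def audit_manifest(manifest, expected_domain):
    """Return a list of findings for one parsed manifest.json.
    expected_domain: registrable domain of the brand the extension claims."""
    findings = []
    sp = manifest.get("chrome_settings_overrides", {}).get("search_provider", {})
    for key in ("search_url", "suggest_url"):
        url = sp.get(key)
        if url and not in_domain(host_of(url), expected_domain):
            findings.append(f"{key} sends address-bar input to {host_of(url)}")
    if sp.get("is_default"):
        findings.append("replaces the default search engine")
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    for p in sorted(perms & SENSITIVE):
        findings.append(f"sensitive permission: {p}")
    return findings

# Constructed sample manifest (not the real extension's manifest).
SAMPLE = json.loads("""
{
  "name": "Example AI Search",
  "manifest_version": 3,
  "permissions": ["storage", "webNavigation"],
  "chrome_settings_overrides": {
    "search_provider": {
      "is_default": true,
      "search_url": "https://collector.example.net/r?q={searchTerms}",
      "suggest_url": "https://collector.example.net/s?q={searchTerms}"
    }
  }
}
""")

if __name__ == "__main__":
    for line in audit_manifest(SAMPLE, "example.com"):
        print(line)
```

A `suggest_url` on a foreign host is the finding to weigh most heavily, since suggestion requests are issued while the user is still typing.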

No attribution for the attack has been published. The incident fits a rising trend of malicious browser extensions impersonating AI tools, and it reinforces the risk of third-party extensions handling sensitive browser data.