A fake Perplexity extension turned an AI brand into a search wiretap
Microsoft found a Chromium extension impersonating Perplexity that rerouted every address-bar keystroke through an attacker's server before showing real results — no browser bug, just abused trust and Manifest V3 permissions.
What is this?
On June 29, 2026, Microsoft Threat Intelligence published an analysis of a malicious Chromium extension that dressed itself up as the AI answer engine Perplexity to get people to install it. The extension — listed as “Search for perplexity ai” — did not exploit any browser flaw. It abused the trust users place in a popular AI brand, then used ordinary, documented browser APIs to sit between the user and their search engine. Coverage followed from BleepingComputer, CSO Online, and The Hacker News. Microsoft reported it to Google, which removed it from the Chrome Web Store.
Microsoft assessed the extension’s primary objective as search-traffic interception and data collection. The genuine Perplexity extension is named “Perplexity – AI Search”; the impostor leaned on a look-alike domain, perplexity-ai[.]online, instead of the real perplexity.ai. The gap it exploited is not technical — it is the space between how fast employees adopt AI tools and how slowly organizations learn to govern browser extensions.
How it works
Once installed, the extension quietly rewired where the browser sends what you type. It used Chromium’s chrome_settings_overrides to replace the default search provider, and — more invasively — pointed the address bar’s live suggestion endpoint at the attacker’s infrastructure. That second detail is the sharp edge: your input is forwarded before you press Enter, character by character, as the browser fetches suggestions. Every finished query and every partial keystroke went first to the operator’s server, tagged with browser headers, IP address, and user agent, and only then on to a real search provider.
You type in the omnibox -> attacker server logs it -> real search results returned
(per keystroke) (headers, IP, user agent) (looks completely normal)
Because victims still received the results they expected, nothing looked wrong. Microsoft noted the extension requested powerful declarativeNetRequest (DNR) permissions — traffic redirection, URL rewriting, and selective request filtering — that are not consistent with what an AI assistant needs to do its job. The server-side logging code, Microsoft said, pointed to deliberate design rather than sloppy analytics. No credential theft was observed, but the permission set would have allowed the operator to widen the take at will. As one researcher put it, the attack doesn’t depend on a browser vulnerability: the user is the initial access vector.
Why it matters
Search history is intent data. A running log of what someone types into their browser — half-formed questions included — exposes projects, health concerns, deal names, vendor evaluations, and internal jargon that maps a whole organization. Collected quietly and correlated with IP and user agent, it is a rich profiling feed and a springboard for targeted phishing.
The broader pattern is what should worry defenders. Attackers are following user trust into the browser: as generative-AI tools flood the workplace, AI-branded extensions are becoming high-value social-engineering bait, because users already expect AI tools to ask for broad permissions. Most organizations maintain a mature software inventory yet have almost no visibility into which extensions employees install. The browser is now the primary workspace for email, SaaS, and AI assistants — and it is under-governed. This sits in the same family as other marketplace-trust abuses like malicious agent skills and rogue MCP servers: a trusted distribution channel turned into a data-collection layer.
Defenses
The extension is gone, but the technique is repeatable. The durable defenses are about governance and behavior, not one blocklist entry.
- Install AI extensions only from the verified publisher. Check the developer identity and match it against the vendor’s official page, not the extension’s own name or icon. A look-alike domain in the listing (
perplexity-ai[.]onlinevsperplexity.ai) is a tell. - Read the permissions against the job. An AI search helper has no legitimate need for network-redirection or URL-rewriting permissions (DNR). Permissions that could reroute or rewrite traffic are the ones to refuse.
- Treat extensions as third-party software suppliers. Bring them under the same review, approval, and inventory process as any other vendor software — enterprise extension allowlisting, blocking installs from unverified publishers.
- Monitor for the behaviors, not just known-bad IDs. Watch for changes to the default search provider, requests for access to all sites, extensions talking to domains unrelated to their stated publisher, and extensions that request new permissions after install.
- If you installed it, clean up. Remove the extension, confirm your default search engine has been reset to a trusted provider, and rotate critical passwords as a precaution given what search traffic can reveal.
Status
| Item | Reference | Date | Notes |
|---|---|---|---|
| Disclosure | Microsoft Threat Intelligence | 2026-06-29 | Extension “Search for perplexity ai” (ID flkebkiofojicogddingbdmcmkpbplcd) |
| Impersonated brand | Perplexity AI | — | Look-alike domain perplexity-ai[.]online vs perplexity.ai |
| Removal | Google / Chrome Web Store | 2026-06 | Taken down after Microsoft’s responsible disclosure |
| Observed impact | Microsoft | 2026-06 | Search interception + data collection; no credential theft observed, permissions allowed it |
The honest framing is not “an AI extension was malicious” — it is that a browser extension can become a wiretap on your search bar without touching a single vulnerability, purely by borrowing a trusted brand and asking for permissions users no longer question. Until extensions are governed like the third-party software they are, the defense is yours: verify the publisher, read the permissions, and watch what your browser talks to.
Sources
- → https://www.microsoft.com/en-us/security/blog/2026/06/29/chromium-extension-uses-airelated-branding-redirect-browser-search/
- → https://www.bleepingcomputer.com/news/security/fake-perplexity-extension-on-chrome-web-store-tracked-searches/
- → https://www.csoonline.com/article/4191060/malicious-chromium-extension-spoofs-perplexity-ai-to-hijack-browser-searches.html
- → https://thehackernews.com/2026/06/malicious-perplexity-chrome-extension.html