Inzamam Nizam
Jul 15, 2026
Attackers built a fake version of the Perplexity AI extension and distributed it via a lookalike domain (perplexity-ai[.]online instead of the legitimate perplexity.ai). Posing as a trusted AI assistant let them request sensitive, search-related permissions without raising user suspicion.
Once installed, the extension intercepted address-bar search queries. Instead of going straight to the user's default search provider, requests were first routed to a server controlled by the attackers, logged, and then forwarded on to the legitimate search engine. So from the user's point of view, search results looked completely normal.
Microsoft flagged the extension because it requested powerful DNR permissions, capabilities for traffic redirection, URL rewriting, and selective request filtering that don't match what a typical AI assistant extension would need. The chrome_settings_overrides setting was central to the abuse, effectively turning a native Chrome feature into an interception tool.
Normal Chrome search flow:
User types a query into the address bar.
Chrome sends that input in real time to the configured search provider.
The provider returns autosuggestions and, on submit, search results.
What the malicious extension changed:
User types a query into the address bar, same as normal, no visible difference.
The extension, using DNR (Declarative Network Request) permissions and the chrome_settings_overrides setting, intercepts the request before it leaves the browser.
The query is routed first to an attacker-controlled server, which logs the search input.
The server then forwards the request on to the legitimate search engine, which returns normal results to the user.
The critical design choice was by completing the round trip to the real search engine, the extension preserved a completely normal-looking search experience. There was no broken functionality, no odd redirect page, no visible delay, nothing to tip off the user that their queries were being logged in transit. That's precisely why the attack's success is attributed to how little it altered the browsing experience rather than to any single technical exploit.
This case sits within a broader pattern of malware slipping past official store review:
|
Incident |
Vector |
Scale |
|---|---|---|
|
Fake Perplexity AI extension (this report) |
Chrome Web Store |
Not yet disclosed |
|
Malicious Android apps (McAfee, April) |
Google Play Store |
~2.3 million downloads across 50 apps |
|
Fake extensions stealing ChatGPT/DeepSeek chats (January) |
Chrome Web Store |
~900,000 users compromised |
|
Extensions masquerading as helper tools |
Chrome Web Store |
~20,000 victims across 108 extensions |
The common thread: Each of these passed through an official marketplace's review process before being caught, undermining the assumption that store presence alone signals safety.
Microsoft identified a permission–behaviour mismatch as the key detection signal. An extension requesting powerful capabilities such as traffic redirection, URL rewriting, and request filtering is a clear red flag when it claims to be only a conversational AI assistant. The gap between what an extension says it does and what it is allowed to do remains one of the most reliable indicators of disguised malware.
This campaign is notable because it operated entirely within Chrome's intended extension architecture. Nothing was exploited; legitimate permissions were simply abused, making the activity far harder for automated store reviews to detect than a traditional code-level exploit.
Microsoft notes that AI-branded extensions can benefit from an inherent level of user trust:
"Users associate AI tools with productivity and legitimacy... and are less suspicious of browser-integrated AI assistants." — Microsoft Threat Intelligence Team
From a security awareness perspective, the lesson is straightforward:
"The hardest habit to build is permission literacy... The fix isn't telling people to 'be more careful'; it's teaching them three seconds of friction: check the publisher, check the domain, check what it's asking to control." — Inzamam Nizam, Cyber Security & Security Engineer, Edoxi
The recurring theme across these incidents, including Android apps, Chrome extensions, and AI-assistant impersonators, is that official distribution channels reduce risk but don't eliminate it. Review processes catch known malware signatures and obvious policy violations, but attackers adapt by using legitimate APIs in illegitimate ways, which is much harder to flag automatically. Given how fast AI-tool extensions have proliferated, expect more impersonation attempts targeting popular AI brands (Perplexity, ChatGPT, DeepSeek, etc.); this is likely to be a repeating pattern rather than an isolated incident.
To stay ahead of these evolving threats, professionals should complement security best practices with continuous upskilling through industry-recognised certifications such as CEH, CISSP, CISA, CompTIA Security+, CompTIA CySA+, GIAC, and emerging AI Security and LLM Security courses. Building both technical defences and cybersecurity expertise is essential to effectively detect, prevent, and respond to modern browser- and AI-based attacks.
Cyber Security & Security Engineer
Inzamam Nizam is a Cyber Security & Security Engineer with over six years of experience in offensive cybersecurity, vulnerability research, and application security. His expertise includes mobile (iOS/Android), web, and network penetration testing, secure code review, red teaming, exploit development, and secure architecture assessments. Recognised in the SynAck Hall of Fame for discovering critical security vulnerabilities, he is passionate about helping organisations strengthen their security posture through practical, research-driven approaches.
Throughout his career, Inzamam has led security assessments, adversary emulation exercises, and secure development initiatives across diverse industries, including banking and enterprise environments. He has contributed to innovative cybersecurity projects such as SPELL-BOUND, an open-source adversary emulation framework, GHOSTWARE AI, an AI-powered security assessment platform, and KAEDAE, a behaviour-based keylogger detection solution. Through his writing, he shares practical insights, emerging attack techniques, and defensive strategies to help security professionals stay ahead of the evolving threat landscape.