Inzamam Nizam Jul 15, 2026

Microsoft Warns: Fake Perplexity Extension Abused Chrome Search Features

Key Takeaways

  • A malicious Chrome extension impersonating Perplexity AI silently rerouted users' address-bar searches and autocomplete suggestions through an attacker-controlled server before forwarding them to the real search engine.
  • The extension didn't exploit a browser vulnerability; it abused legitimate Chromium APIs (notably chrome_settings_overrides and Declarative Net Request/DNR permissions), which is what let it evade detection for so long.
  • Google removed the extension (ID: flkebkiofojicogddingbdmcmkpbplcd) after Microsoft disclosed the findings.
  • This is part of a broader pattern: official app stores (Chrome Web Store, Google Play) have repeatedly hosted malware that passed review and reached large user bases before being caught.
  • "Only download from official stores" is no longer sufficient security advice on its own; extensions need the same scrutiny as any other software.

What Happened

Attackers built a fake version of the Perplexity AI extension and distributed it via a lookalike domain (perplexity-ai[.]online instead of the legitimate perplexity.ai). Posing as a trusted AI assistant let them request sensitive, search-related permissions without raising user suspicion.

Once installed, the extension intercepted address-bar search queries. Instead of going straight to the user's default search provider, requests were first routed to a server controlled by the attackers, logged, and then forwarded on to the legitimate search engine. So from the user's point of view, search results looked completely normal.

Microsoft flagged the extension because it requested powerful DNR permissions, capabilities for traffic redirection, URL rewriting, and selective request filtering that don't match what a typical AI assistant extension would need. The chrome_settings_overrides setting was central to the abuse, effectively turning a native Chrome feature into an interception tool.

How the Attack Worked: Breakdown

Normal Chrome search flow:

  1. User types a query into the address bar.

  2. Chrome sends that input in real time to the configured search provider.

  3. The provider returns autosuggestions and, on submit, search results.

What the malicious extension changed:

  1. User types a query into the address bar, same as normal, no visible difference.

  2. The extension, using DNR (Declarative Network Request) permissions and the chrome_settings_overrides setting, intercepts the request before it leaves the browser.

  3. The query is routed first to an attacker-controlled server, which logs the search input.

  4. The server then forwards the request on to the legitimate search engine, which returns normal results to the user.

The critical design choice was by completing the round trip to the real search engine, the extension preserved a completely normal-looking search experience. There was no broken functionality, no odd redirect page, no visible delay, nothing to tip off the user that their queries were being logged in transit. That's precisely why the attack's success is attributed to how little it altered the browsing experience rather than to any single technical exploit.

Related Incidents

This case sits within a broader pattern of malware slipping past official store review:

Incident

Vector

Scale

Fake Perplexity AI extension (this report)

Chrome Web Store

Not yet disclosed

Malicious Android apps (McAfee, April)

Google Play Store

~2.3 million downloads across 50 apps

Fake extensions stealing ChatGPT/DeepSeek chats (January)

Chrome Web Store

~900,000 users compromised

Extensions masquerading as helper tools

Chrome Web Store

~20,000 victims across 108 extensions

The common thread: Each of these passed through an official marketplace's review process before being caught, undermining the assumption that store presence alone signals safety.

Expert View

Microsoft identified a permission–behaviour mismatch as the key detection signal. An extension requesting powerful capabilities such as traffic redirection, URL rewriting, and request filtering is a clear red flag when it claims to be only a conversational AI assistant. The gap between what an extension says it does and what it is allowed to do remains one of the most reliable indicators of disguised malware.

This campaign is notable because it operated entirely within Chrome's intended extension architecture. Nothing was exploited; legitimate permissions were simply abused, making the activity far harder for automated store reviews to detect than a traditional code-level exploit.

Microsoft notes that AI-branded extensions can benefit from an inherent level of user trust:

"Users associate AI tools with productivity and legitimacy... and are less suspicious of browser-integrated AI assistants." — Microsoft Threat Intelligence Team

From a security awareness perspective, the lesson is straightforward:

"The hardest habit to build is permission literacy... The fix isn't telling people to 'be more careful'; it's teaching them three seconds of friction: check the publisher, check the domain, check what it's asking to control." — Inzamam Nizam, Cyber Security & Security Engineer, Edoxi

What Organisations and Professionals Should Do

Immediate Action Checklist

  • Search all browsers (personal and managed/enterprise) for extension ID flkebkiofojicogddingbdmcmkpbplcd and remove it if found.
  • Rotate passwords as a precaution, even though Microsoft found no evidence of credential theft.
  • Confirm any Perplexity-branded extension currently installed links back to the legitimate perplexity.ai domain, not a lookalike such as perplexity-ai[.]online.
  • Notify affected users/teams if the extension is found in a managed environment, and log the finding for incident tracking.

Security Best Practices 

  • Review extension permissions critically, especially anything touching browser settings, search behaviour, or network requests.
  • Run a periodic audit of installed extensions across the organisation and remove unused ones.
  • Prefer official websites/web apps over browser extensions where functionality allows.
  • Keep Chrome (and other browsers) patched and current.
  • For IT/security teams: consider enterprise policies that restrict extension installs to an allowlist, and monitor for DNR-permission or chrome_settings_overrides usage in deployed extensions.

What This Means for Professionals

The recurring theme across these incidents, including Android apps, Chrome extensions, and AI-assistant impersonators, is that official distribution channels reduce risk but don't eliminate it. Review processes catch known malware signatures and obvious policy violations, but attackers adapt by using legitimate APIs in illegitimate ways, which is much harder to flag automatically. Given how fast AI-tool extensions have proliferated, expect more impersonation attempts targeting popular AI brands (Perplexity, ChatGPT, DeepSeek, etc.); this is likely to be a repeating pattern rather than an isolated incident.

To stay ahead of these evolving threats, professionals should complement security best practices with continuous upskilling through industry-recognised certifications such as CEH, CISSP, CISA, CompTIA Security+, CompTIA CySA+, GIAC, and emerging AI Security and LLM Security courses. Building both technical defences and cybersecurity expertise is essential to effectively detect, prevent, and respond to modern browser- and AI-based attacks. 

 

Cyber Security & Security Engineer

Inzamam Nizam is a Cyber Security & Security Engineer with over six years of experience in offensive cybersecurity, vulnerability research, and application security. His expertise includes mobile (iOS/Android), web, and network penetration testing, secure code review, red teaming, exploit development, and secure architecture assessments. Recognised in the SynAck Hall of Fame for discovering critical security vulnerabilities, he is passionate about helping organisations strengthen their security posture through practical, research-driven approaches.

Throughout his career, Inzamam has led security assessments, adversary emulation exercises, and secure development initiatives across diverse industries, including banking and enterprise environments. He has contributed to innovative cybersecurity projects such as SPELL-BOUND, an open-source adversary emulation framework, GHOSTWARE AI, an AI-powered security assessment platform, and KAEDAE, a behaviour-based keylogger detection solution. Through his writing, he shares practical insights, emerging attack techniques, and defensive strategies to help security professionals stay ahead of the evolving threat landscape.

Tags
Technology
Education