Fake Perplexity AI Extension Hijacked Browser Searches
Microsoft researchers uncovered a malicious Chrome extension that impersonated the AI search tool to intercept queries and collect user data.

Malicious extension exploited AI branding
Microsoft Threat Intelligence has identified and reported a malicious Chromium browser extension that masqueraded as Perplexity AI, the legitimate AI-powered search engine. The extension used a typosquatted domain (perplexity-ai[.]online instead of the authentic perplexity[.]ai) to deceive users into installing it. Google has since removed the extension from distribution following Microsoft's responsible disclosure.
The extension's primary function was search traffic interception and data collection. Unlike traditional search hijackers that simply redirect users to monetized pages, this threat combined modern browser capabilities with intermediary infrastructure to transparently capture search queries while maintaining the appearance of normal search results.
How the attack worked
The malicious extension set itself as the browser's default search provider, routing all address bar queries through attacker-controlled servers before redirecting users to legitimate search engines like Google, Bing, or the real Perplexity AI. This two-hop architecture allowed operators to log complete search queries, HTTP headers, IP addresses, and user-agent strings on the first hop, while the immediate redirect to legitimate sites masked the data theft.
More concerning, the extension captured real-time search suggestions—every character typed in the address bar—through its suggest_url configuration. This constituted keystroke-level surveillance beyond simple search redirection.
The extension requested powerful declarativeNetRequest permissions that enabled traffic redirection and URL rewriting, capabilities inconsistent with a legitimate AI search assistant. Microsoft researchers found the extension even shipped with its own server-side code (server.js) that explicitly logged all incoming requests, confirming intentional data collection rather than incidental capture.
Why it matters
This campaign demonstrates how threat actors are weaponizing AI brand recognition as a social engineering vector. Browser extensions represent a significant attack surface because of their privileged access to browser APIs and user behavior, yet users often install them with minimal scrutiny, especially when they appear to offer popular AI functionality. The extension's use of Manifest Version 3, the latest Chromium extension standard, shows attackers adapting to evolving browser security models. Organizations face elevated risk as employees install AI-themed tools without proper vetting, potentially exposing corporate search activity and browsing patterns to unauthorized collection.
Detection and defense
Microsoft recommends organizations restrict untrusted extension installations through enterprise policy controls and allow-listing. Security teams should monitor for unauthorized changes to browser search settings and outbound traffic to non-standard domains associated with search activity.
Microsoft Edge includes built-in protections designed to identify extensions that manipulate browser behavior, including search redirection. The Edge Add-ons store uses automated and manual review processes to assess extensions before and after publication.
Microsoft provided advanced hunting queries for Defender customers to detect the extension through file artifacts and network communication to the intermediary infrastructure. The queries search for the specific extension ID and connections to perplexity-ai[.]online.
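A local audit for the manifest traits described above (a default search provider override, a suggest_url, and declarativeNetRequest permissions), as an added example that is not from Microsoft's report or its hunting queries. It assumes Chromium's on-disk layout of Extensions/<extension id>/<version>/manifest.json; the approved-host list and the sample manifest with its .example host are constructed for illustration.

```python
import json
from pathlib import Path
from urllib.parse import urlsplit

# Assumption: search hosts this organization approves; adjust to local policy.
APPROVED_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "www.perplexity.ai"}
DNR_PERMISSIONS = {"declarativeNetRequest", "declarativeNetRequestWithHostAccess"}

def _host(url):
    # Placeholders such as {searchTerms} sit in the path/query, not the host.
    return (urlsplit(url).hostname or "").lower()

def audit_manifest(manifest):
    """Return findings for one parsed manifest.json (empty list = nothing flagged)."""
    findings = []
    provider = manifest.get("chrome_settings_overrides", {}).get("search_provider", {})
    for key in ("search_url", "suggest_url"):
        url = provider.get(key)
        if url and _host(url) not in APPROVED_SEARCH_HOSTS:
            findings.append(f"{key} -> unapproved host {_host(url)}")
    # Redirect/rewrite permissions matter most when paired with a search override.
    requested = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    dnr = sorted(requested & DNR_PERMISSIONS)
    if dnr and provider:
        findings.append("search override combined with " + ", ".join(dnr))
    return findings

def audit_extensions_dir(root):
    """Audit <root>/<extension id>/<version>/manifest.json for each installed extension."""
    report = {}
    for path in Path(root).glob("*/*/manifest.json"):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip rather than crash
        findings = audit_manifest(manifest)
        if findings:
            report[path.parent.parent.name] = findings
    return report

# Constructed sample manifest; the .example host is a placeholder, not an indicator.
SAMPLE = {
    "manifest_version": 3, "name": "AI Search (constructed sample)",
    "permissions": ["declarativeNetRequest"],
    "chrome_settings_overrides": {"search_provider": {
        "name": "AI Search", "keyword": "ai", "is_default": True,
        "search_url": "https://search-proxy.example/s?q={searchTerms}",
        "suggest_url": "https://search-proxy.example/suggest?q={searchTerms}"}},
}
```

Point audit_extensions_dir at a browser profile's Extensions folder; the returned dictionary maps each flagged extension ID to its findings.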
These details were first reported by Microsoft Threat Intelligence, with research conducted by the Microsoft Defender Security Research team including Asutosha Panigrahi, Ashwani Kumar, and Mohd Sadique.
This is an original analysis by the Omega editorial team. Source reporting: AI Watch.