HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Malicious Chromium Extension Spoofs Perplexity AI to Hijack Browser Searches

A Chromium‑based extension masquerading as Perplexity AI redirects search queries to attacker‑controlled servers, exposing organizations to data leakage and phishing. The incident underscores the need for SOC 2‑aligned extension controls and security‑awareness training.

LiveThreat™ Intelligence · 📅 June 30, 2026· 📰 microsoft.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
4 sector(s)
Actions
4 recommended
📰
Source
microsoft.com

Malicious Chromium Extension Spoofs Perplexity AI to Hijack Browser Searches

What Happened — Researchers at Microsoft discovered a Chromium‑based browser extension that masquerades as the AI‑powered answer engine Perplexity AI. The extension uses Manifest V3 APIs to silently redirect users’ search queries to attacker‑controlled infrastructure, harvesting search terms and potentially steering victims to phishing sites.

Why It Matters for Compliance & Audit Readiness

  • SOC 2 CC6.1 (System Operations) requires documented controls for third‑party software and continuous monitoring of endpoint assets; a rogue extension bypasses those controls.
  • Access‑control policies (CC5.1) must cover browser‑level privileges, ensuring only approved extensions can run.
  • Security Awareness Training (CC1.2) is a core defense against social‑engineering vectors that rely on trusted‑looking UI cues.

Who Is Affected – Any organization that allows employees to install Chrome/Edge extensions, spanning technology SaaS, financial services, healthcare, and retail.

Recommended Actions

  • Conduct an inventory of all installed browser extensions and enforce an allow‑list.
  • Update endpoint‑security policies to block unsigned or unvetted extensions.
  • Incorporate extension‑review logs into your continuous‑compliance evidence pipeline.
  • Refresh security‑awareness curricula to highlight “AI‑branding” phishing tactics.

Source: Microsoft Security Blog

Technical Notes – The malicious add‑on leverages MV3 background service workers, intercepts chrome.search calls, and forwards queries to a remote server that returns fabricated search results. No public CVE is associated, but the technique demonstrates how legitimate extension APIs can be abused.

Source: same as above

📰 Original Source
https://www.microsoft.com/en-us/security/blog/2026/06/29/chromium-extension-uses-airelated-branding-redirect-browser-search/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Security Awareness

Phishing and social engineering are a people-and-policy problem.

The Verisq AI Trust Operations platform pairs Security Awareness Training with policy adoption tracking, so human-risk controls are documented and audit-ready.

Explore the Verisq AI Trust Operations platform →