HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Fake Perplexity Chrome Extension Hijacks Search Queries, Sends Data to Attacker Servers

A rogue Chrome extension posing as Perplexity AI reroutes users' search queries to attacker servers, exposing browsing data. The incident highlights gaps in extension control policies and the need for SOC 2‑aligned access‑control and awareness measures.

LiveThreat™ Intelligence · 📅 July 02, 2026· 📰 techrepublic.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
4 recommended
📰
Source
techrepublic.com

Fake Perplexity Chrome Extension Hijacks Search Queries, Sends Data to Attacker Servers

What Happened — Microsoft disclosed a malicious Chrome extension masquerading as the “Perplexity AI” assistant. The extension intercepts users’ omnibox searches and forwards the queries to attacker‑controlled servers, effectively harvesting browsing intent and any entered credentials.

Why It Matters for Compliance & Audit Readiness

  • Unapproved software installations bypass logical‑access controls, a direct violation of SOC 2 CC6.1 (System Operations) and CC6.2 (Change Management).
  • The incident underscores the need for documented policies on third‑party browser extensions and continuous monitoring of endpoint configurations.
  • Demonstrates the importance of Security Awareness Training to prevent users from installing rogue extensions that can lead to data exfiltration.

Who Is Affected — Enterprises across all sectors that allow employees to use Chrome on corporate devices, especially SaaS‑heavy tech firms and remote‑work environments.

Recommended Actions

  • Conduct an immediate inventory of installed Chrome extensions and remove any that are not on an approved list.
  • Enforce a policy that blocks installation of extensions from unverified sources; map this to SOC 2 CC6.1 and CC6.2 controls.
  • Update Security Awareness Training to include a module on vetting browser extensions and recognizing social‑engineering lures.
  • Enable continuous endpoint monitoring to capture unauthorized extension installations as audit evidence. Source: TechRepublic

Technical Notes – The extension hijacks Chrome’s omnibox search feature, redirects the query to attacker‑controlled URLs, and logs the payload. No CVE is associated; the threat vector is a malicious browser extension (malware). Data types captured include search terms, URLs, and any credentials typed into search fields. Source: TechRepublic

📰 Original Source
https://www.techrepublic.com/article/news-fake-perplexity-chrome-extension-searches/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Could you prove your access controls held up here?

Credential and access failures map directly to SOC 2 access-control criteria. The Verisq AI Trust Operations platform shows where your evidence is thin before an auditor — or an attacker — finds out.

Explore the Verisq AI Trust Operations platform →