Malicious Chrome Extension Exploits Search Functionality for Data Interception

"Microsoft calls that proof the collection was deliberate, not a side effect of the redirect," the company's Defender research team wrote after analyzing a Chrome extension that posed as the AI search engine Perplexity and quietly logged searches and what users typed into the address bar.

Microsoft Defender research team: what was discovered

Microsoft identified a malicious Chrome extension named "Search for perplexity ai" (ID flkebkiofojicogddingbdmcmkpbplcd) that used a look-alike domain, perplexity-ai[.]online, to mimic the real service at perplexity.ai. Once installed, the extension set itself as the browser's default search engine and routed queries through the attacker-controlled perplexity-ai[.]online server. Microsoft reported that Google removed the extension from the store after responsible disclosure.

The Defender team said the attacker's server logged each query along with browser headers, IP address, and user agent. Microsoft found no proof of password theft, but concluded the extension had "far more access than a search box should ever need." The company also did not name an operator or disclose how many users installed the extension before the takedown.

How searches and address-bar input were intercepted

The extension redirected searches first to perplexity-ai[.]online, where the attacker's server recorded the requests, and then bounced users to a real search engine (Perplexity, Google, or Bing) so results appeared normal. The theft occurred on that initial stop — before the redirect.

Worse, the extension also rewrote the browser's live search-suggestion endpoint (the suggest_url) to point at the same attacker domain. Because Chrome queries that endpoint as the user types, every character entered into the address bar reached the attacker's server before Enter was pressed, not just completed search queries.

Technical signals that the collection was intentional

Microsoft highlighted several implementation choices as evidence the collection was deliberate. The extension requested the declarativeNetRequest family of permissions — the Chrome capability that lets an extension override search-provider behavior — and shipped server-side code that logged every request. Defender noted the extension also shipped disabled redirect rules for Google and Bing, leaving the option to expand collection to those engines, and left room to run WebAssembly code later — functionality a simple search tool has no reason to include.
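The manifest keys behind the behaviour described above (a search-provider override with search_url and suggest_url, the declarativeNetRequest permission family, rule sets shipped but disabled, and a CSP that admits WebAssembly) can be triaged mechanically before an extension is approved. The script below is an added example, not Microsoft's or the extension's code: the sample manifest is constructed to resemble the pattern the write-up describes, the extension name and look-alike domain come from the article, and the mapping of the brand name to its legitimate domain (perplexity.ai) is an assumption of this example.

```python
"""Triage a Chrome extension manifest.json for search-hijack indicators.

Added example; the SAMPLE_MANIFEST below is constructed for illustration,
not the real extension's manifest.
"""
import json
from urllib.parse import urlparse

# Constructed sample shaped like a search-provider-override extension.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Search for perplexity ai",
    "permissions": ["declarativeNetRequest", "declarativeNetRequestWithHostAccess"],
    "host_permissions": ["<all_urls>"],
    "chrome_settings_overrides": {
        "search_provider": {
            "name": "Perplexity",
            "keyword": "perplexity",
            "search_url": "https://perplexity-ai.online/search?q={searchTerms}",
            "suggest_url": "https://perplexity-ai.online/suggest?q={searchTerms}",
            "favicon_url": "https://perplexity-ai.online/favicon.ico",
            "encoding": "UTF-8",
            "is_default": True,
        }
    },
    "declarative_net_request": {
        "rule_resources": [
            {"id": "perplexity", "enabled": True, "path": "rules/perplexity.json"},
            {"id": "google", "enabled": False, "path": "rules/google.json"},
            {"id": "bing", "enabled": False, "path": "rules/bing.json"},
        ]
    },
    "content_security_policy": {
        "extension_pages": "script-src 'self' 'wasm-unsafe-eval'; object-src 'self'"
    },
})

# Assumption for this example: which domains a claimed brand may send input to.
BRAND_DOMAINS = {"perplexity": ("perplexity.ai",)}


def registrable_host(url):
    """Lower-cased hostname of a URL, or '' if it cannot be parsed."""
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def host_in_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def triage_manifest(manifest_text):
    """Return a list of (severity, finding) tuples for a manifest.json string."""
    m = json.loads(manifest_text)
    findings = []
    name = m.get("name", "").lower()
    brand = next((b for b in BRAND_DOMAINS if b in name), None)
    allowed = BRAND_DOMAINS.get(brand, ())

    # 1. Search-provider override whose endpoints leave the brand's own domain.
    sp = m.get("chrome_settings_overrides", {}).get("search_provider", {})
    for key in ("search_url", "suggest_url"):
        host = registrable_host(sp.get(key, ""))
        if host and not any(host_in_domain(host, d) for d in allowed):
            label = f"a {brand} domain" if brand else "any known brand domain"
            # suggest_url receives keystrokes, so it ranks higher than search_url.
            sev = "high" if key == "suggest_url" else "medium"
            findings.append((sev, f"{key} sends input to {host}, not {label}"))
    if sp.get("is_default"):
        findings.append(("info", "extension makes itself the default search engine"))

    # 2. declarativeNetRequest family: request rewriting / redirect capability.
    dnr_perms = [p for p in m.get("permissions", []) if p.startswith("declarativeNetRequest")]
    if dnr_perms:
        findings.append(("medium", "declarativeNetRequest permissions: " + ", ".join(dnr_perms)))

    # 3. Rule sets shipped but disabled: capability held in reserve.
    for rule in m.get("declarative_net_request", {}).get("rule_resources", []):
        if not rule.get("enabled", True):
            findings.append(("medium", f"disabled DNR ruleset shipped: {rule.get('id')} ({rule.get('path')})"))

    # 4. CSP that allows WebAssembly in extension pages.
    csp = m.get("content_security_policy", {}).get("extension_pages", "")
    if "wasm-unsafe-eval" in csp:
        findings.append(("low", "CSP permits WebAssembly ('wasm-unsafe-eval')"))

    return findings


if __name__ == "__main__":
    for sev, text in triage_manifest(SAMPLE_MANIFEST):
        print(f"[{sev}] {text}")
```

Run it against an unpacked extension's manifest.json to get a ranked list of findings; on the constructed sample it reports the off-brand search_url and suggest_url, the default-engine takeover, the declarativeNetRequest permissions, the two disabled rule sets and the WebAssembly-friendly CSP. None of these is conclusive on its own, but a search utility that combines several of them is the shape the Defender write-up describes.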

How this fits into a broader pattern of malicious AI-branded extensions

Microsoft placed this extension in a continuing trend of malicious browser add-ons that hide behind AI branding. Some of those extensions have swapped default search engines or hijacked providers to capture typed input; others have skimmed AI chat transcripts. Microsoft tied a prior chat-skimming wave to roughly 900,000 installs across more than 20,000 company networks. The Defender team emphasized the difference in this case: the target was not AI chats but searches and every character typed into the address bar, collected through Chrome's own extension machinery.

What this means for technologists, security teams, and end users

  • Technologists and security teams: Microsoft recommends allowing only approved extensions through browser or company policy and watching for changed search settings, strange extension permissions, and traffic to unfamiliar domains.
  • Enterprises and procurement leaders: Treat AI-branded tools with extra suspicion; verify the publisher and the domain before installing or approving extensions for use on company devices, per Microsoft's guidance.
  • End users: If you installed "Search for perplexity ai," remove it and check that your default search engine has not been changed.
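The "traffic to unfamiliar domains" that Microsoft recommends watching for has a recognisable shape in this case: a hijacked suggest_url makes the browser send one request per keystroke, each carrying the text typed so far, so the query values arriving at the attacker's host form a chain of growing prefixes. The detection below is an added example, not Microsoft's code; it groups proxy log lines by client and destination host, extracts the q= parameter, and alerts when a host outside an approved search-engine list receives such a chain. The log lines are constructed for this example, the approved-domain list and thresholds are assumptions, and only the look-alike domain comes from the article.

```python
"""Detect address-bar keystroke streaming to an unapproved host in proxy logs.

Added example. SAMPLE_LOG is constructed: "<epoch> <client_ip> <method> <url>".
"""
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

SAMPLE_LOG = """\
1700000000 10.0.0.5 GET https://perplexity-ai.online/suggest?q=q
1700000000 10.0.0.5 GET https://perplexity-ai.online/suggest?q=qu
1700000001 10.0.0.5 GET https://perplexity-ai.online/suggest?q=qua
1700000001 10.0.0.5 GET https://perplexity-ai.online/suggest?q=quar
1700000002 10.0.0.5 GET https://perplexity-ai.online/suggest?q=quarterly%20report
1700000003 10.0.0.5 GET https://www.perplexity.ai/search?q=quarterly%20report
1700000010 10.0.0.7 GET https://www.google.com/complete/search?q=wea
1700000010 10.0.0.7 GET https://www.google.com/complete/search?q=weat
1700000011 10.0.0.7 GET https://www.google.com/complete/search?q=weath
1700000020 10.0.0.9 GET https://example.com/api?q=status
"""

# Assumptions for this example: hosts allowed to receive search input,
# and how long a prefix chain must be before it is worth an alert.
APPROVED_SEARCH_DOMAINS = ("perplexity.ai", "google.com", "bing.com")
MIN_CHAIN = 3          # growing-prefix requests needed before alerting
MAX_GAP_SECONDS = 5    # keystrokes arrive quickly; longer gaps break the chain

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+\S+\s+(\S+)$")


def in_approved_domain(host):
    return any(host == d or host.endswith("." + d) for d in APPROVED_SEARCH_DOMAINS)


def impersonated_domain(host):
    """Approved domain whose brand token appears in a non-approved host, else None."""
    if in_approved_domain(host):
        return None
    return next((d for d in APPROVED_SEARCH_DOMAINS if d.split(".")[0] in host), None)


def parse_line(line):
    """Return (ts, client, host, q) or None when the line carries no q= parameter."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, url = int(m.group(1)), m.group(2), m.group(3)
    parsed = urlparse(url)
    q = parse_qs(parsed.query).get("q")   # parse_qs already percent-decodes
    if not q:
        return None
    return ts, client, (parsed.hostname or "").lower(), q[0]


def longest_prefix_chain(events):
    """Longest run of consecutive (ts, q) events where each q extends the previous one
    and arrives within MAX_GAP_SECONDS of it."""
    best = run = 1 if events else 0
    for (t0, q0), (t1, q1) in zip(events, events[1:]):
        if q1.startswith(q0) and len(q1) > len(q0) and t1 - t0 <= MAX_GAP_SECONDS:
            run += 1
            best = max(best, run)
        else:
            run = 1
    return best


def detect_keystroke_streaming(log_text):
    """Return alerts as (client, host, chain_length, last_query, impersonated_domain)."""
    streams = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            ts, client, host, q = ev
            streams[(client, host)].append((ts, q))
    alerts = []
    for (client, host), events in streams.items():
        if in_approved_domain(host):
            continue                      # real search engines legitimately see this pattern
        events.sort(key=lambda e: e[0])   # stable: keeps log order within one second
        chain = longest_prefix_chain(events)
        if chain >= MIN_CHAIN:
            alerts.append((client, host, chain, events[-1][1], impersonated_domain(host)))
    return alerts


if __name__ == "__main__":
    for client, host, chain, last, brand in detect_keystroke_streaming(SAMPLE_LOG):
        note = f" (look-alike of {brand})" if brand else ""
        print(f"{client} streamed {chain} keystroke prefixes to {host}{note}; last query: {last!r}")
```

On the sample it raises a single alert for 10.0.0.5, whose five growing prefixes ending in "quarterly report" went to perplexity-ai.online, and flags that host as a look-alike of perplexity.ai; the same pattern towards google.com is ignored because a real suggest endpoint legitimately sees it. Pairing this with an inventory of which clients have a changed default search engine turns the alert into a direct pointer at the affected machine.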

The mechanics are straightforward and stark: AI branding drew installs, and a search-provider override did the collecting. Google removed the extension after responsible disclosure, but Microsoft did not identify who operated the site or say how many users were affected. Those unanswered details leave the incident as a clear technical lesson — and a concrete reminder that a seemingly small browser setting can expose far more data than users intend to share.

Source: The Hacker News — Malicious Perplexity Chrome Extension Intercepted Searches and Address Bar Input