Microsoft has found a malicious Chrome extension that masquerades as AI search engine Perplexity and silently logs what people search. It routed every query and every character typed into the address bar through an attacker-controlled server before redirecting users to actual results.
Microsoft says Google removed it from the store after responsible disclosure. The extension was called “Search for Perplexity AI” (id flkebkiofojicogddingbdmcmkpbplcd) and used a lookalike domain, perplexity-ai[.]online. The real service is at perplexity.ai.
Microsoft’s Defender research team says the purpose was to intercept searches and collect data. It found no evidence of password theft, but the extension asked for far more access than a search box needs.
Once installed, the extension set itself as the browser’s default search engine. When you searched, the query first went to perplexity-ai[.]online, where the attacker’s server logged it along with your browser headers, IP address, and user agent.
Then a redirect rule sent you on to a real search engine (Perplexity, Google, or Bing), so the results looked normal. The theft occurred at that first stop, before the redirect.
The address bar made it even worse. The extension also pointed the browser’s live search suggestions (suggest_url) at the same attacker domain, so your input went to the attacker’s server before you pressed Enter. It captured not only the final query, but every letter you typed.
Chrome allows search-provider overrides, and legitimate extensions use them. Rewriting and redirecting your traffic is the part a search box has no business doing. The extension requested permissions from the declarativeNetRequest family to do just that, and was backed by server-side code that logged every request. Microsoft says this is evidence that the collection was intentional, and not a side effect of the redirect.
The extension also shipped disabled redirect rules for Google and Bing, so the same setup could be turned on for those engines. It also left room for running WebAssembly code later, which a simple search tool has no reason to do.
This fits a continuing run of malicious extensions hiding behind AI branding. Some swap out the default search engine to capture what you type. Others hijack search providers or skim ChatGPT and DeepSeek chats. Microsoft’s own research put that chat-skimming wave at about 900,000 installs across more than 20,000 company networks.
The difference here is the target: not your AI chats, but your searches and the letters you type in the address bar, collected through Chrome’s own extension machinery.
If you have installed “Search for Perplexity AI”, remove it and check that your default search engine has not been changed. For teams, Microsoft suggests the basics:
- Allow only extensions approved through browser or company policy.
- Keep an eye on changed search settings, strange extension permissions, and traffic to unfamiliar domains.
- Treat AI-branded tools with extra suspicion and check the publisher and domain before installing.
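One way to check an extension's `manifest.json` for the combination described above (search override, suggestion URL, declarativeNetRequest permissions, disabled rule sets) is sketched below. It is an added example, not code from Microsoft or from the extension. The trusted-host list, the sample manifest and its `search.example` domain are constructed, and treating a `wasm-unsafe-eval` CSP as the sign of "room for WebAssembly" is an assumption.

```python
import json
from urllib.parse import urlsplit

# Assumption: hosts an organisation accepts as search endpoints; adjust locally.
TRUSTED_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "www.perplexity.ai"}
DNR_PERMISSIONS = {"declarativeNetRequest", "declarativeNetRequestWithHostAccess",
                   "declarativeNetRequestFeedback"}

def audit_manifest(manifest, trusted_hosts=TRUSTED_SEARCH_HOSTS):
    """Return a list of findings for one parsed Chrome manifest.json."""
    findings = []
    provider = manifest.get("chrome_settings_overrides", {}).get("search_provider", {})
    # search_url receives submitted queries; suggest_url receives each keystroke.
    urls = {k: provider[k] for k in ("search_url", "suggest_url") if provider.get(k)}
    for key, url in urls.items():
        host = urlsplit(url).hostname or ""
        if host not in trusted_hosts:
            findings.append(f"{key} points to untrusted host {host}")
    if provider.get("is_default"):
        findings.append("sets itself as default search engine")
    dnr = DNR_PERMISSIONS & set(manifest.get("permissions", []))
    if urls and dnr:
        findings.append("search override combined with " + ", ".join(sorted(dnr)))
    # Rule sets shipped with enabled=false can be switched on later.
    for res in manifest.get("declarative_net_request", {}).get("rule_resources", []):
        if res.get("enabled") is False:
            findings.append(f"disabled rule set shipped: {res.get('id')}")
    # Assumption: WebAssembly headroom shows up as 'wasm-unsafe-eval' in the CSP.
    csp = manifest.get("content_security_policy", {})
    if isinstance(csp, dict) and "wasm-unsafe-eval" in csp.get("extension_pages", ""):
        findings.append("CSP allows WebAssembly (wasm-unsafe-eval)")
    return findings

# Constructed sample manifest; not the real extension's file.
SAMPLE_MANIFEST = json.loads("""{
  "manifest_version": 3,
  "name": "Constructed sample",
  "permissions": ["declarativeNetRequest", "declarativeNetRequestWithHostAccess"],
  "chrome_settings_overrides": {"search_provider": {
    "name": "Sample", "keyword": "sample", "is_default": true,
    "search_url": "https://search.example/?q={searchTerms}",
    "suggest_url": "https://search.example/suggest?q={searchTerms}"}},
  "declarative_net_request": {"rule_resources": [
    {"id": "to_real_engine", "enabled": true, "path": "rules_a.json"},
    {"id": "other_engine", "enabled": false, "path": "rules_b.json"}]},
  "content_security_policy": {"extension_pages": "script-src 'self' 'wasm-unsafe-eval'"}
}""")

if __name__ == "__main__":
    print("\n".join(audit_manifest(SAMPLE_MANIFEST)))
```

To use it across a fleet, feed it each `manifest.json` found under the browser profile's extensions directory and review any extension that returns findings.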
No one has been named as an operator, and Microsoft did not say how many people had installed it before it was removed. AI branding established. Search override archived.