Microsoft has identified a malicious Chrome extension masquerading as the popular AI-powered search platform Perplexity AI. The investigation revealed that the primary objective of the extension was to covertly collect users’ search queries and information entered into the browser’s address bar.
According to the findings, the extension, named “Search for perplexity ai” (ID: flkebkiofojicogddingbdmcmkpbplcd), utilized the deceptive domain perplexity-ai[.]online to imitate the legitimate Perplexity service and mislead users. Following Microsoft's disclosure, the extension was removed from the Google Chrome Web Store.
The investigation demonstrated that, once installed, the extension configured itself as the browser’s default search engine. Whenever a user submitted a search query, the request was first transmitted to a server controlled by the threat actor. The server recorded the query along with the user’s IP address, browser headers and user-agent information before redirecting the user to legitimate search platforms such as Perplexity, Google or Bing. As a result, users continued to receive normal search results and were unlikely to detect any suspicious activity.
A more concerning aspect of the threat involved the monitoring of data entered into the browser’s address bar. The extension redirected Chrome’s live search suggestion functionality (suggest_url) to an attacker-controlled domain, enabling the transmission of every character typed by the user before the Enter key was pressed. Consequently, not only completed search queries but also information entered during the typing process was collected.
Furthermore, researchers discovered disabled redirection rules targeting Google and Bing services within the extension’s code. This finding indicates that the same mechanism could potentially be activated against additional search engines in the future. The investigation also revealed provisions for the future execution of WebAssembly code, a capability that is generally unnecessary for a conventional search-related extension.
This incident represents another example of the growing trend of malicious browser extensions distributed under the guise of artificial intelligence tools. Such campaigns are designed to monitor users’ search activities and, in some cases, their interactions with AI platforms. A previous Microsoft investigation linked similar activities to approximately 900,000 installations across more than 20,000 corporate networks.
Microsoft recommends that users immediately remove the “Search for perplexity ai” extension and verify that their browser’s default search engine settings have not been modified. The company further advises organizations and individuals to exercise caution when installing AI-branded tools and to verify the legitimacy of publishers and associated domains before deployment.
© 2011-2026 All rights reserved