Google has removed a malicious browser extension masquerading as Perplexity AI after Microsoft researchers found it was intercepting users’ search traffic and routing queries through attacker-controlled servers before forwarding them to legitimate search engines.

Microsoft Threat Intelligence said the extension masqueraded as the AI-powered answer engine to trick users into installing it. Based on its analysis, the company said the extension’s primary objective was to intercept search traffic and collect browsing data while maintaining a normal browsing experience, making the activity difficult for users to detect.

“Microsoft Threat Intelligence has identified a malicious Chromium-based extension that spoofs the AI-powered answer engine Perplexity AI to trick unsuspecting users into installing it,” the company’s threat intelligence team said in a blog post. “Based on our observation of the extension’s behavior, we assess its primary objective to be search traffic interception and data collection, which might enable downstream use cases such as profiling, targeted advertising, or other forms of misuse depending on operator intent.”

Microsoft said it reported the extension to Google, which subsequently removed it.

The incident reflects a broader trend identified by Microsoft’s researchers, who earlier this month warned that attackers were increasingly abusing the names and branding of popular AI platforms in phishing and malware campaigns.

Extension quietly intercepted browser searches

Unlike traditional browser hijackers that alter search results or flood users with advertisements, the extension operated less conspicuously.

According to Microsoft, it abused Chromium’s Manifest V3 APIs to intercept searches entered through the browser’s address bar, forwarding those queries through intermediary infrastructure controlled by the attacker before redirecting users to legitimate search providers. Because victims ultimately received the expected search results, the activity could remain largely unnoticed, the blog post added.

“The use of intermediary infrastructure allows the operator to observe search traffic while maintaining the expected browsing experience,” Microsoft Threat Intelligence said.

The attack also relied on user trust rather than exploiting a browser vulnerability.

“What makes this interesting is that the attack doesn’t really depend on exploiting a browser vulnerability. The user becomes the initial access vector,” said Vibhum Dubey, an independent cybersecurity researcher and red teamer.

Employees routinely install browser-based productivity tools, password managers, and AI assistants, making AI-branded extensions appear legitimate, Dubey said. “Users also expect AI tools to request broad permissions to access websites and browser content, allowing malicious permission requests to blend in with legitimate functionality.”

Why AI brands make good bait

For attackers, trusted AI brands are becoming increasingly attractive social engineering lures as enterprises accelerate adoption of generative AI tools.

“Attackers are following user trust,” said Sushovan Mukhopadhyay, director analyst at Gartner. “As employees adopt AI tools quickly, trusted AI brands become high-value bait for social engineering.”

Browser extensions can quietly become “a data collection layer inside the employee’s everyday workflow,” exposing sensitive search queries, browsing activity, and business context, he said.

Mukhopadhyay said the larger issue is that enterprise AI adoption is moving faster than security governance, creating opportunities for attackers to exploit the gap between employee enthusiasm and organizational controls.

A governance blind spot

Both experts said the harder enterprise problem is visibility.

“Most organizations have a mature process for software inventory, but very few have the same level of visibility for browser extensions,” Dubey said. During security assessments, he has seen organizations maintain strict application allowlists while employees continued installing browser extensions with little or no oversight.

Rather than looking only for known malicious extensions, security teams should monitor for risky behaviors such as changes to default search providers, requests for access to all websites, communications with domains unrelated to the claimed publisher, and extensions that seek additional permissions after installation, he said.

Microsoft similarly recommended that organizations verify extension publishers, carefully review requested permissions, and monitor enterprise browsers for unauthorized or unapproved extensions.

Mukhopadhyay said CISOs should begin treating browser extensions as governed enterprise software rather than personal productivity tools.

“That means using allowlists, permission reviews, search-setting monitoring, and controls for unapproved AI tools,” he said. Citing Gartner data, he said by 2029, 30% of enterprises will use secure enterprise browser technologies to improve browser extension auditing, risk profiling, and policy enforcement.
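The behaviours the experts list above (default search provider changes, access to all websites, traffic to domains unrelated to the claimed publisher, permissions requested after installation, and allowlist enforcement) can be checked directly against an extension's manifest. The auditor below is an added example written for this page; it is not code from the article, from Microsoft, or from Google. The two manifests and the extension IDs are constructed samples, and the allowlist and the `claimed_domain` argument are assumptions about how an enterprise would configure it.

```python
"""Manifest-based risk audit for Chromium extensions (added example, constructed data)."""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Set
from urllib.parse import urlparse

# Hypothetical enterprise allowlist of approved extension IDs (constructed value).
APPROVED_IDS: Set[str] = {"approved0000000000000000000000aa"}

# Host patterns that grant access to every website the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Permissions that let an extension observe or reshape browser traffic.
TRAFFIC_PERMISSIONS = {
    "webRequest", "webRequestBlocking", "declarativeNetRequest",
    "declarativeNetRequestWithHostAccess", "declarativeNetRequestFeedback",
    "webNavigation", "tabs",
}


@dataclass
class Finding:
    ext_id: str
    severity: str  # "high" or "medium"
    reason: str


def _host_patterns(manifest: Dict) -> List[str]:
    """MV3 lists host patterns under host_permissions; MV2 mixed them into permissions."""
    hosts = list(manifest.get("host_permissions", []))
    hosts += [p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"]
    return hosts


def _same_org(url: str, claimed_domain: str) -> bool:
    """True when the URL's host is the claimed publisher domain or a subdomain of it."""
    host = urlparse(url).hostname or ""
    return host == claimed_domain or host.endswith("." + claimed_domain)


def audit_manifest(ext_id: str, manifest: Dict, claimed_domain: Optional[str] = None,
                   approved: Set[str] = APPROVED_IDS) -> List[Finding]:
    """Return one Finding per risky signal observed in the manifest."""
    findings: List[Finding] = []

    def flag(severity: str, reason: str) -> None:
        findings.append(Finding(ext_id, severity, reason))

    if ext_id not in approved:
        flag("high", "not on the enterprise allowlist")
    if BROAD_HOST_PATTERNS & set(_host_patterns(manifest)):
        flag("high", "requests access to all websites")

    # chrome_settings_overrides.search_provider is how an extension takes over
    # searches typed into the address bar.
    provider = manifest.get("chrome_settings_overrides", {}).get("search_provider")
    if provider:
        search_url = provider.get("search_url", "")
        flag("high", "overrides the default search provider: " + search_url)
        if claimed_domain and not _same_org(search_url, claimed_domain):
            flag("high", "search traffic goes to a domain unrelated to " + claimed_domain)

    traffic = TRAFFIC_PERMISSIONS & set(manifest.get("permissions", []))
    if traffic:
        flag("medium", "can observe or reshape traffic: " + ", ".join(sorted(traffic)))

    # Optional permissions can be requested later, after the install review is over.
    optional = list(manifest.get("optional_permissions", []))
    optional += list(manifest.get("optional_host_permissions", []))
    if optional:
        flag("medium", "may ask for more permissions after install: " + ", ".join(optional))
    return findings


def risk_level(findings: List[Finding]) -> str:
    """Map findings to a policy decision: block, review, or ok."""
    severities = {f.severity for f in findings}
    if "high" in severities:
        return "block"
    if "medium" in severities:
        return "review"
    return "ok"


# Constructed sample: a brand-spoofing extension, loaded as manifest.json text.
SPOOF_MANIFEST = json.loads("""{
  "manifest_version": 3,
  "name": "Perplexity AI Assistant",
  "host_permissions": ["<all_urls>"],
  "permissions": ["declarativeNetRequest", "tabs", "storage"],
  "optional_permissions": ["history"],
  "chrome_settings_overrides": {
    "search_provider": {"search_url": "https://relay.unrelated-host.invalid/?q={searchTerms}"}
  }
}""")

# Constructed sample: an approved internal tool with narrow scope.
BENIGN_MANIFEST = {
    "manifest_version": 3,
    "name": "Intranet Helper",
    "host_permissions": ["https://intranet.example.invalid/*"],
    "permissions": ["storage"],
}

if __name__ == "__main__":
    for ext_id, manifest, domain in (
        ("spoof0000000000000000000000000bb", SPOOF_MANIFEST, "perplexity.ai"),
        ("approved0000000000000000000000aa", BENIGN_MANIFEST, "example.invalid"),
    ):
        found = audit_manifest(ext_id, manifest, claimed_domain=domain)
        print(f"{manifest['name']}: {risk_level(found)}")
        for f in found:
            print(f"  [{f.severity}] {f.reason}")
```

Run it against the unpacked extension directories under a Chromium profile (each contains a `manifest.json`) or against manifests exported by an enterprise browser; the `claimed_domain` is the domain of the brand the extension name claims, so that a search provider pointing elsewhere is flagged as unrelated to the publisher.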

As browsers become the primary workspace for email, SaaS applications, and AI assistants, attackers are likely to continue targeting them, Dubey said. Organizations should therefore treat browser extensions “as third-party software suppliers” that are reviewed, approved, and continuously monitored like any other enterprise application.