
Malicious Perplexity Chrome Extension Intercepted Searches and Address Bar Input

June 29, 2026

Microsoft has discovered a malicious Chrome extension that posed as the AI search engine Perplexity and quietly logged what people searched for. The extension, named “Search for perplexity ai” (ID flkebkiofojicogddingbdmcmkpbplcd), used a look-alike domain, perplexity-ai[.]online, to impersonate the real service at perplexity.ai. It routed every query and every character typed into the address bar through an attacker-controlled server before redirecting users to real results. Google removed it from the store after responsible disclosure.

Once installed, the extension set itself as the browser’s default search engine. When a user searched, the query went first to perplexity-ai[.]online, where the attacker’s server logged it with browser headers, IP address, and user agent. A rule then bounced the user to a real search engine (Perplexity, Google, or Bing), making the results appear normal. The theft occurred on that first stop, before the redirect. The extension also pointed the browser’s live search suggestions (suggest_url) to the same attacker domain, so every character was captured as it was typed, before the user pressed Enter.

The extension requested declarativeNetRequest permissions to rewrite and redirect traffic, and shipped server-side code that logged every request. Microsoft considers this proof that the collection was deliberate. The extension also included disabled redirect rules for Google and Bing, and left room to run WebAssembly code later. This fits a pattern of malicious extensions hiding behind AI branding. Microsoft’s research tied a similar chat-skimming wave to roughly 900,000 installs across more than 20,000 company networks.

Users who installed “Search for perplexity ai” should remove it and check that their default search engine has not been changed. For teams, Microsoft recommends allowing only approved extensions through browser or company policy, watching for changed search settings, strange extension permissions, and traffic to unfamiliar domains, and treating AI-branded tools with extra suspicion.
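As an added example (not code from Microsoft or from this article), the sketch below audits an extension's parsed manifest.json for the combination described above: a default search override whose search_url or suggest_url points outside an approved list, together with declarativeNetRequest permissions. The approved-domain list, the function names, and both sample manifests are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Assumption: the search hosts an organisation chooses to accept.
APPROVED_SEARCH_DOMAINS = {"perplexity.ai", "google.com", "bing.com"}
REDIRECT_PERMISSIONS = {"declarativeNetRequest", "declarativeNetRequestWithHostAccess"}

def host_is_approved(url, approved=APPROVED_SEARCH_DOMAINS):
    """True only if the URL host is an approved domain or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in approved)

def audit_manifest(manifest):
    """Return a list of findings for one parsed manifest.json."""
    findings = []
    overrides = manifest.get("chrome_settings_overrides") or {}
    provider = overrides.get("search_provider") or {}
    if provider.get("is_default"):
        findings.append("sets itself as the default search engine")
    for key in ("search_url", "suggest_url"):
        url = provider.get(key)
        if url and not host_is_approved(url):
            findings.append(f"{key} points to unapproved host {urlsplit(url).hostname}")
    perms = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    hits = sorted(perms & REDIRECT_PERMISSIONS)
    if provider and hits:
        findings.append("search override combined with " + ", ".join(hits))
    return findings

# Constructed sample: look-alike host on a reserved .example domain.
SAMPLE_SUSPECT = json.loads("""
{
  "manifest_version": 3,
  "name": "Constructed search helper",
  "permissions": ["declarativeNetRequest"],
  "chrome_settings_overrides": {
    "search_provider": {
      "name": "Constructed",
      "is_default": true,
      "search_url": "https://perplexity-ai.example/search?q={searchTerms}",
      "suggest_url": "https://perplexity-ai.example/suggest?q={searchTerms}"
    }
  }
}
""")
# Constructed sample: an extension with no search override at all.
SAMPLE_BENIGN = {"manifest_version": 3, "name": "Notes", "permissions": ["storage"]}

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_SUSPECT):
        print("FINDING:", finding)
```

The host check compares against the registered domain and its subdomains, so a hyphenated look-alike or an approved name used as a prefix of another domain does not pass.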

CVEs: CVE-2026-20245

Companies: Microsoft, Google, Perplexity AI

Products: Chrome