Microsoft says a malicious Chromium-based browser extension spoofed Perplexity AI, intercepted searches typed into the address bar, and routed them through attacker-controlled infrastructure before sending users on to legitimate search results.
The extension, named Search for perplexity ai, has been taken down after Microsoft reported it to Google, according to research published by Microsoft Defender Security Research and Microsoft Defender Experts on June 29. Microsoft identified the extension ID as flkebkiofojicogddingbdmcmkpbplcd and the suspicious domain as perplexity-ai[.]online, a lookalike domain not associated with the real Perplexity service.
The finding is narrow, but the risk is bigger than one fake extension. As AI search tools become normal parts of browser workflows, attackers are borrowing trusted AI branding to make old browser-extension abuse feel like a productivity upgrade.
How the extension hid the redirect
Microsoft’s analysis found that the extension used Chromium’s Manifest V3 capabilities and declarativeNetRequest rules to turn a normal-looking search into a two-step redirect. A user typed a query into the browser’s Omnibox. The browser sent that query to perplexity-ai[.]online. The extension then redirected the user to a legitimate search provider, so the final page could still look normal.
That design matters because the visible search result was not where the data exposure happened. Microsoft says the first hop let the attacker-controlled server log the query, HTTP headers, user agent, and source IP address before the redirect completed. The extension’s suggest_url field also routed real-time search suggestions through the same infrastructure, meaning typed characters could be sent before the user pressed Enter.
The extension also attempted to set itself as the browser’s default search provider through chrome_settings_overrides. That kind of setting can be legitimate in a real search extension, but Microsoft flagged the combination of a lookalike AI brand, search override behavior, powerful network permissions, and redirection infrastructure as inconsistent with a trustworthy AI assistant.
Why AI-branded extensions are attractive to attackers
Browser extensions can sit close to search traffic, page content, cookies, and browsing behavior. That makes them useful software when they are legitimate and a high-value attack surface when they are not. AI branding adds another layer of social engineering because users increasingly expect AI helpers to live inside browsers, summarize pages, change search behavior, and ask for broad permissions.
Microsoft’s post does not claim the extension stole passwords. The confirmed behavior is search interception and data collection. But search queries can still reveal work projects, medical questions, financial intent, unreleased company names, customer problems, and other sensitive context. In a company environment, address-bar searches can also expose internal tool names or incident-response activity.
The extension’s architecture also showed room for broader abuse. Microsoft found disabled rule sets for Google and Bing in addition to Perplexity, plus server-side code that logged incoming requests and proxied suggestion queries. That makes the case more useful than a simple fake-app warning: it shows how an AI-themed extension can preserve a normal user experience while quietly collecting the traffic in the middle.
What to check if you installed AI browser tools
Anyone who installed a Perplexity-themed Chrome or Chromium extension should check the extension list and remove anything named Search for perplexity ai or matching Microsoft’s reported extension ID. In Chrome, Edge, Brave, and other Chromium browsers, review installed extensions, verify the publisher, and remove anything that changes search behavior without a clear reason.
Users should also check their default search provider and startup/search settings after removing a suspicious extension. If the browser points to a lookalike AI domain, reset it to the intended provider. For an extra check, review recent browser history for traffic to perplexity-ai[.]online or the onboarding URL extension.tilda[.]ws/perplexityai.
For managed environments, the practical response is stricter extension governance. Microsoft recommends allow-listing trusted extensions, monitoring unauthorized search-setting changes, watching for unusual extension permissions, and looking for outbound traffic to intermediary domains associated with search activity. Security teams using Microsoft Defender can hunt for the extension ID in file events and look for network connections to the suspicious domain.
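One way to automate the manifest review described above, as an added example that is not Microsoft's code or part of the original article: it audits installed extension manifests for the reported ID and for the combination Microsoft flagged (search-provider override, suggest_url routing, declarativeNetRequest, dormant rule sets). The function names and the sample manifest are constructed for illustration, and the scan assumes the standard Chromium layout of Extensions/<id>/<version>/manifest.json.

```python
import json
from pathlib import Path
from urllib.parse import urlsplit

REPORTED_ID = "flkebkiofojicogddingbdmcmkpbplcd"  # extension ID from Microsoft's report
REPORTED_HOSTS = {"perplexity-ai.online"}         # lookalike domain from the report
DNR = ("declarativeNetRequest", "declarativeNetRequestWithHostAccess")

def audit_manifest(ext_id, manifest):
    """Return findings for one parsed manifest.json (empty list: nothing flagged)."""
    findings = []
    if ext_id == REPORTED_ID:
        findings.append("id: matches reported extension ID")
    sp = manifest.get("chrome_settings_overrides", {}).get("search_provider", {})
    for key in ("search_url", "suggest_url"):
        host = (urlsplit(sp.get(key, "")).hostname or "").lower()
        if host:
            tag = " (reported domain)" if host in REPORTED_HOSTS else ""
            findings.append(f"{key}: address-bar traffic goes to {host}{tag}")
    if sp.get("is_default"):
        findings.append("search_provider: sets itself as default")
    if sp and any(p in DNR for p in manifest.get("permissions", [])):
        findings.append("combo: search override plus declarativeNetRequest")
    rules = manifest.get("declarative_net_request", {}).get("rule_resources", [])
    dormant = [r.get("id") for r in rules if not r.get("enabled", True)]
    if dormant:
        findings.append(f"dnr: disabled rule sets: {dormant}")
    return findings

def scan_extensions_dir(extensions_dir):
    """Audit every <id>/<version>/manifest.json under a profile's Extensions folder."""
    results = {}
    for path in Path(extensions_dir).glob("*/*/manifest.json"):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        if found := audit_manifest(path.parent.parent.name, manifest):
            results[str(path)] = found
    return results

# Constructed sample manifest (not the real extension's file).
SAMPLE = {
    "permissions": ["declarativeNetRequest"],
    "chrome_settings_overrides": {"search_provider": {
        "is_default": True,
        "search_url": "https://perplexity-ai.online/search?q={searchTerms}",
        "suggest_url": "https://perplexity-ai.online/suggest?q={searchTerms}"}},
    "declarative_net_request": {"rule_resources": [{"id": "google", "enabled": False}]},
}
```

A legitimate search extension will also produce search_url and is_default findings, so treat the output as a review queue and weigh the host against the vendor's real domain.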
The safer rule for AI extensions
The safest habit is to treat AI-branded extensions like any other privileged browser software, not like a lightweight shortcut. Install from the official vendor or a well-known marketplace listing, confirm the developer name, check whether the domain matches the real service, and be skeptical of tools that demand search-provider control when their purpose is supposed to be chat, summarization, or answer generation.
For companies, the lesson is more direct: browser extensions have become part of the AI software supply chain. If employees are free to install AI search helpers, coding assistants, meeting summarizers, and page readers without review, the browser becomes another place where trusted-brand impersonation can turn ordinary work into a data-collection channel.