Microsoft Warns: Fake Perplexity Extension Abused Chrome Search Features


Microsoft found a fake Perplexity AI Chrome extension that rerouted searches through attacker servers. Here’s what users should check now.

Jul 1, 2026

Your Chrome searches may not have been going where you thought.

Microsoft has uncovered a malicious Chrome extension masquerading as Perplexity AI that rerouted users’ address bar searches and autocomplete requests through attacker-controlled servers before sending them to legitimate search engines. The extension abused legitimate Chromium search APIs rather than exploiting a browser vulnerability, allowing it to appear normal.

Google has since removed the extension from the Chrome Web Store following Microsoft’s disclosure. Yet the incident raises a serious question: what happens when attackers distribute malicious software through official platforms, compromising thousands or even millions of unsuspecting users?

Deception at its finest

The extension’s success stems from how little it changed the browsing experience.

In a typical search scenario, when the user types in Chrome’s search bar, the browser listens for their search input and sends it to the search provider in real time, which returns auto-suggestions.

The attackers first created a fake Perplexity AI extension, baiting users into installing it by posing as a legitimate AI tool. That deception allowed the attackers to request the search-related permissions they needed without raising suspicion among users.

With the extension installed and granted the necessary permissions, searches typed into Chrome’s address bar were first routed to an attacker-controlled server instead of going directly to the user’s preferred search engine. The server logged the search input before redirecting the request to the legitimate search provider.

According to Microsoft, “the extension requests powerful DNR permissions that enable traffic redirection, URL rewriting, and selective request filtering, which aren’t consistent with expected AI assistant behavior.” A key Chrome manifest setting used by the malicious extension is chrome_settings_overrides, which lets an extension change the browser’s search settings and so allowed the attacker to turn Chrome’s own features against the browser’s users.


Malware keeps finding its way into official platforms

For years, one of the most common cybersecurity recommendations has been to download software only from official platforms. The reasoning is straightforward: apps and extensions published through trusted marketplaces are expected to undergo security checks before reaching users.

However, recent incidents suggest those safeguards are not foolproof. Attackers have repeatedly found ways to slip malicious software past review processes, allowing malware to be distributed through platforms many users trust by default:


What you should do now

Google has removed the fake Perplexity AI extension, but users should still take a few precautions:

  • Remove the extension with ID: “flkebkiofojicogddingbdmcmkpbplcd” if it is installed.
  • Change your passwords as a precaution, even though Microsoft found no evidence of credential theft.
  • Verify an extension’s website before installing. The fake extension used perplexity-ai[.]online instead of the legitimate perplexity.ai.
  • Review extension permissions carefully, especially requests to modify browser settings or search behavior.
  • Audit your installed extensions regularly and remove those you no longer use.
  • Where possible, use the service’s official website instead of a browser extension.
  • Keep your browser up to date with the latest security updates.
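
An added example (not from Microsoft’s report or the original article): a Python audit that flags installed extensions whose manifest.json sets chrome_settings_overrides search or suggest URLs, combines them with DNR permissions, or matches the extension ID listed above. It assumes the folder passed to scan_extensions_dir is laid out as <extension id>/<version>/manifest.json; the sample manifest is constructed and its hosts are placeholders.

```python
import json
from pathlib import Path
from urllib.parse import urlsplit

KNOWN_BAD_IDS = {"flkebkiofojicogddingbdmcmkpbplcd"}  # ID given in the article
DNR_PERMISSIONS = {
    "declarativeNetRequest",
    "declarativeNetRequestWithHostAccess",
    "declarativeNetRequestFeedback",
}

def audit_manifest(ext_id, manifest):
    """Return a list of findings for one parsed manifest.json."""
    findings = []
    if ext_id in KNOWN_BAD_IDS:
        findings.append("known-bad-id")
    overrides = manifest.get("chrome_settings_overrides") or {}
    provider = overrides.get("search_provider") or {}
    # search_url serves address bar queries, suggest_url serves autocomplete.
    for key in ("search_url", "suggest_url"):
        url = provider.get(key)
        if isinstance(url, str) and url:
            findings.append(f"{key}-override:{urlsplit(url).hostname}")
    # Ignore non-string permission entries so set membership cannot fail.
    declared = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    dnr = sorted(declared & DNR_PERMISSIONS)
    if dnr and provider:
        findings.append("dnr-with-search-override:" + ",".join(dnr))
    return findings

def scan_extensions_dir(root):
    """Audit every <root>/<extension id>/<version>/manifest.json."""
    report = {}
    for path in sorted(Path(root).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        if isinstance(manifest, dict):
            findings = audit_manifest(path.parent.parent.name, manifest)
            if findings:
                report[path.parent.parent.name] = findings
    return report

# Constructed sample manifest (not the real extension's); hosts are placeholders.
SAMPLE = {
    "name": "Example AI helper",
    "permissions": ["declarativeNetRequest", "storage"],
    "chrome_settings_overrides": {"search_provider": {
        "search_url": "https://search.example.invalid/q?s={searchTerms}",
        "suggest_url": "https://search.example.invalid/ac?s={searchTerms}",
    }},
}
```

A search override is not malicious by itself, so compare each flagged host with the extension’s stated publisher before removing anything.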

The broader lesson is simple: browser extensions deserve the same scrutiny as any other software. Even when an extension comes from an official store, users should still check the publisher, permissions, website, and ongoing need before keeping it installed.


Joseph Ofonagoro
