Microsoft has disclosed that a significant number of users have unknowingly installed harmful browser extensions pretending to be authentic AI assistant tools, aiming to gather chat histories and browsing data.
The official report from Microsoft Defender reveals that these malicious Chromium-based extensions amassed around 900,000 installations. The impact of this campaign extended to over 20,000 business tenants, particularly those where staff regularly engage with AI tools involving sensitive data.
These extensions were designed to extract complete URLs and AI chat content from platforms like ChatGPT and DeepSeek, leaving organizations vulnerable to potential breaches of confidential information, such as proprietary code, strategic discussions, and internal workflows.
The threat actor behind this scheme released counterfeit AI assistant extensions on the Chrome Web Store, mimicking legitimate productivity tools like AITOPIA. Given that Microsoft Edge supports Chrome Web Store extensions, the deceptive listings could reach users on both browsers.
Once installed, these extensions operated persistently within the browser environment, collecting AI chat content and browsing data directly from active sessions, storing the information locally before transferring it out.
Maintaining contact with infrastructure controlled by the attackers through standard web protocols, the extensions disguised their activities as normal browser traffic. Periodically, data was transmitted via HTTPS POST requests to domains such as deepaichats[.]com and chatsaigpt[.]com. Subsequently, local caches were cleared to minimize detection.
Microsoft highlighted that the extensions employed a deceptive consent mechanism for ongoing data collection. Even though users could disable telemetry initially, subsequent updates automatically reactivated it without clear user notification.
The extensions tracked almost all visited URLs, including internal sites, alongside chat excerpts, model names, and a persistent identifier. Microsoft’s investigation revealed that the code lacked effective filtering and consent management.
The threat actor specifically targeted the expanding realm of AI-assistant browser extensions, taking advantage of the tendency for many professionals to install sidebar tools for interacting with models like ChatGPT and DeepSeek. These extensions often require wide-ranging permissions at the page level for user convenience.
In certain instances, assertive browsers automatically downloaded the extensions without explicit user consent, underscoring the persuasiveness of their names and descriptions, according to Microsoft.
To combat this threat, Microsoft recommended organizations to monitor network traffic to identified endpoints, such as *.chatsaigpt.com and *.deepaichats.com. Additionally, it advised conducting audits on browser extensions using Microsoft Defender Vulnerability Management, activating SmartScreen and Network Protection, and establishing organizational guidelines on AI utilization.
Users were also urged to scrutinize their installed extensions and remove any unfamiliar or unverified tools for added security.
