A malicious Chromium extension impersonating Perplexity AI captured search queries and real-time typing from users’ address bars before redirecting them to the real results, according to research published June 29 by the Microsoft Defender Security Research Team. Google removed the extension from the Chrome Web Store after Microsoft reported it through responsible disclosure.

The extension, listed as “Search for perplexity ai” with ID flkebkiofojicogddingbdmcmkpbplcd, used the typosquatted domain perplexity-ai[.]online rather than the legitimate perplexity.ai. Its manifest set the extension as the browser’s default search provider, so all Omnibox queries were routed through attacker-controlled infrastructure before users were delivered to their intended search results. The user saw nothing unusual.

The two-hop intercept is the critical technical detail. The extension’s suggest_url field, which handles real-time autocomplete suggestions, also pointed to the attacker domain. That means each keystroke entered in the address bar before a user pressed Enter was transmitted to the attacker server. The server logged the full request, capturing request headers, the browser user agent, and the visitor’s IP address, before the redirect rules sent the user onward. Data was collected on hop one; the redirect on hop two preserved the illusion of a normal search experience.

Microsoft’s analysis of the bundled server-side code (a Node.js proxy and nginx configuration) confirmed the logging was architecturally intentional, not a side effect of the redirect mechanism. The nginx config filtered CORS origins to infrastructure under *.oda[.]digital, indicating operator-controlled backend infrastructure. The extension’s manifest also included inactive redirect rule sets for Google and Bing, suggesting the capability to expand targeting.

Microsoft’s analysis found no definitive evidence of credential theft, but noted the permissions requested introduced elevated privacy and security risk. The declarativeNetRequest permissions it requested let the extension redirect traffic, rewrite URLs, and filter requests selectively, none of which fits the behavior of a legitimate AI search assistant. A real search tool does not need advanced network-manipulation APIs.

Why this matters for search and SEO teams. Browser extensions sit between the user and the SERP. An extension controlling the default search provider and the suggest endpoint controls what queries are logged before they reach any search engine. For organizations where staff install AI productivity extensions without central approval, this represents a search-integrity and data-privacy risk that sits entirely outside normal search monitoring. Search Console, analytics platforms, and ranking tools have no visibility into what happens at this layer.

The specific social engineering angle is worth noting. Microsoft’s research points out that AI-branded extensions currently see high install rates and that people tend to trust AI tools built into the browser more readily. Perplexity AI is a recognized search product, and the extension branding closely matched it. The gap between perplexity.ai and perplexity-ai[.]online is exactly the kind of difference a non-technical user is unlikely to notice.

The concrete precaution for teams managing users at scale is a two-part check: audit any browser extensions installed across managed devices that request search provider override permissions or declarativeNetRequest access, and warn users explicitly that AI-branded tools appearing in the Chrome Web Store may not be affiliated with the companies they name. Microsoft recommends enforcing extension allowlists through enterprise policy controls in managed environments and watching for outbound traffic to unusual domains tied to search activity.
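The audit half of that check can be scripted against each installed extension's manifest.json. The sketch below is an added example, not code from Microsoft's research or from the extension; the sample manifest is constructed, and its hosts and the allowlist value are placeholders.

```python
import json
from urllib.parse import urlsplit

DNR_PERMISSIONS = {
    "declarativeNetRequest",
    "declarativeNetRequestWithHostAccess",
    "declarativeNetRequestFeedback",
}

def audit_manifest(manifest, allowed_hosts=frozenset()):
    """Return findings for one parsed extension manifest.json (dict)."""
    findings = []
    provider = manifest.get("chrome_settings_overrides", {}).get("search_provider", {})
    if provider.get("is_default"):
        findings.append("overrides default search provider")
    # search_url receives submitted queries; suggest_url receives each keystroke.
    for key in ("search_url", "suggest_url"):
        host = (urlsplit(provider.get(key, "")).hostname or "").lower()
        if host and host not in allowed_hosts:
            findings.append(f"{key} host not allowlisted: {host}")
    for perm in sorted(DNR_PERMISSIONS & set(manifest.get("permissions", []))):
        findings.append(f"requests {perm}")
    # Rule sets shipped disabled still matter: they show what could be targeted.
    rules = manifest.get("declarative_net_request", {}).get("rule_resources", [])
    for rule in rules:
        state = "enabled" if rule.get("enabled") else "disabled"
        findings.append(f"{state} declarativeNetRequest ruleset: {rule.get('id')}")
    return findings

# Constructed sample manifest (not the real extension's); hosts are placeholders.
SAMPLE_MANIFEST = json.loads("""
{
  "manifest_version": 3,
  "name": "Search for vendor ai",
  "permissions": ["declarativeNetRequest", "storage"],
  "chrome_settings_overrides": {"search_provider": {
    "name": "Vendor AI", "keyword": "vendor", "is_default": true,
    "search_url": "https://vendor-ai.example/search?q={searchTerms}",
    "suggest_url": "https://vendor-ai.example/suggest?q={searchTerms}"}},
  "declarative_net_request": {"rule_resources": [
    {"id": "primary", "enabled": true, "path": "rules/primary.json"},
    {"id": "google", "enabled": false, "path": "rules/google.json"}]}
}
""")

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST, allowed_hosts={"vendor.example"}):
        print(finding)
```

An extension that combines a default-provider override, a non-allowlisted suggest_url host and declarativeNetRequest access matches the pattern described in this report and warrants manual review.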

The extension has been removed. The typosquatted domain and extension ID (flkebkiofojicogddingbdmcmkpbplcd) serve as indicators of compromise for organizations running endpoint detection.

Microsoft Security Blog (Microsoft Defender Security Research Team) published June 29, 2026; reported widely June 30, 2026.