Microsoft has issued a stark warning regarding a sophisticated cyber campaign that has compromised the chat histories of employees across over 20,000 enterprise tenants. This widespread breach was orchestrated by a network of fake AI browser extensions, which masqueraded as legitimate productivity tools and successfully infiltrated corporate environments, highlighting a significant vulnerability in the adoption of AI-powered workplace solutions.
These malicious extensions, built for Chromium-based browsers, amassed nearly 900,000 installations before being detected. Their primary objective was to discreetly harvest sensitive data, including full conversation histories from popular AI platforms like ChatGPT and DeepSeek, alongside visited URLs and browsing telemetry. This allowed attackers to gain unauthorized access to proprietary information, internal code, and strategic plans shared by corporate employees.
Fake AI Browser Extensions Compromise Sensitive Corporate Data
Microsoft Defender analysts identified the widespread threat after observing anomalous outbound network connections originating from browser extensions within numerous enterprise environments. The threat actors demonstrated considerable skill by meticulously replicating the branding, permission requests, and user interface elements of legitimate extensions, such as the widely used AITOPIA tool. This level of imitation was crucial in evading detection by standard security protocols and gaining user trust.
The distribution vector for these counterfeit extensions was primarily the Chrome Web Store, leveraging its trusted reputation. Because Microsoft Edge also supports Chromium-based extensions from the same store, a single malicious listing could infect users across both browsers simultaneously. In some instances, agentic browsers further facilitated the spread by automatically downloading these extensions without explicit user consent, amplifying the campaign’s reach across both personal and corporate devices.
The data exfiltrated by these extensions was extensive, encompassing internal application URLs, detailed AI chat transcripts, model names used, and persistent session identifiers. This provided attackers with an evolving and comprehensive view of employee activities and ongoing projects. Troublingly, the persistent nature of the data collection meant that even employees who had attempted to opt out of data sharing were unknowingly contributing to the compromised information trove following each extension update.
Infection Mechanism and Stealthy Data Exfiltration
Upon installation, the malicious extensions employed background scripts to log visited URLs and AI chat content without requiring further user interaction. The inherent permissions granted to Chromium-based extensions allowed them access to nearly every page viewed within the browser, including sensitive internal corporate sites and AI chat sessions. The gathered data was stored locally in a Base64-encoded JSON format.
To evade detection by network monitoring tools, the data was not transmitted continuously but rather at scheduled intervals. This deliberate design minimized the chances of triggering alerts associated with constant, high-volume data transfers. The extensions then sent this collected information via HTTPS POST requests to attacker-controlled domains, primarily identified as `deepaichats[.]com` and `chatsaigpt[.]com`. Microsoft researchers noted that the structure of this traffic was engineered to blend seamlessly with standard web requests, rendering the command and control (C2) channel largely invisible to conventional security solutions.
Following successful data transmission, the extension diligently cleared its local storage to eliminate any trace of its activity on the device. A particularly concerning feature was the embedded mechanism that automatically re-enabled data collection after every extension update, effectively overriding any previously configured user consent settings. This persistent data harvesting capability underscored the sophisticated and evasive nature of the attack.
Mitigation Strategies and Future Outlook
Organizations are strongly advised to take immediate steps to assess their exposure to this threat. This includes auditing all browser extensions currently installed across their device fleets and removing any that are unrecognized or have been flagged in this campaign. Security teams should actively monitor outbound POST traffic for connections to known malicious domains, including `*.chatsaigpt.com`, `*.deepaichats.com`, `*.chataigpt.pro`, and `*.chatgptsidebar.pro`, to promptly identify all affected devices.
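One way to run that traffic check over web proxy logs, as an added example that is not taken from Microsoft's report: it matches the four domain patterns above on label boundaries, so look-alike hosts are not flagged, and groups hits by device. The `key=value` log format, device names and sample lines are constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Domain patterns named in the article; each covers the apex and any subdomain.
C2_SUFFIXES = ("chatsaigpt.com", "deepaichats.com", "chataigpt.pro", "chatgptsidebar.pro")

# Constructed sample lines in an assumed "timestamp key=value ..." proxy log format.
SAMPLE_LOG = """\
2025-01-10T09:00:02Z host=WS-0142 method=POST url=https://api.deepaichats.com/v1/sync bytes=18234
2025-01-10T09:00:05Z host=WS-0142 method=GET url=https://chatgpt.com/ bytes=512
2025-01-10T09:30:02Z host=WS-0142 method=POST url=https://API.DeepAIChats.com./v1/sync bytes=20110
2025-01-10T09:31:40Z host=WS-0077 method=POST url=https://chatsaigpt.com:443/collect bytes=9021
2025-01-10T09:32:00Z host=WS-0311 method=POST url=https://notchatsaigpt.com/form bytes=300
2025-01-10T09:33:00Z host=WS-0311 method=POST url=https://deepaichats.com.example.org/x bytes=300
2025-01-10T09:34:00Z host=WS-0500 method=GET url=https://www.chataigpt.pro/ bytes=700
"""

def normalize(hostname):
    """Lower-case, refang '[.]' and drop a trailing root dot."""
    return (hostname or "").replace("[.]", ".").rstrip(".").lower()

def is_c2_host(hostname):
    """True for a listed domain or any subdomain; label-boundary match, not substring."""
    h = normalize(hostname)
    return any(h == s or h.endswith("." + s) for s in C2_SUFFIXES)

def parse_line(line):
    """Split one log line into a dict of fields; returns None for blank lines."""
    parts = line.split()
    if not parts:
        return None
    rec = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    rec["ts"] = parts[0]
    return rec

def find_affected(log_text, methods=("POST",)):
    """Map each device to the (timestamp, hostname, bytes) of its matching requests."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec.get("method", "").upper() not in methods:
            continue
        hostname = normalize(urlsplit(rec.get("url", "")).hostname)
        if is_c2_host(hostname):
            hits[rec.get("host", "unknown")].append((rec["ts"], hostname, int(rec.get("bytes", 0))))
    return dict(hits)

if __name__ == "__main__":
    for device, events in sorted(find_affected(SAMPLE_LOG).items()):
        print(device, events)
```

Passing `methods=("POST", "GET")` widens the search to any contact with the listed domains, which also surfaces devices that reached them without uploading data.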
Implementing strict extension allowlisting policies through enterprise browser management platforms is identified as a highly effective measure to prevent employees from installing unvetted add-ons. Furthermore, enabling robust network protection to block access to known C2 endpoints is crucial. Applying comprehensive data security controls specifically around browser-based AI chat tools can significantly reduce the risk of sensitive information leaving the organization. Finally, it is imperative to educate employees on the importance of reviewing their installed Chrome and Edge extensions, removing any unfamiliar or unnecessary tools, and strictly adhering to IT-approved software installations.
The ongoing proliferation of AI tools in the workplace necessitates a heightened and sustained focus on security. As AI becomes more integrated into daily workflows, the potential for sophisticated attacks targeting AI-related data and infrastructure will likely increase. Organizations must remain vigilant and adapt their security postures to counter evolving cyber threats in this rapidly developing technological landscape.

