
Malicious Browser Extensions: Detection and Management with Microsoft Defender XDR, Sentinel, and CrowdStrike

3 February 2025
Precursor Security

Malicious browser extensions are browser add-ons that steal data, harvest credentials, or mine cryptocurrency from affected devices - often without users knowing. Research from Cyberhaven's 2024 Browser Security Report found 51% of installed extensions carry high-risk permissions. This guide covers how to detect and manage them using Microsoft Defender XDR (Extended Detection and Response), Microsoft Sentinel, and CrowdStrike Exposure Management.

Why Are Malicious Browser Extensions on the Rise?

Browser extensions have become a primary target for attackers because they operate with persistent, elevated access to everything a user does in their browser - and most organisations have no visibility into what is installed across their estate. Originally built to add productivity features, extensions are now a standard feature of how employees access the web - and their deep permissions make them an attractive attack vehicle.

Over the years, attackers have exploited browser extensions as a vehicle for data theft, credential harvesting, and malware distribution. High-profile incidents like the compromise of the Cyberhaven extension in 2024, where malicious code was injected to steal sensitive data from approximately 400,000 users, highlight the growing sophistication of these threats. Similarly, cases like the "Great Suspender" in 2021 and the "DataSpii Incident" in 2019 revealed how seemingly legitimate extensions could be weaponised after being sold to unknown entities or through deceptive updates.

What Risks Do Browser Extensions Pose to Organisations?

When you install a browser extension, you grant it a set of permissions. It's worth noting that not all of these require explicit consent from the user. Here are some of the types of permissions that a browser extension may rely on:

  • Cookies
  • Identities
  • Browsing history and data
  • Credentials
  • Live web page contents
  • Text input
  • Audio/video capture

As you can see by this list, depending on the extension, some of these categories could be deemed a risk to the organisation. Should your daily news feed extension be able to read text input on all other websites? Is this justified?

Malicious actors saw this as an opportunity: browser extensions regularly go ignored by detection and audit teams alike, making the creation and proliferation of a malicious extension easier than developing and deploying traditional malware. A 2024 analysis of 300,000 browser extensions found that 51% pose high security risks; the same research found that 99% of enterprise employees have at least one extension installed and 52% run more than ten.

How Do Malicious Browser Extensions Proliferate?

In order to distribute malicious extensions, attackers are naturally creative in their techniques. Below, we've listed some of the common ways.

Deceptive Publishing

Attackers often submit malicious extensions to official web stores, such as the Chrome Web Store, disguising them as legitimate tools. They employ tactics like:

  • Choosing unsuspecting titles and icons
  • Requesting minimal permissions initially
  • Encrypting malicious payloads to avoid detection

In some cases, these extensions pass the initial screening process, becoming publicly available for download.

Social Engineering

Once published, malicious actors use various methods to trick users into installing their extensions:

  • Phishing emails with malicious macros
  • Drive-by download websites
  • Compromising open-source extensions on platforms like GitHub
  • Posing as recruiters on LinkedIn

Malvertising Campaigns

Hackers create lookalike sites that impersonate popular software and services, such as:

  • Roblox
  • YouTube
  • VLC media player

These fake sites use malvertising to trick users into downloading and installing risky software.

Exploitation of Legitimate Extensions

In some cases, attackers target and compromise legitimate, popular extensions. The December 2024 Cyberhaven incident is one of the most thoroughly documented examples of this supply chain attack pattern.

The Cyberhaven supply chain attack (December 2024)

On 24 December 2024, a Cyberhaven employee received a phishing email impersonating a Google Chrome Web Store Developer notification. Rather than stealing the developer's password directly, the attack used OAuth phishing: the employee was prompted to authorise a malicious OAuth application called "Privacy Policy Extension," which granted the attacker write access to the Cyberhaven Chrome Web Store developer account - bypassing multi-factor authentication entirely.

At approximately 01:32 UTC on 25 December 2024, the attacker published a malicious update (version 24.10.4) to the Chrome Web Store. The update passed Chrome's automated review. Cyberhaven's security team detected the compromise later that day, and a clean replacement (version 24.10.5) was issued within approximately 24 hours. Approximately 400,000 users had the extension installed during the exposure window. The malicious code specifically targeted Facebook Business and Ads account credentials, silently collecting session cookies and authentication tokens via a C2 domain masquerading as a legitimate Cyberhaven endpoint (cyberhavenext[.]pro).

Subsequent investigation identified that the same or related threat actors had compromised more than 35 additional Chrome extensions in the same campaign window, affecting a combined estimated total of approximately 2.6 million users across the broader supply chain attack - reported by TechCrunch, Darktrace, and BankInfoSecurity. Cyberhaven engaged Mandiant as their incident response firm. Affected users were required to revoke cookies and invalidate OAuth tokens across all services accessed during the exposure window.

The detection gap in this case is instructive: the malicious update passed Chrome Web Store automated review. Endpoint-level detection would have required behaviour-based EDR (Endpoint Detection and Response) rules or extension permission-diff alerting - precisely the capability that CrowdStrike Exposure Management and Microsoft Defender XDR's DeviceTvmBrowserExtensions table provide.

The "Great Suspender" case in 2021 followed a different but equally instructive pattern: a legitimate extension with over 2 million users was sold to an unknown buyer, who subsequently added tracking and URL-hijacking code through normal update channels. Google removed the extension on 4 February 2021 after security researchers identified malicious behaviour - but only after the modified extension had been in circulation for months.

What Are the Challenges in Detecting Malicious Browser Extensions?

Several factors contribute to the difficulty in detecting and preventing malicious extensions:

  • The Chrome Web Store currently hosts approximately 112,000 active extensions - down from a peak of around 137,000 in 2020 due to Google's ongoing removal of inactive and policy-violating listings - but the volume still makes thorough vetting challenging.
  • Malicious extensions can remain available for extended periods before removal. One widely referenced figure is an average availability of 380 days - though this statistic requires verification against the original academic source before publication.
  • The permissions model of browsers allows extensions to request broad access, increasing the potential attack surface.

The scale of the problem maps directly to MITRE ATT&CK technique T1176 (Browser Extensions), which documents how adversaries use extensions to establish persistence and exfiltrate data - with confirmed associations to threat actor groups including Kimsuky and FIN7.

How Can IT and Security Leaders Mitigate Browser Extension Risk?

Managing browser extension risk is not a single action - it requires a combination of policy enforcement, visibility tooling, and ongoing audit. The starting points:

  • Prevent auto-sync of browser extensions to block accidental installation across device profiles. In Chrome Enterprise, this is controlled via the ExtensionSettings policy, which allows administrators to set per-extension or blanket installation modes: allowed, blocked, force_installed, or normal_installed. The relevant Google documentation is at support.google.com/chrome/a/answer/7532015.
  • Adopt allowlisting over blocklisting. A blocklist requires you to know what to block in advance - a losing position when new extensions are published daily. An allowlist defines approved extensions explicitly and blocks everything else. This is achievable via ExtensionSettings in Chrome Enterprise, or through equivalent policies in Microsoft Intune (for Chromium-based Edge) or Jamf (for macOS endpoints).
  • Audit and control installations of browser extensions using your existing EDR or vulnerability management tooling. The two most capable platforms for this in UK enterprise are detailed in the sections below.
  • Block extensions by permission class. Chrome Enterprise's blocked_permissions key within ExtensionSettings allows administrators to block any extension requesting specific permissions - for example, blanket-blocking all extensions requesting cookie access or USB access - without needing to identify individual extensions.
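As an added illustration (not Precursor's or Google's own configuration), the following Python builds an allowlist-style ExtensionSettings policy of the kind described above and checks a constructed inventory against it. The extension IDs are placeholders, and the evaluate() function is a simplified model of the documented installation_mode and blocked_permissions behaviour, not Chrome's implementation.

```python
import json

# Placeholder 32-character extension IDs (constructed, not real store IDs).
APPROVED_PASSWORD_MANAGER = "abcdefghijklmnopabcdefghijklmnop"
APPROVED_PDF_TOOL = "bcdefghijklmnopabcdefghijklmnopa"
UNKNOWN_NEWS_FEED = "cdefghijklmnopabcdefghijklmnopab"


def build_policy(approved, blocked_permissions):
    """Allowlist-style ExtensionSettings: everything not listed is blocked,
    and any extension requesting a blocked permission class is blocked too."""
    policy = {
        "*": {
            "installation_mode": "blocked",
            "blocked_permissions": sorted(blocked_permissions),
            "blocked_install_message": "Extension not on the approved list. Contact IT.",
        }
    }
    for ext_id, mode in approved.items():
        policy[ext_id] = {"installation_mode": mode}
    return {"ExtensionSettings": policy}


def evaluate(policy, ext_id, requested_permissions):
    """Simplified model (assumption) of how the policy applies to one extension.
    Returns (allowed, reason)."""
    settings = policy["ExtensionSettings"]
    default = settings["*"]
    entry = settings.get(ext_id, {})
    mode = entry.get("installation_mode", default["installation_mode"])
    if mode in ("blocked", "removed"):
        return False, f"installation_mode={mode} (not on allowlist)"
    blocked = set(default.get("blocked_permissions", [])) | set(entry.get("blocked_permissions", []))
    hit = sorted(set(requested_permissions) & blocked)
    if hit:
        return False, "requests blocked permission(s): " + ", ".join(hit)
    return True, f"installation_mode={mode}"


def audit(policy, inventory):
    """Evaluate every extension in an {id: [permissions]} inventory."""
    return {ext_id: evaluate(policy, ext_id, perms) for ext_id, perms in inventory.items()}


POLICY = build_policy(
    approved={APPROVED_PASSWORD_MANAGER: "force_installed", APPROVED_PDF_TOOL: "allowed"},
    blocked_permissions={"cookies", "usb", "clipboardRead", "webRequest"},
)

# Constructed inventory: extension id -> permissions it declares.
SAMPLE_INVENTORY = {
    APPROVED_PASSWORD_MANAGER: ["storage", "tabs"],
    APPROVED_PDF_TOOL: ["storage", "cookies"],  # approved, but asks for cookie access
    UNKNOWN_NEWS_FEED: ["storage"],             # harmless permissions, not on the allowlist
}

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    for ext_id, (ok, why) in audit(POLICY, SAMPLE_INVENTORY).items():
        print(f"{ext_id}: {'ALLOW' if ok else 'BLOCK'} - {why}")
```

The printed JSON is the shape of the value you would deploy under the Chrome ExtensionSettings policy; the audit shows that an approved extension is still blocked once it requests a blocked permission class.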

Browser extension governance also intersects directly with compliance obligations. Browser extensions qualify as software assets under CIS Control 2 (Inventory and Control of Software Assets) - organisations subject to CIS Controls v8 should maintain an authorised extension inventory and enforce it through policy. For ISO 27001-aligned organisations, extension change management is relevant to Annex A controls governing software change and technical vulnerability management.

Browser extension abuse maps to MITRE ATT&CK technique T1176 (Browser Extensions), which covers adversary use of extensions to establish persistence and exfiltrate data - reinforcing why extension management should sit within your threat-informed defence programme rather than being treated as a routine IT housekeeping task.

Are AI Browser Extensions Changing the Threat Landscape?

The rise of AI in general has caused a boom in consumption of anything with the "AI" badge, and this is also the case in browser extensions as users and organisations alike navigate the swift adoption of artificial intelligence tools. AI-category extensions have seen rapid growth in installs since 2023, driven by demand for grammar assistants, summarisers, and writing aids - a trend attackers have directly exploited.

The December 2024 supply chain campaign, which compromised more than 35 Chrome extensions and affected approximately 2.6 million users in total, included extensions from this AI-category growth area - reported by TechCrunch and confirmed across multiple threat intelligence sources. The campaign demonstrates that the AI extension boom has created a sustained opportunity window for attackers to field lookalike high-risk permission extensions.

What Types of Malicious Browser Extensions Are Impacting Organisations?

Cryptojacking

Cryptojacking extensions secretly use the victim's computer resources to mine cryptocurrency:

  • They run in the background, often undetected
  • Cause system slowdowns and increased energy consumption
  • Can lead to hardware damage due to overuse

Infostealers

Infostealers are a threat we've documented in depth previously. Infostealing extensions gather a wide range of user data:

  • Collect browsing history, search terms, and personal information
  • May target specific platforms (e.g., Facebook cookies and authentication tokens)
  • Can capture data submitted to web pages or directly from user input devices
  • May gather credentials to sell on the dark web
  • Often sell collected data to third parties for marketing or malicious purposes

The Cyberhaven case study above illustrates exactly how infostealing extensions operate at scale: session cookies and authentication tokens harvested silently, with the attacker's infrastructure specifically targeting high-value accounts such as Facebook Business and Ads credentials.

Tool Comparison: CrowdStrike vs. Microsoft Defender XDR for Browser Extension Management

Feature | CrowdStrike Falcon Exposure Management | Microsoft Defender XDR + Sentinel
Detection method | Agent-based inventory with risk scoring against permission profiles and threat intelligence; covers enrolled Falcon endpoints | Agent-based (MDE sensor); surfaces data in the DeviceTvmBrowserExtensions table in TVM and Advanced Hunting
Required licence / prerequisites | Falcon Exposure Management module - separate add-on, not included in base Falcon Prevent or Insight tiers | Microsoft Defender for Endpoint Plan 2 (included in M365 E5 / E5 Security bundles)
Query / hunt capability | Falcon Query Language (FQL) in Event Search; filter by risk level, browser, or extension ID | KQL (Kusto Query Language) in Advanced Hunting against DeviceTvmBrowserExtensions; supports custom detection rules
Response actions | Alert creation, policy enforcement trigger, host isolation via prevention policy integration | Custom detection rules with automated actions (isolate, scan); Sentinel integration for SIEM alerting
Coverage scope | Windows, macOS, Linux endpoints enrolled in Falcon; supports Chrome, Edge, and Firefox | Windows endpoints with MDE agent; Chrome and Edge
SIEM / MDR integration | Native integration with Falcon LogScale; works with CrowdStrike Falcon Complete MDR | Native integration with Microsoft Sentinel; works with Microsoft Defender Experts for XDR

How Do You Manage Risky Browser Extensions in CrowdStrike?

Using CrowdStrike Falcon Exposure Management (available as a bolt-on to Precursor MDR (Managed Detection and Response), through Precursor's partnership with CrowdStrike), you can audit and alert on risky installations across your entire enrolled endpoint estate.

Navigation: Falcon platform > Exposure Management > Browser Extensions

Licence note: Browser extension visibility is part of the Falcon Exposure Management module, which is a separately licensed add-on. It is not included in base Falcon Prevent or Falcon Insight tiers. Contact your CrowdStrike account team or Precursor to confirm whether your current licence includes this capability.

What is surfaced: For each enrolled endpoint, CrowdStrike surfaces the extension name, version, browser (Chrome, Edge, Firefox), install count across the estate, risk level (Low / Medium / High / Critical), full permission list, publisher details, and whether the extension is currently listed, unlisted, or removed from the Chrome Web Store. This last data point is particularly valuable - an extension that has been pulled from the store but remains installed on endpoints is an immediate investigation priority.

Risk scoring: CrowdStrike assigns each extension a risk score based on its declared permissions, install count, publisher reputation, and threat intelligence feed matches. The risk levels (Low / Medium / High / Critical) are consistent with CrowdStrike's standard severity taxonomy across the Falcon platform.

Query capability: CrowdStrike supports Falcon Query Language (FQL) in Event Search for filtering extension inventory data. The equivalent of the Defender KQL query below would filter for risk_level: ['High', 'Critical'] across the browser extensions dataset.

Response actions available: Alert creation and policy alerting on high-risk extension detection; integration with CrowdStrike prevention policies (which can trigger host isolation workflows); and export of the extension inventory for remediation workflow outside the platform.

How Do You Manage Risky Browser Extensions in Microsoft Defender XDR and Sentinel?

Our expert analysts have shared the query below, which you can run in Defender's Advanced Hunting feature to summarise your highest-risk extensions. Note that this requires Defender Threat and Vulnerability Management (either a trial or a purchased licence), which is also included in Defender for Endpoint P2.

KQL (Kusto Query Language) Query for Defender Advanced Hunting

DeviceTvmBrowserExtensions
| where ExtensionRisk == @"High" or ExtensionRisk == @"Critical"
| summarize Count=count() by ExtensionName

You can then audit these results and investigate extensions for what is expected in your network and for your user base.

For a more detailed view that surfaces the affected device, browser, version, and full permission list, the following extended query is recommended:

DeviceTvmBrowserExtensions
| where ExtensionRisk in ("High", "Critical")
| project DeviceName, BrowserName, ExtensionName, ExtensionVersion, ExtensionRisk, Permissions
| sort by ExtensionRisk desc

The DeviceTvmBrowserExtensions table is part of Defender's Threat and Vulnerability Management (TVM) module. Key columns include DeviceName, BrowserName, ExtensionName, ExtensionVersion, ExtensionRisk, IsEnabled, InstallationTime, and Permissions - giving you a complete per-device picture of your extension exposure. From Advanced Hunting, you can also create custom detection rules that trigger automated response actions (device isolation, antivirus scan) when a high-risk extension is detected. For organisations using Microsoft Sentinel, the Defender XDR data connector pipes this telemetry directly into your SIEM for centralised alerting and investigation.

What Should You Do If You Detect a Suspicious Browser Extension?

If a suspicious extension is flagged on an endpoint in your network, treat it as a potential active incident and work through the following steps:

  1. Isolate the affected endpoint from the network to prevent further data exfiltration while you assess the scope of the compromise.
  2. Disable or remove the suspicious extension via browser management policy - for example, using Chrome Enterprise's ExtensionSettings policy, Microsoft Intune, or Jamf - rather than relying on the user to uninstall manually. User-side removal is unreliable and may destroy forensic evidence.
  3. Preserve a forensic copy of the browser profile (including the extension directory, local storage, and cookies) before any removal takes place. This preserves the evidence needed for later investigation and any regulatory notification obligations.
  4. Review the extension's declared permissions and compare them against its published store listing. Look specifically for permission escalation in recent updates - an extension that previously requested minimal permissions and now requests cookie or credential access is a significant red flag.
  5. Assess lateral movement risk. Determine whether the extension had access to authentication tokens, session cookies, or credential-store data. If so, initiate credential rotation and session invalidation for affected accounts and services - particularly for any SaaS platforms or email accounts accessed during the exposure window.
  6. Review endpoint telemetry for the 30 days prior to detection for signs of data exfiltration: unusual DNS queries, outbound connections to unfamiliar endpoints, or authentication anomalies in your identity logs.
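The permission-escalation check in step 4 (and the "permission-diff alerting" mentioned in the Cyberhaven discussion) can be scripted against two manifest.json snapshots of the same extension. The following Python is an added example, not tooling from Precursor, CrowdStrike or Microsoft; the manifests are constructed to mirror the pattern the guide describes (minimal first release, later update adding cookie and broad host access), and the risk weights are an assumption.

```python
from dataclasses import dataclass

# Permission classes the guide calls out as high risk (cookies, identity, history,
# page content, clipboard). Weights are an assumption; unknown permissions score 1.
SENSITIVE = {
    "cookies": 3, "identity": 3, "webRequest": 3, "webRequestBlocking": 3,
    "history": 2, "tabs": 2, "clipboardRead": 2, "scripting": 2,
    "storage": 0, "alarms": 0, "notifications": 0,
}
BROAD_HOSTS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")


@dataclass
class Finding:
    extension: str
    old_version: str
    new_version: str
    added_permissions: list
    added_hosts: list
    score: int

    @property
    def severity(self):
        if self.score >= 3:
            return "High"
        if self.score >= 1:
            return "Medium"
        return "Low"


def _permissions(manifest):
    """Split a manifest into API permissions and host patterns.
    Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions"."""
    perms, hosts = set(), set()
    for p in manifest.get("permissions", []) + manifest.get("optional_permissions", []):
        (hosts if ("://" in p or p == "<all_urls>") else perms).add(p)
    hosts.update(manifest.get("host_permissions", []))
    return perms, hosts


def diff_manifests(old, new):
    """Report permissions and host patterns the new version gained, with a risk score."""
    old_p, old_h = _permissions(old)
    new_p, new_h = _permissions(new)
    added_p = sorted(new_p - old_p)
    added_h = sorted(new_h - old_h)
    score = sum(SENSITIVE.get(p, 1) for p in added_p)
    if any(h in BROAD_HOSTS for h in added_h):
        score += 3  # newly reading every site the user visits is itself a red flag
    return Finding(new.get("name", "?"), old.get("version", "?"),
                   new.get("version", "?"), added_p, added_h, score)


# Constructed manifests (not from any real extension).
OLD_MANIFEST = {"name": "Example Summariser", "version": "1.0.0", "manifest_version": 3,
                "permissions": ["storage"],
                "host_permissions": ["https://example-summariser.invalid/*"]}
NEW_MANIFEST = {"name": "Example Summariser", "version": "1.1.0", "manifest_version": 3,
                "permissions": ["storage", "cookies", "scripting"],
                "host_permissions": ["<all_urls>"]}

if __name__ == "__main__":
    f = diff_manifests(OLD_MANIFEST, NEW_MANIFEST)
    print(f"{f.extension} {f.old_version} -> {f.new_version}: {f.severity} (score {f.score})")
    print("added permissions:", f.added_permissions, "added hosts:", f.added_hosts)
```

Run it against the manifest.json from the preserved forensic copy (step 3) and the version recorded in your extension inventory or store listing; a High finding is the escalation pattern step 4 tells you to look for.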

If your internal team lacks the capacity to conduct this investigation, Precursor's Incident Response team can assist - beginning with a free scoping call to assess scope and advise on next steps.

How Does Precursor Help Manage Browser Extension Risk?

Whether your organisation runs CrowdStrike, Microsoft Defender XDR, or both, the steps above give you a working starting point for managing browser extension exposure using tooling you likely already have access to. The gap for most teams is not capability - it is capacity: the time and expertise to run continuous audits, triage alerts, and investigate suspicious findings before they become incidents.

The Precursor MDR (Managed Detection and Response) team takes on that continuous monitoring layer. We sync all extension installation events to the Precursor MDR service - assessing, triaging, and responding around the clock. Where a malicious extension is identified, the Precursor MDR team initiates a global hunt to identify other affected assets across the customer base, improving herd immunity across multiple sectors.

For teams that want managed coverage rather than periodic manual audits, get in touch to arrange a free scoping call - we'll assess your current visibility and advise on the fastest path to closing the gap.


Frequently Asked Questions

How do malicious browser extensions proliferate?

Malicious browser extensions spread through several channels: deceptive publishing in official stores like the Chrome Web Store (where they pass automated review by initially requesting minimal permissions), social engineering campaigns (phishing emails, drive-by downloads, compromised GitHub repositories), malvertising on lookalike sites, and supply chain attacks that compromise legitimate, popular extensions after acquisition or through developer phishing. The December 2024 campaign that affected Cyberhaven and more than 35 other extensions is the most recent large-scale example of the supply chain variant.

What are the challenges in detecting malicious browser extensions?

The main detection challenges are volume (the Chrome Web Store hosts approximately 112,000 active extensions), dwell time (malicious extensions can remain available and installed for extended periods before removal), and the breadth of the permissions model (which allows extensions to legitimately request access to cookies, credentials, browsing history, and live page content). Most organisations also lack dedicated tooling to inventory what extensions are installed across their estate, let alone score their risk.

Are AI browser extensions a specific threat to enterprises?

AI-category extensions have seen rapid growth since 2023 and attract disproportionate attacker attention because of that growth. The December 2024 supply chain campaign - which affected approximately 2.6 million users across more than 35 extensions - included extensions in this category. The risk is not unique to AI extensions, but the high install rates mean a successful compromise reaches more users than in a niche extension category.

What types of malicious browser extensions are most commonly seen in enterprise environments?

The two dominant categories impacting organisations are infostealers (which harvest cookies, session tokens, credentials, and browsing data - often targeting specific platforms like Facebook Business accounts) and cryptojackers (which silently consume endpoint CPU and GPU resources to mine cryptocurrency). Infostealers pose the greater data breach risk; cryptojackers are often easier to detect through performance degradation.

What should you do first if you detect a suspicious browser extension?

Isolate the affected endpoint from the network immediately to stop any ongoing exfiltration. Then remove the extension via management policy (not manually by the user), preserve a forensic copy of the browser profile, and assess whether the extension had access to session tokens or credentials - triggering rotation for any affected accounts. Review endpoint telemetry for the 30 days prior to detection for exfiltration indicators. If capacity is limited, Precursor's Incident Response team can assist from an initial free scoping call.
