February 3, 2025

Managing your exposure to malicious browser extensions with Microsoft Defender XDR and Microsoft Sentinel or CrowdStrike

A study showed 51% of all installed browser extensions were high risk and had the potential to cause extensive damage to the organisation. In this blog, Precursor SOC will show you how CrowdStrike and Microsoft Defender XDR can both be utilised to manage this risk.


The Rise of Browser Extensions

The rise of malicious browser extensions is a concerning trend that has evolved alongside the increasing reliance on web browsers for everyday tasks. Initially designed to enhance user experience by adding functionality such as ad-blocking, productivity tools, and customisation features, browser extensions have become an integral part of modern internet use. However, their popularity and extensive permissions have also made them an attractive target for cybercriminals.

Over the years, attackers have exploited browser extensions as a vehicle for data theft, credential harvesting, and malware distribution. High-profile incidents like the compromise of the Cyberhaven extension in 2024—where malicious code was injected to steal sensitive data from over a million users—highlight the growing sophistication of these threats. Similarly, cases like the "Great Suspender" in 2021 and the "DataSpii Incident" in 2019 revealed how seemingly legitimate extensions could be weaponised after being sold to unknown entities or through deceptive updates.

The Risk of Browser Extensions

When browser extensions are installed, you as the user grant certain permissions to them. It is worth noting that not all permissions require explicit consent from the user. Here are some of the types of permissions that a browser extension may rely on:

• Cookies

• Identities

• Browsing history and data

• Credentials

• Live web page contents

• Text input

• Audio/video capture

As this list shows, depending on the extension, some of these categories could be deemed a risk to the organisation. Should your daily news feed extension be able to read text input on all other websites? Is this justified?

Malicious actors have seen this as an opportunity: browser extensions regularly go ignored by detection and audit teams alike, so the ability to create and proliferate a malicious extension is seen as easier than developing and deploying malware.

How do Malicious Browser Extensions Proliferate?

In order to distribute malicious extensions, attackers are naturally creative in their techniques. Below, we’ve listed some of the common ways.

Deceptive Publishing

Attackers often submit malicious extensions to official web stores, such as the Chrome Web Store, disguising them as legitimate tools. They employ tactics like:

• Choosing unsuspecting titles and icons

• Requesting minimal permissions initially

• Encrypting malicious payloads to avoid detection

In some cases, these extensions pass the initial screening process, becoming publicly available for download.

Social Engineering

Once published, malicious actors use various methods to trick users into installing their extensions:

• Phishing emails with malicious macros

• Drive-by download websites

• Compromising open-source extensions on platforms like GitHub

• Posing as recruiters on LinkedIn

Malvertising Campaigns

Hackers create lookalike sites that impersonate popular software and services, such as:

• Roblox

• YouTube

• VLC media player

These fake sites use malvertising to trick users into downloading and installing risky software. For an in-depth insight into how Precursor’s Incident Response service responded to a malicious SEO campaign, click here.

Exploitation of Legitimate Extensions

In some cases, attackers target and compromise legitimate, popular extensions:

• The "Cyberhaven Incident" in December 2024 involved a phishing attack on a developer, leading to the compromise of an extension used by 400,000 users.

• The "Great Suspender" and "Nano Adblocker" cases involved extensions being sold to unknown entities who then injected malicious code.

What are the challenges?

Several factors contribute to the difficulty in detecting and preventing malicious extensions:

• The sheer volume of extensions (over 250,000 available on the Chrome Web Store) makes thorough vetting challenging.

• Malicious extensions often remain available for extended periods, with one study finding an average availability of 380 days before removal.

• The permissions model of browsers allows extensions to request broad access, increasing the potential attack surface.

By exploiting these various channels and leveraging sophisticated techniques, malicious browser extensions continue to pose a significant threat to users and organisations alike.

How IT and Security Leaders can Strategically Mitigate Browser Extension Risk

• Prevent auto-sync of browser extensions to prevent accidental installations

• Audit and control installations of browser extensions

• Utilise existing EDR features to audit and prevent installations; see the examples below.
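As an added example of the "audit and control installations" point (not a query from the original post), the following Defender Advanced Hunting query lists every extension installed in the last seven days that is not on an approved list. The two extension IDs in Allowed are constructed placeholders to be replaced with the IDs your organisation has approved, the seven-day window is an assumption, and the column names follow the documented schema of the DeviceTvmBrowserExtensions table.

```kql
// Added example, not from the original post: recent installs not on the allowlist.
// The IDs below are constructed placeholders; replace them with approved extension IDs.
let Allowed = dynamic([
    "EXAMPLE_APPROVED_EXTENSION_ID_1",
    "EXAMPLE_APPROVED_EXTENSION_ID_2"
]);
DeviceTvmBrowserExtensions
// Assumed lookback window; widen it for an initial baseline audit
| where InstallationTime > ago(7d)
// Anything outside the allowlist is a candidate for review or removal
| where ExtensionId !in (Allowed)
| project InstallationTime, DeviceName, BrowserName, ExtensionName, ExtensionId,
          ExtensionVersion, ExtensionVendor, ExtensionRisk, IsActivated
| order by InstallationTime desc
```

Run it once with an empty allowlist to build the baseline of what is already present, populate Allowed from the extensions you decide are justified, and then schedule it as a custom detection so new installs outside the list surface as alerts rather than waiting for a manual audit.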

Are AI-Related Browser Extensions Changing the Risk Landscape?

The rise of AI in general has caused a boom in consumption of anything carrying the "AI" badge. This is also the case for browser extensions, as users and organisations alike try to navigate the swift adoption and understanding of artificial intelligence.

This rapid growth has opened a continued window of opportunity for attackers to publish lookalike extensions that request high-risk permissions. A recently documented campaign involved at least 36 AI-related Chrome extensions, potentially impacting over 2 million users.

AI browser extensions are believed to be amongst the most downloaded and sought after extensions on the Chrome marketplace.

What Types of Malicious Extensions Are Impacting Organisations?

Cryptojacking

Cryptojacking extensions secretly use the victim's computer resources to mine cryptocurrency:

• They run in the background, often undetected

• Cause system slowdowns and increased energy consumption

• Can lead to hardware damage due to overuse

Infostealers

Infostealers are a threat we have documented in depth previously. Infostealing extensions gather a wide range of user data:

• Collect browsing history, search terms, and personal information

• May target specific platforms (e.g., Facebook cookies and authentication tokens)

• Can capture data submitted to web pages or directly from user input devices

• May gather credentials to sell on the dark web

• Often sell collected data to third parties for marketing or malicious purposes

These malicious extensions pose significant risks to both individual users and organisations, emphasising the need for increased vigilance and improved security measures in browser extension ecosystems.

The extension landscape is not showing any signs of slowing down. Organisations must worry about everything from listed extensions that get past Google's checks to unlisted extensions, not on the store, that users are lured into clicking and installing. Organisations are even further out of the loop when genuine extensions are hijacked and malicious code is injected, as they are then relying on the developers to detect the malicious code in their own development process.

How to manage risky browser extensions in CrowdStrike

Using CrowdStrike Exposure Management (available as a bolt-on to Precursor MDR through Precursor's partnership with CrowdStrike), we can easily audit and alert on risky installations.

How to manage risky browser extensions in Microsoft Defender XDR and Microsoft Sentinel

Our expert analysts have shared the query below, which you can use in Defender's Advanced Hunting feature to summarise your highest-risk extensions. Note that this requires either a trial or a purchased licence of Defender Threat and Vulnerability Management, which is also included in Defender for Endpoint P2. Speak to our account management experts for information on procuring Microsoft licence upgrades.

KQL Query for Defender Advanced Hunting

// Extension inventory reported by Defender Vulnerability Management
DeviceTvmBrowserExtensions
// Keep only extensions Microsoft rates as High or Critical risk
| where ExtensionRisk == @"High" or ExtensionRisk == @"Critical"
// One row per extension name; Count is the number of installations seen,
// not the number of distinct devices
| summarize Count=count() by ExtensionName

You can then audit these results and investigate extensions for what is expected in your network and for your user base.
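To support that audit, and to answer the "is this justified?" question raised in the permissions section above, the following query is an added example (not a query from the original post or from Microsoft) that extends the summary with the permissions behind each rating. It joins the per-device inventory (DeviceTvmBrowserExtensions) with the extension knowledge base (DeviceTvmBrowserExtensionsKB) so each High or Critical extension is listed with the high-risk permissions it requests, how many devices and which browsers carry it, how many installs are active, and when it was most recently installed. Column names follow the documented schema of the two tables.

```kql
// Added example, not from the original post: High/Critical extensions with the
// permissions that drive the rating, device reach and latest install time.
// Union of High/Critical permissions per extension, taken from the knowledge base
let RiskyPermissionsPerExtension =
    DeviceTvmBrowserExtensionsKB
    | where PermissionRisk in ("High", "Critical")
    | summarize RiskyPermissions = make_set(PermissionName) by ExtensionId;
DeviceTvmBrowserExtensions
| where ExtensionRisk in ("High", "Critical")
// leftouter keeps extensions the knowledge base has no permission rows for
| join kind=leftouter RiskyPermissionsPerExtension on ExtensionId
| summarize
    Devices = dcount(DeviceId),
    Browsers = make_set(BrowserName),
    ActiveInstalls = countif(IsActivated == true),
    LatestInstall = max(InstallationTime),
    RiskyPermissions = take_any(RiskyPermissions)
    by ExtensionName, ExtensionId, ExtensionRisk
// "Critical" sorts before "High"; widest-spread extensions first within each rating
| order by ExtensionRisk asc, Devices desc
```

Read the RiskyPermissions column against the extension's stated purpose: a news reader that asks to read live page contents or text input on every site has no justification for it, whereas a password manager legitimately needs credential access, and the Devices and LatestInstall columns tell you whether you are dealing with a long-standing sprawl to clean up or a single recent install to investigate.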

What should you do if you detect a suspicious extension in your network?

If you do not have the internal resources or support from a partner to handle such an incident, Precursor's Incident Response team can assist you, beginning with a free-of-charge scoping meeting to provide initial advice.

How does Precursor help manage browser extension risk?

The Precursor MDR team sync all extension installs into the Precursor MDR service for monitoring, assessment and response. Where a malicious extension is identified, the Precursor MDR team initiate a global hunt to identify other affected assets across the customer base, improving herd immunity on a national and global scale across multiple sectors.


Written by

Precursor Security

Welcome to Precursor Security, where the forefront of cybersecurity and penetration testing expertise meets unmatched dedication and innovation. We are the architects of robust digital defences, committed to safeguarding the online realm.
