Malicious AI Assistant Extensions Harvested LLM Chat Histories Across 20K+ Enterprise Tenants

Microsoft Defender Security Research has identified a massive campaign involving malicious Chromium-based browser extensions. These extensions impersonate legitimate AI assistants to harvest Large Language Model (LLM) chat histories and sensitive browsing data. Reaching approximately 900,000 installs, the campaign has successfully infiltrated more than 20,000 enterprise environments.

Severity: High

Targeting And Distribution

  • The Lure: Attackers exploit the high demand for AI productivity tools by publishing “look-alike” extensions in the Chrome Web Store.
  • Impersonation: These malicious tools emulate the branding, permission prompts, and UI of legitimate extensions to deceive users.
  • Cross-Browser Reach: Because Microsoft Edge supports Chromium-based extensions, a single malicious listing can compromise users across both Chrome and Edge ecosystems.
  • Automation: In some instances, “agentic browsers” were observed automatically downloading these extensions without explicit user approval due to their convincing descriptions.

Data Collection Capabilities

The primary objective of this campaign is long-term, persistent data exfiltration.

  • LLM Content Harvesting: The extensions capture full chat content including prompts and responses from platforms such as ChatGPT and DeepSeek.
  • Browsing Telemetry: Background scripts log nearly all visited URLs, including internal company sites and navigation context (previous/next pages).
  • Sensitive Data Exposure: This activity risks the leakage of proprietary code, internal strategic discussions, and confidential workflows.

Operational Techniques

  • Persistence: The threat does not use traditional malware techniques; instead, it relies on standard browser behavior where extensions automatically reload upon startup.
  • Evasive Consent: While users might initially decline data collection, subsequent updates to the extension are designed to automatically re-enable telemetry by default.
  • Stealthy Exfiltration: Collected data is staged locally in Base64-encoded JSON format and transmitted in periodic batches via HTTPS POST requests.
  • C2 Infrastructure: Communication is directed to attacker-controlled domains, including deepaichats[.]com, chatsaigpt[.]com, chataigpt[.]pro, and chatgptsidebar[.]pro.
  • Anti-Forensics: After successful transmission, the extension clears local buffers to reduce on-disk artifacts and limit visibility to security investigators.

Recommendations

  1. Conduct a full inventory of browser extensions across the organization using tools such as Browser extensions assessment in Microsoft Defender Vulnerability Management.
  2. Apply strict policies to block or remove unverified or side-loaded extensions, particularly those with the following IDs:
    • fnmihdojmnkclgjpcoonokmkhjpjechg
    • inhcgfpbfdjbjogdfjbcigolkmhnocop
  3. Educate employees on the risks of side-loaded or unverified productivity extensions. Furthermore, encourage end-users to review their currently installed extensions in Chrome or Edge and remove any they do not recognize or trust.
  4. Ensure Microsoft Defender SmartScreen and Network Protection are enabled on all endpoints.
  5. Monitor network POST traffic to the extension’s known endpoints (*.chatsaigpt[.]com, *.deepaichats[.]com, *.chataigpt[.]pro, *.chatgptsidebarp[.]pro) and assess impacted devices to understand the scope of data exfiltrated.
  6. Create and enforce formal organizational procedures regarding the approved use of AI tools and the installation of third-party assistants.
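
An added example, not code from the Microsoft report or from this advisory: one way to carry out recommendation 5 over exported proxy logs, flagging POSTs to the domains listed in the C2 Infrastructure bullet and totalling outbound bytes per device. The CSV column names and all sample rows are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Domains from the advisory's C2 Infrastructure bullet, refanged for matching.
C2_DOMAINS = ("deepaichats.com", "chatsaigpt.com", "chataigpt.pro", "chatgptsidebar.pro")

# Constructed sample proxy log (assumed columns, not a real product's schema).
SAMPLE_LOG = """timestamp,device,method,host,bytes_out
2026-03-01T09:00:02Z,WKS-014,POST,api.deepaichats.com,18432
2026-03-01T09:00:05Z,WKS-014,GET,chatgpt.com,512
2026-03-01T09:30:02Z,WKS-014,POST,api.deepaichats.com,20110
2026-03-01T09:31:40Z,WKS-022,POST,CHATAIGPT.PRO.,4096
2026-03-01T09:32:10Z,WKS-031,POST,notdeepaichats.com,900
2026-03-01T09:33:00Z,WKS-031,POST,deepaichats.com.example.org,700
2026-03-01T09:34:00Z,WKS-040,GET,cdn.chatsaigpt.com,300
"""

def normalize(host: str) -> str:
    """Lower-case the host and drop whitespace and the trailing root dot."""
    return host.strip().lower().rstrip(".")

def is_c2_host(host: str) -> bool:
    """True for a listed domain or any subdomain of it (label-boundary match)."""
    h = normalize(host)
    return any(h == d or h.endswith("." + d) for d in C2_DOMAINS)

def summarize_exfil(log_text: str) -> dict:
    """Per-device count and outbound bytes of POSTs to the listed domains."""
    hits = defaultdict(lambda: {"posts": 0, "bytes_out": 0, "hosts": set()})
    for row in csv.DictReader(io.StringIO(log_text)):
        # The advisory describes batched HTTPS POST uploads, so only POSTs count.
        if row["method"].upper() != "POST" or not is_c2_host(row["host"]):
            continue
        entry = hits[row["device"]]
        entry["posts"] += 1
        entry["bytes_out"] += int(row["bytes_out"])
        entry["hosts"].add(normalize(row["host"]))
    return dict(hits)

if __name__ == "__main__":
    for device, info in sorted(summarize_exfil(SAMPLE_LOG).items()):
        print(device, info["posts"], info["bytes_out"], sorted(info["hosts"]))
```

The label-boundary match keeps look-alike hosts such as notdeepaichats.com and deepaichats.com.example.org out of the results, so the per-device byte totals reflect only traffic to the listed domains.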

Source:

  • https://www.microsoft.com/en-us/security/blog/2026/03/05/malicious-ai-assistant-extensions-harvest-llm-chat-histories/
