Microsoft has revealed that hundreds of thousands of users have installed a malicious browser extension that impersonates a legitimate AI assistant tool and collects chat history and browsing data.
According to the official Microsoft Defender report, the number of installations of malicious Chromium-based extensions reached approximately 900,000. The campaign also affected more than 20,000 corporate tenants whose employees frequently interact with AI tools using sensitive information.
The extension collected complete URLs and AI chat content from platforms such as ChatGPT and DeepSeek. This exposed organizations to the potential leak of proprietary code, internal workflows, strategic discussions and other sensitive data, Microsoft said.
How the attack works
Threat actors have published similar AI Assistant extensions in the Chrome Web Store with similar branding and descriptions to legitimate productivity tools such as AITOPIA. Microsoft Edge supports Chrome Web Store extensions, so users of both browsers may receive the same list.
Once you install an extension, it continues to work within the context of your browser. They collected AI chat content and browsing telemetry directly from active sessions and staged the data locally before exfiltrating it.
The extension used standard web protocols to maintain communication with attacker-controlled infrastructure, making its activity difficult to distinguish from normal browser traffic. Periodically, data was sent via HTTPS POST requests to the domain containing Deepaichat.[.]com and chatsaigpt[.]Com. After submission, local buffers were cleared to reduce forensic visibility.
Telemetry is enabled by default after update
Microsoft pointed out that a misleading consent mechanism enabled continued data collection. Users were initially able to disable telemetry, but subsequent updates automatically re-enabled telemetry without the user’s explicit knowledge.
The extension logged nearly every URL visited, including internal sites, along with chat snippets, model names, and persistent identifiers. According to Microsoft’s analysis, the code contained minimal filtering and weak consent processing.
Campaign size
The threat actor targeted the growing ecosystem of AI assistant browser extensions, taking advantage of the fact that many knowledge workers have installed sidebar tools to interact with models such as ChatGPT and DeepSeek. These extensions often require extensive page-level permissions for convenience.
In some cases, agent browsers are automatically downloading extensions without the user’s explicit approval, which is a reflection of how convincing the name or description is, Microsoft said.
Mitigation guidance
Microsoft recommended that organizations monitor network traffic to known endpoints such as *.chatsaigpt.com and *.deepaichats.com. We recommended using Microsoft Defender vulnerability management to audit browser extensions, enable SmartScreen and network protection, and establish organizational policies regarding the use of AI.
Users were also advised to review installed extensions and remove unknown or unverified tools.
