Malicious Chrome Extension Intercepted Searches and Address Bar Typing

Microsoft discovered a malicious Chrome extension that posed as the AI search engine Perplexity and quietly intercepted what people searched for. It routed every query and every character typed in the address bar through a server controlled by the attacker before redirecting users to the actual results.
Microsoft says Google removed it from the store after disclosure. The extension was called “Search confusion ai” (ID flkebkiofojicogddingbdmcmkpbplcd) and used a lookalike domain, confusion-ai.[.]online, to imitate the real service at perplexity.ai.
Microsoft’s Defender research team says the point was to intercept searches and collect data. It found no evidence of password theft, but much more access than a search box should require.
Once installed, the extension sets itself as the browser’s default search engine. When you search, the query first goes to the attacker’s lookalike domain, where the attacker’s server logs it along with your browser’s headers, IP address, and user agent.
A redirect rule then forwarded it to a real search engine (Perplexity, Google, or Bing), so that the results looked normal. The theft happened at that first stop, before the redirect.
The address bar made it worse. The extension also pointed the browser’s live search suggestions (suggest_url) to the same attacker’s domain. So your input goes to the attacker’s server before you press Enter. Not just the finished search, but every character as you type.
Chrome allows search provider overrides, and legitimate extensions use them. Rewriting and redirecting your traffic is something a search box has no business doing. This one requested the declarativeNetRequest family of permissions to do just that, and was paired with server-side code that recorded every request. Microsoft calls that evidence that the collection was intentional, not a side effect of the redirect.

The extension also ships disabled redirect rules for Google and Bing, so the same setup can be enabled for those engines as well. It even left room to run WebAssembly code later, which a simple search tool has no reason to do.
This is in line with the ongoing trend of malicious extensions that hide behind AI branding. Some change the default search engine to capture what you type. Others hijack the search provider or skim ChatGPT and DeepSeek chats. Microsoft’s own research pegged that wave of chat-skimming at about 900,000 installations on more than 20,000 corporate networks.
The difference here is the target: not your AI conversations, but your searches and the letters you type in the address bar, collected through a Chrome extension.
If you have installed “Search confusion ai,” remove it and check that your default search engine has not been changed. For teams, Microsoft suggests the basics:
- Allow only extensions approved by browser or company policy.
- Watch for changed search settings, unusual extension permissions, and traffic to unfamiliar domains.
- Treat AI-branded tools with extra suspicion, and check the publisher and domain before installing.
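An added example, not from Microsoft's report or this article: a Python check over an extension's parsed manifest.json for the traits described above (default search override, suggest_url, declarativeNetRequest permissions, disabled rulesets, WebAssembly allowed by the CSP). The mapping to these manifest keys, the approved-host allowlist, and the sample manifest with the placeholder host lookalike.example are assumptions constructed for illustration.

```python
import json
from urllib.parse import urlsplit

DNR_PERMS = {"declarativeNetRequest", "declarativeNetRequestWithHostAccess",
             "declarativeNetRequestFeedback"}

def _host(url):
    # Search URLs carry placeholders such as {searchTerms}; the host still parses.
    return (urlsplit(url).hostname or "").lower()

def audit_manifest(manifest, approved_hosts):
    """Return findings for one parsed manifest.json (approved_hosts is an assumed allowlist)."""
    findings = []
    sp = manifest.get("chrome_settings_overrides", {}).get("search_provider", {})
    if sp.get("is_default"):
        findings.append("sets itself as default search engine")
    for key in ("search_url", "suggest_url"):
        host = _host(sp.get(key, ""))
        if host and host not in approved_hosts:
            findings.append(f"{key} points to unapproved host {host}")
    perms = sorted(set(manifest.get("permissions", [])) & DNR_PERMS)
    if sp and perms:
        findings.append("search override combined with " + ", ".join(perms))
    rules = manifest.get("declarative_net_request", {}).get("rule_resources", [])
    dormant = [str(r.get("id")) for r in rules if r.get("enabled") is False]
    if dormant:
        findings.append("ships disabled rulesets: " + ", ".join(dormant))
    csp = manifest.get("content_security_policy", {})
    csp_text = csp if isinstance(csp, str) else " ".join(csp.values())
    if "wasm-unsafe-eval" in csp_text:
        findings.append("CSP allows WebAssembly execution")
    return findings

# Constructed sample manifest; lookalike.example is a placeholder, not a real indicator.
SAMPLE = json.loads("""{
  "manifest_version": 3, "name": "constructed sample",
  "permissions": ["declarativeNetRequest", "declarativeNetRequestWithHostAccess"],
  "chrome_settings_overrides": {"search_provider": {
    "name": "sample", "keyword": "s", "is_default": true,
    "search_url": "https://lookalike.example/search?q={searchTerms}",
    "suggest_url": "https://lookalike.example/suggest?q={searchTerms}"}},
  "declarative_net_request": {"rule_resources": [
    {"id": "main", "enabled": true, "path": "main.json"},
    {"id": "google", "enabled": false, "path": "google.json"},
    {"id": "bing", "enabled": false, "path": "bing.json"}]},
  "content_security_policy": {
    "extension_pages": "script-src 'self' 'wasm-unsafe-eval'; object-src 'self'"}
}""")
```

Call `audit_manifest(SAMPLE, {"www.perplexity.ai", "www.google.com", "www.bing.com"})` to get the list of findings; in practice the manifest would be loaded from each installed extension's directory.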
No one has been named as an operator, and Microsoft did not say how many people installed it before the takedown. The AI branding provided the cover. The search override did the collecting.



