Severity: HIGH
CVSS: 7.5
Priority: 0.805
Executive Summary
Multiple independent research teams have documented an active campaign wave in which malicious Chrome extensions disguised as AI productivity tools (fake ChatGPT, Copilot, and similar assistants) harvest credentials, steal authenticated session tokens, and exfiltrate email from Gmail and Microsoft Outlook. At least one campaign variant reached 260,000 installs before removal. Because these extensions execute inside the browser's trusted context, perimeter and network controls provide no protection; the attack surface exists on every managed and unmanaged endpoint where employees install browser extensions.
Plain & Simple
Here’s what you need to know.
No jargon. Just the basics.
Are you affected?
Probably, if you recently added a free AI tool to your Chrome browser, because it may be a fake.
What got out
Suspected: passwords and saved login details from your browser
Suspected: your email messages from Gmail or Outlook
Suspected: your AI chat history if you use ChatGPT in Chrome
Do this now
1. Open Chrome, go to Extensions, and remove any AI tools you did not get from a source you fully trust.
2. Change your email password and turn on two-step sign-in, where a code is sent to your phone, for Gmail or Outlook.
3. Change passwords for any accounts you logged into recently using Chrome.
Watch for these
Emails or texts from your bank or services you use asking you to confirm your account.
Login alerts from accounts you did not try to access yourself.
Unexpected password reset emails you did not request.
Should you worry?
This is serious if you installed a fake AI extension, but most people have not. Removing unknown extensions and changing your email password covers the main risk.
Impact Assessment
CISA KEV Status
Not listed
Threat Severity
HIGH
High severity — prioritize for investigation
Actor Attribution
HIGH
2vk (VK Styles campaign, GitHub), AiFrame cluster (unattributed)
TTP Sophistication
HIGH
14 MITRE ATT&CK techniques identified
Detection Difficulty
HIGH
Multiple evasion techniques observed
Target Scope
INFO
Google Chrome browser extensions (Chrome Web Store), Gmail, Microsoft Outlook, ChatGPT (prompt interception); users of AI productivity tools across enterprise and consumer segments
Business Context
An attacker who steals a valid Gmail or Outlook session token gains access to that employee's full inbox without needing their password or triggering MFA — exposing M&A communications, customer data, financial records, and legal correspondence. For organizations in regulated industries, email access of this type creates direct notification obligations under GDPR, HIPAA, and state privacy laws. Reputational damage follows if customer or partner data exfiltrated from compromised inboxes is later disclosed or weaponized.
You Are Affected If
Employees use Google Chrome as their primary browser on managed or unmanaged endpoints
No Chrome extension allowlist policy is enforced via Chrome Browser Cloud Management or MDM
Employees have access to Gmail, Microsoft Outlook, or ChatGPT from their browsers
AI productivity tools (ChatGPT plugins, Copilot extensions, AI assistants) are permitted or not reviewed for extension permissions
Remote or BYOD endpoints access corporate email without browser-layer controls
Board Talking Points
Attackers are distributing fake AI tools through Google's own extension store to steal employee email access without needing passwords — 260,000 users installed one variant before it was removed.
Security should audit and lock down which browser extensions employees can install within the next 5 business days, prioritizing anyone with access to corporate email or sensitive systems.
Without action, a single employee installing a fake AI tool can give an attacker full access to their inbox — including confidential communications, customer data, and anything sent or received over email.
GDPR — Gmail and Outlook exfiltration directly exposes personal data of EU data subjects processed through corporate email, triggering Article 33 breach notification obligations
HIPAA — If affected email accounts are used by covered entities or business associates, intercepted email may constitute unauthorized access to protected health information (PHI)
CCPA — California consumer personal data transmitted through compromised Gmail or Outlook accounts may constitute a reportable security incident under Cal. Civ. Code § 1798.150
Technical Analysis
Malicious Chrome extensions masquerade as AI productivity tools (ChatGPT, Copilot, AI assistant variants) and are distributed via the Chrome Web Store, social engineering, and GitHub-hosted packages.
Once installed, they execute within the browser's privileged extension context, bypassing network-layer and endpoint perimeter controls entirely.
Observed capabilities across documented variants: credential harvesting (CWE-255, T1555), authenticated session cookie theft (T1539, CWE-200), Gmail and Outlook data exfiltration (T1114), ChatGPT prompt interception (T1056.004), and browser session hijacking (T1185).
A related Unit 42 finding documented a Chrome vulnerability enabling extension-based hijacking of Gemini Live sessions. Researchers flagged AI-generated malware in extension payloads (T1059.007), lowering development barriers for threat actors. Agentic AI browser platforms requesting excessive permissions represent an expanding structural attack surface (CWE-272, CWE-494).
Attributed clusters include: 2vk (VK Styles, GitHub distribution), AiFrame (unattributed), CL Suite (getauth[.]pro infrastructure), and Chrome MCP Server operator (qubecare[.]ai infrastructure). No CVE has been assigned to the campaign; relevant CWEs: CWE-284, CWE-200, CWE-319, CWE-272, CWE-494. MITRE ATT&CK techniques: T1071.001, T1539, T1185, T1176, T1204.002, T1041, T1102, T1566, T1059.007, T1114, T1555, T1056.004, T1090. Sources: Unit 42 (Palo Alto Networks), Socket, LayerX, Koi Security. No vendor patch is available; mitigation is policy, detection, and browser management control.
Action Checklist
Triage Priority: IMMEDIATE
Escalate to CISO and legal/privacy counsel immediately if forensic evidence confirms session tokens were used post-theft (impossible-travel logins, OAuth grants from attacker IPs, or email exfiltration from Gmail/Outlook), as this constitutes unauthorized access to personal data and may trigger breach notification obligations under GDPR, CCPA, or HIPAA depending on the data classifications present in affected mailboxes.
1. Containment: Audit all Chrome extensions installed across managed endpoints immediately. Use Chrome Browser Cloud Management or equivalent MDM telemetry to enumerate installed extensions by extension ID. Block installation of extensions not on an approved allowlist via Chrome enterprise policy (ExtensionInstallAllowlist / ExtensionInstallBlocklist). Focus first on endpoints with access to Gmail, Outlook, or ChatGPT.
Containment
NIST 800-61r3 §3.3 — Containment Strategy: Choose a containment strategy based on the attack vector; browser-layer attacks executing in trusted context require policy-based blocking before network controls can be effective.
NIST IR-4 (Incident Handling)
NIST CM-7 (Least Functionality) — restrict browser to approved extensions only
NIST SI-3 (Malicious Code Protection) — treat malicious extensions as malicious code at the browser entry/exit point
CIS 2.3 (Address Unauthorized Software) — enumerate and block unauthorized extensions as unauthorized software on managed endpoints
CIS 4.6 (Securely Manage Enterprise Assets and Software) — enforce extension allowlist via Chrome enterprise policy as a configuration management control
Compensating Control
Without Chrome Browser Cloud Management, deploy a GPO (Windows) or managed preference plist (macOS) pushing ExtensionInstallBlocklist with wildcard '*' and ExtensionInstallAllowlist with approved IDs. Enumerate currently installed extensions across endpoints by running: `Get-ItemProperty 'HKCU:\Software\Google\Chrome\Extensions\*' | Select-Object PSChildName` (PowerShell, per-host) or collect the JSON files under `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions\` and parse the manifest.json for each subdirectory to extract 'name', 'permissions', and 'host_permissions'. A 2-person team can script this with PowerShell remoting or a simple bash loop over SSH for macOS/Linux endpoints.
Preserve Evidence
Before enforcing blocklist policy, snapshot the current extension state for forensic preservation: export Chrome's `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions\` directory tree (Windows) or `~/Library/Application Support/Google/Chrome/Default/Extensions/` (macOS) — each subfolder is an extension ID. Capture `manifest.json` from each to document declared permissions. Pull Chrome Browser Cloud Management extension inventory report if available. Export Windows registry key `HKCU\Software\Google\Chrome\Extensions` to preserve install history. Document any extension IDs matching the fake AI productivity naming pattern (e.g., extensions claiming to be ChatGPT, Copilot, or similar) installed during the campaign window, particularly those with IDs that appeared in the 260,000-install wave.
2. Detection: Query EDR and browser management telemetry for extensions with permissions including cookies, webRequest, tabs, and nativeMessaging in combination. Review DNS and proxy logs for connections to known malicious infrastructure: getauth[.]pro and qubecare[.]ai. Inspect Chrome extension manifests for excessive permission scopes inconsistent with stated functionality. SIEM: alert on Chrome extension installs from outside the managed allowlist.
Detection & Analysis
NIST 800-61r3 §3.2 — Detection and Analysis: Correlate indicators from multiple sources; browser telemetry, DNS/proxy logs, and manifest inspection are the primary visibility surfaces for this threat because perimeter controls cannot inspect in-browser execution.
NIST SI-4 (System Monitoring) — extend monitoring scope explicitly to browser extension installation events and associated network egress
NIST AU-2 (Event Logging) — ensure Chrome extension install/update events and browser-generated DNS queries are included in the defined event logging set
NIST AU-6 (Audit Record Review, Analysis, and Reporting) — actively review DNS and proxy logs for the two named C2 domains as a priority analysis task
CIS 8.2 (Collect Audit Logs) — confirm browser extension telemetry and DNS query logs are actively ingested into the log management process
CIS 7.1 (Establish and Maintain a Vulnerability Management Process) — treat detection of high-risk permission combinations as a vulnerability indicator requiring tracked remediation
Compensating Control
Without SIEM/EDR: (1) Parse all `manifest.json` files across the Extensions directory using PowerShell: `Get-ChildItem -Path "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Extensions" -Recurse -Filter manifest.json | ForEach-Object { $m = Get-Content $_.FullName | ConvertFrom-Json; if ($m.permissions -match 'cookies|webRequest|tabs|nativeMessaging') { [PSCustomObject]@{ID=$_.Directory.Parent.Name; Name=$m.name; Permissions=$m.permissions} } }`. (2) Use DNS query logs from your local resolver or pfSense/OPNsense query log to grep for `getauth.pro` and `qubecare.ai`. (3) Deploy Sysmon with EventID 22 (DNS Query) and filter on those two domains using a Sigma rule targeting `dns_query` with `query|contains` for those hostnames.
Preserve Evidence
Before alerting/blocking, capture: (1) Full DNS query logs from your resolver or endpoint DNS cache (`ipconfig /displaydns` per host, or Sysmon EID 22 exports) filtered for `getauth[.]pro` and `qubecare[.]ai` with timestamps and source IP. (2) Proxy or firewall egress logs showing HTTP/S POST requests to those domains — these extensions exfiltrate cookies and session tokens via POST, so look for outbound POST traffic with unusual body sizes to those FQDNs. (3) Chrome `History` and `Network Action Predictor` SQLite databases under `%LOCALAPPDATA%\Google\Chrome\User Data\Default\` — copy these files while Chrome is closed, since it locks them while running, to capture URL visit history that may show the extension's web store installation page and C2 beaconing URLs. (4) The raw manifest.json and background service worker JS files from the specific extension directory — the malicious logic (cookie harvesting, webRequest interception) will be present in the extension's background.js or service_worker.js.
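As an added example (not code from the page or from any of the cited vendors), the Sysmon EventID 22 checks above as an offline Python pass over an exported event log: it flags any query for the two campaign domains or their subdomains from any process, and flags chrome.exe queries that fall outside an approved-suffix list. The allowlist, hostnames, timestamps and the tracker domain in the sample export are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from typing import Optional

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"   # Windows event XML namespace
# Campaign domains from the page, written defanged; any subdomain of them also counts as a hit.
IOC_DOMAINS = ("getauth[.]pro", "qubecare[.]ai")
# Hypothetical corporate allowlist of suffixes the browser is expected to resolve (an assumption).
APPROVED_SUFFIXES = ("google.com", "googleapis.com", "gstatic.com", "office.com",
                     "microsoftonline.com", "microsoft.com", "openai.com")


def refang(domain: str) -> str:
    """Normalise a possibly defanged name: 'GETAUTH[.]PRO.' -> 'getauth.pro'."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


def under_suffix(qname: str, suffix: str) -> bool:
    """True for the domain itself or any subdomain; 'notgetauth.pro' must not match 'getauth.pro'."""
    return qname == suffix or qname.endswith("." + suffix)


def classify(event: dict) -> Optional[str]:
    """Verdict for one EID 22 record: 'IOC', 'UNAPPROVED', or None when nothing is suspicious."""
    qname = refang(event.get("QueryName", ""))
    image = event.get("Image", "").lower()
    if any(under_suffix(qname, refang(d)) for d in IOC_DOMAINS):
        return "IOC"          # known C2/exfil domain: high-confidence hit from any process
    if image.endswith("\\chrome.exe") and not any(under_suffix(qname, s) for s in APPROVED_SUFFIXES):
        return "UNAPPROVED"   # the browser resolving something outside the allowlist: review
    return None


def parse_sysmon_xml(xml_text: str) -> list:
    """Pull EventID 22 records out of exported Sysmon XML (e.g. wevtutil /f:xml output)."""
    root = ET.fromstring("<Events>" + xml_text + "</Events>")   # exports are bare <Event> siblings
    events = []
    for ev in root.iter(NS + "Event"):
        if ev.findtext(f"{NS}System/{NS}EventID") != "22":
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.iter(NS + "Data")}
        data["Computer"] = ev.findtext(f"{NS}System/{NS}Computer", "")
        events.append(data)
    return events


def detect(events: list) -> list:
    """Run classify() over parsed records and keep only the ones that need attention."""
    hits = []
    for ev in events:
        verdict = classify(ev)
        if verdict:
            hits.append({"time": ev.get("UtcTime", ""), "computer": ev.get("Computer", ""),
                         "image": ev.get("Image", ""), "qname": ev.get("QueryName", ""),
                         "verdict": verdict})
    return hits


# Constructed sample export: hostnames, times and the tracker domain are invented for this example.
def _event(utc: str, qname: str, image: str) -> str:
    return (f'<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            f'<System><EventID>22</EventID><Computer>WS-SAMPLE-01</Computer></System>'
            f'<EventData><Data Name="UtcTime">{utc}</Data><Data Name="QueryName">{qname}</Data>'
            f'<Data Name="Image">{image}</Data><Data Name="User">CORP\\sample.user</Data>'
            f'</EventData></Event>')


CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_SYSMON_XML = "".join([
    _event("2025-01-01 09:00:00.000", "mail.google.com", CHROME),              # normal browsing
    _event("2025-01-01 09:00:05.000", "api.getauth.pro", CHROME),              # campaign C2 subdomain
    _event("2025-01-01 09:01:00.000", "qubecare.ai", r"C:\Windows\System32\svchost.exe"),
    _event("2025-01-01 09:02:00.000", "cdn.tracker-example.invalid", CHROME),  # outside allowlist
])

if __name__ == "__main__":
    for hit in detect(parse_sysmon_xml(SAMPLE_SYSMON_XML)):
        print(hit["verdict"], hit["time"], hit["computer"], hit["image"], hit["qname"])
```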
3. Eradication: Force-remove identified malicious extensions via Chrome enterprise policy (ExtensionInstallForcelist removal or direct MDM push). Invalidate all active session tokens for affected users in Gmail (Google Admin Console > Security > Device Sessions) and Microsoft Outlook (Entra ID: Revoke-AzureADUserAllRefreshToken). Reset credentials for any account where a malicious extension had cookie or password-form access.
Eradication
NIST 800-61r3 §3.4 — Eradication: After containment, eliminate all components of the incident including stolen credentials and active session tokens; for browser-based session theft, token invalidation is a required eradication step equivalent to removing malware persistence.
NIST IR-4 (Incident Handling) — eradication activities must address all affected components including extension artifacts and compromised identity material
NIST IA-5 (Authenticator Management) — reset compromised authenticators (passwords and session tokens) for all accounts where the extension had cookie or form-fill access
NIST AC-2 (Account Management) — revoke active sessions and refresh tokens as part of account remediation for confirmed credential-access events
NIST SI-2 (Flaw Remediation) — document and verify removal of the malicious extension from every affected endpoint before closing the eradication phase
CIS 5.2 (Use Unique Passwords) — enforce unique credential reset for all affected accounts; do not allow password reuse that an intercepted form-fill may have already captured
CIS 6.2 (Establish an Access Revoking Process) — follow the documented access revocation process to invalidate sessions and tokens systematically across Gmail and M365
Compensating Control
For orgs without MDM: manually deploy a registry key via GPO or login script setting `HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallBlocklist\1 = <malicious_extension_id>` and `ExtensionInstallForcelist` removal. For token revocation without Entra ID premium tooling, use the `Revoke-AzureADUserAllRefreshToken` cmdlet from the free AzureAD PowerShell module: `Connect-AzureAD; Get-AzureADUser -SearchString 'affected_user' | ForEach-Object { Revoke-AzureADUserAllRefreshToken -ObjectId $_.ObjectId }` (that module is deprecated; in Microsoft Graph PowerShell the equivalent is `Revoke-MgUserSignInSession -UserId <user id>`). For Google Workspace, admin-level session revocation is available in the free Google Admin Console under Users > [User] > Security > Review Sessions.
Preserve Evidence
Before eradication, preserve: (1) A full forensic copy of the malicious extension directory (`%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions\<extension_id>\`) including all JS files — the background script will contain the cookie-stealing and webRequest interception code, which is required for scope determination (what data was accessed). (2) Chrome `Cookies` SQLite database (`%LOCALAPPDATA%\Google\Chrome\User Data\Default\Network\Cookies`) — this file reveals which authenticated session cookies were present and accessible to the extension at time of compromise; copy it before Chrome is relaunched post-removal. (3) Google Admin Console audit log export (Reports > Audit > Login) and Entra ID Sign-in logs showing session activity from affected accounts during the compromise window — this establishes whether stolen tokens were actually used by the threat actor from external IPs.
4. Recovery: Re-authenticate affected users with fresh credentials and new session tokens. Enable phishing-resistant MFA (FIDO2/passkeys) on Gmail and M365 accounts where session tokens were potentially stolen. Monitor for anomalous OAuth token activity and impossible-travel login events in Google Workspace and Entra ID audit logs for 30 days post-remediation.
Recovery
NIST 800-61r3 §3.5 — Recovery: Restore systems to normal operation and confirm that all threat footholds are eliminated; for session-token theft, re-authentication with phishing-resistant MFA closes the residual risk that stolen tokens or intercepted credentials enable re-entry.
NIST IR-4 (Incident Handling) — recovery phase must include verification that the threat actor no longer has viable access via stolen tokens or credentials
NIST IA-2 (Identification and Authentication) — enforce phishing-resistant MFA (FIDO2/passkeys) as the authentication upgrade that defeats session token replay and credential reuse from this campaign
NIST AC-17 (Remote Access) — monitor post-recovery remote access (OAuth, IMAP, EWS) for signs that stolen tokens are being replayed from attacker infrastructure
NIST AU-6 (Audit Record Review, Analysis, and Reporting) — conduct active 30-day review of Google Workspace and Entra ID audit logs for impossible-travel, OAuth anomalies, and new application consent grants
CIS 6.3 (Require MFA for Externally-Exposed Applications) — enforce MFA on Gmail and M365 as externally-exposed enterprise applications immediately following credential reset
CIS 6.4 (Require MFA for Remote Network Access) — extend FIDO2/passkey enforcement to any remote access paths used by affected accounts
Compensating Control
Without Entra ID P2 or Google Workspace enterprise licensing: use the free Entra ID (formerly Azure AD Free) Conditional Access sign-in logs available in the Azure portal under Azure Active Directory > Sign-in logs — filter by user, date range, and flag entries where 'Location' differs from the user's normal geography or 'Client App' shows legacy protocols (IMAP, POP, SMTP AUTH) that bypass MFA. For Google Workspace, free audit logs are available at admin.google.com under Reports > Audit > Login — export as CSV and use a simple spreadsheet filter on 'Login Type = exchange' or 'Suspicious login' flags. FIDO2 security keys (e.g., YubiKey) or device passkeys are a zero-cost MFA upgrade for Google and Microsoft accounts.
Preserve Evidence
During recovery monitoring, collect: (1) Entra ID Conditional Access and Sign-in logs for affected accounts — specifically filter for `clientAppUsed` values of `IMAP`, `POP3`, `SMTP`, or `Exchange ActiveSync` which indicate legacy protocol access that a stolen session token or password would enable even post-MFA enforcement gaps. (2) Google Workspace Admin audit log for OAuth token grants — look for new third-party application authorizations made from affected accounts during or after the compromise window, as the extension may have used its cookie access to silently authorize additional OAuth scopes. (3) Entra ID Audit Logs for `Revoke refresh tokens` and `User risk level changed` events to confirm token revocation was processed and to track whether Identity Protection flagged the account.
5. Post-Incident: Formalize a browser extension governance policy: require security review and allowlisting before any extension is permitted on managed endpoints. Extend DLP controls to browser-layer data flows. Evaluate browser isolation or enterprise browser solutions for users with access to sensitive email and AI platforms. Review permission scope requirements for any agentic AI browser tools currently approved.
Post-Incident
NIST 800-61r3 §4 — Post-Incident Activity: Conduct lessons-learned review and update policies, detection capabilities, and preventive controls to reduce recurrence; this campaign demonstrates that browser extensions are an uncontrolled software installation vector requiring formal governance equivalent to endpoint software.
NIST IR-4 (Incident Handling) — post-incident activity must produce documented updates to the incident handling capability, including updated detection rules and policy changes
NIST IR-8 (Incident Response Plan) — update the IR plan to include browser extension compromise as a named incident category with defined scope, triage criteria, and containment procedures
NIST CM-7 (Least Functionality) — formalize browser extension allowlisting as a least-functionality configuration standard; unapproved extensions are unauthorized software
NIST SI-7 (Software, Firmware, and Information Integrity) — apply integrity verification requirements to approved browser extensions, including periodic re-review of permission scopes after Chrome Web Store updates
NIST SA-15 (Development Process, Standards, and Tools) — when reviewing agentic AI browser tools, assess the supply chain risk of extensions that access sensitive data flows including email and AI prompt content
CIS 2.1 (Establish and Maintain a Software Inventory) — add browser extensions to the enterprise software inventory with the same rigor applied to installed applications
CIS 2.2 (Ensure Authorized Software is Currently Supported) — include browser extensions in the supported software review; extensions abandoned by developers or removed from the Chrome Web Store must be treated as unsupported software
CIS 7.1 (Establish and Maintain a Vulnerability Management Process) — incorporate browser extension permission-scope review into the recurring vulnerability management process, triggered on any extension update
Compensating Control
Without enterprise DLP tooling: deploy Sysmon with DNS logging (EID 22) and a standing Sigma rule alerting on DNS queries to any domain not in an approved list from Chrome processes (`Image|endswith: \chrome.exe`). For DLP at the browser layer, uBlock Origin in enterprise lockdown mode (via ExtensionInstallForcelist with managed settings) can block data exfiltration to known-bad domains at zero cost. For extension permission auditing on an ongoing basis, schedule a monthly cron/task to re-parse all `manifest.json` files across the Extensions directory and diff against the last known-good baseline — a new permission appearing in an approved extension's manifest after an auto-update is a detection signal. For agentic AI tool review, manually audit the `host_permissions` field in the manifest for any extension claiming access to `https://mail.google.com/*` or `https://outlook.office.com/*`.
Preserve Evidence
For post-incident reporting and policy justification, preserve: (1) The complete permission manifest of every malicious extension identified in this incident — specifically the `permissions`, `host_permissions`, and `content_scripts.matches` fields — as the documented evidence base for the new permission-scope review policy. (2) DNS and proxy log exports showing the exfiltration traffic to `getauth[.]pro` and `qubecare[.]ai` with timestamps, source hosts, and data volumes — this quantifies the blast radius and supports breach notification assessment. (3) The Chrome Web Store listing URLs (captured via web archive if the extensions were removed) and install counts — the 260,000-install figure and AI productivity branding pattern are the threat intelligence basis for the agentic AI tool review policy requirement.
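As an added example serving both the manifest audit in step 2 and the monthly baseline diff above (not code from the page or from any of the cited vendors), a Python pass that normalises MV2 and MV3 manifests, flags the permission combinations the page calls out, and diffs a fresh scan against a known-good baseline so that a scope appearing after an auto-update surfaces as a change. The extension ID and both manifests are constructed; point scan_extensions_dir at the real Extensions directory to run it on a host.

```python
import json
import tempfile
from pathlib import Path

# API permissions the page flags as high-risk for an AI-branded extension (plus webRequestBlocking,
# the blocking variant of webRequest); host patterns that cover every site; the two mail origins.
RISKY_API_PERMISSIONS = {"cookies", "webRequest", "webRequestBlocking", "tabs",
                         "nativeMessaging", "identity", "browsingData"}
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
MAIL_HOSTS = ("mail.google.com", "outlook.office.com")

def summarize_manifest(ext_id: str, version: str, manifest: dict) -> dict:
    """Normalise an MV2 or MV3 manifest into API permissions plus every host pattern it can touch."""
    api = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))   # MV3 keeps host patterns here...
    for p in list(api):                                 # ...MV2 mixes them into "permissions"
        if "://" in p or p == "<all_urls>":
            hosts.add(p)
            api.discard(p)
    for script in manifest.get("content_scripts", []):  # content scripts run on their matched hosts too
        hosts.update(script.get("matches", []))
    return {"id": ext_id, "version": version, "name": manifest.get("name", ""),
            "api_permissions": sorted(api), "host_permissions": sorted(hosts)}

def risk_findings(summary: dict) -> list:
    """Reasons this extension warrants review; an empty list means nothing was flagged."""
    api = set(summary["api_permissions"])
    hosts = summary["host_permissions"]
    findings = []
    risky = sorted(api & RISKY_API_PERMISSIONS)
    if risky:
        findings.append("risky API permissions: " + ", ".join(risky))
    broad = sorted(h for h in hosts if h in BROAD_HOST_PATTERNS)
    mail = sorted(h for h in hosts if any(m in h for m in MAIL_HOSTS))
    if broad:
        findings.append("broad host access: " + ", ".join(broad))
    if mail:
        findings.append("mail host access: " + ", ".join(mail))
    if "cookies" in api and (broad or mail):
        findings.append("cookies permission reaches Gmail/Outlook session cookies")
    return findings

def scan_extensions_dir(root: Path) -> dict:
    """Walk <root>/<extension_id>/<version>/manifest.json, Chrome's on-disk layout (version dirs
    are often named like 1.1.0_0), and summarise every extension found."""
    results = {}
    for manifest_path in sorted(root.glob("*/*/manifest.json")):
        version_dir = manifest_path.parent
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))  # tolerate a BOM
        except (OSError, ValueError):
            continue                                    # unreadable manifest: skip, keep sweeping
        ext_id = version_dir.parent.name
        results[ext_id] = summarize_manifest(ext_id, version_dir.name, manifest)
    return results

def diff_against_baseline(baseline: dict, current: dict) -> list:
    """Report new extensions and permission scopes that appeared since the last known-good scan."""
    changes = []
    for ext_id, cur in current.items():
        base = baseline.get(ext_id)
        if base is None:
            changes.append(f"NEW {ext_id} ({cur['name']}) v{cur['version']}")
            continue
        for field in ("api_permissions", "host_permissions"):
            added = sorted(set(cur[field]) - set(base[field]))
            if added:   # a scope appearing after an auto-update is the detection signal
                changes.append(f"ADDED {field} on {ext_id} v{base['version']}->v{cur['version']}: "
                               + ", ".join(added))
    for ext_id in sorted(set(baseline) - set(current)):
        changes.append(f"REMOVED {ext_id}")
    return changes

# Constructed sample data: the extension ID and both manifests are made up for this example.
SAMPLE_ID = "a" * 32                                    # placeholder, not a real extension ID
BASELINE_MANIFEST = {"manifest_version": 3, "name": "Example AI Writing Helper", "version": "1.0.0",
                     "permissions": ["storage"], "host_permissions": ["https://example.invalid/*"]}
UPDATED_MANIFEST = {"manifest_version": 3, "name": "Example AI Writing Helper", "version": "1.1.0",
                    "permissions": ["storage", "cookies", "webRequest", "tabs"],
                    "host_permissions": ["<all_urls>"],
                    "content_scripts": [{"matches": ["https://mail.google.com/*"], "js": ["inject.js"]}]}

def _write_tree(root: Path, manifests: dict) -> None:
    """Lay out manifests exactly as Chrome does: <root>/<id>/<version>/manifest.json."""
    for ext_id, (version, manifest) in manifests.items():
        version_dir = root / ext_id / version
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")

def demo() -> tuple:
    """Baseline scan, then a scan after a trojanized auto-update; returns (findings, changes)."""
    with tempfile.TemporaryDirectory() as tmp:
        before, after = Path(tmp) / "before", Path(tmp) / "after"
        _write_tree(before, {SAMPLE_ID: ("1.0.0", BASELINE_MANIFEST)})
        _write_tree(after, {SAMPLE_ID: ("1.1.0", UPDATED_MANIFEST)})
        baseline, current = scan_extensions_dir(before), scan_extensions_dir(after)
    scored = {ext_id: risk_findings(summary) for ext_id, summary in current.items()}
    findings = {ext_id: reasons for ext_id, reasons in scored.items() if reasons}
    return findings, diff_against_baseline(baseline, current)
```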
Recovery Guidance
Verify recovery completeness by confirming: (1) all malicious extension IDs are absent from every managed endpoint via a follow-up Chrome Browser Cloud Management or MDM extension inventory report, (2) all affected user accounts show only FIDO2/passkey authentication events with no legacy protocol (IMAP/POP/SMTP AUTH) access in the 72 hours post-credential reset, and (3) no new third-party OAuth application authorizations appear in Google Workspace or Entra ID audit logs for affected accounts. Maintain active monitoring of Google Workspace Login Audit and Entra ID Sign-in logs for impossible-travel and anomalous OAuth activity for a minimum of 30 days, given that this campaign harvested session tokens which may have been cached by the threat actor for delayed use. Any approved agentic AI browser extension that accesses Gmail, Outlook, or ChatGPT should be treated as a recovery watch item until its permission scope is formally re-reviewed under the new governance policy.
Key Forensic Artifacts
Chrome Extensions directory tree (%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions\ on Windows; ~/Library/Application Support/Google/Chrome/Default/Extensions/ on macOS) — each subdirectory name is an extension ID; the manifest.json and background.js/service_worker.js within contain the declared permissions and the actual credential-harvesting and webRequest-interception code specific to this campaign's attack mechanism
Chrome Cookies SQLite database (%LOCALAPPDATA%\Google\Chrome\User Data\Default\Network\Cookies) copied prior to browser relaunch — contains the authenticated session cookies for Gmail (accounts.google.com) and Outlook (login.microsoftonline.com, outlook.office.com) that the malicious extension was positioned to steal via the cookies permission
DNS query logs or Sysmon EventID 22 records filtered for getauth[.]pro and qubecare[.]ai with source hostname and timestamp — these are the confirmed C2/exfiltration domains for this campaign and their presence in DNS logs directly evidences that an installed extension made outbound contact with threat actor infrastructure
Google Workspace Admin Reports > Audit > Login CSV export and Entra ID Sign-in logs for affected accounts covering the full suspected compromise window — filter for 'Login Type: exchange', 'Client App: IMAP/POP3/SMTP', impossible-travel flags, and new OAuth application consent grants, which would indicate the threat actor actively used stolen session tokens or credentials harvested via the extension's password-form interception capability
Chrome extension update history from the Chrome Web Store update manifest cache (%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions\<extension_id>\<version>\_metadata\) — this records when the extension was installed and updated, which can establish whether a legitimate-appearing extension was trojanized via an update during the active campaign wave, a known delivery technique used in this class of AI-productivity-branded extension attacks
Detection Guidance
Primary detection surface is browser management and endpoint telemetry, not network controls. Key indicators:
Extensions installed outside the managed allowlist: query Chrome Browser Cloud Management or MDM for extension IDs not in the approved set.
Extension manifests requesting the permissions cookies, webRequest, tabs, nativeMessaging, identity, or browsingData: flag any AI-branded extension with these scopes.
DNS/proxy hits on the known malicious domains getauth[.]pro and qubecare[.]ai: treat any connection as a high-confidence IOC.
Unusual OAuth token issuance or session token refresh patterns in Google Workspace Admin audit logs or Entra ID sign-in logs, especially from browser user-agent strings.
Outbound exfiltration patterns via WebSockets or fetch() calls to non-corporate endpoints from browser processes (where endpoint DLP captures browser network activity).
GitHub-distributed extension packages from the 2vk/VK Styles cluster: monitor for installs sourced from github.com/vkstyles or similar repositories outside the Chrome Web Store.
SIEM rule suggestion: alert on Chrome extension install events (Windows Event Log or EDR telemetry) where the extension ID does not match the approved allowlist. Verify that your EDR and Chrome Browser Cloud Management platforms support extension install event logging, as not all EDR products capture this telemetry natively.
Indicators of Compromise (2)
2 domains
Type | Value | Enrichment | Context | Confidence
DOMAIN | getauth[.]pro | VT, US | Command-and-control infrastructure attributed to the CL Suite operator campaign variant | HIGH
DOMAIN | qubecare[.]ai | VT, US | Infrastructure attributed to the Chrome MCP Server operator campaign variant | HIGH
Platform Playbooks
IOC Detection Queries (1)
2 domain indicator(s). Detects DNS lookups and connections.
// Threat: Malicious Chrome Extensions Exploit AI Productivity Branding to Steal Credential
let malicious_domains = dynamic(["getauth.pro", "qubecare.ai"]);
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteUrl has_any (malicious_domains)
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, RemotePort,
InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
MITRE ATT&CK Hunting Queries (4)
Sentinel rule: Unusual C2 communication patterns
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort in (80, 443, 8080, 8443)
| where InitiatingProcessFileName !in~ ("chrome.exe", "msedge.exe", "firefox.exe", "teams.exe", "outlook.exe", "svchost.exe")
| summarize Connections = count() by DeviceName, RemoteIP, InitiatingProcessFileName
| where Connections > 50
| sort by Connections desc
Sentinel rule: Suspicious file execution from downloads
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FolderPath has_any ("\\Downloads\\", "\\Temp\\", "\\AppData\\Local\\Temp\\")
| where FileName matches regex @"(?i)\.(exe|scr|bat|ps1|vbs|js|hta|msi)$"
| where InitiatingProcessFileName in~ ("explorer.exe", "outlook.exe", "chrome.exe", "msedge.exe")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, ProcessCommandLine, AccountName
| sort by Timestamp desc
Sentinel rule: Phishing email delivery
EmailEvents
| where Timestamp > ago(7d)
| where ThreatTypes has "Phish" or DetectionMethods has "Phish"
| summarize Attachments = make_set(AttachmentCount), Urls = make_set(UrlCount) by NetworkMessageId, Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, DeliveryAction, DeliveryLocation, ThreatTypes
| sort by Timestamp desc
Sentinel rule: Suspicious PowerShell command line
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| where ProcessCommandLine has_any ("-enc", "-nop", "bypass", "hidden", "downloadstring", "invoke-expression", "iex", "frombase64", "new-object net.webclient")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName, InitiatingProcessFileName
| sort by Timestamp desc
Falcon API IOC Import Payload (2 indicators)
POST to /indicators/entities/iocs/v1 — Weak/benign indicators pre-filtered. Expiration set to 90 days.
[
  {
    "type": "domain",
    "value": "getauth.pro",
    "source": "SCC Threat Intel",
    "description": "Command-and-control infrastructure attributed to the CL Suite operator campaign variant",
    "severity": "high",
    "action": "detect",
    "platforms": [
      "windows",
      "mac",
      "linux"
    ],
    "applied_globally": true,
    "expiration": "2026-07-31T00:00:00Z"
  },
  {
    "type": "domain",
    "value": "qubecare.ai",
    "source": "SCC Threat Intel",
    "description": "Infrastructure attributed to the Chrome MCP Server operator campaign variant",
    "severity": "high",
    "action": "detect",
    "platforms": [
      "windows",
      "mac",
      "linux"
    ],
    "applied_globally": true,
    "expiration": "2026-07-31T00:00:00Z"
  }
]
Route 53 DNS — Malicious Domain Resolution
fields @timestamp, query_name, srcaddr, rcode
| filter query_name like /(^|\.)(getauth\.pro|qubecare\.ai)\.?$/
| sort @timestamp desc
| limit 200
Compliance Framework Mappings
MITRE ATT&CK: T1071.001, T1539, T1185, T1176, T1204.002, T1041 (+8 more)
NIST SP 800-53: CA-7, SC-7, SI-4, AT-2, SI-3, SI-8 (+8 more)
OWASP Top 10: A01:2021, A02:2021, A08:2021
CIS Controls v8: 6.1, 6.2, 3.10, 2.5, 2.6, 6.3 (+1 more)
HIPAA: 164.312(a)(1), 164.312(e)(1), 164.312(d), 164.308(a)(6)(ii)
MITRE ATT&CK Mapping
T1539 Steal Web Session Cookie (credential-access)
T1185 Browser Session Hijacking (collection)
T1176 Software Extensions (persistence)
T1041 Exfiltration Over C2 Channel (exfiltration)
T1102 Web Service (command-and-control)
T1566 Phishing (initial-access)
T1114 Email Collection (collection)
T1555 Credentials from Password Stores (credential-access)
T1090 Proxy (command-and-control)
T1556 Modify Authentication Process (credential-access)
Guidance Disclaimer
The analysis, framework mappings, and incident response recommendations in this intelligence item are derived from established industry standards including NIST SP 800-61, NIST SP 800-53, CIS Controls v8, MITRE ATT&CK, and other recognized frameworks. This content is provided as supplemental intelligence guidance only and does not constitute professional incident response services. Organizations should adapt all recommendations to their specific environment, risk tolerance, and regulatory requirements. This material is not a substitute for your organization's official incident response plan, legal counsel, or qualified security practitioners.