Likelihood: MODERATE
Impact: HIGH
Treatment: MITIGATE
Confidence: Moderate
Likelihood is moderate: exploitation status is unconfirmed and the extension required voluntary installation, but browser extension marketplaces have a well-documented history of low-friction, broad installation by non-technical users, and AI-branded lures are an active and escalating social-engineering vector. Impact is high because the specific mechanism — pre-submission address bar keystroke capture — exfiltrates credentials and internal URLs before any corporate security control (proxy, DLP, endpoint) can inspect or block the data, creating a direct path to unauthorized internal system access with limited detection opportunity.
Treatment rationale: The attack surface is controllable through browser extension policy enforcement and allowlisting, making active technical mitigation the appropriate primary response rather than acceptance or transfer, because the exposure window remains open on any device where the extension persists.
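The mitigation named above (enforced extension allowlisting) is the one control a practitioner can act on immediately. The following is an added example, not part of the original risk write-up: a small Python audit that checks an endpoint-reported extension inventory against an allowlist and emits the Chrome `ExtensionSettings` policy value that enforces default-deny, explicit allow, and forced removal of the offending ID. The allowlist, inventory rows and all extension IDs are constructed placeholders (real Chrome extension IDs are 32 characters from a-p; the ones here are not real Web Store IDs). The `installation_mode` values `blocked`, `allowed` and `removed` are real Chrome policy values; the path for the Linux policy file in the usage note is the standard managed-policy directory.

```python
"""Audit a browser-extension inventory against an allowlist and emit the
Chrome ExtensionSettings policy that enforces it.

Added example; not part of the original risk assessment. Every ID, device
name and inventory row below is constructed, not a real Web Store record.
"""
import json

# Constructed allowlist: extension ID -> the product name it is expected to carry.
ALLOWLIST = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": "Corporate Password Manager",
}

# Constructed inventory, shaped like what an endpoint agent would report:
# (device, extension id, display name, install source)
INVENTORY = [
    ("wks-0142", "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "Corporate Password Manager", "policy"),
    # stands in for an AI-branded impersonating extension installed from the store
    ("wks-0177", "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "AI Browser Assistant", "webstore"),
    ("wks-0203", "cccccccccccccccccccccccccccccccc", "Tab Counter", "webstore"),
    # allowlisted ID but unexpected name: record is spoofed or the ID was reused
    ("wks-0219", "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "Corporate Pass Manager Pro", "webstore"),
]

# Weak setting: only an explicit allow, no wildcard rule, so any other store
# extension still installs freely. Shown for contrast with build_policy().
WEAK_POLICY = {
    "ExtensionSettings": {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"installation_mode": "allowed"},
    }
}


def audit(inventory, allowlist):
    """Return inventory rows that violate the allowlist.

    A row is a finding when its ID is not allowlisted, or when an allowlisted
    ID appears under a different display name than the one expected.
    """
    findings = []
    for device, ext_id, name, _source in inventory:
        if ext_id not in allowlist:
            findings.append((device, ext_id, name, "not on allowlist"))
        elif allowlist[ext_id] != name:
            findings.append((device, ext_id, name, "name mismatch for allowlisted id"))
    return findings


def build_policy(allowlist, remove_ids=()):
    """Build a default-deny ExtensionSettings policy value.

    '*' blocked closes the store for everything not listed; allowlisted IDs
    get 'allowed'; IDs in remove_ids get 'removed', which uninstalls them
    from managed profiles rather than merely blocking new installs.
    """
    policy = {"*": {"installation_mode": "blocked"}}
    for ext_id in allowlist:
        policy[ext_id] = {"installation_mode": "allowed"}
    for ext_id in remove_ids:
        policy[ext_id] = {"installation_mode": "removed"}
    return {"ExtensionSettings": policy}


def is_default_deny(policy_doc):
    """True only when the wildcard rule blocks unlisted extensions."""
    wildcard = policy_doc.get("ExtensionSettings", {}).get("*", {})
    return wildcard.get("installation_mode") == "blocked"


if __name__ == "__main__":
    findings = audit(INVENTORY, ALLOWLIST)
    for f in findings:
        print(*f)
    # Everything not allowlisted is scheduled for removal, not just blocked.
    remove = sorted({ext_id for _, ext_id, _, reason in findings
                     if reason == "not on allowlist"})
    print(json.dumps(build_policy(ALLOWLIST, remove), indent=2))
```

The emitted JSON is the value for the `ExtensionSettings` policy: on Linux it is dropped as a file under `/etc/opt/chrome/policies/managed/`, on Windows and macOS the same value is delivered through GPO or MDM. Contrast `WEAK_POLICY` with the built one: without the `"*": {"installation_mode": "blocked"}` rule, an allowlist is only a list of names and the exposure window described in the treatment rationale stays open.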
Third-Party / Supply-Chain Risk
The Google Chrome Web Store serves as the shared distribution platform; Google's extension vetting process is the upstream control that failed to prevent publication of this impersonating extension. Per NIST SP 800-161, this represents a supplier control failure in the software distribution supply chain — organizations relying on marketplace trust signals without independent verification inherit that control gap. Additionally, Perplexity AI as the impersonated brand did not cause the risk but represents a third-party brand-trust dependency: employees extended implicit trust to a product they believed was legitimate.
Loss Exposure (illustrative)
Magnitude: moderate-to-high — illustrative $150K–$1.5M per incident, driven by incident response, credential rotation at scale, and potential unauthorized access investigation; upper range assumes confirmed credential-based breach resulting in lateral movement
Frequency: illustrative. For an organization with 500–2,000 knowledge workers and no enforced extension allowlist policy, the probability of at least one employee having installed this or a similar impersonating extension within a 12-month period is estimated as plausible (illustrative annual frequency: 0.2–0.5 events per year per organization in that profile)
Annualized: illustrative ALE of approximately $30K–$750K, the frequency range applied to the loss magnitude range; the wide band reflects uncertainty over whether installation occurred and whether captured keystrokes were acted upon by the attacker
Basis: Loss magnitude derived from: forensic investigation and IR engagement costs for browser-based credential compromise events, scope of credential rotation (all address-bar-entered credentials across affected devices), potential downstream access remediation if internal URLs or credentials were leveraged. Frequency derived from: documented prevalence of malicious browser extensions in enterprise environments, low friction of extension installation without policy controls, and active AI-branded lure campaigns as an established threat pattern. No external report dollar figures cited.
Illustrative estimate — not actuarially derived.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• If employee credentials were captured and subsequently used to access systems containing PII or regulated data, the event may constitute a reportable security incident under applicable state breach-notification statutes — verify with counsel.
• Pre-submission credential exfiltration involving corporate accounts may trigger notice obligations under cyber insurance policy incident-reporting requirements — verify with broker.
• If affected users accessed systems subject to HIPAA, PCI-DSS, or SOC 2 commitments, the keylogging mechanism may implicate those regulatory or contractual obligations — verify with counsel.