Back to articles

AI extension incident response: a playbook for enterprise security teams

When malicious AI extensions hit 20K+ enterprise tenants, most teams had no playbook. Here's the incident response plan your org needs before the next campaign.

Maxim Kosterin
8 min read

Your security team gets an alert on a Monday morning: Microsoft Defender has flagged a browser extension installed across 400 employee machines. The extension — something called "Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI" — has been silently exfiltrating every ChatGPT and DeepSeek conversation your employees have had for the past three months.

What do you do in the next 60 minutes?

If you don't have an answer, you're not alone. When the Microsoft Defender Security Research Team published findings in March 2026 on a malicious AI extension campaign affecting over 20,000 enterprise tenants and nearly 900,000 users, most organizations had no browser extension incident response plan at all. Endpoint detection covered executables. Network monitoring covered outbound connections. But browser extensions? They sat in a blind spot between IT policy and security operations.

This playbook is what I'd implement after watching that gap play out at scale.

Phase 1: Containment (first 60 minutes)

The instinct is to investigate first. Resist it. Containment comes before forensics — every minute that extension runs is another batch of AI conversations leaving your network.

Step 1: Force-remove the extension across all managed browsers.

If you're using Chrome Enterprise policies, push a ExtensionInstallBlocklist update with the extension ID. For organizations on Microsoft Endpoint Manager or similar MDM tools, deploy the policy change as an emergency update. Don't wait for the next sync cycle — trigger an immediate policy refresh.

// Chrome Enterprise policy — block specific extension
{
  "ExtensionInstallBlocklist": {
    "Value": ["<malicious-extension-id>"]
  }
}

Step 2: Block the C2 domains at your DNS resolver and firewall.

According to Microsoft's findings, the campaign used identifiable command-and-control infrastructure. Add the known exfiltration domains to your DNS blocklist and egress firewall rules. This catches machines where the policy push hasn't landed yet and prevents any residual scripts from phoning home.

Step 3: Revoke active sessions for affected AI platforms.

If employees were using ChatGPT, DeepSeek, or other LLM platforms that the extension targeted, force-rotate their session tokens. The extension may have captured active session cookies — invalidating those sessions limits the attacker's ability to access accounts directly.

Phase 2: Scope assessment (hours 2–8)

Now that the bleeding has stopped, figure out how deep the wound goes.

Step 4: Identify every machine with the extension installed.

Query your endpoint management platform for the extension ID. If you don't have centralized extension visibility (and many organizations don't), this is the step where you discover that gap. You'll need to either run a script across managed devices that reads chrome://extensions data from each profile, or query Chrome's Preferences JSON files in each user's profile directory.

For organizations using Extenshi's catalog, the permission breakdown and risk scoring for any extension can accelerate the triage process — instead of manually parsing each extension's manifest.json, you get a plain-language summary of what it can actually access.

Step 5: Build a timeline of exposure.

For each affected user, determine:

  • When was the extension installed?
  • Which AI platforms did they use during the exposure window?
  • What were they working on? (You won't know the specific conversations, but project context helps prioritize.)

The exposure window matters. According to the Microsoft Defender Security Research Team's report, these extensions operated continuously once installed. An employee who installed the extension three months ago has a fundamentally different exposure profile than someone who installed it last week.

Step 6: Classify the data at risk.

This is where AI extension incidents diverge from typical malware. A stolen password gets rotated. A harvested AI conversation history can't be un-stolen. Think about what your employees actually type into ChatGPT:

  • Code containing proprietary logic or API keys
  • Legal documents and contract negotiations
  • HR discussions about employees
  • Financial projections and strategic plans
  • Customer data pasted into prompts for analysis

Each category has different disclosure obligations and remediation paths. Classify affected users into risk tiers based on their role and the sensitivity of their typical AI usage.

Phase 3: Remediation (days 1–7)

Step 7: Credential rotation for high-risk users.

Any user who pasted API keys, passwords, database connection strings, or other secrets into an AI chat during the exposure window needs those credentials rotated immediately. Don't rely on employees self-reporting — if your organization doesn't have an AI usage policy that prohibits pasting secrets into chatbots, assume it happened.

Step 8: Notify affected business units.

Legal, HR, and any team that handles regulated data (financial, medical, PII) need to know about the exposure. Depending on your jurisdiction and the data involved, you may have regulatory notification obligations under GDPR, HIPAA, CCPA, or industry-specific frameworks.

Step 9: Preserve forensic evidence.

Before wiping affected browser profiles, capture:

  • The extension's source files (from the Chrome extensions directory)
  • Network logs showing connections to exfiltration domains
  • Browser history and AI platform access logs for the exposure window
  • The extension's manifest.json and any embedded scripts

This evidence supports internal investigation, potential legal action, and regulatory compliance documentation.

Phase 4: Hardening (weeks 2–4)

The incident is contained and remediated. Now make sure it doesn't happen again.

Step 10: Implement an extension allowlist.

The single most effective control against malicious extensions is switching from a blocklist model (block known-bad) to an allowlist model (only allow known-good). Yes, employees will complain. Yes, it creates friction. But blocklists are reactive by definition — they only work after someone gets compromised.

Chrome Enterprise, Edge for Business, and Firefox Enterprise all support extension allowlisting. Start with the extensions that are already installed across your fleet, audit them, and build the allowlist from there.

Step 11: Deploy continuous extension monitoring.

One-time audits miss the most dangerous scenario: a legitimate extension pushing a malicious update. The Urban VPN incident — where a "Featured" extension added AI chat harvesting in a silent update, as reported by Malwarebytes — demonstrated that trust at installation time doesn't guarantee trust at runtime.

Set up monitoring that flags:

  • New extensions installed outside the allowlist
  • Permission changes in existing extensions (an extension that suddenly requests <all_urls> deserves investigation)
  • Extensions communicating with newly registered domains

The Extenshi catalog tracks permission changes and security research flags across Chrome, Firefox, and Edge extensions — it's a useful layer for teams that need visibility without building a custom scanning pipeline.

Step 12: Create an AI usage policy that accounts for browser extensions.

Most enterprise AI policies address which AI platforms employees can use. Very few address which browser extensions can sit on top of those platforms. After this incident, your AI acceptable use policy should explicitly cover:

  • Which AI-related browser extensions are approved (if any)
  • Whether employees can install extensions that request access to AI platform domains
  • How to report suspicious extension behavior
  • That pasting credentials, PII, or regulated data into AI chat is prohibited regardless of extension status

The 60-minute checklist

Print this out. Put it in your incident response runbook next to the ransomware playbook.

Time Action Owner
0–15 min Force-remove extension via enterprise policy IT Ops
0–15 min Block C2 domains at DNS/firewall Security Ops
15–30 min Revoke active sessions on affected AI platforms Identity team
30–60 min Query endpoints for extension install scope IT Ops
1–4 hr Build exposure timeline per affected user Security Ops
4–8 hr Classify data at risk by category and regulation Security + Legal
Day 1–3 Rotate credentials for high-risk users IT Ops
Day 1–3 Notify Legal, HR, affected business units CISO
Day 1–7 Preserve forensic evidence Security Ops
Week 2+ Implement extension allowlist IT Policy
Week 2+ Deploy continuous extension monitoring Security Ops
Week 2+ Update AI usage policy for extension controls CISO + Legal

Why this incident is different from typical malware

I've responded to plenty of endpoint compromises. Malicious browser extensions targeting AI conversations hit different because of what they capture.

Traditional malware steals credentials, financial data, or files — things with established response procedures. AI chat histories contain unstructured, context-rich data that spans every part of an organization. A single employee's three-month ChatGPT history might contain fragments from legal strategy, product roadmaps, customer negotiations, personnel decisions, and source code — all in one data stream.

That's why the 20,000+ enterprise tenant figure from Microsoft's report is so significant. Each tenant represents an organization where this kind of cross-functional data exposure may have occurred.

The playbook above won't undo the exposure. But it will shrink the window, limit the damage, and give your organization a defensible response when the next campaign hits — because it will.

Audit your organization's extensions →


This article is based on publicly available security research and news reporting. Extenshi does not independently verify all claims made by third-party researchers. References to specific companies or products reflect the findings of cited sources and do not constitute accusations of intentional wrongdoing. If you believe any information is inaccurate, please contact us at [email protected].

Related Articles