Microsoft Pulls 119 Edge Extensions That Hid Credential-Stealing Code Inside Images

A long-running campaign disguised malware as ad blockers and VPNs to harvest Google credentials, WordPress admin logins, and session cookies.

Published on Jun 29, 2026

Microsoft’s Edge team has removed 119 malicious extensions that posed as everyday tools while quietly stealing credentials, with a combined install base of up to 2.6 million users.

Microsoft calls the campaign StegoAd and traces it back to at least 2021. The extensions posed as categories users expect to be benign, ad blockers, translators, VPNs and video downloaders, and were published from more than 90 disposable developer accounts. Each extension delivered the functionality it advertised, which earned it genuine reviews and kept it below suspicion.

Microsoft’s analysis of the recovered payloads found credential theft aimed squarely at enterprise assets: Google account credentials together with the second-factor codes entered at sign-in, browser cookies exfiltrated at a controlled pace to enable session hijacking, and WordPress administrator logins.

The attacker also used traffic-ranking data to prioritize the most valuable sites. A stolen admin login or a lifted session cookie could hand over a content management system or a cloud tenant without ever tripping a password prompt, because a replayed session cookie is accepted as an already-authenticated user and asks for neither the password nor the second factor.

Why This Channel Stays Invisible

What kept StegoAd hidden was patience and disguise. Microsoft said each extension stayed dormant for several days after install, so that the automated review that runs at submission time saw only benign behaviour, and it would go quiet if it detected developer tools being opened.

Only later would it fetch what looked like an ordinary image file from a remote server, with the malicious code concealed inside the picture itself, a technique known as steganography. The campaign later evolved to bury code inside font files too. The package the store reviewed contained no malicious logic, and the payload arrived afterwards inside a file that static scanners treat as media, so there was nothing to flag even as the hidden behaviour ran on the user’s machine.

Microsoft says it has removed all 119 extensions, suspended the developer accounts, and deployed new detection for this style of concealed payload. It also published indicators of compromise so defenders can hunt for the same campaign in other browsers, including Chrome and Firefox, and warned that the actor remains active.

For organizations, the lesson is clear: a browser extension is an unmanaged endpoint, code running with the user’s privileges inside the session that holds their logins. Microsoft’s guidance points toward checking publishers and requested permissions before install, auditing what is already deployed, and resetting credentials for accounts like Google and WordPress if a flagged extension was ever present. Because the campaign also took session cookies, that reset should include revoking active sessions, since a stolen cookie stays valid until the session it belongs to is invalidated.