Malicious Chrome Extensions

A coordinated campaign of malicious Chrome extensions is actively targeting enterprise SaaS platforms, specifically HR and ERP systems such as Workday, NetSuite, and SAP SuccessFactors.

This is not opportunistic malware. It is a deliberate identity takeover operation engineered to bypass modern security controls by exploiting the most trusted layer in the enterprise stack: the browser.

With more than 2,300 enterprise users already affected, the attack demonstrates a critical failure in how organizations assess browser trust, session security, and SaaS access control.

The Emerging Threat: Browser-Based Account Takeover

Enterprise security architectures invest heavily in:

  • Identity providers
  • MFA
  • Endpoint protection
  • Network monitoring
  • Zero Trust frameworks

Yet many still operate under a dangerous assumption:

The browser is implicitly trusted.

Attackers are exploiting that assumption with precision.

A group of five interrelated malicious Chrome extensions has been uncovered, designed to operate as a single attack framework. Once installed, these extensions gain persistent, stealthy control over SaaS sessions, effectively neutralizing identity protections without triggering traditional alerts.

Why HR and ERP Platforms Are the Prime Targets

HR and ERP systems represent the highest-value SaaS assets in any organization. They control:

  • Employee identities and lifecycle management
  • Payroll and compensation data
  • Financial records and vendor access
  • Role-based access provisioning across systems

Compromise here is not a single incident; it is a blast-radius multiplier.

Once attackers gain control of these platforms:

  • Privilege escalation becomes trivial
  • Lateral movement accelerates
  • Compliance obligations collapse
  • Insider-like access is achieved externally

Anatomy of the Attack Framework

Coordinated, Not Isolated

The campaign consists of:

  • Four extensions published under the name databycloud1104
  • One separately branded extension called “Software Access”

Despite different branding, all share:

  • Identical infrastructure
  • Common command-and-control behavior
  • Coordinated execution logic

Each extension plays a specialized role, forming a modular attack chain.

The Most Dangerous Capability: Bidirectional Cookie Injection

The “Software Access” extension introduces a capability that fundamentally changes the threat model:

Bidirectional authentication cookie injection

This allows attackers to:

  1. Steal valid authentication cookies from a victim’s browser
  2. Inject those cookies directly into their own browser
  3. Instantly access enterprise SaaS platforms as the victim

No password required. No MFA challenge triggered. No suspicious login detected.

This is session hijacking at enterprise scale.

Persistent Credential Theft by Design

Other extensions in the framework continuously extract session tokens every 60 seconds.

This means:

  • Logging out does not end attacker access
  • Password resets are ineffective
  • Token expiration works against defenders
  • Access remains perpetually fresh

Normal user behavior, logging in to work, feeds the attacker.

Identity control is lost quietly and continuously.

The Silent Kill Switch: Blocking Incident Response

This campaign does not stop at access. It actively prevents remediation.

How Blocking Works

The extensions:

  • Use the DOM MutationObserver API
  • Inspect page content every 50 milliseconds
  • Identify security-sensitive workflows
  • Instantly erase them from the browser view

Within platforms like Workday, attackers block:

  • Password reset pages
  • Account deactivation workflows
  • MFA management screens
  • Audit log access
  • Administrative security controls

Victims are redirected to malformed URLs, creating the illusion of system error.

The Result

Security teams may detect suspicious activity, but they cannot act from the compromised browser.

This is not just compromise. It is containment failure by design.

Why Traditional Controls Fail

This attack succeeds because it operates:

  • Outside endpoint EDR visibility
  • Above network security controls
  • Inside the authenticated browser session

Browser extensions:

  • Run with trusted permissions
  • Access cookies, DOM, and active sessions
  • Bypass network and endpoint boundaries

They are effectively trusted code running with privileged identity context.

Compliance and Regulatory Impact

For regulated industries, the implications are severe:

  • Audit trails can be blocked or obscured
  • Access revocation may silently fail
  • Least privilege controls are bypassed
  • Incident response timelines break down
  • Regulatory reporting becomes unreliable

This creates material compliance exposure, not just technical risk.

What Security Teams Must Do – Immediately

1. Treat Browser Extensions as Executable Risk

Unapproved extensions are not “tools”; they are code execution with identity context.

2. Enforce Extension Allowlisting

  • Block user-installed extensions by default
  • Permit only vetted, business-critical extensions
  • Apply policy enforcement enterprise-wide

3. Elevate Browser Session Security

Browser sessions must be treated as privileged assets, equivalent to credentials.

4. Monitor Browser-Level Telemetry

Watch for:

  • Abnormal DOM manipulation
  • Unauthorized cookie access
  • Unusual extension behavior
  • Persistent token extraction patterns
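As an added example (not COE Security's code, and not the campaign's), the following Python audit puts steps 2 and 4 together: it walks a Chrome profile's extension manifests, flags anything outside the allowlist, and surfaces the permission combination the article describes, cookie access paired with broad host access. The allowlist ID, the profile path and the sample manifests are constructed placeholders.

```python
import json
from pathlib import Path

# API permissions that give an extension the reach the campaign abuses:
# cookies (session theft), webRequest (traffic interception), scripting/tabs
# (DOM manipulation inside any open SaaS tab), debugger (full page control).
RISKY_APIS = {"cookies", "webRequest", "webRequestBlocking", "scripting", "tabs", "debugger"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Placeholder allowlist: replace with the IDs your ExtensionInstallAllowlist policy permits.
ALLOWLIST = {"bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"}


def host_patterns(manifest):
    """Collect every host pattern requested, covering MV2 and MV3 manifest layouts."""
    pats = set(manifest.get("host_permissions", []))
    pats |= {p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"}
    for script in manifest.get("content_scripts", []):
        pats |= set(script.get("matches", []))
    return pats


def assess(ext_id, manifest, allowlist=ALLOWLIST):
    """Return a finding; 'flag' is True for any unapproved extension, and for an
    approved one that pairs cookie access with broad host access."""
    apis = set(manifest.get("permissions", [])) & RISKY_APIS
    broad = bool(host_patterns(manifest) & BROAD_HOSTS)
    approved = ext_id in allowlist
    return {"id": ext_id, "name": manifest.get("name", "?"), "approved": approved,
            "risky_apis": sorted(apis), "broad_hosts": broad,
            "flag": (not approved) or ("cookies" in apis and broad)}


def scan_profile(profile_dir, allowlist=ALLOWLIST):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json on disk and assess each."""
    root = Path(profile_dir, "Extensions")
    return [assess(mf.parent.parent.name, json.loads(mf.read_text(encoding="utf-8")), allowlist)
            for mf in root.glob("*/*/manifest.json")]


# Constructed sample manifests (not real extension data) for an offline run.
SAMPLE_SUSPECT = {"name": "Software Access", "manifest_version": 3,
                  "permissions": ["cookies", "scripting", "storage"],
                  "host_permissions": ["<all_urls>"],
                  "content_scripts": [{"matches": ["*://*/*"], "js": ["content.js"]}]}
SAMPLE_BENIGN = {"name": "Approved Notes", "manifest_version": 3,
                 "permissions": ["storage"], "host_permissions": ["https://notes.example.com/*"]}

if __name__ == "__main__":
    for f in (assess("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", SAMPLE_SUSPECT),
              assess("bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", SAMPLE_BENIGN)):
        print("FLAG" if f["flag"] else "ok  ", f["id"], f["name"], f["risky_apis"])
```

Feed the allowlist from the same IDs your ExtensionInstallAllowlist policy permits, so the on-disk audit and the enforced policy agree.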

5. Accept That User Awareness Is Not Enough

These extensions are disguised as productivity tools. Users install them willingly.

This attack is engineered to bypass human judgment.

The Strategic Lesson

If attackers control the browser, they control the business.

Identity does not live solely in IAM systems. It lives in active sessions.

And sessions live in the browser.

Conclusion: Rethinking Browser Trust

This campaign marks a turning point in enterprise threat modeling.

Browser extensions are no longer a peripheral risk. They are now primary identity takeover tools targeting the systems that matter most.

Organizations must:

  • Rethink browser trust
  • Redefine session security
  • Treat SaaS access as a living attack surface

Prevention today is significantly cheaper than recovery tomorrow.

Silent compromise is the most dangerous kind.

About COE Security

COE Security supports organizations across finance, healthcare, government, consulting, technology, real estate, and SaaS.

We help reduce SaaS and identity risk through:

  • Email security
  • Threat detection
  • Cloud security
  • Secure development practices
  • Compliance advisory
  • Security assessments and risk reduction

Follow COE Security on LinkedIn to stay cyber-safe and resilient.