Malicious Chrome Extensions Pose as Workday, NetSuite to Hijack Accounts

Cyber Pulse Academy — Fri, 16 Jan 2026 15:14:58 +0000

Chrome Extension Supply Chain Attack

How Fake HR Tools Hijack Your Accounts Explained Simply

Executive Summary: The Anatomy of a Browser-Based Breach
The Attack Breakdown: A Step-by-Step Technical Analysis
Mapping to MITRE ATT&CK: The Adversary's Playbook
Red Team vs. Blue Team: Perspectives on the Attack
Proactive Defense Framework: Securing Your Browser Ecosystem
Frequently Asked Questions (FAQ)
Key Takeaways & Conclusion

Executive Summary: The Anatomy of a Browser-Based Breach

In January 2026, cybersecurity researchers uncovered a coordinated supply chain attack leveraging five malicious Google Chrome extensions. These extensions posed as legitimate productivity tools for major enterprise platforms like Workday, NetSuite, and SuccessFactors, collectively amassing over 2,300 installs from the official Chrome Web Store before their removal.

This attack represents a significant evolution in browser-based threats, moving beyond simple adware to a multi-faceted campaign designed for persistent credential theft, defensive evasion, and complete account takeover. The operators employed a chillingly effective strategy: compromise the user at the browser level, the gateway to their most sensitive SaaS applications.

Unlike traditional malware, these extensions operated with the permissions granted by the user, making them difficult for standard antivirus software to flag. Their primary goal was to steal authentication cookies and session tokens, enabling hackers to bypass multi-factor authentication (MFA) and seamlessly hijack user sessions on critical business platforms. This breach vector is particularly dangerous because it targets the weak link in cloud security: the endpoint's browser.

The Attack Breakdown: A Step-by-Step Technical Analysis

Let's dissect exactly how this Chrome extension supply chain attack unfolded. The threat actors executed a multi-phase operation with surgical precision, exploiting the inherent trust users place in the browser extension ecosystem.

Phase 1: Infiltration & Impersonation

The attack began with social engineering. The malicious extensions, published under publisher names like "databycloud1104," were advertised as helpful tools for accessing premium features on Workday, NetSuite, and SuccessFactors, platforms used daily by millions for HR, finance, and ERP tasks.

Names & Identifiers: Extensions used benign names like "DataByCloud Access," "Tool Access 11," and "Software Access."
Permission Request: Upon installation, they requested broad permissions including cookies, management, scripting, and access to data on specific enterprise domains. This is a critical red flag often overlooked by users.
Initial Footprint: Although install counts were moderate, the targeting was specific, users searching for productivity enhancements for critical business software.

Phase 2: The Dual-Pronged Malicious Payload

Once installed, the extensions activated two primary, intertwined malicious functions: credential theft and defensive sabotage.

Step 1: Continuous Cookie Exfiltration

The core malicious function was executed by the DataByCloud Access extension. It used the chrome.cookies API to collect authentication cookies for predefined enterprise domains. A background script ran every 60 seconds, sending stolen cookies to the command-and-control (C2) server at api.databycloud[.]com.

Technical Insight: Authentication cookies, especially session tokens, are gold for attackers. They often contain all the necessary information for a server to recognize a user as "logged in," potentially bypassing passwords and even some forms of MFA if the session is still active.

Step 2: Surgical Defense Evasion via DOM Manipulation

To prevent the victim from detecting or remediating the breach, extensions like Tool Access 11 implemented a cunning defense evasion technique. They maintained a blocklist of 44+ specific administrative page titles within Workday (e.g., "/security/authentication," "/proxy/configuration").

When a user navigated to one of these pages, the extension used JavaScript to manipulate the Document Object Model (DOM), either clearing the page content or redirecting to a malformed URL. This blocked access to security settings, password change interfaces, 2FA management, and audit logs, effectively crippling the victim's ability to respond.

Step 3: Active Session Hijacking

The most advanced capability was found in the Software Access extension. It didn't just steal cookies; it could also receive stolen cookies from its C2 server and inject them directly into the browser's cookie store using chrome.cookies.set().

This function allowed the threat actor to perform a live session hijacking. They could take a stolen session token from a victim, inject it into their own controlled browser, and instantly gain access to the victim's account without needing a username, password, or 2FA code.

Mapping to MITRE ATT&CK: The Adversary's Playbook

The Chrome extension supply chain attack is a textbook example of how threat actors combine multiple techniques into a powerful sequence. The MITRE ATT&CK framework helps us deconstruct their methodology.

The following table maps the observed malicious activities to specific MITRE ATT&CK Techniques and Tactics, providing a common language for defenders to understand and counter the threat.

MITRE ATT&CK Tactic	Technique ID & Name	How It Was Used in This Attack
Initial Access	T1475: Deliver Malicious App via Authorized Repository	The malicious extensions were uploaded to the official Chrome Web Store, exploiting user trust in the platform.
Persistence	T1176: Browser Extensions	The extensions established persistence by installing themselves as legitimate-looking Chrome add-ons with background service workers.
Credential Access	T1539: Steal Web Session Cookie	The primary attack vector. Used the `chrome.cookies` API to exfiltrate authentication cookies every 60 seconds.
Defense Evasion	T1562.001: Disable or Modify Tools (Block Security Pages)	Actively monitored and manipulated the DOM to block access to security administration pages within Workday/NetSuite.
Defense Evasion	T1622: Debugger Evasion (Disable DevTools)	Some extensions used the DisableDevtool library to obstruct analysis via browser developer tools.
Collection	T1119: Automated Collection	Scripted, automated collection of cookies from specified domains on a scheduled basis.
Command and Control	T1071.001: Application Layer Protocol (Web Protocols)	Communicated with C2 servers (`api.databycloud[.]com`) over HTTPS, blending in with normal web traffic.

Understanding this mapping is crucial for Security Operations Centers (SOCs). It allows them to craft detection rules (e.g., for unusual cookie access patterns by extensions or DOM manipulation on security pages) and align their incident response playbooks to a known adversary framework.

Red Team vs. Blue Team: Perspectives on the Attack

This Chrome extension supply chain attack offers valuable lessons from both offensive (Red Team) and defensive (Blue Team) viewpoints. Let's break down the strategies and counter-strategies.

The Red Team (Threat Actor) Perspective

Objective: Gain persistent, undetected access to corporate SaaS accounts to steal data, conduct espionage, or enable financial fraud.

Why This Vector is Effective:

High Trust, Low Scrutiny: Extensions from the official Web Store are often trusted by both users and security software.
Bypasses Network Defenses: The attack operates entirely within the browser and its sanctioned APIs, evading network intrusion detection systems (NIDS).
Persistence: Extensions auto-update and run in the background, providing a stable foothold.
Direct Credential Access: Stealing session cookies is more reliable than phishing for passwords, as it often bypasses MFA.

Exploited Weaknesses: User propensity to install "helpful" tools without reviewing permissions; lack of enterprise-level browser extension management; the difficulty of monitoring extension behavior at scale.

The Blue Team (Defender) Perspective

Objective: Detect, prevent, and respond to browser extension-based threats to protect organizational data and user accounts.

Key Challenges & Solutions:

Visibility Gap: Standard EDR tools may not deeply monitor browser extension behavior. Solution: Implement dedicated browser security solutions or use Chrome's enterprise policies for granular logging.
Detection Difficulty: Malicious API calls look similar to legitimate ones. Solution: Baseline normal extension behavior and alert on anomalies (e.g., an extension accessing cookies for domains not in its manifest).
Response Hurdles: The attack actively blocks remediation. Solution: Have out-of-band response plans, such as using mobile device management (MDM) to force-remove extensions or reset passwords via a separate admin account.

Core Strategy: Shift from mere detection to resilience. Assume some extensions will be malicious and limit the damage they can do via strict permission controls and session timeouts.

Proactive Defense Framework: Securing Your Browser Ecosystem

Defending against sophisticated Chrome extension supply chain attacks requires a layered approach, combining technology, policy, and user education. Here is a actionable framework for individuals and enterprises.

For Individual Users & Security-Conscious Professionals

Audit Your Extensions Regularly: Go to chrome://extensions/. Remove any you don't recognize or use. Check permission lists, does a "color picker" need to "read and change all your data on all websites"?
Implement the Principle of Least Privilege: When installing an extension, critically review the permissions it requests. Look for alternatives that require fewer permissions.
Use Dedicated Browsers or Profiles: Use one secure browser (with minimal extensions) for sensitive tasks like banking and work email, and a different one for general browsing.
Enable Enhanced Safe Browsing: In Chrome settings, turn on Enhanced Safe Browsing for proactive threat detection.

For Enterprise IT & Security Teams

Enterprise defense requires centralized control and visibility. Google Chrome provides powerful enterprise policies through the Chrome Browser Cloud Management console or Group Policy.

Enforce an Extension Allowlist: The most effective control. Block all extensions by default and only allow vetted, business-necessary ones from the Chrome Web Store. Use the ExtensionInstallAllowlist policy.
Block Permissions at Scale: Use the ExtensionInstallBlock policy to block high-risk permissions (e.g., declarativeNetRequest, broad host permissions like ) or specific extension IDs from the malicious list.
Monitor Extension Activity: Leverage Chrome Enterprise logs sent to your SIEM (like Google Chronicle, Splunk) to track extension installation events and permission changes.
Implement Short Session Timeouts: On critical SaaS applications (Workday, NetSuite), work with vendors to enforce shorter session lifetimes. This reduces the window of usability for a stolen session cookie.
User Education Campaigns: Regularly train employees on the risks of unvetted browser extensions and establish a clear process for requesting business-necessary tools.

Frequently Asked Questions (FAQ)

Q1: I think I might have installed one of these extensions. What should I do right now?

Immediate Action Plan: 1) Go to chrome://extensions/ and remove any suspicious extensions. 2) For any potentially compromised accounts (Workday, NetSuite, etc.), immediately log out of all sessions (if the interface is accessible) and change your password. 3) Enable or re-configure Multi-Factor Authentication (MFA) on those accounts. 4) Monitor account activity logs for any access from unfamiliar locations or devices.

Q2: How can a malicious extension bypass Multi-Factor Authentication (MFA)?

This is a critical point. Many MFA methods, like Time-based One-Time Passwords (TOTP), only protect the initial login. Once a user is authenticated, the server creates a session cookie. If a malware extension steals that cookie, the attacker presents it to the server, which sees it as a valid, already-logged-in session. This is why phishing-resistant MFA (like WebAuthn/FIDO2 security keys) and shorter session timeouts are important for high-value accounts.

Q3: Are other browsers (Firefox, Edge, Safari) vulnerable to similar attacks?

Yes, the threat model is similar across all major browsers that support extensions. Each has its own extension store and permission model. The core risk, users installing malicious code that runs with high privileges in their browser, is universal. The defense principles (allowlisting, least privilege, monitoring) apply equally. Microsoft Edge, for example, also supports comprehensive enterprise management via its policies.

Q4: Where can I learn more about browser security and extension analysis?

Here are excellent, up-to-date external resources:

Chrome Extensions API Reference: Understand the capabilities granted to extensions.
MITRE ATT&CK T1176: Browser Extensions: The authoritative framework entry for this technique.
CISA's Secure Our World: General cybersecurity hygiene guidance applicable to all users.
Chrome Enterprise Policy List: The complete list of policies for managing Chrome in organizations.

Key Takeaways & Conclusion

1. The Browser is the New Battleground: As core business functions move to SaaS, the browser holding the session keys becomes the primary target. Supply chain attacks via extensions are a potent, stealthy method to compromise it.

2. Cookie Theft = Account Takeover: Stolen session cookies often provide attackers with more power than stolen passwords, as they can negate MFA. Protecting these tokens is paramount.

3. Defense Requires a New Mindset: You cannot rely on the extension store's curation alone. Enterprises must adopt a "zero-trust" approach to extensions: verify explicitly, allowlist strictly, and monitor constantly.

4. Response Must Be Multi-Channel: When an attacker can block security pages, your incident response plan must include out-of-band actions, such as using MDM tools or alternate admin consoles to revoke access.

The discovery of these five malicious extensions is a stark reminder that our digital toolkits can be turned against us. By understanding the technical attack vectors, mapping them to established frameworks like MITRE ATT&CK, and implementing a layered defense strategy, both individuals and organizations can significantly harden their browsers against these evolving threats. Stay vigilant, audit your extensions, and prioritize security over convenience.

Ready to Secure Your Browser Environment?

Start your defense today. Audit your personal browser extensions right now, and if you're responsible for an organization, review your Chrome management policies.

Share this knowledge with your colleagues to help build a more secure community.

Always consult with security professionals for organization-specific guidance.

Browser Security – Cyber Pulse Academy