Most of us rely on browser extensions every day, often without thinking about it. They make online work faster and easier by saving passwords, blocking ads, translating text, managing notes, or connecting our favorite web apps together. For many organizations, extensions have also become a practical replacement for traditional desktop software. As endpoint malware grew more sophisticated, companies began moving away from installing local applications like Microsoft Office and other client software, choosing instead to run everything safely in the browser. In this new “browser-first” world, extensions help restore familiar features and productivity shortcuts that used to live on the desktop. The downside is that this convenience also gives extensions deep access to data and accounts, making them an increasingly appealing target for attackers.
Over the past several years, attackers have increasingly exploited the extension ecosystem to steal data, hijack accounts, and evade detection, all while appearing legitimate in trusted marketplaces. To help defenders better understand and mitigate these threats, we’re introducing the Tactics & Techniques Matrix for Malicious Browser Extensions: a structured framework for describing, detecting, and defending against extension-based attacks.
Why Browser Extensions Deserve Their Own Matrix
Traditional frameworks like MITRE ATT&CK provide excellent coverage for endpoint and network threats, but browser extensions live in a unique space between application and user.
They:
- Operate inside the browser’s trusted process.
- Access user data, authentication tokens, and active sessions.
- Communicate externally through background scripts or web requests.
- Update silently, sometimes without user interaction.
These behaviors don’t fit neatly into traditional enterprise telemetry. SOCs, DFIR teams, and browser security engineers often describe the same activity in inconsistent ways, making it harder to track emerging threats or automate detections.
The matrix fills that gap by introducing a common vocabulary for browser-extension-specific tactics and techniques.
What the Matrix Provides
The Tactics & Techniques Matrix for Malicious Browser Extensions organizes how attackers misuse browser extensions into clear, structured categories. Each entry focuses on a specific technique (for example, header modification, script execution, or content spoofing) and explains the risk of exploitation associated with it.
By mapping out these tactics and techniques in a single framework, the matrix gives security teams, reviewers, and researchers a common language to describe and prioritize risks. It highlights the areas where extensions can be most easily exploited, helping organizations focus their prevention and policy efforts where they matter most.
How the Matrix Helps Defenders
The matrix is designed to be a practical reference for anyone responsible for browser security, whether that’s a threat analyst, a SOC engineer, or an app store reviewer. It doesn’t replace existing detection tools or policies; instead, it helps teams frame and prioritize their work using a shared understanding of how malicious extensions operate.
For defenders, the matrix offers several clear benefits:
- Consistent language for incidents
  When a suspicious extension appears, analysts can describe its behavior using standardized terms, such as Persistence through background scripts or Data Exfiltration via network requests, making it easier to document findings and communicate across teams.
- Risk-based prioritization
  By outlining the potential impact of each technique, the matrix helps organizations identify which risks are most relevant to their environment. For example, an enterprise that relies heavily on browser-based document editing can focus more on techniques related to credential or data theft.
- Guidance for policy and review processes
  Product and app store teams can use the matrix to shape extension review criteria, permission policies, and security checklists. It provides a structured way to reason about why certain permissions, code patterns, or behaviors deserve closer scrutiny.
- Foundation for future defense work
  Even though this initial version doesn’t include detailed detection signals, it creates the foundation for building them. Over time, organizations can align their telemetry and alerting strategies with the tactics and techniques defined here.
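One way a review team can put the matrix's vocabulary to work is to triage an extension's manifest and tag each notable declaration with the matrix technique it most directly enables. The script below is an added example, not tooling from the matrix's authors: the technique names come from the matrix, but the pairing of Manifest V3 permission names with those techniques is the editor's own review heuristic, and the sample manifest is constructed for illustration.

```python
"""Tag a Manifest V3 extension manifest with matrix technique names.

Added example (not part of the matrix or any vendor tooling). The
permission-to-technique pairing below is an editor's assumption chosen
for illustration; the matrix itself publishes no such mapping.
"""
import json

# Assumed mapping: declared permission -> matrix technique it most directly enables.
PERMISSION_TO_TECHNIQUE = {
    "nativeMessaging": "Native Host Communication",
    "offscreen": "Hide Artifacts: Hidden offscreen Document",
    "cookies": "Steal Web Session Cookie",
    "webRequest": "Header Modification",
    "declarativeNetRequest": "Header Modification",
    "clipboardWrite": "Clipboard Content Injection",
    "history": "History Tampering",
    "downloads": "Auto-Download",
    "bookmarks": "Bookmarks Manipulation",
    "readingList": "Reading List Tampering",
    "tabCapture": "Screen Capture",
    "desktopCapture": "Screen Capture",
    "management": "Extension Discovery",
    "geolocation": "System Location Discovery",
    "identity": "Collect Identity Tokens",
    "browsingData": "Indicator Removal: Browser Data",
}

# Match patterns that grant access to every origin.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def triage_manifest(manifest):
    """Return a list of {technique, evidence} findings for one manifest dict."""
    findings = []

    # Static permissions map one-to-one through the table above.
    for perm in sorted(set(manifest.get("permissions", []))):
        technique = PERMISSION_TO_TECHNIQUE.get(perm)
        if technique:
            findings.append({"technique": technique, "evidence": f"permissions: {perm}"})

    # Broad host access lets the extension reach every site the user visits.
    broad = set(manifest.get("host_permissions", [])) & BROAD_HOSTS
    if broad:
        findings.append({"technique": "Expand Host Permissions",
                         "evidence": f"host_permissions: {sorted(broad)}"})

    # Optional permissions can be requested later, after review has passed.
    if manifest.get("optional_permissions") or manifest.get("optional_host_permissions"):
        findings.append({"technique": "Request Additional Permissions",
                         "evidence": "optional_permissions/optional_host_permissions declared"})

    # Content scripts matching every origin run inside every page.
    for script in manifest.get("content_scripts", []):
        if set(script.get("matches", [])) & BROAD_HOSTS:
            findings.append({"technique": "Content Script Injection",
                             "evidence": f"content_scripts matches {script.get('matches')}"})
            break

    # Global commands fire even when the browser is not focused.
    for name, command in manifest.get("commands", {}).items():
        if command.get("global"):
            findings.append({"technique": "Global Shortcut Hijacking",
                             "evidence": f"commands.{name} is global"})

    # A declared search provider replaces the user's default search engine.
    if "search_provider" in manifest.get("chrome_settings_overrides", {}):
        findings.append({"technique": "Search Engine Override",
                         "evidence": "chrome_settings_overrides.search_provider"})

    return findings


def techniques(manifest):
    """Sorted, de-duplicated technique names for a manifest dict."""
    return sorted({f["technique"] for f in triage_manifest(manifest)})


def techniques_from_json(text):
    """Same as techniques(), but for a manifest.json string."""
    return techniques(json.loads(text))


# Constructed sample manifest; the name and files are invented for this example.
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "Example Notes Helper",
    "version": "1.0",
    "permissions": ["storage", "cookies", "nativeMessaging", "offscreen"],
    "host_permissions": ["<all_urls>"],
    "optional_permissions": ["history"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"],
                         "run_at": "document_start"}],
    "commands": {"grab": {"suggested_key": {"default": "Ctrl+Shift+Y"}, "global": True}},
    "chrome_settings_overrides": {"search_provider": {
        "name": "Example Search", "keyword": "ex", "encoding": "UTF-8",
        "search_url": "https://search.example.invalid/?q={searchTerms}",
        "is_default": True}},
}

if __name__ == "__main__":
    for finding in triage_manifest(SAMPLE_MANIFEST):
        print(f"{finding['technique']:45} <- {finding['evidence']}")
```

The output is a list of matrix terms with the manifest line that justified each, which is exactly the form a reviewer's checklist or an incident write-up needs; the mapping table is the part a team should replace with its own agreed pairings once it has decided which permissions matter in its environment.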
In essence, the matrix helps defenders see the bigger picture, turning isolated security events into part of a coherent threat model for browser extensions.
Responsible Transparency, Not Offensive Guidance
The matrix is intentionally defensive in nature. It does not include exploit code or actionable attack steps. Every technique is described only to the extent necessary for defenders to recognize and mitigate it safely.
Our goal is to raise the baseline for detection and resilience, not to provide adversaries with new tools. The focus is always on observable signals, detection methods, and mitigations that can be operationalized responsibly.
The MATRIX
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Identity Information | Obtain Capabilities | Side-Loading | Embedding Scripts | Persistence through Local Storage | Expand Host Permissions | Hide Data From User | Header Sniffing | DOM Sniffing | Native Host Communication | Local Data Collection | Remote Control Over Network Filtering Policy | Data Exfiltration | Network Denial of Service: Tab Bombing |
| Synced Browser Devices Enumeration | Auto-Download | Supply Chain Compromise | Exploitation for Execution | Persistent Page Script Injection | Verify Access | Content Spoofing | Stored Credential Harvesting | System Location Discovery | Information enrichment | Communication through Cloud Storage | Auto-Submit form | Header Modification | |
| Patterns Data Gathering | Acquire Infrastructure | Trusted Relationship | Script Execution | Request Additional Permissions | Code Obfuscation/Deobfuscation | Form Credential Harvesting | System Information Discovery | Document Scan Data Collection | Ingress Tool Transfer | Exfiltration Over Web Service | Data Manipulation: Content Manipulation | ||
| Drive-by Compromise | Malicious Url | Delay Execution | Steal Web Session Cookie | Extension Discovery | Login Collection | Establish Network Connection | Content Download | ||||||
| Create Tab | Evade server-side checks | Adversary-in-the-Middle | Browser Information Discovery | Collect Device Attributes | Web Service-Based C2 | Bookmarks Manipulation | |||||||
| Method hijacking | CORS bypass | Network Tampering | Location Policy Hijacking | Collect Identity Tokens | Web Protocols | Search Engine Override | |||||||
| Auto-Click | Obfuscated Files or Information | Cookie Policy Hijacking | Browser Target Enumeration | Collect User’s Information | Raw Network Packet Transmission | Clipboard Content Injection | |||||||
| JavaScript Web Policy Tampering | Obfuscated Files or Information: Stripped Payloads | Multi-Factor Authentication Interception | Cryptographic Token Enumeration | Global Shortcut Hijacking | |||||||||
| Auto-Load | Hide Artifacts: Hidden offscreen Document | Exfiltration Over Web Service | Enterprise Certificates Discovery | Video Capture | |||||||||
| Content Script Injection | Disable or Modify Tools | Modify Authentication Process | File and Directory Discovery | Audio Capture | |||||||||
| Command Execution | Masquerading | Hardware Discovery | Screen Capture | ||||||||||
| Serial Command Transmission | Indicator Removal: Browser History | Process Discovery | Input Capture | ||||||||||
| Indicator Removal: Browser Data | System Network Configuration Discovery | Web Communication Data | |||||||||||
| Indicator Removal: Download Records | Peripheral Device Discovery | ||||||||||||
| Subvert Trust Controls | |||||||||||||
| Hidden File System | |||||||||||||
| History Tampering | |||||||||||||
| Reading List Tampering | |||||||||||||
| Indicator Tampering | |||||||||||||
| Frame-Busting Bypass |
Looking Ahead
Malicious extensions are not a hypothetical threat; they are a proven, evolving attack vector. As browsers continue to expand functionality and permissions, defenders need structured, shareable knowledge to stay ahead.
The Tactics & Techniques Matrix for Malicious Browser Extensions is a step toward that goal. It gives researchers, SOCs, and browser vendors a common foundation to build on, whether for incident response, telemetry development, or store policy evolution.
We’ll continue to refine the matrix as new behaviors and mitigations emerge, and we invite the broader security community to contribute feedback and insights. Together, we can make browser extension ecosystems safer for everyone.
