
Browser extension triage

Your EDR flagged a browser extension. Now what?

CrowdStrike, Defender and SentinelOne tell you an extension asked for risky permissions. They won't tell you if it's actually malicious. Here's how to make the block-or-keep call in ten minutes, with evidence.

My EDR flagged a browser extension as high-risk. Is it actually dangerous?

A high-permission or high-severity flag from CrowdStrike, Microsoft Defender or SentinelOne is a prioritisation signal, not a verdict. These tools rate an extension by the permissions it declares - and, for CrowdStrike, install context like sideloading - but they don't read the extension's code or run it, so they can't tell you whether it actually abuses that access. CrowdStrike labels a high-severity extension as 'requiring further evaluation'; Microsoft says 'risk is subjective'.

So the flag means 'this one is worth looking at', not 'this one is malicious'. To decide block-or-keep you need three things the EDR doesn't give you: what the code actually does, what it could already have touched (the blast radius), and a defensible record of the decision.

The workflow below gets you there in about ten minutes. Paste the extension ID into Am I Being Pwned for a behavioural verdict - it reads the deobfuscated source and runs it in a sandbox - then use the blast-radius table to size exposure, and enforce.


The 10-minute triage workflow

  1. Grab the extension ID from the alert

     Copy the 32-character extension ID (characters a-p). In CrowdStrike it's on the Browser Extension Assessment detail; in Microsoft Defender it's on the Browser extensions inventory row; in SentinelOne you'll have pulled it from a Deep Visibility / Data Lake query.

  2. Read what the flag actually means

     Your EDR rated the extension by its declared permissions. 'Can intercept web traffic' or 'read and change all your data on all sites' scores Critical or High because the permission is powerful - not because the extension was observed misusing it. Treat it as a lead, not a conviction.

  3. Get a behavioural verdict

     Paste the ID into the box below. Am I Being Pwned returns what the extension actually does: which endpoints it contacts, what data it reads, whether it injects scripts or exfiltrates anything - each finding backed by captured evidence and a CWE reference. That's the malicious-or-benign call your EDR won't make.

  4. Size the blast radius

     If the verdict is bad, work out what it could already have touched using the permission-to-exposure table below. 'cookies' plus broad host access means session tokens for every site; 'webRequest' means it can read and modify traffic; 'scripting' means arbitrary code on pages. This scopes incident response beyond 'reset everything'.

  5. Decide and enforce

     Keep extensions whose behaviour matches their stated purpose; block the rest. Push the block through the EDR or your MDM - Chrome policy, Intune, Jamf, or Kandji. Record the verdict, the evidence, and the action for the audit trail.

  6. Watch for the next version

     An extension that's clean today can turn malicious in an update, and a permission-based flag won't change because permissions rarely change. Continuous behavioural re-scanning catches the good-extension-gone-bad transition.

Blast radius: what each permission really exposes

If the verdict is bad, use this to size what the extension could already have reached.

| Permission | What it grants | If abused |
| --- | --- | --- |
| <all_urls> / broad host access | Read and change data on every site you visit | Anything you view or type on any site, silently |
| cookies | Read browser cookies | Session tokens; account takeover with no password needed |
| webRequest / webRequestBlocking | Observe and modify network requests | Read or alter traffic, capture form posts, inject content |
| scripting / content scripts | Inject JavaScript into pages | Arbitrary code on visited pages; credential capture, DOM scraping |
| tabs | See open tabs and their URLs | Full browsing history, in real time |
| debugger | Attach to the browser debugger | Near-total control of the page and everything on it |
| nativeMessaging | Communicate with native desktop apps | A bridge from the browser out to the operating system |
| management | Manage other installed extensions | Disable your security extensions or install more |
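As an added example (not part of this page or of the Am I Being Pwned tooling), a small Python triage helper that applies steps 1, 4 and 5 of the workflow: it checks the 32-character a-p ID format, maps a manifest's declared permissions and host patterns to the blast-radius table above (including the cookies-plus-broad-host case and content scripts as injection), and builds the Chrome ExtensionInstallBlocklist policy value for the IDs you decide to block. The manifest is a constructed sample, not a real extension.

```python
import re

EXT_ID_RE = re.compile(r"^[a-p]{32}$")  # 32 characters drawn from a-p (step 1)

# Permission -> exposure if abused, taken from the blast-radius table on this page.
EXPOSURE = {
    "cookies": "browser cookies / session tokens for sites in scope",
    "webRequest": "read or alter traffic, capture form posts, inject content",
    "webRequestBlocking": "read or alter traffic, capture form posts, inject content",
    "scripting": "arbitrary code on visited pages; credential capture, DOM scraping",
    "tabs": "full browsing history, in real time",
    "debugger": "near-total control of the page and everything on it",
    "nativeMessaging": "a bridge from the browser out to the operating system",
    "management": "disable security extensions or install more",
}

def is_broad_host(pattern):
    """True for match patterns that reach every site: <all_urls>, *://*/*, http(s)://*/*."""
    return pattern == "<all_urls>" or re.fullmatch(r"(\*|https?)://\*/\*", pattern) is not None

def blast_radius(manifest):
    """Map declared permissions to what the extension could already have touched (step 4)."""
    perms = set(manifest.get("permissions", []))
    # MV2 lists host patterns under "permissions"; MV3 uses "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    for cs in manifest.get("content_scripts", []):  # content scripts inject JS like "scripting"
        hosts.update(cs.get("matches", []))
        perms.add("scripting")
    broad = any(is_broad_host(h) for h in hosts)
    findings = {p: EXPOSURE[p] for p in sorted(perms) if p in EXPOSURE}
    if broad:
        findings["<all_urls>"] = "anything viewed or typed on any site, silently"
    if broad and "cookies" in perms:  # the table's compound case
        findings["cookies"] = "session tokens for every site; account takeover with no password needed"
    return {"broad_host_access": broad, "findings": findings}

def chrome_blocklist_policy(ext_ids):
    """Build the Chrome ExtensionInstallBlocklist policy value for validated IDs (step 5)."""
    bad = [i for i in ext_ids if not EXT_ID_RE.match(i)]
    if bad:
        raise ValueError(f"not a valid 32-character a-p extension ID: {bad}")
    return {"ExtensionInstallBlocklist": sorted(set(ext_ids))}

# Constructed sample manifest (not a real extension), shaped like a flagged one.
SAMPLE_MANIFEST = {
    "manifest_version": 3, "permissions": ["cookies", "tabs", "webRequest"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["https://*/*"], "js": ["inject.js"]}],
}
```

Feed the policy dict to your MDM as the Chrome managed-policy payload; the raised ValueError stops a mistyped ID from silently producing an empty block.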


Frequently asked questions

Does a CrowdStrike or Defender high-risk flag mean an extension is malicious?

No. Both rate extensions by the permissions they declare, not by what their code does. A high-risk flag means the extension requested powerful access, which is worth reviewing - it does not mean the extension was observed abusing that access. CrowdStrike explicitly calls a high-severity extension one 'requiring further evaluation'. Confirming malicious behaviour needs code and runtime analysis.

How do I know if a flagged extension is actually dangerous or a false positive?

Get a behavioural verdict rather than a permission score. Paste the extension ID into Am I Being Pwned: it deobfuscates the source, runs the extension in a sandbox, and reports what it actually does - endpoints contacted, data read, scripts injected - with captured evidence. A legitimate password manager and a credential stealer can request identical permissions; only behaviour tells them apart.

What can a malicious browser extension actually access?

It depends on the permissions it holds. Broad host access plus cookies exposes session tokens for every site (account takeover with no password). webRequest lets it read and modify traffic. scripting lets it run arbitrary code on pages to capture credentials or scrape the DOM. tabs exposes your full browsing history. The permission-to-exposure table on this page maps each one to its real-world blast radius.

Should I block an extension my EDR flagged?

Block it if a behavioural verdict shows it exfiltrating data, injecting code, or doing anything beyond its stated purpose. Keep it if its behaviour matches what it claims to do, even if it holds broad permissions (a CSS editor legitimately needs access to every site). Don't decide on the permission flag alone - that's what leaves teams either over-blocking useful tools or keeping genuinely hostile ones.

My EDR flagged an extension that isn't on the Chrome Web Store. What does that mean?

It was sideloaded or force-installed outside the store, or the store listing was pulled after it was flagged. These are the highest-priority cases: they skip store review entirely, and store-metadata scanners can't analyse them because there's no listing to read. You need to analyse the actual extension bundle, which is what behavioural analysis does regardless of listing status.

Triage every flagged extension across your fleet.

Behavioural verdicts with evidence, not permission scores.