Five Malicious Chrome Extensions Impersonate Workday and NetSuite to Hijack Accounts
Five malicious Google Chrome extensions impersonating popular HR and ERP platforms like Workday and NetSuite have been discovered. These extensions steal authentication tokens by exfiltrating cookies, block access to security and administrative pages via DOM manipulation, and enable full account takeover through session hijacking. They operate by continuously sending stolen cookies to attacker-controlled servers and injecting stolen cookies into browsers to hijack sessions. The extensions also detect and evade security-related Chrome extensions to avoid detection. Although most have been removed from the Chrome Web Store, they remain available on third-party sites, posing ongoing risks. The threat is particularly dangerous because it prevents normal incident response actions, allowing attackers to maintain persistent access. European organizations using Workday, NetSuite, or SuccessFactors are at risk, especially those with employees who install browser extensions. Immediate removal of these extensions, password resets, and monitoring for unauthorized access are critical defensive steps.
AI Analysis
Technical Summary
Cybersecurity researchers identified five malicious Chrome extensions masquerading as legitimate productivity tools for HR and ERP platforms such as Workday, NetSuite, and SuccessFactors. These extensions—primarily published under the 'databycloud1104' publisher and one under 'Software Access'—exploit browser permissions to steal authentication cookies by exfiltrating them every 60 seconds to attacker-controlled domains (e.g., api.databycloud[.]com). They manipulate the DOM to block access to critical administrative and security pages within these platforms, including password changes, 2FA device management, session controls, and audit logs, effectively disabling incident response capabilities. The extensions also prevent code inspection by disabling developer tools and detect the presence of security-related Chrome extensions to evade detection. The most advanced extension, Software Access, not only steals cookies but also injects stolen cookies into the attacker's browser to hijack sessions directly. This combination of continuous credential theft, administrative interface blocking, and session hijacking creates a scenario where defenders can detect unauthorized access but cannot remediate it through standard means. Despite removal from the official Chrome Web Store, these extensions remain accessible via third-party download sites, prolonging the threat. The campaign appears coordinated, sharing infrastructure and functionality, and has been active since at least August 2021. The threat targets enterprise users who rely on these platforms, leveraging browser extension trust to gain persistent, stealthy access to sensitive corporate accounts.
Potential Impact
For European organizations, the impact is significant due to the widespread use of Workday, NetSuite, and SuccessFactors across various industries including finance, manufacturing, and public sector entities. The theft of authentication cookies enables attackers to bypass multi-factor authentication and gain full access to employee and administrative accounts, potentially exposing sensitive personal data, payroll information, financial records, and strategic business data. The blocking of security and administrative interfaces hampers incident response efforts, allowing attackers to maintain persistence and escalate privileges undetected. This can lead to data breaches, financial fraud, regulatory non-compliance (e.g., GDPR violations), and reputational damage. The threat is exacerbated by the availability of these extensions on third-party sites, increasing the risk of infection through social engineering or supply chain vectors. Organizations with remote or hybrid workforces relying heavily on browser-based access to these platforms are particularly vulnerable. The inability to remediate through normal channels may prolong attacker dwell time and complicate forensic investigations.
Mitigation Recommendations
European organizations should implement a multi-layered defense strategy:
1) Enforce strict browser extension policies via enterprise management tools to whitelist only approved extensions and block installation from third-party sites.
2) Conduct user awareness campaigns to educate employees about the risks of installing unverified browser extensions, especially those claiming to enhance access to corporate platforms.
3) Monitor network traffic for unusual outbound connections to suspicious domains such as api.databycloud[.]com and api.software-access[.]com.
4) Deploy endpoint detection and response (EDR) solutions capable of detecting anomalous browser behaviors, including cookie exfiltration and DOM manipulation.
5) Regularly audit and monitor administrative accounts and session activity logs for signs of unauthorized access or session hijacking.
6) Implement strong authentication controls, including hardware-based MFA, and consider session management policies that limit cookie lifetimes and enforce re-authentication.
7) Remove any detected malicious extensions immediately and mandate password resets for affected users.
8) Collaborate with browser vendors and threat intelligence sharing platforms to stay updated on emerging malicious extensions and indicators of compromise.
9) Restrict access to administrative interfaces through network segmentation and zero-trust principles to reduce the impact of compromised user sessions.
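Recommendations 3 and 4 can be turned into a concrete check on web-proxy logs. The following is an added example written for this page, not code from the article or the platform: it parses constructed proxy log lines (a made-up format of timestamp, source IP, method and host), flags any source talking to the two indicator domains named in the analysis, and separately scores each source/host pair for the roughly 60-second POST cadence the analysis reports, so the behavioural rule still fires when the attacker rotates domains. The thresholds and the sample hosts such as updates.example-cdn.net are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Indicator domains named in the analysis, kept defanged as published and refanged for matching.
IOC_DOMAINS = {d.replace("[.]", ".") for d in ["api.databycloud[.]com", "api.software-access[.]com"]}
BEACON_PERIOD_S, BEACON_TOLERANCE_S, MIN_POSTS = 60, 5, 4  # reported 60 s cadence, jitter, min sample
# Constructed proxy log lines (not real traffic): "<timestamp> <src_ip> <method> <host>".
SAMPLE_LOG = """\
2026-01-17T08:00:00Z 10.1.2.3 POST api.databycloud.com
2026-01-17T08:01:01Z 10.1.2.3 POST api.databycloud.com
2026-01-17T08:02:00Z 10.1.2.3 POST api.databycloud.com
2026-01-17T08:03:02Z 10.1.2.3 POST api.databycloud.com
2026-01-17T08:00:10Z 10.1.2.9 POST updates.example-cdn.net
2026-01-17T08:01:10Z 10.1.2.9 POST updates.example-cdn.net
2026-01-17T08:02:09Z 10.1.2.9 POST updates.example-cdn.net
2026-01-17T08:03:11Z 10.1.2.9 POST updates.example-cdn.net
2026-01-17T08:00:30Z 10.1.2.7 POST www.workday.com
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse_log(text):
    """Return (timestamp, src_ip, method, host) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, method, host = m.groups()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, method, host.lower()))
    return events

def find_ioc_hits(events):
    """Direct matches: any source talking to a published indicator domain."""
    return sorted({(src, host) for _, src, _, host in events if host in IOC_DOMAINS})

def find_beacons(events, period=BEACON_PERIOD_S, tol=BEACON_TOLERANCE_S, min_posts=MIN_POSTS):
    """Behavioural matches: (src, host, mean gap) for pairs POSTing at a near-constant ~period s."""
    by_pair = defaultdict(list)
    for ts, src, method, host in events:
        if method == "POST":
            by_pair[(src, host)].append(ts)
    beacons = []
    for (src, host), stamps in by_pair.items():
        if len(stamps) < min_posts:
            continue  # too few requests to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if sum(1 for g in gaps if abs(g - period) <= tol) / len(gaps) >= 0.8:
            beacons.append((src, host, round(sum(gaps) / len(gaps), 1)))
    return sorted(beacons)
```

A hit from find_ioc_hits is a confirmed indicator match; a hit from find_beacons alone is a lead to triage against the extension inventory of that host.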
Affected Countries
United Kingdom, Germany, France, Netherlands, Sweden, Belgium, Ireland, Spain, Italy, Poland
Technical Details
- Article Source: https://thehackernews.com/2026/01/five-malicious-chrome-extensions.html (fetched 2026-01-17T08:04:10.558Z, 1283 words)
Threat ID: 696b427ed302b072d9d1fe28
Added to database: 1/17/2026, 8:04:14 AM
Last enriched: 1/17/2026, 8:04:46 AM
Last updated: 1/17/2026, 10:23:16 AM