🟠 High | Source: The Hacker News
Microsoft removed 119 malicious extensions from its Edge Add-ons store that used steganography to hide malware payloads inside image and font files, evading detection until days after installation. Dubbed StegoAd, the campaign combined credential theft with ad fraud and is attributed to a single threat actor active since at least 2021. The delayed activation technique was specifically designed to bypass automated security scanning at the point of submission.
Security Architect’s Take: Audit and restrict which browser extensions are permitted across your organisation using enterprise browser policies or an approved allowlist — Edge supports this via Microsoft Intune and Group Policy. Given the multi-year duration of this campaign, treat any unmanaged extension installed since 2021 as potentially suspect and review endpoint telemetry for anomalous credential access or ad-fraud traffic patterns.
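As an added example (not from the advisory, The Hacker News, or Microsoft), the following PowerShell enforces the allowlist recommended above through Edge's documented ExtensionInstallBlocklist/ExtensionInstallAllowlist policy registry keys, then audits extensions already present in local user profiles and flags unapproved ones installed since 2021. The approved extension ID is a placeholder, and the profile path layout plus the use of directory creation time as a proxy for install date are assumptions.

```powershell
# Added example: enforce an Edge extension allowlist and audit installed extensions.
# Run as administrator. Replace the placeholder ID with the extension IDs your
# organisation has approved.
$Approved   = @('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa')   # placeholder extension ID
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

function Set-EdgeExtensionAllowlist {
    param([string[]]$AllowedIds)
    # Block every extension by default ('*'), then allow only the approved IDs.
    $block = Join-Path $PolicyRoot 'ExtensionInstallBlocklist'
    $allow = Join-Path $PolicyRoot 'ExtensionInstallAllowlist'
    New-Item -Path $block -Force | Out-Null
    New-Item -Path $allow -Force | Out-Null
    New-ItemProperty -Path $block -Name '1' -Value '*' -PropertyType String -Force | Out-Null
    $i = 1
    foreach ($id in $AllowedIds) {
        New-ItemProperty -Path $allow -Name "$i" -Value $id -PropertyType String -Force | Out-Null
        $i++
    }
}

function Get-EdgeInstalledExtensions {
    param([datetime]$Since = (Get-Date '2021-01-01'))
    # Walk each local profile's Edge user data (assumed path) and read every
    # extension's manifest.json; creation time approximates the install date.
    $pattern = 'C:\Users\*\AppData\Local\Microsoft\Edge\User Data\*\Extensions\*'
    Get-ChildItem $pattern -Directory -ErrorAction SilentlyContinue | ForEach-Object {
        $extDir   = $_
        $manifest = Get-ChildItem $extDir.FullName -Recurse -Filter manifest.json `
                        -ErrorAction SilentlyContinue | Select-Object -First 1
        if (-not $manifest) { return }
        $m = Get-Content $manifest.FullName -Raw | ConvertFrom-Json
        $isApproved = $Approved -contains $extDir.Name
        [pscustomobject]@{
            User      = $extDir.FullName.Split('\')[2]
            Id        = $extDir.Name
            Name      = $m.name
            Version   = $m.version
            Installed = $extDir.CreationTime
            Approved  = $isApproved
            # Unmanaged extension present since the campaign's start: review it.
            Suspect   = ($extDir.CreationTime -ge $Since) -and -not $isApproved
        }
    }
}

Set-EdgeExtensionAllowlist -AllowedIds $Approved
Get-EdgeInstalledExtensions | Where-Object Suspect | Format-Table -AutoSize
```

Extensions blocked by policy are disabled on the next Edge policy refresh; the audit output lists what was already present so endpoint telemetry for those users can be reviewed.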
Original advisory: Microsoft Removes 119 Edge Extensions That Hid Malware in Images and Fonts