Threat / Other

Browser extension install lure — email walks you through installing a Chrome / Firefox / Edge extension with elevated permissions from a non-vendor sender (2025-2026 Guardio/Cyble campaigns)

browser-extension-install-lure

What this tier means

High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.

How Gorganizer detects this

The email lures the recipient into installing a browser extension (Chrome, Firefox, Edge, Safari, Brave) with elevated permissions (tabs, cookies, storage, scripting, webRequest, host-permissions:*). Once installed, the extension can read every tab's content, exfiltrate session cookies, inject scripts into banking pages, read clipboard contents, and persist across browser restarts.

Cyble, Guardio, and BleepingComputer documented multiple active campaigns through 2025. Common themes: "Copilot assistant", "privacy blocker", "VAT invoice helper", "ChatGPT sidekick".

The signal fires when the body contains both of the following:

- Install-flow language: install/add/enable/download an extension/add-on/plugin, OR "load as unpacked extension".
- A browser, store, or file-type hint: chrome://extensions, chromewebstore.google.com, addons.mozilla.org, a .crx / .xpi / .safariextz file, "Developer mode", "web store", "unzip the folder".

It excludes known browser vendors (Google, Mozilla, Microsoft, Apple, Brave, Vivaldi, Opera, Arc, Kagi, DuckDuckGo), reply threads, and newsletters.

Auto-classified as danger via the `-lure` DANGER_SUFFIXES rule from iter 874.
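A minimal sketch of the firing condition described above, run over constructed messages. This is an added example, not Gorganizer's code: the regular expressions, the vendor sender domains, and the header tests used to recognise replies and newsletters are all assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Install-flow language from the rule description (patterns are this example's own).
INSTALL_FLOW = re.compile(
    r"\b(install|add|enable|download)\b[^.\n]{0,40}\b(extension|add-on|addon|plugin)\b"
    r"|load\s+(it\s+)?as\s+(an\s+)?unpacked\s+extension", re.I)
# Browser / store / file-type hints listed in the rule description.
HINT = re.compile(
    r"chrome://extensions|chromewebstore\.google\.com|addons\.mozilla\.org"
    r"|\.(crx|xpi|safariextz)\b|developer mode|web store|unzip the folder", re.I)
# Assumed sender domains for the excluded vendors; the page names vendors only.
VENDOR_DOMAINS = {"google.com", "mozilla.org", "microsoft.com", "apple.com", "brave.com",
                  "vivaldi.com", "opera.com", "arc.net", "kagi.com", "duckduckgo.com"}

def is_extension_install_lure(raw: str) -> bool:
    """True when both body conditions match and no exclusion applies."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Exclusion 1: sender is a known browser vendor (exact domain or subdomain).
    if any(domain == d or domain.endswith("." + d) for d in VENDOR_DOMAINS):
        return False
    # Exclusion 2: reply thread (assumed test: In-Reply-To header or "Re:" subject).
    if msg.get("In-Reply-To") or msg.get("Subject", "").lower().startswith("re:"):
        return False
    # Exclusion 3: newsletter (assumed test: List-Unsubscribe header present).
    if msg.get("List-Unsubscribe"):
        return False
    body = "\n".join(p.get_payload() for p in msg.walk()
                     if p.get_content_type() == "text/plain")
    return bool(INSTALL_FLOW.search(body) and HINT.search(body))

# Constructed sample messages (not taken from any real campaign).
LURE = ("From: Copilot Assistant <support@copilot-helper.example>\n"
        "Subject: Activate your assistant\n\n"
        "To finish setup, download the extension archive and unzip the folder.\n"
        "Open chrome://extensions, turn on Developer mode, then load as unpacked extension.\n")
VENDOR = ("From: Firefox <noreply@mozilla.org>\nSubject: New add-ons\n\n"
          "Install the add-on from addons.mozilla.org today.\n")
REPLY = LURE.replace("Subject: ", "Subject: Re: ")
NEWSLETTER = "List-Unsubscribe: <mailto:unsub@news.example>\n" + LURE
NO_HINT = ("From: IT <it@corp.example>\nSubject: Tools\n\n"
           "Please install the password manager extension before Friday.\n")

if __name__ == "__main__":
    for name in ("LURE", "VENDOR", "REPLY", "NEWSLETTER", "NO_HINT"):
        print(name, is_extension_install_lure(globals()[name]))
```

The `NO_HINT` message shows why the rule needs both conditions: install language alone, with no store, file-type, or developer-mode hint, does not fire.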

False-positive guard

Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.

About the scoring engine

Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.

Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.
