Software and extension stores that rely on automatic store submission reviews are more prone to fake and malicious extensions being offered. The latest addition to the growing number of Chrome Store extensions that fall into the category is called Microsoft Authenticator.
The name suggests that it is an official product by Microsoft, but it is not. One hint that something is off is that the company that is offering the extension is not Microsoft Corporation but “Extensions”.
The app has 448 users and a three out of five stars rating at the store at the moment. It has been in the store since April 23, 2021.
If you have read our guide on verifying Chrome extensions before installation, you know that direct information such as the developer may provide hints that something may be fishy. The developer email address looks like one of those fake email addresses used for poising or spam sending; it uses a Gmail address, and not an official Microsoft address.
A look at the reviews includes several warnings from other users, but also some that praise it. The latter are likely fake and used to instill a level of trust in users who check the reviews before trying the extension.
A quick check of Microsoft’s Authenticator homepage reveals that it is available as a mobile application, and as a Microsoft Store version, but not as a browser extension.
The Microsoft Authenticator application cannot be used to authenticate Microsoft account sign-ins or any other sign-in for the matter. It displays a basic page with the option to “run Microsoft Authenticator”. A click on the button opens a Polish webpage that redirects to another webpage automatically asking for a sign-in or the creation of an account.
In this case, it is pretty obvious that the extension is not legitimate but fake. Still, more than 400 users have installed the extension already and it is possible that the count will increase in the coming days or weeks. Much of it depends on Google and whether the company will do something about it.
Now You: do you vet extensions before you install them?