Microsoft Edge will automatically detect and revoke malicious sideloaded extensions

CyberSecureFox 🦊

Microsoft announced a new security capability for Edge that will detect and revoke malicious extensions installed outside the official Edge Add-ons store (sideloaded). The rollout is planned for November 2025 and will be available across all global multi-tenant instances. While technical specifics were not disclosed, the feature targets a long-standing attack vector used to compromise browsers and steal data.

Why sideloaded browser extensions raise security risk

Like other Chromium-based browsers, Edge allows local installation of unpacked extensions in developer mode ("Load unpacked" on edge://extensions) for testing. This workflow is convenient for developers, but in user and enterprise environments it bypasses store vetting such as reputation checks, code review, and permission policy enforcement, and an unpacked extension also gets none of the store's content verification or automatic updates, increasing the likelihood of installing and keeping a malicious component.

Even brief exposure can be consequential. Malicious extensions can exfiltrate session tokens, inject scripts into web pages, alter content, or intercept form data within seconds, often without visible indicators. Adversaries frequently mask harmful behaviors behind “useful” features to build trust and spread at scale.

Real-world impact and scale: campaigns and statistics

Large-scale incidents underscore the risk. In 2020, Awake Security reported 111 malicious Chrome extensions with an estimated 32 million downloads. In 2022, McAfee identified five extensions amassing roughly 1.4 million installs. Both campaigns were distributed through the official Chrome Web Store, which shows that store vetting alone is not a complete defense against social engineering and that extensions can reach both consumers and enterprises at scale; sideloading removes even that layer of review.

What Microsoft is adding to Edge

Microsoft says Edge will be able to detect and revoke malicious sideloaded extensions. In practice, revocation likely means forcibly disabling an extension and blocking re-enablement. Although the company has not detailed detection logic, the announcement aligns with broader efforts to harden the extension ecosystem and reduce abuse.

Probable detection and enforcement approaches

Based on common browser security strategies, Edge may combine reputation feeds and blocklists (publisher identity, signatures, hashes), behavioral analysis (signals of data exfiltration, injection, or anomalous network calls), permission and capability checks compared to typical profiles, and telemetry-driven heuristics to flag suspicious patterns. In enterprise environments, policy integration via GPO/Intune would support centralized controls and reporting, complementing Microsoft’s existing protection stack.
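A local, host-side version of the permission and install-source checks described above, as an added example for administrators (this is not Microsoft's detection logic and is not code from the original article). It reads the extension state that Chromium-based browsers keep in each profile's "Secure Preferences"/"Preferences" JSON and flags extensions that were loaded unpacked or that request over-broad permissions. Assumptions, taken from Chromium internals rather than Edge documentation: extension records sit under extensions.settings, location value 4 is Chromium's "unpacked" (developer mode) install type, store installs are recorded with a path relative to the profile's Extensions folder while unpacked ones keep an absolute path, and the permission list is a heuristic chosen for this example.

```powershell
# Added example, not Microsoft's detection logic: audit Edge profiles on a
# Windows host for sideloaded extensions and over-broad permissions.
# Assumptions (Chromium internals, not documented Edge behaviour):
#  - extension state is in the profile's "Secure Preferences"/"Preferences"
#    JSON under extensions.settings;
#  - location 4 is Chromium's "unpacked" (developer mode) install type;
#  - store installs are stored with a relative path inside <profile>\Extensions,
#    unpacked extensions keep an absolute path to wherever they were loaded from.

# Heuristic list of permissions/host patterns that enable data theft or injection.
$RiskyPermissions = @(
    '<all_urls>', '*://*/*', 'http://*/*', 'https://*/*',
    'webRequest', 'webRequestBlocking', 'declarativeNetRequest',
    'cookies', 'tabs', 'scripting', 'debugger', 'proxy',
    'nativeMessaging', 'clipboardRead', 'history', 'management'
)

function Get-EdgeExtensionReport {
    param(
        [string]$UserDataDir = (Join-Path $env:LOCALAPPDATA 'Microsoft\Edge\User Data')
    )
    $report = @()
    foreach ($profileDir in Get-ChildItem -Path $UserDataDir -Directory -ErrorAction SilentlyContinue) {
        foreach ($prefFile in 'Secure Preferences', 'Preferences') {
            $prefPath = Join-Path $profileDir.FullName $prefFile
            if (-not (Test-Path -LiteralPath $prefPath)) { continue }
            try {
                $prefs = Get-Content -LiteralPath $prefPath -Raw -Encoding UTF8 | ConvertFrom-Json
            } catch {
                Write-Warning "Could not parse $prefPath : $_"
                continue
            }
            $settings = $prefs.extensions.settings
            if (-not $settings) { continue }

            foreach ($prop in $settings.PSObject.Properties) {
                $ext = $prop.Value
                if (-not $ext.manifest) { continue }   # component/stub entries carry no manifest

                # MV2 puts host patterns in "permissions", MV3 in "host_permissions".
                $perms = @()
                if ($ext.manifest.permissions)      { $perms += $ext.manifest.permissions }
                if ($ext.manifest.host_permissions) { $perms += $ext.manifest.host_permissions }
                $risky = @($perms | Where-Object { $RiskyPermissions -contains $_ })

                $path = [string]$ext.path
                $absolutePath = ($path -ne '') -and [System.IO.Path]::IsPathRooted($path)

                $report += [pscustomobject]@{
                    Profile    = $profileDir.Name
                    Id         = $prop.Name
                    Name       = $ext.manifest.name
                    Version    = $ext.manifest.version
                    Enabled    = ($ext.state -eq 1)
                    Sideloaded = (($ext.location -eq 4) -or $absolutePath)
                    RiskyPerms = ($risky -join ', ')
                    Path       = $path
                }
            }
        }
    }
    return $report
}

# Usage: sideloaded extensions first, broadest permission sets at the top.
Get-EdgeExtensionReport |
    Where-Object { $_.Sideloaded } |
    Sort-Object { $_.RiskyPerms.Length } -Descending |
    Format-Table Profile, Id, Name, Enabled, RiskyPerms, Path -AutoSize
```

Run it in the user's context (the profile directory is per user) or point -UserDataDir at a collected copy of the profile during an investigation. An extension that is both Sideloaded and Enabled with entries in RiskyPerms is the case the Edge feature is meant to catch automatically; the report gives you the ID and on-disk path to pull the code for review. The permission match is exact-string, so narrower host patterns such as *://*.example.com/* are not flagged; extend the list for your environment.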

Microsoft’s broader extension ecosystem safeguards

Recent steps include a Publish API for developers, strengthened account and update checks, and experiments with warnings for extensions that degrade Edge performance. Collectively, these measures reduce the chance of malicious code entering the ecosystem and improve visibility for users and administrators.

Practical steps to reduce extension risk now

Organizations and consumers do not need to wait for November 2025 to improve protection against malicious browser extensions. The following measures reduce attack surface immediately:

  • Avoid developer mode and sideloading; install only from the official Microsoft Edge Add-ons store.
  • Scrutinize requested permissions and publisher reputation; remove extensions you do not actively use.
  • Enforce enterprise policies (GPO/Intune) to disable sideloading and maintain a strict allowlist of approved extensions.
  • Keep Edge and the OS up to date; enable built-in protections such as Microsoft Defender SmartScreen and site isolation.
  • Use endpoint security with EDR to monitor for browser injections and suspicious network activity originating from extensions.
  • Train users to recognize social engineering and phishing that promote “helpful” but malicious add-ons.
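The policy bullet above, carried out on a Windows endpoint as an added example (not text or code from the original article or from Microsoft's documentation). It writes the same registry-backed Edge policies that GPO (ADMX) or Intune (Settings Catalog) deliver: an ExtensionInstallBlocklist of "*" blocks every extension that is not on ExtensionInstallAllowlist, including "Load unpacked" sideloads, and BlockExternalExtensions refuses extensions pushed in through registry or external-preference installers. It assumes an elevated session; the extension IDs are constructed placeholders, not real approved IDs.

```powershell
# Added example: enforce an Edge extension allowlist through policy registry keys.
# The same values are what a GPO (ADMX) or Intune Settings Catalog profile writes;
# run this elevated, or use it to verify what your management tooling applied.
# Assumption: the extension IDs passed below are placeholders, not real approved IDs.

$EdgePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

function Set-EdgePolicyList {
    # Edge list policies are registry keys whose string values are named 1, 2, 3, ...
    param([string]$Name, [string[]]$Entries)
    $key = Join-Path $EdgePolicyKey $Name
    Remove-Item -Path $key -Recurse -ErrorAction SilentlyContinue   # drop stale entries
    New-Item -Path $key -Force | Out-Null
    $i = 1
    foreach ($entry in $Entries) {
        New-ItemProperty -Path $key -Name "$i" -Value $entry -PropertyType String -Force | Out-Null
        $i++
    }
}

function Set-EdgeExtensionAllowlistPolicy {
    param([Parameter(Mandatory)] [string[]]$ApprovedExtensionIds)
    New-Item -Path $EdgePolicyKey -Force | Out-Null
    # Deny by default: "*" blocks every extension, store-installed or unpacked...
    Set-EdgePolicyList -Name 'ExtensionInstallBlocklist' -Entries @('*')
    # ...except the explicitly approved IDs.
    Set-EdgePolicyList -Name 'ExtensionInstallAllowlist' -Entries $ApprovedExtensionIds
    # Refuse extensions installed via registry/external-pref "external" installers.
    New-ItemProperty -Path $EdgePolicyKey -Name 'BlockExternalExtensions' -Value 1 `
        -PropertyType DWord -Force | Out-Null
}

function Get-EdgeExtensionPolicy {
    # Read back the effective allow/block lists for auditing or compliance reports.
    foreach ($name in 'ExtensionInstallBlocklist', 'ExtensionInstallAllowlist') {
        $key = Join-Path $EdgePolicyKey $name
        if (-not (Test-Path $key)) { continue }
        $regKey = Get-Item -Path $key
        $values = $regKey.GetValueNames() |
            Sort-Object { [int]$_ } |
            ForEach-Object { $regKey.GetValue($_) }
        [pscustomobject]@{ Policy = $name; Entries = ($values -join ', ') }
    }
}

# Usage with constructed placeholder IDs (Edge/Chromium IDs are 32 letters a-p).
Set-EdgeExtensionAllowlistPolicy -ApprovedExtensionIds @(
    'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',   # e.g. the corporate password manager
    'bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb'    # e.g. an approved PDF tool
)
Get-EdgeExtensionPolicy | Format-Table -AutoSize
```

After applying, open edge://policy and use "Reload policies" to confirm the lists show up under the machine scope; an attempt to load an unpacked extension whose ID is not allowlisted is then refused by policy. Blocklist "*" also disables any extension already installed that is not allowlisted, so inventory what users rely on before rolling it out, and add those IDs (and only those) to the allowlist.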

Automated detection and revocation of malicious sideloaded extensions in Edge will close a convenient pathway for adversaries. Combined with stronger publishing checks and performance alerts, the change should materially enhance enterprise browser security. Now is the time to review extension governance, restrict sideloading where possible, curate an allowlist of trusted extensions, and prepare users for safer browsing habits while monitoring Microsoft's updates to Edge.
