Cside observed a new malicious client-side injection originating from a malicious browser extension impersonating Microsoft Clarity and overwriting referral tokens to redirect referral revenue to a malicious actor.
This attack bypasses traditional security tools for two reasons: the injection vector and the evasion techniques.
The script is injected by a browser extension, not embedded in the site's source code. This means Content Security Policy headers will not block it. Tag audits will not find it. Subresource Integrity checks do not apply. Server-side security tools have no visibility into what a browser extension injects into the page at runtime.
On top of that, the server behind msclairty[.]com filters requests aggressively: security scanners, AI-powered research tools, and any request from a datacenter IP or known bot user-agent receive a 403 Forbidden response. Even if a scanner somehow retrieved the real payload, the obfuscated source contains no recognizable signatures or known malicious patterns that static analysis would flag.
The script also evades manual research. It detects open DevTools and exits. It overwrites all console methods. It removes the iframe from the DOM after 20 seconds. It wipes the console after 3 seconds.
The loader adds another layer: it hooks history.pushState, history.replaceState, and popstate to re-trigger on every client-side navigation in single-page applications. Each route change sends the new URL to the server for fresh targeting. And because the server decides which payload variant to deliver based on the page URL and referrer, static analysis of a single captured payload cannot reveal the full range of attacks the infrastructure is capable of.
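As an added defender-side example (not cside's code), the following client-side check targets the behaviour described above: it flags history.pushState, history.replaceState and console methods that are no longer browser natives, and reports script or iframe elements inserted at runtime whose host is outside an allowlist. ALLOWED_HOSTS, COLLECTOR_URL and reportToCollector are assumed placeholders.

```javascript
// Added defender-side example, not cside's code. ALLOWED_HOSTS and COLLECTOR_URL
// are placeholders a site would replace with its own values.
const ALLOWED_HOSTS = ["cdn.example.com"]; // constructed allowlist
const COLLECTOR_URL = "https://collector.example.invalid/report"; // placeholder

// An un-hooked builtin stringifies to "... { [native code] }". A hook written as
// a plain JS wrapper (the loader's history hooks, the console overrides) loses
// that marker. Bound functions and Proxies keep it, so this is a heuristic.
const NATIVE_RE = /\{\s*\[native code\]\s*\}\s*$/;

function isNativeFunction(fn) {
  return typeof fn === "function" && NATIVE_RE.test(Function.prototype.toString.call(fn));
}

// targets: { label: fn }. Returns labels whose function is no longer native.
function findTamperedNatives(targets) {
  return Object.keys(targets).filter((label) => !isNativeFunction(targets[label]));
}

// Classify a node inserted at runtime. Takes a minimal { tagName, src } shape so
// the logic also runs outside a browser. Inline content has no host to judge.
function isUnexpectedInjection(node, allowedHosts) {
  const tag = String(node.tagName || "").toLowerCase();
  if ((tag !== "script" && tag !== "iframe") || !node.src) return false;
  const base = typeof document !== "undefined" ? document.baseURI : "https://site.invalid/";
  try {
    return !allowedHosts.includes(new URL(node.src, base).hostname);
  } catch (e) {
    return true; // unparsable src: treat as unexpected
  }
}

function reportToCollector(event) {
  const body = JSON.stringify(event);
  if (typeof navigator !== "undefined" && navigator.sendBeacon) navigator.sendBeacon(COLLECTOR_URL, body);
  return body;
}

if (typeof window !== "undefined") {
  const tampered = findTamperedNatives({
    "history.pushState": history.pushState, "history.replaceState": history.replaceState,
    "console.log": console.log, "console.clear": console.clear,
  });
  if (tampered.length) reportToCollector({ type: "hooked-native", tampered });
  new MutationObserver((records) => {
    for (const r of records) for (const n of r.addedNodes) {
      if (isUnexpectedInjection(n, ALLOWED_HOSTS)) reportToCollector({ type: "injected-element", tag: n.tagName, src: n.src });
    }
  }).observe(document.documentElement, { childList: true, subtree: true });
}
```

Run it early in the page so the baseline is taken before an extension's injected script has had time to install its hooks, and include your own hostname in ALLOWED_HOSTS so relative script sources are not reported.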