Saved February 14, 2026
Do you care about this?
The "Stanley" toolkit allows criminals to create malicious Chrome extensions that can overlay phishing pages on legitimate sites while masking the true URL. By masquerading as useful tools, these extensions trick users into granting permissions, making them vulnerable to credential theft. This poses significant risks in remote work environments where browser security is paramount.
If you do, here's more
The "Stanley" toolkit, identified by Varonis researchers, is a new tool used by cybercriminals to create malicious Chrome browser extensions. These extensions can overlay phishing pages on legitimate sites while keeping the actual URL visible in the address bar. This tactic tricks users into entering sensitive information without realizing they're on a fraudulent page. The toolkit is packaged as a seemingly harmless note-taking extension called Notely, which users might install for its legitimate features, making them more likely to grant the necessary permissions for the attack.
Purchasers of the Stanley toolkit gain access to a command-and-control panel that allows them to manage victims and configure phishing redirects. Notably, at higher tiers, buyers are assured that their malicious extensions will be approved by the Chrome Web Store, bypassing Google's review process. This highlights the increasing sophistication of browser-based attacks, where traditional security measures may fall short. The unchanged URL during phishing interactions creates a significant blind spot for detection.
Experts emphasize that the rise of browser extensions as an attack vector coincides with the growing reliance on SaaS and cloud-based services. Users often grant extensive permissions to these extensions, which can then intercept web traffic and steal credentials. Security professionals warn that conventional defenses focused on detecting malware or unusual traffic patterns are inadequate when attacks occur within the browser environment itself. They recommend strategies like allow-listing trusted extensions and regularly reviewing permissions to mitigate risks.
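The allow-listing and permission review recommended above can be sketched as a manifest audit. This is an added example, not code from the article or from Varonis. The article does not list the permissions the Notely extension requests, so the broad-host patterns, the API names flagged for review, the extension IDs and the sample manifests are all constructed assumptions.

```python
import json

# Constructed allow-list of approved extension IDs (placeholder values).
ALLOW_LIST = {"a" * 32}
# Match patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Chrome API permissions worth manual review alongside broad host access.
REVIEW_APIS = {"scripting", "tabs", "webNavigation", "webRequest"}

def _strings(manifest, *keys):
    """Collect string entries from the given manifest list fields."""
    return [p for k in keys for p in manifest.get(k, []) if isinstance(p, str)]

def audit_manifest(ext_id, manifest, allow_list=ALLOW_LIST):
    """Return a list of review findings for one extension manifest."""
    findings = []
    if ext_id not in allow_list:
        findings.append("not on allow-list")
    # MV3 lists hosts in host_permissions; MV2 mixes them into permissions.
    declared = _strings(manifest, "permissions", "host_permissions")
    hosts = sorted(set(declared) & BROAD_HOSTS)
    if hosts:
        findings.append("broad host access: " + ", ".join(hosts))
    for script in manifest.get("content_scripts", []):
        hit = sorted(set(script.get("matches", [])) & BROAD_HOSTS)
        if hit:
            findings.append("content script on all pages: " + ", ".join(hit))
    apis = sorted(set(declared) & REVIEW_APIS)
    if apis:
        findings.append("review API permissions: " + ", ".join(apis))
    return findings

# Constructed sample manifests (not taken from any real extension).
SAMPLES = {
    "a" * 32: json.loads("""{"manifest_version": 3, "name": "Approved PDF tool",
        "permissions": ["storage"], "host_permissions": ["https://docs.example.com/*"]}"""),
    "b" * 32: json.loads("""{"manifest_version": 3, "name": "Sample notes app",
        "permissions": ["storage", "tabs", "scripting"],
        "host_permissions": ["<all_urls>"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}]}"""),
}

def audit_all(samples=SAMPLES):
    """Audit every manifest and keep only extensions with findings."""
    report = {eid: audit_manifest(eid, m) for eid, m in samples.items()}
    return {eid: f for eid, f in report.items() if f}

if __name__ == "__main__":
    for eid, findings in audit_all().items():
        print(eid, findings)
```

In practice the manifests would be read from each browser profile's extensions directory, and the allow-list would come from the organisation's own extension policy.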