I posted this over at Thurrott as well, but thought it was important enough to repeat here:
Just a quick heads-up to any Chrome users who downloaded the “Microsoft Authenticator” add-on for Chrome… It doesn’t come from Microsoft, it comes from the developer “Extension” and redirects to a site in Poland to try and get users to sign in to a phishing site. It also used high CPU, so possibly a crypto-miner as well.
Microsoft has never released a Chrome add-on for their Authenticator; it is built into Edge, or is a stand-alone app on Android (and iOS?).
If you downloaded it, you might want to change all passwords stored in Authenticator and rescind and renew all OTP codes for the Authenticator app.
Google gave no comment on how the add-on managed to get published in the store in the first place.
As with the Play Store, Apple’s App Store or downloading directly from the web, double and triple check the site / author of the application/app/add-on before installing. If the name doesn’t match up with the company behind the app/add-on, don’t install it before double-checking to ensure that it is legitimate – some companies have apps written for them by other companies, so there are legitimate times where a web developer or software developer writes an app or add-on for another company and publishes it themselves (but that should never be the case for companies like Microsoft, Amazon, Facebook etc.).
For web software or sites in general, before I log on or download something, I always ensure the certificate is from a trusted source – although most AV packages these days perform a “man-in-the-middle” attack on all browsers, so you cannot verify the certificate is legitimate, because the certificates for every site are illegitimate!
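To check whether an add-on with this name is installed in a Chrome profile, the following is an added example (not part of the original post) that searches the profile's `Extensions` directory by display name. It assumes the usual on-disk layout `Extensions/<id>/<version>/manifest.json`; the function names, extension IDs and sample manifests are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path


def display_name(version_dir, manifest):
    """Resolve the name, following a __MSG_key__ reference into _locales."""
    name = manifest.get("name", "")
    if not (name.startswith("__MSG_") and name.endswith("__")):
        return name
    path = version_dir / "_locales" / manifest.get("default_locale", "en") / "messages.json"
    try:
        messages = json.loads(path.read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return name  # unresolved placeholder; report it as-is
    for key, entry in messages.items():
        if key.lower() == name[6:-2].lower():  # message keys are case-insensitive
            return entry.get("message", name)
    return name


def find_extensions(extensions_dir, needle):
    """Return (id, version, name) for installed extensions whose name contains needle."""
    hits = []
    for manifest_path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest
        name = display_name(manifest_path.parent, manifest)
        if needle.lower() in name.lower():
            hits.append((manifest_path.parent.parent.name, manifest.get("version", "?"), name))
    return hits


def demo():
    """Search a constructed Extensions directory holding two made-up extensions."""
    root = Path(tempfile.mkdtemp())
    fake = root / ("a" * 32) / "1.0_0"  # constructed ID, not a real extension
    (fake / "_locales" / "en").mkdir(parents=True)
    (fake / "manifest.json").write_text(json.dumps(
        {"name": "__MSG_appName__", "version": "1.0", "default_locale": "en"}))
    (fake / "_locales" / "en" / "messages.json").write_text(json.dumps(
        {"appName": {"message": "Microsoft Authenticator"}}))
    other = root / ("b" * 32) / "2.3_0"
    other.mkdir(parents=True)
    (other / "manifest.json").write_text(json.dumps({"name": "Notes Tool", "version": "2.3"}))
    return find_extensions(root, "authenticator")
```

Point `find_extensions` at the real profile, for example `~/.config/google-chrome/Default/Extensions` on Linux or `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions` on Windows. A hit only shows that an add-on with that name is present; the publisher still has to be checked on its store listing.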