Until fairly recently, the attacker methodology behind the largest breaches of the last decade or so has been fairly constant:
- Compromise an endpoint through a software exploit, or by social engineering a user into running malware on their machine;
- Find ways to move laterally inside the network and compromise privileged identities;
- Repeat as needed until you can execute your desired attack, usually stealing data from file shares, deploying ransomware, or both.
But attacks have fundamentally changed as networks have evolved. With the SaaS-ification of enterprise IT, core business systems aren't locally deployed and centrally managed in the way they used to be. Instead, they're logged into over the internet and accessed through a web browser.
Figure: Attacks have shifted from targeting local networks to SaaS services, accessed through employees' web browsers.
Under the shared responsibility model, the part that is left to the business consuming a SaaS service is mostly constrained to how they manage identities: the vehicle by which the app is accessed and used by the workforce. It's no surprise that this has become the soft underbelly in the crosshairs of attackers.
We've seen this again and again in the largest breaches of recent years, with the highlights including the massive Snowflake campaign in 2024 and the 2025 crime wave attributed to Scattered Spider.
These attacks are so successful because, while attackers have moved with the changes to enterprise IT, security hasn't really kept up.
The browser is the new battleground, and a security blind spot
Taking over workforce identities is the primary objective for attackers looking to target an organization, and the browser is where the attacks against users happen. This is because it's where these digital identities are created and used, and where their credentials and sessions live. That's what the attacker wants to get their hands on.
Stolen credentials can be used as part of targeted attacks or in broader credential stuffing (cycling known username and credential pairs against various apps and platforms), while stolen session tokens can be used to log directly into an active session, bypassing the authentication process.
There are a few different methods that attackers can use to get access to these identities. Attackers harvest stolen credentials from various places: data breach dumps, mass credential phishing campaigns, infostealer logs, even malicious browser extensions that they've tricked an employee into installing. In fact, the cyber crime ecosystem itself has shifted on its axis to cater to this, with hackers specifically taking on the role of harvesting credentials and establishing account access for others to exploit.
The high-profile Snowflake breaches in 2024 signalled a watershed moment in the shift to identity-driven breaches, where attackers logged into accounts across hundreds of customer tenants using stolen credentials. One of the main sources of the stolen credentials used in the attacks was infostealer logs dating back to 2020: breached passwords that hadn't been rotated or mitigated with MFA.
Infostealers are notable because they're an endpoint malware attack designed to harvest credentials and session tokens (primarily from the browser) to enable the attacker to then log into those services... through their own web browser. So, even today's endpoint attacks see the attacker pivot back into the browser in order to get to identities: the key to the web apps and services where exploitable data and functionality now reside.
Attacks in the browser vs. on the browser
There's an important distinction to be made between attacks that happen in the browser and those happening against the browser itself.
There's growing consensus that the browser is the new endpoint. But the analogy isn't perfect: the reality is that web browsers have a relatively limited attack surface compared to the complexity of the typical endpoint, and comparing something like Google Chrome with a Windows OS is a very unlikely comparison.
Attacks that target the browser itself as a mechanism to compromise identities are few and far between. One of the more obvious vectors is malicious browser extensions, so scenarios in which a user has either:
- Been lured into installing an already malicious extension, or
- Is using a browser extension that's later compromised by an attacker
But the problem of malicious extensions is something you solve once, and then move on. The reality is that users shouldn't be installing random browser extensions, and given the opportunity, you should:
- Lock down your environment to allow only a handful of essential extensions.
- Monitor for signs that an extension you trust is compromised.
This doesn't apply in an environment where you give users full access to install whatever extensions they choose. But if the browser is the new endpoint, that's a bit like all your users being local admins: you're asking for trouble. And locking down extensions in your organization is something that can be achieved using native tools if you're, for example, a Chrome Enterprise customer. Audit your users once, approve only what's needed, and require additional approval to install new extensions.
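As an added illustration of the "audit once, approve only what's needed" lockdown above (example code, not Chrome's or Push Security's own), this block models a Chrome Enterprise ExtensionSettings policy with a blocked-by-default wildcard and audits a constructed extension inventory against it; the policy key names and installation_mode values are Chrome's, while the extension IDs and inventory are placeholders.

```javascript
// Added example (not Chrome's or Push Security's code): audit a Chrome Enterprise
// ExtensionSettings policy against an inventory of what users have installed.
// Policy key names and installation_mode values are Chrome's; the extension IDs
// and the inventory are constructed placeholders (real IDs are 32 chars, a-p).
const LOCKDOWN_POLICY = {
  ExtensionSettings: {
    // "*" is the default applied to every extension not listed explicitly.
    "*": {
      installation_mode: "blocked",
      blocked_install_message: "Extensions must be approved by security first.",
    },
    // The approved handful: pushed to everyone, or merely permitted.
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa: {
      installation_mode: "force_installed",
      update_url: "https://clients2.google.com/service/update2/crx",
    },
    bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb: { installation_mode: "allowed" },
  },
};

// Effective installation mode for one ID: an explicit entry wins over "*".
function effectiveMode(policy, extId) {
  const settings = policy.ExtensionSettings || {};
  const entry = settings[extId] || settings["*"] || {};
  return entry.installation_mode || "allowed"; // Chrome's default when unset
}

// True when the policy denies by default, so only listed IDs can be installed.
function isDefaultDeny(policy) {
  const star = (policy.ExtensionSettings || {})["*"];
  return !!star && ["blocked", "removed"].includes(star.installation_mode);
}

// Split an inventory into what survives the policy and what it would stop.
function auditInventory(policy, inventory) {
  const kept = [];
  const stopped = [];
  for (const ext of inventory) {
    const mode = effectiveMode(policy, ext.id);
    (["blocked", "removed"].includes(mode) ? stopped : kept).push({ ...ext, mode });
  }
  return { defaultDeny: isDefaultDeny(policy), kept, stopped };
}
// Constructed inventory: two approved extensions and one nobody reviewed.
const INVENTORY = [
  { id: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", name: "Password manager (approved)" },
  { id: "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", name: "PDF tools (approved)" },
  { id: "cccccccccccccccccccccccccccccccc", name: "Coupon finder (unreviewed)" },
];
```

Running `auditInventory(LOCKDOWN_POLICY, INVENTORY)` lists the unreviewed extension under `stopped`, which is the list to review before the policy is rolled out.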
Identity is the prize, the browser is the platform, and phishing is the weapon of choice
But the technique that is STILL driving the most impactful identity-driven breaches? It's phishing. Phishing for credentials, sessions, OAuth consent, authorization codes. Phishing via email, instant messenger, social media, malicious Google ads... all of it happens in, or leads to, the browser.
Figure: All phishing roads lead to the browser, regardless of the delivery channel.
And modern phishing attacks are more effective than ever. Today, phishing operates on an industrial scale, using an array of obfuscation and detection evasion techniques to stop email and network security tools from intercepting them. Probably the most common example today is the use of bot protection (think CAPTCHA or Cloudflare Turnstile), using legitimate anti-spam features to block security tools.
Figure: Cloudflare Turnstile is an easy way to stop security teams' automated analysis; it should probably come with a trigger warning for incident responders.
The latest generation of fully customized AitM phishing kits dynamically obfuscate the code that loads the web page, implement custom CAPTCHA, and use runtime anti-analysis features, making them increasingly difficult to detect. The ways in which links are delivered have also grown in sophistication, with more delivery channels (as shown above) and the use of legitimate SaaS services for camouflage.
And the latest developments indicate that attackers are responding to increasingly hardened IdP/SSO configuration by exploiting alternative phishing techniques that circumvent MFA and passkeys, most commonly by downgrading to a phishable backup authentication method, which you can see in action below, and read more about here.
Identities are the lowest-hanging fruit for attackers to aim for
The goal of the modern attacker, and the easiest way into your business's digital environment, is to compromise identities. Whether you're dealing with phishing attacks, malicious browser extensions, or infostealer malware, the objective remains the same: account takeover.
Organizations are dealing with a vast and vulnerable attack surface consisting of:
- Hundreds of applications, with thousands of accounts spread across the app estate.
- Accounts vulnerable to MFA-bypass phishing kits, because they're using a login method that isn't phishing-resistant, or because the login method can be downgraded.
- Accounts with a weak, reused, or breached password and no MFA at all (usually the result of a forgotten-about ghost login).
- Bypassing the authentication process entirely to evade otherwise phishing-resistant authentication methods, by abusing features like API key creation, app-specific passwords, OAuth consent phishing, cross-IdP impersonation, and more.
Figure: A 1,000-user organization has over 15,000 accounts with various configurations and associated vulnerabilities.
A key driver of identity vulnerability is the huge variance in the configurability of accounts per application, with different levels of centralized visibility and security control over identities provided. For example, while one app might be locked down to only accept SSO logins via SAML and automatically remove any unused passwords, another provides no control or visibility over login method or MFA status (another big driver of the Snowflake breaches last year). Unfortunately, as a by-product of product-led growth, and something that's compounded by every new SaaS startup that hits the market, this situation doesn't look like it will change anytime soon.
The end result is that identities are misconfigured, invisible to the security team, and routinely exploited by commodity attacker tooling. It's no surprise that they're the primary target for attackers today.
Figure: Ghost logins, AitM phishing, downgrade attacks, and app-level configuration issues are fuelling identity-based breaches.
The solution: The browser as a telemetry source and control point
Because identity attacks play out in the browser, it's the perfect place for security teams to monitor, intercept, and shut down these attacks.
The browser has a number of advantages over the other places where identity can be observed and protected, because:
- You're not limited to the apps and identities directly connected to your IdP (a fraction of your workforce identity sprawl).
- You're not limited to the apps that you know about and manage centrally; you can observe every login that passes through the browser.
- You can observe all the properties of a login, including the login method, MFA method, etc. You'd otherwise need API access to get this information, if you can get it at all (it depends on whether an API is available and whether this specific data can be queried, which is not standard for many apps).
It's obvious from everything we've covered so far that fixing every identity vulnerability is a daunting task: the SaaS ecosystem itself is working against you. This is why detecting and responding to identity attacks is critical. Because identity compromise almost always involves phishing or social engineering a user into performing an action in their browser (with some exceptions, like the Scattered Spider-related help desk attacks seen recently), it's also the perfect place to monitor for and intercept attacks.
In the browser, you gather deep, contextualized information about page behavior and user inputs that can be used to detect and shut down risky scenarios in real time. Take the example of phishing pages. Because Push operates in the browser, it sees everything:
- The page structure
- Where the user came from
- The password they enter (as a salted, abbreviated hash)
- What scripts are running
- And where credentials are being sent
Figure: Being in the browser gives you unrivalled visibility of phishing page activity and user behavior.
Conclusion
Identity attacks are the biggest unsolved problem facing security teams today and the leading cause of security breaches. At the same time, the browser presents security teams with all the tools they need to prevent, detect, and respond to identity-based attacks: proactively by finding and fixing identity vulnerabilities, and reactively by detecting and blocking attacks against users in real time.
Organizations need to move past the old ways of doing identity security: relying on MFA attestations, identity management dashboards, and legacy email and network anti-phishing tools. And there's no better place to stop these attacks than in the browser.
Find out more
Push Security's browser-based security platform provides comprehensive detection and response capabilities against the leading cause of breaches. Push blocks identity attacks like AitM phishing, credential stuffing, password spraying and session hijacking using stolen session tokens. You can also use Push to find and fix identity vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, weak passwords, risky OAuth integrations, and more.
If you want to learn more about how Push helps you detect and stop attacks in the browser, book some time with one of our team for a live demo.