Cyber Web Spider Blog – News


How the Browser Became the Main Cyber Battleground

Posted on July 29, 2025 By CWS

Until recently, the cyber attacker methodology behind the biggest breaches of the last decade or so has been fairly consistent:

  • Compromise an endpoint via software exploit, or by social engineering a user to run malware on their device;
  • Find ways to move laterally inside the network and compromise privileged identities;
  • Repeat as needed until you can execute your desired attack — usually stealing data from file shares, deploying ransomware, or both.

But attacks have fundamentally changed as networks have evolved. With the SaaS-ification of enterprise IT, core business systems aren't locally deployed and centrally managed in the way they used to be. Instead, they're logged into over the internet, and accessed via a web browser.

Attacks have shifted from targeting local networks to SaaS services, accessed through employee web browsers.

Under the shared responsibility model, the part that's left to the business consuming a SaaS service is mostly constrained to how they manage identities — the vehicle by which the app is accessed and used by the workforce. It's no surprise that this has become the soft underbelly in the crosshairs of attackers.

We've seen this time and again in the biggest breaches of recent years, with the highlights including the massive Snowflake campaign in 2024 and the 2025 crime wave attributed to Scattered Spider.

These attacks are so successful because while attackers have moved with the changes to enterprise IT, security hasn't really kept up.

The browser is the new battleground — and a security blind spot

Taking over workforce identities is the first objective for attackers looking to target an organization, and the browser is the place where the attacks against users happen. This is because it's where these digital identities are created and used — and where their credentials and sessions live. This is what the attacker wants to get their hands on.

Stolen credentials can be used as part of targeted attacks or in broader credential stuffing (cycling known username and credential pairs against various apps and platforms), while stolen session tokens can be used to log in directly to an active session, bypassing the authentication process.

There are a number of different techniques that attackers can use to get access to these identities. Attackers harvest stolen credentials from various places — data breach dumps, mass credential phishing campaigns, infostealer logs, even malicious browser extensions that they've tricked an employee into installing. In fact, the cyber crime ecosystem itself has shifted on its axis to cater to this, with hackers specifically taking on the role of harvesting credentials and establishing account access for others to exploit.

The high-profile Snowflake breaches in 2024 signalled a watershed moment in the shift to identity-driven breaches, where attackers logged into accounts across hundreds of customer tenants using stolen credentials. One of the main sources of the stolen credentials used in the attacks was infostealer logs dating back to 2020 — breached passwords that hadn't been rotated or mitigated with MFA.

Infostealers are notable because they're an endpoint malware attack designed to harvest credentials and session tokens (primarily from the browser) to enable the attacker to then log into those services… through their own web browser. So, even today's endpoint attacks are seeing the attacker pivot back into the browser in order to get to identities — the key to the online apps and services where exploitable data and functionality now resides.

Attacks in the browser vs. on the browser

There's an important distinction to be made between attacks that happen in the browser, vs. those happening against the browser itself.

There's growing consensus that the browser is the new endpoint. But the analogy isn't perfect — the reality is that web browsers have a comparatively limited attack surface compared to the complexity of the traditional endpoint — comparing something like Google Chrome with a Windows OS seems a very far-fetched idea.

Attacks that target the browser itself as a mechanism to compromise identities are few and far between. One of the more obvious vectors is using malicious browser extensions — so, scenarios in which a user has either:

  • Been lured into installing an already malicious extension, or
  • Is using a browser extension that is later compromised by an attacker

But the problem of malicious extensions is something you solve once, and then move on. The reality is that users shouldn't be installing random browser extensions, and given the risk, you should:

  • Lock down your environment to allow only a handful of essential extensions.
  • Monitor for signs that an extension you trust is compromised.

This doesn't apply in an environment where you give users full access to install whatever extensions they choose. But if the browser is the new endpoint, it's a bit like all your users being local admins — you're asking for trouble. And locking down extensions in your organization is something that can be achieved using native tools if you're, for example, a Chrome Enterprise customer. Audit your users once, approve only what's needed, and require further approval to install new extensions.
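
The audit-and-monitor loop described above can be sketched as follows. This is an added example, not code from the article or from any vendor: the policy keys are Chrome's `ExtensionInstallBlocklist` and `ExtensionInstallAllowlist`, while the extension IDs, users, inventory records, and the choice of permission growth as a compromise signal are assumptions made for illustration.

```javascript
// Added example. Policy keys are Chrome's ExtensionInstallBlocklist and
// ExtensionInstallAllowlist; every ID, user and record below is constructed.
const policy = {
  ExtensionInstallBlocklist: ["*"], // default deny
  ExtensionInstallAllowlist: ["a".repeat(32), "b".repeat(32)],
};

// Permissions recorded when each allowlisted extension was approved (constructed).
const baseline = {
  ["a".repeat(32)]: { version: "2.1.0", permissions: ["storage"] },
  ["b".repeat(32)]: { version: "5.0.3", permissions: ["storage", "tabs"] },
};

// Current fleet inventory, e.g. exported from browser management (constructed).
const inventory = [
  { user: "ana", id: "a".repeat(32), version: "2.1.0", permissions: ["storage"] },
  { user: "ben", id: "b".repeat(32), version: "5.1.0",
    permissions: ["storage", "tabs", "cookies", "<all_urls>"] },
  { user: "cy", id: "c".repeat(32), version: "1.0.0", permissions: ["tabs"] },
];

// Assumption: these grants give an extension reach into sessions and page content.
const SENSITIVE = new Set(["cookies", "webRequest", "scripting", "<all_urls>"]);

function auditExtensions(policy, baseline, inventory) {
  const findings = [];
  const allow = new Set(policy.ExtensionInstallAllowlist || []);
  if (!(policy.ExtensionInstallBlocklist || []).includes("*")) {
    findings.push({ type: "policy-not-default-deny" });
  }
  for (const ext of inventory) {
    if (!allow.has(ext.id)) {
      findings.push({ type: "not-allowlisted", user: ext.user, id: ext.id });
      continue;
    }
    // An approved extension that asks for more than it was approved with
    // needs re-review before the update is trusted.
    const known = baseline[ext.id] || { version: null, permissions: [] };
    const added = ext.permissions.filter((p) => !known.permissions.includes(p));
    if (added.length > 0) {
      findings.push({ type: "permissions-expanded", user: ext.user, id: ext.id,
        from: known.version, to: ext.version, added,
        sensitive: added.some((p) => SENSITIVE.has(p)) });
    }
  }
  return findings;
}
```
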

Identity is the prize, browser is the platform — and phishing is the weapon of choice

But the technique that is STILL driving the most impactful identity-driven breaches? It's phishing. Phishing for credentials, sessions, OAuth consent, authorization codes. Phishing via email, instant messenger, social media, malicious Google ads… it all happens in, or leads to, the browser.

All phishing roads lead to the browser, regardless of the delivery channel.

And modern phishing attacks are more effective than ever. Today, phishing operates on an industrial scale, using an array of obfuscation and detection evasion techniques to block email and network security tools from intercepting them. Probably the most common example today is the use of bot protection (think CAPTCHA or Cloudflare Turnstile), using legitimate anti-spam features to block security tools.

Cloudflare Turnstile is an easy way for security teams to prevent automated analysis — it should probably come with a trigger warning for incident responders.

The latest generation of fully customized AitM phishing kits are dynamically obfuscating the code that loads the web page, implementing custom CAPTCHA, and using runtime anti-analysis features, making them increasingly difficult to detect. The ways in which links are delivered have also increased in sophistication, with more delivery channels (as we showed above) and the use of legitimate SaaS services for camouflage.

And the latest trends indicate that attackers are responding to increasingly hardened IdP/SSO configuration by exploiting alternative phishing techniques that circumvent MFA and passkeys, most commonly by downgrading to a phishable backup authentication method — which you can see in action below, and read more about here.

Identities are the lowest-hanging fruit for attackers to aim for

The goal of the modern attacker, and the easiest way into your business's digital environment, is to compromise identities. Whether you're dealing with phishing attacks, malicious browser extensions, or infostealer malware, the objective remains the same — account takeover.

Organizations are dealing with a vast and vulnerable attack surface consisting of:

  • Hundreds of applications, with thousands of accounts spread across the app estate.
  • Accounts vulnerable to MFA-bypass phishing kits, because they're using a login method that is not phishing-resistant, or because the login method can be downgraded.
  • Accounts with a weak, reused, or breached password and no MFA at all (usually the result of a forgotten-about ghost login).
  • Routes that bypass the authentication process entirely to evade otherwise phishing-resistant authentication methods, by abusing features like API key creation, app-specific passwords, OAuth consent phishing, cross-IdP impersonation, and more.

A 1,000-user organization has over 15,000 accounts with various configurations and associated vulnerabilities.

A key driver of identity vulnerability is the huge variance in the configurability of accounts per application, with different levels of centralized visibility and security control of identities provided — for example, while one app might be locked down to only accept SSO logins via SAML and automatically remove any unused passwords, another provides no control or visibility of login method or MFA status (another big driver of the Snowflake breaches last year). Unfortunately, as a by-product of product-led growth and something that's compounded by every new SaaS startup that hits the market, this situation doesn't look like it will change anytime soon.

The end result is that identities are misconfigured, invisible to the security team, and routinely exploited by commodity attacker tooling. It's no surprise that they're the primary target for attackers today.

Ghost logins, AitM phishing, downgrade attacks, and app-level configuration issues are fuelling identity-based breaches.

The solution: The browser as a telemetry source and control point

Because identity attacks play out in the browser, it's the perfect place for security teams to observe, intercept, and shut down these attacks.

The browser has a number of advantages over the other places where identity can be observed and protected, because:

  • You're not limited to the apps and identities directly connected to your IdP (a fraction of your workforce identity sprawl).
  • You're not limited to the apps that you know about and manage centrally — you can observe every login that passes through the browser.
  • You can observe all the properties of a login, including the login method, MFA method, and so on. You'd otherwise need API access to maybe get this information (depending on whether an API is provided and whether this specific data can be interrogated, which is also not standard for many apps).
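
To show how per-login properties map onto the identity weaknesses listed earlier (ghost logins, missing MFA, phishable MFA, downgradable methods), here is an added example that is not Push's code or any product's logic. The record shape, the app and account names, and the rule that a password login coexisting with SSO counts as a ghost login are assumptions for illustration.

```javascript
// Added example: classify observed logins into identity findings.
// All records are constructed; field names and values are assumptions.
const observed = [
  { app: "crm", account: "ana@example.com", method: "sso", mfa: "webauthn", backup: [] },
  { app: "crm", account: "ana@example.com", method: "password", mfa: "none", backup: [] },
  { app: "wiki", account: "ben@example.com", method: "password", mfa: "totp", backup: [] },
  { app: "idp", account: "cy@example.com", method: "password", mfa: "passkey", backup: ["sms"] },
  { app: "hr", account: "dee@example.com", method: "sso", mfa: "webauthn", backup: [] },
];

// Factors bound to the site origin, so a proxying phishing page cannot replay them.
const PHISHING_RESISTANT = new Set(["passkey", "webauthn"]);

function auditLogins(observations) {
  // Group every login seen for the same account on the same app.
  const byAccount = new Map();
  for (const o of observations) {
    const key = `${o.app}|${o.account}`;
    if (!byAccount.has(key)) byAccount.set(key, []);
    byAccount.get(key).push(o);
  }
  const findings = [];
  for (const [key, logins] of byAccount) {
    const [app, account] = key.split("|");
    const hasSso = logins.some((l) => l.method === "sso");
    for (const l of logins) {
      const issues = [];
      // Assumed definition: a local password that still works beside SSO.
      if (l.method === "password" && hasSso) issues.push("ghost-login");
      if (l.mfa === "none") issues.push("no-mfa");
      else if (!PHISHING_RESISTANT.has(l.mfa)) issues.push("phishable-mfa");
      // Strong primary factor, but a weaker backup can be selected instead.
      if (PHISHING_RESISTANT.has(l.mfa) &&
          (l.backup || []).some((b) => !PHISHING_RESISTANT.has(b))) {
        issues.push("downgradable");
      }
      if (issues.length > 0) findings.push({ app, account, method: l.method, issues });
    }
  }
  return findings;
}
```
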

It's obvious from all that we've covered so far that fixing every identity vulnerability is an ominous task — the SaaS ecosystem itself is working against you. This is why detecting and responding to identity attacks is essential. Because identity compromise almost always involves phishing or social engineering a user to perform an action in their browser (with some exceptions — like the Scattered Spider-related help desk attacks seen recently), it's also the perfect place to monitor for and intercept attacks.

In the browser, you gather deep, contextualized information about page behavior and user inputs that can be used to detect and shut down risky scenarios in real time. Take the example of phishing pages. Because Push operates in the browser, it sees everything:

  • The page layout
  • Where the user came from
  • The password they enter (as a salted, abbreviated hash)
  • What scripts are running
  • And where credentials are being sent

Being in the browser gives you unrivalled visibility of phishing page activity and user behavior.

Conclusion

Identity attacks are the biggest unsolved problem facing security teams today and the leading cause of security breaches. At the same time, the browser presents security teams with all the tools they need to prevent, detect, and respond to identity-based attacks — proactively by finding and fixing identity vulnerabilities, and reactively by detecting and blocking attacks against users in real time.

Organizations need to move past the old ways of doing identity security — relying on MFA attestations, identity management dashboards, and legacy email and network anti-phishing tools. And there's no better place to stop these attacks than in the browser.

Find out more

Push Security's browser-based security platform provides comprehensive detection and response capabilities against the leading cause of breaches. Push blocks identity attacks like AitM phishing, credential stuffing, password spraying and session hijacking using stolen session tokens. You can also use Push to find and fix identity vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, risky OAuth integrations, and more.

If you want to learn more about how Push helps you to detect and stop attacks in the browser, book some time with one of our team for a live demo.

This article is a contributed piece from one of our valued partners.
