
How the Browser Became the Main Cyber Battleground



Until recently, the attacker methodology behind the largest breaches of the last decade or so has been fairly constant:

  • Compromise an endpoint via a software exploit, or by socially engineering a user into running malware on their device;
  • Find ways to move laterally inside the network and compromise privileged identities;
  • Repeat as needed until you can execute your desired attack, usually stealing data from file shares, deploying ransomware, or both.

But attacks have fundamentally changed as networks have evolved. With the SaaS-ification of enterprise IT, core business systems are no longer locally deployed and centrally managed the way they used to be. Instead, they are logged into over the internet and accessed via a web browser.

Attacks have shifted from targeting local networks to SaaS services, accessed via employee web browsers.

Under the shared responsibility model, the part that is left to the business consuming a SaaS service is usually limited to how they manage identities, the vehicle by which the app is accessed and used by the workforce. It is no surprise that this has become the soft underbelly in the crosshairs of attackers.

We have seen this again and again in the biggest breaches of recent years, with the highlights including the massive Snowflake campaign in 2024 and the 2025 crime wave attributed to Scattered Spider.

These attacks are so successful because, while attackers have moved with the changes to enterprise IT, security hasn't really kept up.

The browser is the new battleground, and a security blind spot

Taking over workforce identities is the primary goal for attackers looking to target an organization, and the browser is where the attacks against users happen. This is because it is where these digital identities are created and used, and where their credentials and sessions live. That is what the attacker wants to get their hands on.

Stolen credentials can be used as part of targeted attacks or in broader credential stuffing (cycling known username and password pairs against numerous apps and platforms), while stolen session tokens can be used to log directly into an active session, bypassing the authentication process.

There are a few different techniques that attackers can use to get access to these identities. Attackers harvest stolen credentials from various places: data breach dumps, mass credential phishing campaigns, infostealer logs, even malicious browser extensions that they have tricked an employee into installing. In fact, the cybercrime ecosystem itself has shifted on its axis to cater to this, with hackers specifically taking on the role of harvesting credentials and establishing account access for others to exploit.

The high-profile Snowflake breaches in 2024 signalled a watershed moment in the shift to identity-driven breaches, where attackers logged into accounts across hundreds of customer tenants using stolen credentials. One of the main sources of the stolen credentials used in the attacks was infostealer logs dating back to 2020: breached passwords that hadn't been rotated or mitigated with MFA.

Infostealers are notable because they are an endpoint malware attack designed to harvest credentials and session tokens (primarily from the browser) to enable the attacker to then log into those services... via their own web browser. So even today's endpoint attacks see the attacker pivot back into the browser in order to get to identities, the key to the web apps and services where exploitable data and functionality now reside.

Attacks in the browser vs. on the browser

There is an important distinction to be made between attacks that happen in the browser and those that happen against the browser itself.

There is growing consensus that the browser is the new endpoint. But the analogy isn't perfect: the reality is that web browsers have a relatively limited attack surface compared to the complexity of the traditional endpoint, and comparing something like Google Chrome with a Windows OS is not a realistic like-for-like comparison.

Attacks that target the browser itself as a mechanism to compromise identities are few and far between. One of the more obvious vectors is malicious browser extensions, meaning scenarios in which a user has either:

  • Been lured into installing an already malicious extension, or
  • Is using a browser extension that is later compromised by an attacker

But the problem of malicious extensions is something you solve once and then move on from. The reality is that users shouldn't be installing random browser extensions, and given the opportunity, you should:

  • Lock down your environment to allow only a handful of essential extensions.
  • Monitor for signs that an extension you trust has been compromised.

This doesn't apply in an environment where you give users full access to install whatever extensions they choose. But if the browser is the new endpoint, that is a bit like all of your users being local admins: you are asking for trouble. Locking down extensions in your organization is something that can be achieved using native tools if you are, for example, a Chrome Enterprise customer. Audit your users once, approve only what's needed, and require additional approval to install new extensions.
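The two controls above, an allowlist enforced by browser policy and ongoing monitoring of the extensions you did approve, can be expressed concretely. The following is an added example written for this article, not Push Security's code or a Chrome Enterprise tool: it builds the Chrome policy values that block every extension except an approved set (ExtensionInstallBlocklist and ExtensionInstallAllowlist are the real policy names; the allowlist takes precedence over the blocklist), then audits an installed-extension inventory against the reviewed baseline. The extension ids, names, versions, permissions and inventory are constructed placeholders.

```javascript
// Added example, not Push Security's code. Extension ids, names, versions and
// permissions below are constructed placeholders (Chrome ids are 32 letters a-p).

// Reviewed baseline: extension id -> the version and permissions approved at review time.
const APPROVED_EXTENSIONS = {
  abcdefghijklmnopabcdefghijklmnop: {
    name: "Corp Password Manager", version: "4.2.0", permissions: ["storage", "tabs"],
  },
  ponmlkjihgfedcbaponmlkjihgfedcba: {
    name: "Corp Link Scanner", version: "1.9.1", permissions: ["webRequest"],
  },
};

// Chrome Enterprise policy values that block every extension ("*") except the
// approved ids. The allowlist overrides the blocklist, so only these ids install.
function buildChromePolicy(approved) {
  return {
    ExtensionInstallBlocklist: ["*"],
    ExtensionInstallAllowlist: Object.keys(approved),
  };
}

// Audit an installed-extension inventory (for example, exported from browser
// management reporting) against the baseline. A version bump combined with new
// permissions on a trusted extension is the pattern to investigate: it is what
// a hijacked extension update looks like from the endpoint.
function auditExtensions(inventory, approved) {
  const findings = [];
  for (const ext of inventory) {
    const base = approved[ext.id];
    if (!base) {
      findings.push({ id: ext.id, name: ext.name, finding: "not_approved" });
      continue;
    }
    const added = ext.permissions.filter((p) => !base.permissions.includes(p));
    if (added.length > 0) {
      findings.push({ id: ext.id, name: base.name, finding: "new_permissions", detail: added.join(",") });
    }
    if (ext.version !== base.version) {
      findings.push({ id: ext.id, name: base.name, finding: "version_changed", detail: `${base.version} -> ${ext.version}` });
    }
  }
  return findings;
}

// Constructed inventory: one unchanged, one that drifted (new version and new
// permissions), one that was never approved.
const SAMPLE_INVENTORY = [
  { id: "abcdefghijklmnopabcdefghijklmnop", name: "Corp Password Manager", version: "4.2.0", permissions: ["storage", "tabs"] },
  { id: "ponmlkjihgfedcbaponmlkjihgfedcba", name: "Corp Link Scanner", version: "2.0.0", permissions: ["webRequest", "cookies", "<all_urls>"] },
  { id: "pppppppppppppppppppppppppppppppp", name: "Free Coupon Finder", version: "0.1.3", permissions: ["<all_urls>", "cookies"] },
];

console.log(JSON.stringify(buildChromePolicy(APPROVED_EXTENSIONS), null, 2));
console.table(auditExtensions(SAMPLE_INVENTORY, APPROVED_EXTENSIONS));
```

Run with `node` to print the policy object and the three findings. Comparing against the version and permission set recorded at review time, rather than only against the id, is what catches the second scenario in the list above: an extension that was legitimate when approved and was compromised later.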

Identity is the prize, the browser is the platform, and phishing is the weapon of choice

But the technique that is STILL driving the most impactful identity-driven breaches? It's phishing. Phishing for credentials, sessions, OAuth consent, authorization codes. Phishing via email, instant messenger, social media, malicious Google ads... all of it happens in, or leads to, the browser.

All phishing roads lead to the browser, regardless of the delivery channel.

And modern phishing attacks are more effective than ever. Today, phishing operates on an industrial scale, using an array of obfuscation and detection evasion techniques to prevent email and network security tools from intercepting it. Probably the most common example today is the use of bot protection (think CAPTCHA or Cloudflare Turnstile), turning legitimate anti-spam features into a way of blocking security tools.

Cloudflare Turnstile is a simple way to prevent automated analysis; it should probably come with a trigger warning for incident responders.

The latest generation of fully customized AitM phishing kits dynamically obfuscate the code that loads the web page, implement custom CAPTCHAs, and use runtime anti-analysis features, making them increasingly difficult to detect. The ways in which links are delivered have also grown in sophistication, with more delivery channels (as noted above) and the use of legitimate SaaS services for camouflage.

And the latest trends indicate that attackers are responding to increasingly hardened IdP/SSO configurations by exploiting alternative phishing techniques that circumvent MFA and passkeys, most commonly by downgrading to a phishable backup authentication method.

Identities are the lowest-hanging fruit for attackers to aim for

The goal of the modern attacker, and the easiest way into your business's digital environment, is to compromise identities. Whether you are dealing with phishing attacks, malicious browser extensions, or infostealer malware, the objective remains the same: account takeover.

Organizations are dealing with a vast and vulnerable attack surface: a 1,000-user organization has over 15,000 accounts with various configurations and associated vulnerabilities.

A key driver of identity vulnerability is the huge variance in the configurability of accounts per application, with different levels of centralized visibility and security control over identities provided. For example, while one app can be locked down to accept only SSO logins via SAML and automatically remove any unused passwords, another provides no control or visibility over login method or MFA status (another big driver of the Snowflake breaches last year). Unfortunately, as a by-product of product-led growth, and something that is compounded by every new SaaS startup that hits the market, this situation does not look like it will change anytime soon.

The end result is that identities are misconfigured, invisible to the security team, and routinely exploited by commodity attacker tooling. It is no surprise that they are the primary target for attackers today.

Ghost logins, AitM phishing, downgrade attacks, and app-level configuration issues are fuelling identity-based breaches.

The solution: the browser as a telemetry source and control point

Because identity attacks play out in the browser, it is the ideal place for security teams to monitor, intercept, and shut down these attacks.

The browser has several advantages over the other places where identity can be observed and protected, because:

  • You are not limited to the apps and identities directly connected to your IdP (a fraction of your workforce identity sprawl).
  • You are not limited to the apps that you know about and manage centrally; you can observe every login that passes through the browser.
  • You can observe all the properties of a login, including the login method, MFA method, and so on. You would otherwise need API access to maybe get this information (depending on whether an API is provided and whether this specific data can be queried, which is also not standard for many apps).

It is obvious from everything we have covered so far that fixing every identity vulnerability is a daunting task; the SaaS ecosystem itself is working against you. This is why detecting and responding to identity attacks is essential. Because identity compromise almost always involves phishing or socially engineering a user into performing an action in their browser (with some exceptions, like the Scattered Spider-related help desk attacks seen recently), it is also the ideal place to monitor for and intercept attacks.

In the browser, you gather deep, contextualized information about page behaviour and user inputs that can be used to detect and shut down risky scenarios in real time. Take the example of phishing pages. Because Push operates in the browser, it sees everything:

  • The page layout
  • Where the user came from
  • The password they enter (as a salted, abbreviated hash)
  • What scripts are running
  • Where credentials are being sent

Being in the browser gives you unrivalled visibility of phishing page activity and user behaviour.
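The login properties listed above (which app, which login method, which MFA factor) are exactly the inputs needed to catch the two patterns this article singles out: the downgrade to a phishable backup factor described in the phishing section, and the "ghost login" where a password is used on an app that is supposed to be SSO-only. The following is an added example, not Push Security's code: it takes a batch of login events as a browser-side sensor might record them and emits one alert per problem. The users, apps, timestamps and factor names are constructed; the field names and the ranking of factors are assumptions of this example.

```javascript
// Added example, not Push Security's code. Events, users, apps and factor names
// are constructed; field names are assumptions of this example.

// Relative strength of the second factor actually completed during the login.
const FACTOR_RANK = { none: 0, sms: 1, email: 1, totp: 2, push: 2, passkey: 3 };

function detectIdentityRisks(events) {
  const alerts = [];
  // Apps where an SSO login was observed anywhere in the window: a password
  // login to one of these is a "ghost login" that bypasses the IdP entirely.
  const ssoApps = new Set(events.filter((e) => e.method === "sso").map((e) => e.app));
  // Strongest factor seen so far per user/app pair: { rank, factor }.
  const strongest = new Map();

  const ordered = [...events].sort((a, b) => a.ts.localeCompare(b.ts));
  for (const e of ordered) {
    const key = `${e.user}|${e.app}`;
    const rank = FACTOR_RANK[e.factor] ?? 0;
    const prev = strongest.get(key);
    const base = { ts: e.ts, user: e.user, app: e.app };

    if (prev && rank < prev.rank) {
      // The user has completed a stronger factor here before; a weaker one now
      // is the downgrade pattern used to get around passkeys and app-based MFA.
      alerts.push({ ...base, type: "mfa_downgrade", detail: `${prev.factor} -> ${e.factor}` });
    }
    if (e.method === "password" && ssoApps.has(e.app)) {
      alerts.push({ ...base, type: "ghost_login", detail: "password login to SSO-managed app" });
    }
    if (e.method === "password" && rank === 0) {
      alerts.push({ ...base, type: "no_mfa", detail: "password-only login" });
    }
    if (!prev || rank > prev.rank) strongest.set(key, { rank, factor: e.factor });
  }
  return alerts;
}

// Constructed events, deliberately out of order to show the sort matters.
const SAMPLE_EVENTS = [
  { ts: "2025-06-01T09:00:00Z", user: "alice@example.com", app: "crm.example.com", method: "sso", factor: "passkey" },
  { ts: "2025-06-03T14:12:00Z", user: "alice@example.com", app: "crm.example.com", method: "password", factor: "sms" },
  { ts: "2025-06-02T08:30:00Z", user: "bob@example.com", app: "wiki.example.com", method: "password", factor: "none" },
  { ts: "2025-06-04T10:05:00Z", user: "bob@example.com", app: "wiki.example.com", method: "password", factor: "none" },
];

console.table(detectIdentityRisks(SAMPLE_EVENTS));
```

On the sample data alice's second login produces two alerts (a passkey-to-SMS downgrade and a password login to an app she normally reaches through SSO) and each of bob's logins produces a no-MFA alert. The downgrade rule keys on the strongest factor the same user has completed for the same app, so a user who has only ever used SMS is not flagged; the point is a change in behaviour, not a weak factor in isolation.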

Conclusion

Identity attacks are the biggest unsolved problem facing security teams today and the leading cause of security breaches. At the same time, the browser presents security teams with all the tools they need to prevent, detect, and respond to identity-based attacks: proactively, by finding and fixing identity vulnerabilities, and reactively, by detecting and blocking attacks against users in real time.

Organizations need to move past the old ways of doing identity security: relying on MFA attestations, identity management dashboards, and legacy email and network anti-phishing tools. And there is no better place to stop these attacks than in the browser.

Find out more

Push Security's browser-based security platform provides comprehensive detection and response capabilities against the leading cause of breaches. Push blocks identity attacks like AitM phishing, credential stuffing, password spraying and session hijacking using stolen session tokens. You can also use Push to find and fix identity vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, weak passwords, risky OAuth integrations, and more.

If you want to learn more about how Push helps you detect and stop attacks in the browser, book some time with one of our team for a live demo.
