How the browser became the main cyber battleground

By user | July 29, 2025 | 10 Mins Read

Until recently, the attacker methodology behind the biggest breaches of the past decade or so has been fairly consistent:

  • Compromise an endpoint via a software exploit, or by social engineering a user into running malware on their device.
  • Find ways to move laterally within the network and compromise privileged identities.
  • Repeat as needed until you can carry out the desired attack, usually stealing data from file shares, deploying ransomware, or both.

However, attacks have changed fundamentally as networks have evolved. With the SaaS-ification of enterprise IT, core business systems are no longer deployed locally and centrally managed as they once were. Instead, they are logged into over the internet and accessed through a web browser.

Attacks have moved from targeting local networks to targeting SaaS services accessed through employees' web browsers.

Under the shared responsibility model, the part left to a business consuming a SaaS service is largely limited to how it manages identities, that is, how the workforce accesses and uses the app. It's no surprise that this has become the soft underbelly in attackers' crosshairs.

We have seen this time and again in the biggest breaches of recent years, including the massive Snowflake campaign of 2024 and the 2025 crime wave attributed to Scattered Spider.

These attacks have been extremely successful because attackers have moved with the changes to enterprise IT, while security has not really kept up.

The browser is the new battleground, and a security blind spot

Taking over workforce identities is the first objective for attackers targeting an organization, and the browser is where attacks against users take place. This is because the browser is where these digital identities are created and used, and where their credentials and sessions live. That is what the attacker wants to get hold of.

Stolen credentials can be used in targeted attacks or in broader credential stuffing (cycling known username and password pairs against various apps and platforms), while stolen session tokens can be used to log in directly to an active session, bypassing the authentication process.

There are several different techniques that attackers can use to get access to these identities. Attackers harvest stolen credentials from various sources, including data breach dumps, mass credential phishing campaigns, infostealer logs, and even malicious browser extensions. In fact, the cybercrime ecosystem itself has shifted in response, with some hackers specializing in harvesting credentials and establishing account access for others to exploit.

The high-profile Snowflake breaches of 2024 marked a watershed moment in the shift towards identity-driven breaches. There, attackers used stolen credentials to log in to hundreds of customer tenants. One of the main sources of the stolen credentials used in the attacks was infostealer logs dating back to 2020: compromised passwords that had not been rotated or mitigated with MFA.

Infostealers are noteworthy because they are endpoint malware designed to harvest credentials and session tokens (mainly from the browser), so that the attacker can then log in to those services through their own web browser. So even today's endpoint attacks see the attacker pivoting back to the browser to get to identities, which are the keys to the online apps and services where the exploitable data and functionality now reside.

Attacks in the browser vs. attacks on the browser

There is an important distinction between attacks that occur in the browser and attacks that occur against the browser itself.

There is a growing consensus that the browser is the new endpoint. But the analogy is not perfect. The reality is that web browsers have a relatively limited attack surface compared to the complexity of a traditional endpoint. Comparing something like Google Chrome with a Windows OS seems like a far-fetched idea.

Attacks that target the browser itself as a mechanism to compromise identities are few and far between. One of the more obvious vectors is the use of malicious browser extensions, that is, scenarios where a user has:

  • Been lured into installing an extension that is already malicious, or
  • Installed a browser extension that is later compromised by an attacker

However, the malicious extension problem is something you can fix once and then move on. The reality is that users should not be installing random browser extensions, and given the risk, you should:

  • Lock down your environment to allow only a handful of essential extensions.
  • Monitor for indicators that an extension you trust has been compromised.

This does not hold in environments where users have full access to install any extension they choose. But if the browser is the new endpoint, that is a bit like making every user a local admin: you are asking for trouble. Locking down extensions within your organization can be achieved with native tools, for example if you are a Chrome Enterprise customer. Audit your users once, approve only what is needed, and require further approval to install new extensions.
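The audit-then-allowlist approach described above, as an added example (not from the original article or any vendor's tooling): it finds unapproved extensions in an inventory, flags an approved extension whose newer version requests more permissions, and builds a default-deny value for Chrome's `ExtensionSettings` policy. The extension IDs, inventory rows and function names are constructed for illustration.

```python
import json

# Constructed placeholder IDs (real Chrome extension IDs are 32 letters a-p).
PASSWORD_MGR, SCREENSHOT, COUPONS = "a" * 32, "b" * 32, "c" * 32
ALLOWLIST = {PASSWORD_MGR, SCREENSHOT}

# Constructed inventory rows: (user, extension_id, version, permissions).
INVENTORY = [
    ("alice", PASSWORD_MGR, "3.1.0", {"storage", "activeTab"}),
    ("bob", COUPONS, "0.9.2", {"<all_urls>", "cookies", "webRequest"}),
    ("carol", SCREENSHOT, "2.0.0", {"activeTab"}),
    ("dave", SCREENSHOT, "2.1.0", {"activeTab", "cookies", "<all_urls>"}),
]


def unapproved(inventory, allowlist):
    """Map each non-allowlisted extension ID to the users who installed it."""
    found = {}
    for user, ext_id, _version, _perms in inventory:
        if ext_id not in allowlist:
            found.setdefault(ext_id, set()).add(user)
    return found


def permission_growth(inventory, allowlist):
    """Allowlisted extensions whose newest seen version adds permissions."""
    versions = {}
    for _user, ext_id, version, perms in inventory:
        if ext_id in allowlist:
            versions.setdefault(ext_id, {})[version] = set(perms)
    alerts = {}
    for ext_id, seen in versions.items():
        ordered = sorted(seen, key=lambda v: tuple(int(p) for p in v.split(".")))
        added = seen[ordered[-1]] - seen[ordered[0]]
        if added:
            alerts[ext_id] = added
    return alerts


def extension_settings_policy(allowlist):
    """Chrome ExtensionSettings value: block by default, allow listed IDs."""
    policy = {"*": {"installation_mode": "blocked"}}
    for ext_id in sorted(allowlist):
        policy[ext_id] = {"installation_mode": "allowed"}
    return {"ExtensionSettings": policy}


if __name__ == "__main__":
    print(unapproved(INVENTORY, ALLOWLIST), permission_growth(INVENTORY, ALLOWLIST))
    print(json.dumps(extension_settings_policy(ALLOWLIST), indent=2))
```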

Identity is the prize, the browser is the platform, and phishing is the weapon of choice

But the technique still driving the most impactful identity-driven breaches? It's phishing. Phishing for credentials, sessions, OAuth consent, authorization codes. Phishing via email, instant messenger, social media, malicious Google ads... it all happens in, or leads to, the browser.

All phishing roads lead to the browser, regardless of the delivery channel.

And modern phishing attacks are more effective than ever. Today, phishing operates on an industrial scale, using an array of obfuscation and detection-evasion techniques to stop email and network security tools from intercepting it. Perhaps the most common example today is the use of bot protection (think CAPTCHA or Cloudflare Turnstile), which turns legitimate anti-spam features against security tools.

Cloudflare Turnstile is a simple way to block security teams' automated analysis. It should probably come with a trigger warning for incident responders.

The latest generation of fully customized AiTM phishing kits dynamically obfuscates the code that loads the web page, implements custom CAPTCHAs, and uses runtime anti-analysis features, making detection increasingly difficult. Link delivery has also become more sophisticated, with more delivery channels (as mentioned above) and the use of legitimate SaaS services for camouflage.

The latest trends also show attackers responding to increasingly hardened IdP/SSO configurations by leveraging alternative phishing techniques that get around MFA and passkeys.

Identity is the lowest-hanging fruit for attackers to aim for

The goal of the modern attacker, and the easiest way into a digital business environment, is to compromise identities. Whether you are dealing with phishing attacks, malicious browser extensions, or infostealer malware, the objective remains the same: account takeover.

Organizations are dealing with a vast and vulnerable attack surface consisting of:

  • Hundreds of applications, with thousands of accounts spread across the app estate.
  • Accounts that are vulnerable to MFA-bypass phishing kits, either because they use login methods that are not phishing-resistant or because their login method can be downgraded.
  • Accounts with a weak, reused or breached password and no MFA at all (usually the result of forgotten ghost logins).
  • The ability to bypass the authentication process entirely, and so sidestep phishing-resistant authentication methods, by abusing features such as API key creation, app-specific passwords, OAuth consent phishing, cross-IdP spoofing, and more.

A 1,000-user organization has over 15,000 accounts with various configurations and associated vulnerabilities.

A key driver of identity vulnerabilities is the wide variation in how configurable accounts are from one application to the next. For example, one app may be locked down to accept only SSO logins and automatically remove unused passwords, while another gives no visibility of login method or MFA status. Unfortunately, this situation is unlikely to change anytime soon, as it is a byproduct of product-led growth and is made worse by every new SaaS startup hitting the market.

The end result is that identities are misconfigured, invisible to security teams, and routinely exploited by commodity attacker tooling. It's no surprise that they are the primary target of today's attackers.

Ghost logins, AiTM phishing, downgrade attacks, and app-level configuration issues drive identity-based breaches.

The solution: the browser as a telemetry source and control point

Identity attacks occur in the browser, making it the perfect place for security teams to observe, intercept and shut down these attacks.

The browser has many advantages over the other places where identity can be observed and protected:

  • It is not limited to the apps and identities directly connected to your IdP (a fraction of your workforce's identity sprawl).
  • It is not limited to the apps you know about and manage centrally. You can observe every login that passes through the browser.
  • You can observe all the properties of a login, including the login method, MFA method, and more. Otherwise, you would need API access to retrieve this information (depending on whether an API is provided and whether this particular data can be queried, which is not standard for many apps).
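An added example (not from the original article or from Push) of what can be derived from login properties observed in the browser: it groups observed logins by account and flags ghost logins, missing MFA, and MFA that is not phishing-resistant. The event fields, app names and finding labels are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed login events as a browser agent might record them:
# (user, app, method, mfa); mfa is None when no second factor was seen.
EVENTS = [
    ("alice", "crm.example", "sso", "webauthn"),
    ("alice", "crm.example", "password", None),   # old local login still works
    ("bob", "wiki.example", "password", "totp"),
    ("carol", "files.example", "password", None),
    ("carol", "crm.example", "sso", "webauthn"),
]

PHISHING_RESISTANT = {"webauthn"}  # assumed label for passkey/FIDO2 factors


def assess(events):
    """Return {(user, app): sorted findings} for accounts with issues."""
    methods = defaultdict(set)   # (user, app) -> login methods observed
    factors = defaultdict(set)   # (user, app) -> MFA seen on password logins
    for user, app, method, mfa in events:
        methods[(user, app)].add(method)
        if method == "password":
            factors[(user, app)].add(mfa)
    findings = {}
    for account, seen in methods.items():
        issues = set()
        if "password" in seen:
            if "sso" in seen:
                issues.add("ghost_login")      # password path left beside SSO
            if None in factors[account]:
                issues.add("no_mfa")
            elif not factors[account] <= PHISHING_RESISTANT:
                issues.add("phishable_mfa")    # e.g. TOTP can be relayed by AiTM
        if issues:
            findings[account] = sorted(issues)
    return findings


if __name__ == "__main__":
    for account, issues in assess(EVENTS).items():
        print(account, issues)
```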

By now it is clear that fixing every identity vulnerability is a daunting task, and the SaaS ecosystem itself works against you. This is why detecting and responding to identity attacks is essential. Because identity compromise almost always involves phishing or social engineering a user into performing an action in their browser (with a few exceptions, such as the Scattered Spider-style help desk attacks seen recently), the browser is also a great place to monitor for and intercept attacks.

In the browser, you can gather deep, contextualized information about page behavior and user input that can be used to detect and shut down dangerous scenarios in real time. Take a phishing page as an example. Because Push operates in the browser, it can see everything, including:

  • The scripts running on the page
  • Where credentials are being sent
  • The password entered by the user (as a salted, truncated hash)

Being in a browser gives you unparalleled visibility into phishing page activity and user behavior.
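An added sketch of why a salted, truncated hash is a useful form for an observed password; it is not Push's implementation, and how the fingerprint is used here is an assumption: the agent keeps only fingerprints of passwords entered on known origins and flags a match on any other origin. The origins, password, salt and 4-byte truncation are constructed.

```python
import hashlib
import hmac
import os

FINGERPRINT_BYTES = 4  # assumed truncation length for this example


def fingerprint(password, salt):
    """Salted, truncated hash: enough to recognise a password on re-entry,
    while many candidate passwords share any one fingerprint."""
    digest = hmac.new(salt, password.encode("utf-8"), hashlib.sha256).digest()
    return digest[:FINGERPRINT_BYTES]


class PasswordWatch:
    """Remembers fingerprints of passwords per origin, never the passwords."""

    def __init__(self, salt=None):
        self.salt = salt or os.urandom(16)  # secret, generated per install
        self.known = {}                     # fingerprint -> origins seen

    def enroll(self, origin, password):
        self.known.setdefault(fingerprint(password, self.salt), set()).add(origin)

    def check(self, origin, password):
        """Classify a password entry observed on `origin`."""
        origins = self.known.get(fingerprint(password, self.salt))
        if origins is None:
            return "unknown_password"
        if origin in origins:
            return "expected_origin"
        return "known_password_on_other_origin"  # reuse or possible phishing


def demo():
    # Constructed origins and password.
    watch = PasswordWatch(salt=b"constructed-salt")
    watch.enroll("https://sso.example.com", "correct horse battery")
    return [
        watch.check("https://sso.example.com", "correct horse battery"),
        watch.check("https://sso-example.login.test", "correct horse battery"),
        watch.check("https://sso-example.login.test", "something else"),
    ]


if __name__ == "__main__":
    print(demo())
```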

Conclusion

Identity attacks are the biggest unsolved problem facing security teams today and the leading cause of security breaches. At the same time, the browser presents security teams with all the tools they need to prevent, detect, and respond to identity-based attacks: by finding and fixing identity vulnerabilities, and by detecting and blocking attacks against users in real time.

Organizations need to move past the old ways of doing identity security, which rely on MFA proofs, identity management dashboards, and legacy email and network anti-phishing tools. And there is no better place to stop these attacks than the browser.

Find out more

Push Security's browser-based security platform provides comprehensive detection and response capabilities against the leading cause of breaches. Push blocks identity attacks such as AiTM phishing, credential stuffing, password spraying, and session hijacking using stolen session tokens. Push can also be used to find and fix identity vulnerabilities across the apps employees use, such as ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, and risky OAuth integrations.

If you'd like to learn more about how Push can help you detect and stop attacks in the browser, book some time with one of our team for a live demo.

This article is a contributed piece from one of our valued partners.
