
As SaaS and cloud-native work reshape the enterprise, the web browser has emerged as the new endpoint. Unlike other endpoints, however, the browser is barely monitored, despite being responsible for over 70% of the latest malware attacks.
Keep Aware's recent browser security report highlights the major concerns security leaders face as employees do most of their work in the web browser. In reality, traditional security tools are blind to what happens within the browser, and attackers know it.
Important findings:
- 70% of phishing campaigns impersonate Microsoft, OneDrive, or Office 365 to leverage user trust.
- Over 150 trusted platforms, such as Google Docs and Dropbox, have been abused to host phishing and exfiltrate data.
- 10% of AI prompts contain sensitive business content, posing risk across thousands of browser-based AI tools.
- 34% of file uploads on company devices go to personal accounts, often undetected.
New attack patterns bypass traditional defenses
From phishing kits that morph in real time to JavaScript-based credential theft, attackers are bypassing firewalls, SWGs, and even EDRs. Here's how:
Malware reassembly in your browser
Threats are delivered as fragments that become active only when assembled within the browser, making them invisible to network or endpoint tools.
Multi-Step Phishing
Phishing pages dynamically serve different content depending on who is viewing them. Users see the scam; scanners see nothing. Microsoft remains the most spoofed target.
Living off trusted platforms
Attackers hide behind URLs from reputable SaaS platforms. Security tools allow these by default, giving the adversary a clear path in.
The security stack must evolve to detect, analyze, and respond to threats where they actually occur: in the browser. Relying solely on perimeter-based defenses such as SWGs and network security tools is no longer sufficient.
AI: The next great (unmonitored) security risk
With 75% of employees using generative AI, most companies don't know what data is being pasted into models like ChatGPT, or what third-party browser extensions are doing in the background. Unlike traditional apps, AI tools do not have defined security perimeters.
IT and security teams often respond reactively to AI adoption rather than proactively managing it. Traditional policy-based approaches have struggled with AI adoption:
- AI applications are being created rapidly, making static allow/deny lists ineffective.
- Employees often switch between personal and business use of AI, further blurring enforcement.
- Many AI models are embedded within other platforms, making detection and control even more difficult.
The result is inconsistent governance, with security teams facing the challenge of defining and enforcing policies in an environment that does not have clear usage boundaries.
With AI regulations becoming more stringent, visibility and control over AI adoption is essential and no longer optional. Organizations should track usage, detect risks, and flag sensitive data exposures before compliance pressures increase. Proactive monitoring today will lay the foundation for AI governance tomorrow.
DLP can’t keep up with browsers
Legacy data loss prevention (DLP) systems were designed for email and endpoints, not for today's browser-heavy workflows. While browsers have become the main channel of data movement, traditional DLP solutions can only see where network traffic is sent, rather than the actual destination application that processes the data.
Modern data exfiltration risks include:
- Copying customer data into AI assistants
- Pasting API keys into browser-based tools
- Uploading documents to personal accounts
Even well-intentioned employees can unintentionally leak IP when switching between work and personal accounts. Legacy tools cannot detect this.
With more data than ever moving through the browser, DLP needs to evolve to recognize application context, user actions, and business intent. A unified browser-based DLP model allows security teams to enforce consistent data protection policies across all destinations, while controlling high-risk actions.
The extension problem no one is watching
Despite minimal technological advancements over the years, browser extensions have unprecedented access to sensitive organizational data and user identity. While security teams strictly control software updates, patches, and endpoint security policies, extensions remain an attack surface that is often overlooked by traditional security frameworks. In a study of user data, the Keep Aware team found:
- 46% of extensions serve productivity use cases.
- 20% fall into lifestyle categories, such as shopping and social plugins.
- 10% are classified as high or serious risk due to excessive permissions.
Permissions that allow full-page access, session tracking, or network interception are still too common, even for extensions downloaded from trusted marketplaces.
As extensions continue to act as both a productivity tool and a security liability, businesses need to implement a stronger review process, visibility management, and proactive defense to protect their browsers from within.
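One way to triage extensions by the three permission classes named above, as an added example that is not code from the report or from Keep Aware. The mapping of manifest permissions to "full-page access", "session tracking" and "network intercept", the risk tiers, and the sample manifests are all assumptions made for illustration.

```javascript
// Added example: the permission-to-capability mapping and risk tiers are assumptions.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const CAPABILITY = new Map([
  ["cookies", "session tracking"],
  ["tabs", "session tracking"],
  ["history", "session tracking"],
  ["webRequest", "network intercept"],
  ["webRequestBlocking", "network intercept"],
  ["declarativeNetRequest", "network intercept"],
  ["proxy", "network intercept"],
]);

// Manifest V2 mixes host patterns into "permissions"; V3 splits them out.
const isHostPattern = (p) => p === "<all_urls>" || p.includes("://");

function auditManifest(manifest) {
  const declared = [
    ...(manifest.permissions || []),
    ...(manifest.optional_permissions || []),
    ...(manifest.host_permissions || []),
    ...(manifest.optional_host_permissions || []),
  ].filter((p) => typeof p === "string");
  // Content scripts run inside matching pages even without host permissions.
  const scriptHosts = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  const caps = new Set();
  const hosts = [...declared.filter(isHostPattern), ...scriptHosts];
  if (hosts.some((h) => BROAD_HOSTS.has(h))) caps.add("full-page access");
  for (const p of declared) {
    if (CAPABILITY.has(p)) caps.add(CAPABILITY.get(p));
  }
  // Assumed tiers: broad page access combined with another capability is high.
  const risk = caps.has("full-page access") && caps.size > 1 ? "high"
    : caps.size > 0 ? "medium" : "low";
  return { name: manifest.name, capabilities: [...caps].sort(), risk };
}

// Constructed sample manifests (not real extensions).
const SAMPLES = [
  { name: "Tab Notes", manifest_version: 3, permissions: ["storage", "activeTab"] },
  { name: "Coupon Helper", manifest_version: 3,
    permissions: ["storage", "cookies", "webRequest"], host_permissions: ["<all_urls>"] },
  { name: "Legacy Clipper", manifest_version: 2, permissions: ["tabs", "https://example.com/*"] },
  { name: "Page Themer", manifest_version: 3, permissions: ["storage"],
    content_scripts: [{ matches: ["*://*/*"], js: ["theme.js"] }] },
];

const REPORT = SAMPLES.map(auditManifest);
for (const r of REPORT) console.log(`${r.risk.padEnd(6)} ${r.name}: ${r.capabilities.join(", ")}`);
```

Run it against the `manifest.json` of each installed extension to get a first-pass review queue; a "high" result is a prompt for manual review, not a verdict.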
Shadow IT lives in the browser
Shadow IT is no longer just about the occasional use of unauthorized applications. It has become a major challenge for enterprise security. Employees regularly adopt SaaS applications, personal file sharing services, and third-party AI tools without oversight, often integrating them with real business data and daily work.
Employees with different job functions interact with multiple organizational instances of the same application on a daily basis. In many cases, they do not recognize the security impact.
- Marketing & Creative Teams: Members of the marketing team may accidentally upload assets to a partner's Google Drive rather than the company's official instance, leading to unintended data exposure.
- Consultants and Client-Facing Roles: Consultants working with multiple clients can access client-specific SharePoint sites and unknowingly create security gaps as sensitive data is shared across different organizations.
- Professional Services and External Collaboration: In industries such as law and accounting, which rely heavily on external collaboration, employees frequently work in more than 15 different SharePoint instances, introducing major challenges in monitoring data movement.
This explosion of shadow IT creates a massive security gap, especially as product-led growth platforms completely bypass the procurement process.
Instead of classifying an application as business or consumer, security teams should assess the intent behind employee interactions, the account context in which the tool is used, and the real-time risk associated with SaaS activity. This means adopting dynamic risk assessment, context-aware access control, and continuous monitoring that go beyond static policies. The browser becomes the most important point of visibility, revealing logins, account switching, MFA status, consent-based access requests, and data movement across organizational boundaries.
The path forward: Browser-native visibility and control
Keep Aware's report provides comprehensive insights and data points that prove that security needs to move inside the browser. As phishing campaigns evolve, malware reassembly becomes more refined, AI usage skyrockets, and browser extensions remain unchecked, organizations that fail to adapt remain vulnerable.
Security teams need to integrate browser security into the enterprise security stack to gain real-time visibility, detect browser-native threats, and protect employees where they work.
If you’d like to learn more about protecting your organization from browser-based threats, please request a personalized demo.