TL;DR: Phishing became omni-channel in 2025, with roughly 1 in 3 attacks detected by Push Security arriving outside email and attacker toolkits increasingly bypassing MFA, consent controls, and browser defenses through AiTM kits, device-code abuse, and browser-native social engineering. The browser, not the inbox, is now where identity compromise is most likely to begin and where detection strategy has to catch up.
At a glance
What this is: This analysis shows that phishing in 2025 moved beyond email into browser-native, social, and search-driven attack paths, while attacker kits increasingly bypassed MFA and other controls.
Why it matters: It matters because IAM, PAM, and NHI programmes still built around email and traditional login flows will miss the real abuse surface where credentials, sessions, and OAuth consent are now stolen.
By the numbers:
- Roughly 1 in 3 phishing attacks detected by Push Security were delivered outside of email.
- The top initial access vector in Microsoft's 2025 threat reporting was ClickFix, involved in 47% of attacks.
👉 Read Push Security's analysis of how phishing evolved in 2025
Context
Phishing is no longer just an email security problem. In 2025, attackers increasingly used LinkedIn DMs, search ads, fake landing pages, reverse proxies, browser extensions, and consent abuse to obtain account access, which means the primary control gap has shifted into the identity layer and the browser.
For IAM teams, that changes the operating assumption. If session theft, OAuth consent, and browser-native social engineering can bypass conventional phishing controls, then the programme cannot depend on inbox filtering or password-centric authentication alone.
This is a browser-first identity attack problem, and that is why the article’s findings matter for both human identity controls and the growing set of non-email access paths now used to compromise accounts.
Key questions
Q: How should security teams defend against phishing when attacks move beyond email?
A: Security teams should shift from inbox-centric prevention to browser-aware detection, stronger app-consent governance, and post-login monitoring. Non-email phishing often bypasses sender controls entirely, so the browser becomes the key enforcement point. Teams also need identity telemetry that can identify session theft, malicious redirects, and risky OAuth grants after the lure succeeds.
Q: Why do phishing-resistant authentication methods still fail in real attacks?
A: Phishing-resistant authentication such as FIDO2/WebAuthn passkeys binds the credential to the real origin, so a reverse-proxy kit cannot complete the login from the attacker's domain. What it does not do is eliminate session theft, consent abuse, or browser-native social engineering: attackers downgrade the user to a weaker fallback method that the proxy can relay, steal the session token after a legitimate login through a malicious extension, or avoid the login altogether with device-code and OAuth consent tricks. The key failure is assuming that a strong login factor automatically means the account is safe after authentication.
Q: What do security teams get wrong about browser-based phishing defence?
A: Many teams still treat browser phishing as a web filtering problem instead of an identity and session problem. That misses the real abuse paths, including OAuth consent, token capture, and malicious browser activity. Effective defence requires visibility into the browser journey, not only the destination URL.
Q: How should organisations prioritise phishing controls for 2026?
A: Organisations should prioritise controls that detect and contain account takeover after the initial click, especially browser telemetry, app-consent restrictions, and session monitoring. If attackers can bypass email and proxy the login, the deciding factor becomes how quickly the organisation can observe and revoke the resulting access.
Technical breakdown
Omni-channel phishing now starts outside email
Phishing attacks no longer need the inbox to reach a user. Attackers can seed links through LinkedIn messages, search ads, compromised sites, and custom landing pages, then route victims into credential harvesters or session theft flows. This works because the browser is where the user, identity provider, and application session converge, but most defences still assume the email gateway is the first and best line of control. When the lure arrives through a social or search channel, traditional email filtering never gets a chance to intervene.
Practical implication: move detection and response closer to browser activity, not just mail flow.
Why AiTM phishing and PhaaS kits bypass MFA
Attacker-in-the-middle phishing kits proxy the login in real time, capture the session token, and defeat any MFA method the proxy can relay, which includes SMS, OTP and push approval. That is why reverse-proxy kits such as Tycoon, NakedPages, Sneaky2FA, and Evilginx variants remain effective: they steal the authenticated session rather than brute-force the password. Origin-bound methods such as passkeys do not complete on the proxy's domain, so kits pair proxying with a downgrade to whatever weaker fallback the tenant still allows. The real issue is not just credential compromise but session transfer, which allows the attacker to inherit an already approved identity context. This is a structural weakness in any control model that treats MFA as the end of the authentication problem.
Practical implication: treat session theft as a first-class identity risk, not a downstream anomaly.
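The session-transfer point is easiest to see in sign-in telemetry. The following is an added example, not Push Security's code and not from the original article: a detection rule that anchors on the MFA-satisfying sign-in and flags later successful activity in the same session from a different network or browser. The SignIn schema, the HOSTING_ASNS set and the sample events are constructed for illustration; real Entra ID or Okta exports carry more fields under different names.

```python
"""Detect AiTM-style session replay in sign-in telemetry.

Added example, not Push Security's code. The SignIn schema is a constructed
simplification of an identity provider's sign-in log (real Entra ID or Okta
exports carry more fields under different names); HOSTING_ASNS and the sample
events are constructed too.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed: autonomous systems the organisation classes as hosting/VPS
# space, where a reverse-proxy kit is far more likely to run than an employee.
HOSTING_ASNS = {64500}


@dataclass(frozen=True)
class SignIn:
    time: datetime
    user: str
    ip: str
    asn: int
    user_agent: str
    session_id: str      # the IdP's session identifier, carried by the cookie
    mfa_satisfied: bool  # this event completed an MFA challenge
    success: bool


def detect_session_replay(events, window=timedelta(hours=2)):
    """Flag sessions whose MFA-satisfying sign-in came from one network and
    browser, and whose later successful activity came from another.

    A reverse-proxy kit terminates the real login at the proxy, so the IdP
    records MFA success from the proxy's address; the attacker then imports
    the captured cookie into a different browser on a different host. A
    genuine user keeps one ASN and one user agent for the life of a session,
    so a change inside `window` of the MFA event is the replay signal.
    """
    by_session = {}
    for e in sorted(events, key=lambda e: e.time):
        by_session.setdefault(e.session_id, []).append(e)

    findings = []
    for sid, evs in by_session.items():
        anchor = next((e for e in evs if e.mfa_satisfied and e.success), None)
        if anchor is None:
            continue  # no MFA event to anchor on; out of scope for this rule
        reasons = []
        for e in evs:
            if e.time <= anchor.time or e.time - anchor.time > window:
                continue
            if not e.success:
                continue  # rejected reuse (e.g. after revocation) is not a live replay
            if e.asn != anchor.asn:
                reasons.append(f"session reused from ASN {e.asn} ({e.ip}) at {e.time:%H:%M}")
            if e.user_agent != anchor.user_agent:
                reasons.append(f"user agent changed to {e.user_agent!r} at {e.time:%H:%M}")
        if reasons:
            # MFA completed from hosting space makes the proxy explanation far more likely.
            severity = "high" if anchor.asn in HOSTING_ASNS else "medium"
            findings.append({"user": anchor.user, "session_id": sid,
                             "severity": severity, "reasons": reasons})
    return findings


# Constructed sample: documentation IP ranges (RFC 5737) and private-use ASNs.
T0 = datetime(2025, 11, 3, 9, 0)
SAMPLE_EVENTS = [
    # alice: login relayed through a kit on a VPS, cookie replayed six minutes later
    SignIn(T0, "alice@example.com", "203.0.113.10", 64500, "Chrome/130", "sess-a1", True, True),
    SignIn(T0 + timedelta(minutes=6), "alice@example.com", "198.51.100.7", 64501, "Firefox/132", "sess-a1", False, True),
    # bob: one session, one network, one browser
    SignIn(T0 + timedelta(minutes=1), "bob@example.com", "192.0.2.44", 64502, "Edge/130", "sess-b1", True, True),
    SignIn(T0 + timedelta(minutes=40), "bob@example.com", "192.0.2.44", 64502, "Edge/130", "sess-b1", False, True),
    # carol: a reuse attempt that the IdP rejected (session already revoked)
    SignIn(T0 + timedelta(minutes=2), "carol@example.com", "192.0.2.90", 64502, "Safari/18", "sess-c1", True, True),
    SignIn(T0 + timedelta(minutes=9), "carol@example.com", "198.51.100.9", 64501, "Safari/18", "sess-c1", False, False),
]


if __name__ == "__main__":
    for f in detect_session_replay(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["user"], f["session_id"])
        for r in f["reasons"]:
            print("   -", r)
```

The rule is a heuristic: a VPN toggle or a mobile network handover also changes the ASN, so tune the window and use the hosting-ASN severity bump rather than alerting on ASN change alone. The durable fix is to bind the session to the device at the identity provider (token protection or conditional-access session controls), so that a replayed cookie fails before any detection rule has to fire.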
Consent phishing, device code abuse, and browser-native takeover
When attackers cannot beat the standard login flow, they often sidestep it. Consent phishing abuses OAuth app approval, device code phishing abuses device-login flows, and browser-native techniques such as ClickFix and ConsentFix push the victim to authorise or execute the attack locally. These methods are effective because they turn user cooperation into the attack primitive. They also widen the blast radius into app tenants, browser sessions, and trusted integrations, which is why access controls must cover consent, extension trust, and application-scoped privilege, not just passwords.
Practical implication: review OAuth app consent, device-code exposure, and browser-extension trust as part of identity governance.
Threat narrative
Attacker objective: The attacker wants durable account access that survives the initial lure and can be used to pivot into business applications, data, or further criminal operations.
- Entry begins through non-email lures such as LinkedIn messages, search ads, compromised sites, or browser-native prompts that draw the victim into a phishing flow outside the inbox.
- Escalation occurs when reverse-proxy kits, consent abuse, device code phishing, or malicious extensions capture the authenticated session or grant attacker-controlled app access.
- Impact follows when attackers reuse the stolen session or delegated access to take over business applications, exfiltrate data, or enable broader criminal access reuse.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- DeepSeek breach — an exposed database leaked 1M+ log lines and sensitive secret keys.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Phishing has become an identity attack surface problem, not an email problem. The article shows that attackers now use search, social platforms, browser prompts, and malicious app consent to reach the user where email controls cannot help. That means the old boundary between phishing prevention and IAM has collapsed. Practitioners should treat browser-mediated access as part of identity governance, not as a separate endpoint or email concern.
Session theft is now more operationally important than password theft. AiTM kits work because they inherit a live session after authentication, which leaves many traditional controls intact while the attacker operates inside the account. That shifts the security question from 'was the login challenged' to 'who controls the session after the login'. Security teams need to assume that a successful login can still be a compromise.
Browser-native social engineering creates an access model that conventional MFA cannot fully contain. Consent phishing, device code abuse, and malicious extensions all exploit user-authorised pathways rather than overt credential capture. This is where identity governance, OAuth governance, and browser trust decisions converge. The practical implication is that phishing resistance must be evaluated as a control system, not as a single authentication feature.
Ephemeral session trust debt: The security model now accumulates risk in the gap between a legitimate user action and attacker-controlled reuse of the resulting session or consent grant. That gap is what makes modern phishing harder to detect and easier to operationalise at scale. Practitioners should think in terms of trust lifetime, not just authentication strength.
Visibility gaps are now the limiting factor in phishing defence. Push Security’s findings reinforce a familiar but still under-closed problem: organisations can block known bad sites only if they can see the actual browser journey and app interaction. That is why phishing defence has become a governance problem for IAM, security operations, and browser controls together. Teams that cannot observe consent, redirects, or session reuse will not contain the modern attack chain.
From our research:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
- That visibility gap is why browser-side identity telemetry and consent governance now matter as much as email filtering for phishing defence, as explored in 52 NHI Breaches Analysis.
What this signals
The phishing problem is converging with identity governance because the attack now lives in the same surfaces that IAM teams are expected to control: consent grants, browser sessions, app access, and delegated trust. Organisations that still separate phishing defence from identity control will keep missing the handoff point where a lure becomes account takeover. The operational question is no longer whether phishing is blocked, but whether identity telemetry can see the compromise before the session is reused.
Browser trust debt: the browser has become the weak coordination point between authentication, consent, and session management. That means IAM programmes need a clearer view of browser-mediated access paths, especially where third-party apps and session reuse overlap. For practitioners, the near-term signal to watch is whether identity controls can see and constrain post-login abuse, not just deny bad links.
Push Security’s findings also reinforce a broader programme issue: phishing resistance is only as strong as the fallback methods, consent paths, and monitoring that surround it. As adversaries standardise on reverse proxies and browser-native abuse, teams should expect more pressure on access governance, not less. The security model that survives 2026 will be the one that can observe and revoke risky access fast enough to matter.
For practitioners
- Instrument browser-side detection and response: monitor the browser as the primary phishing execution environment, including redirects, suspicious consent flows, extension activity, and session hijack signals. Email telemetry alone will miss the attack path in many cases.
- Review OAuth consent and device-code exposure: audit tenant settings, app consent policies, and device-code login usage so that malicious app authorisation and device-code entry abuse are constrained before they become routine entry paths.
- Reduce reliance on MFA as a finish line: treat MFA as one control in a larger identity flow, then validate whether session binding, conditional access, and post-login monitoring can detect reuse after a proxy-based login has succeeded.
- Map phishing paths to identity governance controls: tie browser-based phishing scenarios to IAM, PAM, and access review processes so that app consent, session lifetime, and privileged browser activity are visible in governance workflows.
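The consent-phishing and device-code points in the technical breakdown, and the OAuth consent review step above, both come down to the same audit. The following is an added example, not Push Security's or any vendor's code, of the kind of review an identity team can run over a tenant's grant export: it scores delegated grants by scope impact, publisher verification and how they were consented, and separately flags device-code redemptions by clients that should not use the flow or from networks the user never signs in from. The record shapes, scope classification, client allowlist and sample data are all constructed for illustration.

```python
"""Audit OAuth consent grants and device-code sign-ins for phishing exposure.

Added example, not Push Security's or any vendor's code. The grant and
sign-in records are constructed simplifications of what a tenant export
contains (Entra ID exposes this through oauth2PermissionGrants and
servicePrincipal objects; other IdPs have equivalents); every field name,
scope list and client allowlist here is this example's own.
"""
from dataclasses import dataclass

# Delegated scopes that give an attacker durable, high-value access.
# offline_access yields a refresh token, so the grant outlives the phished session.
HIGH_IMPACT_SCOPES = {
    "offline_access", "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All", "Sites.ReadWrite.All",
    "Directory.Read.All", "User.Read.All", "MailboxSettings.ReadWrite",
}
# Scopes a user may reasonably self-consent to without admin review.
LOW_IMPACT_SCOPES = {"openid", "profile", "email", "User.Read"}


@dataclass(frozen=True)
class ConsentGrant:
    app_name: str
    publisher_verified: bool
    consent_type: str   # "user" (self-service) or "admin" (tenant-wide, reviewed)
    scopes: frozenset
    users_consented: int


def assess_grant(g):
    """Return (action, reasons) for one grant: 'allow', 'review' or 'revoke'."""
    high = g.scopes & HIGH_IMPACT_SCOPES
    unknown = g.scopes - HIGH_IMPACT_SCOPES - LOW_IMPACT_SCOPES
    reasons = []
    if high:
        reasons.append("high-impact scopes: " + ", ".join(sorted(high)))
    if unknown:
        reasons.append("unclassified scopes: " + ", ".join(sorted(unknown)))
    if not g.publisher_verified:
        reasons.append("publisher not verified")
    if g.consent_type == "user" and (high or unknown):
        reasons.append("granted by end-user consent without admin review")
    if high and g.users_consented <= 3:
        # consent phishing typically lands on a handful of users, not a department
        reasons.append(f"only {g.users_consented} consenting user(s)")
    if high and not g.publisher_verified:
        return "revoke", reasons
    if high or unknown or not g.publisher_verified:
        return "review", reasons
    return "allow", reasons


def audit_grants(grants):
    """Assess every grant, most urgent first."""
    order = {"revoke": 0, "review": 1, "allow": 2}
    rows = []
    for g in grants:
        action, reasons = assess_grant(g)
        rows.append({"app": g.app_name, "action": action, "reasons": reasons})
    return sorted(rows, key=lambda r: order[r["action"]])


@dataclass(frozen=True)
class DeviceCodeSignIn:
    user: str
    client_app: str
    client_asn: int             # constructed: network of the client that redeemed the code
    user_usual_asns: frozenset  # constructed: networks this user signed in from recently


# Only headless or input-constrained clients have a legitimate need for the flow.
DEVICE_CODE_ALLOWED_CLIENTS = {"Azure CLI", "Meeting Room Console"}


def flag_device_code_signins(signins):
    """Device-code phishing has the victim type an attacker-obtained code into
    the vendor's genuine login page; the token is then issued to whichever
    client requested the code. Flag redemptions by clients that should not be
    using the flow, or from networks the user never signs in from."""
    flagged = []
    for s in signins:
        reasons = []
        if s.client_app not in DEVICE_CODE_ALLOWED_CLIENTS:
            reasons.append(f"{s.client_app!r} is not an approved device-code client")
        if s.client_asn not in s.user_usual_asns:
            reasons.append(f"code redeemed from unfamiliar ASN {s.client_asn}")
        if reasons:
            flagged.append({"user": s.user, "reasons": reasons})
    return flagged


# Constructed sample data (private-use ASNs).
SAMPLE_GRANTS = [
    ConsentGrant("Microsoft Teams", True, "admin", frozenset({"User.Read", "openid"}), 1200),
    ConsentGrant("Invoice Viewer", False, "user",
                 frozenset({"offline_access", "Mail.Read", "Files.ReadWrite.All"}), 2),
    ConsentGrant("HR Calendar Sync", True, "user", frozenset({"Calendars.ReadWrite", "offline_access"}), 40),
]
SAMPLE_DEVICE_CODE = [
    DeviceCodeSignIn("dave@example.com", "Azure CLI", 64502, frozenset({64502})),
    DeviceCodeSignIn("erin@example.com", "Microsoft Office", 64500, frozenset({64502, 64503})),
]

if __name__ == "__main__":
    for row in audit_grants(SAMPLE_GRANTS):
        print(row["action"].upper(), row["app"], "|", "; ".join(row["reasons"]))
    for hit in flag_device_code_signins(SAMPLE_DEVICE_CODE):
        print("DEVICE-CODE", hit["user"], "|", "; ".join(hit["reasons"]))
```

Two governance settings make this audit mostly empty in practice: restrict self-service user consent to verified publishers and low-impact scopes (everything else goes through an admin consent request), and disable the device code flow for all but the clients and users that demonstrably need it. The audit then becomes a check that the policy is holding rather than a cleanup of grants that should never have been possible.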
Key takeaways
- Phishing in 2025 shifted decisively into browser, social, and search channels, which makes email-only defences incomplete.
- Reverse-proxy kits and browser-native abuse turn successful logins into session compromise, so MFA alone is no longer a sufficient control story.
- Identity teams should prioritise browser visibility, consent governance, and post-login containment because that is where modern phishing now succeeds.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-01, PR.AA-03, PR.AA-04 | Credential management, authentication, and protection of identity assertions (session tokens) are the controls that AiTM and consent phishing target beyond email. |
| NIST Zero Trust (SP 800-207) | Section 2.1 tenets: per-session access, dynamic authentication and authorisation | Continuous verification of the session, not a one-time login challenge, is what a stolen or replayed token must be measured against. |
| OWASP Non-Human Identity Top 10 | NHI3:2025 Vulnerable Third-Party NHI | An attacker-controlled OAuth app granted delegated access is a third-party non-human identity inside the tenant. |
Review non-human and delegated access paths for overexposure, consent risk, and weak lifecycle control.
Key terms
- AiTM phishing: Attacker-in-the-middle phishing is a technique where the attacker proxies the victim’s login in real time and captures the resulting session. The user may complete MFA successfully, but the attacker receives the authenticated session and can reuse it without repeating the login flow.
- Consent phishing: Consent phishing tricks a user into approving an attacker-controlled OAuth application. The attacker does not need to steal a password if the user authorises delegated access, which can grant persistent API or app permissions inside the tenant.
- Session hijacking: Session hijacking is the theft or reuse of a valid authenticated session so the attacker can act as the user without re-entering credentials. In identity programmes, it is often more operationally dangerous than password compromise because it bypasses many authentication checks.
- Browser-based phishing: Browser-based phishing is phishing that executes through the web browser rather than the inbox, often using redirects, malicious sites, consent prompts, or extensions. It matters because the browser is where identity, application access, and session state intersect.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Push Security: Phishing trends in 2025 and what they mean for 2026. Read the original.
Published by the NHIMG editorial team on 2025-12-15.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org