
Browser and identity attacks matrix: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3789
Topic starter  

TL;DR: Attacker innovation is now concentrated in browser-based initial access techniques, with AiTM phishing, ClickFix, device code phishing, OAuth consent abuse, and malicious extensions increasingly driving SaaS and cloud compromise, according to Push Security. The old SaaS framing is giving way to browser-and-identity governance, where access review cycles and endpoint-only controls no longer match how compromise starts.

NHIMG editorial — based on content published by Push Security: Browser & Identity Attacks Matrix

By the numbers:

Questions worth separating out

Q: How should security teams govern browser-based identity attacks in cloud environments?

A: Treat the browser as part of the identity control plane.

Q: Why do browser attacks create more risk than traditional phishing for IAM teams?

A: Browser attacks often capture valid sessions, consents, or device-code approvals instead of passwords, so they bypass some classic authentication controls.

Q: What do security teams get wrong about device code phishing?

A: They often treat it like a niche phishing variant, when it is really an authorization abuse pattern.

Practitioner guidance

  • Map browser-mediated identity entry points: Inventory where users authenticate, consent, approve device codes, and install extensions, then tie those paths to the identity provider rather than to endpoint tooling alone.
  • Constrain device authorization and consent flows: Restrict device code flows to approved use cases, log every authorization grant, and alert on unusual consent patterns or unfamiliar client applications.
  • Govern browser extensions as supply chain assets: Require approval for extension installs, track ownership changes, and continuously assess post-install behaviour for access to sessions, web content, and identity tokens.

What's in the full article

Push Security's full technical whitepaper covers the operational detail this post intentionally leaves for the source:

  • Browser attack family breakdowns for AiTM, ClickFix, ConsentFix, device code phishing, and malicious extensions
  • Observed delivery channels beyond email, including search, social media, messaging, and voice-assisted lures
  • Real-world technique timelines showing how browser-based initial access has industrialised over the last two years
  • Examples of how attackers chain browser identity abuse into SaaS access, token replay, and mass exfiltration

👉 Read Push Security's analysis of browser and identity attacks in SaaS compromise →
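As an added example (not code from the NHIMG post or from Push Security's whitepaper), the following illustrates the "constrain device authorization and consent flows" guidance above as a baseline check: it runs constructed audit events through an approved-client and approved-app list and flags device code sign-ins from unfamiliar clients and consent grants outside the baseline. The event fields, app names and policy lists are assumptions for the example, and the scope names are illustrative rather than tied to any one identity provider.

```python
"""Constructed example: flag device-code sign-ins and OAuth consent grants that
fall outside an approved baseline. The event shape is a simplified, made-up
audit record, not any vendor's log format."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical policy: client apps allowed to use the device code flow,
# third-party apps users may consent to, and scopes that warrant review
# even when the app is approved.
APPROVED_DEVICE_CODE_CLIENTS = {"corp-cli-tool"}
APPROVED_CONSENT_APPS = {"approved-scheduler"}
SENSITIVE_SCOPES = {"Mail.ReadWrite", "Files.ReadWrite.All", "offline_access"}


@dataclass
class Alert:
    user: str
    reason: str
    app: str


def check_event(ev: Dict) -> Optional[Alert]:
    """Return an Alert for one audit event, or None if it matches the baseline."""
    kind = ev.get("kind")
    app = ev.get("client_app", "<unknown>")
    user = ev.get("user", "<unknown>")
    if kind == "signin" and ev.get("auth_protocol") == "deviceCode":
        # Device code phishing ends in a device-code sign-in; an unfamiliar
        # client app is the signal worth reviewing.
        if app not in APPROVED_DEVICE_CODE_CLIENTS:
            return Alert(user, "device code sign-in from unapproved client", app)
    elif kind == "consent_grant":
        scopes = set(ev.get("scopes", []))
        if app not in APPROVED_CONSENT_APPS:
            return Alert(user, "consent granted to unapproved app", app)
        risky = sorted(scopes & SENSITIVE_SCOPES)
        if risky:
            return Alert(user, "approved app granted sensitive scopes: " + ", ".join(risky), app)
    return None


def triage(events: List[Dict]) -> List[Alert]:
    """Run every event through the baseline check and keep only the alerts."""
    return [a for a in (check_event(e) for e in events) if a is not None]


# Constructed sample events: a benign device-code login, one from an unfamiliar
# client, a browser login, a consent to an unknown app, and a consent to an
# approved app that asked for an unexpected scope.
SAMPLE_EVENTS = [
    {"kind": "signin", "user": "alice", "auth_protocol": "deviceCode", "client_app": "corp-cli-tool"},
    {"kind": "signin", "user": "bob", "auth_protocol": "deviceCode", "client_app": "unknown-client-7f3a"},
    {"kind": "signin", "user": "carol", "auth_protocol": "browser", "client_app": "corp-cli-tool"},
    {"kind": "consent_grant", "user": "dave", "client_app": "free-pdf-helper", "scopes": ["Mail.ReadWrite", "offline_access"]},
    {"kind": "consent_grant", "user": "erin", "client_app": "approved-scheduler", "scopes": ["Calendars.Read", "offline_access"]},
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"{a.user}: {a.reason} ({a.app})")
```

In practice the allowlists would be fed from the identity provider's registered applications and the events from its sign-in and consent audit logs, as the guidance above suggests.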





(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 2127
 

Browser identity attacks are now the organising layer for modern cloud compromise. The article is right to move beyond a SaaS-only label because the decisive action happens before the application layer is reached. Identity, not application logic, is where attackers now concentrate effort. Practitioners should interpret this as a shift in how attack surfaces are framed, measured, and defended.

A few things that frame the scale:

  • 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.

A question worth separating out:

Q: What should teams do when browser extensions can access identity workflows?

A: They should manage extensions like third-party software with identity reach, not like harmless productivity add-ons. That means approving what can be installed, tracking ownership changes, and reviewing whether an extension can read or modify authenticated web sessions. If an extension touches identity flows, it belongs in governance and monitoring scope.

👉 Read our full editorial: Browser and identity attacks now define modern SaaS compromise


