
Browser attack techniques in 2026: are identity controls keeping up?


(@nhi-mgmt-group)

TL;DR: Browser-based attacks such as AiTM phishing, ClickFix, ConsentFix, and device code phishing are moving faster than defenses, with ClickFix becoming Microsoft’s most common initial access vector in about a year and device code phishing jumping from near-zero to at least 12 kits, according to Push Security. Traditional email, endpoint, and network controls are losing coverage because the attack and the identity workflow now happen inside the browser.

NHIMG editorial — based on content published by Push Security: browser-based attack techniques defining the 2026 threat landscape

By the numbers:

Questions worth separating out

Q: How should security teams defend against browser-based identity attacks?

A: Security teams should defend against browser-based identity attacks by treating the browser as a control point, not just a delivery channel.

Q: Why do browser attacks bypass so many traditional security controls?

A: Browser attacks bypass traditional controls because the malicious action often happens inside a legitimate browser session.

Q: What breaks when device code phishing is allowed in everyday enterprise workflows?

A: When device code phishing is normalised in everyday workflows, attackers can hijack a legitimate identity flow without stealing a password or intercepting MFA.

Practitioner guidance

  • Map browser-mediated identity flows: Inventory which authentication, consent, and device-code journeys are reachable through the browser, then mark the ones that bypass email, EDR, or proxy visibility.
  • Add pre-execution browser controls: Detect clipboard injection, suspicious redirects, and page content that instructs users to paste commands before the payload is executed.
  • Review OAuth and device-code exposure: Limit which apps and users can approve OAuth consent, and reduce unnecessary device-code reliance in developer and admin workflows.

What's in the full article

Push Security's full blog post covers the operational detail this post intentionally leaves for the source:

  • Direct attack-chain examples for AiTM, ClickFix, ConsentFix, and device code phishing
  • Browser-layer detection logic and why it catches technique behaviour rather than known indicators
  • In-the-wild campaign timelines and the specific lure patterns used across LinkedIn, search, and compromised sites
  • Demonstration detail on how the browser interactions unfold before the payload or token is captured

👉 Read Push Security's analysis of browser-based attack techniques in 2026 →




   
(@mr-nhi)
 

Browser-first identity compromise has become the governance gap that IAM programmes keep underestimating. Traditional identity controls were built around login events, MFA prompts, and endpoint-visible execution, but these browser attacks exploit the space between them. The browser is now the control plane where authentication, consent, and session theft converge. Practitioners should treat browser-mediated identity abuse as a core IAM problem, not a peripheral phishing issue.

A few things that frame the scale:

  • 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
  • 45% of organisations cite lack of credential rotation as the top cause of NHI-related attacks, followed by inadequate monitoring and logging at 37% and over-privileged accounts at 37%.

A question worth separating out:

Q: How do organisations reduce the impact of stolen browser sessions?

A: Organisations reduce the impact of stolen browser sessions by shortening session lifetime, revoking tokens quickly, and watching for reuse across impossible locations or unusual devices. They should also separate high-risk administrative access from ordinary browser-based SaaS use so a stolen session does not unlock everything.

👉 Read our full editorial: Browser attacks are bypassing identity controls through the browser



   
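The session-reuse check described in the reply above ("reuse across impossible locations or unusual devices"), sketched as an added example that is not part of the original posts or of Push Security's detection logic. The event fields, the 900 km/h and 50 km thresholds, and the sample events are constructed assumptions.

```python
import math
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real logs): time, session id, device id, lat, lon.
EVENTS = [
    ("2026-01-12T09:00:00", "sess-A", "dev-1", 51.5074, -0.1278),   # London
    ("2026-01-12T09:20:00", "sess-A", "dev-1", 51.5074, -0.1278),
    ("2026-01-12T09:45:00", "sess-A", "dev-9", 40.7128, -74.0060),  # New York, new device
    ("2026-01-12T10:00:00", "sess-B", "dev-2", 48.8566, 2.3522),    # Paris
    ("2026-01-12T13:00:00", "sess-B", "dev-2", 52.5200, 13.4050),   # Berlin, 3 h later
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def find_session_reuse(events, max_kmh=900.0):
    """Return (session_id, timestamp, reason) for each suspicious event."""
    by_session = defaultdict(list)
    for ts, sid, dev, lat, lon in events:
        by_session[sid].append((datetime.fromisoformat(ts), dev, lat, lon))
    findings = []
    for sid, rows in by_session.items():
        rows.sort(key=lambda r: r[0])
        first_device = rows[0][1]  # device that established the session
        for prev, cur in zip(rows, rows[1:]):
            if cur[1] != first_device:
                findings.append((sid, cur[0].isoformat(), "new_device"))
            hours = (cur[0] - prev[0]).total_seconds() / 3600
            km = haversine_km(prev[2], prev[3], cur[2], cur[3])
            # Ignore small moves (geo-IP jitter); zero elapsed time with a
            # real location change also counts as impossible travel.
            if km > 50 and (hours == 0 or km / hours > max_kmh):
                findings.append((sid, cur[0].isoformat(), "impossible_travel"))
    return findings

if __name__ == "__main__":
    for finding in find_session_reuse(EVENTS):
        print(finding)
```

A finding here is the trigger for the other two measures in the answer: revoke the session's tokens and force re-authentication, rather than only alerting.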