
Browser-based attack controls: what IAM teams need to know


(@nhi-mgmt-group)

TL;DR: Browser-based attacks now exploit search, social apps, device-code flows, and malicious extensions to reach employees where they work, while CrowdStrike says valid account abuse made up 35% of incidents in 2025 and Verizon places identity at the centre of breach activity. The practical shift is toward in-browser enforcement, because awareness and perimeter controls no longer match how compromise actually happens.

NHIMG editorial — based on content published by Push Security: a guide to in-browser controls for protecting users from browser-based attacks

By the numbers:

Questions worth separating out

Q: How should security teams stop browser-based attacks before account compromise occurs?

A: They should place detection and enforcement in the browser session itself, where phishing, malicious extensions, and copy-paste attacks actually unfold.

Q: Why do browser-based attacks bypass traditional security controls so often?

A: They exploit the gap between layers.

Q: What do security teams get wrong about user awareness training for browser threats?

A: They assume training can keep pace with attacker creativity.

Practitioner guidance

  • Deploy in-browser controls for high-risk user actions. Prioritise credential entry, clipboard use, extension installation, and consent prompts, because those are the browser moments attackers abuse most often.
  • Run phased warn-to-block rollouts. Start in monitor mode, tune false positives against real user workflows, then move selected groups to warn or block so enforcement does not break adoption.
  • Use browser events to close identity gaps. Feed detections into your SIEM and access workflows so missing MFA, reused passwords, and unapproved apps become remediable identity findings, not isolated browser alerts.

What's in the full article

Push Security's full product guide covers the operational detail this post intentionally leaves for the source:

  • Configuration examples for monitor, warn, and block modes across browser-based detections.
  • Admin-console telemetry fields and webhook outputs for triaging phishing, extension, and clipboard events.
  • Step-by-step rollout guidance for protecting specific employee groups, apps, and accounts.
  • Custom branding and styling options for block pages and banners in the Push console.

👉 Read Push Security's guide to in-browser controls for browser-based attacks →
