
Browser-based attacks: is endpoint-only EDR still enough?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9079
Topic starter  

TL;DR: As work shifts into SaaS and browser sessions, attackers are bypassing endpoint telemetry through AiTM phishing, session hijacking, and malicious extensions, according to Push Security. The blind spot is structural: EDR protects the host, but it cannot observe the live application session where credentials and actions are now being abused.

NHIMG editorial — based on content published by Push Security: browser-based attacks and the limits of endpoint-only EDR

Questions worth separating out

Q: How should security teams handle browser-based attacks when EDR is already deployed?

A: Teams should treat EDR and browser protection as complementary, not interchangeable.

Q: Why do browser-based attacks complicate identity and access management programmes?

A: Because identity is exercised inside the browser session, not only at the login boundary.

Q: What do security teams get wrong about session hijacking?

A: They often treat it as a pure authentication problem when it is also a session-control problem.

Practitioner guidance

  • Instrument browser-session telemetry: Measure page rendering, credential submission, token use, and suspicious redirection inside the browser, because host telemetry will not reveal those interaction patterns.
  • Block high-risk credential submission events: Stop credential entry when the page structure, origin, or behaviour does not match the expected authentication flow, especially during real-time proxy attacks.
  • Detect abnormal session reuse: Watch for valid tokens being used in unusual locations, sequences, or interaction patterns, since session hijacking often bypasses password-based alarms.

What's in the full article

Push Security's full article covers the operational detail this post intentionally leaves for the source:

  • Examples of real browser-native attack flows, including how AiTM phishing and malicious extensions behave inside active sessions.
  • A practical checklist for detecting suspicious browser behaviour before account takeover completes.
  • Guidance on how browser detection complements EDR rather than replacing it.
  • Specific response actions that can interrupt malicious activity at the point of interaction.

👉 Read Push Security's analysis of browser-based attacks and EDR blind spots →
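
One way to implement the "Detect abnormal session reuse" guidance above, as an added example that is not part of the original post or of Push Security's article. The log fields, the ten-minute window, and the sample events are assumptions constructed for illustration; the check flags a token that appears from a new network and a new client together, or that alternates between two contexts in a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (assumed schema, not from the article):
# (timestamp, session_id, user, network ASN, user agent) per authenticated request.
EVENTS = [
    ("2024-05-01T09:00:00", "sess-A", "alice", "AS64500", "Chrome/124 Windows"),
    ("2024-05-01T09:05:00", "sess-A", "alice", "AS64500", "Chrome/124 Windows"),
    ("2024-05-01T09:06:00", "sess-A", "alice", "AS64511", "Firefox/125 Linux"),
    ("2024-05-01T09:07:00", "sess-A", "alice", "AS64500", "Chrome/124 Windows"),
    ("2024-05-01T10:00:00", "sess-B", "bob", "AS64501", "Safari/17 macOS"),
    ("2024-05-01T13:00:00", "sess-B", "bob", "AS64502", "Safari/17 macOS"),
]

# Assumed threshold: two contexts using one token this close together overlap.
CONCURRENCY_WINDOW = timedelta(minutes=10)


def find_session_reuse(events):
    """Return (ts, session_id, user, reasons) for tokens used outside their first context."""
    baseline = {}                  # session_id -> (asn, user_agent) at first use
    last_seen = defaultdict(dict)  # session_id -> {context: last timestamp}
    findings = []
    for ts, sid, user, asn, ua in sorted(events):
        when = datetime.fromisoformat(ts)
        ctx = (asn, ua)
        base = baseline.setdefault(sid, ctx)
        reasons = []
        # A network change alone is common (office to home); network AND client
        # changing together means the token moved to a different browser.
        if asn != base[0] and ua != base[1]:
            reasons.append("new network and new client")
        # A roaming user moves from one context to the next; a stolen token is
        # used alongside the victim's still-active session.
        for other, seen in last_seen[sid].items():
            if other != ctx and when - seen <= CONCURRENCY_WINDOW:
                reasons.append("concurrent use from two contexts")
                break
        last_seen[sid][ctx] = when
        if reasons:
            findings.append((ts, sid, user, reasons))
    return findings


if __name__ == "__main__":
    for finding in find_session_reuse(EVENTS):
        print(finding)
```

In the constructed data, sess-A is flagged twice while sess-B, which only changes network three hours later with the same client, is not.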

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8508
 

Browser-based attacks are exposing a control boundary that endpoint security was never designed to cross. EDR remains effective for host-level compromise, but it cannot observe the live application session where modern attackers now operate. That shifts the real security question from endpoint containment to browser-session governance. Practitioners should treat the browser as an identity enforcement point, not just a user interface.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, with 38% reporting no or low visibility and another 47% reporting only partial visibility, according to The State of Non-Human Identity Security.
  • That same research found only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, which helps explain why session and browser-layer controls are becoming a governance priority.

A question worth separating out:

Q: What should organisations do when attackers avoid the endpoint entirely?

A: They should move detection closer to the layer where the attack actually happens. That means browser-native protection, behavioural detection inside the session, and immediate response that can block unsafe actions at the point of interaction. If the attack never touches the host in a visible way, the browser must become part of the control surface.

👉 Read our full editorial: Browser-based attacks expose the limits of endpoint-only EDR



   