TL;DR: As work shifts into SaaS and browser sessions, attackers are bypassing endpoint telemetry through AiTM phishing, session hijacking, and malicious extensions, according to Push Security. The blind spot is structural: EDR protects the host, but it cannot observe the live application session where credentials and actions are now being abused.
NHIMG editorial — based on content published by Push Security: browser-based attacks and the limits of endpoint-only EDR
Questions worth separating out
Q: How should security teams handle browser-based attacks when EDR is already deployed?
A: Teams should treat EDR and browser protection as complementary, not interchangeable.
Q: Why do browser-based attacks complicate identity and access management programmes?
A: Because identity is exercised inside the browser session, not only at the login boundary.
Q: What do security teams get wrong about session hijacking?
A: They often treat it as a pure authentication problem when it is also a session-control problem.
Practitioner guidance
- Instrument browser-session telemetry: measure page rendering, credential submission, token use, and suspicious redirection inside the browser, because host telemetry will not reveal those interaction patterns.
- Block high-risk credential submission events: stop credential entry when the page structure, origin, or behaviour does not match the expected authentication flow, especially during real-time proxy attacks.
- Detect abnormal session reuse: watch for valid tokens being used in unusual locations, sequences, or interaction patterns, since session hijacking often bypasses password-based alarms.
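The third point above is the one most often left as a slogan. As an added illustration (not code from Push Security or from this editorial), the following detector walks a constructed session-event log and raises an alert when a still-valid session identifier is exercised from a different client fingerprint (IP address plus user agent) than its previous use, with higher severity when the switch happens within a short window. The log format and field names are assumptions chosen for the example.

```python
"""Detect abnormal session reuse: the same session token used from a second
client fingerprint. Constructed sample log; field names are assumptions."""
from datetime import datetime

# Constructed sample events (key=value pairs): one legitimate session (B2) and
# one session (A1) whose token is reused from a new IP/UA 90 seconds later.
SAMPLE_EVENTS = [
    "sess=A1 ts=2024-05-01T09:00:00 ip=198.51.100.10 ua=Chrome/124 action=login",
    "sess=A1 ts=2024-05-01T09:05:00 ip=198.51.100.10 ua=Chrome/124 action=view_mail",
    "sess=A1 ts=2024-05-01T09:06:30 ip=203.0.113.7 ua=curl/8.0 action=export_mail",
    "sess=B2 ts=2024-05-01T09:10:00 ip=192.0.2.5 ua=Firefox/125 action=login",
    "sess=B2 ts=2024-05-01T10:30:00 ip=192.0.2.5 ua=Firefox/125 action=view_mail",
]


def parse_event(line):
    """Turn one 'key=value ...' log line into a dict; ts becomes a datetime."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields


def find_session_reuse(lines, window_minutes=30):
    """Return one alert per event where a session id is used from a client
    fingerprint (ip, ua) different from its previous use. Severity is 'high'
    when the switch happens within window_minutes, else 'medium'."""
    last_seen = {}  # session id -> (timestamp, fingerprint) of previous use
    alerts = []
    for ev in sorted((parse_event(ln) for ln in lines), key=lambda e: e["ts"]):
        sid, fp = ev["sess"], (ev["ip"], ev["ua"])
        if sid in last_seen:
            prev_ts, prev_fp = last_seen[sid]
            if fp != prev_fp:
                gap = (ev["ts"] - prev_ts).total_seconds() / 60
                alerts.append({
                    "session": sid,
                    "from": prev_fp,
                    "to": fp,
                    "minutes_since_last_use": gap,
                    "action": ev["action"],  # what the hijacked token was used for
                    "severity": "high" if gap <= window_minutes else "medium",
                })
        last_seen[sid] = (ev["ts"], fp)
    return alerts


if __name__ == "__main__":
    for alert in find_session_reuse(SAMPLE_EVENTS):
        print(alert)
```

In a real deployment the fingerprint would include whatever the session layer can reliably observe (ASN, TLS fingerprint, device binding), and a high-severity hit would feed the "immediate response" step rather than only a dashboard.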
What's in the full article
Push Security's full article covers the operational detail this post intentionally leaves for the source:
- Examples of real browser-native attack flows, including how AiTM phishing and malicious extensions behave inside active sessions.
- A practical checklist for detecting suspicious browser behaviour before account takeover completes.
- Guidance on how browser detection complements EDR rather than replacing it.
- Specific response actions that can interrupt malicious activity at the point of interaction.
👉 Read Push Security's analysis of browser-based attacks and EDR blind spots →
Browser-based attacks: is endpoint-only EDR still enough?
Explore further
Browser-based attacks are exposing a control boundary that endpoint security was never designed to cross. EDR remains effective for host-level compromise, but it cannot observe the live application session where modern attackers now operate. That shifts the real security question from endpoint containment to browser-session governance. Practitioners should treat the browser as an identity enforcement point, not just a user interface.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, with 38% reporting no or low visibility and another 47% reporting only partial visibility, according to The State of Non-Human Identity Security.
- That same research found only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, which helps explain why session and browser-layer controls are becoming a governance priority.
A question worth separating out:
Q: What should organisations do when attackers avoid the endpoint entirely?
A: They should move detection closer to the layer where the attack actually happens. That means browser-native protection, behavioural detection inside the session, and immediate response that can block unsafe actions at the point of interaction. If the attack never touches the host in a visible way, the browser must become part of the control surface.
👉 Read our full editorial: Browser-based attacks expose the limits of endpoint-only EDR