
Browser extension controls and ClickFix blocking: what changes for IAM teams


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9059
Topic starter  

TL;DR: Browser activity is being treated as a governed identity surface, not just a user interface, according to Push Security. The monthly update adds malicious browser extension detection, browser extension blocklists and allowlists, ClickFix-style attack blocking with payload capture, richer browser telemetry, and branding and RBAC changes, all aimed at improving browser-layer detection and control for end-user environments.

NHIMG editorial — based on content published by Push Security: malicious extension detection, ClickFix blocking, branding, and metadata updates

By the numbers:

  • When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases.

Questions worth separating out

Q: How should security teams govern browser extensions in enterprise environments?

A: Security teams should treat browser extensions as client-side privileged software and govern them with a default-deny mindset.

Q: Why do ClickFix-style attacks bypass familiar IAM controls?

A: ClickFix-style attacks exploit the gap between authentication and in-session user action.

Q: How can organisations tell whether browser telemetry is improving detection?

A: Browser telemetry is working when it produces actionable context, not just more data.

Practitioner guidance

  • Define browser extension governance as an access control problem: Classify extensions by business need, threat exposure, and privilege level, then enforce a default-deny or limited allowlist model for unmanaged add-ons.
  • Block copy and paste execution paths used by ClickFix-style lures: Create controls that intercept malicious paste events, quarantine the payload, and route the detection into SOC workflows with enough context for triage.
  • Enable browser event storage for higher-fidelity investigations: Turn on local browser event storage where policy permits, especially for environments with emerging threats or limited endpoint telemetry.

What's in the full article

Push Security's full update covers the operational detail this post intentionally leaves for the source:

  • Exact admin-console paths for enabling malicious extension detection and browser extension blocking
  • Configuration options for allowlist versus blocklist enforcement and user-facing block pages
  • Mode and scope settings for malicious copy and paste detection, including payload collection
  • Telemetry settings for browser event storage and metadata retention

👉 Read Push Security's update on browser extension detection and ClickFix blocking →
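
An added example, not part of the original post and not Push Security's code: one way to apply the "classify by privilege level, then default-deny" guidance to an inventory of extension manifests. The tier names, the `HIGH_PRIV` set, the allowlist schema and the extension IDs are assumptions constructed for illustration; the permission names are standard browser extension manifest permissions.

```python
# Added illustration: default-deny extension check with privilege tiers.
# Assumption: the HIGH_PRIV set and the tier names are local policy choices.
HIGH_PRIV = {"cookies", "webRequest", "debugger", "nativeMessaging",
             "clipboardRead", "scripting", "proxy", "management"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
TIERS = ["low", "medium", "high"]


def privilege_tier(manifest):
    """Classify a parsed manifest.json by the access it requests."""
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    # Manifest V2 lists host patterns inside "permissions".
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    broad, sensitive = bool(hosts & BROAD_HOSTS), bool(perms & HIGH_PRIV)
    if broad and sensitive:
        return "high"
    if broad or sensitive:
        return "medium"
    return "low"


def decide(ext_id, manifest, allowlist):
    """Return (action, reason); anything not explicitly approved is blocked."""
    entry = allowlist.get(ext_id)
    if entry is None:
        return ("block", "not on allowlist")
    tier = privilege_tier(manifest)
    if TIERS.index(tier) > TIERS.index(entry["max_tier"]):
        # Approved by ID, but an update now requests more than was signed off.
        return ("review", f"requests {tier}, approved for {entry['max_tier']}")
    return ("allow", f"{tier} within approved {entry['max_tier']}")


# Constructed sample data: IDs, owners and manifests are hypothetical.
ALLOWLIST = {"a" * 32: {"owner": "finance", "max_tier": "medium"},
             "b" * 32: {"owner": "marketing", "max_tier": "low"}}
INVENTORY = {
    "a" * 32: {"permissions": ["storage"],
               "host_permissions": ["https://erp.example.com/*"]},
    "b" * 32: {"permissions": ["cookies", "tabs"],
               "host_permissions": ["<all_urls>"]},
    "c" * 32: {"permissions": ["storage"]},
}


def audit(inventory, allowlist):
    """Map each installed extension ID to allow, review or block."""
    return {i: decide(i, m, allowlist)[0] for i, m in inventory.items()}
```

The "review" outcome covers an extension that was approved by ID but now requests more access than the approval covered, which an ID-only allowlist would let through.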

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8425
 

Browser policy is becoming identity policy. Once extensions, banners, telemetry, and copy-and-paste controls all sit inside the browser, the browser becomes part of the trust boundary for human access. That matters because many identity programmes still treat the browser as a neutral access layer rather than an enforceable execution environment. The practitioner implication is that session governance now needs to include what the browser can load, paste, and persist.

A few things that frame the scale:

  • When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases, according to LLMjacking: How Attackers Hijack AI Using Compromised NHIs.
  • DeepSeek accidentally embedded over 11,000 secrets in its training data and left a database exposed online, revealing more than one million sensitive records including chat histories, backend credentials, and API keys.

A question worth separating out:

Q: Who should own browser security controls that affect user access and investigation?

A: Ownership should sit with identity and security operations together, because browser controls now influence both enforcement and evidence collection. IAM teams should define policy and exception logic, while SOC or detection engineering teams tune the alerting and payload review. That split avoids leaving browser governance fragmented across endpoint, web, and identity functions.

👉 Read our full editorial: Browser extension controls and ClickFix blocking tighten IAM visibility



   