Browser-based attacks and identity gaps: what IAM teams need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5324
Topic starter  

TL;DR: Browser-based attacks are now the main path into business apps, with phishing, ClickFix, malicious OAuth grants, extensions, and stolen credentials all converging in the browser, according to Push Security. The security boundary has shifted from endpoint and email controls to browser-visible identity and session behaviour, making app access governance and detection the critical control plane.

NHIMG editorial — based on content published by Push Security: browser-based attacks and the identity controls needed to detect and respond to them

By the numbers:

  • Reports of extension-based compromises have been on the rise since the Cyberhaven extension was hacked in December 2024, along with at least 35 other extensions.

Questions worth separating out

Q: How should security teams reduce browser-based identity compromise across SaaS apps?

A: Security teams should treat the browser as an identity control point, not just a user interface.

Q: Why do phishing-resistant MFA methods still leave browser-based attacks dangerous?

A: Phishing-resistant MFA can stop password capture, but it does not stop attackers who steal the resulting session, trick a user into approving an OAuth grant, or use a malicious extension.

Q: What do security teams get wrong about malicious browser extensions?

A: They often treat extensions as productivity add-ons instead of privileged software with access to content, cookies, tabs, and browsing history.

Practitioner guidance

  • Inventory browser-accessed identity paths: map which SaaS apps, OAuth grants, logins, and extensions are actually used in the browser, including unmanaged and shadow IT services.
  • Restrict consent and extension privilege: tighten OAuth approval policies, review delegated scopes, and limit extension installs to pre-approved items with narrow permissions.
  • Detect session abuse in the browser: use browser telemetry to spot suspicious login completions, anomalous tab activity, repeated consent grants, and session replay indicators.
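To make the three guidance points concrete, here is an added example (not code from Push Security or NHIMG) of a small detection rule set run over constructed browser telemetry events. It flags extensions that are not pre-approved or that request broad permissions, OAuth grants of scopes outside an allow-list or repeated grants in a short window, and a session identifier reused from a different client than the one that completed the login. The event field names, the allow-lists and the thresholds are assumptions chosen for the illustration.

```python
"""
Added example, not from the original post: rule-based checks over constructed
browser telemetry for the three practitioner guidance points above.
Event schema, allow-lists and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy inputs: pre-approved extension ids and the OAuth scopes a user may grant.
APPROVED_EXTENSIONS = {"ext-password-manager"}
BROAD_PERMISSIONS = {"<all_urls>", "cookies", "webRequest", "tabs", "history"}
ALLOWED_SCOPES = {"openid", "email", "profile"}
CONSENT_WINDOW = timedelta(minutes=10)   # window for counting repeated grants
REPEAT_CONSENT_THRESHOLD = 3             # grants per (user, app) inside the window


def _ts(s):
    return datetime.fromisoformat(s)


def check_extensions(events):
    """Flag installs of extensions that are not pre-approved or request broad permissions."""
    findings = []
    for e in events:
        if e["type"] != "extension_install":
            continue
        if e["ext_id"] not in APPROVED_EXTENSIONS:
            findings.append(("unapproved_extension", e["user"], e["ext_id"]))
        broad = set(e["permissions"]) & BROAD_PERMISSIONS
        if broad:
            findings.append(("broad_extension_permissions", e["user"], e["ext_id"], sorted(broad)))
    return findings


def check_consents(events):
    """Flag grants of scopes outside the allow-list and repeated grants in a short window."""
    findings = []
    grants = defaultdict(list)  # (user, app) -> timestamps of grants seen so far
    consents = sorted((e for e in events if e["type"] == "oauth_consent"), key=lambda e: e["ts"])
    for e in consents:
        extra = set(e["scopes"]) - ALLOWED_SCOPES
        if extra:
            findings.append(("risky_oauth_scopes", e["user"], e["app"], sorted(extra)))
        key = (e["user"], e["app"])
        now = _ts(e["ts"])
        grants[key].append(now)
        recent = [t for t in grants[key] if now - t <= CONSENT_WINDOW]
        if len(recent) == REPEAT_CONSENT_THRESHOLD:  # fire once, when the threshold is reached
            findings.append(("repeated_consent_grants", e["user"], e["app"], len(recent)))
    return findings


def check_sessions(events):
    """Flag a session id used from a client fingerprint other than the one that completed login."""
    findings = []
    origin = {}  # session_id -> (ip, user_agent) recorded at login completion
    relevant = sorted((e for e in events if e["type"] in ("login_complete", "session_use")),
                      key=lambda e: e["ts"])
    for e in relevant:
        fp = (e["ip"], e["user_agent"])
        if e["type"] == "login_complete":
            origin[e["session_id"]] = fp
        elif e["session_id"] in origin and origin[e["session_id"]] != fp:
            findings.append(("session_replay_indicator", e["user"], e["session_id"], e["ip"]))
    return findings


def run_all(events):
    return check_extensions(events) + check_consents(events) + check_sessions(events)


# Constructed sample telemetry for the demonstration; not real data.
SAMPLE_EVENTS = [
    {"type": "extension_install", "ts": "2025-01-10T09:00:00", "user": "alice",
     "ext_id": "ext-password-manager", "permissions": ["storage"]},
    {"type": "extension_install", "ts": "2025-01-10T09:05:00", "user": "bob",
     "ext_id": "ext-free-pdf-tool", "permissions": ["<all_urls>", "cookies", "storage"]},
    {"type": "oauth_consent", "ts": "2025-01-10T10:00:00", "user": "alice", "app": "notes-app",
     "scopes": ["openid", "email"]},
    {"type": "oauth_consent", "ts": "2025-01-10T10:01:00", "user": "bob", "app": "mail-helper",
     "scopes": ["openid", "mail.readwrite", "files.readall"]},
    {"type": "oauth_consent", "ts": "2025-01-10T10:03:00", "user": "bob", "app": "mail-helper",
     "scopes": ["openid"]},
    {"type": "oauth_consent", "ts": "2025-01-10T10:06:00", "user": "bob", "app": "mail-helper",
     "scopes": ["openid"]},
    {"type": "login_complete", "ts": "2025-01-10T11:00:00", "user": "alice", "session_id": "s-1",
     "ip": "203.0.113.10", "user_agent": "UA-A"},
    {"type": "session_use", "ts": "2025-01-10T11:05:00", "user": "alice", "session_id": "s-1",
     "ip": "203.0.113.10", "user_agent": "UA-A"},
    {"type": "session_use", "ts": "2025-01-10T11:30:00", "user": "alice", "session_id": "s-1",
     "ip": "198.51.100.7", "user_agent": "UA-B"},
]

if __name__ == "__main__":
    for finding in run_all(SAMPLE_EVENTS):
        print(finding)
```

On the sample data the extension check fires twice for bob's unapproved, over-privileged extension, the consent check fires once for the risky scopes and once when the third grant to the same app lands inside the ten-minute window, and the session check fires once when alice's session id reappears from a different IP and user agent. In practice the fingerprint comparison would be fed by whatever the browser agent reports, and the scope allow-list would be maintained per app rather than globally.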

What's in the full article

Push Security's full article covers the operational detail this post intentionally leaves for the source:

  • How each browser attack technique works at the page, session, and control-bypass level
  • Examples of the browser and endpoint signals Push Security uses to detect suspicious activity
  • The practical differences between phishing, ClickFix, consent phishing, extensions, and stolen credentials in live environments
  • Why browser-based visibility changes incident response for SaaS access abuse

👉 Read Push Security's analysis of browser-based attacks and identity abuse →

