TL;DR: Browser-based attacks now bypass endpoint-centric controls by living inside the session layer, while CrowdStrike’s 2026 Global Threat Report says 82% of detections are malware-free and Push reports a 37x rise in device code phishing, showing why the browser has become the real identity attack surface. The governance gap is no longer visibility alone: access, token handling, and response all need to move to where authentication actually happens.
NHIMG editorial — based on content published by Push Security: why the gap between EDR and browser activity creates an identity security blind spot
By the numbers:
- 82% of attack detections are now malware-free, according to CrowdStrike's 2026 Global Threat Report.
- PhaaS-driven account compromise surged 389% year-over-year according to eSentire.
- Fake CAPTCHA lures used in ClickFix attacks increased 563% in 2025, according to CrowdStrike.
Questions worth separating out
Q: How should security teams handle identity risk when authentication happens in the browser?
A: Security teams should treat the browser as part of the identity control plane, not just the place where authentication happens.
Q: Why do endpoint tools miss so many browser-based account takeover attacks?
A: Endpoint tools miss these attacks because their visibility ends at the operating system, while the attack happens inside the browser session.
Q: What breaks when organisations rely on EDR alone for browser security?
A: Reliance on EDR alone breaks the chain between page behaviour and identity compromise.
Practitioner guidance
- Map browser-covered identity flows: Identify where authentication, consent, and sensitive application use now happen in browsers rather than in dedicated clients, and treat those flows as primary control points.
- Instrument session-layer detection and response: Deploy controls that can inspect DOM behaviour, suspicious script activity, clipboard events, and OAuth consent inside the browser session.
- Review browser extension and token risk together: Audit extensions with access to pages, forms, or session data, then correlate that access with token handling and MFA coverage.
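One way to start the extension audit from the last item, as an added example that is not code from Push Security or NHIMG: it reads Chrome extension manifests and flags those whose host patterns reach identity pages while also holding session-relevant permissions. The identity hosts and sample manifests are constructed assumptions; the manifest keys and permission names are standard Chrome ones. Correlating the result with token handling and MFA coverage is left to your own inventory.

```python
# Added example: audit extension manifests for reach into identity pages.
# IDENTITY_HOSTS and SAMPLES are constructed; replace with your own inventory.
IDENTITY_HOSTS = ["login.example.com", "sso.example.com"]  # assumed IdP/SSO hosts
# Chrome API permissions that expose session data, page content or the clipboard.
SESSION_APIS = {"cookies", "webRequest", "scripting", "clipboardRead", "clipboardWrite"}

def pattern_covers(pattern, host):
    """True if a match pattern can apply to https://<host>/ (path ignored, so it over-flags)."""
    if pattern == "<all_urls>":
        return True
    scheme, sep, rest = pattern.partition("://")
    if not sep or scheme not in ("*", "https"):
        return False
    host_pat = rest.split("/", 1)[0]
    if host_pat == "*":
        return True
    if host_pat.startswith("*."):  # "*.example.com" covers example.com and subdomains
        return host == host_pat[2:] or host.endswith(host_pat[1:])
    return host == host_pat

def audit_manifest(manifest, identity_hosts=IDENTITY_HOSTS):
    perms = manifest.get("permissions", []) + manifest.get("optional_permissions", [])
    # Manifest V3 lists hosts separately; V2 mixes host patterns into "permissions".
    hosts = [p for p in perms if p == "<all_urls>" or "://" in p]
    hosts += manifest.get("host_permissions", []) + manifest.get("optional_host_permissions", [])
    scripts = [m for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])]
    reach = [h for h in identity_hosts if any(pattern_covers(p, h) for p in hosts + scripts)]
    injects = any(pattern_covers(p, h) for p in scripts for h in identity_hosts)
    apis = sorted(SESSION_APIS.intersection(perms))
    return {
        "name": manifest.get("name", "?"),
        "identity_hosts": reach,
        "session_apis": apis,
        "injects_into_login": injects,
        # Review when the extension reaches a login host AND can read or alter the session.
        "review": bool(reach) and (bool(apis) or injects),
    }

SAMPLES = [  # constructed manifests
    {"name": "Tab Tidy", "manifest_version": 3, "permissions": ["tabs", "storage"]},
    {"name": "Coupon Helper", "manifest_version": 3,
     "permissions": ["cookies", "scripting"], "host_permissions": ["<all_urls>"]},
    {"name": "Form Filler", "manifest_version": 2, "permissions": ["storage", "*://*.example.com/*"],
     "content_scripts": [{"matches": ["https://login.example.com/*"], "js": ["fill.js"]}]},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(audit_manifest(m))
```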
What's in the full article
Push Security's full analysis covers the operational detail this post intentionally leaves for the source:
- Side-by-side walkthroughs of AiTM phishing, session hijacking, device code phishing, and ClickFix attack mechanics
- Browser-session detection examples showing how DOM, script, and clipboard behaviours are used as telemetry
- Deployment notes on how browser-layer controls integrate with existing SIEM and XDR workflows
- Practical comparison of what endpoint, network, and browser-layer tools each can and cannot see
Browser blind spots and identity attacks: are your controls keeping up?
Explore further
Browser-layer identity attacks expose a visibility gap, not just a detection gap. The core problem is that EDR observes the host while attackers now operate in the session, where authentication, token issuance, and application access converge. That makes browser telemetry a governance requirement for identity programmes, not an optional enhancement. Practitioners should treat browser visibility as part of identity control design, not a separate security tool category.
A few things that frame the scale:
- 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, with 38% reporting no or low visibility and 47% only partial visibility.
A question worth separating out:
Q: How can teams decide whether they need browser-native controls or more network filtering?
A: Teams should use browser-native controls when the risk is inside the session, such as credential relay, token theft, or malicious clipboard execution. Network filtering helps with known-bad destinations, but it cannot reliably see what happens after the page loads. If the attack is identity-driven, inspection must move into the browser.