Browser extension tactics matrix: what it means for IAM teams


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5324
Topic starter  

TL;DR: Browser extensions now sit inside trusted browser sessions, where they can access tokens, data, and active accounts while still looking legitimate, according to LayerX Security. A dedicated tactics and techniques matrix gives defenders a common language for detection and policy, but it also shows that browser-side identity risk is broader than endpoint-only thinking.

NHIMG editorial — based on content published by LayerX Security: Introducing the Tactics & Techniques Matrix for Malicious Browser Extensions

Questions worth separating out

Q: How should security teams govern browser extensions that can touch identity sessions?

A: Security teams should govern browser extensions as access-bearing software, not as harmless productivity add-ons.

Q: Why do browser extensions create risk for identity and access controls?

A: Browser extensions can sit inside a trusted session and interact with page content, requests, and session state.

Q: What do security teams get wrong about malicious browser extensions?

A: Teams often treat extensions as a browser hygiene issue instead of an access governance issue.

Practitioner guidance

  • Inventory browser extensions by permission and data access: Classify installed extensions by the permissions they request, the pages they can read, and whether they can modify requests or inject scripts.
  • Add extension review to access governance workflows: Require security review for extensions that touch login, password management, document editing, or enterprise collaboration workflows.
  • Map extension behaviour to named tactics: Translate incidents and alerts into a common taxonomy such as credential harvesting, header modification, content spoofing, and data exfiltration.

What's in the full article

LayerX Security's full blog post covers the operational detail this post intentionally leaves for the source:

  • The complete extension tactics matrix with the full set of tactic and technique categories
  • Examples of how specific extension behaviors map to persistence, credential access, and exfiltration patterns
  • The article's defensive framing for reviewers, SOC teams, and browser security engineers
  • The source's discussion of how the matrix can shape future detection logic and store policy

👉 Read LayerX Security's analysis of malicious browser extension tactics and techniques →

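Added example, not part of the post above or of LayerX Security's matrix: one way to run the permission inventory described under "Practitioner guidance", by reading each extension's `manifest.json` and flagging page access, request modification, script injection and cookie access. The sample manifests are constructed, and the capability flags and review tiers are assumptions of this example.

```python
import json

BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
MODIFY = {"webRequestBlocking", "declarativeNetRequest",
          "declarativeNetRequestWithHostAccess"}
ORDER = {"review": 0, "standard": 1, "low": 2}  # tiers are this example's assumption

def _is_host(p):
    return p == "<all_urls>" or "://" in p

def classify(manifest):
    """Summarise what one manifest (MV2 or MV3) lets the extension do."""
    # Optional permissions count: the extension can request them after install.
    declared = manifest.get("permissions", []) + manifest.get("optional_permissions", [])
    api = {p for p in declared if not _is_host(p)}
    # MV2 puts host patterns under "permissions"; MV3 uses "host_permissions".
    hosts = {p for p in declared if _is_host(p)}
    hosts |= set(manifest.get("host_permissions", []) + manifest.get("optional_host_permissions", []))
    scripts = manifest.get("content_scripts", [])
    for cs in scripts:
        hosts |= set(cs.get("matches", []))
    caps = {
        "name": manifest.get("name", "<unnamed>"),
        "hosts": sorted(hosts),
        "all_sites": bool(hosts & BROAD),
        "observes_requests": "webRequest" in api,
        "modifies_requests": bool(api & MODIFY),
        "injects_scripts": bool(scripts) or "scripting" in api,
        "reads_cookies": "cookies" in api,
    }
    risky = caps["modifies_requests"] or caps["injects_scripts"] or caps["reads_cookies"]
    caps["tier"] = ("review" if risky and caps["all_sites"]
                    else "standard" if risky or hosts else "low")
    return caps

def inventory(manifest_texts):
    rows = [classify(json.loads(t)) for t in manifest_texts]
    return sorted(rows, key=lambda r: (ORDER[r["tier"]], r["name"]))

# Constructed sample manifests, not taken from real extensions.
SAMPLES = [
    '{"name": "Tab Tidy", "manifest_version": 3, "permissions": ["tabs", "storage"]}',
    '{"name": "Notes Clipper", "manifest_version": 3, "permissions": ["scripting"],'
    ' "host_permissions": ["https://notes.example/*"]}',
    '{"name": "Coupon Helper", "manifest_version": 2, "permissions":'
    ' ["cookies", "webRequest", "webRequestBlocking", "<all_urls>"]}',
    '{"name": "Dark Theme", "manifest_version": 3, "content_scripts":'
    ' [{"matches": ["*://*/*"], "js": ["theme.js"]}]}',
]
```

Calling `inventory(SAMPLES)` returns the rows with the "review" tier first; in practice the input would be the manifest files collected from managed browser profiles.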
(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 4160
 

Browser extensions have become a shadow identity layer inside the enterprise browser. Once extensions can observe sessions, page content, and authentication flows, they are operating in a space that IAM teams rarely govern explicitly. That creates a governance gap, not just a detection gap, because the extension can act inside trusted user context while remaining outside most identity review processes. Practitioners should treat browser extension control as part of access governance, not as an isolated browser hardening exercise.

A few things that frame the scale:

  • 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which shows how weak identity observability still is across machine access paths.

A question worth separating out:

Q: How can organisations compare risky extensions against each other?

A: Compare them by the behaviors that matter operationally, such as persistence, credential access, content manipulation, and exfiltration. A shared taxonomy lets analysts and reviewers rank extensions based on the controls they can bypass and the data they can reach. That is more useful than judging them only by category name or store rating.

👉 Read our full editorial: Browser extension attack patterns need their own tactics matrix
