Notifications
Clear all
Topic starter
11/06/2026 11:11 pm
TL;DR: Browser extension visibility, malicious copy-and-paste detection for ClickFix-style attacks, read-only RBAC for investigations, and domain enrichment for detections are among the additions in a monthly update, according to Push Security. The operational shift is toward faster triage and narrower investigation access, not just more alerts.
NHIMG editorial — based on content published by Push Security: Browser extension visibility, ClickFix detection, RBAC and more
By the numbers:
- You can now expand the URL blocking control to 2,000 URLs.
Questions worth separating out
Q: How should security teams detect browser-based copy-paste attacks before they execute locally?
A: Monitor for clipboard content that resembles commands, scripts, or obfuscated instructions, then correlate that activity with browser events and local execution signals.
Q: Why do browser extensions create identity governance risk?
A: Extensions can broaden the browser trust boundary by accessing content, modifying pages, or interacting with data that identity teams assume is protected by the browser session.
Q: How do security teams know whether investigation access is too broad?
A: A strong signal is when responders need full console rights to do routine triage.
Practitioner guidance
- Inventory browser extensions by provenance and permission Enable browser extension visibility and separate policy-installed, manually installed, and sideloaded extensions in reporting.
- Tune copy-paste detections for execution, not nuisance Set malicious copy and paste detection to Monitor first, then validate which clipboard patterns correlate with command execution or suspicious browser handoffs.
- Split investigation access from admin control Use read-only console roles for triage, app review, and offboarding checks, while reserving configuration changes for a smaller admin set.
What's in the full article
Push Security’s full post covers the operational detail this post intentionally leaves for the source:
- Step-by-step console configuration for browser extension visibility and investigation views
- Detection and exception handling options for malicious copy and paste controls
- Read-only admin role setup for investigation, app review, and offboarding workflows
- Domain enrichment settings for urlscan.io context and domain registration signals
👉 Read Push Security’s update on browser extension visibility and ClickFix detection →
Browser extensions and ClickFix detection: what should IAM teams change?
Explore further
12/06/2026 7:44 am
Browser-side telemetry is now an identity governance requirement, not an optional detective control. Once teams can see browser extensions, app activity, and entity-linked events in one console, the browser becomes part of the governed identity surface. That matters because browser extensions can create hidden access paths and alter what a user can see, copy, or execute. Practitioners should treat browser observability as part of NHI and human identity oversight, not as a separate endpoint add-on.
A few things that frame the scale:
- Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging (37%) and over-privileged accounts (37%), according to The State of Non-Human Identity Security.
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, including 38% with no or low visibility and 47% with only partial visibility, according to The State of Non-Human Identity Security.
A question worth separating out:
Q: What should teams do with domain enrichment in detection workflows?
A: Use it to rank the credibility of a detection, not to replace investigation. Fresh registration, repeated scans, and negative verdicts can help prioritise suspicious infrastructure, but the final decision still needs identity context, event correlation, and an operational response process.
👉 Read our full editorial: Browser extension visibility and copy-paste detection change triage
