
Browser identity attacks: what IAM teams are missing now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5324
Topic starter  

TL;DR: Identity attacks now concentrate in the browser, where stolen credentials, session tokens, OAuth consent abuse, and phished logins bypass legacy endpoint, email, and network controls, according to Push Security. The governing assumption has shifted: identity is the prize, and browser visibility is now a control plane, not a convenience layer.

NHIMG editorial — based on content published by Push Security: how attacks have moved from endpoints and internal networks to the browser

By the numbers:

Questions worth separating out

Q: How should security teams defend against browser-based identity attacks?

A: They should move controls closer to the browser session, where login, consent, token use, and phishing all converge.

Q: Why do traditional IAM controls miss modern account takeover?

A: Traditional IAM often assumes the decisive security event is authentication at the IdP.

Q: What do security teams get wrong about phishing-resistant authentication?

A: They often treat phishing-resistant login as the end of the problem.

Practitioner guidance

  • Instrument browser-side identity telemetry: capture login method, redirect chain, page interaction, and credential handling in the browser so identity compromise can be detected where it actually happens.
  • Inventory fallback authentication paths: map where users can downgrade from phishing-resistant methods to weaker recovery or backup login options, then remove the downgrade path wherever business risk is high.
  • Prioritise session revocation workflows: ensure stolen tokens and active sessions can be invalidated quickly across SaaS applications, because browser-based takeover often bypasses password resets.
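As an added illustration of the first two guidance points (this is not code from Push Security or NHIMG), a small Python triage over constructed browser-side telemetry: the event schema, the IdP-origin inventory, the set of passkey-enrolled users and the sample events are all assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed inventory: which origin legitimately hosts the login page for each
# identity, and which users are enrolled in a phishing-resistant method.
KNOWN_IDP_ORIGIN = {"alice@example.com": "https://login.example.com"}
PHISHING_RESISTANT_USERS = {"alice@example.com"}


@dataclass
class BrowserEvent:
    """One browser-side telemetry record (hypothetical schema, not a real product's)."""
    user: str                    # identity typed into the form, if any
    origin: str                  # origin of the page the user interacted with
    redirect_chain: list         # origins traversed before reaching this page
    password_filled: bool        # a password field received keyboard input
    login_method: Optional[str]  # "passkey", "password", "otp", "recovery" or None


def triage(events):
    """Return (user, finding, detail) tuples for browser activity worth an analyst's look."""
    alerts = []
    for e in events:
        idp = KNOWN_IDP_ORIGIN.get(e.user)
        # Credential handling: a password typed for a known identity on a page that is
        # not its IdP points at a lookalike or proxied (AiTM-style) login page.
        if e.password_filled and idp and e.origin != idp:
            alerts.append((e.user, "credential_entered_off_idp", e.origin))
        # Fallback path: a passkey-enrolled user completing login with a weaker method is
        # exactly the downgrade the guidance says to inventory and remove.
        if e.login_method and e.login_method != "passkey" and e.user in PHISHING_RESISTANT_USERS:
            alerts.append((e.user, "auth_downgrade", e.login_method))
    return alerts


# Constructed sample telemetry: a normal passkey login, a password capture on a
# lookalike domain reached via a shortener, then a recovery-code login at the real IdP.
SAMPLE_EVENTS = [
    BrowserEvent("alice@example.com", "https://login.example.com", ["https://app.example.com"], False, "passkey"),
    BrowserEvent("alice@example.com", "https://login-example.co", ["https://t.co"], True, None),
    BrowserEvent("alice@example.com", "https://login.example.com", [], False, "recovery"),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The redirect chain is carried on each event so the same records can feed an IdP-side correlation later; the two checks above deliberately do not alert on it alone, since legitimate SaaS-initiated logins also arrive at the IdP from foreign origins.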

What's in the full article

Push Security's full article covers the operational detail this post intentionally leaves for the source:

  • Browser telemetry examples showing how page layout, redirects, and form activity reveal phishing behaviour.
  • Details on how malicious browser extensions, infostealer logs, and AiTM kits feed identity takeover.
  • Examples of browser-level detection and response logic for session hijacking and credential theft.
  • Operational guidance on identifying ghost logins, MFA gaps, and risky OAuth integrations.

👉 Read Push Security's analysis of browser-based identity attacks and SaaS blind spots →
