TL;DR: Identity attacks now concentrate in the browser, where stolen credentials, session tokens, OAuth consent abuse, and phished logins bypass legacy endpoint, email, and network controls, according to Push Security. The governing assumption has shifted: identity is the prize, and browser visibility is now a control plane, not a convenience layer.
NHIMG editorial — based on content published by Push Security: how attacks have moved from endpoints and internal networks to the browser
By the numbers:
- A 1,000 user organization has over 15,000 accounts with various configurations and associated vulnerabilities.
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases.
Questions worth separating out
Q: How should security teams defend against browser-based identity attacks?
A: They should move controls closer to the browser session, where login, consent, token use, and phishing all converge.
Q: Why do traditional IAM controls miss modern account takeover?
A: Traditional IAM often assumes the decisive security event is authentication at the IdP.
Q: What do security teams get wrong about phishing-resistant authentication?
A: They often treat phishing-resistant login as the end of the problem.
Practitioner guidance
- Instrument browser-side identity telemetry Capture login method, redirect chain, page interaction, and credential handling in the browser so identity compromise can be detected where it actually happens.
- Inventory fallback authentication paths Map where users can downgrade from phishing-resistant methods to weaker recovery or backup login options, then remove the downgrade path wherever business risk is high.
- Prioritise session revocation workflows Ensure stolen tokens and active sessions can be invalidated quickly across SaaS applications, because browser-based takeover often bypasses password resets.
What's in the full article
Push Security's full article covers the operational detail this post intentionally leaves for the source:
- Browser telemetry examples showing how page layout, redirects, and form activity reveal phishing behaviour.
- Details on how malicious browser extensions, infostealer logs, and AiTM kits feed identity takeover.
- Examples of browser-level detection and response logic for session hijacking and credential theft.
- Operational guidance on identifying ghost logins, MFA gaps, and risky OAuth integrations.
👉 Read Push Security's analysis of browser-based identity attacks and SaaS blind spots →
Browser identity attacks: what IAM teams are missing now?
Explore further
Identity compromise has moved from endpoint intrusion to browser-mediated account takeover. The browser is now where credentials, sessions, consent, and login method decisions converge, so control strategies built around device compromise or network perimeter loss miss the real attack surface. This shift applies across human IAM and SaaS-managed non-human access alike. Practitioners should treat browser exposure as the primary identity risk boundary.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months.
A question worth separating out:
Q: How can organisations tell whether browser identity controls are working?
A: Look for reduced use of weak login paths, faster session revocation, fewer unauthorised consent grants, and visibility into suspicious browser behaviours such as unusual redirects or script activity. If the team cannot see those signals, the control is not working at the layer where the attack occurs.
👉 Read our full editorial: Browser-based identity attacks expose the new SaaS blind spot