TL;DR: Phishing is moving beyond email into social media, messaging apps, search ads, and in-app channels, which makes mailbox-centric controls less effective and widens the path to account compromise, according to Push Security. The real gap is not delivery alone but the identity layer that turns one stolen login into access across SSO-connected apps and business systems.
NHIMG editorial — based on content published by Push Security: non-email phishing, identity compromise, and modern evasion tactics
By the numbers:
- According to the most recent Verizon DBIR, more than 60% of the credentials found in infostealer logs were for social media sites.
- When AWS credentials are exposed publicly, attackers attempt to use them within 17 minutes on average, and in as little as 9 minutes in some cases.
Questions worth separating out
Q: How should security teams respond when phishing moves outside email channels?
A: They should move detection to the browser and identity layers, because the mailbox is no longer the only or even the main delivery path.
Q: Why do non-email phishing campaigns increase enterprise risk?
A: They increase risk because they bypass the controls most organisations built around email, while still targeting the same identities and the same SSO-connected applications.
Q: What do organisations get wrong about blocking phishing URLs?
A: They often assume that blocking the reported URL is enough, but modern campaigns rotate domains quickly and serve the phishing page only to selected visitors, so a blocklist built from one report is stale almost as soon as it is deployed and static controls never see the content the target saw.
Practitioner guidance
- Expand phishing detection beyond email: instrument browser-based detection that observes page rendering, token theft behaviour, and suspicious login flows across social, search, and chat-delivered lures.
- Map SSO blast radius for high-risk accounts: identify which business apps inherit trust from core identity providers and prioritise those paths for stronger session monitoring and revocation.
- Harden session protection and revocation: shorten the window between suspicious authentication and containment by revoking tokens, forcing re-authentication, and alerting on anomalous browser sessions.
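One way to do the blast-radius mapping in the second item, as an added example that is not Push Security's code or tooling and not part of the editorial: it takes a simplified identity-provider assignment export (users, groups, and apps carrying an assumed sensitivity tier), expands group membership so every path a stolen login inherits is visible, scores each identity by what its session could reach, and inverts the map for the critical apps. The export shape, the tier weights, and every user, group and app name are constructed for the example.

```python
"""Map SSO blast radius from an identity-provider assignment export.

Added example for this editorial; it is not Push Security's code. It assumes a
simplified export in which apps are assigned either to users or to groups and each
app carries a sensitivity tier. Real IdP exports (Okta, Entra ID, and others) differ
in shape but carry the same facts. All data below is constructed for illustration.
"""
from collections import defaultdict

# Constructed sample: group -> members.
GROUP_MEMBERS = {
    "all-staff": {"alice", "bob", "carol", "dave"},
    "engineering": {"alice", "bob"},
    "finance": {"carol"},
    "it-admins": {"dave"},
}

# Constructed sample: app -> principals ("user:<name>" or "group:<name>") and tier.
APP_ASSIGNMENTS = {
    "email": {"principals": {"group:all-staff"}, "tier": "standard"},
    "wiki": {"principals": {"group:all-staff"}, "tier": "standard"},
    "source-control": {"principals": {"group:engineering"}, "tier": "high"},
    "crm": {"principals": {"user:bob", "group:finance"}, "tier": "high"},
    "payroll": {"principals": {"group:finance"}, "tier": "critical"},
    "cloud-console": {"principals": {"group:it-admins", "user:alice"}, "tier": "critical"},
}

# Weights are an assumption for this example; tune them to your own app inventory.
TIER_WEIGHT = {"standard": 1, "high": 3, "critical": 10}


def resolve_access(group_members, app_assignments):
    """Expand group assignments so the result is {user: {app, ...}}.

    This is the inherited trust the guidance refers to: one stolen login reaches
    every app the user, or any group the user belongs to, is assigned.
    """
    access = defaultdict(set)
    for app, meta in app_assignments.items():
        for principal in meta["principals"]:
            kind, _, name = principal.partition(":")
            if kind == "user":
                access[name].add(app)
            elif kind == "group":
                for user in group_members.get(name, ()):
                    access[user].add(app)
            else:
                raise ValueError(f"unknown principal type in {principal!r}")
    return dict(access)


def blast_radius(access, app_assignments, tier_weight=TIER_WEIGHT):
    """Score each identity by the weighted set of apps a stolen session could reach."""
    return {
        user: sum(tier_weight[app_assignments[app]["tier"]] for app in apps)
        for user, apps in access.items()
    }


def rank_identities(access, app_assignments, tier_weight=TIER_WEIGHT):
    """Return [(user, score, sorted apps)] with the largest blast radius first."""
    scores = blast_radius(access, app_assignments, tier_weight)
    return sorted(
        ((user, scores[user], sorted(access[user])) for user in access),
        key=lambda row: (-row[1], row[0]),
    )


def critical_reach(access, app_assignments):
    """Invert the map for critical apps: which identities can reach each one.

    These are the paths to put first in line for session monitoring and revocation.
    """
    reach = {}
    for user, apps in access.items():
        for app in apps:
            if app_assignments[app]["tier"] == "critical":
                reach.setdefault(app, set()).add(user)
    return reach


if __name__ == "__main__":
    access = resolve_access(GROUP_MEMBERS, APP_ASSIGNMENTS)
    for user, score, apps in rank_identities(access, APP_ASSIGNMENTS):
        print(f"{user:<6} score={score:<3} apps={apps}")
    print("critical app reach:", critical_reach(access, APP_ASSIGNMENTS))
```

The scoring is deliberately simple; the part that matters is the transitive expansion, because a direct assignment nobody remembers (here, alice on the cloud console) is exactly what a group-only review misses. Run against a real export, the `critical_reach` output is the short list of identities whose sessions deserve the tightest monitoring and the fastest revocation path.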
What's in the full article
Push Security's full article covers the operational detail this post intentionally leaves for the source:
- Browser-based detection examples for AiTM phishing, credential stuffing, ClickFixing, and session hijacking
- Case study walkthroughs showing how social media and malvertising campaigns are chained into identity compromise
- Technical examples of the obfuscation and conditional-loading tricks used to evade proxy and email controls
- The vendor's product overview and demo path for teams evaluating browser-based identity attack detection
👉 Read Push Security's analysis of non-email phishing and identity compromise →
Non-email phishing and identity compromise: are controls keeping up?
Explore further
Non-email phishing has turned the browser into the real control plane of user compromise. Once attackers can reach victims outside email, the security model shifts from message hygiene to identity interception. Mailbox-only controls miss the page the user actually sees, which means the first meaningful security boundary is now the browser session and the identity interaction that follows. Practitioners should treat browser-layer visibility as a core control plane, not an enhancement.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging at 37% and over-privileged accounts at 37%.
A question worth separating out:
Q: How can teams reduce the impact of a stolen login session?
A: Teams should treat the session as the primary compromise object and build rapid revocation paths around it. That means continuous monitoring for anomalous browser activity, immediate token invalidation when risk is detected, and tighter access controls on identities that can reach many downstream apps.
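A minimal version of treating the session as the compromise object, added here as an example (it is not Push Security's detection logic and not code from the editorial): it parses constructed authentication and activity log lines, compares each activity event against the network and browser fingerprint recorded when the session was minted, and emits revoke-and-reauthenticate actions for sessions that appear to be replayed from somewhere else. The ASN field is assumed to come from an upstream IP enrichment step, and the rule thresholds are assumptions chosen for the example.

```python
"""Flag likely stolen sessions from login/activity logs and decide revocations.

Added example for this editorial; it is not Push Security's detection logic. The
log lines below are constructed, and the "asn" field is assumed to have been added
by an upstream enrichment step (raw identity-provider logs usually carry only the IP).
"""
import json

# Constructed JSON-lines log: a "login" event mints a session, "activity" events reuse it.
LOG_LINES = """\
{"ts": "2024-05-02T09:00:00+00:00", "user": "alice", "session_id": "s-1", "kind": "login", "ip": "203.0.113.10", "asn": "AS64500", "ua": "Chrome/124.0 (Windows NT 10.0)"}
{"ts": "2024-05-02T09:05:00+00:00", "user": "alice", "session_id": "s-1", "kind": "activity", "ip": "203.0.113.10", "asn": "AS64500", "ua": "Chrome/124.0 (Windows NT 10.0)"}
{"ts": "2024-05-02T09:12:00+00:00", "user": "alice", "session_id": "s-1", "kind": "activity", "ip": "198.51.100.7", "asn": "AS64501", "ua": "Chrome/122.0 (X11; Linux x86_64)"}
{"ts": "2024-05-02T09:30:00+00:00", "user": "bob", "session_id": "s-2", "kind": "login", "ip": "192.0.2.44", "asn": "AS64502", "ua": "Safari/17.4 (Macintosh)"}
{"ts": "2024-05-02T09:45:00+00:00", "user": "bob", "session_id": "s-2", "kind": "activity", "ip": "192.0.2.45", "asn": "AS64502", "ua": "Safari/17.5 (Macintosh)"}
{"ts": "2024-05-02T10:00:00+00:00", "user": "carol", "session_id": "s-3", "kind": "login", "ip": "203.0.113.22", "asn": "AS64500", "ua": "Firefox/125.0 (Windows NT 10.0)"}
{"ts": "2024-05-02T10:20:00+00:00", "user": "carol", "session_id": "s-3", "kind": "activity", "ip": "203.0.113.22", "asn": "AS64500", "ua": "Firefox/125.0 (Windows NT 10.0)"}
"""


def parse_events(text):
    """Parse JSON lines and order them by timestamp (ISO-8601 with one offset sorts lexically)."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])


def analyse_sessions(events):
    """Compare every activity event with the fingerprint captured at the session's login.

    Rules (assumptions for this example, not a standard):
      - ASN *and* user agent both differ from the login -> token_replay_suspected (high)
      - only the user agent differs                      -> ua_drift (low)
      - activity on a session with no login in the window -> no_login_observed (info)
    """
    login_by_session = {e["session_id"]: e for e in events if e["kind"] == "login"}
    findings = []
    for e in events:
        if e["kind"] != "activity":
            continue
        base = {"session_id": e["session_id"], "user": e["user"], "ts": e["ts"]}
        origin = login_by_session.get(e["session_id"])
        if origin is None:
            findings.append({**base, "kind": "no_login_observed", "severity": "info",
                             "detail": "session used without an observed login"})
            continue
        asn_changed = e["asn"] != origin["asn"]
        ua_changed = e["ua"] != origin["ua"]
        if asn_changed and ua_changed:
            findings.append({**base, "kind": "token_replay_suspected", "severity": "high",
                             "detail": f"minted from {origin['asn']} / {origin['ua']}, "
                                       f"used from {e['asn']} / {e['ua']}"})
        elif ua_changed:
            findings.append({**base, "kind": "ua_drift", "severity": "low",
                             "detail": f"user agent changed within session: {origin['ua']} -> {e['ua']}"})
    return findings


def containment_actions(findings):
    """One revocation per high-severity session; the user must re-authenticate to continue."""
    actions, seen = [], set()
    for f in findings:
        if f["severity"] == "high" and f["session_id"] not in seen:
            seen.add(f["session_id"])
            actions.append({"action": "revoke_and_reauth",
                            "session_id": f["session_id"], "user": f["user"]})
    return actions


if __name__ == "__main__":
    events = parse_events(LOG_LINES)
    findings = analyse_sessions(events)
    for f in findings:
        print(f"[{f['severity']}] {f['session_id']} {f['user']}: {f['kind']} ({f['detail']})")
    for a in containment_actions(findings):
        print("ACTION", a)
```

Requiring both the network origin and the user agent to change keeps a user moving from office Wi-Fi to a mobile network from triggering revocations, at the cost of missing an attacker who replays the token from the same ASN with a matching user agent; treat the rule as a starting point, and route the low-severity drift findings to a review queue rather than to automatic revocation. The important property is the shape of the pipeline: the decision is made on the session itself, not on whether a URL was ever blocked.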
👉 Read our full editorial: Non-email phishing is expanding the identity attack surface