TL;DR: Phishing became omni-channel in 2025, with roughly 1 in 3 attacks detected by Push Security arriving outside email and attacker toolkits increasingly bypassing MFA, consent controls, and browser defenses through AiTM kits, device-code abuse, and browser-native social engineering. The browser, not the inbox, is now where identity compromise is most likely to begin and where detection strategy has to catch up.
NHIMG editorial — based on content published by Push Security: Phishing trends in 2025 and what they mean for 2026
By the numbers:
- Roughly 1 in 3 phishing attacks detected by Push Security were delivered outside of email.
- The top initial access vector detected by Microsoft last year was ClickFix, involved in 47% of attacks.
Questions worth separating out
Q: How should security teams defend against phishing when attacks move beyond email?
A: Security teams should shift from inbox-centric prevention to browser-aware detection, stronger app-consent governance, and post-login monitoring.
Q: Why do phishing-resistant authentication methods still fail in real attacks?
A: Phishing-resistant authentication reduces password replay, but it does not eliminate session theft, consent abuse, or browser-native social engineering.
Q: What do security teams get wrong about browser-based phishing defence?
A: Many teams still treat browser phishing as a web filtering problem instead of an identity and session problem.
Practitioner guidance
- Instrument browser-side detection and response: monitor the browser as the primary phishing execution environment, including redirects, suspicious consent flows, extension activity, and session hijack signals.
- Review OAuth consent and device-code exposure: audit tenant settings, app consent policies, and device-code login usage so that malicious app authorisation and substitute-passcode abuse are constrained before they become routine entry paths.
- Reduce reliance on MFA as a finish line: treat MFA as one control in a larger identity flow, then validate whether session binding, conditional access, and post-login monitoring can detect reuse after a proxy-based login has succeeded.
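The last two guidance points can be turned into a small post-login triage pass. The script below is an added illustration, not Push Security's tooling: it runs over constructed sign-in records (the field names `ts`, `user`, `session`, `ip`, `ua`, `protocol` are assumptions modelled loosely on identity-provider sign-in logs) and flags device-code sign-ins plus sessions presented from more than one client fingerprint, the pattern left behind when an AiTM proxy replays a captured session.

```python
import json
from collections import defaultdict

# Constructed sample sign-in records for this example (not real tenant data).
# Field names are an assumption; map them onto your own provider's schema.
SAMPLE_LOG = """
{"ts": "2025-03-02T09:01:00Z", "user": "alice", "session": "s-1001", "ip": "203.0.113.10", "ua": "Chrome/123", "protocol": "oAuth2"}
{"ts": "2025-03-02T09:03:00Z", "user": "alice", "session": "s-1001", "ip": "198.51.100.7", "ua": "python-requests/2.31", "protocol": "oAuth2"}
{"ts": "2025-03-02T10:15:00Z", "user": "bob", "session": "s-2002", "ip": "203.0.113.44", "ua": "Firefox/124", "protocol": "deviceCode"}
{"ts": "2025-03-02T11:00:00Z", "user": "carol", "session": "s-3003", "ip": "203.0.113.90", "ua": "Chrome/123", "protocol": "oAuth2"}
{"ts": "2025-03-02T11:05:00Z", "user": "carol", "session": "s-3003", "ip": "203.0.113.90", "ua": "Chrome/123", "protocol": "oAuth2"}
"""


def parse_events(raw):
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in raw.strip().splitlines() if line.strip()]


def find_device_code_logins(events):
    """Device-code sign-ins are unusual for interactive users; list who used them."""
    return sorted({e["user"] for e in events if e.get("protocol") == "deviceCode"})


def find_session_reuse(events):
    """A session seen from more than one (ip, user agent) pair after login is
    consistent with a token replayed through a proxy; MFA already passed, so
    only post-login monitoring or session binding catches it."""
    fingerprints = defaultdict(set)
    for e in events:
        fingerprints[(e["user"], e["session"])].add((e["ip"], e["ua"]))
    return sorted(f"{user}:{sess}" for (user, sess), fps in fingerprints.items() if len(fps) > 1)


def triage(raw=SAMPLE_LOG):
    """Return both finding lists for the supplied log text."""
    events = parse_events(raw)
    return {
        "device_code_users": find_device_code_logins(events),
        "reused_sessions": find_session_reuse(events),
    }


if __name__ == "__main__":
    print(json.dumps(triage(), indent=2))
```

On the constructed records, `bob` surfaces for the device-code login and `alice:s-1001` for a session reused from a second IP and a scripted user agent, while `carol`'s repeated sign-in from one client stays quiet.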
What's in the full article
Push Security's full report covers the operational detail this post intentionally leaves for the source:
- Attack-demo examples showing the exact browser-based phishing patterns intercepted in 2025
- Channel-specific breakdowns of non-email phishing, including LinkedIn, search, and malvertising paths
- Technique-level detail on AiTM kits, consent phishing, device-code abuse, and ConsentFix
- Demonstration material that shows how the detections were surfaced during the webinar
👉 Read Push Security's analysis of how phishing evolved in 2025 →
Omni-channel phishing in 2025: what IAM teams need to change?