Omni-channel phishing in 2025: what IAM teams need to change


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9079
Topic starter  

TL;DR: Phishing became omni-channel in 2025, with roughly 1 in 3 attacks detected by Push Security arriving outside email and attacker toolkits increasingly bypassing MFA, consent controls, and browser defenses through AiTM kits, device-code abuse, and browser-native social engineering. The browser, not the inbox, is now where identity compromise is most likely to begin and where detection strategy has to catch up.

NHIMG editorial — based on content published by Push Security: Phishing trends in 2025 and what they mean for 2026

By the numbers:

Questions worth separating out

Q: How should security teams defend against phishing when attacks move beyond email?

A: Security teams should shift from inbox-centric prevention to browser-aware detection, stronger app-consent governance, and post-login monitoring.

Q: Why do phishing-resistant authentication methods still fail in real attacks?

A: Phishing-resistant authentication reduces password replay, but it does not eliminate session theft, consent abuse, or browser-native social engineering.

Q: What do security teams get wrong about browser-based phishing defence?

A: Many teams still treat browser phishing as a web filtering problem instead of an identity and session problem.

Practitioner guidance

  • Instrument browser-side detection and response: Monitor the browser as the primary phishing execution environment, including redirects, suspicious consent flows, extension activity, and session hijack signals.
  • Review OAuth consent and device-code exposure: Audit tenant settings, app consent policies, and device-code login usage so that malicious app authorisation and substitute-passcode abuse are constrained before they become routine entry paths.
  • Reduce reliance on MFA as a finish line: Treat MFA as one control in a larger identity flow, then validate whether session binding, conditional access, and post-login monitoring can detect reuse after a proxy-based login has succeeded.
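One way to operationalise the post-login monitoring and device-code audit points above, as an added example that is not code from Push Security or this post: two simple detections run over constructed sign-in events. The event schema, field names, 30-minute window and sample values are all assumptions, not any product's real log format.

```python
"""Post-login session-reuse and device-code detection over constructed sign-in events.

Added example, not code from Push Security or the NHIMG post. The event schema
below is a constructed, simplified one (not a real product's log format).
"""
from datetime import datetime, timedelta

# Constructed sample events: one login whose session token is reused from a
# different network minutes later (the pattern an AiTM proxy leaves behind),
# one device-code sign-in, and one user who legitimately changes network hours later.
EVENTS = [
    {"ts": "2025-03-04T09:00:00", "user": "alice", "session": "S1", "ip": "203.0.113.10", "event": "login",    "protocol": "oauth2"},
    {"ts": "2025-03-04T09:03:00", "user": "alice", "session": "S1", "ip": "198.51.100.7", "event": "api_call", "protocol": "oauth2"},
    {"ts": "2025-03-04T09:10:00", "user": "bob",   "session": "S2", "ip": "203.0.113.20", "event": "login",    "protocol": "deviceCode"},
    {"ts": "2025-03-04T09:12:00", "user": "bob",   "session": "S2", "ip": "203.0.113.20", "event": "api_call", "protocol": "deviceCode"},
    {"ts": "2025-03-04T12:00:00", "user": "carol", "session": "S3", "ip": "192.0.2.5",    "event": "login",    "protocol": "oauth2"},
    {"ts": "2025-03-04T17:30:00", "user": "carol", "session": "S3", "ip": "192.0.2.9",    "event": "api_call", "protocol": "oauth2"},
]

REUSE_WINDOW = timedelta(minutes=30)  # assumed tuning value


def _parse(ts):
    return datetime.fromisoformat(ts)


def find_session_reuse(events, window=REUSE_WINDOW):
    """Flag sessions used from an IP other than the login IP within `window` of login.

    A session minted through a reverse proxy is typically replayed from the
    attacker's infrastructure minutes after the victim's login; a user changing
    networks hours later is not flagged. Returns (user, session, login_ip, other_ip).
    """
    ordered = sorted(events, key=lambda e: e["ts"])
    logins = {e["session"]: (e["ip"], _parse(e["ts"])) for e in ordered if e["event"] == "login"}
    hits = []
    for e in ordered:
        if e["event"] == "login" or e["session"] not in logins:
            continue
        login_ip, login_ts = logins[e["session"]]
        if e["ip"] != login_ip and _parse(e["ts"]) - login_ts <= window:
            hits.append((e["user"], e["session"], login_ip, e["ip"]))
    return hits


def find_device_code_logins(events):
    """List device-code sign-ins so each can be checked against known, approved uses."""
    return [(e["user"], e["session"], e["ip"]) for e in events
            if e["event"] == "login" and e["protocol"] == "deviceCode"]


if __name__ == "__main__":
    for hit in find_session_reuse(EVENTS):
        print("session reuse after login:", hit)
    for dc in find_device_code_logins(EVENTS):
        print("device-code login to review:", dc)
```

Wire the same two checks to real identity-provider sign-in and token-usage logs and tune the window to the observed replay delay, which is the point of treating MFA as one control rather than the finish line.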

What's in the full article

Push Security's full report covers the operational detail this post intentionally leaves for the source:

  • Attack-demo examples showing the exact browser-based phishing patterns intercepted in 2025
  • Channel-specific breakdowns of non-email phishing, including LinkedIn, search, and malvertising paths
  • Technique-level detail on AiTM kits, consent phishing, device-code abuse, and ConsentFix
  • Demonstration material that shows how the detections were surfaced during the webinar

👉 Read Push Security's analysis of how phishing evolved in 2025 →

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8508
 

Phishing has become an identity attack surface problem, not an email problem. The article shows that attackers now use search, social platforms, browser prompts, and malicious app consent to reach the user where email controls cannot help. That means the old boundary between phishing prevention and IAM has collapsed. Practitioners should treat browser-mediated access as part of identity governance, not as a separate endpoint or email concern.

A few things that frame the scale:

A question worth separating out:

Q: How should organisations prioritise phishing controls for 2026?

A: Organisations should prioritise controls that detect and contain account takeover after the initial click, especially browser telemetry, app-consent restrictions, and session monitoring. If attackers can bypass email and proxy the login, the deciding factor becomes how quickly the organisation can observe and revoke the resulting access.

👉 Read our full editorial: Phishing shifted beyond email in 2025 and IAM controls lagged
