The Evolution of Cyberattacks: How Browser-Based Threats Are Redefining the Kill Chain
In 2026, cyberattacks have undergone a fundamental shift, moving away from traditional endpoint exploits to directly targeting cloud applications and identities through the browser. Attackers now bypass endpoints entirely, compressing the kill chain from initial access to data exfiltration into minutes, often leveraging legitimate services and authentication flows.
Industry data underscores this trend: 83% of cloud and SaaS breaches involved identity-based initial access, while 73% focused on data theft (Google Cloud). The average e-crime breakout time has dropped to 29 minutes, with 82% of attacks now malware-free (CrowdStrike). Nearly half (48%) of intrusions involve browser-based activity, and 87% span multiple attack surfaces (Unit 42).
A new report from Push Security, 2026 Browser Attack Techniques, details six key tactics driving modern breaches:
- Adversary-in-the-Middle (AitM) Phishing – Powered by PhaaS kits like Tycoon 2FA (responsible for 59% of detections), these reverse-proxy attacks intercept credentials, MFA tokens, and session cookies in real time. Recent campaigns by Scattered Lapsus$ Hunters use human-operated kits that activate only when manually controlled, making detection difficult.
- ClickFix & Variants – Tricking users into executing malicious commands via fake "verify you're human" prompts, ClickFix was the top initial access vector in 2025 (47% of attacks) (Microsoft). A browser-native variant, ConsentFix, linked to APT29, abuses OAuth key material to compromise accounts without endpoint malware.
- Malicious OAuth Integrations – Attackers bypass authentication via consent phishing and device code phishing, even on accounts with phishing-resistant MFA. A Salesforce campaign attributed to Scattered Lapsus$ Hunters compromised 1,000+ organizations, exfiltrating 1.5 billion records using device code phishing. Push researchers report a 15x increase in such attacks in 2026.
- Malicious Browser Extensions – Attackers either trick users into installing extensions or compromise legitimate ones, pushing malicious updates. The Cyberhaven campaign affected 2.6 million users by dynamically loading malicious configs from remote servers, while GhostPoster (890,000 installs) evaded detection by delaying payload activation.
- Credential Stuffing – Despite SSO and MFA adoption, 1 in 4 logins remain password-based, 2 in 5 lack MFA, and 1 in 5 use weak or breached credentials (Push Security). 63% of logins involve compromised credentials (Cloudflare). The Snowflake breach demonstrated this risk, with 80% of compromised accounts having credentials available in breach datasets since 2020.
- Session Hijacking via Token Replay – Stolen session tokens, often harvested by infostealers or malicious extensions, allow attackers to bypass authentication entirely. The 2023 Okta breach showed how a single infostealer infection on a personal device combined with Chrome profile syncing led to widespread compromise.
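As an added defensive example (not code from the Push Security report or from the article above), the following constructed Python sketch shows one server-side mitigation for the token-replay tactic in the last item: binding a session to the client context present at issuance and capping its absolute lifetime, so a cookie harvested by an infostealer or a malicious extension is rejected when replayed from another machine. The /24 network tolerance, the 8-hour lifetime and the fingerprint inputs are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Constructed example: bind each session to the client context seen at
# issuance so that a cookie lifted by an infostealer or extension and
# replayed from the attacker's machine is rejected server-side.

MAX_AGE = 8 * 3600  # assumed absolute lifetime; caps how long a stolen token stays usable


def client_net(ip: str) -> str:
    # Bind to the /24 rather than the exact address to tolerate NAT/DHCP churn (assumption)
    return ".".join(ip.split(".")[:3])


@dataclass
class Session:
    user: str
    fingerprint: str   # keyed hash of (network, user agent) at issuance
    issued_at: float


@dataclass
class SessionStore:
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    sessions: dict = field(default_factory=dict)

    def _fingerprint(self, ip: str, user_agent: str) -> str:
        # HMAC with a server-held key so the stored value cannot be reversed into client attributes
        msg = f"{client_net(ip)}|{user_agent}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def issue(self, user: str, ip: str, user_agent: str, now: float = 0.0) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, self._fingerprint(ip, user_agent), now or time.time())
        return token

    def validate(self, token: str, ip: str, user_agent: str, now: float = 0.0) -> tuple:
        s = self.sessions.get(token)
        if s is None:
            return False, "unknown-token"
        if (now or time.time()) - s.issued_at > MAX_AGE:
            del self.sessions[token]
            return False, "expired"
        if not hmac.compare_digest(self._fingerprint(ip, user_agent), s.fingerprint):
            # Same token presented from a different client: treat as replay and revoke it
            del self.sessions[token]
            return False, "replay-suspected"
        return True, "ok"
```

Network and user-agent binding is a coarse signal (mobile roaming and shared proxies cause false positives, and an AitM proxy can forward the victim's real user agent), so treat a mismatch as a step-up or re-authentication trigger rather than a silent block. Device-bound credentials that tie the session to a key held by the client's hardware are the stronger control against replay.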
Why This Matters
Modern attacks operate within the browser, blending with legitimate traffic. EDR tools see browser processes but not session activity, while web proxies miss obfuscated client-side behavior. 95% of in-browser attacks use bot protection to block security scanners, and attackers abuse trusted services (SharePoint, Google Sites, Cloudflare) to host infrastructure.
The cost asymmetry is stark: a Chrome RCE exploit costs $250,000, while a phishing kit rental runs $1,000/year, and bulk stolen credentials sell for $15. Attackers aren't breaking browsers; they're operating inside them.
Source: https://www.linkedin.com/pulse/learn-ttps-behind-todays-biggest-breaches-2026-ebkxe
Snowflake cybersecurity rating report: https://www.rankiteo.com/company/snowflake-computing
Okta cybersecurity rating report: https://www.rankiteo.com/company/okta-inc-
"id": "SNOOKT1774442722",
"linkid": "snowflake-computing, okta-inc-",
"type": "Cyber Attack",
"date": "3/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': '1,000+ organizations',
'industry': 'Technology',
'name': 'Salesforce (campaign target)',
'type': 'SaaS Provider'},
{'customers_affected': '2.6 million users',
'name': 'Cyberhaven Campaign',
'type': 'Browser Extension'},
{'customers_affected': '890,000 installs',
'name': 'GhostPoster',
'type': 'Browser Extension'},
{'industry': 'Technology',
'name': 'Snowflake',
'type': 'Cloud Data Platform'},
{'industry': 'Technology',
'name': 'Okta (2023 breach)',
'type': 'Identity Provider'}],
'attack_vector': ['Browser-based threats',
'Adversary-in-the-Middle (AitM) Phishing',
'ClickFix',
'Consent Phishing',
'Device Code Phishing',
'Malicious Browser Extensions',
'Token Replay'],
'data_breach': {'data_exfiltration': True,
'number_of_records_exposed': ['1.5 billion (Salesforce '
'campaign)',
'Unknown (Snowflake breach)'],
'personally_identifiable_information': True,
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Credentials',
'Session tokens',
'Personally Identifiable '
'Information (PII)',
'OAuth tokens']},
'date_publicly_disclosed': '2026',
'description': 'Cyberattacks have shifted from traditional endpoint exploits '
'to targeting cloud applications and identities through the '
'browser, compressing the kill chain from initial access to '
'data exfiltration into minutes. Attackers leverage legitimate '
'services and authentication flows, with 83% of cloud and SaaS '
'breaches involving identity-based initial access and 73% '
'focused on data theft. The average e-crime breakout time is '
'now 29 minutes, with 82% of attacks being malware-free.',
'impact': {'data_compromised': ['1.5 billion records (Salesforce campaign)',
'2.6 million users (Cyberhaven campaign)'],
'identity_theft_risk': 'High',
'systems_affected': ['Cloud applications',
'SaaS platforms',
'Browser extensions']},
'initial_access_broker': {'entry_point': ['Browser-based attacks',
'Phishing kits',
'Malicious extensions']},
'lessons_learned': 'Modern attacks operate within the browser, blending with '
'legitimate traffic. Traditional security tools like EDR '
'and web proxies are insufficient to detect in-browser '
'threats. Attackers abuse trusted services and bot '
'protection to evade detection.',
'motivation': ['Data theft', 'Financial gain', 'Espionage'],
'post_incident_analysis': {'corrective_actions': ['Enhance identity and '
'access management',
'Deploy browser-native '
'security tools',
'Improve monitoring of '
'OAuth and session tokens',
'Educate users on phishing '
'and malicious extensions'],
'root_causes': ['Identity-based initial access',
'Lack of phishing-resistant MFA',
'Abuse of legitimate services',
'Insufficient browser security '
'controls']},
'recommendations': ['Implement phishing-resistant MFA',
'Monitor and restrict OAuth integrations',
'Enforce strict browser extension policies',
'Enhance session token security',
'Adopt browser-native security solutions'],
'references': [{'source': 'Google Cloud'},
{'source': 'CrowdStrike'},
{'source': 'Unit 42'},
{'source': 'Push Security - 2026 Browser Attack Techniques'},
{'source': 'Microsoft'},
{'source': 'Cloudflare'}],
'threat_actor': ['Scattered Lapsus$ Hunters',
'APT29',
'Cyberhaven Campaign',
'GhostPoster'],
'title': 'Evolution of Browser-Based Cyberattacks (2026)',
'type': ['Phishing',
'Credential Stuffing',
'Session Hijacking',
'Malicious OAuth Integrations',
'Malicious Browser Extensions'],
'vulnerability_exploited': ['Identity-based initial access',
'Weak or breached credentials',
'Lack of MFA',
'OAuth key material abuse',
'Session token theft']}