The Phishing Attack Surface Has Expanded
Traditional threats have moved beyond the inbox and onto the browser.
Phishing remains one of the most effective attack vectors for compromising employee identities. As organizations enhance their email security defenses, cybercriminals are also adapting their tactics to exploit weaknesses in the browser.
To build effective identity threat prevention, security teams must layer defenses across multiple attack surfaces, starting with the inbox and extending to the browser.
The Evolution of Phishing and Identity Threats
This shift in tactics has given rise to a new generation of phishing techniques that are harder to detect and more damaging in impact.
1. Traditional Email-Based Phishing
- Attackers send fraudulent emails containing malicious links, attachments, or social engineering tactics.
- Traditional email security filters out known threats but struggles with zero-day phishing kits, which exploit unknown system vulnerabilities, and adversary-in-the-middle (AiTM) attacks.
- Business Email Compromise (BEC) bypasses link-based detection by impersonating executives or vendors and pressuring employees into urgent action.
2. How In-Browser Phishing Compromise Credentials
- Victims are lured to a phishing site that looks identical to a real login page. An attacker-controlled proxy sits between the user and the legitimate site, ready to steal session tokens.
- When the victim enters their credentials and completes MFA, the proxy captures the session token in real time, giving the attacker access without needing to bypass MFA directly.
- Phishing sites leverage dynamic content injection to evade detection, making it harder for automated scanners to detect phishing activity.
- Once inside, cybercriminals install malicious browser extensions and OAuth abuse tokens to maintain long-term access, creating persistent identity threats beyond initial credential theft.
Email Security: Strengths and Limitations
How It Works:
Email security is implemented within corporate accounts to prevent threats at the point of delivery. These solutions scan inbound emails for:
- Malicious links and attachments
- Known phishing domains and threat signatures
- Behavioral anomalies in sender patterns
Strengths:
- Stops known threats early: Blocks phishing emails before they ever reach users' inboxes, reducing exposure to known malicious content.
- Detects impersonation: Identifies spoofed emails, suspicious senders, and impersonation attempts using behavioral and signature-based analysis.
- Powers the SOC: Provides actionable threat intelligence to Security Operations Center (SOC) teams for faster investigation and response.
Limitations:
- No protection after the click: Once a user clicks a phishing link, email security can’t stop what happens next, especially if the site uses real-time tactics like AiTM to hijack sessions
- Blind to zero-day threats: Sophisticated phishing kits that use new infrastructure or evasion techniques often slip through traditional detection methods
Browser-Based Phishing Detection: Closing Identity Threat Gap
How It Works:
Threat actors take advantage of the security gap between the inbox and the browser. Unlike traditional tools that rely on static blocklists, browser security solutions detect phishing in real time by analyzing dynamic page behaviors and blocking advanced tactics like AiTM attacks.
Strengths:
- Stops phishing at the point of attack: Even if a phishing email slips into the inbox, users will still be protected in real time.
- Detects zero-day threats: Uses behavioral analysis to identify and block brand-new phishing sites.
- Blocks advanced attack techniques: Prevents malicious redirects, credential harvesting scripts, and other in-browser threats.
- Prevents session hijacking: Detects and blocks AiTM attacks before attackers gain persistent access.
"A spear phishing email was sent to the inboxes of our sister company. It bypassed their email security completely undetected. But as soon as a user clicked on the link, we got an alert from Obsidian. Within minutes, the team was able to quarantine those emails and block the websites." - Leading Financial Services Company
Defense in Depth: Combining Email Security and Browser-Based Detection
Phishing defense requires a layered security approach. Relying on email filtering alone leaves organizations vulnerable if the threat is not contained within the inbox. Combining email security with in-browser detections ensures that threats are stopped both before and after message delivery.
Best Practices for Identity Threat Prevention:
- Deploy both email and browser security solutions to cover all attack surfaces.
- Use real-time browser analysis to detect and block AiTM phishing kits.
- Enforce phishing-resistant authentication methods, such as FIDO2 security keys.
- Monitor OAuth permissions to prevent attackers from maintaining persistent access.
- Educate employees on evolving phishing tactics and social engineering techniques.
Defending Beyond the Inbox
Stopping phishing attacks requires a multi-layered defense strategy. While traditional email security solutions remain critical for filtering out known phishing attempts, it is just one piece in the security puzzle. In-browser detections are essential for blocking zero-day phishing kits, AiTM attacks, and session hijacking.
Organizations must adopt a defense-in-depth approach to protect user identities and prevent credential theft in real time, from the inbox and beyond. Get started for free to begin detecting AiTM phishing threats.
