5 Major Concerns With Employees Using The Browser



As SaaS and cloud-native work reshape the enterprise, the web browser has emerged as the new endpoint. However, unlike endpoints, browsers remain mostly unmonitored, despite being responsible for more than 70% of modern malware attacks.

Keep Aware’s recent State of Browser Security report highlights major concerns security leaders face with employees using the web browser for most of their work. The reality is that traditional security tools are blind to what happens within the browser, and attackers know it.

Key Findings:

  • 70% of phishing campaigns impersonate Microsoft, OneDrive, or Office 365 to exploit user trust.
  • 150+ trusted platforms like Google Docs and Dropbox are being abused to host phishing and exfiltrate data.
  • 10% of AI prompts involve sensitive business content, posing risks across thousands of browser-based AI tools.
  • 34% of file uploads on company devices go to personal accounts, often undetected.

New Attack Patterns Bypass Traditional Defenses

From phishing kits that morph in real-time to JavaScript-based credential theft, attackers are bypassing firewalls, SWGs, and even EDRs. Here’s how:

Malware Reassembly in the Browser

Threats are delivered as fragments that only activate when assembled inside the browser—making them invisible to network or endpoint tools.

Multi-Step Phishing

Phishing pages dynamically serve different content depending on who’s viewing—users see scams, and scanners see nothing. Microsoft remains the most impersonated target.

Living Off Trusted Platforms

Attackers hide behind URLs from reputable SaaS platforms. Security tools allow this by default—giving adversaries a clear path in.

The security stack must evolve to detect, analyze, and respond to threats where they actually occur: inside the browser. Relying solely on perimeter-based defenses like SWGs and network security tools is no longer enough.

AI: The Next Great (Unmonitored) Security Risk

With 75% of employees using generative AI, most enterprises are unaware of what data is being pasted into models like ChatGPT—or what third-party browser extensions are doing in the background. Unlike traditional apps, AI tools don’t have a defined security boundary.

IT and security teams are often left reactively responding to AI adoption, rather than proactively managing it. Traditional policy-based approaches struggle with AI adoption because:

  • AI applications are rapidly being created, making static allow/deny lists ineffective.
  • Employees often switch between personal and corporate AI use, further blurring enforcement.
  • Many AI models are embedded inside other platforms, making detection and control even harder.

This results in inconsistent governance, where security teams are faced with the challenge of defining and enforcing policies in an environment that doesn’t have clear usage boundaries.

As AI regulations tighten, visibility and control over AI adoption will become mandatory rather than optional. Organizations must track usage, detect risks, and flag sensitive data exposure before compliance pressures mount. Proactive monitoring today lays the foundation for AI governance tomorrow.

DLP Can’t Keep Up With the Browser

Legacy Data Loss Prevention systems were designed for email and endpoints—not for today’s browser-heavy workflows. The browser has become the primary channel for data movement, yet traditional DLP solutions can only see where network traffic is sent, not the actual destination application handling the data.

Modern data exfiltration risks include:

  • Pasting API keys into browser-based tools
  • Uploading documents to personal Google Drive
  • Copy-pasting customer data into AI assistants

Even well-meaning employees can unintentionally leak IP when switching between work and personal accounts—something legacy tools can’t detect.

With more data moving through the browser than ever before, DLP must evolve to recognize application context, user actions, and business intent. A unified browser-based DLP model would give security teams the ability to apply consistent data protection policies across all destinations while enforcing controls on high-risk actions.

The Extension Problem No One’s Watching

Despite minimal technical evolution over the years, browser extensions now have unprecedented access to sensitive organizational data and user identities. While security teams rigorously manage software updates, patches, and endpoint security policies, extensions remain an attack surface often overlooked in traditional security frameworks. During their user data research, the Keep Aware team found:

  • 46% of extensions serve productivity use cases.
  • 20% fall into lifestyle categories—like shopping or social plugins.
  • 10% are classified as high or critical risk due to excessive permissions.

Permissions that enable full-page access, session tracking, or network interception are still far too common—even in extensions downloaded from trusted marketplaces.

As extensions continue to serve as both productivity tools and security liabilities, enterprises must implement stronger review processes, visibility controls, and proactive defenses to secure the browser from the inside out.
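As an added illustration (not from the Keep Aware report), a review step can sort an extension's manifest.json permissions into the three categories named above: full-page access, session tracking, and network interception. The permission-to-category mapping, the rating rule, and both sample manifests are assumptions constructed for this example.

```javascript
// Added example. Category names follow the article; the permission-to-category
// mapping and the rating rule are assumptions, not Keep Aware's scoring.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const SESSION_TRACKING = new Set(["cookies", "tabs", "history", "webNavigation"]);
const NETWORK_INTERCEPTION = new Set(["webRequest", "webRequestBlocking", "proxy", "debugger"]);

function auditManifest(manifest) {
  // Manifest V2 mixes host patterns into "permissions"; V3 moves them to
  // "host_permissions". Optional permissions count: they can be granted later.
  const declared = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
    ...(manifest.optional_permissions || []),
    ...(manifest.optional_host_permissions || []),
  ];
  // Content scripts run inside every page their "matches" patterns cover.
  const scriptMatches = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  const findings = {
    fullPageAccess: [...new Set([...declared, ...scriptMatches])].filter((p) => BROAD_HOSTS.has(p)),
    sessionTracking: declared.filter((p) => SESSION_TRACKING.has(p)),
    networkInterception: declared.filter((p) => NETWORK_INTERCEPTION.has(p)),
  };
  const categoriesHit = Object.values(findings).filter((list) => list.length > 0).length;
  return {
    name: manifest.name,
    rating: ["low", "medium", "high", "critical"][categoriesHit],
    findings,
  };
}

// Constructed manifests (not real extensions).
const couponHelper = {
  name: "Coupon Helper (constructed)",
  manifest_version: 3,
  permissions: ["storage", "cookies", "webRequest"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["inject.js"] }],
};
const notePad = {
  name: "Note Pad (constructed)",
  manifest_version: 3,
  permissions: ["storage", "activeTab"],
};

for (const m of [couponHelper, notePad]) {
  const r = auditManifest(m);
  console.log(`${r.name}: ${r.rating}`, JSON.stringify(r.findings));
}
```
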

Shadow IT Lives In The Browser

Shadow IT is no longer just occasional use of unsanctioned applications—it has become a major challenge for enterprise security. Employees regularly adopt SaaS applications, personal file-sharing services, and third-party AI tools without IT oversight, often integrating them into daily work with real business data.

Employees across different job functions routinely interact with multiple organizational instances of the same application—often without recognizing the security implications.

  • Marketing & Creative Teams: A marketing team member might mistakenly upload assets to a partner’s Google Drive instead of the company’s official instance, leading to unintended data exposure.
  • Consultants & Client-Facing Roles: A consultant working with multiple clients may access client-specific SharePoint sites, unknowingly creating security gaps as sensitive data is shared across different organizations.
  • Professional Services & External Collaboration: Industries like legal and accounting, which rely heavily on external collaboration, frequently have employees working across 15+ different SharePoint instances, introducing significant challenges in monitoring data movement.

This explosion of Shadow IT creates massive security gaps, especially as product-led growth platforms bypass procurement processes entirely.

Instead of classifying applications as corporate or consumer, security teams must assess the intent behind employee interactions, the account context in which tools are used, and real-time risks tied to SaaS activity. This means moving beyond static policies to embrace dynamic risk assessments, context-aware access controls, and continuous monitoring. The browser has become the most critical point of visibility, revealing logins, account switching, MFA status, consent-based access requests, and data movement across organizational boundaries.
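The account-context point made here and in the DLP section above can be shown with a small policy check, added as an example and not taken from the report. Two uploads to the same host receive different verdicts depending on the signed-in account, which a tool that sees only the destination host cannot distinguish. The event shape, CORPORATE_DOMAIN, AI_HOSTS, and the sample events are assumptions.

```javascript
// Added example; the event shape, CORPORATE_DOMAIN and AI_HOSTS are assumptions.
const CORPORATE_DOMAIN = "example.com";
const AI_HOSTS = new Set(["chatgpt.com"]);
const SECRET_PATTERNS = [
  { name: "aws-access-key-id", re: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: "private-key-block", re: /-----BEGIN [A-Z ]*PRIVATE KEY-----/ },
];

// Classify the account the user is signed in with at the destination app.
function accountContext(event) {
  if (!event.account) return "unauthenticated";
  const domain = event.account.split("@").pop().toLowerCase();
  return domain === CORPORATE_DOMAIN ? "corporate" : "non-corporate";
}

// Decide on a browser event using action + destination + account, not host alone.
function evaluate(event) {
  const context = accountContext(event);
  const reasons = [];
  const secrets = SECRET_PATTERNS.filter((p) => p.re.test(event.text || "")).map((p) => p.name);
  if (event.action === "paste" && secrets.length > 0) {
    reasons.push(`secret pasted: ${secrets.join(", ")}`);
  }
  if (event.action === "upload" && context !== "corporate") {
    reasons.push(`upload under ${context} account`);
  }
  if (event.action === "paste" && AI_HOSTS.has(event.host) && context !== "corporate") {
    reasons.push(`paste into AI assistant under ${context} account`);
  }
  return { verdict: reasons.length > 0 ? "flag" : "allow", context, reasons };
}

// Constructed events. The first two share a host and differ only in account.
const sampleEvents = [
  { action: "upload", host: "drive.google.com", account: "alice@example.com", file: "q3-plan.pdf" },
  { action: "upload", host: "drive.google.com", account: "alice.home@gmail.com", file: "q3-plan.pdf" },
  // AKIAIOSFODNN7EXAMPLE is the placeholder key ID used in AWS documentation.
  { action: "paste", host: "formatter.example", account: null, text: "key=AKIAIOSFODNN7EXAMPLE" },
  { action: "paste", host: "chatgpt.com", account: "alice.home@gmail.com", text: "summarise this" },
];

for (const e of sampleEvents) {
  const r = evaluate(e);
  console.log(`${e.action} -> ${e.host} [${r.context}]: ${r.verdict}`, r.reasons);
}
```
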

The Path Forward: Browser-Native Visibility and Control

Keep Aware’s report provides comprehensive insights and data points that prove that security must move inside the browser. As phishing campaigns evolve, malware reassembly becomes more sophisticated, AI usage soars, and browser extensions remain unchecked, organizations that fail to adapt will remain vulnerable.

Security teams must integrate browser security into their enterprise security stack to gain real-time visibility, detect browser-native threats, and protect people where they work.

This article is a contributed piece from one of our valued partners.