Cybersecurity tools are missing a significant share of phishing attacks as corporate work shifts deeper into web browsers, raising concerns that legacy network, email and endpoint controls are losing sight of where employees now handle sensitive data.

Research based on millions of active enterprise browser sessions between 1 January and 31 March 2026 found that one in five phishing attacks aimed at browser users went undetected by existing protection tools. The findings point to a widening security gap at the browser session layer, where staff routinely access email, finance systems, cloud storage, collaboration platforms and artificial intelligence tools.
Menlo Security’s 2026 State of Browser Security Threat Report, released on 28 May, said its platform blocked 4,937 zero-day attacks before reputation filters recognised them, 52,185 threats launched from websites already classified as safe, and 115,842 evasive phishing campaigns designed to bypass legacy detection. The report identified ClickFix lures, adversary-in-the-middle session hijacking, HTML smuggling and remote monitoring tool abuse as key techniques reshaping enterprise attacks.
The pattern is forcing security teams to reassess an assumption that dangerous activity can be identified before it reaches the user through email gateways, URL filters, firewalls or endpoint agents. Attackers are exploiting the gap by moving deception into the live browser session, where fake verification prompts, artificial error messages, login pop-ups and document-access screens can appear routine.
Browser-based phishing is also converging with credential theft and session compromise. Instead of merely collecting passwords for later use, many campaigns now aim to capture authentication tokens and multi-factor authentication codes during the login flow. That allows an attacker to turn a single click into active access, even when organisations have deployed stronger sign-in controls.
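The token-capture pattern described above leaves a trace on the identity provider's side: a session that completed multi-factor authentication from one network and browser is, minutes later, driven from another. The following is an added illustration of that detection logic, not code from the report or from any vendor named in the article. The log format, field names and the 30-minute window are assumptions chosen for the example, and the log lines are constructed.

```python
"""Detect likely session-token replay (adversary-in-the-middle style) in sign-in logs.

Added illustration; not code from the report or any vendor. Log lines below are
constructed, and the field names and time window are assumptions for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one ordinary session (s1) and one (s2) whose token is reused
# from a different network and client minutes after MFA completed.
SAMPLE_LOG = """\
2026-02-10T09:00:02Z user=alice session=s1 ip=203.0.113.10 ua=Chrome/124 event=mfa_ok
2026-02-10T09:04:30Z user=alice session=s1 ip=203.0.113.10 ua=Chrome/124 event=page_view
2026-02-10T09:10:15Z user=bob session=s2 ip=198.51.100.7 ua=Firefox/125 event=mfa_ok
2026-02-10T09:11:40Z user=bob session=s2 ip=192.0.2.55 ua=python-requests/2.31 event=page_view
2026-02-10T09:12:01Z user=bob session=s2 ip=192.0.2.55 ua=python-requests/2.31 event=mailbox_rule_created
"""


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict with a parsed timestamp."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_replayed_sessions(log_text, window=timedelta(minutes=30)):
    """Return {session: [reasons]} for sessions used from a different (ip, user agent)
    than the one that completed MFA, within `window` of that MFA event."""
    anchor = {}                    # session -> the mfa_ok record that issued the token
    findings = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        sid = rec["session"]
        if rec["event"] == "mfa_ok":
            anchor[sid] = rec
            continue
        a = anchor.get(sid)
        if a is None or rec["ts"] - a["ts"] > window:
            continue
        for field, label in (("ip", "ip"), ("ua", "user agent")):
            if rec[field] != a[field]:
                reason = f"{label} changed {a[field]} -> {rec[field]}"
                if reason not in findings[sid]:
                    findings[sid].append(reason)
    return dict(findings)


if __name__ == "__main__":
    for sid, reasons in find_replayed_sessions(SAMPLE_LOG).items():
        print(sid, "->", "; ".join(reasons))
```

In practice the comparison would use an ASN or geolocation rather than a raw address, since legitimate clients change IP on mobile networks; the point is that a token obtained through an interposed page is redeemed from the attacker's infrastructure, and that redemption is visible in the provider's own logs.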
The risk was underlined by a separate Browser-in-the-Browser campaign targeting Microsoft 365 users. At least 10 domains used fake browser pop-ups that imitated legitimate authentication windows, including crafted address bars made to resemble trusted OAuth login pages. Victims who clicked sign-in buttons were shown embedded forms that looked like normal Microsoft prompts but were designed to harvest credentials.
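A genuine sign-in pop-up is a separate browser window, and its address bar is browser chrome rather than page content. A Browser-in-the-Browser page instead paints the address bar as ordinary text inside the page, next to a credential form. That difference can be checked mechanically: the page is served from one host, yet its visible text claims to be a URL on a trusted identity-provider host. The code below is an added illustration of that heuristic, not code from the campaign report or from any vendor; the trusted-host list, the sample pages and the finding messages are assumptions constructed for the example.

```python
"""Heuristic check for Browser-in-the-Browser style login pages.

Added illustration; not code from the report or any vendor. The trusted-host list
and both sample pages are assumptions constructed for the example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list of identity-provider hosts the organisation actually uses.
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "accounts.google.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


class _Collector(HTMLParser):
    """Collects URL-looking visible text, password inputs and form targets."""

    def __init__(self):
        super().__init__()
        self.text_urls = []
        self.has_password = False
        self.form_actions = []
        self._skip = 0            # depth inside <script>/<style>, not visible text

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "style"):
            self._skip += 1
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True
        elif tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.text_urls.extend(URL_RE.findall(data))


def assess_login_page(page_url, html):
    """Return a list of findings; an empty list means no indicator fired."""
    page_host = urlparse(page_url).hostname or ""
    c = _Collector()
    c.feed(html)
    findings = []
    if not c.has_password:          # no credential form, nothing to protect
        return findings
    # Visible text that claims a trusted login URL while the page lives elsewhere.
    for u in c.text_urls:
        h = urlparse(u).hostname or ""
        if h in TRUSTED_LOGIN_HOSTS and h != page_host:
            findings.append(f"visible text shows {h} but page is served from {page_host}")
    # A password form that posts somewhere other than a trusted identity provider.
    for act in c.form_actions:
        h = urlparse(act).hostname or page_host   # relative action resolves to page host
        if h not in TRUSTED_LOGIN_HOSTS:
            findings.append(f"credential form posts to {h}")
    return findings


# Constructed sample: a document-sharing page drawing a fake pop-up with a
# text-only "address bar" above a password form that posts back to itself.
FAKE_POPUP = """
<div class="popup"><div class="addressbar">
https://login.microsoftonline.com/common/oauth2/v2.0/authorize</div>
<form action="/collect" method="post">
<input name="u"><input type="password" name="p"><button>Sign in</button></form></div>
"""

# Constructed sample: a credential form on the identity provider's own host.
LEGIT_PAGE = """
<form action="/common/login" method="post">
<input name="u"><input type="password" name="p"><button>Sign in</button></form>
"""

if __name__ == "__main__":
    print(assess_login_page("https://docs-share.example/view", FAKE_POPUP))
    print(assess_login_page("https://login.microsoftonline.com/common/oauth2/v2.0/authorize", LEGIT_PAGE))
```

The check only catches variants that render the fake address bar as text; a campaign that draws it as an image needs a visual or behavioural check instead, such as whether the "window" can be dragged outside the page's viewport. For users, the same idea applies without code: a real pop-up can be moved off the page; a painted one cannot.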
The broader phishing economy is changing at the same time. Zscaler’s 2026 phishing and initial access research found that overall phishing volume fell by about 20 per cent year on year, but attackers were moving towards fewer, more convincing lures. Its telemetry identified 413,524 AI-generated site instances, with 37,447 flagged as malicious, while 95.2 per cent of phishing activity travelled over encrypted channels.
That shift has two implications for corporate defenders. First, phishing is no longer confined to suspicious emails with poor grammar or mismatched logos. It increasingly appears as polished, brand-consistent workflows inside web applications. Second, encrypted traffic, once treated as a marker of legitimacy, is now the default delivery path for many malicious campaigns, limiting tools that do not inspect traffic deeply and consistently.
Services companies, manufacturers, public bodies and finance teams are especially exposed because their staff handle high-trust workflows such as billing, renewals, onboarding, claims, approvals and document exchange. These processes often require fast decisions and frequent browser interaction, giving attackers opportunities to embed malicious prompts in activities that appear business-like.
Enterprise adoption of generative AI is adding another layer of complexity. Employees and autonomous agents increasingly operate through browsers to access cloud apps, process files and interact with data. Security teams built around human judgement, user training and periodic scanning face greater difficulty when non-human agents execute instructions at speed and may follow malicious web content without hesitation.
The latest breach data reinforce the sense that attackers are broadening their routes into corporate networks. Exploitation of software vulnerabilities has overtaken stolen credentials as the leading initial access vector in major breach datasets, while phishing remains a reliable path to identity compromise and malware delivery.
Security vendors are responding by pushing browser security, remote browser isolation, zero-trust access, session monitoring and inline data-loss prevention closer to the point of action. These tools aim to inspect page behaviour, isolate risky web content, stop malicious downloads, identify lookalike sites and enforce data policies during the browser session rather than after compromise.