Why the browser is now the front line for AI security
Security teams are staring at two AI problems at once. Adversaries are using AI to iterate on phishing kits, generate lures, and rotate infrastructure faster than blocklists can follow. Employees are adopting AI tools faster than security teams can review them, pasting sensitive data into LLMs, granting OAuth permissions to AI agents, and installing AI browser extensions that nobody vetted.
Both problems play out in the same place: the browser. The most efficient way to address them is with a single platform that has deep visibility into what's happening inside browser sessions — not two separate tools that each see half the picture.
AI-enabled attacks are outpacing traditional defenses
Security has always been a cat-and-mouse game between attackers and defenders, but AI is accelerating the attacker side of that equation. Phishing kits are forked, modified, and brought to market faster than ever. AI is a force multiplier for the criminal ecosystem, and it's changing the calculus for defenders in three ways.
AI has supercharged attacker tool creation: Attackers are using AI the same way any engineer would, to multiply their output. We're seeing attackers heavily use AI in the creation and iteration of phishing-as-a-service (PhaaS) tools and kits.
The rapid evolution of ClickFix, with new techniques like InstallFix and ConsentFix, is one example. And device code phishing, which abuses the legitimate OAuth device authorization flow (the victim completes MFA or a passkey prompt on the real login page, and the attacker receives the resulting tokens), has surged from a research curiosity to an industrialized PhaaS offering, with more than 18 kits being actively tracked in the wild. As adversary-in-the-middle (AitM) and device code kits converge into single platforms, we're seeing signs of heavy AI use, as we observed when we got an inside look at Doko's Panel and derivative kits, used extensively by ShinyHunters and BlackFile.
Device code phishing has exploded in 2026, with 18 kits in the wild and a 37x spike in detections.
See our blog post for more examples.
IoC-based detections are increasingly degraded: AI has also collapsed the cost of building convincing phishing infrastructure (which was already on the floor). A convincing phishing page can be vibe-coded in minutes, deployed to a fresh domain, claim victims, and be rotated out before any reputation service flags it.
According to Spamhaus, 89% of phishing domains are active for fewer than two days. For organizations relying on blocklists and IoC feeds, every phishing attack is effectively a zero-day: it's never been seen before, and the next one won't look the same either.
Combined with the misuse of legitimate sites for hosting and delivery of phishing links, it's very difficult to discern good from bad when relying on low-level IoCs like domains and IPs. Recent examples are even seeing attackers host malicious links via legitimate AI chat sharing functionality (a technique we're detecting as LLMShare).
AI is making it easier to build and run multi-channel campaigns: Push's own data shows that roughly 1 in 3 phishing payloads arrive via channels other than email — malvertising, social media, SEO poisoning, and so on. ClickFix is an even clearer example, where 4 in 5 payloads arrive specifically through search engine results. Email security is structurally blind to the delivery channels that are growing fastest.
The LLMShare example is a good one here too: attackers were malvertising the links via search engine ads that are incredibly hard to spot (showing how non-email delivery + legit site abuse + misuse of AI tools themselves can combine for maximum impact).

[Image: chatgpt.com sharing links used in a search ad, creating a convincing ad that is impossible to spot from just looking at the URL.]
All three trends converge in the browser session, where payload delivery and account takeover actually happen. That's the layer where detection needs to operate, analyzing page behavior, script execution, and malicious mechanics (session theft, malicious copy and paste, file downloads, and so on) rather than matching domains against a feed, particularly where many attacks now take place entirely inside the browser session without touching the endpoint.
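The detection logic the paragraph above describes for malicious copy and paste, as an added example that is not code from Push Security or this article: a content-script hook on the two APIs a page can use to write the clipboard, with a classifier that scores the payload for command patterns and the page text for ClickFix coaching phrases. The signature lists, the weights and thresholds, and the sample payloads are assumptions for illustration; the edge case handled is a user copying a PowerShell command out of documentation, which should not be blocked.

```javascript
// Added example, not Push Security's code: detecting a ClickFix-style
// clipboard injection from a browser content script. The lure page coaches the
// victim to open Win+R or a terminal and paste, while page script writes a
// command into the clipboard. Both the coaching text and the clipboard payload
// are observable inside the session; the domain the page lives on is not needed.

// Clipboard payloads that look like commands rather than text. Illustrative
// signatures and weights, not a complete set.
const COMMAND_PATTERNS = [
  { id: "powershell", re: /\b(powershell|pwsh)(\.exe)?\b/i, weight: 3 },
  { id: "encoded-cmd", re: /-(enc|encodedcommand|e)\s+[A-Za-z0-9+/=]{20,}/i, weight: 4 },
  { id: "hidden-window", re: /-w(indowstyle)?\s*hidden|-nop\b|-noprofile\b/i, weight: 3 },
  { id: "mshta", re: /\bmshta(\.exe)?\s+https?:/i, weight: 4 },
  { id: "lolbin-download", re: /\b(curl|wget|certutil|bitsadmin|Invoke-WebRequest|iwr|irm)\b/i, weight: 2 },
  { id: "pipe-to-shell", re: /\|\s*(bash|sh|zsh|iex|Invoke-Expression)\b/i, weight: 4 },
  { id: "shell-prefix", re: /^\s*(cmd(\.exe)?\s*\/[ck]|bash\s+-c|sh\s+-c)/i, weight: 3 },
  { id: "base64-decode", re: /\bbase64\s+(-d|--decode)\b|FromBase64String/i, weight: 3 },
];

// Phrases a ClickFix page uses to walk the victim through the paste.
const LURE_PATTERNS = [
  /\bpress\s+(the\s+)?windows?\s*(key\s*)?\+\s*r\b/i,
  /\b(win|windows)\s*\+\s*r\b/i,
  /\bctrl\s*\+\s*v\b/i,
  /\brun\s+dialog\b/i,
  /\bverify\s+(that\s+)?you\s+are\s+(a\s+)?human\b/i,
  /\b(open|launch)\s+(the\s+)?(terminal|powershell|command\s+prompt)\b/i,
];

// Score the clipboard payload on its own.
function classifyClipboardText(text) {
  const reasons = [];
  let score = 0;
  for (const p of COMMAND_PATTERNS) {
    if (p.re.test(text)) { reasons.push(p.id); score += p.weight; }
  }
  // ClickFix payloads often pad the command with leading whitespace or end it
  // with a "# I am not a robot" comment so only a harmless tail shows in the
  // Run box.
  if (/^\s{10,}/.test(text) || /#\s*[^\n]{0,40}(robot|captcha|verify)/i.test(text)) {
    reasons.push("visual-padding"); score += 2;
  }
  return { score, reasons };
}

// Combine the payload with page context. `source` is "script" when page
// script wrote the clipboard (navigator.clipboard.writeText or
// execCommand('copy')) and "user" for a copy the user made from a selection.
function assessClickFix({ clipboardText, pageText = "", source = "script" }) {
  const { score, reasons } = classifyClipboardText(clipboardText);
  const lureHits = LURE_PATTERNS.filter((re) => re.test(pageText)).length;
  let total = score + lureHits * 2;
  // A script-driven write of a command is the core ClickFix mechanic. A user
  // copying a command out of documentation is the benign look-alike that must
  // not be blocked, so it gets no bonus. Thresholds are an assumption.
  if (source === "script" && score > 0) { total += 2; reasons.push("script-initiated"); }
  const verdict = total >= 8 ? "block" : total >= 4 ? "suspicious" : "benign";
  return { verdict, total, reasons, lureHits };
}

// Hook the two clipboard-writing APIs on a page. Returns false when no DOM is
// present so the classifier can also be used from Node against telemetry.
function installClipboardHook(win, onEvent) {
  if (!win || !win.navigator || !win.document) return false;
  const report = (api, text) => {
    const result = assessClickFix({
      clipboardText: text,
      pageText: win.document.body ? win.document.body.innerText : "",
      source: "script",
    });
    onEvent({ api, page: win.location ? win.location.href : "", payload: text, ...result });
    return result.verdict !== "block";
  };
  const clip = win.navigator.clipboard;
  if (clip && typeof clip.writeText === "function") {
    const orig = clip.writeText.bind(clip);
    clip.writeText = (text) =>
      report("navigator.clipboard.writeText", String(text))
        ? orig(text)
        : Promise.reject(new Error("clipboard write blocked"));
  }
  // execCommand('copy') copies the current selection, which ClickFix pages
  // create programmatically from a hidden textarea.
  if (typeof win.document.execCommand === "function") {
    const origExec = win.document.execCommand.bind(win.document);
    win.document.execCommand = (cmd, ...rest) => {
      if (String(cmd).toLowerCase() === "copy") {
        const sel = win.getSelection ? String(win.getSelection()) : "";
        const active = win.document.activeElement;
        const text = sel || (active && "value" in active ? String(active.value) : "");
        if (!report("document.execCommand('copy')", text)) return false;
      }
      return origExec(cmd, ...rest);
    };
  }
  return true;
}

// In a real extension this runs as a content script; guarded so the file also
// loads under Node.
if (typeof window !== "undefined") {
  installClipboardHook(window, (ev) => console.warn("[clickfix-monitor]", ev));
}
```

The point of scoring the page text alongside the payload is that neither signal alone is conclusive: a PowerShell one-liner on a documentation page is normal, and "press Win+R" on a page that writes nothing to the clipboard is harmless. A script-initiated clipboard write of a hidden-window, download-and-execute command on a page that coaches the user through pasting it is the combination that only a session-level observer can see.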
Uncontrolled AI adoption is the other half of the problem
On the employee side, adoption is outrunning governance.
There is a top-down mandate for organizations to use more AI in order to remain competitive. Attempting to block or bottleneck that process in a way that hurts potential efficiency and productivity gains is not going to cut it — so security teams need to find a way to adopt AI safely and securely.
The signs show that this is out of control for many organizations. The 2026 Verizon DBIR found that 45% of employees are now regular AI users on corporate devices, with 67% using non-corporate accounts.
Push's own telemetry shows the average organization has 16 unique AI apps, 17 AI browser extensions, and 17 AI-connected OAuth integrations — most of them unapproved. Of file uploads to AI tools, 38% are made from personal shadow accounts rather than organizational ones.
The risks stack up quickly. Sensitive data leaves the organization through clipboard pastes and file uploads to AI tools that security teams didn't approve and can't monitor. AI browser extensions collect browsing context from internal applications, creating a data exfiltration path that operates outside traditional DLP.
AI agents are requesting OAuth permissions to access organizational data, pulling information from one system, analyzing it in another, and presenting it in a third, with Model Context Protocol (MCP) connections now creating persistent, permissioned access that most organizations have little visibility into and little control over.
The 2026 Vercel breach shows where this leads: a compromised third-party AI SaaS provider's OAuth integration became the entry point into a corporate Google Workspace tenant. ShinyHunters' campaigns against Salesloft Drift and Gainsight demonstrated the same pattern at scale last year.
The browser sees both sides — and that's the point
Both problems share a root cause: security-relevant activity is happening inside browser sessions that most tools can't observe.
Many of these attack techniques are browser-native, meaning traditional monitoring tools simply do not have the required visibility inside the browser session to detect and intercept them.
The browser is equally the best single layer for gaining visibility and control over AI usage: it sees the apps, the OAuth grants, the extensions, and the account context. And enterprise AI tools like Claude, ChatGPT Enterprise, Microsoft Copilot, and Gemini for Workspace increasingly provide native prompt logging and DLP controls on their enterprise plans.
Combining the two means that you can use the browser to enforce which AI tools employees can access and ensure they reach the corporate tenant rather than a personal account, then rely on platform-native controls to govern activity within that environment.
The browser is what makes platform controls effective and prevents the kind of shadow AI use that can otherwise go undetected — for example, if employees are using personal accounts, there are no enterprise audit logs to inspect. And for the growing category of AI agents, agentic browsers, and MCP-connected tools that operate through OAuth grants rather than direct user interaction, the browser is where the consent decisions that authorize those agents are made.
What to ask when evaluating browser-based solutions
When you're evaluating platforms in this space, four questions separate tools that provide genuine security telemetry from those that offer compliance reporting with limited investigative value.
Does the tool capture AI interactions that didn't trigger a policy violation? Enforcement-first tools record what they stopped — blocked uploads, unapproved app usage, flagged file names. That's useful for compliance, but the most significant events are often the ones that looked normal at the time: an approved extension that quietly updates its permissions, an OAuth consent grant that was technically permitted but shouldn't have been, a user whose behavior shifted gradually before a resignation. Ask whether the tool collects telemetry for permitted events, not just violations.
Does the tool capture the full OAuth consent flow when an AI agent requests access to organizational data? Most enforcement-first tools treat OAuth as binary — approved app or blocked app. That was a reasonable model when OAuth grants were IT-managed integrations. It isn't sufficient for agentic AI, where user-initiated consent grants happen inside browser sessions with broad scopes and frequently without security team awareness. The right tool captures what scopes were requested, who approved them, and what application received them — and can warn or block in real time.
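What capturing the consent flow means concretely, as an added example that is not Push Security's code: a parser that recognizes an OAuth authorization request in a browser navigation, extracts the client, scopes, tenant and redirect target, and rates the grant. The endpoint paths are the public authorization endpoints for Microsoft Entra, Google and Okta; the list of broad scopes, the risk thresholds, and the `context.user` field (assumed to come from the session the extension already observes) are assumptions for illustration. It also flags a Microsoft `common` or `consumers` tenant, since consent there can complete against a personal account.

```javascript
// Added example, not Push Security's code: turning an OAuth authorization
// (consent) request seen as a browser navigation into a record that says which
// application asked for which scopes, against which tenant, and who approved.
// Endpoint paths are the public ones for each identity provider; the broad
// scope list and the risk thresholds are assumptions for illustration.

const AUTHZ_ENDPOINTS = [
  // Capture group 1 on the Microsoft path is the tenant segment.
  { idp: "microsoft", host: /^login\.microsoftonline\.com$/i, path: /^\/([^/]+)\/oauth2\/v2\.0\/authorize$/i },
  { idp: "google", host: /^accounts\.google\.com$/i, path: /^\/o\/oauth2\/(?:v2\/)?auth$/i },
  { idp: "okta", host: /\.okta\.com$/i, path: /^\/oauth2\/(?:[^/]+\/)?v1\/authorize$/i },
];

// Scopes that grant persistent or tenant-wide access. Illustrative.
const BROAD_SCOPES = [
  { re: /^offline_access$/i, why: "refresh token; access persists after the session ends" },
  { re: /^(Mail|Files|Sites|Directory|User|Calendars)\.ReadWrite(\.All)?$/i, why: "write access to mailbox, files, or directory data" },
  { re: /^(Mail|Files|Sites|Directory|User)\.Read\.All$/i, why: "tenant-wide read access" },
  { re: /^https:\/\/www\.googleapis\.com\/auth\/(drive|gmail\.(readonly|modify)|admin\.directory\.[a-z.]+)$/i, why: "Google Workspace data access" },
];

// Microsoft scopes may carry the Graph resource as a prefix; strip it so
// "https://graph.microsoft.com/Mail.ReadWrite" and "Mail.ReadWrite" match alike.
function normalizeScope(s) {
  return s.replace(/^https:\/\/graph\.microsoft\.com\//i, "");
}

// Parse one navigation URL. `context` carries session facts the extension
// already knows (assumed fields: user, observedAt). Returns null when the URL
// is not an authorization endpoint.
function parseConsentRequest(rawUrl, context = {}) {
  let url;
  try { url = new URL(rawUrl); } catch { return null; }
  let idp = null, tenant = null;
  for (const ep of AUTHZ_ENDPOINTS) {
    const m = ep.host.test(url.hostname) && url.pathname.match(ep.path);
    if (m) { idp = ep.idp; tenant = m[1] ?? null; break; }
  }
  if (!idp) return null;

  const q = url.searchParams;
  const scopes = (q.get("scope") || "").split(/\s+/).filter(Boolean).map(normalizeScope);
  const responseType = (q.get("response_type") || "").split(/\s+/).filter(Boolean);
  const redirectUri = q.get("redirect_uri");
  const findings = [];

  for (const s of scopes) {
    for (const b of BROAD_SCOPES) {
      if (b.re.test(s)) findings.push({ scope: s, why: b.why });
    }
  }
  if (idp === "google" && q.get("access_type") === "offline") {
    findings.push({ scope: "access_type=offline", why: "refresh token; access persists after the session ends" });
  }
  if (idp === "microsoft" && /^(common|consumers)$/i.test(tenant || "")) {
    findings.push({ scope: "tenant=" + tenant, why: "consent can complete against a personal account, outside corporate audit logs" });
  }
  if (responseType.includes("token")) {
    findings.push({ scope: "response_type=" + responseType.join(" "), why: "access token returned in the URL fragment (implicit flow)" });
  }
  if (redirectUri && !/^https:/i.test(redirectUri)) {
    findings.push({ scope: "redirect_uri", why: "non-HTTPS redirect target" });
  }
  // Threshold is an assumption: two or more findings is a grant worth a
  // real-time warning or block; one is worth recording.
  const risk = findings.length >= 2 ? "high" : findings.length === 1 ? "medium" : "low";

  return {
    idp,
    tenant,
    clientId: q.get("client_id"),
    redirectUri,
    responseType,
    scopes,
    findings,
    risk,
    approvedBy: context.user ?? null,
    observedAt: context.observedAt ?? new Date().toISOString(),
  };
}
```

The returned record is the shape a SIEM needs to make a consent investigable: the application (`clientId`), the exact scopes, the tenant the consent ran against, and the user who approved it, rather than a bare "OAuth consent" alert. Note that the parser sees the request, not the outcome; whether the user actually clicked Accept has to come from the subsequent redirect carrying a `code`, which is a separate navigation event.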
When a new attack technique emerges that no tool has a signature for, how quickly does the platform detect it? Attackers rotate infrastructure in hours and use AI to generate new lures at scale. A detection model built on blocklists and known-bad indicators is architecturally behind any novel technique. Ask vendors to show you a specific detection that fired before the infrastructure appeared on any threat feed.
What telemetry reaches your SIEM — just alerts, or the session data that makes them investigable? Some tools send alert metadata: policy violations, timestamps, users involved. Others forward broader telemetry — credential reuse, app logins, extension installs, phishing kit detections, file uploads, clipboard activity, OAuth consents. The difference determines whether your SOC can investigate from the SIEM event itself or needs to pivot back to the vendor's console for actual evidence.
What this looks like in practice
Push Security is a browser-based threat detection and response platform, deployed as a lightweight browser extension that can be rolled out across an organization in under an hour with no browser migration required. It treats AI visibility and control as features that extend naturally from the platform's underlying architecture: deep browser-layer telemetry that powers both attack detection and AI governance in a single tool.
With Push, you can:
- Detect and stop emerging browser-based attack techniques, including AI-enabled phishing and quickly evolving *Fix-style attacks.
- Benefit from Push's agentic detection pipeline, which continuously hunts across customer environments to identify emerging threats and ship new detections.
- Stream telemetry to your SIEM for a wide variety of events, including attack detections, newly installed browser extensions or newly adopted apps, updates to extension permissions, file uploads and downloads, clipboard pastes, app logins, credential reuse, OAuth consents, and more.
- Block file uploads and downloads.
- Block clipboard pastes of sensitive data, with regex-based patterns you can define.
- Write your own custom YAML rules targeting specific elements of the page DOM, web requests and responses, HTTP headers such as cookies, and more.
Security teams don't need to choose between stopping AI-enabled attacks and governing AI usage — or pay for two tools that each see half the picture.
If you'd like to learn more about Push, book a live demo.
Sponsored and written by Push Security.
<small>Source: Bleeping Computer</small>