TTPwire Vol. 1 · MITRE ATT&CK·Tagged

GuidePoint Security

From Malware and Exploits to Apps and Identities: How the Browser Became the Battleground

GuidePoint Security · 2026-04-08

ATT&CK techniques detected

16 predictions
T1566.002 Spearphishing Link (98%)
“… The ecosystem is powered by phishing-as-a-service kits. Tycoon 2FA is the most prevalent according to Push Security detection data — accounting for around 59% of AiTM detections — followed by Sneaky2FA, FlowerStorm, Evilginx, NakedPages, and Gabagool. These kits are cont…”

T1555.003 Credentials from Web Browsers (96%)
“From Malware and Exploits to Apps and Identities: How the Browser Became the Battleground. April 8, 2026. Guest Author: Dan Green, Security Researcher, Push Security. TL;DR - With browser attack techniques creating new challenges, security tools need to move up the stack to keep…”

T1176.001 Browser Extensions (91%)
“… configuration from a remote server, allowing the attacker to vary payloads per browser and only trigger on specific pages — making both static and dynamic analysis unreliable. The broader campaign affected 2.6 million users. A more recent campaign dubbed “GhostPoster” used sim…”

T1557 Adversary-in-the-Middle (81%)
“… techniques, abusing legitimate services and authentication flows. Attackers are following a familiar playbook: hijack apps via accounts, dump the data, and profit through data resale and extortion. Many traditional security tools are effectively bypassed by operating inside the …”

T1204.004 Malicious Copy and Paste (78%)
“… uses a human-operated AiTM kit. The attacker calls the victim impersonating IT, directs them to a company-branded phishing page, captures their session in real time, and then intercepts a passkey enrolment to establish persistent access. Because the phishing domains only acti…”

T1528 Steal Application Access Token (71%)
“…-native ClickFix variants going forward. OAuth abuse: bypassing authentication entirely. Malicious OAuth integrations sidestep the authentication process altogether. Rather than stealing credentials or sessions, the attacker gets the victim to authorise an app connection on a le…”

T1176 Software Extensions (71%)
“… configuration from a remote server, allowing the attacker to vary payloads per browser and only trigger on specific pages — making both static and dynamic analysis unreliable. The broader campaign affected 2.6 million users. A more recent campaign dubbed “GhostPoster” used sim…”

T1566.002 Spearphishing Link (69%)
“… uses a human-operated AiTM kit. The attacker calls the victim impersonating IT, directs them to a company-branded phishing page, captures their session in real time, and then intercepts a passkey enrolment to establish persistent access. Because the phishing domains only acti…”

T1671 Cloud Application Integration (66%)
“… tenant. The app requested broad OAuth scopes including full API access and the ability to generate refresh tokens without re-authentication. The result: a claimed 1,000+ organizations compromised and 1.5 billion records exfiltrated. And with a tracked 15x increase in device…”

T1557.001 Name Resolution Poisoning and SMB Relay (63%)
“… techniques, abusing legitimate services and authentication flows. Attackers are following a familiar playbook: hijack apps via accounts, dump the data, and profit through data resale and extortion. Many traditional security tools are effectively bypassed by operating inside the …”

T1598 Phishing for Information (62%)
“… The ecosystem is powered by phishing-as-a-service kits. Tycoon 2FA is the most prevalent according to Push Security detection data — accounting for around 59% of AiTM detections — followed by Sneaky2FA, FlowerStorm, Evilginx, NakedPages, and Gabagool. These kits are cont…”

T1176 Software Extensions (50%)
“… tenant. The app requested broad OAuth scopes including full API access and the ability to generate refresh tokens without re-authentication. The result: a claimed 1,000+ organizations compromised and 1.5 billion records exfiltrated. And with a tracked 15x increase in device…”

T1528 Steal Application Access Token (49%)
“… SSO is configured. These don’t appear in IdP logs, often lack MFA at the app level, and can sit undetected for years. There are many reasons these persist. Apps often charge extra for SAML SSO — if they offer it at all. Even when it’s supported, someone needs to configure it.…”

T1598.003 Spearphishing Link (40%)
“… The ecosystem is powered by phishing-as-a-service kits. Tycoon 2FA is the most prevalent according to Push Security detection data — accounting for around 59% of AiTM detections — followed by Sneaky2FA, FlowerStorm, Evilginx, NakedPages, and Gabagool. These kits are cont…”

T1528 Steal Application Access Token (38%)
“… tenant. The app requested broad OAuth scopes including full API access and the ability to generate refresh tokens without re-authentication. The result: a claimed 1,000+ organizations compromised and 1.5 billion records exfiltrated. And with a tracked 15x increase in device…”

T1111 Multi-Factor Authentication Interception (36%)
“… techniques, abusing legitimate services and authentication flows. Attackers are following a familiar playbook: hijack apps via accounts, dump the data, and profit through data resale and extortion. Many traditional security tools are effectively bypassed by operating inside the …”

Summary

Guest Author: Dan Green, Security Researcher, Push Security

TL;DR - With browser attack techniques creating new challenges, security tools need to move […]