State of Browser Attacks Series
Join the industry's top security minds as they break down the browser attack landscape — from credential theft to AiTM phishing and beyond.
Why the Browser is the New Battleground
A Deep Dive with John Hammond and Luke Jennings
The browser is the new endpoint, and it's under attack. Attacks are happening entirely inside the browser sandbox, targeting applications directly over the internet, and blending in with legitimate web and network traffic, application access, and user activity. This is a significant challenge for security teams. Existing security tools can't get visibility of what's happening inside the browser. Attackers know this, and are ruthlessly exploiting the browser blindspot. This is fuelling a lot of attacker innovation, with new tools and techniques constantly emerging.
Push Security VP R&D Luke Jennings is joined by John Hammond, Senior Principal Security Researcher at Huntress, to demonstrate the latest browser-based attack techniques. Ride along with Luke and John as they analyse real-world attacks, covering:
- ConsentFix, the browser-native ClickFix attack linked to Russian APTs
- Session-stealing, MFA-bypassing phishing campaigns targeting enterprises over LinkedIn and Google Ads
- The latest social engineering tradecraft and detection evasion techniques
- What the future of browser-based attacks looks like and what security teams can do about it
Yes, You've Been Pwned
Analyzing Stolen Credential Attacks with Troy Hunt and Mark Orlando
It wasn't supposed to be like this. Passwords were supposed to be dead (just ask Bill Gates). But it's 2026, and we're still talking about the risk posed by compromised credentials.
Despite advancements in passwordless authentication, big pushes from organizations like Microsoft to remove passwords by default, and the rise in support for SSO and MFA, we're still seeing data breaches track back to vulnerable accounts using weak, breached, and reused passwords.
The reality we see at Push is that employees have anywhere between 3 and 100 accounts (average 15) across their business apps. For the last 1 million+ logins that Push recorded, more than a quarter (26%) were password logins. Of those password logins, 18% had a password security issue — reused, easily guessable, already leaked in a public breach list, or actively for sale in criminal forums. And on the whole, 2 in 5 accounts we see aren't protected by MFA. That creates a vast attack surface waiting to be exploited. And with literally billions of credentials available online, fed by a constant stream of infostealer compromises, phishing campaigns, and data breaches, attackers have a lot of room to work.
Push's Field CTO Mark Orlando is joined by Troy Hunt, creator of Have I Been Pwned, to discuss the compromised credential landscape. We'll cover:
- Troy's insights on how identity attacks have evolved (and how they haven't) over the last decade
- The latest trends driving new credential dumps
- The reality of controls like MFA, SSO, and passkeys in combating password risk
- The threat of backdoor "ghost logins"
- The hidden implications when your credentials are leaked
- What the future of passwords really looks like
Security Theater vs. Security That Works
Why your controls aren't doing what you think they are — and what actually stops attackers.
Modern enterprises have invested heavily in security: email gateways, endpoint agents, network monitoring, SIEM, SOAR, and more. Yet breaches keep happening. And they're not happening in the sophisticated ways most security teams are preparing for.
Attackers aren't burning zero-days or crafting complex exploit chains. They're simply logging into apps over the internet with stolen or phished credentials, dumping sensitive data, and cashing out. No endpoint malware. No noisy lateral movement. And ultimately, no alerts firing.
The uncomfortable truth is that the security stack was built for a world that no longer exists. The perimeter moved to identity. Work moved to the browser. But detection and response never followed. The result is a growing gap between what organizations think they're protected against and where attacks are actually landing.
It's security theater, and attackers know it.
Push Security Field CTO Mark Orlando is joined by Matt Johansen for an honest look at where enterprise security is falling short and what actually works.