A surge in browser-based phishing attacks has been recorded over the past year, with 752,000 incidents identified – marking a 140% increase year-over-year (YoY) between 2023 and 2024. The rise of artificial intelligence (AI)-driven phishing techniques and the exploitation of enterprise browsers have contributed to this trend.
According to a new report by Menlo Security, cybercriminals are increasingly focusing on browsers as their primary attack vector, leveraging sophisticated evasion techniques, social engineering and zero-day vulnerabilities to bypass traditional security measures.
The report identified more than 170,000 zero-hour phishing attacks in the last 12 months, reflecting a 130% increase from 2023. Additionally, one in five attacks leveraged evasion techniques to bypass security controls.
“Malicious actors are quick to develop new techniques to evade detection and [...] increase the number of browser-based phishing attacks,” said Thomas Richards, principal consultant at Black Duck.
The report also highlights a sharp rise in credential phishing campaigns, often masquerading as trusted enterprise applications or using deceptive branding to lure victims into providing sensitive information.
“Phishers exploit the high public interest in GenAI by imitating popular AI platforms, banking on user curiosity and trust in cutting-edge technology,” explained Jason Soroko, senior fellow at Sectigo.
The report outlines several notable trends related to these attacks:
- Brand impersonation was used in 51% of browser-based phishing attacks
- GenAI names were used to deceive users in nearly 600 phishing incidents
- Zero-day vulnerabilities in popular browsers such as Chrome and Edge were exploited
- Abuse of Cloudflare services for phishing increased by 104% in 2024
- Phishing-as-a-service (PhaaS) was adopted, facilitating large-scale attacks
Protections Against Browser-Based Attacks
“The threat landscape will continue to intensify significantly with faster, more sophisticated attacks leveraging both new and reinvented techniques,” said Stephen Kowski, field CTO at SlashNext. “Attackers will continue exploiting trusted platforms and using GenAI to create more convincing phishing campaigns at an unprecedented scale.”
Despite increased investment in cybersecurity, traditional defenses such as firewalls and secure web gateways are proving inadequate against these evolving threats. Attackers are refining their methods and deploying evasive techniques that slip past detection, including fileless malware and memory-only payloads.
“Organizations are making risky trade-offs by relying on basic security tools and default email protection instead of investing in comprehensive security solutions,” Kowski added.
To combat these threats, organizations must adopt proactive security measures.
Secure cloud browsing solutions can isolate user activity from enterprise networks to prevent malicious content from compromising systems. Meanwhile, AI-enhanced threat detection tools can help identify and neutralize sophisticated phishing campaigns before they cause damage.
“Organizations must adopt real-time, AI-driven mobile security to detect and block phishing before users are compromised,” said Krishna Vishnubhotla, vice president of product strategy at Zimperium. “Relying on outdated defenses is no longer enough – security must evolve as fast as the threats.”