The security alert arrives Monday morning. An employee's session token was stolen Friday afternoon. By Saturday, attackers had accessed Salesforce, downloaded customer data from SharePoint, and moved laterally through Slack channels. Every access used valid credentials. Every login passed through your zero trust gateway. MFA was enabled and functioning. The session itself was hijacked, not the credentials.
This scenario defines 2025's fastest-growing threat vector. Over 85% of the workday now occurs in browsers, accessing SaaS applications and cloud services that contain the organization's most sensitive data. Browser-based attacks accounted for nearly half of all incidents investigated in 2025, yet most security architectures still treat the browser as a trusted endpoint rather than a threat surface. Researchers discovered over 20 billion stolen cookie records (an average of 2,000 per infected device), revealing how systematically attackers now target sessions rather than credentials.
The ShadyPanda campaign exposed the scale of the problem. Threat actors spent seven years building trust in legitimate browser extensions, accumulating 4.3 million installations before flipping them into malware via silent updates. Extensions that users had relied on for years suddenly began stealing session cookies, impersonating SaaS accounts, and exfiltrating data, all while operating inside zero trust perimeters with fully authenticated sessions.
Why zero trust architecture missed the browser layer
Zero trust revolutionized security by eliminating network-based trust assumptions. The architecture validates identity at every access request, applies least privilege, and in principle re-evaluates access continuously. In practice most deployments make the policy decision once, at sign-in: identity verification and MFA are the critical gate, and the session token issued afterwards becomes the bearer proof of that decision. Every subsequent request that presents the token is trusted without asking who is presenting it.
Attackers adapted. They no longer target passwords; they target the session itself. After a successful sign-in the browser holds session tokens: session cookies, OAuth access and refresh tokens, and similar short-lived keys that keep the session alive without re-entering credentials. They live in the cookie jar, in localStorage or sessionStorage, and in browser process memory, and nearly all of them are bearer tokens, meaning whoever presents one is treated as the user. Stealing one bypasses the entire authentication layer, MFA included, because the validation it represents has already happened.
The technical gap is structural. Zero trust architectures verify identity at the authentication boundary, then trust the session. Browser security operates at a different layer: session tokens, browser extensions, and in-browser behavior all exist inside the authenticated perimeter. Firewalls, network gateways, and endpoint detection have no view of what happens inside the browser session itself, and DLP, EDR, and SSE inspect files, processes, or traffic rather than what an authenticated session is doing, so a hijacked session that only reads and downloads what the user is permitted to see looks exactly like the user.
The technical mechanics of browser session compromise
Modern phishing kits evolved into Attacker-in-the-Middle (AitM) platforms that sit between the victim and the legitimate service, proxying the real login page through a lookalike domain. The user enters credentials and completes the MFA challenge on the proxied page; the real service accepts them and issues a session cookie, which the kit captures in transit. The password and one-time code also pass through the proxy, but the attacker does not need them: the cookie carries the already-authenticated session and grants the same access as the legitimate user with no further challenge. The one factor this proxying cannot capture is phishing-resistant MFA (FIDO2/WebAuthn): the authenticator's signature is bound to the origin it actually sees, and the proxy's lookalike origin is not the service's, so the sign-in never completes.
The attack sequence is straightforward. Attackers distribute phishing links through channels that bypass email security: SMS, Slack, Teams, LinkedIn, malicious ads, or SaaS in-app messaging. The victim authenticates normally, completing every security challenge. The AitM kit captures the resulting session cookie and replays it from the attacker's own infrastructure, which then holds an authenticated session the service cannot distinguish from the victim's.
Browser extensions provide another pathway. 99% of enterprise users have at least one extension installed, with over half granting high or critical permissions. An extension holding the cookies permission plus broad host access can read session cookies (HttpOnly ones included) for every site the user is signed in to, and a content script that matches every URL can read page content and send it anywhere. The ShadyPanda operators demonstrated how trusted extensions become attack infrastructure. They published or acquired harmless extensions, operated them cleanly for years, then pushed malicious updates. Chromium auto-updates extensions and only prompts when an update adds permissions that raise new warnings, so an extension that already held broad permissions could change its behavior with no user interaction at all, stealing session cookies, impersonating SaaS accounts, and exfiltrating data through the extension itself, past DLP controls.
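As an added example (not code from the ShadyPanda research or from DeepTempo), the script below scores an extension manifest for exactly the capability described above and diffs the permissions an update introduces. The permission names are real Chrome extension API permissions; the weights, the level thresholds and the two constructed manifests are assumptions for illustration.

```python
"""Score a Chromium extension manifest for session-theft capability and diff
permissions across an update. Added example, not code from the ShadyPanda
research or from DeepTempo. Permission names are real Chrome extension API
permissions; weights, thresholds and both manifests are assumptions."""
import json

# API permissions that, paired with broad host access, let an extension read
# session material or page content and exfiltrate it.
RISK_WEIGHTS = {
    "cookies": 3,      # chrome.cookies reads cookies for matching hosts, HttpOnly included
    "debugger": 3,     # DevTools protocol on any tab
    "webRequest": 2,   # observe request/response headers
    "scripting": 2,    # inject JS into pages
    "clipboardRead": 2,
    "tabs": 1,         # tab URLs and titles
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def host_scope(manifest):
    """All host patterns the extension can touch: MV2 lists them in
    `permissions`, MV3 in `host_permissions`; content_scripts matches count too."""
    hosts = set()
    for p in manifest.get("permissions", []) + manifest.get("host_permissions", []):
        if p == "<all_urls>" or "://" in p:
            hosts.add(p)
    for cs in manifest.get("content_scripts", []):
        hosts.update(cs.get("matches", []))
    return hosts


def score_manifest(manifest):
    """Return (level, score, reasons) for one manifest dict."""
    api = [p for p in manifest.get("permissions", []) if p in RISK_WEIGHTS]
    hosts = host_scope(manifest)
    score = sum(RISK_WEIGHTS[p] for p in api)
    reasons = [f"{p} (+{RISK_WEIGHTS[p]})" for p in api]
    if hosts & BROAD_HOSTS:
        score *= 2  # the same capability on every origin, the IdP included
        reasons.append("broad host access: " + ", ".join(sorted(hosts & BROAD_HOSTS)))
        if "cookies" in api:
            reasons.append("can read session cookies of every site the user is signed in to")
    level = ("critical" if score >= 12 else "high" if score >= 6
             else "medium" if score >= 2 else "low")
    return level, score, reasons


def permission_delta(old, new):
    """API permissions and hosts an update added. An update that adds none
    raises no prompt, yet can still swap in malicious code."""
    added_api = sorted(set(new.get("permissions", [])) - set(old.get("permissions", [])))
    added_hosts = sorted(host_scope(new) - host_scope(old))
    return added_api, added_hosts


# Constructed manifests: the version a user installed long ago, and the
# version a later update replaced it with.
MANIFEST_V1 = json.loads("""{
  "manifest_version": 3, "name": "Tab Tidy", "version": "1.4.0",
  "permissions": ["tabs", "storage"]
}""")
MANIFEST_V2 = json.loads("""{
  "manifest_version": 3, "name": "Tab Tidy", "version": "2.0.1",
  "permissions": ["tabs", "storage", "cookies", "webRequest", "scripting"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}]
}""")

if __name__ == "__main__":
    for m in (MANIFEST_V1, MANIFEST_V2):
        level, score, reasons = score_manifest(m)
        print(f"{m['name']} {m['version']}: {level} ({score})")
        for r in reasons:
            print("   -", r)
    print("update added:", permission_delta(MANIFEST_V1, MANIFEST_V2))
```

Run it over the manifest.json files in the browser's extension directory on managed endpoints. Because Chromium disables an updated extension until the user accepts newly added permission warnings, the quiet path for an operator is an update that adds no permissions; the inventory question is therefore which installed extensions already hold cookies plus broad host access today, since those can change behavior without any prompt.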
What attackers accomplish through hijacked sessions
A Microsoft report emphasized that 80% of recent MFA bypass incidents occurred through session token abuse. Once an attacker controls a session token, they possess the same access rights as the legitimate user. They authenticate to SaaS applications, access cloud resources, read confidential data, and move laterally to connected systems, all without triggering authentication challenges.
The timeline extends across days or weeks. Attackers steal session tokens Friday evening when security teams are off. They spend the weekend exploring accessible data and mapping system connections. By Monday, they've exfiltrated critical information or established persistent access. The legitimate user never logged out, MFA challenges never triggered, and zero trust gateways saw only properly authenticated traffic.
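The weekend timeline above leaves one server-side trace even though no authentication challenge fires: the same session token is presented from a client context that differs from the one it was issued to. The following added example (not DeepTempo's code and not any identity provider's built-in logic) flags that drift in SaaS or IdP activity logs. The log format (session id, timestamp, event, IP, ASN, user agent), the ASN field, which is assumed to be resolved upstream from the IP, and the sample lines are all constructed for illustration.

```python
"""Flag a session token used from a client context other than the one it
was issued to. Added example, not DeepTempo's code or any IdP's built-in
logic. The pipe-delimited log format, the ASN field (assumed resolved
upstream from the IP) and the sample lines are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Event:
    session_id: str
    ts: datetime
    event: str        # "auth" when the token is issued, otherwise an activity
    ip: str
    asn: str
    user_agent: str


def parse_line(line):
    sid, ts, ev, ip, asn, ua = line.strip().split("|")
    return Event(sid, datetime.fromisoformat(ts), ev, ip, asn, ua)


def detect_session_replay(lines):
    """Return {session_id: [reason, ...]} for sessions whose later use differs
    from the context present at authentication. No MFA prompt fires for these
    events, so context drift is the only server-side signal."""
    by_session = defaultdict(list)
    for line in lines:
        if line.strip():
            e = parse_line(line)
            by_session[e.session_id].append(e)
    findings = {}
    for sid, events in by_session.items():
        events.sort(key=lambda e: e.ts)
        issued = next((e for e in events if e.event == "auth"), None)
        if issued is None:
            findings[sid] = ["no authentication event in window; context cannot be bound"]
            continue
        reasons = []
        for e in events:
            if e.event == "auth":
                continue
            drift = []
            if e.asn != issued.asn:
                drift.append(f"network {e.asn} != {issued.asn}")
            if e.user_agent != issued.user_agent:
                drift.append(f"client '{e.user_agent}' != '{issued.user_agent}'")
            if drift:
                reasons.append(f"{e.ts.isoformat()} {e.event} from {e.ip}: " + "; ".join(drift))
        if reasons:
            findings[sid] = reasons
    return findings


# Constructed log: a Friday sign-in whose token is replayed Saturday night
# from a hosting-provider address, and one ordinary session for contrast.
SAMPLE_LOG = """\
s-1001|2025-11-14T16:02:11|auth|203.0.113.10|AS64500-CorpISP|Chrome/131 Windows
s-1001|2025-11-14T16:05:40|sfdc.report.view|203.0.113.10|AS64500-CorpISP|Chrome/131 Windows
s-1001|2025-11-15T02:13:05|sfdc.report.export|198.51.100.77|AS64511-VPSHost|Chrome/131 Linux
s-1001|2025-11-15T02:20:19|sharepoint.bulk_download|198.51.100.77|AS64511-VPSHost|Chrome/131 Linux
s-2002|2025-11-14T09:00:00|auth|192.0.2.44|AS64500-CorpISP|Safari/18 macOS
s-2002|2025-11-14T09:30:12|slack.channel.read|192.0.2.44|AS64500-CorpISP|Safari/18 macOS
"""

if __name__ == "__main__":
    for sid, reasons in detect_session_replay(SAMPLE_LOG.splitlines()).items():
        print(sid)
        for r in reasons:
            print("   -", r)
```

ASN and user-agent drift also happen legitimately (mobile roaming, a browser upgrade mid-session), so the right response to a hit is step-up authentication and revocation of the token rather than an automatic lockout. The check needs the SaaS or identity provider's audit logs; nothing on the victim's network sees the attacker's replayed requests.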
The confluence of browser risk and workspace transformation
The shift to SaaS and cloud-based workflows transformed the browser from an application into the primary workspace. 90% of organizations allow employees to access corporate data from personal BYOD devices, extending work beyond managed endpoints. Employees access email, customer data, financial systems, and collaboration tools entirely through browser tabs, often outside corporate networks and without VPN connections. Many applications that appear to be native desktop software (Slack, Teams, VS Code, Discord) are actually Chromium rendering engines packaged by frameworks such as Electron or WebView2, so they inherit the same session-based exposure while presenting as trusted desktop applications.
This workspace transformation expanded the attack surface. Each SaaS application is a potential target. Each browser extension holds permissions that could be abused. Each session token provides access that can be stolen. The proliferation of GenAI tools adds another dimension: nearly half of employees use GenAI tools through unmanaged accounts outside IT visibility. Sensitive data pasted into prompt fields, sessions that bypass SSO, and AI features that ingest whatever is on the page all occur within the browser, invisible to network-based controls.
The convergence of these factors creates a parallel threat surface. Traditional security focused on network perimeter, endpoint protection, and application security. Browser-based attacks operate inside all these perimeters. The browser session exists on the endpoint, accesses applications through the network, but the actual attack surface (session tokens, extension permissions, in-browser behavior) sits in a layer that traditional controls don't inspect.
What detection requires at the network flow layer
Detecting the abuse of a hijacked session doesn't require decrypting it or inspecting the authenticated browser activity from inside. The network flow patterns reveal malicious intent regardless of whether HTTPS encrypts the traffic or whether the session is fully authenticated. Reconnaissance and exfiltration produce distinctive behavioral timelines (who talks to whom, how much, how often, and in what order) that remain visible at the flow level.
When network flows exhibit reconnaissance patterns (systematic connections to multiple SaaS applications testing permissions, enumeration of accessible resources across different services, discovery queries following predictable sequences), that behavioral timeline structure indicates compromise regardless of session authentication. When flows follow exfiltration patterns (sustained bulk transfers to unfamiliar cloud storage, API call sequences to external endpoints, large outbound data movements to unmanaged locations), that structure indicates malicious intent regardless of whether the browser session uses valid credentials.
DeepTempo's approach focuses on analyzing network flow behavioral timelines between endpoints. The foundation model learns what reconnaissance behavioral timelines structurally look like at the network level, what data exfiltration behavioral timelines look like, and what normal operational activity looks like. Classifiers then interpret these flow patterns to determine what each behavioral timeline is attempting to accomplish. Encrypted HTTPS sessions and authenticated browser activity don't obscure these patterns because the network flows themselves reveal intent through volume, timing, destinations, and structural relationships between endpoints.
The broader requirement is detecting malicious behavioral timelines at the network level, where encryption and authentication don't hide intent: analyzing flow patterns between endpoints, identifying when the structure of network activity reveals reconnaissance or exfiltration, and flagging malicious objectives even when the flows originate from an authenticated browser session. Traditional controls focused on preventing unauthorized access; network flow-based detection identifies malicious activity within authorized sessions by recognizing the structural patterns that attacks create regardless of encryption or credential validity. One practical requirement follows from how stolen tokens are used: a cookie replayed from attacker infrastructure produces flows between that infrastructure and the SaaS provider, not from the victim's laptop, so the telemetry has to cover the path the session actually takes, whether that is an SSE or proxy egress point, cloud VPC flow logs, or the SaaS provider's own access logs, and not only the corporate LAN.
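To make the two flow-level patterns concrete (the reconnaissance fan-out and the sustained bulk transfer described above), here is an added example that is not DeepTempo's model or product code: two fixed-threshold detectors run over constructed flow records, where DeepTempo's approach would instead use a learned model. The record shape (timestamp, source, destination, bytes out, bytes in), every threshold, and both data sets are assumptions; the destination is a hostname assumed to be resolved upstream from DNS or TLS SNI, since the payload itself is encrypted.

```python
"""Flow-level detection of reconnaissance and exfiltration timelines over
constructed flow records. Added example, not DeepTempo's model or product
code. Record shape, thresholds and data sets are assumptions; dst is a
hostname assumed resolved upstream from DNS or TLS SNI."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    bytes_out: int  # client to server
    bytes_in: int   # server to client


def parse_flow(line):
    ts, src, dst, out_b, in_b = line.strip().split(",")
    return Flow(datetime.fromisoformat(ts), src, dst, int(out_b), int(in_b))


def learn_baseline(flows):
    """Destinations each source talked to during a known-clean period."""
    base = defaultdict(set)
    for f in flows:
        base[f.src].add(f.dst)
    return base


def detect_recon(flows, baseline, window=timedelta(minutes=10), min_fanout=5, min_new=3):
    """Fan-out: one source touching many distinct destinations inside one
    window, several of them outside its baseline. Emits once per burst."""
    findings, recent = [], defaultdict(deque)
    for f in sorted(flows, key=lambda x: x.ts):
        q = recent[f.src]
        q.append(f)
        while f.ts - q[0].ts > window:  # drop flows older than the window
            q.popleft()
        dsts = {x.dst for x in q}
        new = dsts - baseline.get(f.src, set())
        if len(dsts) >= min_fanout and len(new) >= min_new:
            findings.append({"src": f.src, "start": q[0].ts, "end": f.ts,
                             "destinations": sorted(dsts), "new": sorted(new)})
            q.clear()
    return findings


def detect_exfil(flows, baseline, min_bytes_out=100_000_000, min_ratio=10.0):
    """Bulk upload: per (src, dst) outbound volume above a floor and heavily
    upload-dominated, to a destination the source never talked to before."""
    agg = defaultdict(lambda: {"out": 0, "in": 0, "first": None, "last": None, "flows": 0})
    for f in sorted(flows, key=lambda x: x.ts):
        a = agg[(f.src, f.dst)]
        a["out"] += f.bytes_out
        a["in"] += f.bytes_in
        a["first"] = a["first"] or f.ts
        a["last"] = f.ts
        a["flows"] += 1
    findings = []
    for (src, dst), a in agg.items():
        ratio = a["out"] / max(a["in"], 1)
        if dst not in baseline.get(src, set()) and a["out"] >= min_bytes_out and ratio >= min_ratio:
            findings.append({"src": src, "dst": dst, "bytes_out": a["out"], "ratio": round(ratio, 1),
                             "flows": a["flows"], "duration": a["last"] - a["first"]})
    return findings


# Constructed data: a clean weekday for workstation ws-17, then the Saturday
# night on which a session from that workstation is abused.
BASELINE_CSV = """\
2025-11-10T09:01:00,ws-17,login.salesforce.com,18000,240000
2025-11-10T09:05:00,ws-17,outlook.office365.com,120000,3100000
2025-11-10T10:30:00,ws-17,app.slack.com,90000,1400000
2025-11-10T14:00:00,ws-17,example-corp.sharepoint.com,60000,9800000
"""
WEEKEND_CSV = """\
2025-11-15T02:10:00,ws-17,login.salesforce.com,9000,120000
2025-11-15T02:11:00,ws-17,example-corp.sharepoint.com,7000,90000
2025-11-15T02:12:00,ws-17,graph.microsoft.com,6000,70000
2025-11-15T02:13:00,ws-17,admin.google.com,5000,40000
2025-11-15T02:14:00,ws-17,api.github.com,8000,60000
2025-11-15T02:15:00,ws-17,app.slack.com,7000,80000
2025-11-15T02:40:00,ws-17,files.example-storage.net,60000000,45000
2025-11-15T03:05:00,ws-17,files.example-storage.net,55000000,40000
2025-11-15T03:30:00,ws-17,files.example-storage.net,52000000,38000
2025-11-15T08:00:00,ws-17,outlook.office365.com,150000,2900000
"""


def run():
    base = learn_baseline(parse_flow(l) for l in BASELINE_CSV.splitlines())
    observed = [parse_flow(l) for l in WEEKEND_CSV.splitlines()]
    return detect_recon(observed, base), detect_exfil(observed, base)


if __name__ == "__main__":
    recon, exfil = run()
    for r in recon:
        print("recon:", r["src"], r["start"].time(), "->", r["end"].time(), "new:", r["new"])
    for x in exfil:
        print("exfil:", x["src"], "->", x["dst"], x["bytes_out"], "bytes over", x["duration"])
```

The sensor placement determines what these detectors can see: run at an SSE egress or on cloud VPC flow logs they observe the session's traffic wherever it originates, whereas on the corporate LAN alone they miss a token replayed from attacker infrastructure. The thresholds are illustrative and need tuning per environment; the page's approach replaces them with a model trained on what these timelines look like.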
Closing note
Browser-based attacks transitioned from edge cases to primary threat vectors throughout 2025. The statistics are unambiguous: over 85% of work happens in browsers, researchers have catalogued more than 20 billion stolen cookie records, and nearly half of all incidents investigated involved browser-based compromise. Organizations that secured authentication but left sessions unmonitored will keep discovering breaches that operated inside their zero trust perimeters on fully validated credentials.
The threat is not hypothetical. Session tokens are being stolen right now through compromised extensions, AitM phishing, and infostealer malware. Those tokens provide authenticated access to SaaS applications, cloud resources, and sensitive data. The advantage of network flow-based detection is that malicious behavioral timelines remain visible regardless of encryption or session authentication. Exfiltration, reconnaissance, and lateral movement create distinctive flow patterns that reveal intent at the network level where browser-based obfuscation cannot hide them.
MITRE ATT&CK tactics: Initial Access, Credential Access, Defense Evasion, Collection. Techniques discussed: T1566 (Phishing), T1557 (Adversary-in-the-Middle), T1539 (Steal Web Session Cookie), T1550.004 (Use Alternate Authentication Material: Web Session Cookie), T1176 (Browser Extensions).
Related reading:
- Living off the land: Why our security theater is missing the real show
- Attackers don't use indicators and detection shouldn't either
- From packets to patterns: How foundation models detect network threats
Get in touch to run a 30 day risk-free assessment in your environment. DeepTempo will analyze your existing data to identify threats that are active. Catch threats that your existing NDRs and SIEMs might be missing!