Cybersecurity software regularly fails to detect and prevent the cyber-attacks they are designed to protect organizations from, especially within the bowser layer, research by Menlo Security has warned.
Published on June 9, Menlo Security’s 2026 Browser Threat Report found that one in five phishing attacks which target the enterprise browser users go completely undetected by the tools which are supposed to protect the network and its users from attacks.
Based on platform telemetry across millions of active browser sessions in enterprise customer environments between January 1 and March 31 2026, the research warned that threat actors are gaining entry to enterprise environments through the browser session layer.
The problem, the paper said, is that attacks via the browser target areas which many traditional enterprise cybersecurity products are not designed to identify or prevent suspicious activity in.
Enterprise activities like email, SaaS applications, collaboration tools, AI assistants, financial systems and credential management software now commonly take place inside a browser session rather than within an application.
But many enterprise security products are not built with this in mind, creating opportunities for cybercriminals. One out of five phishing links actively engaged by users went completely undetected by legacy URL filtering, according to Menlo.
“The tools most enterprises rely on are performing exactly as designed. That is the problem. None of them were built to operate at the browser session layer, and that is precisely where attackers have learned to live,” said Bill Robbins, CEO of Menlo Security.
Social Engineering as a Security Bypass
One of the key issues surrounding browser-based attacks is that they don’t just exploit technical vulnerabilities, they actively exploit how people interacts with the browser too.
Humans regularly need to interact with in-browser alerts such as CAPTCHAs, error messages and Cloudflare verification screens. Attackers have responded to this by adapting their social engineering techniques to fit this reality.
For example, by deploying ClickFix attacks, the attacker encourages the human to paste code into tools which are not typically monitored by cybersecurity solutions.
Or even if they are, because the victim has run the command themselves, the activity bypasses technical controls on ‘malicious behavior’ because the activity is viewed as a legitimate user performing a legitimate action. Either way, the nature of modern phishing attacks has found ways to bypass traditional defenses.
According to Menlo, to counter this threat, organizations must pay more attention to securing the browser session layer.
“Enterprises that govern this layer will be positioned to protect both their workforce and the AI agent sessions already operating in their environments by default. Those that don’t will continue relying on tools built for a threat model attackers have moved on from,” the company said.
