  • Microsoft: The future is browser-native and we must secure it


    Karlston

    • 6.5k views
    • 3 minutes
    There is no doubt that web browsers have evolved a lot in the past few decades. Initially, they were intended to be the gateway to the World Wide Web, but in recent times they have grown so much in functionality that we now have AI agents running directly within them. Now, Microsoft has explained why it is so crucial to make browsers secure against digital threats.

    Microsoft has emphasized that the browser is the "universal workspace" where cloud, AI, and Software-as-a-Service (SaaS) converge, which is why the future is browser-native. The Redmond tech firm has highlighted that the average company accesses 106 SaaS applications from within the browser, and users spend an average of 6 hours and 37 minutes per day inside this particular piece of software.


    There are lots of drivers behind this high usage, including hardware-agnosticism, universal accessibility, frictionless installation, and AI as an "invisible layer". This is why it is imperative that organizations protect the areas that act as lucrative attack surfaces for malicious actors. Some examples are listed below:

    • Phishing & Social Engineering 2.0: Still a popular way to lure targets through copies of legitimate websites, pop-ups, deepfakes, QR codes, and more
    • Malicious OAuth and Consent Phishing: Malicious OAuth apps exploit legitimate authentication flows to gain unauthorized access, and are greatly underestimated
    • Session Hijacking, Token Theft: Includes exploitation through reused passwords, weak MFA, ignoring warnings, weak cookies/session token management, session hijacking, and social engineering
    • Zero-day, Sandbox Escape, Engine Bugs: Sophisticated malware may be able to perform a sandbox escape and compromise the system
    • Malicious Extensions, Plugins, and Add-ons: Malicious extensions are known to steal data without your knowledge; we covered a recent example here
    • Evasion, Smuggling, Last-mile Reassembly: Microsoft describes this as "network-level, traffic-inspection, URL-filtering vs what the browser sees remains a gap. Attackers exploit encoding fragmentation, chunking, content-decoding differences, obfuscation, ephemeral domains, interpretation mismatches and other mechanisms which let malicious payloads slip by filters and be executed by the browser."
    • Persistent Client-side Compromises, "Man-in-the-Browser": Involves keyloggers, credential stealers, session hijackers, cookie theft, and form-grabbers
    • Clickjacking and UI Redress Attacks: Invisible overlays that trick users into clicking harmful UI elements
    • Supply-chain, Trusted-component Compromise: Includes dependencies such as compromised third-party libraries, web pages, browser extension stores, and misused certificates
    • New and Expanded API Surfaces & User Data: Browsers now offer some very powerful APIs in terms of privileges, which can be targeted for exploitation
    • AI Integrated Browsers: This is a relatively new attack surface targeted by prompt injection attacks, context leakage, and data exposure

    Microsoft has noted that while browser usage has significantly increased over the past few years, there is still a notable gap in the implementation of security controls around them. This is something that the enterprise space needs to be mindful of as it adopts this technology for even more use cases.

    Source


    Hope you enjoyed this news post. Feedback welcome.

    Posted Saturday 18 October 2025 at 5:14 pm AEST (my time).
