The Browser: The New Center of Work — and Risk
The predominance of cloud-based apps and the trend towards remote work have made the browser the place where most work happens. In fact, about 85% of daily work takes place there.
In many ways, it’s a win for all involved.
Users can work from a wider range of locations and devices, accessing full “desktops” inside a browser tab. Organizations can manage apps and browser access more easily than through localized desktop software. This all allows for greater central management, lower costs and better flexibility.
But where work goes, attackers tend to follow.
In Unit 42’s 2025 Global Incident Response Report, nearly half of the incidents we investigated involved malicious activity launched or facilitated through employees’ browsers. Popular tactics include phishing, abuse of URL redirects and malware downloads – each one exploiting the browser session without adequate detection or blocking.
Securing the browser should be a high priority. In this blog, we’ll explain its unique risks and provide tips for defending it.
Why Browsers Fail: Common Pitfalls and Security Lapses
Google Chrome, Apple Safari, Mozilla Firefox and Microsoft Edge come from the biggest, most trusted names in tech. As such, users tend to treat the browser as a defense between the internet and the organization’s infrastructure.
Though browsers do provide some security through TLS connections, sandboxing and automatic updates, attackers still plant malicious traps for unsuspecting users to trip.
Social Engineering
Fraudulent emails, fake websites and login portals, malicious links and files – phishing attacks are largely conducted through browsers.
Browser Extensions
Marketplaces like the Google Web Store offer tens of thousands of extensions. Many of these extensions aren’t secure, and some are outright malicious—in fact, a Stanford University study found that 280 million Google Chrome users installed extensions containing malware over a three-year period.
Users who work on their personal devices face more risk. Unlike managed corporate environments, personal devices often lack centralized security policies and monitoring to vet or block suspicious extension installations. For example, an extension for converting files or finding retail discounts may hold malware.
Browser-Specific Tactics
Session hijacking tactics allow malware on the endpoint to steal session tokens from the browser in order to impersonate the user. Once a session is compromised, numerous other security controls can be bypassed. Cross-site scripting allows attackers to inject scripts into web-based apps. These scripts can steal user sessions, modify transactions or show fake login screens.
No Clicking Necessary
“Don’t click anything suspicious” is no longer valid advice. Malicious assets seem more authentic than ever, and many don’t even need clicking. Simply visiting a malicious or compromised website can cause malware to be downloaded and installed without the user’s knowledge or interaction.
A Lack of Policy
Many organizations don’t have the browser on their radar as part of the attack surface. As a result, they allow insecure protocols and lack an inventory of permissible extensions.
Think of the browser as the new endpoint. Through the browser, users access internal systems, sensitive information, source code, financial transactions and more.
Crucial Steps Every Defender Should Take
New tools are emerging that help secure the browser. For example, enterprise-grade secure browsers come with strict extension allow lists. They conduct data loss prevention based on context directly in the browser, enable role-based browsing permissions and more.
With or without these tools, organizations should still take steps to harden systems and pursue strategies that support browser security.
See all traffic without needing to decrypt it, by analyzing the encrypted traffic’s behavior rather than its contents.
Extend zero trust to the browser by implementing multi-factor authentication for every browser-based app and using step-up MFA for sensitive user actions. Tailor access rules according to context like device security posture, location or network.
Bring the browser into the fold of security by implementing tools that detect suspicious behavior like credential misuse, sensitive access from unknown devices and malware hidden in large files before they are downloaded.
Zero Trust: Implementation Strategies
Just as organizations would implement zero trust in internal systems, they should verify identity and control access tightly within the browser.
First things first: authenticate the user’s access permissions before they open the browser. Then, validate the user’s identity before granting access to any web app and apply conditional access.
Apply the principle of least privilege to SaaS and web apps — which users can access which apps and what they can do inside them — with granular last-mile data controls.
Assume all web traffic and extensions are risky. Only allow vetted, enterprise-approved extensions. Continuously monitor extensions and block them should they pose a risk.
Continuously monitor browser sessions for risky behavior and log everything. Perform continuous risk assessment regarding device health, user behavior and application risk.
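The extension allow-listing and monitoring step above can start with an inventory of what is actually installed. The following is an added example, not part of the original post or of any vendor product: a Python audit of a Chromium profile's Extensions directory against a list of approved extension IDs. The risky-permission set, the function names and the two sample extensions are assumptions constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# API permissions treated as high-risk: an assumption of this example, tune to your policy.
RISKY_APIS = {"cookies", "webRequest", "debugger", "nativeMessaging", "history"}

def is_broad_host(pattern):
    """True for match patterns covering every site, e.g. <all_urls> or https://*/*."""
    return pattern == "<all_urls>" or pattern.split("://", 1)[-1].startswith("*/")

def audit_extensions(ext_root, allowlist):
    """Inventory <profile>/Extensions/<id>/<version>/manifest.json against an allow list."""
    findings = []
    for manifest in sorted(Path(ext_root).glob("*/*/manifest.json")):
        ext_id = manifest.parent.parent.name
        try:
            data = json.loads(manifest.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            data = None  # unreadable manifest: report it rather than skip it
        requested = set()
        # Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
        for key in ("permissions", "optional_permissions", "host_permissions"):
            values = data.get(key, []) if isinstance(data, dict) else []
            requested.update(p for p in values if isinstance(p, str))
        findings.append({
            "id": ext_id,
            "version": manifest.parent.name,
            "name": data.get("name") if isinstance(data, dict) else None,
            "approved": ext_id in allowlist,
            "parse_error": not isinstance(data, dict),
            "risky": sorted(p for p in requested if p in RISKY_APIS or is_broad_host(p)),
        })
    return findings

def build_sample_profile():
    """Constructed sample data: two fake extensions with made-up IDs."""
    root = Path(tempfile.mkdtemp()) / "Extensions"
    samples = {
        "a" * 32: {"manifest_version": 3, "name": "Approved Notes", "permissions": ["storage"]},
        "b" * 32: {"manifest_version": 3, "name": "Coupon Finder",
                   "permissions": ["cookies", "tabs"], "host_permissions": ["https://*/*"]},
    }
    for ext_id, manifest in samples.items():
        version_dir = root / ext_id / "1.0.0_0"
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root

if __name__ == "__main__":
    for f in audit_extensions(build_sample_profile(), allowlist={"a" * 32}):
        if not f["approved"] or f["risky"] or f["parse_error"]:
            print(f"REVIEW {f['id']} ({f['name']}): approved={f['approved']} risky={f['risky']}")
```

Run against a real profile by passing its Extensions directory and your approved-ID set to audit_extensions; an extension that is unapproved, requests a risky permission or has an unreadable manifest is a candidate for review or blocking.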
Finalizing Your Playbook: Achieving Superior Browser Security
Our Prisma Browser combines zero trust principles by leveraging our cloud-delivered security services. It provides real-time traffic inspection without the need for encryption, malware prevention, URL filtering and data loss prevention across traffic — all without an agent. Working with Prisma Access, it secures access to internal applications without exposing them to the public internet, ensuring every user and device is continuously authenticated and authorized before access is granted.