Browsers: your biggest risk you’re staring at all day

This piece argues the humble web browser has become a prime battleground: the author claims over 80% of security incidents now start in browser-based apps and spotlights Scattered Spider (aka UNC3944 / Octo Tempest / Muddled Libra) for targeting identities and data inside Chrome, Edge, Firefox and friends. Their playbook includes browser-in-the-browser overlays, autofill theft, session/cookie hijacking to bypass MFA, malicious extensions/drive-by JavaScript, and in-browser reconnaissance via web APIs.
To counter this, the article proposes making the browser a first-class security control: runtime script protection to block credential theft; session token protections tied to device/identity context; extension governance; throttling or deceiving noisy web APIs used for recon; and feeding browser telemetry into SIEM/SOAR/ITDR. It maps these to use cases (phishing prevention, extension control, GenAI governance, DLP, BYOD, zero trust) and finishes with a CISO checklist (assess risk, enable browser protection across major browsers, define contextual policies, integrate telemetry, train staff, test often). It’s a contributed partner article with a call-to-action to speak to Seraphic.

Here’s a plot twist: the biggest “endpoint” in your company is the browser. With work racing into SaaS, attackers are skipping noisy malware and going straight for the tabs where your sessions, creds and cookies live. Groups like Scattered Spider (UNC3944 / Octo Tempest / Muddled Libra) have turned this into an art form. Cheery.

How the bad stuff happens
• Fake pop-ups & overlays pinch passwords: a browser-in-the-browser page draws a convincing SSO login window, URL bar and all, entirely in HTML inside the real tab.
• Autofill & saved logins are raided for credentials the user never meant to type on that page.
• Session tokens/cookies are swiped after a successful login, so the attacker replays a session that has already passed MFA and never sees a prompt.
• Malicious extensions & drive-by scripts run inside the browser, where they can read what the user reads: page content, form input, the lot.
• Web-API recon (navigator, screen and similar calls) fingerprints users and maps which SaaS apps you run.

What to do about it (that actually works)
1. Block nasty scripts at runtime, before they can read form fields or cookies, so credential theft is stopped at the source rather than detected afterwards.
2. Tie session tokens to context (device posture, identity, network) so a cookie replayed from anywhere else fails validation. Bind hard to what you can attest (a managed-device identity), loosely to what changes legitimately (IP address), or you will lock out every roaming user.
3. Police extensions: allowlist vetted ones by ID and block everything else; "disable the ones we've heard of" is not governance.
4. Tame the noisy web APIs attackers use for recon: throttle them, or hand back decoy values so the fingerprint is worthless.
5. Pipe browser telemetry (blocked scripts, failed session checks, extension installs) into your SIEM/SOAR so the SOC sees what really happened, not just the login that followed.

Why this matters now
These are malware-less attacks that sail past traditional controls. Treat the browser as the new identity perimeter: policy in the browser, signals to your SOC, and user education with a side of common sense. Cape optional, controls essential.