Threat playbook

Category: Account & Session Attacks

Man-in-the-browser (MitB) in the browser

Man-in-the-browser (MitB) attacks use malware or a malicious extension running inside the browser to change what the user sees and to read or alter data inside sessions the user has already authenticated.

Quick answer

MitB bypasses security controls by altering transactions in real time, after the user has authenticated and while they are acting legitimately. The server receives a request that was changed in the browser after the user approved it, while the browser shows the user the transaction they intended; login MFA, TLS and device checks all passed before the tampering happened.

Token theft and session hijacking follow the same in-session pattern. Isolation reduces exposure by running the web session off the endpoint and discarding cookies and tokens together with the container when it is deleted; it does not remove malware that is already hooking the local browser.

Last updated

2026-01-29

How it usually happens in the browser

  • A user installs a malicious extension, or malware on the endpoint hooks into the browser process (injected code or a side-loaded extension).
  • The attacker's code reads form inputs, rewrites page content, or injects hidden fields, so the request the browser submits differs from the form the user filled in.
  • Sensitive operations (payments, account settings) are altered on the way out, and the response is rewritten on the way back so the user sees the transaction they intended and a "normal" confirmation.
  • Credentials, session tokens and page contents are exfiltrated continuously from inside legitimate sessions.
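The rewrite-on-submit, rewrite-on-response behaviour described above, as an added example written for this page (it is not code from the page or from any real malware family). The bank endpoint, field names, IBANs and attacker account are constructed stand-ins so the scenario runs offline in Node.js; in a real browser the hook would wrap `fetch`/`XMLHttpRequest` or patch the form's submit handler instead of a plain function.

```javascript
// Added example (not the page's own code): a simulated man-in-the-browser hook.
// Everything below is constructed for the demo: the bank API, the field names,
// the IBANs and the attacker's mule account.

// Constructed stand-in for the bank's transfer API. Like a real server it can
// only confirm what it actually received.
function bankTransferApi(request) {
  const body = JSON.parse(request.body);
  return { ok: true, confirmed: { payee: body.payee, iban: body.iban, amount: body.amount } };
}

// The MitB payload wraps the transport the page uses (fetch/XHR in a real
// browser). Two rewrites happen: the outgoing transfer is retargeted to the
// attacker's account after the user submitted it, and the incoming confirmation
// is rewritten back to the user's values before the page renders it. Client-side
// validation, TLS and the login MFA all ran on the original request and are
// unaffected.
function installMitbHook(transport, attacker) {
  return function hookedTransport(request) {
    const original = JSON.parse(request.body);
    const tampered = { ...original, payee: attacker.payee, iban: attacker.iban };
    const response = transport({ ...request, body: JSON.stringify(tampered) });
    const shown = { ...response.confirmed, payee: original.payee, iban: original.iban };
    return { ...response, confirmed: shown };
  };
}

// Drive one transfer through the hooked page and report both views of it:
// what the user's screen shows and what the bank actually processed.
function runScenario() {
  const received = [];
  const recordingApi = (req) => {
    received.push(JSON.parse(req.body));
    return bankTransferApi(req);
  };
  const attacker = { payee: "Mule Account", iban: "DE00 0000 0000 0000 0000 99" }; // constructed
  const userIntent = { payee: "Landlord Ltd", iban: "GB00 0000 0000 0000 0000 01", amount: 1250 }; // constructed
  const pageTransport = installMitbHook(recordingApi, attacker);
  const confirmation = pageTransport({ url: "/api/transfer", body: JSON.stringify(userIntent) });
  return { userIntent, userSees: confirmation.confirmed, bankReceived: received[0] };
}

const demo = runScenario();
console.log("user sees:     ", demo.userSees);
console.log("bank received: ", demo.bankReceived);
```

The point the two printed lines make is the one the bullets above make: nothing the user can inspect on the page disagrees with what they typed, and nothing the bank can inspect disagrees with a normal, authenticated request.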

What traditional defenses miss

  • Network traffic and server-side actions look legitimate: requests arrive over the real TLS connection with the user's cookies, IP address and device, inside a real authenticated session.
  • Users see the attacker's modified UI, so a changed payee or account number is hard to spot, and the confirmation page can be rewritten to match what the user expected.
  • Many controls focus on blocking initial compromise (malware delivery, phishing) rather than detecting tampering that happens after login.

How isolation changes the game

  • Isolation reduces exposure to the malicious web content (drive-by downloads, exploit pages, fake extension installers) that often precedes browser compromise, and supports stricter browsing policies for risky destinations.
  • Pair isolation with extension controls so the browser runs only reviewed extensions; a MitB foothold that is never installed has nothing to hook.
  • Disposable isolated sessions limit residual state (cookies, tokens, cached pages) from risky browsing. Malware already running on the endpoint still requires remediation, since it can hook the local browser regardless of where other sessions run.
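One way to make the extension-control item concrete, as an added example that is not from the page: a Chrome managed policy file using the `ExtensionInstallBlocklist` and `ExtensionInstallAllowlist` enterprise policies. A `*` entry in the blocklist blocks every extension by default; only IDs listed in the allowlist can then be installed. The 32-character extension ID below is a placeholder for a reviewed extension, not a real one. On Linux, Chrome reads such files from `/etc/opt/chrome/policies/managed/`; Windows and macOS deliver the same policy names through the registry or a configuration profile.

```json
{
  "ExtensionInstallBlocklist": ["*"],
  "ExtensionInstallAllowlist": ["aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"]
}
```

Because the allowlist is by extension ID, a newly published extension with the same name but a different ID is still blocked; updates to an allowed extension still need review, which is what the "audit updates" item in the checklist refers to.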

Operational checklist

  • Enforce strict extension allowlists: block every extension by default, permit only reviewed extension IDs, and review what each allowed extension changes in its updates (permissions, update source).
  • Use endpoint security and patch management to reduce malware footholds.
  • Require step-up verification for high-risk transactions: out-of-band confirmation that shows the payee and amount the server actually received, or re-authentication, so a transaction altered in the browser is confirmed on a channel the malware does not control.
  • Isolate risky browsing paths to reduce exposure to exploit and download vectors.
  • Monitor for transaction anomalies (new payees, changed bank details, unusual admin actions) on the server side, where the tampered request is visible.


