
Category: Phishing & Social Engineering

Phishing in the browser

Phishing is when an attacker tricks someone into revealing credentials or approving access—often through a convincing message that sends them to a fake login page.

Quick answer

One successful phish can become full SaaS account takeover, financial fraud, and long-lived access via stolen sessions—not just a “bad link.”

For risky links and login flows, isolation keeps the page off the endpoint by running it in a disposable container and streaming only the rendered output to the user.

When you need this

  • You’ve seen indicators of this threat in your environment.
  • Users frequently click unknown links as part of daily work.
  • You need a control that reduces risk without relying on perfect user judgment.

Last updated

2026-01-29

How it usually happens in the browser

  • A user clicks a link from email, chat, SMS, or an ad and lands on a lookalike domain (or a compromised legitimate site).
  • The page imitates an identity provider or app login and prompts for email/password, MFA codes, or “approve this sign-in.”
  • Attackers capture credentials directly, or proxy the login in real time to steal session cookies/tokens after MFA.
  • The user is redirected to the real site so the attack feels “normal,” while the attacker reuses the captured session elsewhere.

What traditional defenses miss

  • User training and “spot the URL” guidance don’t hold up under time pressure or in mobile browsers, where the address bar is often hidden.
  • MFA helps, but modern kits can steal session tokens after MFA (adversary-in-the-middle).
  • VPNs and network security don’t stop a user from typing secrets into a phishing page on the open web.
  • Endpoint tools may not treat “a web page” as execution, even though the browser is now the primary attack surface.

How isolation changes the game

  • Isolation keeps untrusted web pages away from the endpoint by running them in a separate container and streaming only the rendered output to the user.
  • When the session ends, the isolated container is deleted, which reduces persistence from drive-by content and limits session residue.
  • Admins can enforce policies for risky browsing paths (unknown domains, newly registered domains, webmail, file shares) without relying on perfect user decisions.
  • Isolation reduces exposure from token/cookie theft techniques that rely on running active content close to the user’s device.

Operational checklist

  • Define what “untrusted” means (unknown domains, external webmail, link-shorteners, newly registered domains).
  • Route untrusted browsing into isolation by default; avoid per-user “security modes” that people forget to enable.
  • Block or heavily restrict downloads from isolated sessions; require scanning and explicit exceptions.
  • Prefer phishing-resistant auth (FIDO2/WebAuthn) for critical apps; tighten re-auth for sensitive actions.
  • Roll out to a pilot group first; tune allow/deny and friction points before broad enforcement.
  • Add user-facing signals (banner, indicator) so employees recognize “this is an isolated session.”
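The first three checklist items (define “untrusted”, isolate it by default, restrict downloads from isolated sessions) can be expressed as a single policy decision. The following is an added example written for this page, not code from any isolation product; the trusted domains, shortener list, webmail host and registration dates are constructed inputs standing in for a real allowlist and domain-age feed.

```python
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlparse

# Constructed policy inputs (hypothetical; replace with your own allowlists and feeds).
TRUSTED_DOMAINS = {"intranet.example.com", "sso.example.com"}   # exact-host match only
WEBMAIL_DOMAINS = {"mail.example.net"}                           # external webmail
LINK_SHORTENERS = {"short.example", "go.example"}                # destination unknown until followed
REGISTRATION_DATES = {                                           # stand-in for a domain-age lookup
    "example.com": date(2001, 1, 1),
    "sso-example-login.com": date(2026, 1, 20),
}
NEW_DOMAIN_DAYS = 30
POLICY_DATE = date(2026, 1, 29)  # constructed "today" so the example is deterministic


@dataclass
class Decision:
    action: str     # "allow" (on the endpoint), "isolate" (remote container) or "block"
    reason: str     # logged so analysts can tune allow/deny during the pilot
    downloads: str  # "allowed", "scan_required" or "blocked"


def registrable_domain(host: str) -> str:
    # Simplified: last two labels. Production code should use the public suffix list.
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def isolation_policy(url: str, today: date = POLICY_DATE) -> Decision:
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if parsed.scheme not in ("http", "https") or not host:
        return Decision("block", "unsupported scheme or missing host", "blocked")
    # Exact host match: a lookalike such as sso.example.com.evil.example does not qualify.
    if host in TRUSTED_DOMAINS:
        return Decision("allow", "trusted corporate domain", "allowed")
    base = registrable_domain(host)
    if host in LINK_SHORTENERS or base in LINK_SHORTENERS:
        return Decision("isolate", "link shortener", "blocked")
    if host in WEBMAIL_DOMAINS:
        return Decision("isolate", "external webmail", "blocked")
    registered = REGISTRATION_DATES.get(base)
    if registered is None:
        return Decision("isolate", "unknown domain", "blocked")
    age = (today - registered).days
    if age < NEW_DOMAIN_DAYS:
        return Decision("isolate", f"newly registered domain ({age} days old)", "blocked")
    # Known, aged external site: still isolated by default, downloads only after scanning.
    return Decision("isolate", "external site: isolated by default", "scan_required")
```

Everything that is not an exact match on the trusted set lands in isolation, so a forgotten “security mode” cannot expose the endpoint; the reason string is what you tune against during the pilot.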

FAQs

Is phishing only email?

No. Phishing commonly arrives via chat apps, SMS (“smishing”), ads, social media, and even QR codes that open a browser link.

Does MFA stop phishing?

MFA reduces risk, but some attacks proxy a real login to steal the post-MFA session token. Stronger methods like phishing-resistant MFA help more.

What’s the fastest way to reduce phishing risk?

Reduce how often users interact with untrusted pages on their endpoint: isolate risky browsing by policy and make high-risk actions require stronger re-auth.

How is browser isolation different from a VPN?

A VPN encrypts network traffic. Isolation changes where untrusted web code runs: it runs in a separate container and streams the safe output to the user.

Will isolation break modern web apps?

Most sites work normally, but you should pilot and tune policies for downloads, uploads, and real-time apps that need special handling.
