
Bringing the Attacker TTP Model to the Browser: Why It Matters
Over the last decade, our industry has mapped attacker behavior—Tactics, Techniques, and Procedures (TTPs)—primarily at the host, network, and, more recently, the cloud layers. Yet the application that mediates nearly every user action today, the web browser, remains conspicuously absent from threat‑modelling conversations.
As cloud apps, SaaS platforms, and distributed workforces proliferate, adversaries have shifted their reconnaissance and initial access to the path of least resistance: the browser. If defenders want to continue meeting attackers head-on, we must bring the same structured understanding of attacker behavior to browser activity that we already apply elsewhere.
With that context in mind, the next sections unpack five intertwined reasons why the dedicated, browser-focused TTP framework we are developing is now critical, starting with the sheer ubiquity of the browser itself.
1. Widespread Usage
- The browser has become the modern workspace. From emails and chats to code reviews, HR tasks, and file transfers, virtually every task a knowledge worker performs now begins and ends in a browser tab.
- SaaS dominates the app space. The average enterprise relies heavily upon cloud-hosted software, all delivered via the browser, making the browser the gateway to sensitive data.
- Scale breeds risk. When over 90% of the workforce uses the browser daily, every open tab is part of the organization's attack surface.
We are cataloguing attacker activity occurring via this ubiquitous interface, because where users go, attackers follow.
2. Underestimated Attack Surface
- Security blind spot. Endpoint agents and network sensors sit outside the browser context (on the host and on the wire), so they cannot see what happens inside a tab. That leaves credential theft, social engineering, and stealthy persistence mechanisms in this largely unmanaged environment unmonitored and unprotected.
- Third-party dependencies. Each modern website loads a handful of unaudited third-party resources, from JavaScript libraries to advertisements, that execute with the page's privileges inside employees' browsers, unchecked by the organization.
- Extensions are persistent threats. Once installed, or silently hijacked, browser extensions wield broad, long‑lived permissions that survive restarts and browser updates, allowing attackers to quietly monitor, exfiltrate, and tamper with every page a user visits.
A framework for this underestimated attack surface empowers teams to strategically close security gaps, because where controls aren’t present, attackers are.
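The extension point above is worth making concrete: what matters is not that an extension exists but which permissions and host patterns it holds. As an added example (not Keep Aware's code, and not part of the original post), the script below triages constructed Chrome extension manifests for the permissions and host patterns that give an extension reach into every page. The manifests, extension names and the permission-to-impact notes are illustrative assumptions; the permission names are real Chrome permissions.

```javascript
// Added example: triage a Chrome extension manifest for the reach it grants.
// Not Keep Aware's code. Manifests, extension names and the impact notes are
// constructed for illustration; permission names are real Chrome permissions.

// Permissions that let an extension read or alter what the user does in pages.
const HIGH_RISK_PERMISSIONS = {
  cookies: "read and rewrite cookies for every host it has host access to",
  webRequest: "observe every request the browser makes",
  declarativeNetRequest: "block or rewrite requests and headers",
  tabs: "enumerate open tabs, including their URLs and titles",
  history: "read the browsing history",
  clipboardRead: "read the clipboard",
  scripting: "inject script into any page it has host access to",
  debugger: "attach the DevTools protocol to tabs",
  nativeMessaging: "talk to a native binary outside the browser sandbox",
};

// Host patterns that match every site the user visits.
const BROAD_HOST_PATTERNS = [/^<all_urls>$/, /^\*:\/\/\*\/\*$/, /^https?:\/\/\*\/\*$/];

function isBroadHostPattern(pattern) {
  return BROAD_HOST_PATTERNS.some((re) => re.test(pattern));
}

// Returns { name, severity, findings[] } for one manifest (MV2 or MV3).
function triageManifest(manifest) {
  const findings = [];
  const permissions = manifest.permissions || [];

  // MV3 lists host patterns under host_permissions; MV2 mixes them into permissions.
  const hostPatterns = [...(manifest.host_permissions || [])];
  for (const p of permissions) {
    if (p === "<all_urls>" || p.includes("://")) hostPatterns.push(p);
  }

  for (const p of permissions) {
    if (HIGH_RISK_PERMISSIONS[p]) {
      findings.push({ kind: "permission", value: p, why: HIGH_RISK_PERMISSIONS[p] });
    }
  }
  for (const h of hostPatterns.filter(isBroadHostPattern)) {
    findings.push({ kind: "host", value: h, why: "runs on every site the user visits" });
  }
  // Content scripts run inside the page itself; broad "matches" means every page.
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      if (isBroadHostPattern(m)) {
        findings.push({ kind: "content_script", value: m, why: "injects script into every page" });
      }
    }
  }

  // Broad reach multiplies the impact of data permissions: a cookies permission
  // scoped to one host is a nuisance; scoped to <all_urls> it is session theft.
  const hasDataPermission = findings.some((f) => f.kind === "permission");
  const hasBroadReach = findings.some((f) => f.kind === "host" || f.kind === "content_script");
  let severity = "low";
  if (hasDataPermission && hasBroadReach) severity = "high";
  else if (hasDataPermission || hasBroadReach) severity = "medium";

  return { name: manifest.name, severity, findings };
}

// Constructed manifests: a benign utility, an over-privileged MV3 extension,
// and an MV2 extension whose content script reaches every page.
const SAMPLE_MANIFESTS = [
  { name: "Tab Counter", manifest_version: 3, permissions: ["storage"] },
  {
    name: "Page Helper",
    manifest_version: 3,
    permissions: ["cookies", "webRequest", "storage"],
    host_permissions: ["<all_urls>"],
  },
  {
    name: "Legacy Notes",
    manifest_version: 2,
    permissions: ["tabs", "*://*/*"],
    content_scripts: [{ matches: ["<all_urls>"], js: ["inject.js"] }],
  },
];

function triageAll(manifests = SAMPLE_MANIFESTS) {
  return manifests.map(triageManifest);
}

for (const r of triageAll()) {
  console.log(`${r.name}: ${r.severity}`);
  for (const f of r.findings) console.log(`  ${f.kind} ${f.value}: ${f.why}`);
}
```

The scoring deliberately separates data permissions from reach: an extension can hold `cookies` yet be harmless if its host access is one domain, and a content script on `<all_urls>` with no other permission can still read every form a user fills in. Running this over a fleet's installed-extension inventory is the cheapest first cut at the "silently hijacked extension" problem, since a compromised update to a high-severity extension inherits exactly this reach.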
3. Ease of Execution
- Native features become weapons. Drive‑by downloads, JavaScript execution, malvertising, malicious extensions, form phishing, and consent phishing each leverage default browser capabilities—no kernel exploit required.
- Path of least resistance. Attackers find tricking users within the browser context simpler (and often more effective) than engineering sophisticated OS-level exploits.
- Browser APIs are open for business. Without exploiting anything, any website can read and write its own origin's cookies (except those marked HttpOnly), write to the clipboard on a user gesture and read it once permission is granted, capture every mouse movement and keystroke on the page, and much more, all through standard Web APIs exposed to every page.
Documenting attacker TTPs makes the built-in risks of browser features explicit, because where features enable abuse, attackers abuse.
4. “Shift Left” Mentality
- Recon happens in the tab. Security teams strive to detect attacks as early in the attack chain as possible (as far "left" as possible), and today the browser is increasingly where reconnaissance and initial access happen.
- Time-to-detect gap. Phishing, credential harvesting, cookie theft, and OAuth abuse all complete inside the browser session, often before anything touches disk and well before EDR tools have anything to alert on.
- Browser-native telemetry closes that gap. Without browser-native controls that provide visibility into the session and real-time protection, the browser remains an open, unprotected door to the rest of the organization.
Treating the browser as the initial-access surface it has become strengthens the whole security posture, because where there's an open door, attackers walk in.
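The cookie claims in sections 3 and 4 deserve a precise statement: a page's script sees only its own origin's cookies and, among those, only the ones not marked HttpOnly, while Secure and SameSite decide whether the cookie travels over plaintext or on cross-site requests. As an added example (not Keep Aware's code, and not part of the original post), the script below parses constructed Set-Cookie headers, reports which cookies document.cookie would expose to any script in the page, and audits each header, with the weakly set session cookie beside its hardened form. The header values and the session-name heuristic are illustrative assumptions.

```javascript
// Added example: what page script can see in cookies, and how Set-Cookie
// attributes change that. Not Keep Aware's code; the headers below are constructed.

// Parse one Set-Cookie header value into its name, value and the attributes we audit.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    value: eq === -1 ? "" : pair.slice(eq + 1),
    httpOnly: false,
    secure: false,
    sameSite: null, // null means the attribute was not set
    domain: null,
  };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i === -1 ? "" : attr.slice(i + 1).trim();
    if (key === "httponly") cookie.httpOnly = true;
    else if (key === "secure") cookie.secure = true;
    else if (key === "samesite") cookie.sameSite = val.toLowerCase();
    else if (key === "domain") cookie.domain = val;
  }
  return cookie;
}

// The subset of a site's own cookies that document.cookie exposes to any script
// running in the page (first-party code, a third-party library, or an extension's
// content script): everything not marked HttpOnly.
function scriptVisibleCookieNames(cookies) {
  return cookies.filter((c) => !c.httpOnly).map((c) => c.name);
}

// Assumed heuristic: names that usually identify a session or bearer token.
const SESSION_NAME_HINTS = ["session", "sid", "token", "auth"];

function auditCookie(cookie) {
  const issues = [];
  if (!cookie.httpOnly) issues.push("readable via document.cookie, so XSS or a hostile content script can exfiltrate it");
  if (!cookie.secure) issues.push("sent over plaintext HTTP");
  if (cookie.sameSite === "none") {
    issues.push("attached to cross-site requests (CSRF and cross-site leakage surface)");
    if (!cookie.secure) issues.push("SameSite=None without Secure is rejected by Chromium");
  } else if (cookie.sameSite === null) {
    issues.push("no SameSite attribute; behaviour depends on browser defaults (Chromium treats it as Lax)");
  }
  if (cookie.domain) issues.push(`Domain=${cookie.domain} shares the cookie with every subdomain`);

  const looksLikeSession = SESSION_NAME_HINTS.some((h) => cookie.name.toLowerCase().includes(h));
  let severity = "ok";
  if (issues.length > 0) severity = looksLikeSession ? "high" : "medium";
  return { name: cookie.name, severity, issues };
}

// Constructed headers: the same session cookie set weakly and then hardened,
// plus a harmless preference cookie and a cross-site tracker.
const SAMPLE_HEADERS = [
  "sessionid=abc123; Path=/",
  "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
  "theme=dark; Path=/; SameSite=Lax",
  "tracker=xyz; Secure; SameSite=None; Domain=.example.com",
];

function auditSetCookieHeaders(headers = SAMPLE_HEADERS) {
  return headers.map((h) => auditCookie(parseSetCookie(h)));
}

console.log("document.cookie would expose:", scriptVisibleCookieNames(SAMPLE_HEADERS.map(parseSetCookie)));
for (const r of auditSetCookieHeaders()) console.log(r.name, r.severity, r.issues);
```

The point for detection is the first function: the HttpOnly session cookie never appears in document.cookie, so a phishing page, an injected script, or an over-privileged extension content script cannot lift it that way, and theft has to move to the extension `cookies` API or to the network, both of which are observable if the browser itself is instrumented.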
5. Known-Good is the New Bad
- Living off trusted platforms. Google apps, Monday, Canva, Prezi, and Miro are just a few examples of platforms that organizations use and trust in business but that attackers abuse as phishing infrastructure, blurring the crisp line we used to draw between good and bad.
- Compromised sites, emails, and libraries. Adversaries hijack reputable domains, legitimate business email accounts, and ubiquitous JavaScript libraries (remember the Polyfill.io scare?) to run multi-step lures like ClickFix and ClearFake, turning implicitly trusted traffic into a stealthy malware delivery chain.
- Compromised web apps and add-ons. Once an attacker infiltrates the supply chain of an OAuth-granted app or a permissive browser extension (think of the 16 high-profile Chrome extensions hijacked in December 2024), they inherit its permissions and can manipulate interactions, harvest credentials, and exfiltrate sensitive data.
The web is a congested highway of trust, and this new mental model helps security teams see through the veiled attempts to piggyback off trusted relationships—because what is implicitly trusted, attackers leverage.
Extending Attacker TTPs to the Browser
The browser has quietly become both the center of knowledge work and the lowest‑friction gateway for attackers. Extending the attacker TTP landscape to encompass browser activity gives security teams the context they need to:
- Rapidly detect and understand malicious browser activity.
- Effectively respond to browser-based incidents.
- Strategically close security gaps across their technology stack.
Our extension of the TTP framework to the browser aims to provide that common mental model. We are maturing our platform to reflect these attacker TTPs in Keep Aware's Browser Detection and Response (BDR) logging and detection capabilities. For an introduction to browser-based attacker Tactics and examples of Techniques and Procedures, download and read our Defining Browser Threat TTPs.
Until then, remember: if it happens in a tab, it belongs in your threat model.