Researchers Found Nearly 600 Incidents of AI Fraud

Menlo Security released its annual browser security report, identifying several drivers in the rise of browser-based attacks. To compile the report, Menlo Threat Intelligence analyzed more than 752,000 browser-based phishing attacks and studied the trends now shaping AI-powered threats. The research reveals that a surge in generative AI-based threats has spurred a 140% increase in browser-based phishing attacks compared to 2023, and a 130% increase specifically in zero-hour phishing attacks.
Microsoft, Facebook, and Netflix were the brands most commonly impersonated in browser-based phishing attempts. Generative AI services are also increasingly impersonated — in 2024, Menlo Security identified nearly 600 incidents of GenAI fraud, in which imposter sites used GenAI platform names to manipulate and exploit unsuspecting victims.
Web browsers are the most widely used application for both work and personal activities. This widespread use and frequent vulnerabilities have enabled threat actors to evolve their tactics, shifting their focus towards sophisticated browser-based attacks. These attacks utilize subtle and powerful tactics that bypass traditional endpoint security defenses and network security controls.
Common attack vectors include malicious ads positioned on popular websites to distribute malware and steal credentials. Browser-based phishing attacks are prevalent, especially those leveraging Legacy Reputation URL Evasion (LURE) techniques, which evade web filters that attempt to categorize domains based on implied trust. Attacks through business collaboration tools like Slack or Microsoft Teams often involve brand impersonation techniques, and exploitation of browser vulnerabilities in major browsers like Chrome, Firefox and Edge remains a threat. The full report details real-world examples of each type of attack.
Key findings from the State of Browser Security Report include:
- Cybercriminals created nearly 1M new phishing sites each month, which represents a 700% increase since 2020
- Nearly 51% of browser-based phishing attempts involved some form of brand impersonation
- 75% of phishing links are hosted on good, trusted websites, with up to six days as the average window of exposure before legacy security tools begin blocking pages from zero-hour phishing attacks
- Phishing attacks hosted on subdomain providers increased by 51%, representing 24% of all phishing attacks
- Four of the top five hosting providers used by bad actors to host phishing attacks were based in the U.S., potentially reflecting the country's economic and political significance, increased digital transformation and remote work, and the growing reliance on U.S.-based cloud services and SaaS platforms housing critical data and financial information.
- Instances of attackers exploiting cloud services to host malicious content, including phishing sites and ransomware, are on the rise. AWS and Cloudflare accounted for nearly 50% of all abused cloud hosting instances in 2024.