Risky Bulletin — Sponsored: ConsentFix and Push Security's Browser Attack Taxonomy
Date: December 14, 2025
Host: Risky Business (B)
Guest: Mark Orlando, Field CTO, Push Security (A)
Episode Overview
This episode explores the evolving landscape of browser-based cyber attacks and the challenges defenders face in adapting their models and detection capabilities. The discussion centers around Push Security's research-driven approach, their open browser attack taxonomies, and the debut of a newly identified threat they call "ConsentFix," a sophisticated browser attack variant. The episode provides both high-level context and in-depth technical insight for defenders grappling with modern browser threats.
Key Discussion Points and Insights
1. The Browser as a Modern Battleground
- Blind Spots and Rapid Evolution:
  - Mark Orlando emphasizes that the web browser remains a significant blind spot for security teams and has become an increasingly contested area for cyber attackers.
  - "As a longtime defender... I've come to feel like browser is not only kind of a big blind spot for security teams, but also increasingly a contested area, as we're seeing in a lot of these really high profile breaches..." (A, 01:44)
- Changing Attacker Tactics:
  - Attack techniques are evolving rapidly, outpacing defenders' traditional detection and response methods.
2. Outdated Mental Models and Taxonomy Limitations
- The Need for Updated Models:
  - Existing frameworks (e.g., MITRE ATT&CK, the cyber kill chain, defense-in-depth) were not designed for modern SaaS- and browser-oriented threats.
  - "All models are wrong, but some are useful." (A quoting George Box, 05:27)
  - "It's important to understand where models like MITRE ATT&CK... are useful and where they have limitations." (A, 05:23)
- Push Security's Contribution — Open Taxonomy:
  - Push Security has open-sourced a taxonomy for browser attacks to improve shared understanding and operational preparation among defenders.
  - They aim to extend (not replace) established models such as MITRE ATT&CK so that they cover browser-centric threats.
3. Collaboration and Community-Led Security
- Importance of a Common Language:
  - A shared taxonomy helps in crisis communication and incident response.
  - "When it's hitting the fan, you don't necessarily have time to get words wrong." (B, 05:03)
- Community Feedback:
  - These open resources are designed to evolve with community and vendor input, acknowledging that attacker techniques shift rapidly.
4. The "ConsentFix" Attack: A New Variant
What Is "ConsentFix"? (09:12–18:46)
- Discovery:
  - Push Security identified and stopped a novel browser attack in the wild, which led to its analysis and publication.
  - The attack combines elements of "consent phishing" and "ClickFix" techniques.
- How Typical ClickFix Works:
  - Users are tricked into running commands locally, often via social engineering.
  - Increasing endpoint detection makes this less reliable for attackers.
- How ConsentFix Improves Upon ClickFix:
  - Entirely in-browser: no endpoint interaction is needed, reducing the chance of detection by EDR.
  - Malvertising delivery: victims encounter malicious ads when searching for benign items (e.g., sports equipment), bypassing email-based filters.
  - Targeting:
    - Victims are redirected via obfuscated paths until they reach a page that checks their email against a target list; non-targets see nothing suspicious.
    - Targets are shown an OAuth authorization window (targeting the Azure CLI app) where they are prompted to copy an authorization URL.
  - User action:
    - After a legitimate-seeming interaction, the user is tricked into posting sensitive OAuth data to the attacker's site, giving the attacker access.
- What Makes It Dangerous:
  - Sidesteps phishing-resistant authentication (such as FIDO).
  - Bypasses sign-in detection: no credentials are harvested, just a session hijack.
  - Evades traditional detection (network tools, EDR, even diligent IDP log monitoring).
  - Sophisticated targeting ensures that only valuable victims encounter the exploit.
- Impact on Defenders:
  - The attack chain doesn't fit legacy models (i.e., there is no obvious initial access to catch); defenders risk "playing cleanup" after the fact instead of preventing compromise.
  - "You're not going to get that chance. You're not even seeing the front end of the attack." (A, 16:14)
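The guest's point is that identity-provider logs only show that someone authenticated, so they are a weak place to catch this. The following is an added example (not code from the episode or from Push Security) of the one log-side signal a defender can still look for with that data: a token use for the authorized app from an address the user's own browser never touched. The record fields, the app display name "Azure CLI", and the 24-hour window are assumptions made for this example; the sample records are constructed.

```python
"""Hunting heuristic for the authorization-grant theft pattern described above:
the user completes the OAuth authorization in their own browser, but the grant
is then redeemed and used from infrastructure the user never signed in from.
Added example; the record layout below is assumed, not a vendor's log schema.
"""
from datetime import datetime, timedelta

# Constructed sample sign-in records (field names are assumptions for this example).
# "interactive" marks a sign-in the user performed in a browser session;
# False marks a token redemption/use by the client application itself.
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "app": "Microsoft Teams", "ip": "203.0.113.10",
     "interactive": True, "time": "2025-12-10T09:02:00"},
    # Alice authorizes the CLI app in her own browser (the lure step).
    {"user": "alice@example.com", "app": "Azure CLI", "ip": "203.0.113.10",
     "interactive": True, "time": "2025-12-10T09:40:00"},
    # Ninety seconds later the grant is used from an address she has never used.
    {"user": "alice@example.com", "app": "Azure CLI", "ip": "198.51.100.77",
     "interactive": False, "time": "2025-12-10T09:41:30"},
    # Bob: a genuine CLI login, browser and tool on the same host.
    {"user": "bob@example.com", "app": "Azure CLI", "ip": "203.0.113.22",
     "interactive": True, "time": "2025-12-10T11:00:00"},
    {"user": "bob@example.com", "app": "Azure CLI", "ip": "203.0.113.22",
     "interactive": False, "time": "2025-12-10T11:05:00"},
]


def find_suspicious_token_use(events, apps=("Azure CLI",), window=timedelta(hours=24)):
    """Return one alert per non-interactive sign-in to a watched app whose source IP
    does not appear in any interactive sign-in by the same user within `window`.

    This is a heuristic: a VPN change or a CLI run on a second machine also trips
    it, so treat hits as triage leads, not verdicts.
    """
    parsed = sorted(
        ({**e, "dt": datetime.fromisoformat(e["time"])} for e in events),
        key=lambda e: e["dt"],
    )
    alerts = []
    for i, ev in enumerate(parsed):
        if ev["interactive"] or ev["app"] not in apps:
            continue
        # Addresses this user has signed in from interactively inside the window.
        recent_ips = {
            p["ip"] for p in parsed[:i]
            if p["user"] == ev["user"] and p["interactive"]
            and ev["dt"] - p["dt"] <= window
        }
        if ev["ip"] not in recent_ips:
            alerts.append({
                "user": ev["user"], "app": ev["app"], "ip": ev["ip"],
                "time": ev["time"], "known_ips": sorted(recent_ips),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_token_use(SAMPLE_EVENTS):
        print(f"{alert['time']} {alert['user']} used {alert['app']} from "
              f"{alert['ip']}; browser sign-ins seen from {alert['known_ips']}")
```

Run as a script it reports Alice's event only: her browser authorized the app from 203.0.113.10, but the grant was used from 198.51.100.77. Bob's CLI use matches his own browser address and is not flagged. The check is deliberately narrow, and it is exactly the gap the episode points at: everything before the authorization happened in the browser, where this log has no view, which is why the guest argues for detection at that layer rather than only in the IdP.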
5. Why Traditional Defenses Fall Short
- Legacy Security Stack Limitations:
  - Network-based defenses, proxies, and endpoint detection tools are blind to purely in-browser manipulations.
  - Reliance on classic models leads to gaps:
    - "Those models... don't really line up to what the attack really looks like." (A, 16:32)
  - Most compromises are discovered well after the fact, requiring forensic, not preventive, response.
- Necessity for Browser Visibility:
  - Push Security advocates for browser-level detection and response as a critical, modern control.
Notable Quotes & Memorable Moments
- On the Ephemerality and Velocity of Modern Attacks:
  "Those things are changing every five minutes because the bad guy behavior is changing, you've got changes in the attack surface." (B, 06:55)
- On the Importance of Research-Led Security:
  "We're very much a research-led organization. And in fact just today we published a post with some research that we've done around a new kind of variant of a browser-based attack..." (A, 09:12)
- On Defending Against ConsentFix:
  "If you're relying on... traditional security stack... none of those things are going to show up. Even if you're being really diligent and looking at your IDP logs, all you're going to see is yeah, somebody's been authenticated." (A, 17:19)
- On the Need for In-Browser Detection:
  "A great way to address that is by having a detection response capability in the browser to stop that." (A, 16:16)
Timestamps for Important Segments
| Timestamp | Segment / Topic |
|-----------|-----------------|
| 00:45 | Mark's background and role at Push Security |
| 01:44 | The browser as a contested area in cyber defense |
| 03:21 | The need for new/extended security models |
| 05:10 | The importance of a common taxonomy; Push's efforts |
| 09:12 | Push Security's research-led approach |
| 10:27 | Technical breakdown: how the ConsentFix attack works |
| 15:13 | Challenges to classic detection and response |
| 16:32 | Legacy models failing to detect modern browser attacks |
| 17:19 | The futility of legacy logs and controls here |
| 18:46 | Summary and appreciation for Push's research |
Conclusion
This episode highlighted both the necessity and complexity of modernizing browser security. Push Security, through open taxonomies and proactive research, advocates for evolving defender knowledge and tools as attacker methods shift deeper into the browser—beyond the reach of traditional detection. The debut of the ConsentFix attack illustrates this shift, serving as a stark reminder that defenders must look beyond established models and invest in browser-level visibility to stay ahead.
Links to further resources and the full research reports are indicated as available in the episode’s show notes.
