"The tools most enterprises rely on are performing exactly as designed. That is the problem. None of them were built to operate at the browser session layer, and that is precisely where attackers have learned to live," said Bill Robbins, CEO of Menlo Security.
Menlo Security's telemetry and the headline figure
On June 9, Menlo Security published its 2026 Browser Threat Report, drawing its conclusions from platform telemetry collected across millions of active browser sessions in enterprise customer environments between January 1 and March 31, 2026. The report's stark headline: one in five phishing attacks that target enterprise browser users went completely undetected by the tools meant to stop them.
Menlo also reported a closely related measurement: one out of five phishing links that users actively engaged with went undetected by legacy URL filtering. Those twin findings form the empirical basis for the company's warning: conventional protections are missing a substantial share of browser‑based intrusions.
The browser session layer as the new frontline
Menlo frames the problem as structural rather than incidental. According to the report, enterprise activities that once took place in standalone applications now commonly occur inside a browser session — including email, SaaS applications, collaboration tools, AI assistants, financial systems and credential management software. Because many legacy enterprise security products were not designed to operate at the browser session layer, the report says, attackers are exploiting that gap to gain entry to enterprise environments.
In short, the attack surface has shifted into the runtime of the browser itself, and many existing controls do not observe or control the behaviors that happen there.
Social engineering, CAPTCHAs and the ClickFix adaptation
The report emphasizes that modern browser attacks are not solely technical exploits of software vulnerabilities; they increasingly rely on social engineering that leverages routine browser interactions. Menlo points to everyday in‑browser prompts — CAPTCHAs, error messages and Cloudflare verification screens — as points where human behavior becomes part of the attack surface.
Menlo describes a specific technique, ClickFix attacks, in which attackers persuade users to paste code into tools that are not typically monitored. Because the user executes the action, that activity may bypass technical controls that are calibrated to detect 'malicious behavior' rather than legitimate user‑initiated commands. The result: activity that would otherwise be flagged appears benign to legacy defenses because it is the user, not malware, who carries it out.
Implications for enterprise security products and procurement
Menlo's diagnosis is blunt: the tools most enterprises rely on are "performing exactly as designed," meaning they work according to the threat model for which they were built — not the one that now dominates browser sessions. The company recommends that organizations pay greater attention to securing the browser session layer.
Menlo adds a prescriptive claim about outcomes: "Enterprises that govern this layer will be positioned to protect both their workforce and the AI agent sessions already operating in their environments by default. Those that don't will continue relying on tools built for a threat model attackers have moved on from."
What this means for technologists, procurement leaders, and end users
- Technologists and security teams: The report signals a need to prioritize visibility and control where work actually occurs — in browser sessions — and to consider tools that can govern those sessions rather than relying exclusively on legacy URL filtering.
- Procurement leaders and risk managers: The finding that one out of five engaged phishing links bypassed legacy URL filtering suggests procurement criteria and risk assessments may need revision to account for browser‑layer detection capabilities.
- End users and operators of AI assistants: Menlo's account underscores the risk posed by everyday browser prompts and instructions that ask users to paste or execute code; attackers are adapting social engineering to take advantage of those interactions.
Menlo Security's report does not argue that existing products are defective as engineered; it argues they were built for a prior model of risk. That distinction shapes the practical question the report leaves on the table: will organizations adjust architecture, procurement and operational practices to govern the browser session layer — and thereby protect the human and AI agent activities that increasingly live there?