Browser Security Explained: Consent Phishing, "Click Fix" Attacks & The Limits of EDR

Mar 10, 2026

Adam Bateman, security researcher and CEO of Push Security with red‑team roots. He explores browser‑native attacks and why treating IDPs like firewalls is risky. Topics include consent phishing that hijacks Azure, click‑fix clipboard attacks, the shift to identity‑first adversaries, and limits of EDR and SSPM in SaaS/Chromebook environments.

46:07

forum

Ask episode

web_stories

AI Snips

view_agenda

Chapters

auto_awesome

Transcript

info_circle

Episode notes

insights

INSIGHT

IDP Is Management Not A Gatekeeper

An IDP is not a firewall that blocks all identity access.
Adam Bateman compares an IDP to a domain controller: attackers can still create or use local accounts and bypass centralized SSO protections.

insights

INSIGHT

The Perimeter Moved Into The Browser

Modern architectures moved work from native apps to browsers, shifting the critical perimeter to identity in the browser.
Adam explains attackers now target browser-held identities because browsers talk to cloud services where data and value live.

insights

INSIGHT

Identity Coalitions Dominate High Profile Breaches

High‑profile groups like Scattered Spider, Lapsus and ShinyHunters focus on identity and social engineering rather than network exploits.
Adam highlights their success (Okta, MGM, Salesforce) and formation into coalition groups targeting browser identity attacks.

Get the Snipd Podcast app to discover more snips from this episode

Adam's background and red team roots

02:21 • 3min

chevron_right

Why identity and MFA aren't fully solved

05:05 • 3min

chevron_right

An IDP is not a firewall

08:00 • 2min

chevron_right

AI, ChatGPT and shadow SaaS signups

09:47 • 2min

chevron_right

Consent phishing and OAuth app risks

11:34 • 2min

chevron_right

The architectural shift to browser‑centric attacks

13:50 • 2min

chevron_right

Scattered Spider and identity‑first groups

16:10 • 3min

chevron_right

On‑prem vs Chromebook threat models

19:37 • 4min

chevron_right

Why server‑side SSPM struggles for SaaS

23:24 • 2min

chevron_right

Browser EDR: observing logins and phishing

25:42 • 1min

chevron_right

Omnichannel phishing and weaponized SaaS apps

26:54 • 9min

chevron_right

Click‑fix attacks explained

35:40 • 2min

chevron_right

Consent‑fix: full Azure compromise in browser

37:45 • 1min

chevron_right

Who should own browser security

39:10 • 2min

chevron_right

Culture, personal notes, and Push Security research

Is your security team treating your Identity Provider (IDP) like a firewall? In this episode, Adam Bateman (CEO & Co-founder of Push Security) explains why that's a dangerous mistake and how modern attackers are bypassing SSO entirely .Drawing from his background leading red teams that simulated nation-state attacks , Adam breaks down the massive architectural shift from network-based attacks to browser-native exploits. We dive into the terrifying evolution of phishing, from "Click Fix" attacks that trick users into running malicious commands via their clipboard, to "Consent Phishing" that completely takes over Azure without ever touching the endpoint .If your company relies heavily on SaaS applications or Chromebooks, this episode would be a valuable listen.

Guest Socials -⁠ ⁠⁠⁠⁠⁠⁠⁠Adam's Linkedin

If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:

If you are interested in AI Security, you can check out our sister podcast -⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ AI Security Podcast⁠

Questions asked:

(00:00) Introduction(02:50) Who is Adam Bateman? (Red Teaming & Simulating Nation States) (05:40) Why Identity & MFA Are Not "Solved" Problems (07:50) The Myth: Why an IDP is Not a Firewall (11:30) Consent Phishing: Exploiting OAuth Apps (13:30) The Architectural Shift: Network to Browser (15:30) Scattered Spider & The Rise of Identity Coalitions (19:30) Threat Modeling: On-Prem vs. Chromebooks (23:20) The Problem with SSPM and API Limitations (28:40) How "Click Fix" Attacks Trick Users into Running Malware (32:30) Omnichannel Phishing: LinkedIn, SMS, and Google Ads (34:30) Weaponizing Legitimate SaaS Apps (The DocuSign Exploit) (37:00) Consent Fix: Full Azure Compromise Inside the Browser (38:50) Disrupting the Secure Web Gateway (SWG) Market (41:40) Fun Questions: Wakeboarding, Culture, and Brat's Restaurant

Resources spoken about during the episode:

You can find out more about Push Security here.

Thank you to Push Security for sponsoring this episode.

Home Top podcasts Popular guests Top books