Secure Web Gateways cannot protect you from phishing attacks
For almost two decades, Secure Web Gateways (SWGs) have been trusted by enterprises to keep employees safe from malicious web content, including phishing attacks. SWGs work by analyzing network traffic and URLs, identifying known phishing sites, and blocking suspicious content before it reaches employees. While this was effective in combating phishing attacks in the past, today's web-based threats have evolved far beyond what SWGs can handle.
The Evolution of Phishing Tactics
Phishing attacks used to be simpler, with attackers relying on tricks like typosquatting, URL redirection, and link shorteners. SWGs, leveraging threat feeds and static inspection, were able to catch many of these rudimentary tactics. However, the modern phishing landscape is far more sophisticated. Attackers are no longer just relying on easily detectable URLs or scripts. Instead, they are exploiting the browser itself—leveraging features like the DOM, Canvas, Extensions, and WebAssembly to execute attacks entirely on the client side. This is where SWGs fall short.
Because SWGs operate at the network level, they are completely blind to attacks that happen within the browser. They cannot see or understand what's happening in real time inside the browser window, meaning many of the modern phishing techniques fly under their radar. As a result, enterprises that continue to rely solely on SWGs to protect against phishing are exposed to a wide array of attack techniques that SWGs simply aren't designed to detect.
Common Phishing Techniques that SWGs Miss
- CAPTCHA Abuse: Attackers use CAPTCHA forms to make phishing pages look more legitimate and to evade URL scanners that SWGs rely on. Neither SWGs or the URL scanners that they rely on are able to bypass some CAPTCHAs, failing to detect the phishing page that sits behind it.
- Full-Page Screenshot: Phishers overlay an invisible form over a screenshot of a legitimate site. The SWG won't flag the page, as they do not know that the image is mimicking an entire page and the form benign on its own.
- Pixel-Perfect Phishing Pages: Attackers create exact replicas of real websites using MHTML or raw HTML files render it using javascript on the client side, bypassing SWG detection.
- Encrypted Web Resources: Phishing pages use encryption to encode HTML and other web resources, which are decrypted and rendered within the user's browser. This process bypasses SWGs, which cannot inspect encrypted content.
- Steganography in Web Elements: Hidden data is embedded within images or other elements on a phishing page, making it difficult for SWGs to recognize malicious activity.
- Browser-in-the-Browser (BitB) Attacks: Phishing pages simulate a legitimate login pop-up (e.g., Google SSO) within a fake browser window. Users unwittingly enter credentials into this fake window, and since it appears client-side, it evades SWGs.
- Canvas-Based Phishing Pages: HTML canvas allows attackers to draw custom elements and capture user inputs like mouse clicks and keystrokes, making it nearly impossible for traditional security solutions to detect phishing pages that are rendered entirely on the HTML canvas. Recently, there has been a few cases in the wild where Browser-in-the-middle attacks are orchestrated using a similar approach.
- Server-Side Polymorphism: Phishing sites change their underlying code frequently, making it impossible for SWGs' signature-based detection to keep up. These sites may also redirect users to legitimate pages if unusual behaviour is detected. An example of this is faceb00k[.]com, which has been in circulation for a long time and has not been blacklisted by many security solutions due to its constant morphing.
- Poisoned Tenants: Attackers can redirect the SaaS tenants to their own malicious versions, tricking users into believing that it is owned by their organization. This cannot be detected by SWGs.
- Shadow DOM Exploitation: Attackers use the Shadow DOM to create hidden sections on a webpage, tricking users into interacting with elements that don't appear in the main DOM and thus escape SWG detection.
- Injection Through Browser Extensions: Malicious extensions can inject phishing content into legitimate web pages, tricking users into interacting with harmful elements that appear on trusted sites. SWGs are completely unaware of extensions.
- WebAssembly (WASM) Phishing: Attackers use WebAssembly to smuggle phishing content, which a client-side javascript then extracts and renders. SWGs do not analyse WASM or screen them for phishing content.
Why SWGs Fail
SWGs fail to protect against modern phishing attacks because they lack visibility into critical browser activities. They have no awareness of user interactions, such as mouse movements or keystrokes, which phishing attacks frequently exploit. Additionally, SWGs lack access to rich browser data, meaning they cannot track changes in the DOM, monitor canvas interactions, or detect the behaviour of browser extensions. Finally, SWGs are blind to web application context, as attackers can use JavaScript to dynamically render phishing pages entirely on the client side, evading network-layer inspection.
These inherent limitations in SWGs create a vast blind spot for enterprises. The browser is now an integral part of business operations, with more than 85% of business applications expected to be SaaS-based by next year. This means that attackers will continue to target the browser, exploiting its complexity and dynamic nature to deliver phishing attacks that traditional network-based solutions can't stop.
The Need for Browser-Native Security
Unlike the case for malicious files, where an Endpoint security solution can kick in even if the network / browser layer detection fails, there is no other layer of security that can help prevent a phishing attack. It is thus of utmost importance that phishing attacks are detected on the browser without fail.
The only way to effectively detect and prevent modern phishing attacks is by employing browser-native security solutions. Unlike SWGs, these solutions operate within the browser itself, giving them full visibility into user interactions, browser behavior, and web application context. This allows them to detect and block phishing attacks that manipulate browser features, such as those involving steganography, dynamic content generation, or advanced techniques like WebAssembly.
Browser-native security solutions, like SquareX, are built to operate at the same level as the threats they combat. They can conduct last mile detection of a phishing page even if the page has constant DOM changes, or if a malicious extension is injecting malicious content, offering far more robust protection against phishing attacks than SWGs ever could.
Relying solely on Secure Web Gateways to protect your enterprise from phishing attacks is no longer a viable strategy. To stay ahead, enterprises must embrace browser-native security solutions that are purpose-built to defend against the evolving web threat landscape.