
AI-Driven Phishing Attacks Surge via Browser Exploits in 2026

Severity: High (Score: 64.5)

Sources: Bleepingcomputer, pushsecurity.com

Published: 2026-06-02 · Updated: 2026-06-02

Keywords: security, browser, front, line, teams, staring, problems

Summary

In 2026, security teams face dual AI-related threats: adversaries leveraging AI to enhance phishing kits and employees unwittingly exposing sensitive data through AI tools. Attackers are rapidly iterating on phishing-as-a-service (PhaaS) tools, with 18 new device code phishing kits identified, marking an 18-fold increase in such kits and a 37-fold spike in detections. Phishing infrastructure is now being created and deployed at unprecedented speeds, with 89% of phishing domains active for less than two days, rendering traditional blocklist defenses ineffective. The misuse of legitimate sites for hosting phishing links complicates detection efforts, as attackers exploit AI chat functionalities to distribute malicious content. Security teams are urged to adopt integrated solutions that provide comprehensive visibility into browser sessions to combat these evolving threats.

Key Points:

  • AI is significantly enhancing the speed and effectiveness of phishing attacks.
  • 2026 has seen an 18-fold increase in device code phishing kits and a 37-fold rise in detections.
  • Traditional IoC-based defenses are becoming ineffective against rapidly changing phishing domains.

Detailed Analysis

**Impact**

Organizations across multiple sectors are affected globally, with a significant surge in phishing attacks exploiting browser vulnerabilities. Device code phishing kits have increased 18-fold in the wild, accompanied by a 37-fold spike in detections in 2026. Sensitive data, including credentials and OAuth tokens, is at risk due to attackers bypassing MFA and passkeys, potentially leading to account takeovers and operational disruptions. The rapid rotation of phishing domains—89% active for less than two days—complicates traditional defenses and increases exposure.

**Technical Details**

Attackers leverage AI to rapidly create and iterate phishing kits, including PhaaS tools like ClickFix, InstallFix, ConsentFix, and device code phishing kits that abuse legitimate OAuth flows to bypass MFA. Techniques include adversary-in-the-middle (AitM) and device code phishing converging into unified platforms such as Doko’s Panel, used by threat groups like ShinyHunters and BlackFile. Infrastructure includes fast-rotating domains and abuse of legitimate sites, including AI chat sharing functionality (LLMShare) for hosting malicious links. The kill chain focuses on browser session exploitation, with payload delivery and account takeover occurring entirely within the browser via script execution, session theft, and malicious copy-paste.

**Recommended Response**

Deploy browser session monitoring tools capable of analyzing page behavior, script execution, and malicious mechanics rather than relying on IoC blocklists. Harden OAuth permissions and restrict unvetted AI browser extensions to reduce attack surface. Monitor for rapid domain rotation and multi-channel phishing delivery, including malvertising and SEO poisoning. Prioritize detection of device code phishing techniques and enforce strict controls on OAuth flows to prevent MFA bypass.

Source articles (3)

  • Why the browser is now the front line for AI security — Bleepingcomputer · 2026-06-02
    Security teams are staring at two AI problems at once. Adversaries are using AI to iterate on phishing kits, generate lures, and rotate infrastructure faster than blocklists can follow. Employees are…
  • ConsentFix — pushsecurity.com · 2026-06-02

Timeline

  • 2026-06-02 — AI phishing threats escalate: Adversaries are using AI to rapidly create and deploy phishing kits, complicating defenses.
  • 2026-06-02 — Device code phishing kits surge: 18 new device code phishing kits have been identified, marking an 18x increase in 2026.
  • 2026-06-02 — Phishing domains active for less than two days: 89% of phishing domains are now active for under two days, making detection challenging.

Related entities

  • Phishing (Attack Type)
  • Drift (Campaign)
  • Gainsight (Company)
  • Vercel (Company)
  • Salesloft (Tool)
  • Claude (Tool)
  • CWE-200 - Exposure of Sensitive Information (Cwe)
  • CWE-287 - Improper Authentication (Cwe)
  • CWE-862 - Missing Authorization (Cwe)
  • T1041 - Exfiltration Over C2 Channel (Mitre Attack)
  • T1566.002 - Spearphishing Link (Mitre Attack)
  • T1566 - Phishing (Mitre Attack)
  • ChatGPT Enterprise (Platform)
  • Gemini For Workspace (Platform)
  • Google Workspace (Platform)
  • Microsoft Copilot (Platform)