While email URL rewriting and IOC-based defenses are valuable layers, they primarily rely on static indicators of compromise that require prior discovery. Because threat actors continuously create new domains, age infrastructure, and use dynamic redirection chains, many AiTM attacks can safely pass through email inspection systems before indicators are updated and propagated.

A recent incident with the U.S. Cybersecurity and Infrastructure Security Agency shows how even senior leaders can unknowingly expose sensitive data. The lesson: AI changes how mistakes happen and how quickly they spread. Efficiency alone isn’t enough. Organizations need clear boundaries, broad training, AI governance, and security that assumes human error. At Conceal, we help teams use AI safely without slowing down.

This blog will be the first entry in a new series of “Conceal vs”. In this series, we will discuss various threat-actor TTPs (tools, tactics, and procedures), how they work, why they work, who might be using them, and how Conceal’s real-time browser-native security solution thwarts them.

Recently, Conceal’s threat research team completed a thorough investigation and analysis of an emerging threat actor’s tactics specifically designed to evade traditional browser security safeguards. Their sophisticated tactics, which made the browser's human user an integral part of the attack, demonstrate that threat actors recognize that organizations’ attempts to protect their users leave gaps they can exploit. Now more than ever, it’s imperative that security teams adopt real-time in-browser security controls that do not rely on static signatures, domain lookups, and similar approaches. See the full threat-actor breakdown from the Conceal research team here.

We’ve already shown how malicious scripts hide in plain sight, how dynamic pages shift after load, and how threat actors deliver different content based on who’s looking. Now we’re bringing that same philosophy to one of the quietest but most dangerous pathways in the browser: Downloads

Credential theft is one of the most common entry points for enterprise breaches. Attackers use stolen or phished logins to quietly access corporate environments, move laterally, steal data, and launch ransomware. Modern techniques like Adversary in the Middle make fake login flows look completely legitimate, capturing usernames, passwords, MFA codes, and session cookies without the user realizing anything is wrong. Without protection that understands both content and context, these attacks slip past traditional security tools and put organizations at risk. Conceal stops these attacks by detecting and blocking AiTM activity before credentials can be stolen.

A quick reminder of the thesis: attackers are makers of plausible lies. They imitate, they hide, and they time. But every deception needs building blocks: HTML nodes, scripts, network calls, redirects, small text volumes, and odd registries. These building blocks are visible if you know where to inspect.

Most people assume browser protection is a binary act; a URL is either blocked or allowed. But that model belongs to an older web. Today’s threats don’t live in the address bar; they live in the page itself: inside iframes, hidden inputs, scripted redirects, staged forms, delayed injections. The truth is, a malicious site can begin innocent, evolve into deception mid-session, and reveal its intent only after interaction.

Web browsers are undergoing a once-in-a-decade evolution. What was once a simple tool for accessing information has now become the primary workspace for nearly every modern job function. From SaaS applications to cloud-based collaboration tools, the browser has quietly become the universal productivity platform. Now, with the emergence of AI-driven browsers, that transformation is accelerating in ways that were once only imagined in science fiction. 

It’s Halloween season; the time of year when ghosts roam, goblins lurk, and somewhere in your SOC, a security analyst just saw another alert pop up for the 437th time today. Let’s be honest: in cybersecurity, every day can feel like Halloween. The jump scares come from unexpected logins, the haunted house is your legacy VPN infrastructure, and the masked villain is the ransomware actor hiding behind your browser tab.