SecurityBrief US - Technology news for CISOs & cybersecurity decision-makers

Major vendors admit browser attacks bypass secure gateways

Fri, 19th Sep 2025

Major SASE/SSE vendors have begun acknowledging the limitations of their Secure Web Gateways in defending against a class of browser-based cyberattacks known as Last Mile Reassembly attacks.

Last Mile Reassembly attacks, first identified and disclosed by SquareX, allow attackers to bypass the inspection and protection mechanisms of Secure Access Service Edge (SASE) and Security Service Edge (SSE) solutions. Attackers achieve this by breaking up malicious code into multiple chunks, which evade detection when examined in isolation. The malware is then reassembled inside the victim's browser, allowing it to execute without being intercepted by traditional proxy defences.
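The inspection gap described above can be seen from the defender's side in a few lines. This is an added example, not code from SquareX or any vendor; the marker string, the chunk contents and the assumption that chunks arrive in a different order than the page joins them are constructed for illustration and go beyond what the article states.

```javascript
// Constructed, harmless placeholder standing in for a content signature.
const SIGNATURES = ["DEMO-BLOCKED-MARKER"];

const matches = (text) => SIGNATURES.some((sig) => text.includes(sig));

// Proxy-style inspection: every chunk (one response body, one message)
// is judged on its own. Returns one verdict per chunk.
function scanChunksInIsolation(chunks) {
  return chunks.map((chunk) => matches(chunk));
}

// Stream-aware inspection: carries over the last (longest signature - 1)
// characters so a signature split across adjacent chunks of one ordered
// stream is still seen. It only helps if wire order equals final order.
function scanOrderedStream(chunks) {
  const keep = Math.max(...SIGNATURES.map((sig) => sig.length)) - 1;
  let tail = "";
  for (const chunk of chunks) {
    const view = tail + chunk;
    if (matches(view)) return true;
    tail = view.slice(-keep);
  }
  return false;
}

// Inspection at the point of reassembly: the check runs on the content
// the page actually builds, which is what a browser-side control sees.
// `order` is the (assumed) sequence in which the page joins the chunks.
function scanReassembled(chunks, order) {
  return matches(order.map((i) => chunks[i]).join(""));
}

// Constructed sample: three chunks as they cross the gateway, plus the
// order in which the page concatenates them.
const wireChunks = ["MARKER", "DEMO-BLO", "CKED-"];
const joinOrder = [1, 2, 0];

function compareInspectionPoints() {
  return {
    perChunk: scanChunksInIsolation(wireChunks), // [false, false, false]
    orderedStream: scanOrderedStream(wireChunks), // false
    atReassembly: scanReassembled(wireChunks, joinOrder), // true
  };
}

console.log(compareInspectionPoints());
```

Only the check placed where the content is joined reports a match, which is the architectural point the vendors quoted below are conceding.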

Vendor acknowledgement

Palo Alto Networks has become the first major vendor to acknowledge these architectural shortcomings. The company described the attacks as "encrypted, evasive attacks that assemble inside the browser and bypass traditional secure web gateways," further noting that "the browser is becoming the new operating system for the enterprise, the primary interface for AI and cloud applications. Securing it is not optional."

This public admission highlights a growing consensus within the cybersecurity sector that proxy-based solutions are not sufficient to protect enterprises from browser-based threats, particularly as more business applications are accessed through web browsers.

Attack techniques

SquareX has identified over 20 techniques that exploit these limitations, some of which involve smuggling malicious files through binary channels such as WebRTC, gRPC and WebSockets. These communication protocols are widely used by web applications for functionalities like video conferencing and streaming, but, as SquareX notes, are not monitored by existing Secure Web Gateways.

Many SASE/SSE vendors have even recommended that their customers disable these channels due to their inability to provide security coverage. According to SquareX's findings, all major SASE/SSE solutions on the market remain vulnerable to these attack vectors, and responsible disclosures have been made to multiple providers.

Data splicing risks

Building on these earlier discoveries, SquareX researchers have explored the potential for these techniques to facilitate data exfiltration, a category of attack referred to as Data Splicing Attacks. The company demonstrated at BSides San Francisco how attackers could use similar methods to bypass endpoint and cloud Data Loss Prevention (DLP) solutions by sharing confidential files or copy-pasting sensitive data through the browser. The rise of peer-to-peer file sharing services that lack DLP inspection capabilities has further increased this risk.

Focus on browser security research

The prevalence of web browsers as a primary interface for cloud and AI-powered applications has placed browser security under greater scrutiny. SquareX has launched a year-long research initiative, 'The Year of Browser Bugs', aiming to disclose a significant browser architectural vulnerability every month. This has included revelations such as Polymorphic Extensions, a proof-of-concept malicious browser extension capable of impersonating password managers and cryptocurrency wallets, and Passkeys Pwned, which identified passkey implementation flaws putting user accounts at risk.

"Research has always been a core part of SquareX's DNA. We believe that the only way to defend against bleeding-edge attacks is to be one step ahead of attackers. In the past year alone, we've discovered over 10 zero-day vulnerabilities in the browser, many of which we disclosed at major conferences like DEF CON and Black Hat due to the major threat it poses to organizations," says Vivek Ramachandran, the Founder of SquareX. "Palo Alto Networks' recognition of Last Mile Reassembly attacks represents a major shift in incumbent perspectives on browser security. At SquareX, research has continued to inform how we build browser-native defenses, allowing us to protect our customers against Last Mile Reassembly attacks and other novel browser-native attacks even before we disclosed the attack last year."

This recognition from a leading SASE/SSE vendor signals a shift in perspective on browser-based security attacks and highlights the need for browser-native defences, which companies such as SquareX advocate.

Industry collaboration

To further browser security education within the industry, SquareX has collaborated with Chief Information Security Officers at companies including Campbell's and Arista Networks to produce The Browser Security Field Manual. Released at Black Hat, the manual provides technical guidance for cybersecurity professionals on defending against advanced browser-based threats and implementing effective mitigation strategies.
