New research documents 4,937 zero-day attacks blocked before reputation filters knew they existed, 115,842 evasive phishing attacks purpose-built to bypass detection, and two Q1 2026 attacks stopped after every existing security tool saw nothing
Menlo Security, the leader in Browser Security for human and agentic workforces, released its 2026 State of Browser Security Threat Report: Evasive Threats, Zero-Day Lures, and the New Browser-First Kill Chain. Based on platform telemetry across millions of active browser sessions in enterprise customer environments from January 1 through March 31, 2026, the report documents a fundamental and largely unaddressed shift in how sophisticated threat actors gain entry to enterprise environments: through the browser session layer that most enterprise security stacks were never built to see.
In February 2026, a user at a 60,000-employee integrated health system clicked a link to what appeared to be an Adobe secure document portal. The domain was clean. Zero vendors on VirusTotal flagged it as malicious at time of click. Every reputation-based tool in the existing security stack saw nothing wrong. This is not an edge case. It is what happens when security architecture built around domain reputation encounters attacks engineered to abuse trusted infrastructure. The same gap that allowed this attack is present in most enterprise environments today. Menlo’s platform blocked the download before it executed, not because the domain was flagged, but because it analyzed what the page was attempting to do in real time.
Key findings from the 2026 State of Browser Security Threat Report include:
- 4,937 zero-day attacks blocked before reputation filters became aware they existed. This highlights a structural problem with local browser security models: the total enterprise exposure window is 6 days minimum and up to weeks, depending on patch deployment velocity.
- 1 in 3 highly evasive threats originate from sites already classified as ‘safe.’ Menlo blocked 52,185 threats hosted on domains its customers’ security stacks were already configured to trust, including Google Drive, Dropbox, SharePoint, and similar platforms.
- 1 in 5 phishing links actively clicked by users goes completely undetected by legacy URL filtering. The attack is happening; the tool doesn’t know.
- 25% of exploitable files disarmed were identified from password-protected files. Of 433,314 exploitable files disarmed, 110,357 were concealed behind password protection: a deliberate evasion technique that defeats most automated scanning tools, which cannot inspect encrypted content without the key.
- 115,842 evasive phishing attacks identified across active campaigns, each purpose-built to bypass detection. Using techniques like CAPTCHA abuse, TDS redirection, HTML smuggling, and brand impersonation, every one of these attacks was specifically engineered to pass reputation-based filters — and every one arrived through a browser session.
“The tools most enterprises rely on are performing exactly as designed. That is the problem. None of them were built to operate at the browser session layer, and that is precisely where attackers have learned to live,” said Bill Robbins, CEO of Menlo Security. “In Q1 2026, Menlo blocked thousands of zero-day attacks that arrived during the window between a vulnerability being discovered and a patch reaching enterprise endpoints. That window is not a process failure. It is an architectural feature of any security model that executes code locally. This report exists to map the gap and show what closing it actually looks like.”
The 2026 threat landscape calls for securing the browser session layer, where encrypted traffic executes, credentials are entered, sensitive data moves, and every attack technique documented in this report originates. Enterprises that govern this layer will be positioned to protect both their workforce and the AI agent sessions already operating in their environments by default. Those that don’t will continue relying on tools built for a threat model attackers have moved on from.


