Palo Alto Networks acknowledges browser malware risks, validating SquareX’s LMR attack findings


SquareX’s research on Last Mile Reassembly (LMR) attacks, which the browser-native cybersecurity company disclosed at DEF CON 32, has finally received the validation it’s been waiting for.

After more than a year of warning, Palo Alto Networks became the first major SASE vendor to publicly acknowledge that Secure Web Gateways (SWGs) can’t stop these evasive, browser-based malware attacks.

In a blog post shared with CSO ahead of its publication on Monday, SquareX defined LMR attacks as techniques that exploit SWG limitations to slip malware past inspection, only to reassemble inside the browser as functional malware.

Earlier this month, without explicitly naming LMR attacks as the target use cases, Palo Alto Networks announced new capabilities aimed at containing “evasive attacks that assemble inside the browser” capable of bypassing SWG protections.

“Admitting this publicly would be largely detrimental to their (vendors’) SASE/SSE business, especially because many of them have SLAs promising to protect against 100% of known malwares,” explained Audrey Adeline, of SquareX’s Founder’s office. “Our best guess is that Palo Alto Networks is seeing more of its customers attacked using LMR techniques, which is typical of large incumbent vendors who are largely driven by significant customer demand.”

Why proxy defenses fail at the browser

LMR attacks aren’t a single trick but a toolkit of more than 20 bypasses that exploit overlooked blind spots. In one method, malware is split into pieces that slip past proxy inspection individually and are reassembled into a working payload only once inside the victim’s browser. Other variations ride binary channels that SWGs do not inspect, such as WebRTC or gRPC, the same pipes that power conferencing apps and cloud workflows. In every case the proxy never sees a complete, recognizable payload, so signature, sandbox and DLP inspection at the network layer has nothing to match; the attack defeats SWG protections by design rather than by any single evasion.

Adeline said this exposure is far from theoretical, as SquareX has been detecting these attacks and protecting customers against them. “LMR allows attackers to smuggle any malicious script, site, or file — including known phishing sites and malware — that completely bypasses SWGs,” she explained. “Once it’s inside the browser, enterprises face credential theft, data exfiltration, and monitoring attacks without any oversight from their existing tools.”

SquareX researchers have extended these findings into “Data Splicing Attacks,” showing that attackers, or even insiders, can use similar techniques to exfiltrate sensitive data. Whether through copy-paste operations or peer-to-peer file sharing sites, the data sneaks past traditional data loss prevention (DLP) controls undetected.

According to Adeline, securing channels like WebRTC and gRPC is tough with traditional SASE or SSE tools, which lack browser-level visibility and often force enterprises to block those channels entirely. Browser-native security, she said, can protect them at the “last mile” inside the browser by blocking malicious downloads and inspecting phishing sites or malicious scripts in real time, at the point where the fragments have already been reassembled.
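A toy model of the splitting described above, covering both the malware case and the data-splicing case. This is an added illustration written for this article, not code from SquareX, Palo Alto Networks or CSO. The detection rules, the “malware” sample and the customer record are all constructed; a per-message scanner and an arrival-order stream scanner stand in for proxy-side SWG and DLP inspection, and the out-of-order delivery is a fixed interleave rather than any real transport behaviour.

```javascript
// Added example (not SquareX's or Palo Alto Networks' code): why inspection that
// happens before the browser misses content that is reassembled inside it.
// Everything below is constructed for the demo.

// Constructed rules standing in for an SWG malware signature and a DLP rule.
const RULES = [
  { name: 'constructed-malware-signature', re: /MALWARE-MARKER-7f3a/ },
  { name: 'constructed-dlp-card-number', re: /\b4\d{3}(?:-\d{4}){3}\b/ },
];

// Proxy/DLP view: inspect one body in isolation; return the first rule hit or null.
function inspectBody(text, rules = RULES) {
  const hit = rules.find((r) => r.re.test(text));
  return hit ? hit.name : null;
}

// Sender side: slice content into fragments shorter than any rule can match and
// tag each with its position so the receiver can put them back together.
function fragment(text, chunkSize) {
  const parts = [];
  for (let i = 0; i < text.length; i += chunkSize) {
    parts.push({ idx: parts.length, data: text.slice(i, i + chunkSize) });
  }
  return parts;
}

// Deterministic out-of-order delivery (even-indexed fragments first, then odd),
// standing in for fragments arriving over separate fetches, WebSocket frames or
// WebRTC data-channel messages in whatever order the sender chooses.
function deliverOutOfOrder(parts) {
  const evens = parts.filter((p) => p.idx % 2 === 0);
  const odds = parts.filter((p) => p.idx % 2 === 1);
  return [...evens, ...odds];
}

// Client side ("last mile"): order by index and rebuild the original content.
// In a browser the result would go into a Blob and an object URL for download,
// or straight into a script element or DOM.
function reassemble(parts) {
  return [...parts].sort((a, b) => a.idx - b.idx).map((p) => p.data).join('');
}

// Proxy strategy 1: stateless per-message inspection of each body as it passes.
function proxyPerMessage(delivered) {
  return delivered.map((p) => inspectBody(p.data)).filter(Boolean);
}

// Proxy strategy 2: a stream-aware proxy that concatenates what it saw, in
// arrival order. It still lacks the client's reassembly logic (the index).
function proxyArrivalOrder(delivered) {
  return inspectBody(delivered.map((p) => p.data).join(''));
}

function runScenario(content, chunkSize) {
  const delivered = deliverOutOfOrder(fragment(content, chunkSize));
  const assembled = reassemble(delivered);
  return {
    fragments: delivered.length,
    perMessageHits: proxyPerMessage(delivered),   // []: no fragment matches
    arrivalOrderHit: proxyArrivalOrder(delivered), // null: wrong order, no match
    lastMileHit: inspectBody(assembled),           // rule name: the client has it all
    intact: assembled === content,                 // the payload survives the trip
  };
}

// Constructed inputs: a "malware" blob and a record a DLP policy should stop.
const MALWARE_SAMPLE = 'PK..stub..MALWARE-MARKER-7f3a..stub..';
const SENSITIVE_RECORD = 'customer=jdoe card=4111-2222-3333-4444 exp=12/29';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(runScenario(MALWARE_SAMPLE, 6));
  console.log(runScenario(SENSITIVE_RECORD, 6));
}
```

The chunk size only has to be smaller than the shortest thing a rule can match, and the sender decides both the size and the delivery order, so a proxy that sees each message alone, or even one that buffers the stream in the order it arrives, has nothing to match. Only an inspector running where `reassemble` runs, in the browser, sees the content the rules were written for.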

Palo Alto Networks first to break the silence

While SquareX disclosed the LMR techniques directly to all major vendors, Palo Alto Networks is the first to publicly confirm the problem. The acknowledgement came in the form of a September 4 announcement in which Palo Alto Networks unveiled new capabilities added to its Prisma Browser.

In the announcement, the company said that Prisma Browser has been upgraded “to intercept and neutralize encrypted, evasive attacks that assemble inside the browser and bypass traditional secure web gateways.” With the announcement, the company admitted the architectural shortfall of SWGs in handling these attacks.

“Palo Alto Networks represents the first among SASE/SSE vendors to recognize that the shift towards browser-native threats and need for browser-native security is inevitable (hence their acquisition of Talon for $625M), but we expect more SASE/SSE vendors to follow suit, as while it is cannibalistic to their existing cash cow business, as the browser becomes the new endpoint, they will have to build, acquire or partner with a browser security company soon to remain relevant,” Adeline added.

It’s unclear whether Prisma Browser enhancements are aimed at LMR attacks per se, but the company’s description closely aligns with how SquareX defines LMR. Palo Alto Networks did not immediately respond to CSO’s request for comments.
