{"id":4926,"date":"2025-09-18T13:00:00","date_gmt":"2025-09-18T13:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=4926"},"modified":"2025-09-18T13:00:00","modified_gmt":"2025-09-18T13:00:00","slug":"palo-alto-networks-acknowledges-browser-malware-risks-validating-squarexs-lmr-attack-findings","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=4926","title":{"rendered":"Palo Alto Networks acknowledges browser malware risks, validating SquareX\u2019s LMR attack findings"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>SquareX\u2019s research on Last Mile Reassembly (LMR) attacks, which the browser-native cybersecurity company disclosed at DEF CON 32, has finally received the validation it\u2019s been waiting for.<\/p>\n<p>After more than a year of warning, Palo Alto Networks became the first major SASE vendor to publicly acknowledge that Secure Web Gateways (<a href=\"https:\/\/www.prnewswire.com\/news-releases\/squarex-discovers-new-cybersecurity-attacks-that-completely-bypass-secure-web-gateways-swg-leaving-most-enterprises-vulnerable-302214112.html\" target=\"_blank\" rel=\"noopener\">SWGs<\/a>) can\u2019t stop these evasive, browser-based malware attacks.<\/p>\n<p>In a blog post shared with CSO ahead of its publication on Monday, SquareX defined LMR attacks as techniques that exploit SWG limitations to slip malware past inspection, only to reassemble inside the browser as functional malware.<\/p>\n<p>Earlier this month, without explicitly naming LMR attacks as the target use cases, Palo Alto Networks announced new capabilities aimed at containing \u201cevasive attacks that assemble inside the browser\u201d capable of bypassing SWG protections.<\/p>\n<p>\u201cAdmitting this publicly would be largely detrimental to their 
(vendors\u2019) SASE\/SSE business, especially because many of them have SLAs promising to protect against 100% of known malwares,\u201d explained Audrey Adeline, of SquareX\u2019s Founder\u2019s office. \u201cOur best guess is that Palo Alto Networks is seeing more of its customers attacked using LMR techniques, which is typical of large incumbent vendors who are largely driven by significant customer demand.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Why proxy defenses fail at the browser<\/h2>\n<p>LMR attacks aren\u2019t a single trick but a toolkit of more than 20 bypasses that exploit overlooked blind spots. In one method, malware is split into pieces that slip past proxy inspection before reassembling into a working payload once inside the victim\u2019s browser. Other variations ride unmonitored binary channels such as WebRTC or gRPC, the same pipes that power conferencing apps and cloud workflows. The outcome is a class of attacks that defeats SWG protections by design.<\/p>\n<p>Adeline said this exposure is far from theoretical, as SquareX has been detecting and protecting customers against them. \u201cLMR allows attackers to smuggle any malicious script, site, or file \u2014 including known phishing sites and malware \u2014 that completely bypasses SWGs,\u201d she explained. \u201cOnce it\u2019s inside the browser, enterprises face credential theft, data exfiltration, and monitoring attacks without any oversight from their existing tools.\u201d<\/p>\n<p>SquareX researchers have extended these findings into \u201cData Splicing Attacks,\u201d showing that attackers, or even insiders, can use similar techniques to exfiltrate sensitive data. 
Whether through copy-paste operations or peer-to-peer file sharing sites, the data sneaks past traditional data loss prevention (DLP) controls undetected.<\/p>\n<p>According to Adeline, securing channels like WebRTC and gRPC is tough with traditional SASE or SSE tools, which lack browser-level visibility and often force enterprises to block them entirely. Browser-native security, she said, can protect these channels at the \u201clast mile\u201d in the browser by blocking malicious downloads and inspecting phishing sites or malicious scripts in real time.<\/p>\n<h2 class=\"wp-block-heading\">Palo Alto Networks first to break the silence<\/h2>\n<p>While SquareX directly disclosed the LMR vulnerability to all major vendors, Palo Alto Networks is the first to publicly confirm it. The acknowledgement came in the form of a September 4 <a href=\"https:\/\/investors.paloaltonetworks.com\/news-releases\/news-release-details\/palo-alto-networks-unveils-protection-highly-evasive-threats\" target=\"_blank\" rel=\"noopener\">announcement<\/a> where Palo Alto Networks unveiled new capabilities added to its Prisma Browser.<\/p>\n<p>In the announcement, the company said that Prisma Browser has been upgraded \u201cto intercept and neutralize encrypted, evasive attacks that assemble inside the browser and bypass traditional secure web gateways.\u201d With the announcement, the company admitted the architectural shortfall of SWGs in handling these attacks.<\/p>\n<p>\u201cPalo Alto Networks represents the first among SASE\/SSE vendors to recognize that the shift towards browser-native threats and need for browser-native security is inevitable (hence their acquisition of Talon for $625M), but we expect more SASE\/SSE vendors to follow suit as while it is cannibalistic to their existing cash cow business, as the browser becomes the new endpoint, they will have to build, acquire or partner with a browser security company soon to remain relevant,\u201d Adeline added. 
<\/p>\n<p>It\u2019s unclear whether Prisma Browser enhancements are aimed at LMR attacks per se, but the company\u2019s description closely aligns with how SquareX defines LMR. Palo Alto Networks did not immediately respond to CSO\u2019s request for comments.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>SquareX\u2019s research on Last Mile Reassembly (LMR) attacks, which the browser-native cybersecurity company disclosed at DEF CON 32, has finally received the validation it\u2019s been waiting for. After more than a year of warning, Palo Alto Networks became the first major SASE vendor to publicly acknowledge that Secure Web Gateways (SWGs) can\u2019t stop these evasive, [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":4927,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-4926","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4926"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4926"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4926\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/4927"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4926"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_rout
e=%2Fwp%2Fv2%2Fcategories&post=4926"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4926"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}