
Retail Under Siege: Why the Browser Is the New Cyber Battleground

In the last few months, some of the world’s most recognized retail brands — Marks & Spencer, Co-op, Harrods, Victoria’s Secret, The North Face, and Cartier — have been hit by a wave of sophisticated cyber-attacks. Cybercriminal group Scattered Spider (UNC3944) is linked to the attacks on U.K. retailers, and many believe this group is responsible for the U.S. retailer attacks as well.

At RSAC Conference 2025, in the keynote The Five Most Dangerous New Attack Techniques…and What to Do for Each, Joshua Wright of the SANS Institute noted that Scattered Spider has increasingly leveraged browser-native tactics. It is time security teams in retail, and beyond, rethought where and how work actually happens.

“The thing that’s so amazing about this is that their [Scattered Spider] number one tool is just a browser.”
 — Joshua Wright, SANS Institute

These incidents, spanning both the U.K. and the U.S., have disrupted operations, exposed customer data, and underscored a painful truth: the browser has become the new endpoint — and it’s clearly under siege.

The Anatomy of a Global Threat Campaign

A Timeline of Disruption

In both the U.K. and U.S., major retailers have fallen victim to increasingly coordinated attacks:

  • Marks & Spencer, Co-op, Harrods: Suspended online ordering, significant customer impact, and reputational harm.
  • The North Face, Victoria’s Secret, Cartier: Credential harvesting, data theft, and operational slowdowns leading to investor fallout.

These attacks all follow a similar playbook:

1. Credential Phishing and Fake Domains

  • Look-alike domains: The group created fake login pages mimicking legitimate services (e.g., Okta, corporate portals) to trick users into submitting credentials.
  • Phishing/Smishing: Broad campaigns via email and SMS directed victims to malicious links, often tailored to specific targets.

2. Social Engineering

  • MFA bombing (push fatigue): Flooding a user with authentication push requests, triggered by logins the attacker initiates with already-stolen passwords, until one is approved out of fatigue or by accident.
  • Vishing (voice phishing): Posing as IT staff, Scattered Spider convinced employees (or the help desk) to reset passwords or enrol new MFA devices, often after SIM-swapping victims so that SMS codes land with the attacker.

3. Credential Stuffing

  • Reused credentials: Attackers replayed username/password pairs leaked in prior breaches against retailers’ customer-facing platforms (e.g., The North Face breach), relying on customers reusing the same password across sites.

4. Browser History and Data Extraction

  • Raccoon Stealer: Infostealer malware that harvested browser history, saved passwords, and autofill data from infected machines, giving the group a map of which SaaS and corporate portals each victim uses and which accounts are worth pursuing.

5. Exploiting Third-Party Vulnerabilities

  • Supply chain attacks: Compromised customer service providers (e.g., the third-party vendor behind the Adidas incident) to reach retailer systems and customer data without touching the retailer’s own perimeter.

6. Session Cookie Theft

  • Raccoon Stealer and Vidar Stealer: Infostealers used to extract browser cookies, saved credentials, and session data, giving the attacker an already-authenticated session rather than a password to try.
  • MITRE ATT&CK T1539 (Steal Web Session Cookie): Replaying a stolen cookie hijacks the active browser session directly, bypassing the login flow and any MFA that protected it, because the session was authenticated before it was stolen.
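Three steps of the playbook above (MFA bombing, credential stuffing, and session cookie replay) leave distinct traces in identity-provider logs. The following is an added example, not code from the original post, SANS, or SquareX: it runs one detector for each over a constructed sample log. The log format, field names, and thresholds are assumptions; map them to whatever your IdP (Okta, Entra ID, etc.) actually exports.

```python
"""Detections for three steps of the playbook above, run over a constructed auth log.

Added example, not code from the original post or from any vendor. The log
format, field names, and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). One event per line, fields:
#   timestamp  user  event  outcome  src_ip  user_agent  session_id ('-' = none)
SAMPLE_LOG = """\
2025-05-01T09:00:00Z alice mfa.push denied 198.51.100.7 Chrome/124 -
2025-05-01T09:00:40Z alice mfa.push timeout 198.51.100.7 Chrome/124 -
2025-05-01T09:01:10Z alice mfa.push denied 198.51.100.7 Chrome/124 -
2025-05-01T09:01:55Z alice mfa.push approved 198.51.100.7 Chrome/124 sid-a1
2025-05-01T10:30:00Z bob password success 203.0.113.5 Chrome/124 sid-b1
2025-05-01T10:31:00Z bob session.use ok 203.0.113.5 Chrome/124 sid-b1
2025-05-01T10:45:00Z bob session.use ok 192.0.2.99 curl/8.0 sid-b1
2025-05-01T11:00:00Z carol password failure 192.0.2.44 python-requests/2.31 -
2025-05-01T11:00:05Z dave password failure 192.0.2.44 python-requests/2.31 -
2025-05-01T11:00:09Z erin password failure 192.0.2.44 python-requests/2.31 -
2025-05-01T11:00:14Z frank password failure 192.0.2.44 python-requests/2.31 -
2025-05-01T11:20:00Z grace mfa.push denied 198.51.100.9 Chrome/124 -
2025-05-01T11:25:00Z grace mfa.push approved 198.51.100.9 Chrome/124 sid-g1
"""


def parse_log(text):
    """Parse the whitespace-separated log into dicts, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, user, event, outcome, ip, ua, sid = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "event": event, "outcome": outcome,
                       "ip": ip, "ua": ua, "sid": sid})
    return sorted(events, key=lambda e: e["ts"])


def detect_mfa_fatigue(events, min_prompts=3, window=timedelta(minutes=10)):
    """MFA bombing: an approved push preceded by >= min_prompts denied or
    expired pushes for the same user inside the window.
    Returns (user, approval_time, prompts_before_approval) per hit."""
    hits = []
    pushes = defaultdict(list)
    for e in events:
        if e["event"] == "mfa.push":
            pushes[e["user"]].append(e)
    for user, seq in pushes.items():
        for i, e in enumerate(seq):
            if e["outcome"] != "approved":
                continue
            burst = [p for p in seq[:i]
                     if p["outcome"] in ("denied", "timeout") and e["ts"] - p["ts"] <= window]
            if len(burst) >= min_prompts:
                hits.append((user, e["ts"], len(burst)))
    return hits


def detect_credential_stuffing(events, min_users=3, window=timedelta(minutes=5)):
    """Credential stuffing: one source IP failing password auth for many
    *distinct* usernames in a short window (brute force of one account looks
    different: one user, many attempts). Returns (src_ip, distinct_users)."""
    hits = []
    fails = defaultdict(list)
    for e in events:
        if e["event"] == "password" and e["outcome"] == "failure":
            fails[e["ip"]].append(e)
    for ip, seq in fails.items():
        for i, start in enumerate(seq):
            users = {f["user"] for f in seq[i:] if f["ts"] - start["ts"] <= window}
            if len(users) >= min_users:
                hits.append((ip, len(users)))
                break  # one finding per IP is enough
    return hits


def detect_session_hijack(events):
    """T1539 replay: a session id later presented from a different (ip, user_agent)
    than the client that first presented it. A legitimate client that logs in
    again gets a fresh id, so the same id from a new client means the cookie moved.
    Returns (session_id, user, origin_client, new_client) per hit."""
    origin, hits = {}, []
    for e in events:
        if e["sid"] == "-":
            continue
        client = (e["ip"], e["ua"])
        if e["sid"] not in origin:
            origin[e["sid"]] = client  # first sighting, normally the login that minted it
        elif origin[e["sid"]] != client:
            hits.append((e["sid"], e["user"], origin[e["sid"]], client))
    return hits


def run(text=SAMPLE_LOG):
    events = parse_log(text)
    return {"mfa_fatigue": detect_mfa_fatigue(events),
            "credential_stuffing": detect_credential_stuffing(events),
            "session_hijack": detect_session_hijack(events)}


if __name__ == "__main__":
    for name, findings in run().items():
        print(name, findings)
```

On the sample log, alice is flagged for push fatigue (three rejected prompts, then an approval), 192.0.2.44 for stuffing four distinct accounts in fourteen seconds, and bob’s session id for reappearing from a new IP and user agent; grace, who denied one prompt and then approved, is correctly ignored. The session check keys on (IP, user agent) only, which is noisy for mobile users changing networks; in production pair it with a device-bound token or a session-binding signal from the IdP.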

The threat actors behind these attacks — especially Scattered Spider — are now known for exploiting human trust and browser-centric workflows rather than complex exploits.

Ultimately, their goal is to compromise an enterprise as quickly as possible with the least sophisticated tactic that works. Why bother with lengthy, complicated attacks when simple ones using a browser will do?

The Browser Is the New Endpoint — And It’s Under Siege

Joshua Wright’s remarks at RSAC 2025 weren’t hyperbole. The browser has evolved into the nexus of authentication, productivity, and data access.

Threat actors know this — and they’re exploiting:

  • Session sprawl: Persistent logins across dozens of apps mean a single token can unlock an enterprise.
  • Insufficient visibility: Most security tools stop at the network or endpoint — not the browser layer itself.
  • Credential and extension abuse: Phishing, malicious Chrome extensions, and unmanaged browser behavior are rampant.

We’ve been trained to think that identity is the new perimeter, and that may be true. But in a Zero Trust world, the “last mile” is the browser — and it’s wide open.

Traditional Security Tools Aren’t Enough

Most retailers rely on a mix of:

  • Endpoint Detection & Response (EDR)
  • Secure Web Gateways (SWG)
  • Cloud Access Security Brokers (CASB)

Yet none of these were designed to observe or respond to what’s actually happening in the browser. Worse, some retailers have experimented with proprietary enterprise browsers — only to face resistance from users, compatibility issues, and dropped productivity.

In one discovery call, the CISO of a 45,000-associate retailer described their pain candidly:

“We run [well-known EDR], and it generally stops the bad guys — but a lot of bad things can happen in five minutes. And in the stores, that’s enough time for real damage.”

SquareX: The First Browser Detection & Response Platform Built for Identity-Aware Threats

SquareX is purpose-built for this exact challenge. Unlike network-based or device-centric tools, SquareX provides in-browser visibility, control, and response — all without disrupting user workflows or requiring a new browser.

Close the Browser and Identity Security Gap

Today’s most dangerous threats aren’t brute-force exploits — they’re identity-based attacks hiding in plain sight. From OAuth abuse to session hijacks, attackers exploit the browser as both gateway and execution layer. SquareX brings security into the browser, where these threats originate.

Here’s how:

1. Real-Time Browser Detection and Response

  • Browser-native telemetry tracks user sessions, extensions, URL activity, and SaaS interactions in real time.
  • Detect and mitigate token theft, phishing attempts, session abuse, and rogue extensions before they escalate.
  • Policy-based automation enables rapid containment — revoke tokens, isolate sessions, or block behaviors without waiting on downstream systems.

2. Identity Attack Prevention Built In

  • Enforce identity-based policies directly in the browser:
      ◦ Block OAuth or SAML logins that bypass corporate SSO policies.
      ◦ Prevent password reuse across SaaS platforms — one of the top entry points for attackers.
      ◦ Enforce least privilege by flagging SaaS apps requesting excessive or risky permissions.
  • Advanced phishing protection using in-browser OCR to:
      ◦ Detect deceptive login prompts that mimic corporate portals.
      ◦ Thwart Adversary-in-the-Middle (AiTM) and Browser-in-the-Middle (BitM) attacks that bypass MFA and intercept credentials.
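The look-alike domains in step 1 of the playbook and the “deceptive login prompts that mimic corporate portals” above share one underlying check: is the host serving this login form actually one of ours? The following is an added example, not SquareX’s or any vendor’s code, of that check. TRUSTED_LOGIN_HOSTS (with example.com standing in for a corporate portal), the confusable-character table, and the “last two labels” notion of registrable domain are assumptions; a production implementation would use the Public Suffix List and Unicode’s full confusables data.

```python
"""Look-alike login host check. Added example, not SquareX's or any vendor's
code. TRUSTED_LOGIN_HOSTS, the confusable table, and the 'last two labels'
notion of registrable domain are assumptions."""

# Assumption: the organisation's real IdP and portal hosts (example.com per RFC 2606).
TRUSTED_LOGIN_HOSTS = {"login.okta.com", "sso.example.com"}

# Small subset of characters attackers swap for Latin letters (digits and
# Cyrillic/Greek homoglyphs); the full list is Unicode's confusables.txt.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u03bf": "o", "\u03b1": "a",
})


def normalize_host(host):
    """Lowercase, expand punycode (xn--) labels, then fold confusables to ASCII."""
    host = host.lower().rstrip(".")
    try:
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode; nothing to expand
    return host.translate(CONFUSABLES)


def registrable(host):
    """Assumption: registrable domain = last two labels (no Public Suffix List)."""
    return ".".join(host.split(".")[-2:])


def edit_distance(a, b):
    """Levenshtein distance, O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_login_host(hostname, trusted=TRUSTED_LOGIN_HOSTS):
    """Classify the host serving a login form:
    trusted     - an allowlisted host, or a subdomain of its registrable domain
    homoglyph   - becomes a trusted domain once confusables are folded (0kta.com)
    brand_abuse - a trusted brand label inside an untrusted host (okta-login.com)
    look_alike  - registrable label one edit away from a brand (okkta.com)
    unknown     - none of the above; not necessarily safe, just not impersonating us
    """
    raw = hostname.lower().rstrip(".")
    trusted_domains = {registrable(h) for h in trusted}
    if raw in trusted or raw in trusted_domains or any(raw.endswith("." + d) for d in trusted_domains):
        return "trusted"
    norm = normalize_host(raw)
    if norm != raw and registrable(norm) in trusted_domains:
        return "homoglyph"
    brands = {d.split(".")[0] for d in trusted_domains}  # e.g. "okta", "example"
    if any(b in label for label in norm.split(".")[:-1] for b in brands):
        return "brand_abuse"
    if any(edit_distance(registrable(norm).split(".")[0], b) <= 1 for b in brands):
        return "look_alike"
    return "unknown"


if __name__ == "__main__":
    for h in ["login.okta.com", "0kta.com", "\u043ekta.com",
              "okta-login.com", "okkta.com", "www.iana.org"]:
        print(f"{h:20} {assess_login_host(h)}")
```

The check can run wherever the hostname is visible: in a browser extension when a password field is submitted, or over SWG/URL logs after the fact. Two caveats a practitioner should keep in mind: an AiTM reverse proxy does not have to use a brand-like name at all, so this catches impersonation, not proxying in general; and the only control that defeats the proxy case outright is origin-bound authentication (FIDO2/WebAuthn), where the credential simply will not sign for the wrong origin.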

3. Zero Friction for End Users

  • No browser changes required — SquareX works inside existing Chrome and Edge environments.
  • Users stay productive; security teams gain unmatched visibility.
  • Compatible with managed, BYOD, and third-party devices — critical in retail environments with high workforce variability.

🚀 The SquareX Advantage: Secure Any Browser on Any Device

SquareX isn’t a browser. It’s not a proxy. It’s a lightweight, enterprise-grade security layer inside the browser — giving you control over the most exploited, yet least protected, part of your digital environment. With SquareX, you can turn any browser on any device into a secure enterprise browser.

Find out more about browser detection and response.

Schedule a custom demo of SquareX.


Retail Under Siege: Why the Browser Is the New Cyber Battleground was originally published in SquareX Labs on Medium.

*** This is a Security Bloggers Network syndicated blog from SquareX Labs - Medium authored by Mary Yang. Read the original post at: https://labs.sqrx.com/retail-under-siege-why-the-browser-is-the-new-cyber-battleground-6ecfb690154b?source=rss----f5a55541436d---4