PhishWatch Autor: Phishwatch
Detects browser-native phishing attacks like ConsentFix, ClickFix, and Browser-in-the-Browser and AiTM that bypass traditional email security.
Metadane rozszerzenia
O tym rozszerzeniu
PhishWatch
PhishWatch helps detect browser-native phishing attacks that bypass email filters because these attacks do not activate until after delivery, inside your browser.
Modern phishing no longer requires suspicious-looking domains. Attackers increasingly use legitimate cloud infrastructure, AI-generated content, and browser-native techniques to steal credentials. With 82% of detections now malware-free (CrowdStrike 2026) and ClickFix identified as a leading initial access technique (Microsoft 2025), the attack surface has shifted from the inbox to the browser. PhishWatch operates at this critical layer, where phishing attacks must execute to succeed.
What PhishWatch Detects
ClickFix (Windows, macOS, and FileFix)
Helps detect social engineering attacks that trick users into copying and executing malicious commands disguised as verification steps, system fixes, or troubleshooting actions. Includes UNC path and File Explorer address-bar variants. Clipboard inspection occurs locally and is never transmitted.
Adversary-in-the-Middle (AiTM)
Helps identify credential-flow mismatches associated with reverse-proxy phishing attacks that relay credentials to legitimate services in real time, harvest session cookies, and bypass MFA protections. Includes WebSocket relay variants used by Tycoon 2FA.
Identity Provider Clone Detection
Helps detect login pages whose structure closely matches Microsoft or Google sign-in pages but are hosted on unverified domains, helping identify cloned authentication portals before credentials are entered.
Device Code Phishing
Helps detect abuse of OAuth device authentication flows (RFC 8628), where attackers socially engineer victims into authorizing attacker-controlled sessions using legitimate vendor authentication pages.
ConsentFix (OAuth Token Hijacking)
Helps detect attempts to paste OAuth authorization codes into credential fields on fraudulent login pages and blocks submission.
Browser-in-the-Browser (BitB)
Helps detect browser window spoofing techniques that simulate legitimate authentication pop-ups through deceptive DOM overlays.
Passkey Downgrade Detection
Helps detect attempts to redirect passkey-based authentication flows to password-based authentication on unverified hosts.
Typosquatting and Newly Registered Domains
Performs real-time brand similarity analysis and domain age evaluation against more than 500 known brands.
Fake Update and AI Lure Detection
Helps detect SocGholish-style fake browser update prompts and phishing pages impersonating AI services, particularly when combined with ClickFix social engineering techniques.
How It Works
PhishWatch monitors navigation events and evaluates browser mechanics rather than relying on blocklists or visual page appearance. Detection is event-driven and activates only when meaningful risk indicators are present. Normal browsing continues without interruption.
When a risk is detected, PhishWatch presents a clear, explainable warning describing the specific mechanical reason for the alert. Users always retain the option to proceed.
Privacy by Design
Most detection runs entirely on the user's device. Cloud-based risk scoring may be triggered when local signals indicate a potential threat.
When a cloud check is performed, only the domain name and sanitized signal metadata are transmitted.
PhishWatch never transmits:
For Managed Service Providers
PhishWatch can be deployed through Chrome managed policies and integrates with Google Admin Console, Microsoft Intune, Group Policy, and leading RMM platforms including NinjaOne, Datto, and ConnectWise.
Features include:
Designed for Transparency
Privacy Policy: https://phishwatch.io/privacy
MSP Pilot Program: https://phishwatch.io/pilot
Website: https://phishwatch.io
PhishWatch helps detect browser-native phishing attacks that bypass email filters because these attacks do not activate until after delivery, inside your browser.
Modern phishing no longer requires suspicious-looking domains. Attackers increasingly use legitimate cloud infrastructure, AI-generated content, and browser-native techniques to steal credentials. With 82% of detections now malware-free (CrowdStrike 2026) and ClickFix identified as a leading initial access technique (Microsoft 2025), the attack surface has shifted from the inbox to the browser. PhishWatch operates at this critical layer, where phishing attacks must execute to succeed.
What PhishWatch Detects
ClickFix (Windows, macOS, and FileFix)
Helps detect social engineering attacks that trick users into copying and executing malicious commands disguised as verification steps, system fixes, or troubleshooting actions. Includes UNC path and File Explorer address-bar variants. Clipboard inspection occurs locally and is never transmitted.
Adversary-in-the-Middle (AiTM)
Helps identify credential-flow mismatches associated with reverse-proxy phishing attacks that relay credentials to legitimate services in real time, harvest session cookies, and bypass MFA protections. Includes WebSocket relay variants used by Tycoon 2FA.
Identity Provider Clone Detection
Helps detect login pages whose structure closely matches Microsoft or Google sign-in pages but are hosted on unverified domains, helping identify cloned authentication portals before credentials are entered.
Device Code Phishing
Helps detect abuse of OAuth device authentication flows (RFC 8628), where attackers socially engineer victims into authorizing attacker-controlled sessions using legitimate vendor authentication pages.
ConsentFix (OAuth Token Hijacking)
Helps detect attempts to paste OAuth authorization codes into credential fields on fraudulent login pages and blocks submission.
Browser-in-the-Browser (BitB)
Helps detect browser window spoofing techniques that simulate legitimate authentication pop-ups through deceptive DOM overlays.
Passkey Downgrade Detection
Helps detect attempts to redirect passkey-based authentication flows to password-based authentication on unverified hosts.
Typosquatting and Newly Registered Domains
Performs real-time brand similarity analysis and domain age evaluation against more than 500 known brands.
Fake Update and AI Lure Detection
Helps detect SocGholish-style fake browser update prompts and phishing pages impersonating AI services, particularly when combined with ClickFix social engineering techniques.
How It Works
PhishWatch monitors navigation events and evaluates browser mechanics rather than relying on blocklists or visual page appearance. Detection is event-driven and activates only when meaningful risk indicators are present. Normal browsing continues without interruption.
When a risk is detected, PhishWatch presents a clear, explainable warning describing the specific mechanical reason for the alert. Users always retain the option to proceed.
Privacy by Design
Most detection runs entirely on the user's device. Cloud-based risk scoring may be triggered when local signals indicate a potential threat.
When a cloud check is performed, only the domain name and sanitized signal metadata are transmitted.
PhishWatch never transmits:
- Clipboard contents
- Page content or DOM data
- Form fields
- Passwords
- Cookies
- Session tokens
- Browsing history
- Personal identifiers
For Managed Service Providers
PhishWatch can be deployed through Chrome managed policies and integrates with Google Admin Console, Microsoft Intune, Group Policy, and leading RMM platforms including NinjaOne, Datto, and ConnectWise.
Features include:
- GDPR Article 28 documentation
- NIS2 Article 21 mapping support
- Frankfurt-hosted infrastructure
- 30-day pilot programs for DACH-based MSPs
Designed for Transparency
- Built on Chrome Manifest V3
- No eval() usage or dynamic script injection
- Deterministic and explainable detections
- Fail-open design: uncertainty never blocks navigation
- All warnings can be overridden by the user
Privacy Policy: https://phishwatch.io/privacy
MSP Pilot Program: https://phishwatch.io/pilot
Website: https://phishwatch.io
Ocenione na 0 przez 0 recenzentów
Uprawnienia i dane
Wymagane uprawnienia:
- Mieć dostęp do danych użytkownika na wszystkich stronach
Opcjonalne uprawnienia:
- Mieć dostęp do danych użytkownika na stronie „api.phishwatch.io”
Zbieranie danych:
- Autorzy tego rozszerzenia twierdzą, że nie wymaga ono zbierania danych.
Więcej informacji
- Odnośniki dodatku
- Wersja
- 3.3.15
- Rozmiar
- 236,39 KB
- Ostatnia aktualizacja
- 5 dni temu (22 cze 2026)
- Powiązane kategorie
- Licencja
- Wszelkie prawa zastrzeżone
- Prywatność
- Zasady ochrony prywatności tego dodatku
- Historia wersji
- Dodaj do kolekcji