Menlo Security's 2026 Browser Threat Report Finds 1 in 5 Enterprise Phishing Attacks Go Completely Undetected by the Security Tools Built to Stop Them

MOUNTAIN VIEW, Calif.,--(BUSINESS WIRE)--Menlo Security, the leader Browser Security for human and agentic workforces, today released its 2026 State of Browser Security Threat Report: Evasive Threats, Zero-Day Lures, and the New Browser-First Kill Chain. Based on platform telemetry across millions of active browser sessions in enterprise customer environments from January 1 through March 31, 2026, the report documents a fundamental and largely unaddressed shift in how sophisticated threat actors gain entry to enterprise environments: through the browser session layer that most enterprise security stacks were never built to see.

In February 2026, a user at a 60,000-employee integrated health system clicked a link to what appeared to be an Adobe secure document portal. The domain was clean. Zero vendors on VirusTotal flagged it as malicious at time of click. Every reputation-based tool in the existing security stack saw nothing wrong. This is not an edge case. It is what happens when security architecture built around domain reputation encounters attacks engineered to abuse trusted infrastructure. The same gap that allowed this attack is present in most enterprise environments today. Menlo’s platform blocked the download before it executed, not because the domain was flagged, but because it analyzed what the page was attempting to do in real time.

Key findings from the 2026 State of Browser Security Threat Report include:

• 4,937 zero-day attacks blocked before reputation filters became aware they existed. This highlights a structural problem with local browser security models, with total enterprise exposure window being 6 days minimum and up to weeks depending on patch deployment velocity,
• 1 in 3 highly evasive threats originate from sites already classified as 'safe.' Menlo blocked 52,185 threats hosted on domains its customers' security stacks were already configured to trust including Google Drive, Dropbox, SharePoint, and similar platforms.
• 1 in 5 phishing links actively clicked by users goes completely undetected by legacy URL filtering. The attack is happening; the tool doesn't know.
• 25% of exploitable files disarmed were identified from password protected files. Of 433,314 exploitable files disarmed, 110,357 were concealed behind password protection: a deliberate evasion technique that defeats most automated scanning tools, which cannot inspect encrypted content without the key.
• 115,842 evasive phishing attacks identified across active campaigns, each purpose-built to bypass detection. Using techniques like CAPTCHA abuse, TDS redirection, HTML smuggling, and brand impersonation, every one of these attacks was specifically engineered to pass reputation-based filters — and every one arrived through a browser session.

“The tools most enterprises rely on are performing exactly as designed. That is the problem. None of them were built to operate at the browser session layer, and that is precisely where attackers have learned to live,” said Bill Robbins, CEO of Menlo Security. “In Q1 2026, Menlo blocked thousands of zero-day attacks that arrived during the window between a vulnerability being discovered and a patch reaching enterprise endpoints. That window is not a process failure. It is an architectural feature of any security model that executes code locally. This report exists to map the gap and show what closing it actually looks like.”

The 2026 threat landscape calls for securing the browser session layer, where encrypted traffic executes, credentials are entered, sensitive data moves, and every attack technique documented in this report originates. Enterprises that govern this layer will be positioned to protect both their workforce and the AI agent sessions already operating in their environments by default. Those that don't will continue relying on tools built for a threat model attackers have moved on from.

Menlo Security’s 2026 State of Browser Security Threat Report is available now here.

About Menlo Security

Menlo Security is the pioneer of the Browser Security Platform, the industry’s first infrastructure designed to govern a hybrid workforce of humans and autonomous AI agents. By centering the browser as the new enterprise operating system, Menlo provides a "Guardian Runtime" that resolves the unique risks created when AI agents operate at machine-speed without human skepticism. The Menlo platform enables the agentic enterprise to scale AI with confidence, providing universal connectivity to legacy data and unified zero-day threat prevention across every session. Trusted by over 1,000 global enterprises—including eight of the ten largest financial institutions and major government agencies—Menlo protects over 8 million users and millions of simultaneous AI agent sessions. Headquartered in Mountain View, California, and backed by investors including JPMorgan Chase, American Express Ventures, and Vista Equity Partners, Menlo is securing the browser for the agentic age. Learn more at www.menlosecurity.com.