Professional services firms have become prime hunting grounds for AI-powered attackers seeking high-value data that commands premium prices on criminal markets. Law firms hold merger details worth millions in insider trading opportunities, accounting practices store tax records containing complete financial profiles of wealthy individuals and corporations, and consulting firms possess strategic plans that competitors would pay handsomely to acquire. (Source: BleepingComputer)
The data these firms protect extends far beyond their own operations. Client files containing privileged attorney communications, audit workpapers with unreleased financial statements, and consulting deliverables outlining market expansion strategies represent intellectual property that attackers can monetize through corporate espionage, blackmail, or direct sale to nation-state actors. A single compromised partner account at a major firm provides access to hundreds of client environments through legitimate business relationships and trusted vendor connections.
Financial records present particularly attractive targets. Tax preparation files contain social security numbers, bank account details, investment portfolios, and income documentation that enable identity theft at scale. Audit files reveal undisclosed liabilities, pending litigation, and internal control weaknesses that short sellers exploit for profit. Even routine bookkeeping data exposes vendor payment schedules, customer lists, and pricing models that competitors use to undercut bids and poach clients.
45% of employees are now regular AI users on corporate devices, with 67% using non-corporate accounts
The credential repositories maintained by professional firms multiply the damage potential. Single sign-on tokens for client portals, VPN certificates for remote access, and service account passwords for automated processes turn one breach into dozens. Attackers leverage these legitimate credentials to move laterally through client networks without triggering security alerts, as the connections appear to originate from trusted business partners.
AI fundamentally changes how attackers craft these campaigns against professional services targets. Phishing kits are forked, modified, and brought to market faster than ever, with attackers using AI to multiply their output in creating and iterating PhaaS tools. The verbose comments observed in page code from tools like Doko's Panel demonstrate clear indicators of AI-assisted development, allowing criminals to rapidly evolve techniques.
The sophistication shows in execution. Attackers now generate client-specific lures that reference actual case numbers, ongoing transactions, and recent communications scraped from compromised email accounts or public filings. AI analyzes writing patterns from legitimate firm communications to craft messages that match internal terminology, formatting conventions, and signature blocks. These campaigns arrive through multiple channels simultaneously - malvertising in search results, social media messages, and SEO-poisoned articles about regulatory changes.
Device code phishing, which abuses legitimate OAuth flows to bypass MFA and passkeys entirely, has evolved from research curiosity to industrialized offering with more than 18 kits actively tracked. The convergence of AitM and device code kits into single platforms demonstrates heavy AI use in development, creating attacks that operate entirely inside browser sessions without touching endpoints where traditional security tools operate.
The speed of infrastructure rotation compounds detection challenges. According to Spamhaus data, 89% of phishing domains remain active for fewer than two days. Attackers deploy convincing pages to fresh domains, claim victims, and rotate infrastructure before reputation services flag them. For organizations relying on blocklists and IOC feeds, every phishing attack effectively becomes a zero-day event.
The Attack Chain: From Fake Installers to Credential Theft
The modern attack chain begins where employees least expect it: in their search results. ClickFix campaigns deliver 80% of their payloads through search engine results rather than email, exploiting the trust users place in top-ranked pages. Attackers purchase ads targeting searches for common software updates, browser fixes, and productivity tools that professional services firms regularly need.
When victims click these poisoned search results, they encounter pages that mirror legitimate vendor sites with uncanny accuracy. The InstallFix variant specifically targets users searching for software installers, presenting fake download buttons that deliver malicious PowerShell scripts disguised as installation packages. These scripts execute directly in memory without touching disk, bypassing traditional endpoint detection.
The sophistication becomes apparent in the credential harvesting phase. ConsentFix techniques abuse legitimate OAuth flows to request broad permissions that victims perceive as normal authentication prompts. The malicious pages present what appears to be a standard Microsoft or Google login screen, but the underlying mechanics capture not just passwords but complete session tokens that bypass multi-factor authentication entirely.
Doko's Panel and its derivatives represent the industrialization of this attack chain. These platforms provide attackers with turnkey infrastructure for managing campaigns at scale. The panels include built-in evasion techniques, automated victim tracking, and real-time credential validation. Comments embedded in the page code reveal extensive AI assistance in development, with verbose explanations that suggest automated code generation rather than manual programming.
Once credentials are harvested, the attack pivots to lateral movement through a technique researchers have labeled LLMShare. Attackers abuse legitimate AI chat sharing functionality to host and distribute malicious links that appear to originate from trusted platforms like chatgpt.com. These links bypass URL filters because they use legitimate domains, and the sharing mechanism provides perfect cover for command-and-control communications.
The PhaaS (Phishing-as-a-Service) ecosystem enables even unsophisticated actors to execute these complex chains. Platforms offer subscription models where attackers rent access to pre-built infrastructure, complete with hosting, domain rotation, and payload delivery mechanisms. The convergence of AitM (Adversary-in-the-Middle) and device code phishing into unified platforms means attackers can switch techniques based on target defenses.
BlackFile operations demonstrate the efficiency of this industrialized approach. Their campaigns rotate infrastructure every few hours, with domains active for less than two days before abandonment. Each iteration uses slightly modified page structures and delivery mechanisms, ensuring that signature-based detection remains perpetually behind.
ShinyHunters takes this further by chaining compromised OAuth integrations from one victim to infiltrate connected organizations. Their campaigns against Salesloft Drift and Gainsight showed how a single compromised third-party integration becomes an entry point into dozens of downstream targets. The Vercel breach exemplified this pattern when attackers used a compromised AI SaaS provider's OAuth token to access corporate Google Workspace tenants.
The entire chain operates within browser sessions, never requiring traditional malware installation. Scripts execute in browser memory, credentials transmit through encrypted channels, and persistence mechanisms rely on OAuth tokens rather than system modifications. This browser-native approach means that endpoint protection, network monitoring, and email gateways all miss critical stages of the attack.
[Figure: Modern Attack Chain: From Search to Compromise]
Detection and Immediate Response for Professional Services Organizations
Professional services organizations face an urgent detection challenge: 89% of phishing domains remain active for fewer than two days, according to Spamhaus data, meaning every attack effectively operates as a zero-day threat. Your traditional security stack cannot keep pace with AI-accelerated infrastructure rotation, where attackers generate convincing phishing pages in minutes and abandon them before reputation services flag the domains.
The immediate priority is gaining visibility into browser sessions where device code phishing and ConsentFix attacks execute without touching your endpoints. These techniques abuse legitimate OAuth flows to bypass MFA and passkeys entirely, with more than 18 active kits tracked in the wild targeting professional services credentials.
Immediate Actions (Execute Today):
- Audit all browser extensions across your fleet for permissions that access browsing context or clipboard data - 17 AI browser extensions operate in the average organization without security review
- Review OAuth consent grants in Microsoft 365 and Google Workspace admin consoles, specifically checking for third-party AI agents with broad read/write scopes
- Enable prompt logging on enterprise AI platforms including Claude, ChatGPT Enterprise, Microsoft Copilot, and Gemini for Workspace to capture data exfiltration attempts
- Configure your SIEM to ingest browser telemetry including credential reuse events, extension installations, and OAuth consent flows rather than just policy violations
Your detection strategy must account for LLMShare campaigns that weaponize legitimate AI chat sharing functionality. Attackers host malicious links through chatgpt.com sharing features, creating malvertising campaigns that appear legitimate even to trained security teams examining the URL structure.
Short-Term Priorities (This Week):
- Deploy browser-layer detection that analyzes page behavior and script execution rather than matching domains against threat feeds
- Implement controls that enforce corporate AI tenant usage - 38% of file uploads to AI tools occur through personal shadow accounts according to Push Security telemetry
- Configure DLP patterns to block clipboard pastes containing client matter numbers, tax identification numbers, or audit workpaper references
- Establish monitoring for MCP (Model Context Protocol) connections that create persistent, permissioned access to organizational data
The Vercel breach demonstrates the convergence of these threats: a compromised third-party AI provider's OAuth integration became the entry point into corporate Google Workspace tenants. Your response framework must address both the AI tools employees adopt and the AI-powered attacks targeting those same tools.
Long-Term Implementation (This Month):
- Deploy browser-based threat detection platforms that capture telemetry for permitted events, not just violations - gradual behavior shifts before insider threats often appear normal initially
- Establish real-time blocking for file uploads and downloads based on content inspection rather than file names or extensions
- Create custom YAML detection rules targeting specific DOM elements, web requests, and HTTP headers including session cookies
- Implement an agentic detection pipeline that continuously hunts across your environment for emerging threats without waiting for signature updates
Professional services firms cannot treat AI governance and attack detection as separate initiatives. The browser layer where employees paste client data into ChatGPT is the same layer where ShinyHunters campaigns harvest credentials through Salesloft Drift and Gainsight integrations. A unified browser security platform provides the telemetry to detect both shadow AI usage and the attacks that exploit it.
Why Traditional Endpoint Security Misses These Attacks
Traditional endpoint security operates on a fundamental assumption that no longer holds: that threats must touch the disk or execute code on the device to compromise an organization. Modern browser-based attacks violate this assumption entirely, operating within the legitimate confines of web sessions where endpoint detection and response (EDR) tools have minimal visibility.
The architecture of endpoint protection creates blind spots that attackers deliberately exploit. EDR solutions monitor process creation, file system changes, registry modifications, and network connections at the operating system level. But when malicious activity occurs entirely within browser memory through JavaScript execution, these tools see nothing suspicious — just a browser doing what browsers do.
Consider how device code phishing operates: the entire authentication flow happens through legitimate Microsoft or Google OAuth endpoints. The endpoint sees only HTTPS traffic to trusted domains. No malware downloads. No suspicious processes spawn. No registry keys change. The attack completes entirely through API calls that mirror normal user authentication, leaving endpoint tools watching for threats that never materialize in their field of view.
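Because the endpoint sees nothing, the device code grant has to be found in identity provider sign-in logs. The following added example (not from the original article) flags recent device code sign-ins that have no baseline for that user and app or that come from an unmanaged device. The field names follow Microsoft Entra sign-in log exports; the records, the 30-day baseline and the 24-hour window are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records. Field names follow Microsoft Entra sign-in log
# exports; users, apps and addresses are invented for this example.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-02-20T07:30:00Z", "userPrincipalName": "room-kiosk@firm.example",
     "appDisplayName": "Conference Room Display", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.10", "deviceDetail": {"isManaged": True}},
    {"createdDateTime": "2025-03-10T08:00:00Z", "userPrincipalName": "room-kiosk@firm.example",
     "appDisplayName": "Conference Room Display", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.10", "deviceDetail": {"isManaged": True}},
    {"createdDateTime": "2025-03-10T10:14:00Z", "userPrincipalName": "partner@firm.example",
     "appDisplayName": "Document Portal", "authenticationProtocol": "oAuth2",
     "ipAddress": "198.51.100.22", "deviceDetail": {"isManaged": True}},
    {"createdDateTime": "2025-03-10T10:15:00Z", "userPrincipalName": "partner@firm.example",
     "appDisplayName": "Mail Client", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.77", "deviceDetail": {"isManaged": False}},
]
SAMPLE_NOW = datetime(2025, 3, 10, 12, 0, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse the UTC timestamp format used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage_device_code(signins, now, baseline_days=30, recent_hours=24):
    """Return recent device code sign-ins that deviate from the baseline."""
    recent_start = now - timedelta(hours=recent_hours)
    baseline_start = recent_start - timedelta(days=baseline_days)
    known = set()   # (user, app) pairs that used device code in the baseline
    recent = []
    for rec in signins:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue  # interactive and other grant types are out of scope here
        ts = parse_ts(rec["createdDateTime"])
        key = (rec["userPrincipalName"].lower(), rec["appDisplayName"])
        if baseline_start <= ts < recent_start:
            known.add(key)
        elif recent_start <= ts <= now:
            recent.append((ts, key, rec))

    findings = []
    for ts, key, rec in sorted(recent, key=lambda item: item[0]):
        reasons = []
        if key not in known:
            reasons.append("no prior device code sign-in for this user and app")
        if not rec.get("deviceDetail", {}).get("isManaged", False):
            reasons.append("unmanaged device")
        if reasons:
            findings.append({"user": key[0], "app": key[1], "time": rec["createdDateTime"],
                             "ip": rec.get("ipAddress"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage_device_code(SAMPLE_SIGNINS, SAMPLE_NOW):
        print(finding)
```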
The shift from file-based to script-based attacks compounds this visibility gap. Modern phishing kits execute malicious JavaScript directly in browser memory, manipulating DOM elements and stealing credentials without writing anything to disk. These scripts can capture keystrokes, exfiltrate form data, and redirect authentication tokens — all while appearing to endpoint security as standard browser behavior interacting with legitimate websites.
Signature-based detection faces an even more fundamental challenge: there's nothing to signature. When attackers host malicious content on legitimate platforms like chatgpt.com through LLMShare techniques, traditional security tools see only connections to trusted AI services. The malicious payload exists as a shared conversation link, indistinguishable from legitimate AI collaboration at the network and endpoint layers.
Professional services firms face unique vulnerabilities in this landscape. Partners and senior associates often operate with broad system privileges necessary for client work, making their accounts high-value targets. These users frequently access external portals, cloud applications, and client systems — legitimate activities that create noise where attacks hide. Security teams at these firms typically focus on protecting client data through encryption and access controls, not monitoring the nuanced behavioral patterns within browser sessions.
The resource constraints common in professional services amplify these risks. Many firms outsource IT management or rely on small internal teams focused on keeping systems operational rather than threat hunting. Without dedicated security operations centers or 24/7 monitoring, browser-based attacks can persist for days or weeks before discovery. By then, attackers have often established persistence through OAuth tokens that survive password resets and continue functioning even after the initial compromise vector is addressed.
Browser extensions present another detection challenge that endpoint tools cannot address. These extensions operate with permissions to read and modify web content, access clipboard data, and interact with cloud services. An AI extension that updates its permissions post-installation looks identical to a legitimate feature update from an endpoint perspective. Yet that permission expansion could grant access to every document viewed in the browser, every password entered, every client file accessed.
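The permission expansion described above can be caught by comparing an extension's manifest before and after an update. This added example (not from the original article) diffs two constructed manifest.json versions and reports newly granted high-risk permissions; the extension, its versions and the choice of which permissions count as high-risk are assumptions.

```python
# Host patterns that give an extension access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Extension API permissions treated as high-risk in this example (assumed list).
RISKY_APIS = {
    "clipboardRead": "reads clipboard contents",
    "cookies": "reads cookies, including session cookies",
    "webRequest": "observes web requests and their headers",
    "declarativeNetRequest": "can rewrite requests and headers",
    "scripting": "injects scripts into pages",
    "debugger": "attaches to tabs with debugger access",
}

# Constructed manifests for a hypothetical AI assistant extension.
MANIFEST_V1 = {
    "manifest_version": 3, "name": "Example AI Assistant", "version": "1.4.0",
    "permissions": ["storage", "activeTab"],
    "host_permissions": ["https://assistant.example/*"],
}
MANIFEST_V2 = {
    "manifest_version": 3, "name": "Example AI Assistant", "version": "1.5.0",
    "permissions": ["storage", "activeTab", "clipboardRead", "cookies"],
    "host_permissions": ["https://assistant.example/*", "<all_urls>"],
}


def granted(manifest):
    """Split a manifest into (API permissions, host patterns)."""
    apis = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    # Manifest V2 lists host patterns inside "permissions"; move them over.
    in_permissions = {p for p in apis if "://" in p or p == "<all_urls>"}
    return apis - in_permissions, hosts | in_permissions


def permission_expansion(old, new):
    """Return (kind, value, reason) for each high-risk grant added by the update."""
    old_apis, old_hosts = granted(old)
    new_apis, new_hosts = granted(new)
    findings = []
    for api in sorted(new_apis - old_apis):
        if api in RISKY_APIS:
            findings.append(("api", api, RISKY_APIS[api]))
    for host in sorted(new_hosts - old_hosts):
        if host in BROAD_HOSTS:
            findings.append(("host", host, "access to all sites"))
    return findings


if __name__ == "__main__":
    for kind, value, reason in permission_expansion(MANIFEST_V1, MANIFEST_V2):
        print(f"{MANIFEST_V2['name']} {MANIFEST_V1['version']} -> "
              f"{MANIFEST_V2['version']}: new {kind} permission {value} ({reason})")
```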
[Figure: Endpoint Security: Traditional vs Modern Browser Attacks]
Hardening Professional Firm Infrastructure Against Browser-Based Attacks
Professional services firms must implement browser-specific hardening measures that address the unique characteristics of OAuth-based attacks and AI agent infiltration. The convergence of device code phishing with AI-enabled attack automation demands infrastructure controls that operate at the browser layer, where 38% of file uploads to AI tools occur through personal shadow accounts rather than organizational ones.
Browser isolation provides the most comprehensive protection for partners and senior executives who regularly interact with external documents and untrusted sites. Deploy remote browser isolation (RBI) solutions that render web content in containerized environments, preventing malicious scripts from reaching the local browser instance. For cost-conscious deployments, implement application-based isolation using Windows Sandbox or Chrome Enterprise's Site Isolation feature, which confines high-risk browsing to memory-isolated processes.
Extension whitelisting requires enforcement mechanisms beyond group policy suggestions. Configure Chrome Enterprise or Edge for Business with the ExtensionInstallBlocklist policy set to * and explicit ExtensionInstallAllowlist entries for approved extensions. This prevents the 17 AI browser extensions that the average organization unknowingly hosts from collecting browsing context from internal applications. Deploy Microsoft Defender Application Guard or Bromium Secure Browser for users who require flexibility, creating isolated browser instances for unapproved extension testing.
The 45% of employees using AI on corporate devices need credential protection that specifically addresses OAuth consent flows. Windows Hello for Business with PIN complexity requirements prevents credential theft even when users approve malicious OAuth requests, as the biometric or PIN-protected credentials cannot be exported. For macOS environments, enforce Touch ID for all browser password autofill operations and configure Keychain Access to require authentication for OAuth token storage.
Network segmentation must account for browser-based lateral movement patterns. Create dedicated VLANs for workstations that regularly access AI tools, preventing compromised browser sessions from reaching critical infrastructure. Implement East-West segmentation using host-based firewalls that restrict browser processes from accessing local network resources beyond authenticated proxy servers. This containment strategy limits damage when AI agents with OAuth permissions attempt to bridge internal and external environments.
Prioritize implementation based on deployment complexity and security impact. Start with browser extension whitelisting through group policy—a configuration change requiring no additional software that immediately reduces your AI tool attack surface. Next, deploy Windows Hello or Touch ID for credential protection, leveraging existing hardware on modern workstations. Browser isolation follows as a medium-term project for high-risk users, while comprehensive network segmentation represents a strategic initiative requiring architectural planning.
These controls specifically counter the mechanics of modern browser-based attacks. Extension whitelisting blocks unauthorized AI tools from establishing OAuth connections. Credential guards prevent stolen tokens from being exported even after successful phishing. Browser isolation contains malicious scripts before they can initiate device code flows. Network segmentation limits the blast radius when AI agents with legitimate permissions become compromised. Together, these measures create defense-in-depth against attacks that traditional endpoint security cannot see.
If You've Been Compromised: Containment and Recovery
When breach indicators surface—OAuth tokens appearing in criminal forums, sensitive documents on paste sites, or alerts from Microsoft about suspicious consent grants to your tenant—every minute determines whether you contain a foothold or face widespread compromise. The convergence of AI-enabled attacks with shadow AI adoption means traditional incident response playbooks miss critical containment points where attackers maintain persistence through browser-stored credentials and OAuth refresh tokens.
Begin containment by immediately revoking all OAuth tokens and consent grants across your Microsoft 365, Google Workspace, and Salesforce environments. Access your admin console's OAuth management interface and terminate all third-party application permissions, particularly those granted to AI agents and browser extensions. The Vercel breach demonstrated how compromised OAuth integrations become persistent backdoors even after password resets, as refresh tokens continue providing access until explicitly revoked.
Force immediate reauthentication for all users who accessed AI tools in the past 72 hours. Your identity provider logs will show which accounts connected to ChatGPT, Claude, Gemini, or the 16 other AI applications typically present in professional environments. These users require priority password rotation because their browser sessions likely contain stored credentials that attackers harvest through memory scraping techniques embedded in malicious browser extensions.
Document collection must capture browser-specific artifacts before users clear their caches or restart their systems. Export browser history, stored passwords, extension manifests, and localStorage contents from affected machines. The verbose code comments that indicate AI-assisted development of phishing kits often persist in browser cache even after the attacker rotates infrastructure. Preserve these artifacts using forensic imaging tools that capture browser profile directories in their entirety, including SQLite databases containing session data.
Hunt for persistence mechanisms specific to browser-based compromises. Check for unauthorized browser extensions installed across your fleet, particularly those requesting permissions to read all website data or modify HTTP headers. Review OAuth audit logs for consent grants with broad scopes like email access or file manipulation—these indicate potential device code phishing success where attackers obtained persistent access without stealing passwords.
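The consent grant review described here and in the containment steps above can be scripted over an export of delegated grants. This added example (not from the original article) triages records shaped like Microsoft Graph oauth2PermissionGrant objects; the grant records, client identifiers, the approved-client list and the set of scopes treated as broad are constructed assumptions.

```python
# Delegated Microsoft Graph scopes treated as broad in this example (assumed list).
BROAD_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All", "Sites.ReadWrite.All",
}

# Hypothetical allowlist of client identifiers the firm has reviewed.
APPROVED_CLIENTS = {"approved-dms-client"}

# Constructed export. Real clientId and principalId values are GUIDs;
# readable placeholders are used here.
SAMPLE_GRANTS = [
    {"id": "g1", "clientId": "approved-dms-client", "consentType": "AllPrincipals",
     "principalId": None, "scope": "Files.ReadWrite.All offline_access"},
    {"id": "g2", "clientId": "unknown-ai-notes", "consentType": "Principal",
     "principalId": "user-0042", "scope": " Mail.Read Files.Read.All offline_access"},
    {"id": "g3", "clientId": "unknown-calendar-helper", "consentType": "Principal",
     "principalId": "user-0017", "scope": "openid profile Calendars.Read"},
    {"id": "g4", "clientId": "unknown-ai-agent", "consentType": "AllPrincipals",
     "principalId": None, "scope": "Mail.ReadWrite Sites.ReadWrite.All"},
]


def triage_grants(grants, approved_clients):
    """Return unapproved grants that carry broad scopes, highest priority first."""
    findings = []
    for grant in grants:
        if grant["clientId"] in approved_clients:
            continue
        scopes = set(grant.get("scope", "").split())  # scope is space-separated
        broad = sorted(scopes & BROAD_SCOPES)
        if not broad:
            continue
        findings.append({
            "grant_id": grant["id"],
            "client_id": grant["clientId"],
            # AllPrincipals means the grant applies to every user in the tenant.
            "tenant_wide": grant.get("consentType") == "AllPrincipals",
            "principal": grant.get("principalId"),
            "broad_scopes": broad,
            # offline_access yields a refresh token, which outlives a password reset.
            "refresh_token": "offline_access" in scopes,
        })
    # Tenant-wide grants first, then those with the most broad scopes.
    findings.sort(key=lambda f: (not f["tenant_wide"], -len(f["broad_scopes"]), f["grant_id"]))
    return findings


if __name__ == "__main__":
    for finding in triage_grants(SAMPLE_GRANTS, APPROVED_CLIENTS):
        print(finding)
```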
Search for indicators of data staging and exfiltration through AI platforms. Your proxy logs should reveal uploads to AI tools from compromised accounts, particularly large file transfers or repeated clipboard operations captured by DLP sensors. The 38% of AI tool uploads occurring through personal accounts means checking both corporate and shadow IT channels for sensitive data movement.
Legal notification requirements for professional services firms trigger immediately upon confirming client data exposure. Document which client matters were accessed based on SharePoint audit logs, email folder access patterns, and document management system queries. Your incident response retainer should include specialized counsel familiar with attorney-client privilege implications and regulatory reporting obligations across multiple jurisdictions.
Engage law enforcement when you identify connections to known threat actors or discover your data advertised on criminal forums. The FBI's IC3 portal accepts detailed technical submissions about browser-based attacks, while Secret Service field offices investigate financial crimes involving stolen credentials. Provide them with preserved browser artifacts, OAuth token samples, and any malicious JavaScript recovered from phishing pages—evidence that helps attribute attacks to specific PhaaS operators.