PhishWatch

Detects browser-native phishing attacks like ConsentFix, ClickFix, and Browser-in-the-Browser that bypass traditional security.

# PhishWatch PhishWatch helps detect browser-native phishing attacks that bypass email filters because these attacks do not activate until after delivery, inside your browser. Modern phishing no longer requires suspicious-looking domains. Attackers increasingly use legitimate cloud infrastructure, AI-generated content, and browser-native techniques to steal credentials. With 82% of detections now malware-free (CrowdStrike 2026) and ClickFix identified as a leading initial access technique (Microsoft 2025), the attack surface has shifted from the inbox to the browser. PhishWatch operates at this critical layer, where phishing attacks must execute to succeed. ## What PhishWatch Detects ### ClickFix (Windows, macOS, and FileFix) Helps detect social engineering attacks that trick users into copying and executing malicious commands disguised as verification steps, system fixes, or troubleshooting actions. Includes UNC path and File Explorer address-bar variants. Clipboard inspection occurs locally and is never transmitted. ### Adversary-in-the-Middle (AiTM) Helps identify credential-flow mismatches associated with reverse-proxy phishing attacks that relay credentials to legitimate services in real time, harvest session cookies, and bypass MFA protections. Includes WebSocket relay variants used by Tycoon 2FA. ### Identity Provider Clone Detection Helps detect login pages whose structure closely matches Microsoft or Google sign-in pages but are hosted on unverified domains, helping identify cloned authentication portals before credentials are entered. ### Device Code Phishing Helps detect abuse of OAuth device authentication flows (RFC 8628), where attackers socially engineer victims into authorizing attacker-controlled sessions using legitimate vendor authentication pages. ### ConsentFix (OAuth Token Hijacking) Helps detect attempts to paste OAuth authorization codes into credential fields on fraudulent login pages and blocks submission. ### Browser-in-the-Browser (BitB) Helps detect browser window spoofing techniques that simulate legitimate authentication pop-ups through deceptive DOM overlays. ### Passkey Downgrade Detection Helps detect attempts to redirect passkey-based authentication flows to password-based authentication on unverified hosts. ### Typosquatting and Newly Registered Domains Performs real-time brand similarity analysis and domain age evaluation against more than 500 known brands. ### Fake Update and AI Lure Detection Helps detect SocGholish-style fake browser update prompts and phishing pages impersonating AI services, particularly when combined with ClickFix social engineering techniques. ## How It Works PhishWatch monitors navigation events and evaluates browser mechanics rather than relying on blocklists or visual page appearance. Detection is event-driven and activates only when meaningful risk indicators are present. Normal browsing continues without interruption. When a risk is detected, PhishWatch presents a clear, explainable warning describing the specific mechanical reason for the alert. Users always retain the option to proceed. ## Privacy by Design Most detection runs entirely on the user's device. Cloud-based risk scoring may be triggered when local signals indicate a potential threat. When a cloud check is performed, only the domain name and sanitized signal metadata are transmitted. PhishWatch never transmits: * Clipboard contents * Page content or DOM data * Form fields * Passwords * Cookies * Session tokens * Browsing history * Personal identifiers ## For Managed Service Providers PhishWatch can be deployed through Chrome managed policies and integrates with Google Admin Console, Microsoft Intune, Group Policy, and leading RMM platforms including NinjaOne, Datto, and ConnectWise. Features include: * GDPR Article 28 documentation * NIS2 Article 21 mapping support * Frankfurt-hosted infrastructure * 30-day pilot programs for DACH-based MSPs ## Designed for Transparency * Built on Chrome Manifest V3 * No eval() usage or dynamic script injection * Deterministic and explainable detections * Fail-open design: uncertainty never blocks navigation * All warnings can be overridden by the user Privacy Policy: https://phishwatch.io/privacy MSP Pilot Program: https://phishwatch.io/pilot Website: https://phishwatch.io