Open Microsoft Edge today and there will be a little Copilot icon waiting for you in the corner. When you click it, your browser can summarize a page, translate a paragraph or write an email.
Google is adding similar capabilities to Chrome with Gemini, while lesser-known versions, Arc and Dia, are developing models that can read, reason and act for users. This marks a new chapter for agent AI-powered browsers.
These tools turn your browser into a smart assistant. But when we read that beautiful passage about the assistant coming back to us, something else may be happening that we don’t see. A hidden text, image tag or advertisement can contain instructions that the AI follows by silently sending identifying information or downloading malicious files.
Comfort comes before control
As with many user-friendly technological developments, convenience trumps control. The web browser that simplifies our daily routine can also work against us.
It’s worth thinking about how common agent browsers are becoming. These are browsers with comprehensive language design guides that can interpret and respond to web content. They offer advanced summarization and translation, advanced search and workflow automation right in the browser.
Microsoft Edge Copilot is already known. The Copilot Vision feature examines the user’s screen, scans and analyzes its content and makes suggestions.
Google integrated Gemini into Chrome, while ARC introduced a Find Me feature that searches the web, reads multiple pages and “creates the perfect tab”. This is a feature of ARC Search that the company says is still in its early stages.
Earlier this year, Brave announced its Brave Search API with ‘AI Grounding’, a feature aimed at reducing hallucinations.
As these tools become more common, new functions appear more and more. Microsoft Edge’s October 2025 beta update, which added tabs for search and desktop images, is just one recent example.
Why AI-Powered Browsers Could Put Businesses at Risk
Many features in browsers with Agent AI appeal to managers who want greater efficiency, reduced staffing and faster search capabilities.
The problem is that the deployment of AI agent browsers will accelerate and security concerns will be postponed, a pattern familiar from the IoT, the cloud, and previous technology cycles where adoption has overtaken security.
This approach leaves organizations unprotected. Agent models give browsers a high degree of agency: the ability to make decisions and act on behalf of the user.
These browsers provide coverage across all domains: email, cloud storage, SaaS applications and local files. Every new feature carries the risk of abuse.
How attackers can use proxy browsers
How can this happen? For example, this can start when a user visits a regular website. The website may contain advertisements or content from third parties. The user activates the browser’s built-in artificial intelligence assistant to summarize the article or explain the content of the page.
This interaction ensures that the large language model behind the browser reads and interprets all available content.
What the user doesn’t realize is that an attacker has inserted invisible text or metadata into the page. This may include white-on-white text, hidden HTML headers, cookies, advertising code or code embedded in an image. Invisible to the human eye, this is just additional data for the AI model.
This hidden text or code can tell the model to access the user’s email, write an email, and send the session token or password to a specific address.
Theft of credentials and data without leaving a trace
Based on these instructions, the model performs authentication tasks, data exfiltration, or file execution on behalf of the attacker.
If a user has administrative rights, the specified command can go further, such as downloading a file, renaming it, and then running it. This instantly integrates the endpoint into a botnet or opens it to remote control.
This poses a significant threat because it shows no obvious signs of compromise: no PowerShell, no malware binaries, no exploit chains.
Endpoint Detection and Response Technology (EDR) or antivirus software thinks everything is legitimate, and even the website owner may not know that malware has been spread through their ad network.
Even advertising platforms often do not realize this, because there is no obfuscated code or signature. These types of attacks are worrying and far from hypothetical. For example, Brave Software claims to have found similar rapid injection vulnerabilities in Perplexity AI and Fellou.
Behavioral analysis gathers clues
While there appears to be a significant gap in detecting these threats, the good news is that there are behavioral consequences that, when linked together, reveal a trade-off.
Signs include users sending messages that have never been sent before, large or untagged files being downloaded, new lines appearing in the inbox, and plain text passwords appearing in outgoing emails.
Behavioral analytics solutions capture these indicators in minutes. proof of concept can be reproduced in the laboratory. But many Security Operations Centers (SOCs) are still catching up.
Because of their potential severity, it is necessary to respond quickly to these threats. AI assistants can act maliciously against multiple identities and systems simultaneously, making it difficult for teams to determine who is responsible for an AI-initiated action.
There is a constant risk of employees using unproven AI add-ons and personal co-pilots in their work. Developers can also use agent CLIs in their work, increasing the risk of importing compromised packages.
Managed SOC support for small organizations
Smaller organizations will almost certainly need managed SOC support to counter these threats. Detection and control must shift from signature-based detection to behavior-based detection.
Teams need tools to catch extractions and must be able to correlate anomalies. It takes planning to automate containment. Considering the human factor, it is important that companies define a policy for the use of AI and define approved browsers and extensions.
Developers, whether they like it or not, must be monitored to enforce signed packages and private registries.
We are now in the era of agent browsers and they will prove to be extremely valuable tools. However, in light of these emerging threats, implementation must be disciplined and accompanied by a significant change in security strategy.
Control, enhanced monitoring and behavioral analytics are needed to maximize safety, productivity and creativity.