Phishing defense that works at the point of click
HijackShield detects and blocks every major phishing technique in the browser — before credentials are entered, before malware downloads, before damage is done. When a user reports a phishing email, every copy is purged from every mailbox in under 6 minutes.
Email filters miss. Phishing lands. Then what?
Every email gateway misses phishing. Modern PhaaS kits evade sandboxes with VM detection, CAPTCHA gates, and anti-debugger traps. BEC emails from compromised trusted senders bypass filters entirely. By the time the SOC finds the threat, users have already clicked.
Headline figures whose values did not survive extraction: the share of breaches that start with a phishing email that bypassed email security; the typical time for a SOC to manually find and purge phishing emails from all mailboxes; and HijackShield's automated remediation time from user report to tenant-wide purge.
Real users on real machines defeat evasion
Email gateways analyze URLs in sandboxes. Phishing kits detect sandboxes and show clean pages. HijackShield runs in the user's actual browser on their actual endpoint — the kit's evasion defenses see a real user and present the real phishing page.
Two outcomes, both wins: either the phishing page renders and HijackShield blocks it instantly, or the kit exits early and the user never sees a threat. The evasion techniques that defeat email gateways are irrelevant at the browser layer.
For BEC attacks, HijackShield evaluates the page the link points to — not the email that delivered it. Sender reputation, inbox rules, Exchange whitelists — none of it matters. A phishing page is a phishing page regardless of who sent the link.
HijackShield vs. email gateways
Two components. Entirely local detection.
No cloud dependency for protection. No latency. No data leaving the device for the scoring decision.
Chrome extension scans every page
Analyzes the live DOM for phishing signals — login forms, brand impersonation, credential harvesting, OAuth abuse, phishing kit fingerprints — in real time.
Local agent scores and decides
The Go agent runs the ML model and heuristic engine on-device. BLOCK, WARN, or ALLOW in milliseconds. The user never sees the phishing page.
Sentinel receives structured telemetry
Every detection and phishing report flows into Microsoft Sentinel with full context — device identity, detection tags, email metadata — for automated response.
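As an added illustration of the browser-layer scoring described above (not HijackShield's own code), the scorer below takes a page snapshot such as a content script could collect from the live DOM and returns BLOCK, WARN or ALLOW; the signal weights, thresholds and brand-domain table are assumptions for this example.

```javascript
// Added illustration, not HijackShield code. Scores a page snapshot (as a
// content script could collect from the live DOM); weights, thresholds and
// the brand table are assumptions for this example.
const BRAND_DOMAINS = {
  microsoft: ['microsoft.com', 'microsoftonline.com', 'live.com', 'office.com'],
  google: ['google.com'],
  okta: ['okta.com'],
};

const hostMatches = (host, d) => host === d || host.endsWith('.' + d);

// Returns { verdict, score, signals }; verdict is BLOCK, WARN or ALLOW.
function scoreSnapshot(snap) {
  const host = snap.hostname.toLowerCase();
  const text = `${snap.title} ${snap.bodyText}`.toLowerCase();
  const signals = [];
  let score = 0;
  const credForms = snap.forms.filter(f => f.hasPassword);
  if (credForms.length) { score += 2; signals.push('password-form'); }

  // Brand name on a credential page whose host is not that brand's own.
  for (const [brand, domains] of Object.entries(BRAND_DOMAINS)) {
    if (credForms.length && text.includes(brand) &&
        !domains.some(d => hostMatches(host, d))) {
      score += 4; signals.push(`brand-mismatch:${brand}`);
    }
  }

  // Credential form posting to a different host than the page itself.
  for (const f of credForms) {
    const target = new URL(f.action || '/', `https://${host}/`).hostname;
    if (target !== host) { score += 3; signals.push('cross-origin-post'); }
  }

  // Hidden iframes are a common credential-harvesting container.
  if (snap.iframes.some(i => i.hidden)) { score += 2; signals.push('hidden-iframe'); }

  const verdict = score >= 6 ? 'BLOCK' : score >= 3 ? 'WARN' : 'ALLOW';
  return { verdict, score, signals };
}

// Constructed sample: lookalike Microsoft login posting to a collector host.
const SAMPLE_PHISH = {
  hostname: 'login-microsoft-verify.example',
  title: 'Sign in to your Microsoft account', bodyText: 'Enter your password',
  forms: [{ action: 'https://collector.example/post', hasPassword: true }],
  iframes: [{ src: 'https://collector.example/k', hidden: true }],
};
console.log(scoreSnapshot(SAMPLE_PHISH)); // verdict BLOCK, score 11
```

A real extension would also have to rate-limit and de-duplicate verdicts per tab, and the weights would come from the local model rather than constants.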
Every major phishing technique. Detected and blocked.
HijackShield detects and blocks every major phishing technique used in corporate attacks today — including the advanced proxy-based attacks that bypass MFA.
AiTM proxy attacks
Detects Evilginx2, EvilProxy, Tycoon2FA, Sneaky2FA, and Mamba2FA through URL pattern analysis, DOM fingerprinting, and behavioral signals.
Browser-in-the-Middle
Identifies remote desktop streaming attacks via noVNC and Apache Guacamole using a 6-tier weighted indicator system including VNC infrastructure detection.
Device code phishing
Catches OAuth 2.0 Device Authorization Grant abuse, cross-brand lures, and copy-paste instruction sequences targeting Microsoft authentication.
Brand impersonation
Purpose-built detection for Microsoft, Google, Okta, Meta, LinkedIn, and Amazon SSO impersonation with brand-specific DOM and asset analysis.
ClickFix attacks
Detects fake CAPTCHA pages that trick users into executing malicious PowerShell via Win+R, including clipboard manipulation and script pattern analysis.
Credential exfiltration
Real-time monitoring of credential theft via formjacking, keyloggers, hidden iframes, and cross-origin fetch/XHR interception.
Government impersonation
Covers 36 US agencies including state DMVs, toll systems, and federal agencies. Detects kit fingerprints, CMS clones, and payment urgency scams.
Fraudulent e-commerce
Identifies BogusBazaar and CajiPay card skimming operations with cross-origin iframe detection and payment platform mismatch analysis.
PhaaS kit fingerprinting
Identifies the specific phishing kit responsible — Tycoon2FA, Evilginx2, EvilnoVNC, BogusBazaar — giving SOC teams immediate attribution.
Report phishing. Every copy purged in 6 minutes.
When a user clicks "Report Phishing" on the HijackShield interstitial, the automated remediation pipeline searches every mailbox in the tenant and soft-deletes every copy of the phishing email. No analyst intervention. No manual Defender Threat Explorer searches.
Three-scenario intelligence
Every phishing report is auto-classified as External Phish, BEC Compromise, or Internal ATO — each triggers a different automated response.
BEC-safe purging
For known-sender BEC incidents, searches are scoped to sender AND subject — protecting legitimate past correspondence while eliminating the attack.
Internal ATO response
Internal sender incidents skip the automated purge and instead post investigation guidance: revoke sessions, reset the password, audit Entra sign-ins.
Self-documenting incidents
Every remediation run posts a formatted summary to the Sentinel incident: items found, items purged, affected mailboxes, and audit trail.
Dry run by default
Ships with Dry Run enabled. Validate the automation on real incidents before enabling live purge. Soft-delete only — nothing permanently removed.
Local detection. Cloud response.
Detection runs entirely on-device. Sentinel integration adds enterprise telemetry and automated remediation without creating a dependency on cloud availability.
No cloud dependency
Detection works offline, on VPN, behind firewalls. No latency, no privacy exposure, no single point of failure.
Resilient delivery
Events that fail to deliver to Sentinel are queued to disk and retried with exponential backoff for up to 24 hours.
Works with E3
Automated remediation uses Compliance Search — available with standard M365 E3 licensing. No Defender P2 upgrade required.
NRT analytics rules
Pre-built Sentinel rules fire on every new event with dynamic severity, entity mapping, and importable ARM templates.
Stop phishing at the point of click
Deploy HijackShield in minutes. Detect every major phishing technique. Automate tenant-wide remediation.