
GhostFrame represents a significant shift in phishing tactics, moving from static email lures to dynamic, browser-based attacks designed to evade traditional security controls. The framework uses hidden, rapidly rotating iframes to deliver credential harvesting, malware, and spoofed login portals while leaving the visible page unchanged. This allowed GhostFrame to launch over a million attacks while slipping past URL inspection, sandboxing, and reputation-based detections.
Organizations across every sector were at risk, particularly those that relied heavily on SaaS applications, cloud services, and browser-centric workflows. The consequences ranged from large-scale credential theft to difficult-to-trace intrusions that strained SOC workloads and complicated incident response.
GhostFrame highlights a growing reality: modern phishing campaigns now utilize the browser as their primary delivery vehicle, and traditional detection tools struggle to keep pace. Isolation architecture has emerged as one of the only reliable ways to neutralize these threats. By executing all web code in a cloud-based environment and delivering only a safe visual stream to the user, Menlo Security prevents GhostFrame-style attacks before they begin and strengthens defenses against the next generation of phishing frameworks.
Phishing hasn’t just evolved; it has industrialized. Attackers now utilize automated frameworks that scale quickly, adapt on the fly, and evade security controls more rapidly than most organizations can respond. GhostFrame is one of the clearest and most concerning examples: a campaign that built momentum quietly while slipping past defenses many companies still assume will keep them safe.
Browser-based attacks are rapidly becoming the preferred method for compromise, and this shift carries significant consequences for how we approach security. This breakdown walks through what happened with GhostFrame, why it worked, and what it signals for the threats ahead.
GhostFrame didn’t arrive quietly. Researchers at Barracuda uncovered the new phishing framework after noticing a surge of evasive attacks slipping past traditional email and web defenses. What they found was a purpose-built system that uses stealth iframe injection to hide malicious content beneath the surface of an otherwise ordinary page. This technique enables attackers to layer multiple payloads, rotate them in real time, and keep users unaware of what is actually executing in their browser. By the time the investigation concluded, GhostFrame had already been used in over a million phishing attempts.
Its scale isn’t the only concern. GhostFrame represents a clear evolution in Phishing-as-a-Service, where attackers no longer rely on crude imitation pages or static malicious links. Instead, they deploy infrastructure designed to evade detection at every step, exploiting the exact blind spots where traditional filters, URL scanners, and signature-based tools fall short. For security teams, the takeaway is straightforward: this campaign signals a shift toward browser-based attacks engineered to bypass the defenses most organizations still depend on.
GhostFrame’s power stems from its use of the browser itself as the delivery system. Instead of relying on a single malicious page or a static phishing link, the framework quietly loads multiple hidden iframes inside the webpage or email the victim opens. Each iframe acts as its own delivery channel, capable of serving different types of malicious content: a credential-harvesting form in one frame, malware in another, a spoofed login portal in a third, and even behavioral tracking in the background.
What makes this so effective is the way GhostFrame continually cycles and swaps the content inside those frames. Detection tools that look for a stable pattern or a fixed payload never see the full picture, because the page is constantly shifting behind the scenes. And since attackers can update those payloads in real time without changing anything the user can see, security controls are left analyzing a moving target. The result is a phishing infrastructure built to stay one step ahead of both defenders and their tools.
GhostFrame was so successful because it exploited gaps that most organizations overlook. Traditional URL inspection and sandboxing were built for static threats: a single page, a single payload, something that can be scanned, scored, and either allowed or blocked. GhostFrame’s layered, constantly rotating iframes break that model. By the time a sandbox captures one version of the page, the underlying content has already changed. Detection engines that rely on reputation scores or signatures often lack a stable sample to analyze, so nothing appears overtly malicious.
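The snapshot problem described above can be made concrete with a small defender-side heuristic. The following Python is an added example, not code from the article or from any vendor or research team: it parses several DOM captures of the same page, collects iframes that are hidden by attribute, zero size, or style, and flags the page when the visible text stays constant while the hidden iframe sources keep changing. The style fragments, size thresholds, and sample snapshots are constructed assumptions.

```python
from html.parser import HTMLParser

# Added example (not from the article): style fragments treated as "hidden".
HIDDEN_STYLE = ("display:none", "visibility:hidden", "opacity:0", "left:-")


class HiddenIframeCollector(HTMLParser):
    """Collects src values of hidden iframes plus the page's visible text."""

    def __init__(self):
        super().__init__()
        self.hidden, self.text = [], []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "").lower() for k, v in attrs}
        style = a.get("style", "").replace(" ", "")
        tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        if "hidden" in a or tiny or any(h in style for h in HIDDEN_STYLE):
            self.hidden.append(a.get("src", ""))

    def handle_data(self, data):
        if data.strip():
            self.text.append(data.strip())


def analyze(snapshots):
    """Classify a sequence of DOM snapshots of one page.

    'rotating-hidden-iframes' means the visible text is stable but the hidden
    iframe sources change between captures; a single sandbox snapshot would
    see only one of them.
    """
    hidden_sets, texts = [], []
    for html in snapshots:
        p = HiddenIframeCollector()
        p.feed(html)
        hidden_sets.append(frozenset(s for s in p.hidden if s))
        texts.append(" ".join(p.text))
    if len(set(hidden_sets)) > 1 and all(hidden_sets) and len(set(texts)) == 1:
        return "rotating-hidden-iframes", hidden_sets
    if any(hidden_sets):
        return "hidden-iframe-present", hidden_sets
    return "clean", hidden_sets


# Constructed snapshots of the same page captured a few seconds apart.
SNAPSHOTS = [
    '<h1>Sign in</h1><iframe src="https://cdn.example/a1" style="display:none"></iframe>',
    '<h1>Sign in</h1><iframe src="https://cdn.example/b7" width="0" height="0"></iframe>',
    '<h1>Sign in</h1><iframe src="https://cdn.example/c3" hidden></iframe>',
]
```

Feeding the captures to `analyze(SNAPSHOTS)` returns the rotating verdict together with the per-capture hidden source sets, which is the evidence a single-pass scanner never accumulates.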
The attackers also counted on something simple but powerful: trust. When users see a familiar brand, a standard login screen, or a page that looks exactly like what they expect, they don’t question it. The browser reinforces that trust by executing the iframe content natively, making every interaction feel seamless and legitimate. GhostFrame exploited that built-in confidence, hiding hostile elements behind the veneer of normalcy. It didn’t need to break the browser to succeed. It just needed to work within the way the browser was already designed.
GhostFrame’s reach wasn’t limited to a specific sector or type of user. Its design made nearly any organization a viable target, especially those whose employees depend on SaaS applications, cloud services, or routine email-based communication. In other words, almost everyone. Industries that rely on constant external exchange, such as finance, insurance, government agencies, and healthcare providers, faced even greater exposure because their teams regularly interact with unfamiliar senders, shared portals, and customer-submitted content.
The rise of remote and hybrid work only widened the attack surface. With so much daily activity funneled through the browser, employees often use personal networks, unmanaged devices, or multiple SaaS platforms that sit outside traditional security perimeters. GhostFrame thrived in that environment. It didn’t need privileged access or specialized exploits; it simply took advantage of the everyday workflows that modern organizations rely on.
The fallout from GhostFrame wasn’t limited to a single stolen password or one compromised inbox. Its entire purpose was scale. By harvesting credentials for Microsoft 365, Google Workspace, and numerous SaaS applications, attackers gained access to the systems that organizations depend on the most. Once inside, the door opened to far more serious issues: bypassing MFA through session hijacking, launching business email compromise schemes, stealing sensitive data, or using the foothold to deploy ransomware.
What made this even harder for defenders was GhostFrame’s fleeting nature. The malicious iframes changed so quickly that by the time security teams investigated an alert, the original content had already been removed. Logs lacked consistent indicators, making it difficult to reconstruct the attack path or confirm what users had actually encountered. Meanwhile, SOC teams were overwhelmed by a flood of inconsistent detections and false positives, struggling to distinguish real threats from noise. GhostFrame didn’t just compromise accounts. It strained the very systems meant to protect them.
GhostFrame excelled in the exact places where traditional defenses fall short. Sandboxes, for example, capture a single moment in time, a snapshot of a URL that may look harmless when analyzed. They never see the rapid rotation of iframes that happens only when a real user interacts with the page. Secure email gateways face a similar limitation. They can scan attachments, rewrite links, and block known malicious senders, but they can’t detect behavior that doesn’t unfold until the browser begins rendering the page.
Detection-based tools were equally outmatched. They rely on signatures, heuristics, or reputation scores to flag suspicious activity, but GhostFrame’s real-time content swapping meant there was no stable pattern to identify. Every user could see something different, and every moment of the attack could deliver a different payload. By the time a tool recognized a threat, the frame had already changed.
All of this worked in GhostFrame’s favor because the browser itself became the execution point. Once malicious content reached the browser, it operated outside the visibility of endpoint controls that monitor files, processes, and system behavior. Traditional tools weren’t broken; they just weren’t built for an attack that lives entirely in the fluid, dynamic layer of the web.
GhostFrame worked because it relied on the browser to execute its shifting, hidden payloads. Menlo Security shuts that avenue down entirely by preventing the browser from ever touching live web code. Instead of passing a webpage’s scripts, iframes, and dynamic content to the user’s device, Menlo processes everything in a cloud-based isolation environment. The user only receives a safe visual stream, essentially a real-time rendering of the page, while all active code remains contained where it can’t do harm.
That approach breaks the GhostFrame attack chain at its foundation. Rapidly rotating iframe payloads have nowhere to execute locally, which eliminates the very technique GhostFrame depends on. Because Menlo isn’t analyzing signatures or reputation, it doesn’t matter how often attackers update their content or how convincingly they disguise it. Malicious behavior plays out in the isolation environment, never at the endpoint and never in front of the user.
This model also protects against credential traps. Fake login prompts and spoofed SaaS portals may load in the isolated session, but they can’t interact with the user’s device, steal credentials, or manipulate browser data. Menlo’s zero-trust approach to web access treats every site as hostile until proven safe, countering GhostFrame’s strategy of hiding malicious code inside pages that appear legitimate.
For SOC teams, the impact is significant. Instead of chasing unstable indicators generated by fast-changing iframes, they see clean, consistent logs and fewer false positives. GhostFrame weaponized the browser. Menlo removes the browser as an execution surface entirely, turning a once-powerful attack vector into a safe, controlled viewing layer.
For security teams, GhostFrame is more than a single campaign. It’s a preview of where phishing is headed. Attacks are moving away from static email lures and toward dynamic browser-based exploitation that unfolds only when a user loads a page. Traditional tools struggle because they’re built to detect known patterns, not constantly shifting iframe payloads that never appear the same way twice. That puts credential theft front and center as one of the most reliable paths attackers have into enterprise SaaS environments.
Breaking that chain requires a different approach. Browser isolation has emerged as one of the few controls capable of neutralizing threats like GhostFrame because it prevents malicious code from ever executing on the endpoint. Prevention at the browser layer is quickly becoming essential, not an optional add-on, especially as attackers continue to lean on techniques that outpace detection.
GhostFrame shows how rapidly these frameworks are evolving. If your defenses still depend on signatures, URL filtering, or sandbox snapshots, they’re operating a step behind the threat. Menlo Security offers a way to get ahead of this shift with real-time browser isolation and zero-trust web access designed to stop GhostFrame-style attacks before they begin.
See how Menlo can strengthen your defenses where they’re needed most. Book a live demo to experience the difference.
Menlo Security
