Palo Alto Networks Recognizes SquareX’s Research on Secure Web Gateway Limitations Against Last Mile Reassembly Attacks
PALO ALTO, Calif., Sept. 18, 2025 — Last Mile Reassembly Attacks were initially uncovered and brought to light last year, alerting the cybersecurity sector to over 20 attack methods that enable threat actors to circumvent leading SASE/SSE solutions and infiltrate malware via web browsers. Even though these findings were responsibly shared with all major SASE/SSE vendors, none had issued an official warning to their clients about this vulnerability for 13 months, until approximately two weeks prior.
With an increasing number of attackers employing Last Mile Reassembly tactics to target businesses, SASE/SSE providers are starting to acknowledge that proxy-based defenses are inadequate for countering browser-centric attacks. Palo Alto Networks is the first to openly confirm that Secure Web Gateways (SWGs) are fundamentally incapable of guarding against Last Mile Reassembly attacks. In its recent blog post, Palo Alto Networks described these as “encrypted, evasive attacks that assemble inside the browser and bypass traditional secure web gateways.” The company’s announcement further emphasized that “the browser is becoming the new operating system for the enterprise, the primary interface for AI and cloud applications. Securing it is not optional.”
This event signifies a pivotal turning point in cybersecurity, as a prominent established SASE/SSE vendor publicly concedes the inherent restrictions of Secure Web Gateways (SWGs) and recognizes the vital necessity of browser-native security solutions – a stance SquareX has championed since initiating its groundbreaking research.
What are Last Mile Reassembly Attacks?
Last Mile Reassembly attacks are a category of methods that exploit architectural weaknesses in SWGs to pass malicious files through the proxy layer undetected; the files are then reassembled into active malware within the target’s browser. One approach involves attackers fragmenting malware into multiple pieces. Individually, these fragments do not trigger SWG detection. After circumventing proxy inspection, the malware is subsequently reassembled in the browser.
In another instance, threat actors transport these malicious files through binary channels such as WebRTC, gRPC, and WebSockets. These are typical communication pathways utilized by web applications like video conferencing and streaming tools, yet they remain entirely unmonitored by SWGs. Indeed, many SWG providers openly acknowledge this on their websites and advise clients to deactivate these channels.
Altogether, more than 20 such methods exist that fully circumvent SWGs. Although Palo Alto Networks is the first to publicly acknowledge this deficiency, SquareX has shown that all major SASE/SSE vendors are susceptible and has engaged with numerous solution providers through responsible disclosure and discussions about alternative defense strategies.
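The fragmenting approach described above can be seen from the defender's side in the following added example (not code from SquareX or Palo Alto Networks). It compares a per-fragment content check with the same check run at the point of reassembly; the marker string, the fragment format with a `seq` field, and all function names are constructed for illustration.

```javascript
// Constructed, harmless marker standing in for a content signature.
const SIGNATURE = "CONSTRUCTED-TEST-MARKER";

// Constructed sample: one payload delivered as three out-of-order fragments,
// split so that the marker straddles fragment boundaries.
const fragments = [
  { seq: 2, data: "-MARKER trailing bytes" },
  { seq: 0, data: "leading bytes CONSTRUC" },
  { seq: 1, data: "TED-TEST" },
];

const enc = new TextEncoder();
const dec = new TextDecoder();

// Stateless view: each fragment is judged alone, as a per-response scan would.
function inspectPerFragment(frags, signature = SIGNATURE) {
  return frags.map((f) => ({ seq: f.seq, hit: f.data.includes(signature) }));
}

// Reassembly-point view: order by sequence number, rebuild the byte buffer,
// and scan the whole object before it is released to the user.
function inspectAtReassembly(frags, signature = SIGNATURE) {
  const ordered = [...frags].sort((a, b) => a.seq - b.seq);
  const complete = ordered.every((f, i) => f.seq === i); // no gaps or duplicates
  const parts = ordered.map((f) => enc.encode(f.data));
  const buf = new Uint8Array(parts.reduce((n, p) => n + p.length, 0));
  let off = 0;
  for (const p of parts) { buf.set(p, off); off += p.length; }
  const hit = dec.decode(buf).includes(signature);
  // Fail closed: an incomplete set is never released.
  return { complete, hit, bytes: buf.length, release: complete && !hit };
}

// Side-by-side result for one set of fragments.
function compare(frags) {
  return {
    perFragmentHits: inspectPerFragment(frags).filter((r) => r.hit).length,
    reassembled: inspectAtReassembly(frags),
  };
}

console.log(compare(fragments));
```

No single fragment matches, while the rebuilt buffer does, which is why the check has to sit where the content is put back together.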
Data Splicing Attacks: Exfiltrating Data with Last Mile Reassembly Techniques
Following the identification of Last Mile Reassembly Attacks, SquareX’s research division pursued additional studies to explore how these tactics could be exploited for exfiltrating sensitive information. During BSides San Francisco this year, SquareX’s talk on Data Splicing Attacks illustrated how analogous methods can be employed by insider threats and external attackers to transmit confidential documents and copy-paste sensitive data within the browser, entirely circumventing both endpoint DLP and cloud SASE/SSE DLP systems. Notably, there has been a rise in P2P file-sharing platforms that permit users to send any file without any DLP inspection.
The Year of Browser Bugs: Pioneering Critical Browser Security Research
As browsers evolve into one of the most frequent initial access vectors for threat actors, research into browser security is crucial for comprehending and counteracting cutting-edge browser-based assaults. Motivated by the implications of Last Mile Reassembly, SquareX initiated a research initiative titled The Year of Browser Bugs, revealing a significant architectural vulnerability each month since January. Key discoveries include Rogue Extensions, a malicious extension capable of covertly mimicking password managers and cryptocurrency wallets to pilfer credentials and crypto assets, and Passkey Bypass, a significant passkey implementation flaw unveiled at DEF CON 33 this year.
“Research has consistently been fundamental to SquareX’s identity. We hold the conviction that staying ahead of attackers is the sole method to defend against advanced attacks. In the last year alone, we have identified more than 10 zero-day vulnerabilities in browsers, many of which we revealed at major conferences such as DEF CON and Black Hat, given the significant risk they present to enterprises,” states Vivek Ramachandran, Founder of SquareX. He adds, “Palo Alto Networks’ acknowledgment of Last Mile Reassembly attacks signifies a considerable shift in established viewpoints on browser security. At SquareX, our research continuously shapes how we develop browser-native defenses, enabling us to safeguard our clients from Last Mile Reassembly attacks and other innovative browser-native threats even prior to our initial disclosure last year.”
To advance browser security education, SquareX partnered with CISOs from prominent organizations, including Campbell’s and Arista Networks, to co-author Browser Security: The Definitive Guide for CISOs. Unveiled at Black Hat this year, the publication functions as a technical resource for cybersecurity professionals, detailing advanced attacks and corresponding mitigation strategies.
Fair Use Disclaimer
This platform may feature copyrighted content (including, but not limited to, the recent blog post by Palo Alto Networks dated September 4, 2025), the usage of which may not have always received explicit authorization from the copyright holder. These materials are provided to enhance comprehension of matters pertaining to Last Mile Reassembly attacks, thereby constituting a “fair use” of any such copyrighted material as stipulated by relevant laws. Should you intend to utilize copyrighted content from this site for personal purposes that extend beyond fair use, you are required to secure permission from the respective copyright owner.
About SquareX
SquareX’s innovative browser extension transforms any browser on any device into a robust, enterprise-grade secure browsing environment. As the industry’s first Browser Detection and Response (BDR) solution, SquareX equips organizations to proactively guard against browser-native threats, encompassing Last Mile Reassembly Attacks, unauthorized AI agents, harmful extensions, and identity-based assaults. In contrast to proprietary enterprise browsers, SquareX integrates effortlessly with users’ current consumer browsers, ensuring high-level security without degrading the user experience. Further details on SquareX’s research-driven innovations are available at www.sqrx.com.
Contact
Head of PR
Junice Liew
SquareX
junice@sqrx.com
A photo accompanying this announcement is available at https://ml.globenewswire.com/Resource/Download/48082cb6-e696-41f2-9844-4861219b6748