The Last Line of Defense: How AI-Powered Real-Time Phishing Detection Builds Phishing Resistance

Picture this: Your employee receives security awareness training, your email filters catch 90% of phishing attempts, and your network security is top-notch.
Yet, while browsing a trusted financial news site, that employee clicks on what appears to be a legitimate business insurance renewal ad—but it’s actually malvertising. The link takes the employee to a fake but convincing banking login page.
What happens in those critical seconds before they enter their credentials?
At Dashlane, we've built the final piece of the cybersecurity puzzle: Real-time, AI-powered phishing detection that runs directly in the browser. When your employee visits a malicious webpage by typing in a URL or clicking a link, our AI analyzes the page in real time before any sensitive information can be entered.
Once a malicious webpage is detected, the employee receives an in-context alert, even if they’re not logged into Dashlane. In addition, admins get actionable insights into every employee’s phishing risks.
The gap in today's phishing defense
Even the most comprehensive security strategies have vulnerabilities that sophisticated attackers exploit:
- Security training: While essential, human psychology remains the weakest link. Phishers craft pages so convincing that subtle differences escape detection. A single moment of distraction or urgency can undo months of training, even for cybersecurity experts.
- Email filtering: This method is great for catching direct email threats, but it’s powerless against phishing links shared through legitimate channels like LinkedIn messages, ads, Google Docs links, Slack conversations, or social media. Modern phishing often bypasses email entirely.
- Blocklist protection: These systems excel at blocking known threats but fail against zero-day/zero-hour attacks. With many phishing sites created and destroyed within the same day, traditional static blocklists are always playing catch-up.
- Existing browser solutions: Current browser-based protection relies heavily on detecting phishing attempts in login forms because they’re trained on publicly available datasets. This approach misses sophisticated attacks that use OTP (one-time password), payment, "apply here" workflows, or other non-traditional credential harvesting methods.

The reality? No single solution is perfect. That's why we built our real-time phishing detection to complete these essential security layers, not replace them.
Our approach is straightforward: Detect phishing attempts the moment a user is about to interact with a potentially malicious webpage, regardless of how they arrived there.
Building intelligence from our autofill foundation
Creating effective phishing detection starts with understanding what legitimate sites look like. Fortunately, we had a significant advantage: Our existing autofill technology had already taught us to recognize diverse authentic web forms across millions of sites.
Our autofill dataset provides our AI with extensive examples of legitimate form patterns. Thus, the "good" helps define the "bad."
We complement this with frequently updated phishing examples from crowdsourced threat intelligence platforms like PhishTank, which our machine learning team reviews and filters to capture the evolving tactics of malicious sites as soon as they appear online.
This dual approach gives our model the critical ability to distinguish between authentic pages and sophisticated fakes designed to steal credentials.
The zero-knowledge challenge
Here's where things get interesting. At Dashlane, our zero-knowledge architecture means we never have access to your browsing data, passwords, or personal information. This creates a unique constraint: Our phishing detection must run entirely on your device, with no data leaving your browser.
Because of this, we can't use massive cloud-based AI models that require sending webpage content to our servers, and we can't train a third-party AI model. Instead, we need a lightweight model that delivers accurate results locally while respecting your privacy completely.
But constraints often breed innovation. Rather than seeing the full HTML of a page (which would be too much data for a local model anyway), we extract specific tell-tale indicators that phishers inadvertently leave behind.
The 79 signals phishers can't hide
Through extensive research and testing, we've identified 79 distinct indicators that reveal when a webpage isn't what it appears to be. Here are three examples that illustrate how phishers betray themselves:
- Hidden login forms: A phishing site might display what looks like a legitimate bank login page but hide invisible form fields or redirect actions in the code. For example, while users may see normal username and password fields that appear to submit to "yourbank.com," hidden code could actually send their credentials to "evil-hacker-site.com." Legitimate sites don't need to hide where your login information goes, but phishing sites do.
- External link ratios: Authentic sites typically have 80 to 90 percent of their links pointing to their own domain (yourbank.com/login, yourbank.com/services, and so on). Phishing sites pretending to be that bank might have 60 percent of their links pointing to external domains because they're hastily copying content from multiple sources. This unusual ratio raises a red flag. Why would "yourbank.com" have most of its links going elsewhere unless it was a phishing site?
- Concealed iframes: A phishing site might display a fake PayPal login page while embedding an invisible 1x1 pixel iframe that secretly loads the real PayPal.com. When you type credentials on the fake page, the hidden iframe captures keystrokes and tests them on the real site, giving attackers verified login details. Legitimate sites don't need to hide what other sites they're loading.
These indicators, invisible to human users, create a unique fingerprint that our AI can recognize instantly.
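The three signals above, computed from raw HTML, as an added example (not Dashlane's code; the page does not publish its extractor or its full indicator list). The class and function names, the iframe size threshold, the hostname-matching rule, and the `.example` hosts in the sample are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class SignalExtractor(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.page_host = page_url, urlparse(page_url).hostname or ""
        self.links = []               # one bool per <a href>: True if off-host
        self.in_offsite_form = False  # inside a <form> whose action is off-host
        self.offsite_forms = self.hidden_iframes = 0

    def _external(self, url):
        # Assumed rule: hostname match; production code compares registrable domains.
        host = urlparse(urljoin(self.page_url, url)).hostname  # None for mailto: etc.
        return bool(host) and host != self.page_host and not host.endswith("." + self.page_host)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "a" and a.get("href"):
            self.links.append(self._external(a["href"]))
        elif tag == "form":
            self.in_offsite_form = self._external(a.get("action", ""))
        elif tag == "input" and a.get("type", "").lower() == "password" and self.in_offsite_form:
            self.offsite_forms += 1       # password field posted to another host
            self.in_offsite_form = False  # count each form once
        elif tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            if tiny or "hidden" in a or "display:none" in style or "visibility:hidden" in style:
                self.hidden_iframes += 1

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_offsite_form = False

def extract_signals(page_url, html):
    p = SignalExtractor(page_url)
    p.feed(html)
    ratio = sum(p.links) / len(p.links) if p.links else 0.0
    return {"external_link_ratio": ratio, "offsite_credential_forms": p.offsite_forms,
            "concealed_iframes": p.hidden_iframes}

# Constructed sample: lookalike host, off-host form action, 1x1 iframe.
SAMPLE_URL = "https://yourbank-secure.example/login"
SAMPLE_HTML = """<a href="/help">Help</a> <a href="login">Sign in</a>
<a href="https://yourbank.example/a">A</a> <a href="https://yourbank.example/b">B</a>
<a href="https://cdn.example.net/terms">Terms</a>
<form action="https://collector.example.net/submit"><input type="password" name="p"></form>
<iframe src="https://yourbank.example/" width="1" height="1"></iframe>"""
```

Calling `extract_signals(SAMPLE_URL, SAMPLE_HTML)` returns a flat dictionary, the shape a lightweight local classifier would consume as one feature vector.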

Finding the perfect model through smart optimization
With our features defined, we faced another challenge: Selecting the optimal model architecture and hyperparameters for local execution. The solution space is vast, with many model types, hyperparameter combinations, and configuration options.
Think of hyperparameters as the dials and switches you set before training begins. For a Random Forest model, you decide how many decision trees to grow (50? 500?) and how deep each tree can be.
For neural networks, you choose the learning rate (how large a step to take when correcting mistakes; 0.001 versus 0.1 makes a huge difference), batch size (process 32 examples at once or 128?), and how many hidden layers to stack up.
Support Vector Machines need you to pick the kernel type (linear, polynomial, or radial) and regularization strength.
Unlike the patterns the model learns from data, these settings must be chosen upfront and dramatically affect whether your model is accurate, fast, or works at all. Rather than manually testing every combination (which would take years), we use Bayesian optimization through Optuna.
This approach starts with a random model configuration, evaluates its performance, then systematically explores variations based on what it learns from each test. It's like having a smart assistant that remembers every experiment and uses that knowledge to suggest the next most promising configuration to try.
As the web evolves and our dataset grows, we automatically repeat this optimization process, ensuring we always deploy the highest-performing model possible. Here’s an example of a model optimization experiment.

Real-time protection in production
When you open a webpage, here's what happens behind the scenes in approximately 200 milliseconds:
- Our autofill system scans the page to detect forms and identify their types
- If forms are present, we extract our 79 indicators from the page structure
- The local AI model analyzes these indicators to determine if the page is legitimate or malicious
- If phishing is detected, we alert you before you can enter any sensitive information
All of this happens locally on your device in real time with zero data sent to our servers—or anyone else’s.
Filling every gap in the defense chain
Remember that employee we mentioned at the very beginning, the one who received training and whose email filters worked perfectly, but who still came face to face with a convincing phishing page?
We built our solution specifically to address the gaps that put them in that vulnerable position, protecting them from:
- Sophisticated credential-harvesting attacks: By training our AI on the diverse landscape of forms from our autofill technology, we ensure there's no credential harvesting technique our model hasn't encountered before.
- The limitations of static analysis: Unlike email detection systems that only see URLs or static content, our browser-based detector inspects the fully rendered page as users actually experience it. This live visibility transforms our defensive approach, enabling us to move beyond passive detection to active prevention that stops attacks at the crucial moment before credentials are entered.
- Zero-hour threats: Running analysis in real time means we catch brand-new phishing sites the moment they're encountered, regardless of how the user arrived there. There's no waiting for blocklists to update or threat intelligence to propagate.
- Privacy invasion: Just like with our autofill technology, we've proven that cutting-edge AI protection doesn't require sacrificing privacy. Our phishing detection operates entirely on your device, analyzing web content without ever transmitting your browsing data externally.
Real-time, AI-powered phishing detection for every employee provides your enterprise with a critical layer of phishing protection. When a phishing threat slips through every other defense, you have a final, intelligent guardian protecting your digital interactions.