[{"data":1,"prerenderedAt":4324},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":95,"navbar-about-highlight":155,"navbar-resource-highlight":211,"use-case-page":256,"blog/2025-hipaa-rule-change":1276},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8,59,76],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":14,"data":15,"variations":50,"lastUpdated":51,"firstPublished":52,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":54,"meta":55,"rev":58},1742213002749,"efff2a27faf4408e9f908eba4b5542fe","inductive-automation","1c6207a5f24948ab82d4a0b17f251193","published",[],{"testimonial":16,"description":43,"type":19,"link":44,"title":47,"testimonialLink":48,"image":49},{"@type":17,"id":18,"model":19,"value":20},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79","testimonial",{"query":21,"folders":22,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":26,"variations":30,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":35,"rev":42},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":27,"jobTitle":28,"quote":24,"image":29},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,1,"ST0tXQM8slWpFrmioqKHmENB2qe2",{"kind":36,"lastPreviewUrl":37,"breakpoints":38,"hasAutosaves":41},"data","",{"small":39,"medium":40},640,768,true,"3v32gocrrqz","Join the industry's top security minds as they break down the browser attack landscape.",{"url":45,"text":46},"https://pushsecurity.com/webinar/state-of-browser-security","Save Your Spot","State of Browser Attacks 
Series","/customer-stories/inductive-automation","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe94fca10aa7b46ac8052b7ea22de54cd",{},1776257019270,1742221533648,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2",[],{"breakpoints":56,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},320,"motto9r9yg",{"createdDate":60,"id":61,"name":62,"modelId":12,"published":13,"query":63,"data":64,"variations":69,"lastUpdated":70,"firstPublished":71,"testRatio":33,"createdBy":53,"lastUpdatedBy":72,"folders":73,"meta":74,"rev":58},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner",[],{"type":65,"url":66,"text":67,"link":68},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,"jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":36,"lastPreviewUrl":37,"breakpoints":75,"hasAutosaves":41},{"xsmall":57,"small":39,"medium":40},{"createdDate":77,"id":78,"name":79,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":80,"data":81,"variations":89,"lastUpdated":90,"firstPublished":91,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":92,"meta":93,"rev":58},1742208469288,"6763051b201f44a0838c6400c580ca67","Resource highlight",[],{"image":82,"type":83,"description":84,"link":85,"title":88},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9","resource","Learn about the latest techniques being used in the wild.",{"url":86,"text":87},"/resources/browser-attacks-report","Download now","Report: 2026 Browser Attack 
Techniques",{},1776255866789,1742208570400,[],{"kind":36,"lastPreviewUrl":37,"breakpoints":94,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},{"createdDate":96,"id":97,"name":98,"modelId":99,"published":13,"query":100,"data":101,"variations":145,"lastUpdated":146,"firstPublished":147,"testRatio":33,"createdBy":34,"lastUpdatedBy":148,"folders":149,"meta":150,"rev":154},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":102,"text":103,"url":37,"blocks":104,"state":141},"ewrererw","testrfesssssssssss",[105,129],{"@type":106,"@version":107,"id":108,"component":109,"responsiveStyles":119},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":110,"tag":110,"options":111,"isRSC":118},"TopBannerContent",{"text":112,"ctaText":46,"url":45,"mainText":113,"cta":116},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks",{"content":114,"fontSize":115},"\u003Cp>New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks\u003C/p>","text-base",{"content":117,"fontSize":115,"url":45},"\u003Cp>\u003Cstrong style=\"font-weight:700;\">Save Your 
Spot\u003C/strong>\u003C/p>\n",null,{"large":120},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"marginTop":126,"marginBottom":126,"fontSize":127,"fontWeight":128},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"id":130,"@type":106,"tagName":131,"properties":132,"responsiveStyles":136},"builder-pixel-08zrjigffq5t","img",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":137},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},"block","hidden","none",{"deviceSize":142,"location":143},"large",{"path":37,"query":144},{},{},1775137295127,1774968080803,"ax7YYfD0OCeqT1Vxxv1G4FUbqVr1",[],{"breakpoints":151,"hasLinks":6,"kind":152,"lastPreviewUrl":153,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests%2CmergePullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default","2lvuonnywj",[156,180],{"createdDate":157,"id":158,"name":159,"modelId":160,"published":13,"stageModifiedSincePublish":6,"query":161,"data":162,"variations":173,"lastUpdated":174,"firstPublished":175,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":176,
"meta":177,"rev":179},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":163,"type":19,"testimonialLink":48,"testimonial":164},{},{"@type":17,"id":18,"model":19,"value":165},{"query":166,"folders":167,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":168,"variations":169,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":170,"rev":172},[],[],{"author":27,"jobTitle":28,"quote":24,"image":29},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":171,"hasAutosaves":41},{"small":39,"medium":40},"7t755zfvte3",{},1776247404986,1776247404973,[],{"breakpoints":178,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"4moh0qpywtr",{"createdDate":181,"id":182,"name":88,"modelId":160,"published":13,"meta":183,"stageModifiedSincePublish":6,"query":185,"data":186,"variations":207,"lastUpdated":208,"firstPublished":209,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":210,"rev":179},1776255761419,"05a9322735fc427db12e2740e4302300",{"breakpoints":184,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[],{"testimonial":187,"link":206,"type":83,"title":88,"description":84,"image":82},{"@type":17,"id":188,"model":19,"value":189},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":190,"folders":191,"createdDate":192,"id":188,"name":193,"modelId":25,"published":13,"data":194,"variations":200,"lastUpdated":201,"firstPublished":202,"testRatio":33,"createdBy":34,"lastUpdatedBy":53,"meta":203,"rev":205},[],[],1728981467463,"Push does for identity what CrowdStrike did for the 
endpoint",{"video":195,"jobTitle":196,"author":197,"qoute":37,"quote":198,"image":199},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":36,"lastPreviewUrl":37,"breakpoints":204,"hasAutosaves":41},{"small":39,"medium":40},"6s8ic0w0ao6",{"text":87,"url":86},{},1776255810913,1776255810900,[],[212,235],{"createdDate":213,"id":214,"name":88,"modelId":215,"published":13,"meta":216,"stageModifiedSincePublish":6,"query":218,"data":219,"variations":230,"lastUpdated":231,"firstPublished":232,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":233,"rev":234},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":217,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[],{"testimonial":220,"link":229,"type":83,"title":88,"description":84,"image":82},{"@type":17,"id":188,"model":19,"value":221},{"query":222,"folders":223,"createdDate":192,"id":188,"name":193,"modelId":25,"published":13,"data":224,"variations":225,"lastUpdated":201,"firstPublished":202,"testRatio":33,"createdBy":34,"lastUpdatedBy":53,"meta":226,"rev":228},[],[],{"video":195,"jobTitle":196,"author":197,"qoute":37,"quote":198,"image":199},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":227,"hasAutosaves":41},{"small":39,"medium":40},"r77qqueuo3j",{"text":87,"url":86},{},1776256937553,1776256937540,[],"q0jkez80wkg",{"createdDate":236,"id":237,"name":11,"modelId":215,"published":13,"stageModifiedSincePublish":6,"query":238,"data":239,"variations
":250,"lastUpdated":251,"firstPublished":252,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":253,"meta":254,"rev":234},1776256949234,"ce043785b71b4ece98eac811ecf4ba10",[],{"link":240,"type":19,"testimonial":241,"testimonialLink":48},{},{"@type":17,"id":18,"model":19,"value":242},{"query":243,"folders":244,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":245,"variations":246,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":247,"rev":249},[],[],{"author":27,"jobTitle":28,"quote":24,"image":29},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":248,"hasAutosaves":41},{"small":39,"medium":40},"mnaneamy308",{},1776256974140,1776256974130,[],{"breakpoints":255,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[257,441,560,679,797,917,1037,1157],{"createdDate":258,"id":259,"name":260,"modelId":261,"published":13,"stageModifiedSincePublish":6,"query":262,"data":268,"variations":429,"lastUpdated":430,"firstPublished":431,"testRatio":33,"screenshot":432,"createdBy":34,"lastUpdatedBy":433,"folders":434,"meta":435,"rev":440},1744829487099,"387451215c314dd5bd654668cdc1a197","Zero-day phishing","cca4143377554c5a9163cc203a8ed2ba",[263],{"@type":264,"property":265,"operator":266,"value":267},"@builder.io/core:Query","urlPath","is","/uc/zero-day-phishing-protection",{"inputs":269,"customFonts":270,"seoTitle":318,"title":318,"tsCode":37,"seoDescription":319,"fontAwesomeIcon":320,"jsCode":37,"blocks":321,"url":267,"state":426},[],[271],{"family":272,"kind":273,"version":274,"lastModified":275,"files":276,"category":295,"menu":296,"subsets":297,"variants":300},"DM 
Sans","webfonts#webfont","v14","2023-07-13",{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"800italic":285,"900italic":286,"700italic":287,"100italic":288,"italic":289,"regular":290,"200italic":291,"500italic":292,"300italic":293,"600italic":294},"https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAop1hTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwA_JxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAkJxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAfJthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwARZthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAC5thTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8gCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9uCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDG3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19Dks
Vat-7DW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat_XDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9XCm3zRmYJpso5.ttf","sans-serif","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxRT23z.ttf",[298,299],"latin","latin-ext",[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"100","200","300","regular","500","600","800","900","100italic","200italic","300italic","italic","500italic","600italic","700italic","800italic","900italic","Zero-day phishing protection","Detect phishing TTPs directly in the browser and stop credential theft.","faFishingRod",[322,421],{"@type":106,"@version":107,"tagName":323,"id":324,"children":325},"div","builder-76c6b8d1499346c7bc1fd56ae4e93638",[326,343,351,358,370,385,396,407,413],{"@type":106,"@version":107,"layerName":327,"id":328,"component":329,"responsiveStyles":340},"UseCaseHero","builder-5228fe062bef4a40a91e43f1112832fa",{"name":327,"options":330,"isRSC":118},{"title":318,"description":331,"points":332,"video":339},"\u003Cp>Push detects phishing as it happens. Autonomous agents hunt for new phishing techniques, identify kit signatures, and deploy detections within minutes of a new attack being analyzed. 
From cloned login pages to AiTM credential harvesting, Push sees what traditional filters miss and stops threats before they escalate.\u003C/p>",[333,335,337],{"item":334},"Detect phishing that bypasses traditional filters, including AiTM, SSO password theft, and fake login pages",{"item":336},"Stop never-before-seen attacks with AI-native behavioral and on-page analysis inside the browser",{"item":338},"Investigate faster with unified browser, user, and page context","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F40433ceeb4f94b43a82e039a0f4fd411%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=40433ceeb4f94b43a82e039a0f4fd411&alt=media&optimized=true",{"large":341},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},"transparent",{"@type":106,"@version":107,"id":344,"component":345,"responsiveStyles":348},"builder-96634044407e491299e291ed64669e39",{"name":346,"options":347,"isRSC":118},"TrustedBy",{"AllPartners":41,"backgroundTransparent":6},{"large":349},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},"#000",{"@type":106,"@version":107,"id":352,"component":353,"responsiveStyles":356},"builder-2c3768f930534557bb8978e32b6a6a0f",{"name":354,"options":355,"isRSC":118},"Diagonal",{"darkMode":41},{"large":357},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":359,"id":360,"component":361,"responsiveStyles":368},"TextImageBlockVertical","builder-7c3c1c2840424db2ad2ccbfaf382dd64",{"name":359,"tag":359,"options":362,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":365,"description":366,"animatedTitle":37,"image":367,"reverse":6,"descriptionPaddingHorizontal":118},1200,800,"\u003Ch2>Why stop at the inbox?\u003C/h2>","\u003Cp>Phishing attacks have evolved. 
Whether attackers lure users with QR codes, instant messages, or OAuth consent screens, the outcome is the same: it plays out in the browser. Push gives you real-time detection for in-browser threats, stopping phishing and consent-based attacks before they lead to compromise.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7fdcac241f0e4a049166d7076858adeb",{"large":369},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":371,"component":372,"responsiveStyles":380},"builder-41c978b3669749cf947e622b4e79e4d7",{"name":373,"options":374,"isRSC":118},"TextImageBlockHorizontal",{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":377,"description":378,"reverse":41,"image":379},600,100,"\u003Cp>Detect phishing at the edge\u003C/p>","\u003Cp>Push uses industry-first telemetry to detect phishing based on behavior, not static indicators. Autonomous agents analyze how phishing pages behave and how users interact with them, uncovering fake logins, credential theft, and phishing kits the moment they load in the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F9df3d180c97b4e61af142af2ccd68721",{"large":381},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},"DM Sans, sans-serif","20px","0px",{"@type":106,"@version":107,"id":386,"component":387,"responsiveStyles":393},"builder-d2a7bc941feb43cdb898bc116b203cf9",{"name":373,"options":388,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":390,"description":391,"reverse":6,"image":392},120,"\u003Ch2>Go beyond blocklists and IOCs\u003C/h2>","\u003Cp>Push goes beyond URLs and easy-to-change indicators. 
It reads the full phishing playbook, such as script behavior, session hijacks, DOM changes, and user inputs, then connects the dots in real time. This gives your team a complete picture of how the phishing attempt worked, not just an alert.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fabfd58db169b433e96d3f1261797156e",{"large":394},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},"36px",{"@type":106,"@version":107,"layerName":373,"id":397,"component":398,"responsiveStyles":404},"builder-42c32198083f4880acb37c5cb76934da",{"name":373,"options":399,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":401,"description":402,"reverse":41,"image":403},140,"\u003Ch2>Enhance your phishing response\u003C/h2>","\u003Cp>When phishing enters your environment, speed matters. Push gives you instant access to the telemetry that counts like session data, user behavior, and page activity, so you can investigate fast, trigger in-browser prompts, or forward alerts to your SIEM or SOAR for response. 
All in real time, right from the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fbb195aec46904056b85e8688629e558e",{"large":405},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},"47px",{"@type":106,"@version":107,"id":408,"component":409,"responsiveStyles":411},"builder-9a95b9cbc4854421a92ef7b90f6c7adb",{"name":354,"options":410,"isRSC":118},{"darkMode":6},{"large":412},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":414,"component":415,"responsiveStyles":419},"builder-0afa17a9f25c4661a90f314d5578aa18",{"name":416,"tag":416,"options":417,"isRSC":118},"LatestResources",{"sectionHeading":37,"customClass":418},"bg-black",{"large":420},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":422,"@type":106,"tagName":131,"properties":423,"responsiveStyles":424},"builder-pixel-21yj6h3p4wh",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":425},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":427},{"path":37,"query":428},{},{},1776275046831,1745499158657,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fff60c30a8442489c8ed7e0af9599d14f","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"lastPreviewUrl":436,"winningTest":118,"breakpoints":437,"kind":438,"hasLinks":6,"originalContentId":439,"hasAutosaves":6},"https://pushsecurity.com/uc/zero-day-phishing-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&
builder.overrides.use-case-page=387451215c314dd5bd654668cdc1a197&builder.overrides.387451215c314dd5bd654668cdc1a197=387451215c314dd5bd654668cdc1a197&builder.overrides.use-case-page:/uc/zero-day-phishing-protection=387451215c314dd5bd654668cdc1a197&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},"page","2daa5670b8504fc7ba4700633e8bd921","atvz4dp24b7",{"createdDate":442,"id":443,"name":444,"modelId":261,"published":13,"stageModifiedSincePublish":6,"query":445,"data":448,"variations":552,"lastUpdated":553,"firstPublished":554,"testRatio":33,"screenshot":555,"createdBy":34,"lastUpdatedBy":433,"folders":556,"meta":557,"rev":440},1756833377777,"54f8256648f54d439303734b1e69221b","Browser extension security",[446],{"@type":264,"property":265,"operator":266,"value":447},"/uc/browser-extension-security",{"seoDescription":449,"jsCode":37,"fontAwesomeIcon":450,"tsCode":37,"title":444,"seoTitle":444,"customFonts":451,"inputs":456,"blocks":457,"url":447,"state":549},"Shine a light on risky browser extensions.","faPuzzlePiece",[452],{"kind":273,"family":272,"version":274,"files":453,"category":295,"lastModified":275,"subsets":454,"variants":455,"menu":296},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"100italic":288,"italic":289,"regular":290,"900italic":286,"800italic":285,"700italic":287,"200italic":291,"300italic":293,"500italic":292,"600italic":294},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],[],[458,544],{"@type":106,"@version":107,"tagName":323,"id":459,"meta":460,"children":461},"builder-71d0648c1d2f4ede8d0d0b5b28b7b94c",{"previousId":324},[462,478,485,492,501,511,521,531,538],{"@type":106,"@version":107,"id":463,"meta":464,"component":465,"responsiveStyles":476},"builder-ff325b4b8fad4edea53f38865947e854",{"previousId":328},{"name":327,"options":466,"isRSC":118},{"title":444,"description":467,"points":468,"video":475},"\u003Cp>Browser extensions introduce new code, new 
permissions, and new potential for risk. Many include AI features, and most go completely unnoticed. Push gives you full visibility into every extension used across your workforce, across major browsers, so you can uncover shadow IT, assess risky permissions, and block unsafe tools before they lead to compromise.\u003C/p>",[469,471,473],{"item":470},"Discover every browser extension in use",{"item":472},"Spot risky or unsanctioned behavior",{"item":474},"Make informed decisions on extension policy","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc538aad95d7f403aa3c3551af72f67c0?alt=media&token=1411fa6d-2eac-4e6c-94bf-ea117da12d67&apiKey=f3a1111ff5be48cdbb123cd9f5795a05",{"large":477},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":479,"meta":480,"component":481,"responsiveStyles":483},"builder-fb89d128c64e47cf9cbb11d90fc24523",{"previousId":344},{"name":346,"options":482,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":484},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":486,"meta":487,"component":488,"responsiveStyles":490},"builder-54388d35126c4d0096eeebaf8c4448cd",{"previousId":352},{"name":354,"options":489,"isRSC":118},{"darkMode":41},{"large":491},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":359,"id":493,"component":494,"responsiveStyles":499},"builder-3c8fa6785dd6466abf52a2470d66d85a",{"name":359,"tag":359,"options":495,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":496,"description":497,"image":498,"reverse":6},"\u003Ch2>Take control of browser extensions\u003C/h2>","\u003Cp>Attackers are increasingly using malicious browser extensions to gain access to data processed and stored in the browser. 
And the problem is, most security teams have no visibility into what extensions are being used. Push changes that. With browser-native telemetry, the Push extension continuously inventories browser extensions across your environment, flags the risky ones, and gives you intelligence to act.&nbsp;\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0a004f16a6874f4c8fdf14344acc9fec",{"large":500},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":502,"meta":503,"component":504,"responsiveStyles":509},"builder-93738f98109a4009affb349afd7bb182",{"previousId":371},{"name":373,"options":505,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":506,"description":507,"reverse":41,"image":508},"\u003Ch2>Discover every extension in use\u003C/h2>","\u003Cp>Push gives you structured, searchable data about every extension in your environment, so you’re not just seeing what’s there, but also understanding how it got there, what it can do, and who it affects. 
It’s the kind of granular insight that’s nearly impossible to get from traditional tools, and it lays the groundwork for better policy decisions and faster investigations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0e5727ca99474f14b1b7916bf6bbb782",{"large":510},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":512,"meta":513,"component":514,"responsiveStyles":519},"builder-83393acb12ee4fdd840839185b51edb4",{"previousId":386},{"name":373,"options":515,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":516,"description":517,"reverse":6,"image":518},"\u003Ch2>Spot risky or malicious extensions\u003C/h2>","\u003Cp>Push highlights extensions with dangerous permissions, broad access, or poor reputations. This includes AI extensions that request access far beyond what their stated purpose requires. You can quickly detect sideloaded, manually installed, or development-mode extensions that bypass normal controls. And because Push shows you who’s using them and where, you can respond precisely and effectively.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa104d58c8da34fbb8901f738fb21453b",{"large":520},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":522,"meta":523,"component":524,"responsiveStyles":529},"builder-da98e3de949646d89c53a0d1c2784664",{"previousId":397},{"name":373,"options":525,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":526,"description":527,"reverse":41,"image":528},"\u003Ch2>Accelerate security reviews\u003C/h2>","\u003Cp>Most teams have extension policies, they just don’t have the data to enforce them. 
Push reveals how each extension entered your environment, whether it was installed manually, sideloaded, or deployed in dev mode. You’ll see which users are running what, and where, so you can surface violations, investigate quickly, and respond with confidence.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F229f355be6f243b180f410d237a75bb3",{"large":530},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":532,"meta":533,"component":534,"responsiveStyles":536},"builder-1a689287d1a1418997d57db578a71105",{"previousId":408},{"name":354,"options":535,"isRSC":118},{"darkMode":6},{"large":537},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":539,"component":540,"responsiveStyles":542},"builder-feb4e75029f84c10b6498ef1f8f79128",{"name":416,"tag":416,"options":541,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":543},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":545,"@type":106,"tagName":131,"properties":546,"responsiveStyles":547},"builder-pixel-0edn39avfcei",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":548},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":550},{"path":37,"query":551},{},{},1776275365038,1757000441666,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8d496cf111644ee5afcc046b72d1ca5a",[],{"kind":438,"winningTest":118,"breakpoints":558,"lastPreviewUrl":559,"hasLinks":6,"originalContentId":259,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/browser-extension-security?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2Cc
reateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=54f8256648f54d439303734b1e69221b&builder.overrides.54f8256648f54d439303734b1e69221b=54f8256648f54d439303734b1e69221b&builder.overrides.use-case-page:/uc/browser-extension-security=54f8256648f54d439303734b1e69221b&builder.options.locale=Default",{"createdDate":561,"id":562,"name":563,"modelId":261,"published":13,"query":564,"data":567,"variations":670,"lastUpdated":671,"firstPublished":672,"testRatio":33,"screenshot":673,"createdBy":34,"lastUpdatedBy":674,"folders":675,"meta":676,"rev":440},1744923509705,"94bebb7bb99d48629ad157e80cf4d81d","Account takeover detection",[565],{"@type":264,"property":265,"operator":266,"value":566},"/uc/account-takeover-detection",{"title":563,"customFonts":568,"jsCode":37,"seoTitle":563,"seoDescription":573,"fontAwesomeIcon":574,"tsCode":37,"blocks":575,"url":566,"state":667},[569],{"kind":273,"category":295,"variants":570,"menu":296,"files":571,"family":272,"subsets":572,"version":274,"lastModified":275},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"300italic":293,"500italic":292,"800italic":285,"700italic":287,"italic":289,"900italic":286,"600italic":294,"200italic":291,"regular":290,"100italic":288},[298,299],"Stop ATO with stolen credential and compromised token 
detection.","faUserSecret",[576,662],{"@type":106,"@version":107,"tagName":323,"id":577,"meta":578,"children":579},"builder-e7913a774cae44c5a23d6081c5c30a52",{"previousId":324},[580,596,603,610,619,629,639,649,656],{"@type":106,"@version":107,"id":581,"meta":582,"component":583,"responsiveStyles":594},"builder-f1f1ab1601bc4c0f8c2a8aafd173675d",{"previousId":328},{"name":327,"options":584,"isRSC":118},{"title":563,"description":585,"points":586,"video":593},"\u003Cp>Attackers don’t need to phish, they just need a password that works. Push monitors for signs of credential-based attacks in real time, directly in the browser, catching account takeover attempts before the damage spreads. From ghost logins to credential stuffing, Push cuts off the paths attackers use to quietly slip in the back door.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[587,589,591],{"item":588},"Identify credential-based ATO as it unfolds",{"item":590},"Surface hijacked sessions and token misuse",{"item":592},"Strengthen authentication where your IdP 
can’t","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb4dd9db24bc9495b8a686b1b4d492016%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=b4dd9db24bc9495b8a686b1b4d492016&alt=media&optimized=true",{"large":595},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":597,"meta":598,"component":599,"responsiveStyles":601},"builder-0bc0d1c78ece4994993c3a6427a4d533",{"previousId":344},{"name":346,"options":600,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":602},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":604,"meta":605,"component":606,"responsiveStyles":608},"builder-e45de8f3768c4f16938dbf78e4e87524",{"previousId":352},{"name":354,"options":607,"isRSC":118},{"darkMode":41},{"large":609},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":611,"component":612,"responsiveStyles":617},"builder-c98e8bfd341146c1b67c02d5698ff093",{"name":359,"tag":359,"options":613,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":614,"description":615,"image":616,"reverse":6},"\u003Ch2>Assume less. See more.\u003C/h2>","\u003Cp>Most account takeovers don’t start with a breach, they start with a login. Whether it’s a reused password, a local account, or an outdated login flow, Push shows you how accounts are actually accessed day to day, not just how policies say they should be. 
That means no more blind spots around ghost logins, bypassed SSO, or stale access paths that quietly persist.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F18630ad2746d4eb7b7fcc0428b11a8f0",{"large":618},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":620,"meta":621,"component":622,"responsiveStyles":627},"builder-55c1fc38ddc04fd1a0d6a8e2fb819e00",{"previousId":371},{"name":373,"options":623,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":624,"description":625,"reverse":41,"image":626},"\u003Ch2>Catch stolen credential use in real time\u003C/h2>","\u003Cp>Push monitors login activity directly in the browser to detect signs of credential-based attacks like leaked password use or suspicious login flows. By analyzing attacker TTPs instead of relying on known indicators, Push spots credential stuffing and account takeover attempts the moment they begin, not after they’ve succeeded.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F52b0123cac2c4dfdb1dc0af6adf9d603",{"large":628},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":630,"meta":631,"component":632,"responsiveStyles":637},"builder-dfb31737b30948c6b95323655d571a50",{"previousId":386},{"name":373,"options":633,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":634,"description":635,"reverse":6,"image":636},"\u003Ch2>Detect session hijacks and stealth access\u003C/h2>","\u003Cp>Attackers don’t always need a login screen, they often sidestep it entirely using stolen session tokens. 
Push detects when valid sessions are reused in unexpected ways, identifying hijacked sessions and stealth access attempts that traditional tools miss. Because we monitor directly in the browser, you see what’s happening inside active sessions in real time.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F94a6859a99e04d309ffe5841f3dbdf5c",{"large":638},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":640,"meta":641,"component":642,"responsiveStyles":647},"builder-f7585b90eb974d03a7dc7eae5b58d227",{"previousId":397},{"name":373,"options":643,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":644,"description":645,"reverse":41,"image":646},"\u003Ch2>Harden accounts before they’re compromised\u003C/h2>","\u003Cp>Push goes beyond alerts. It identifies apps that still allow local logins, even when SSO is configured, so you can remove weak access paths. 
Push also flags users without MFA, reused work credentials, or weak passwords, and prompts users in-browser to fix risky behaviors before they’re exploited.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01c1b638f1b6497093a4f2b8ceddb5bb",{"large":648},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":650,"meta":651,"component":652,"responsiveStyles":654},"builder-ad81d1e3afec49a791214194eae09bdc",{"previousId":408},{"name":354,"options":653,"isRSC":118},{"darkMode":6},{"large":655},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":657,"component":658,"responsiveStyles":660},"builder-8dac1aa4b9d148628d92252bd8eff822",{"name":416,"tag":416,"options":659,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":661},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":663,"@type":106,"tagName":131,"properties":664,"responsiveStyles":665},"builder-pixel-s5u3wmvz7jq",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":666},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":668},{"path":37,"query":669},{},{},1770892814499,1745499162732,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F58b660fa94aa4b30b0faeb9b663ae41a","SfUPqW5tkibIPby49keNFMdHFTr1",[],{"lastPreviewUrl":677,"hasLinks":6,"originalContentId":259,"breakpoints":678,"winningTest":118,"kind":438,"hasAutosaves":41},"https://pushsecurity.com/uc/account-takeover-detection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepo
sitory%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.94bebb7bb99d48629ad157e80cf4d81d=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.use-case-page:/uc/account-takeover-detection=94bebb7bb99d48629ad157e80cf4d81d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":680,"id":681,"name":682,"modelId":261,"published":13,"query":683,"data":686,"variations":789,"lastUpdated":790,"firstPublished":791,"testRatio":33,"screenshot":792,"createdBy":34,"lastUpdatedBy":674,"folders":793,"meta":794,"rev":440},1745009370904,"23eb48fb56d3451cab77cb6ed140ee6d","Attack path hardening",[684],{"@type":264,"property":265,"operator":266,"value":685},"/uc/attack-path-hardening",{"tsCode":37,"seoDescription":687,"jsCode":37,"customFonts":688,"fontAwesomeIcon":693,"seoTitle":682,"title":682,"blocks":694,"url":685,"state":786},"Harden access paths with visibility, detection, and 
guardrails.",[689],{"kind":273,"files":690,"version":274,"lastModified":275,"subsets":691,"menu":296,"category":295,"variants":692,"family":272},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"regular":290,"italic":289,"800italic":285,"500italic":292,"600italic":294,"200italic":291,"900italic":286,"700italic":287,"100italic":288,"300italic":293},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"faRadar",[695,781],{"@type":106,"@version":107,"tagName":323,"id":696,"meta":697,"children":698},"builder-1d8553eddcaa44d7bba9e2f4ca13af2a",{"previousId":577},[699,715,722,729,738,748,758,768,775],{"@type":106,"@version":107,"id":700,"meta":701,"component":702,"responsiveStyles":713},"builder-84fe3d7c85a743cf8cef649aa974f1ef",{"previousId":581},{"name":327,"options":703,"isRSC":118},{"title":682,"description":704,"points":705,"video":712},"\u003Cp>Push continuously monitors your environment for exposed login paths, weak credentials, and missing protections like MFA. 
It detects the gaps attackers exploit and helps you close them before they’re used.\u003C/p>",[706,708,710],{"item":707},"Find weak spots like reused passwords, local logins, and missing MFA",{"item":709},"Monitor how users actually log in across apps, flows, and tools",{"item":711},"Enforce secure access with in-browser guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fdbdcf52892034f1bbddded77f753a343%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=dbdcf52892034f1bbddded77f753a343&alt=media&optimized=true",{"large":714},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":716,"meta":717,"component":718,"responsiveStyles":720},"builder-b3f66f5b08054cc78a06fecfc3ae2337",{"previousId":597},{"name":346,"options":719,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":721},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":723,"meta":724,"component":725,"responsiveStyles":727},"builder-4c73418b84be49ed85e6e13d2625c5a0",{"previousId":604},{"name":354,"options":726,"isRSC":118},{"darkMode":41},{"large":728},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":730,"component":731,"responsiveStyles":736},"builder-dec0246085e1485c803f7152b1922a81",{"name":359,"tag":359,"options":732,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":733,"description":734,"image":735,"reverse":6},"\u003Ch2>Find the gaps that lead to compromise\u003C/h2>","\u003Cp>Misconfigurations don’t show up in your config files, they show up in how users actually access apps. 
Push monitors real login behavior in the browser, surfacing risky patterns like local login access, duplicate accounts, or missing protections that leave doors wide open.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F309a59bba8d247a19476bb369397460e",{"large":737},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":739,"meta":740,"component":741,"responsiveStyles":746},"builder-ebf049a645604a249550996a88f8f3b6",{"previousId":620},{"name":373,"options":742,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":743,"description":744,"reverse":41,"image":745},"\u003Ch2>See real login behavior\u003C/h2>","\u003Cp>Push watches authentication flows as they happen, giving you a live view of how users log in, which methods they choose, and where protections like MFA are missing. Plus, uncover every app and account in use, even shadow IT you didn’t know existed, without relying on stale config files or IdP assumptions. \u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb51f6b0357cc451b87a7a5016d984e5e",{"large":747},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":749,"meta":750,"component":751,"responsiveStyles":756},"builder-431d175c59004669b0b2776b07d71737",{"previousId":630},{"name":373,"options":752,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":753,"description":754,"reverse":6,"image":755},"\u003Ch2>Find and fix posture drift\u003C/h2>","\u003Cp>Security posture isn’t static. Push continuously monitors for issues like missing MFA or legacy login methods. 
When something falls out of policy, you know immediately with custom notifications so you can act before it turns into risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F324e39127dfc41e592b1183dfb39892d",{"large":757},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":759,"meta":760,"component":761,"responsiveStyles":766},"builder-3dffdcbe0a484e2ca4c03f019b6d40ee",{"previousId":640},{"name":373,"options":762,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":763,"description":764,"reverse":41,"image":765},"\u003Ch2>Guide users with in-browser guardrails\u003C/h2>","\u003Cp>Push doesn’t just surface problems, it helps you fix them. When users sign in without MFA, reuse a password, or use insecure credentials, Push prompts them directly in the browser to secure their access. It’s faster, more effective, and actually gets 
results.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fee8b75d13e45488aba55434a8b49ebb0",{"large":767},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":769,"meta":770,"component":771,"responsiveStyles":773},"builder-976bc222cd7647ff905f1e01cfedc453",{"previousId":650},{"name":354,"options":772,"isRSC":118},{"darkMode":6},{"large":774},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":776,"component":777,"responsiveStyles":779},"builder-8c47ec2fd0f74382bb3e6c870555632c",{"name":416,"tag":416,"options":778,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":780},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":782,"@type":106,"tagName":131,"properties":783,"responsiveStyles":784},"builder-pixel-7akm7dayau8",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":785},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":787},{"path":37,"query":788},{},{},1770892844854,1745499166112,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6ca12bf728a045f1a31d40c0beb3bfe5",[],{"kind":438,"lastPreviewUrl":795,"breakpoints":796,"hasLinks":6,"originalContentId":562,"winningTest":118,"hasAutosaves":6},"https://pushsecurity.com/uc/attack-path-hardening?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&buil
der.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.23eb48fb56d3451cab77cb6ed140ee6d=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.use-case-page:/uc/attack-path-hardening=23eb48fb56d3451cab77cb6ed140ee6d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":798,"id":799,"name":800,"modelId":261,"published":13,"query":801,"data":804,"variations":909,"lastUpdated":910,"firstPublished":911,"testRatio":33,"screenshot":912,"createdBy":34,"lastUpdatedBy":674,"folders":913,"meta":914,"rev":440},1761675020232,"ea4f309d2ffe46c5aa97ebf0fda4e2e3","ClickFix Protection",[802],{"@type":264,"property":265,"operator":266,"value":803},"/uc/clickfix-protection",{"seoDescription":805,"fontAwesomeIcon":806,"customFonts":807,"seoTitle":812,"jsCode":37,"tsCode":37,"title":812,"blocks":813,"url":803,"state":906},"Block attacks that trick users into running malicious code.","faLaptopCode",[808],{"files":809,"subsets":810,"menu":296,"version":274,"kind":273,"family":272,"lastModified":275,"variants":811,"category":295},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"200italic":291,"800italic":285,"700italic":287,"600italic":294,"100italic":288,"italic":289,"regular":290,"300italic":293,"500italic":292,"900italic":286},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"ClickFix 
protection",[814,901],{"@type":106,"@version":107,"tagName":323,"id":815,"meta":816,"children":817},"builder-d7eefdde0f2a4b2b9de3dcb2978fd6cb",{"previousId":696},[818,834,841,848,858,868,878,888,895],{"@type":106,"@version":107,"id":819,"meta":820,"component":821,"responsiveStyles":832},"builder-56e2c54bcce040a4af8b92ae03706c12",{"previousId":700},{"name":327,"options":822,"isRSC":118},{"title":812,"description":823,"points":824,"image":831},"\u003Cp>ClickFix attacks are one of the fastest-growing threats, tricking users into copying malicious code from a webpage and running it locally. This technique bypasses traditional EDR, email gateways, and network filters, leading directly to ransomware and data theft. Push stops this attack at the source, in the browser, by detecting and blocking the malicious behavior before the user can ever paste the code.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[825,827,829],{"item":826},"Detect ClickFix, FileFix, and fake CAPTCHA in the browser",{"item":828},"Block malicious copy-and-paste actions before code is executed",{"item":830},"See full telemetry into which users were targeted and what they 
saw","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b74af62889847ebb3927364485b0546",{"large":833},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":835,"meta":836,"component":837,"responsiveStyles":839},"builder-05f9614d4e3e4dc88b3ee8658f54e10e",{"previousId":716},{"name":346,"options":838,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":840},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":842,"meta":843,"component":844,"responsiveStyles":846},"builder-c4fb5179366243c1b6c32d368675cf47",{"previousId":723},{"name":354,"options":845,"isRSC":118},{"darkMode":41},{"large":847},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":849,"meta":850,"component":851,"responsiveStyles":856},"builder-261af50705fd445d8cca4a6ba20d5391",{"previousId":730},{"name":359,"tag":359,"options":852,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":853,"description":854,"reverse":6,"image":855},"\u003Ch2>Stop ClickFix-style attacks before they become a breach\u003C/h2>","\u003Cp>Traditional security tools are blind to malicious copy and paste attacks because the attack exploits a gap between the browser and the endpoint. 
EDR only sees the payload after it runs, and network tools see only part of the picture.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F98b2f7e08dec4eafaf8e24937605b8cf",{"large":857},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":859,"meta":860,"component":861,"responsiveStyles":866},"builder-7d21b8aab8064c40b1e5dd23c4749309",{"previousId":739},{"name":373,"options":862,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":863,"description":864,"reverse":41,"image":865},"\u003Ch2>Discover lures at the source\u003C/h2>","\u003Cp>Push inspects page behavior to identify ClickFix attacks as they happen. By inspecting the page, its structure, and how the user interacts with it, Push can detect and block these in-browser threats in real time. This deep, TTP-based inspection spots the trap even on novel pages that are built to bypass traditional web filters and blocklists.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F665bf47e01544c75bf9ddafd3917927b",{"large":867},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":869,"meta":870,"component":871,"responsiveStyles":876},"builder-fb91943adf6149259ed9e1e6566c9afe",{"previousId":749},{"name":373,"options":872,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":873,"description":874,"reverse":6,"image":875},"\u003Ch2>Block the malicious action\u003C/h2>","\u003Cp>When Push detects a malicious script, it intercepts the user's action and blocks the code from being copied to the clipboard. The user is protected, the attack is stopped, and no malicious code ever reaches the endpoint. 
Unlike broad DLP tools, this action is surgical, targeting only malicious behavior without disrupting normal work.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F5ee68f81f1ac416685cbfe91298cf827",{"large":877},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":879,"meta":880,"component":881,"responsiveStyles":886},"builder-bfac95fada864e5a8259b955b5b5f98b",{"previousId":759},{"name":373,"options":882,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":883,"description":884,"reverse":41,"image":885},"\u003Ch2>Accelerate ClickFix investigations\u003C/h2>","\u003Cp>When an attack happens, knowing what the user saw or did is critical. Push provides rich browser session data for rapid investigation and containment. Security teams get detailed telemetry on which users were targeted, what lure they were served, and when the block occurred. 
This enables defenders to reconstruct what happened and respond quickly, even when other tools miss the activity entirely.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6cdf2a8aeddc4e9a9023cbf974e40239",{"large":887},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":889,"meta":890,"component":891,"responsiveStyles":893},"builder-136892e831684a6987f87d3be67c33d1",{"previousId":769},{"name":354,"options":892,"isRSC":118},{"darkMode":6},{"large":894},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":896,"component":897,"responsiveStyles":899},"builder-dec26b739f2f42beb5a73cfc6c675b60",{"name":416,"tag":416,"options":898,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":900},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":902,"@type":106,"tagName":131,"properties":903,"responsiveStyles":904},"builder-pixel-zzjpxxgrc2l",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":905},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":907},{"path":37,"query":908},{},{},1770892881888,1761847585203,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F375467b8bef34ed1a8a1cc5b8b67d75f",[],{"lastPreviewUrl":915,"originalContentId":681,"winningTest":118,"hasLinks":6,"kind":438,"breakpoints":916,"hasAutosaves":6},"https://pushsecurity.com/uc/clickfix-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.u
ser.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.ea4f309d2ffe46c5aa97ebf0fda4e2e3=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.use-case-page:/uc/clickfix-protection=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":918,"id":919,"name":920,"modelId":261,"published":13,"query":921,"data":924,"variations":1029,"lastUpdated":1030,"firstPublished":1031,"testRatio":33,"screenshot":1032,"createdBy":34,"lastUpdatedBy":674,"folders":1033,"meta":1034,"rev":440},1745009743870,"a9d5556e77f84a37b5bd52310a7110c1","Incident response",[922],{"@type":264,"property":265,"operator":266,"value":923},"/uc/incident-response",{"seoDescription":925,"customFonts":926,"title":920,"jsCode":37,"fontAwesomeIcon":931,"seoTitle":932,"tsCode":37,"blocks":933,"url":923,"state":1026},"Investigate and respond faster with unique browser telemetry.",[927],{"kind":273,"subsets":928,"menu":296,"variants":929,"category":295,"family":272,"version":274,"lastModified":275,"files":930},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"900italic":286,"600italic":294,"200italic":291,"300italic":293,"100italic":288,"700italic":287,"800italic":285,"regular":290,"italic":289,"500italic":292},"faSatelliteDish","Browser-based incident 
response",[934,1021],{"@type":106,"@version":107,"tagName":323,"id":935,"meta":936,"children":937},"builder-653c4aed737b4def88dc4cd2d695660a",{"previousId":696},[938,955,962,969,978,988,998,1008,1015],{"@type":106,"@version":107,"id":939,"meta":940,"component":941,"responsiveStyles":953},"builder-18190bd36518467d9154d27d7e945b9b",{"previousId":700},{"name":327,"options":942,"isRSC":118},{"title":943,"description":944,"points":945,"video":952},"Browser-based incident response","\u003Cp>Push gives you real-time visibility into what actually happened during a breach, right in the browser where the attack played out. From credential theft to session hijacking, Push captures high-fidelity telemetry so you can investigate quickly, contain confidently, and shut it down before it spreads.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[946,948,950],{"item":947},"Reconstruct what happened with real browser session context",{"item":949},"Investigate faster with real-world session context",{"item":951},"Trigger response actions automatically through your SIEM or 
SOAR","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fd00e39d3b6e346c296261d875cf55652%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=d00e39d3b6e346c296261d875cf55652&alt=media&optimized=true",{"large":954},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":956,"meta":957,"component":958,"responsiveStyles":960},"builder-8a0a8ea63f5d48dd8a6726f2d49cf0ca",{"previousId":716},{"name":346,"options":959,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":961},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":963,"meta":964,"component":965,"responsiveStyles":967},"builder-2df65c3f54334df2b26e7cb744886cdc",{"previousId":723},{"name":354,"options":966,"isRSC":118},{"darkMode":41},{"large":968},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":970,"component":971,"responsiveStyles":976},"builder-2c32c869efc2423ab69ef06b150e9f97",{"name":359,"tag":359,"options":972,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":973,"description":974,"image":975,"reverse":6},"\u003Ch2>See attacks unfold, not just their aftermath\u003C/h2>","\u003Cp>Attacks happen in the browser, not in logs. Push captures what traditional tools miss: what users clicked, what loaded, what was entered, and how attackers moved. 
That gives you real-world evidence, not just assumptions, when every second matters.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F36fc719bd1de4a38b916f4d25c81a26d",{"large":977},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":979,"meta":980,"component":981,"responsiveStyles":986},"builder-370e53c6016e432db01e9193a2ce90f6",{"previousId":739},{"name":373,"options":982,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":983,"description":984,"reverse":41,"image":985},"\u003Ch2>Investigate faster with high-fidelity data\u003C/h2>","\u003Cp>Reconstructing an incident shouldn’t feel like guesswork. Push records detailed telemetry from inside the browser: page loads, credential inputs, DOM changes, session activity, user behavior. It’s structured, exportable, and ready to plug into your investigation workflows, so you can move fast without digging through proxy logs or relying on user reports.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa6adda040e684e67a8d68a55c5ce5f6d",{"large":987},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":989,"meta":990,"component":991,"responsiveStyles":996},"builder-a7f3767a8d184bd08fb24520bf210e95",{"previousId":749},{"name":373,"options":992,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":993,"description":994,"reverse":6,"image":995},"\u003Ch2>Contain and respond in real time\u003C/h2>","\u003Cp>When something looks off, Push doesn’t just alert you, it gives you options. Guide users with in-browser prompts. Terminate sessions. Trigger SOAR workflows. Enrich SIEM alerts. 
Push gives you the context and control to stop spread before it starts.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb3dedeed5aba4847a2c2d22e10d0ec12",{"large":997},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":999,"meta":1000,"component":1001,"responsiveStyles":1006},"builder-b92036ee0ece4b32acdbdcc7c377366b",{"previousId":759},{"name":373,"options":1002,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1003,"description":1004,"reverse":41,"image":1005},"\u003Ch2>Prevent the next one\u003C/h2>","\u003Cp>Push helps you respond fast, but it also helps you fix what went wrong. It surfaces misconfigurations and risky behaviors that made the attack possible in the first place, then guides users in-browser to remediate. One tool. Full loop. No loose ends.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc1ecc2d5d3814b62b072fac01827ff96",{"large":1007},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1009,"meta":1010,"component":1011,"responsiveStyles":1013},"builder-5e8ae39655274de89da32ab573a2525a",{"previousId":769},{"name":354,"options":1012,"isRSC":118},{"darkMode":6},{"large":1014},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1016,"component":1017,"responsiveStyles":1019},"builder-dfd6850cfb4741d2b8a0c16c2780f00a",{"name":416,"tag":416,"options":1018,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1020},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1022,"@type":106,"tagName":131,"properties":1023,"responsiveStyles":1024},"builder-pixel-z197gdgcmu",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"lar
ge":1025},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1027},{"path":37,"query":1028},{},{},1770892908052,1745427419274,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb07017bfd318431690a5bb35bda35b99",[],{"kind":438,"breakpoints":1035,"originalContentId":681,"winningTest":118,"lastPreviewUrl":1036,"hasLinks":6,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/incident-response?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.a9d5556e77f84a37b5bd52310a7110c1=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.use-case-page:/uc/incident-response=a9d5556e77f84a37b5bd52310a7110c1&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"createdDate":1038,"id":1039,"name":1040,"modelId":261,"published":13,"query":1041,"data":1044,"variations":1149,"lastUpdated":1150,"firstPublished":1151,"testRatio":33,"screenshot":1152,"createdBy":34,"lastUpdatedBy":674,"folders":1153,"meta":1154,"rev":440},1746122471259,"5f118e24433d46ceb79f5099987156d7","Shadow SaaS",[1042],{"@type":264,"property":265,"operator":266,"value":1043},"/uc/shadow-saas",{"seoTitle":1045,"seoDescription":1046,"customFonts":1047,"fontAwesomeIcon":1052,"title":1053,"jsCode":37,"tsCode":37,"blocks":1054,"url":1043,"state":1146},"Find and secure shadow SaaS","See and 
control shadow SaaS in the browser.",[1048],{"kind":273,"variants":1049,"files":1050,"family":272,"version":274,"subsets":1051,"lastModified":275,"category":295,"menu":296},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"300italic":293,"500italic":292,"regular":290,"900italic":286,"italic":289,"100italic":288,"200italic":291,"600italic":294,"700italic":287,"800italic":285},[298,299],"faShieldCheck","Secure shadow SaaS",[1055,1141],{"@type":106,"@version":107,"tagName":323,"id":1056,"meta":1057,"children":1058},"builder-04da805c4cd34652a2db452fcda52e1d",{"previousId":935},[1059,1075,1082,1089,1098,1108,1118,1128,1135],{"@type":106,"@version":107,"id":1060,"meta":1061,"component":1062,"responsiveStyles":1073},"builder-830d414faeaf41439142f9157e8288c8",{"previousId":939},{"name":327,"options":1063,"isRSC":118},{"title":1045,"description":1064,"points":1065,"video":1072},"\u003Cp>SaaS sprawl is one of today’s fastest-growing security blind spots because most tools monitor around the edges. Push sees it at the source, in the browser, revealing every app users access, flagging risky tools, and helping you shut down exposure before it leads to a breach. No guesswork. No nasty surprises. 
Just real-time visibility and control.\u003C/p>",[1066,1068,1070],{"item":1067},"Discover every SaaS app users access, managed or not",{"item":1069},"Spot accounts with weak security postures like missing MFA, unmanaged access, and no SSO",{"item":1071},"Control usage with in-browser prompts, blocks, and security guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F3e4eece318d04d6586e691d59d0741cf%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=3e4eece318d04d6586e691d59d0741cf&alt=media&optimized=true",{"large":1074},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":1076,"meta":1077,"component":1078,"responsiveStyles":1080},"builder-cd7833f966cb4c7e8adf0d6c979414a6",{"previousId":956},{"name":346,"options":1079,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":1081},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":1083,"meta":1084,"component":1085,"responsiveStyles":1087},"builder-49d720b45430454e8b08c526f267c19f",{"previousId":963},{"name":354,"options":1086,"isRSC":118},{"darkMode":41},{"large":1088},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1090,"component":1091,"responsiveStyles":1096},"builder-3dde0bf6c8544e5e9ab41b18a9d68034",{"name":359,"tag":359,"options":1092,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":1093,"description":1094,"image":1095,"reverse":6},"\u003Ch2>Use your browser to curb Saas Sprawl\u003C/h2>","\u003Cp>Shadow SaaS isn’t hiding in your network, it’s in your browser. From AI tools to unsanctioned file-sharing sites, security risks live in the apps your users sign into every day. 
Push maps your organization's true SaaS footprint in real time, exposing apps and accounts with unmanaged access, poor authentication, or no security oversight.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb6811a214c7949b6bbe0b9a3bca62efd",{"large":1097},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1099,"meta":1100,"component":1101,"responsiveStyles":1106},"builder-e2420451ccdc4f088d0a4904cff45935",{"previousId":979},{"name":373,"options":1102,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":1103,"description":1104,"reverse":41,"image":1105},"\u003Ch2>Discover hidden SaaS usage\u003C/h2>","\u003Cp>Push captures live browser telemetry across every tab and session. Whether a user signs into a sanctioned app with a personal account or tries a new AI plugin, you’ll see it in real time, with no integrations or manual tagging.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe16e301f9af94665b95d98232a863d8a",{"large":1107},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":1109,"meta":1110,"component":1111,"responsiveStyles":1116},"builder-b36de7fce7994beea9e58d94662e7166",{"previousId":989},{"name":373,"options":1112,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":1113,"description":1114,"reverse":6,"image":1115},"\u003Ch2>Spot risky access and unsafe usage\u003C/h2>","\u003Cp>Discovery is just the beginning. Push flags apps with risky traits, no MFA, no SSO, known vulnerabilities, or broad access scopes. 
You’ll know which tools introduce real risk, and which users are exposed so you can act with precision.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6585f3c242da4d70ae3cb7d02f481bef",{"large":1117},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":1119,"meta":1120,"component":1121,"responsiveStyles":1126},"builder-dc366b5134684fe7a508edf8913103ea",{"previousId":999},{"name":373,"options":1122,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1123,"description":1124,"reverse":41,"image":1125},"\u003Ch2>Close gaps before they grow\u003C/h2>","\u003Cp>Push turns insight into action. When risky SaaS use is detected, guide users to enable MFA, block high-risk apps, or apply in-browser guardrails automatically. All without deploying new infrastructure or managing dozens of integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe6d60b6d91414819bc6258a318f00557",{"large":1127},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1129,"meta":1130,"component":1131,"responsiveStyles":1133},"builder-8708f6f0d8da4b3f9e17bf16cda70219",{"previousId":1009},{"name":354,"options":1132,"isRSC":118},{"darkMode":6},{"large":1134},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1136,"component":1137,"responsiveStyles":1139},"builder-8ff4b38d60534cf28cb523ab0f754875",{"name":416,"tag":416,"options":1138,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1140},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1142,"@type":106,"tagName":131,"properties":1143,"responsiveStyles":1144},"builder-pixel-d1ul2kmxbed",{"src":133,"aria-hidden":134,"alt":37,"role":135,"w
idth":124,"height":124},{"large":1145},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1147},{"path":37,"query":1148},{},{},1770892936802,1746714967208,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01bfb2304521412fbd2e1a1180904d40",[],{"originalContentId":919,"winningTest":118,"lastPreviewUrl":1155,"breakpoints":1156,"kind":438,"hasLinks":6,"hasAutosaves":6},"https://pushsecurity.com/uc/shadow-saas?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=5f118e24433d46ceb79f5099987156d7&builder.overrides.5f118e24433d46ceb79f5099987156d7=5f118e24433d46ceb79f5099987156d7&builder.overrides.use-case-page:/uc/shadow-saas=5f118e24433d46ceb79f5099987156d7&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":1158,"id":1159,"name":1160,"modelId":261,"published":13,"query":1161,"data":1164,"variations":1268,"lastUpdated":1269,"firstPublished":1270,"testRatio":33,"screenshot":1271,"createdBy":34,"lastUpdatedBy":674,"folders":1272,"meta":1273,"rev":440},1764707470172,"b62629ce2f3741158d961cd10fe74b31","Shadow AI",[1162],{"@type":264,"property":265,"operator":266,"value":1163},"/uc/shadow-ai",{"fontAwesomeIcon":1165,"seoTitle":1166,"jsCode":37,"customFonts":1167,"title":1172,"tsCode":37,"seoDescription":1173,"blocks":1174,"url":1163,"state":1265},"faBrainCircuit","Secure AI 
native and AI enhanced apps. ",[1168],{"variants":1169,"category":295,"files":1170,"subsets":1171,"family":272,"kind":273,"menu":296,"lastModified":275,"version":274},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"800italic":285,"regular":290,"700italic":287,"200italic":291,"italic":289,"500italic":292,"600italic":294,"300italic":293,"100italic":288,"900italic":286},[298,299],"Secure shadow AI","See and control shadow AI apps in the browser.",[1175,1260],{"@type":106,"@version":107,"tagName":323,"id":1176,"meta":1177,"children":1178},"builder-a6e5717a2c914d5695058e4ee201a05d",{"previousId":1056},[1179,1195,1202,1209,1219,1228,1237,1247,1254],{"@type":106,"@version":107,"id":1180,"meta":1181,"component":1182,"responsiveStyles":1193},"builder-3e0ed678683f4a0eb7aa00253cf263b2",{"previousId":1060},{"name":327,"options":1183,"isRSC":118},{"title":1172,"description":1184,"points":1185,"image":1192},"\u003Cp>Your employees are adopting AI faster than you can track it. From native features in corporate apps to unapproved shadow tools, it’s all happening in the browser. 
Push detects every AI interaction in real time, letting you categorize apps and enforce acceptable use policies in the browser.\u003C/p>",[1186,1188,1190],{"item":1187},"Map every AI tool used across your workforce",{"item":1189},"Review and classify apps by sensitivity, purpose, and policy status",{"item":1191},"Enforce AI usage rules directly in the browser","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F33cf153d920f4e389f3650253577cff7",{"large":1194},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":1196,"meta":1197,"component":1198,"responsiveStyles":1200},"builder-76968f8471d14893b8189d75b08fb426",{"previousId":1076},{"name":346,"options":1199,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":1201},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":1203,"meta":1204,"component":1205,"responsiveStyles":1207},"builder-b55b9d4bc5a649d8839ce7f6c2043d95",{"previousId":1083},{"name":354,"options":1206,"isRSC":118},{"darkMode":41},{"large":1208},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1210,"meta":1211,"component":1212,"responsiveStyles":1217},"builder-c3f38ef4d75d4989a29b5903175ed8a1",{"previousId":1090},{"name":359,"tag":359,"options":1213,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":1214,"description":1215,"image":1216,"reverse":6},"\u003Ch2>Use your browser to govern AI \u003C/h2>","\u003Cp>The AI footprint inside your company is bigger than you think. From text generators to meeting assistants and design copilots, employees test, adopt, and connect new tools constantly. 
Push shows you those tools and which users are accessing them, without relying on network scans or API integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F30b43bda6f1644c19478fb1efa20050c",{"large":1218},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1220,"meta":1221,"component":1222,"responsiveStyles":1226},"builder-90ee9cb9afc44e7f885523715bf51a53",{"previousId":1099},{"name":373,"options":1223,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":1224,"description":1225,"reverse":41,"image":1115},"\u003Ch2>Discover every AI tool users touch\u003C/h2>","\u003Cp>Push captures live telemetry from the browser, identifying every AI-native and AI-enhanced application users access. You’ll know which corporate identities are connected, how data flows, and what new AI apps appear across your environment. \u003C/p>",{"large":1227},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":1229,"meta":1230,"component":1231,"responsiveStyles":1235},"builder-9e44539fa53c4d8e87406036c921fc46",{"previousId":1109},{"name":373,"options":1232,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":1233,"description":1234,"reverse":6,"image":1125},"\u003Ch2>Classify and manage AI risk\u003C/h2>","\u003Cp>For apps you choose to allow, Push lets you apply custom in-browser banners. You can bulk-select categories of AI tools and require users to read and acknowledge your acceptable use policy before they proceed. 
This creates an auditable trail and moves policy from an easy to forget document to an active, in-workflow control.\u003C/p>",{"large":1236},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":1238,"meta":1239,"component":1240,"responsiveStyles":1245},"builder-44c1a891926f4bdeaaa37e90721fe6ac",{"previousId":1119},{"name":373,"options":1241,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1242,"description":1243,"reverse":41,"image":1244},"\u003Ch2>Enforce your AI policy in the browser\u003C/h2>","\u003Cp>When an AI tool is deemed non-compliant or too risky, Push blocks it at the source. The block happens directly in the browser, preventing the user from accessing the site or submitting data. This gives you an immediate, powerful lever to stop data exfiltration and enforce a hard line on unacceptable risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa359ac1805af4e15a8a7f84632b9bb55",{"large":1246},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1248,"meta":1249,"component":1250,"responsiveStyles":1252},"builder-dcc906f9cbe54dc68b3c672668e7a38f",{"previousId":1129},{"name":354,"options":1251,"isRSC":118},{"darkMode":6},{"large":1253},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1255,"component":1256,"responsiveStyles":1258},"builder-d2d64780c31b4349bc75805b23a07e38",{"name":416,"tag":416,"options":1257,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1259},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1261,"@type":106,"tagName":131,"properties":1262,"responsiveStyles":1263},"builder-pixel-wxx9tk70r9p",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124
},{"large":1264},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1266},{"path":37,"query":1267},{},{},1770892957225,1764950077593,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe558b8b069884037a8e6904f7ecc029c",[],{"winningTest":118,"breakpoints":1274,"originalContentId":1039,"kind":438,"lastPreviewUrl":1275,"hasLinks":6,"hasAutosaves":41},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/shadow-ai?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=b62629ce2f3741158d961cd10fe74b31&builder.overrides.b62629ce2f3741158d961cd10fe74b31=b62629ce2f3741158d961cd10fe74b31&builder.overrides.use-case-page:/uc/shadow-ai=b62629ce2f3741158d961cd10fe74b31&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"_path":1277,"_dir":1278,"_draft":6,"_partial":6,"_locale":37,"sys":1279,"ogImage":118,"summary":1282,"title":1296,"subtitle":118,"metaTitle":1297,"synopsis":1292,"hashTags":118,"publishedDate":1298,"slug":1299,"tagsCollection":1300,"relatedBlogPostsCollection":1310,"authorsCollection":3962,"content":3969,"_id":4319,"_type":4320,"_source":4321,"_file":4322,"_stem":4323,"_extension":4320},"/blog/2025-hipaa-rule-change","blog",{"id":1280,"publishedAt":1281},"1DXre707DVy7nUQeuxaPvL","2025-05-29T13:49:45.186Z",{"json":1283},{"data":1284,"content":1285,"nodeType":1295},{},[1286],{"data":1287,"content":1288,"nod
eType":1294},{},[1289],{"data":1290,"marks":1291,"value":1292,"nodeType":1293},{},[],"The HIPAA Security Rule is getting a long-overdue facelift in 2025. Here's our quick overview of the key changes and how Push can help you to be compliant. ","text","paragraph","document","Navigating the 2025 HIPAA Security Rule changes: What you need to know (and how Push can help)","Navigating the 2025 HIPAA Security Rule changes","2025-05-29T00:00:00.000Z","2025-hipaa-rule-change",{"items":1301},[1302,1306],{"sys":1303,"name":1305},{"id":1304},"3pjES4THCIfSAwhGdNwBcy","Identity security",{"sys":1307,"name":1309},{"id":1308},"1gZi8NrRy2v9OqPV7C4dwD","Risk management",{"items":1311},[1312,2228,2569],{"__typename":1313,"sys":1314,"content":1316,"title":2208,"synopsis":2209,"hashTags":118,"publishedDate":2210,"slug":2211,"tagsCollection":2212,"authorsCollection":2220},"BlogPosts",{"id":1315},"1VGP8VIzwMh0zjNOzU5qaq",{"json":1317},{"nodeType":1295,"data":1318,"content":1319},{},[1320,1327,1334,1341,1350,1354,1364,1386,1393,1400,1407,1432,1440,1443,1451,1458,1465,1472,1479,1485,1492,1499,1532,1539,1548,1554,1561,1581,1601,1609,1629,1635,1642,1649,1682,1690,1697,1703,1710,1717,1750,1758,1778,1786,1806,1814,1821,1827,1834,1837,1845,1865,1921,1928,1935,1943,1950,1973,1980,1999,2005,2012,2018,2025,2088,2096,2116,2123,2146,2149,2157,2164,2170,2177,2196,2202],{"nodeType":1294,"data":1321,"content":1322},{},[1323],{"nodeType":1293,"value":1324,"marks":1325,"data":1326},"A lot happened last year in the world of identity security — particularly in terms of the attacks we’ve experienced targeting internet applications and services. 
With this trend certain to continue in 2025, it’s more important than ever that product vendors build products with a secure baseline of fundamental controls and safeguards.",[],{},{"nodeType":1294,"data":1328,"content":1329},{},[1330],{"nodeType":1293,"value":1331,"marks":1332,"data":1333},"The vast majority of the identity vulnerabilities we observe in the wild are the result of multiple auth mechanisms being attached to a single account. The more methods that are configured (or are configurable), the greater the risk that insecure identities will be created — and exploited by attackers. ",[],{},{"nodeType":1294,"data":1335,"content":1336},{},[1337],{"nodeType":1293,"value":1338,"marks":1339,"data":1340},"The good news is that with a coordinated response from app vendors, this surface can be significantly reduced. The bad news is that right now, we’re very far from a universal standard when it comes to how apps handle authentication and identities. ",[],{},{"nodeType":1342,"data":1343,"content":1349},"embedded-entry-block",{"target":1344},{"sys":1345},{"id":1346,"type":1347,"linkType":1348},"4QoPUiP5q6Mwj1eWUZT15Q","Link","Entry",[],{"nodeType":1351,"data":1352,"content":1353},"hr",{},[],{"nodeType":1355,"data":1356,"content":1357},"heading-1",{},[1358],{"nodeType":1293,"value":1359,"marks":1360,"data":1363},"Where to start?",[1361],{"type":1362},"bold",{},{"nodeType":1294,"data":1365,"content":1366},{},[1367,1371,1382],{"nodeType":1293,"value":1368,"marks":1369,"data":1370},"The ",[],{},{"nodeType":1372,"data":1373,"content":1375},"hyperlink",{"uri":1374},"https://mvsp.dev/mvsp.en/",[1376],{"nodeType":1293,"value":1377,"marks":1378,"data":1381},"Minimum Viable Secure Product (MVSP)",[1379],{"type":1380},"underline",{},{"nodeType":1293,"value":1383,"marks":1384,"data":1385}," initiative is a great resource for product and engineering teams that sets out essential controls that should be implemented in enterprise-ready products and services. 
MVSP does a fantastic job of getting to the heart of what’s important for vendor products, as compared to more general frameworks and standards like ISO and NIST that cover wider controls that should be implemented across the enterprise. ",[],{},{"nodeType":1294,"data":1387,"content":1388},{},[1389],{"nodeType":1293,"value":1390,"marks":1391,"data":1392},"We don’t want to reinvent the wheel, so we won’t be redoing the fundamentals already covered in MVSP. But MVSP inspired us to think – what are the vendor controls that would make a meaningful difference against the identity attacks we’re seeing in the wild? ",[],{},{"nodeType":1294,"data":1394,"content":1395},{},[1396],{"nodeType":1293,"value":1397,"marks":1398,"data":1399},"With better, consistent security standards, SaaS developers can close off a number of ATO techniques and generally make life much more difficult for attackers. ",[],{},{"nodeType":1294,"data":1401,"content":1402},{},[1403],{"nodeType":1293,"value":1404,"marks":1405,"data":1406},"We’ve identified two key areas of potential improvement which would make a material difference to ATO resilience:",[],{},{"nodeType":1408,"data":1409,"content":1410},"unordered-list",{},[1411,1422],{"nodeType":1412,"data":1413,"content":1414},"list-item",{},[1415],{"nodeType":1294,"data":1416,"content":1417},{},[1418],{"nodeType":1293,"value":1419,"marks":1420,"data":1421},"Many of the emerging TTPs could be seriously impaired (or prevented entirely) with improved authentication and identity management controls. ",[],{},{"nodeType":1412,"data":1423,"content":1424},{},[1425],{"nodeType":1294,"data":1426,"content":1427},{},[1428],{"nodeType":1293,"value":1429,"marks":1430,"data":1431},"Detecting attacks and responding to identity breaches on third-party apps is a nightmare due to the availability of log data (or lack thereof). 
",[],{},{"nodeType":1294,"data":1433,"content":1434},{},[1435],{"nodeType":1293,"value":1436,"marks":1437,"data":1439},"Let’s look at the changes that app vendors can make to improve the situation. ",[1438],{"type":1362},{},{"nodeType":1351,"data":1441,"content":1442},{},[],{"nodeType":1355,"data":1444,"content":1445},{},[1446],{"nodeType":1293,"value":1447,"marks":1448,"data":1450},"Provide the visibility and control to manage and harden identities",[1449],{"type":1362},{},{"nodeType":1294,"data":1452,"content":1453},{},[1454],{"nodeType":1293,"value":1455,"marks":1456,"data":1457},"In the context of SaaS, identity security controls are your best (and in many cases, your last) defense against cyber attacks. ",[],{},{"nodeType":1294,"data":1459,"content":1460},{},[1461],{"nodeType":1293,"value":1462,"marks":1463,"data":1464},"Pretty much every SaaS attack involves ATO through identity-based techniques, such as phishing, credential stuffing, or session hijacking using stolen cookies. In contrast, very few involve classic vulnerability exploitation (e.g. injection vulns, cross-site scripting, etc.). ",[],{},{"nodeType":1294,"data":1466,"content":1467},{},[1468],{"nodeType":1293,"value":1469,"marks":1470,"data":1471},"When all an attacker needs to do is log into an app and dump the data to succeed, there isn’t much in the way of post-ATO activity to detect and respond to (even if you had the logs you need, more on this later) — which is why robust authentication controls to prevent unauthorized access are so important. ",[],{},{"nodeType":1294,"data":1473,"content":1474},{},[1475],{"nodeType":1293,"value":1476,"marks":1477,"data":1478},"If post-ATO activity does occur, it is often to compromise additional accounts with in-app administrative privileges as opposed to pivoting to other environments. 
",[],{},{"nodeType":1342,"data":1480,"content":1484},{"target":1481},{"sys":1482},{"id":1483,"type":1347,"linkType":1348},"3l9SxYjTtls6URgbI0NiU3",[],{"nodeType":1294,"data":1486,"content":1487},{},[1488],{"nodeType":1293,"value":1489,"marks":1490,"data":1491},"As you’d expect, many apps prioritize a frictionless user experience over security. This is one of the main drivers of insecure authentication implementation. Consistent implementation of identity and authentication controls would go a long way to reducing the susceptibility of apps to the majority of identity attack techniques. ",[],{},{"nodeType":1294,"data":1493,"content":1494},{},[1495],{"nodeType":1293,"value":1496,"marks":1497,"data":1498},"In terms of authentication and identity management, MVSP focuses on:",[],{},{"nodeType":1408,"data":1500,"content":1501},{},[1502,1512,1522],{"nodeType":1412,"data":1503,"content":1504},{},[1505],{"nodeType":1294,"data":1506,"content":1507},{},[1508],{"nodeType":1293,"value":1509,"marks":1510,"data":1511},"Providing an SSO mechanism, ",[],{},{"nodeType":1412,"data":1513,"content":1514},{},[1515],{"nodeType":1294,"data":1516,"content":1517},{},[1518],{"nodeType":1293,"value":1519,"marks":1520,"data":1521},"Implementing a robust password policy, and ",[],{},{"nodeType":1412,"data":1523,"content":1524},{},[1525],{"nodeType":1294,"data":1526,"content":1527},{},[1528],{"nodeType":1293,"value":1529,"marks":1530,"data":1531},"Logically separating data/functions based on the needs of a user type/group. ",[],{},{"nodeType":1294,"data":1533,"content":1534},{},[1535],{"nodeType":1293,"value":1536,"marks":1537,"data":1538},"We can go beyond these basic auth controls to prevent identity attacks by providing better default security configurations, and giving admins more visibility and control over identities. ",[],{},{"nodeType":1540,"data":1541,"content":1542},"heading-2",{},[1543],{"nodeType":1293,"value":1544,"marks":1545,"data":1547},"1. 
Allow one active login method (and require external re-verification to change to another).",[1546],{"type":1362},{},{"nodeType":1342,"data":1549,"content":1553},{"target":1550},{"sys":1551},{"id":1552,"type":1347,"linkType":1348},"65YwkaNS3LjB1vZsYQtXQH",[],{"nodeType":1294,"data":1555,"content":1556},{},[1557],{"nodeType":1293,"value":1558,"marks":1559,"data":1560},"There is very rarely a need for multiple authentication methods to be active for the same account at the same time. Perhaps you upgrade from a local password to OIDC or SAML — but there’s no need to have multiple SSO logins from different providers at once, and there’s no need to continue using a local password after adding an SSO method. One exception is Administrators retaining local password access to access the tenant in case SAML configuration breaks (commonly because certificates expire) but in all other cases it’s an anti-pattern to allow any user more than one auth method. ",[],{},{"nodeType":1294,"data":1562,"content":1563},{},[1564,1568,1577],{"nodeType":1293,"value":1565,"marks":1566,"data":1567},"We call these alternative login methods (especially when they are in addition to SAML — so e.g. local password or OIDC logins using Google or Microsoft) ",[],{},{"nodeType":1372,"data":1569,"content":1571},{"uri":1570},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/ghost_logins/description.md",[1572],{"nodeType":1293,"value":1573,"marks":1574,"data":1576},"ghost logins",[1575],{"type":1380},{},{"nodeType":1293,"value":1578,"marks":1579,"data":1580}," because they provide attackers with a way around a company’s chosen enterprise SSO option. ",[],{},{"nodeType":1294,"data":1582,"content":1583},{},[1584,1588,1597],{"nodeType":1293,"value":1585,"marks":1586,"data":1587},"This situation most commonly arises because apps automatically merge login methods. 
So for example, if a user normally logs in with a password, but then attempts to log in using an OIDC or social login — many apps automatically merge that new login method with the existing account. This is particularly problematic when it’s done without further verification steps — leading to ",[],{},{"nodeType":1372,"data":1589,"content":1591},{"uri":1590},"https://pushsecurity.com/blog/a-new-class-of-phishing-verification-phishing-and-cross-idp-impersonation/",[1592],{"nodeType":1293,"value":1593,"marks":1594,"data":1596},"cross-IdP attacks",[1595],{"type":1380},{},{"nodeType":1293,"value":1598,"marks":1599,"data":1600},". Ideally, apps should disable the old login method when a new one is enabled, but at the very least, external verification of the change should be required (e.g. via email). ",[],{},{"nodeType":1540,"data":1602,"content":1603},{},[1604],{"nodeType":1293,"value":1605,"marks":1606,"data":1608},"2. Require external verification of changes to IdP configuration settings.",[1607],{"type":1362},{},{"nodeType":1294,"data":1610,"content":1611},{},[1612,1616,1625],{"nodeType":1293,"value":1613,"marks":1614,"data":1615},"Attackers that are able to compromise one account with the level of privilege required to change the SAML settings in-app (typically an app admin), even on an app that is otherwise uninteresting or low risk – can perform an attack technique known as ",[],{},{"nodeType":1372,"data":1617,"content":1619},{"uri":1618},"https://pushsecurity.com/blog/samljacking-a-poisoned-tenant/",[1620],{"nodeType":1293,"value":1621,"marks":1622,"data":1624},"SAMLjacking",[1623],{"type":1380},{},{"nodeType":1293,"value":1626,"marks":1627,"data":1628},". This can be used to direct users to authenticate to the app via an attacker-controlled IdP tenant (so e.g. an attacker’s own Okta instance or phishing page that looks like Okta/MS/Google) to capture additional credentials and facilitate further compromise of accounts. 
",[],{},{"nodeType":1342,"data":1630,"content":1634},{"target":1631},{"sys":1632},{"id":1633,"type":1347,"linkType":1348},"4YfQDIY2hhE77h2xDr9Ja",[],{"nodeType":1294,"data":1636,"content":1637},{},[1638],{"nodeType":1293,"value":1639,"marks":1640,"data":1641},"To mitigate this, any SAML changes should require external verification, ideally through an out-of-band method like DNS Verification. If this can’t be achieved and you need to rely on email, the request should be sent to all app admins (to increase awareness of the risky change) and come with a cooldown period before the change takes effect. This improves the chance that an attacker’s SAMLjacking attack can be intercepted before half of the victim’s workforce gets keylogged — not after!",[],{},{"nodeType":1294,"data":1643,"content":1644},{},[1645],{"nodeType":1293,"value":1646,"marks":1647,"data":1648},"Other viable control options include:",[],{},{"nodeType":1408,"data":1650,"content":1651},{},[1652,1662,1672],{"nodeType":1412,"data":1653,"content":1654},{},[1655],{"nodeType":1294,"data":1656,"content":1657},{},[1658],{"nodeType":1293,"value":1659,"marks":1660,"data":1661},"Once SAML is configured, ensure it can't be edited without contacting the app developer",[],{},{"nodeType":1412,"data":1663,"content":1664},{},[1665],{"nodeType":1294,"data":1666,"content":1667},{},[1668],{"nodeType":1293,"value":1669,"marks":1670,"data":1671},"Service Provider initiated flows not enabled by default to stop attackers from hijacking logins using Home Realm Discovery for domains they don't own",[],{},{"nodeType":1412,"data":1673,"content":1674},{},[1675],{"nodeType":1294,"data":1676,"content":1677},{},[1678],{"nodeType":1293,"value":1679,"marks":1680,"data":1681},"Disallow new signups using password or OIDC logins when a domain is connected via SAML",[],{},{"nodeType":1540,"data":1683,"content":1684},{},[1685],{"nodeType":1293,"value":1686,"marks":1687,"data":1689},"3. 
Provide admins with visibility of account authentication (login methods, MFA methods, IdPs used) and allow them to be restricted or removed. ",[1688],{"type":1362},{},{"nodeType":1294,"data":1691,"content":1692},{},[1693],{"nodeType":1293,"value":1694,"marks":1695,"data":1696},"Many apps provide very limited information to admins about the configuration of identities within their tenant, and fewer still provide any mechanism for admins to take action if gaps or potential weak points are discovered. Some don’t even provide information about which accounts have access to the tenant at all. As a security team member this is maddening. ",[],{},{"nodeType":1342,"data":1698,"content":1702},{"target":1699},{"sys":1700},{"id":1701,"type":1347,"linkType":1348},"5z3zNE7z9TWUJsYCmwew1S",[],{"nodeType":1294,"data":1704,"content":1705},{},[1706],{"nodeType":1293,"value":1707,"marks":1708,"data":1709},"It’s vital that, at the bare minimum, admins can access information (ideally in a dashboard) with the accounts, all login methods configured, MFA factors set, and the SSO methods used (specifying the IdP and protocol). All login methods should be visible to security admins, including secondary email addresses, social login connections, and so on. ",[],{},{"nodeType":1294,"data":1711,"content":1712},{},[1713],{"nodeType":1293,"value":1714,"marks":1715,"data":1716},"It should then also be possible to set a preferred method (e.g. only SAML from Microsoft, or OIDC from Google) and delete or disable ones that pose a risk. ",[],{},{"nodeType":1294,"data":1718,"content":1719},{},[1720,1724,1733,1737,1746],{"nodeType":1293,"value":1721,"marks":1722,"data":1723},"For security teams to be able to clean up insecure identities, they need to be able to make changes inside the app without requiring an action from the user. 
This means removing phishable MFA factors to prevent ",[],{},{"nodeType":1372,"data":1725,"content":1727},{"uri":1726},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/mfa_fatigue/description.md",[1728],{"nodeType":1293,"value":1729,"marks":1730,"data":1732},"MFA fatigue",[1731],{"type":1380},{},{"nodeType":1293,"value":1734,"marks":1735,"data":1736}," and ",[],{},{"nodeType":1372,"data":1738,"content":1740},{"uri":1739},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/mfa_downgrade/description.md",[1741],{"nodeType":1293,"value":1742,"marks":1743,"data":1745},"MFA downgrade",[1744],{"type":1380},{},{"nodeType":1293,"value":1747,"marks":1748,"data":1749}," attacks.  ",[],{},{"nodeType":1540,"data":1751,"content":1752},{},[1753],{"nodeType":1293,"value":1754,"marks":1755,"data":1757},"4. Support the use of domain-bound credentials (whether in the form of a passkey or MFA method) that are phishing resistant (FIDO key).",[1756],{"type":1362},{},{"nodeType":1294,"data":1759,"content":1760},{},[1761,1765,1774],{"nodeType":1293,"value":1762,"marks":1763,"data":1764},"It’s no longer the case that simply having MFA is enough to stop identity attacks. The vast majority of phishing campaigns now make use of ",[],{},{"nodeType":1372,"data":1766,"content":1768},{"uri":1767},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/aitm_phishing/description.md",[1769],{"nodeType":1293,"value":1770,"marks":1771,"data":1773},"AitM toolkits designed to bypass MFA",[1772],{"type":1380},{},{"nodeType":1293,"value":1775,"marks":1776,"data":1777},". The only MFA methods considered to be phishing resistant are those using device-bound authentication methods such as passkeys/WebAuthn. However, only a handful of apps actually support these authentication methods. While the majority of SSO apps do support them, apps should provide support locally as well, particularly for B2C use-cases where enterprise SSO isn’t being used. 
",[],{},{"nodeType":1540,"data":1779,"content":1780},{},[1781],{"nodeType":1293,"value":1782,"marks":1783,"data":1785},"5. Allow active sessions to be viewed and remotely terminated by administrators.",[1784],{"type":1362},{},{"nodeType":1294,"data":1787,"content":1788},{},[1789,1793,1802],{"nodeType":1293,"value":1790,"marks":1791,"data":1792},"Most apps have no way of viewing valid sessions and session activity, even as an administrator. With session hijacking attacks using ",[],{},{"nodeType":1372,"data":1794,"content":1796},{"uri":1795},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/session_cookie_theft/description.md",[1797],{"nodeType":1293,"value":1798,"marks":1799,"data":1801},"stolen session cookies",[1800],{"type":1380},{},{"nodeType":1293,"value":1803,"marks":1804,"data":1805}," on the rise, being able to (at the very least) terminate sessions that are suspected to have been compromised is key to effective incident response. In an ideal world, you would be able to view the properties of the session (such as the browser, IP, location that the session is being accessed from) to identify unusual or suspicious activity, which could in turn be leveraged by SecOps teams for their detection workflows. ",[],{},{"nodeType":1540,"data":1807,"content":1808},{},[1809],{"nodeType":1293,"value":1810,"marks":1811,"data":1813},"6. Allow admins to prevent users with a matching domain from auto-joining a company tenant without being invited or approved by an admin, and notify when they do. ",[1812],{"type":1362},{},{"nodeType":1294,"data":1815,"content":1816},{},[1817],{"nodeType":1293,"value":1818,"marks":1819,"data":1820},"Many apps do not provide the level of granular permissions that we’ve come to associate with enterprise cloud platforms — often because it simply isn’t necessary. This means that a lot of the time, the average user can access most, if not all of the data stored within an app. 
This is problematic if any user with a matching domain can join a company’s app tenant. This creates insider risk, as well as increasing the blast radius of ATO of an IdP account in terms of affected apps — it’s not just the apps they’re actively using, but any they can sign up to as well. ",[],{},{"nodeType":1342,"data":1822,"content":1826},{"target":1823},{"sys":1824},{"id":1825,"type":1347,"linkType":1348},"SKchIQFHSWumQsORBYNs5",[],{"nodeType":1294,"data":1828,"content":1829},{},[1830],{"nodeType":1293,"value":1831,"marks":1832,"data":1833},"To address this, apps should allow admins to lock down their app tenant to be invite-only should they desire (and enable it by default), and at least issue email notifications to admins whenever a new user joins the company’s app tenant — prompting the admin to check that the event is expected. ",[],{},{"nodeType":1351,"data":1835,"content":1836},{},[],{"nodeType":1355,"data":1838,"content":1839},{},[1840],{"nodeType":1293,"value":1841,"marks":1842,"data":1844},"Enable security teams to detect and respond to identity attacks",[1843],{"type":1362},{},{"nodeType":1294,"data":1846,"content":1847},{},[1848,1852,1861],{"nodeType":1293,"value":1849,"marks":1850,"data":1851},"Security teams required to respond to incidents affecting SaaS apps are ",[],{},{"nodeType":1372,"data":1853,"content":1855},{"uri":1854},"https://mayakaczorowski.com/blogs/what-sucks-in-security",[1856],{"nodeType":1293,"value":1857,"marks":1858,"data":1860},"united in how painful it is",[1859],{"type":1380},{},{"nodeType":1293,"value":1862,"marks":1863,"data":1864},": ",[],{},{"nodeType":1408,"data":1866,"content":1867},{},[1868,1891,1901,1911],{"nodeType":1412,"data":1869,"content":1870},{},[1871],{"nodeType":1294,"data":1872,"content":1873},{},[1874,1878,1887],{"nodeType":1293,"value":1875,"marks":1876,"data":1877},"Many SaaS providers don’t offer audit logs at all 
(",[],{},{"nodeType":1372,"data":1879,"content":1881},{"uri":1880},"https://audit-logs.tax/",[1882],{"nodeType":1293,"value":1883,"marks":1884,"data":1886},"or charge extra for the privilege",[1885],{"type":1380},{},{"nodeType":1293,"value":1888,"marks":1889,"data":1890},"). ",[],{},{"nodeType":1412,"data":1892,"content":1893},{},[1894],{"nodeType":1294,"data":1895,"content":1896},{},[1897],{"nodeType":1293,"value":1898,"marks":1899,"data":1900},"Even when logs are available, they might be incomplete, like missing login events, or critical pieces of information in the event needed to decide whether it’s malicious or not.",[],{},{"nodeType":1412,"data":1902,"content":1903},{},[1904],{"nodeType":1294,"data":1905,"content":1906},{},[1907],{"nodeType":1293,"value":1908,"marks":1909,"data":1910},"The lack of standardization across tools creates ingestion challenges, with each app requiring custom development work.",[],{},{"nodeType":1412,"data":1912,"content":1913},{},[1914],{"nodeType":1294,"data":1915,"content":1916},{},[1917],{"nodeType":1293,"value":1918,"marks":1919,"data":1920},"The logs you really need can’t always be accessed programmatically. The provider might have them, but you’ll need to put in a request – that could take hours or days to respond to. ",[],{},{"nodeType":1294,"data":1922,"content":1923},{},[1924],{"nodeType":1293,"value":1925,"marks":1926,"data":1927},"All of this makes it very challenging to ingest meaningful security log data from SaaS and harness it for detection and response. Hours or days is an eternity when you’re in the midst of a live incident, and is inevitably going to result in a worse outcome for the business. ",[],{},{"nodeType":1294,"data":1929,"content":1930},{},[1931],{"nodeType":1293,"value":1932,"marks":1933,"data":1934},"MVSP specifies that authentication events should be logged (and for how long they should be stored), but practically there is little consistency in the types of event and the fields captured. 
App vendors should make sure that the data points they provide (and the format that logs are provided in) can be practically used by security teams. ",[],{},{"nodeType":1540,"data":1936,"content":1937},{},[1938],{"nodeType":1293,"value":1939,"marks":1940,"data":1942},"7. Log detailed authentication/login information.",[1941],{"type":1362},{},{"nodeType":1294,"data":1944,"content":1945},{},[1946],{"nodeType":1293,"value":1947,"marks":1948,"data":1949},"Authentication information is arguably the most important log source in the context of SaaS services which lack granular permissions management, because: ",[],{},{"nodeType":1408,"data":1951,"content":1952},{},[1953,1963],{"nodeType":1412,"data":1954,"content":1955},{},[1956],{"nodeType":1294,"data":1957,"content":1958},{},[1959],{"nodeType":1293,"value":1960,"marks":1961,"data":1962},"If you know a malicious user accessed the app, you can infer/assume the likely impact, and respond accordingly. ",[],{},{"nodeType":1412,"data":1964,"content":1965},{},[1966],{"nodeType":1294,"data":1967,"content":1968},{},[1969],{"nodeType":1293,"value":1970,"marks":1971,"data":1972},"Attacker behavior in-app is often indistinguishable from typical user behavior.",[],{},{"nodeType":1294,"data":1974,"content":1975},{},[1976],{"nodeType":1293,"value":1977,"marks":1978,"data":1979},"This means it’s vital to understand who accessed the app, at what time, and from where.",[],{},{"nodeType":1294,"data":1981,"content":1982},{},[1983,1986,1995],{"nodeType":1293,"value":1368,"marks":1984,"data":1985},[],{},{"nodeType":1372,"data":1987,"content":1989},{"uri":1988},"https://eventmaturitymatrix.com/#salesforce-real-time-event-monitoring-urieventstream",[1990],{"nodeType":1293,"value":1991,"marks":1992,"data":1994},"SaaS Event Maturity Matrix",[1993],{"type":1380},{},{"nodeType":1293,"value":1996,"marks":1997,"data":1998}," provides a great starting point when looking at the availability of authentication logs across different platforms. 
",[],{},{"nodeType":1342,"data":2000,"content":2004},{"target":2001},{"sys":2002},{"id":2003,"type":1347,"linkType":1348},"4NppB8YnmXHIQjvLwx79JW",[],{"nodeType":1294,"data":2006,"content":2007},{},[2008],{"nodeType":1293,"value":2009,"marks":2010,"data":2011},"We recommend that all providers include the following Authentication and MFA Verification log fields:",[],{},{"nodeType":1342,"data":2013,"content":2017},{"target":2014},{"sys":2015},{"id":2016,"type":1347,"linkType":1348},"67uAYr6RA3DIr7mUCBgzyn",[],{"nodeType":1294,"data":2019,"content":2020},{},[2021],{"nodeType":1293,"value":2022,"marks":2023,"data":2024},"With this level of granular information it will be much easier for security teams to reliably differentiate malicious from legitimate access, independently or when combined with other data points:",[],{},{"nodeType":1408,"data":2026,"content":2027},{},[2028,2038,2048,2058,2068,2078],{"nodeType":1412,"data":2029,"content":2030},{},[2031],{"nodeType":1294,"data":2032,"content":2033},{},[2034],{"nodeType":1293,"value":2035,"marks":2036,"data":2037},"Identify suspicious logins due to location/impossible travel",[],{},{"nodeType":1412,"data":2039,"content":2040},{},[2041],{"nodeType":1294,"data":2042,"content":2043},{},[2044],{"nodeType":1293,"value":2045,"marks":2046,"data":2047},"Identify failed login attempts due to either credential or MFA failures, indicating possible credential stuffing attacks",[],{},{"nodeType":1412,"data":2049,"content":2050},{},[2051],{"nodeType":1294,"data":2052,"content":2053},{},[2054],{"nodeType":1293,"value":2055,"marks":2056,"data":2057},"Identify the IdP used to login to detect unapproved or unusual IdP logins (a possible indicator of cross-IdP impersonation)",[],{},{"nodeType":1412,"data":2059,"content":2060},{},[2061],{"nodeType":1294,"data":2062,"content":2063},{},[2064],{"nodeType":1293,"value":2065,"marks":2066,"data":2067},"Identify where an unexpected (less secure) MFA method is used, indicating a potential MFA 
downgrade attack",[],{},{"nodeType":1412,"data":2069,"content":2070},{},[2071],{"nodeType":1294,"data":2072,"content":2073},{},[2074],{"nodeType":1293,"value":2075,"marks":2076,"data":2077},"Detect risky changes to authentication such as initiating SAML configuration changes, tracking which user initiated it and when it completed",[],{},{"nodeType":1412,"data":2079,"content":2080},{},[2081],{"nodeType":1294,"data":2082,"content":2083},{},[2084],{"nodeType":1293,"value":2085,"marks":2086,"data":2087},"Differentiate active session location from the device/client/location of the original session (to detect session hijacking attacks)",[],{},{"nodeType":1540,"data":2089,"content":2090},{},[2091],{"nodeType":1293,"value":2092,"marks":2093,"data":2095},"8. Make audit logs available in a format and using a mechanism that is easy to ingest into common security tools. ",[2094],{"type":1362},{},{"nodeType":1294,"data":2097,"content":2098},{},[2099,2103,2112],{"nodeType":1293,"value":2100,"marks":2101,"data":2102},"Even where logs are available, security teams often have to wrestle with the format they are provided in to be able to make use of them. While JSON is pretty much the de facto standard nowadays, the absence of a common schema and field names is often the tricky part — complicated by the fact that there are multiple competing standards. At the very least, complying with at least one of the more established schemas (e.g. 
the ",[],{},{"nodeType":1372,"data":2104,"content":2106},{"uri":2105},"https://www.elastic.co/guide/en/ecs/current/ecs-reference.html",[2107],{"nodeType":1293,"value":2108,"marks":2109,"data":2111},"Elastic Common Schema",[2110],{"type":1380},{},{"nodeType":1293,"value":2113,"marks":2114,"data":2115},") will provide a level of standardisation to make things easier for security teams.",[],{},{"nodeType":1294,"data":2117,"content":2118},{},[2119],{"nodeType":1293,"value":2120,"marks":2121,"data":2122},"Arguably an even bigger challenge is pulling the events you actually need from the data — so making it possible to stream logs or access them programmatically to minimize collection delays is a key change that app developers can implement regardless of the schema used, that will make life easier for SecOps teams. With that in mind: ",[],{},{"nodeType":1408,"data":2124,"content":2125},{},[2126,2136],{"nodeType":1412,"data":2127,"content":2128},{},[2129],{"nodeType":1294,"data":2130,"content":2131},{},[2132],{"nodeType":1293,"value":2133,"marks":2134,"data":2135},"Login events indicating a potential identity attack should emit preconfigured webhook events to enable security teams to better detect and respond, (such as in the context of the use cases above). ",[],{},{"nodeType":1412,"data":2137,"content":2138},{},[2139],{"nodeType":1294,"data":2140,"content":2141},{},[2142],{"nodeType":1293,"value":2143,"marks":2144,"data":2145},"API access should also be provided to ensure that logs can be extracted to inform point-in-time investigations in the event of a suspected incident. (It’s no good if you have to request that certain logs be sent to you during a time-sensitive security incident.) 
",[],{},{"nodeType":1351,"data":2147,"content":2148},{},[],{"nodeType":1355,"data":2150,"content":2151},{},[2152],{"nodeType":1293,"value":2153,"marks":2154,"data":2156},"Final thoughts",[2155],{"type":1362},{},{"nodeType":1294,"data":2158,"content":2159},{},[2160],{"nodeType":1293,"value":2161,"marks":2162,"data":2163},"The key takeaway here is that the scope for identity attacks and abuse could be significantly mitigated with a better standard of app-level controls. If you’re familiar with Push, you’ll recognize that many of our features compensate for these gaps in visibility and control — made necessary by the fact that so many apps don’t provide basic information about the accounts within your tenant, or give you any controls to manage authentication in accordance with your risk profile.",[],{},{"nodeType":1342,"data":2165,"content":2169},{"target":2166},{"sys":2167},{"id":2168,"type":1347,"linkType":1348},"2skTQlf4ssC083ilExzKPW",[],{"nodeType":1294,"data":2171,"content":2172},{},[2173],{"nodeType":1293,"value":2174,"marks":2175,"data":2176},"If you agree with us and think that stronger identity controls around authentication and security logging are needed, then consider adding these suggestions to your procurement requirements when on-boarding new apps and services. ",[],{},{"nodeType":1294,"data":2178,"content":2179},{},[2180,2183,2192],{"nodeType":1293,"value":37,"marks":2181,"data":2182},[],{},{"nodeType":1372,"data":2184,"content":2186},{"uri":2185},"https://pushsecurity.com/demo/",[2187],{"nodeType":1293,"value":2188,"marks":2189,"data":2191},"Book a demo",[2190],{"type":1380},{},{"nodeType":1293,"value":2193,"marks":2194,"data":2195}," to find out how Push can mitigate widespread application security gaps and secure your identity attack surface. 
",[],{},{"nodeType":1342,"data":2197,"content":2201},{"target":2198},{"sys":2199},{"id":2200,"type":1347,"linkType":1348},"34OTFgwuW60VWzW4FAqwXi",[],{"nodeType":1294,"data":2203,"content":2204},{},[2205],{"nodeType":1293,"value":37,"marks":2206,"data":2207},[],{},"Minimum Viable Identity Security","How app developers can go beyond Minimum Viable Secure Product (MVSP) to implement better identity protections and prevent identity-based attacks. ","2025-02-10T00:00:00.000Z","minimum-viable-identity-security",{"items":2213},[2214,2216],{"sys":2215,"name":1305},{"id":1304},{"sys":2217,"name":2219},{"id":2218},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"items":2221},[2222],{"fullName":2223,"firstName":2224,"jobTitle":2225,"profilePicture":2226},"Dan Green","Dan","Threat Research",{"url":2227},"https://images.ctfassets.net/y1cdw1ablpvd/7jik1VhFgA3kgzXBXTm2Vw/fcd8c171da644903d0827eafcfbcaad0/Dan_Headshot_2025.png",{"__typename":1313,"sys":2229,"content":2231,"title":2549,"synopsis":2550,"hashTags":118,"publishedDate":2551,"slug":2552,"tagsCollection":2553,"authorsCollection":2561},{"id":2230},"4bYO5rVy9n2OO3vtMVQeda",{"json":2232},{"nodeType":1295,"data":2233,"content":2234},{},[2235,2242,2262,2278,2285,2292,2295,2302,2309,2362,2369,2375,2378,2385,2392,2399,2406,2413,2430,2436,2443,2450,2467,2473,2480,2487,2494,2501,2508,2511,2518,2537,2543],{"nodeType":1355,"data":2236,"content":2237},{},[2238],{"nodeType":1293,"value":2239,"marks":2240,"data":2241},"All phishing eventually leads to the browser",[],{},{"nodeType":1294,"data":2243,"content":2244},{},[2245,2249,2258],{"nodeType":1293,"value":2246,"marks":2247,"data":2248},"The best attack detection methods are those that focus on ",[],{},{"nodeType":1372,"data":2250,"content":2252},{"uri":2251},"https://pushsecurity.com/blog/our-design-philosophy-detecting-what-matters/",[2253],{"nodeType":1293,"value":2254,"marks":2255,"data":2257},"detecting indicators that are difficult for attackers to change or 
obfuscate",[2256],{"type":1380},{},{"nodeType":1293,"value":2259,"marks":2260,"data":2261},". ",[],{},{"nodeType":1294,"data":2263,"content":2264},{},[2265,2269,2274],{"nodeType":1293,"value":2266,"marks":2267,"data":2268},"For a credential phishing attack to succeed, the victim ",[],{},{"nodeType":1293,"value":2270,"marks":2271,"data":2273},"has",[2272],{"type":1380},{},{"nodeType":1293,"value":2275,"marks":2276,"data":2277}," to enter their password into a webpage. There’s no two ways about it: attackers cannot change this. ",[],{},{"nodeType":1294,"data":2279,"content":2280},{},[2281],{"nodeType":1293,"value":2282,"marks":2283,"data":2284},"So it stands to reason that, if you can detect this user behavior, and block them from entering their password, then you can stop phishing. ",[],{},{"nodeType":1294,"data":2286,"content":2287},{},[2288],{"nodeType":1293,"value":2289,"marks":2290,"data":2291},"This is exactly what Push does.",[],{},{"nodeType":1351,"data":2293,"content":2294},{},[],{"nodeType":1540,"data":2296,"content":2297},{},[2298],{"nodeType":1293,"value":2299,"marks":2300,"data":2301},"Most anti-phishing tools are easily bypassed",[],{},{"nodeType":1294,"data":2303,"content":2304},{},[2305],{"nodeType":1293,"value":2306,"marks":2307,"data":2308},"Other anti-phishing tools rely on detecting elements of the attack that attackers can change and hide, such as domains or the webpage contents. 
Attackers use tricks to evade these detections, like:",[],{},{"nodeType":1408,"data":2310,"content":2311},{},[2312,2322,2332,2342,2352],{"nodeType":1412,"data":2313,"content":2314},{},[2315],{"nodeType":1294,"data":2316,"content":2317},{},[2318],{"nodeType":1293,"value":2319,"marks":2320,"data":2321},"Using Cloudflare Workers to block automatic analysis of their phishing site",[],{},{"nodeType":1412,"data":2323,"content":2324},{},[2325],{"nodeType":1294,"data":2326,"content":2327},{},[2328],{"nodeType":1293,"value":2329,"marks":2330,"data":2331},"Hacking a WordPress blog to get a reputable domain that passes domain checks ",[],{},{"nodeType":1412,"data":2333,"content":2334},{},[2335],{"nodeType":1294,"data":2336,"content":2337},{},[2338],{"nodeType":1293,"value":2339,"marks":2340,"data":2341},"Using redirects and rotating the URLs delivered to the victim to bypass link analysis",[],{},{"nodeType":1412,"data":2343,"content":2344},{},[2345],{"nodeType":1294,"data":2346,"content":2347},{},[2348],{"nodeType":1293,"value":2349,"marks":2350,"data":2351},"Randomizing the HTML title for the web page to bypass blocklists ",[],{},{"nodeType":1412,"data":2353,"content":2354},{},[2355],{"nodeType":1294,"data":2356,"content":2357},{},[2358],{"nodeType":1293,"value":2359,"marks":2360,"data":2361},"One-time phishing links that only work the first time they are clicked",[],{},{"nodeType":1294,"data":2363,"content":2364},{},[2365],{"nodeType":1293,"value":2366,"marks":2367,"data":2368},"Push is putting an end to this game of cat and mouse, by keeping it really simple; you can’t phish someone who can’t put their password into a phishing page. 
",[],{},{"nodeType":1342,"data":2370,"content":2374},{"target":2371},{"sys":2372},{"id":2373,"type":1347,"linkType":1348},"6AwOZSpqaChmeksnj4SyWE",[],{"nodeType":1351,"data":2376,"content":2377},{},[],{"nodeType":1540,"data":2379,"content":2380},{},[2381],{"nodeType":1293,"value":2382,"marks":2383,"data":2384},"Domain-binding passwords",[],{},{"nodeType":1294,"data":2386,"content":2387},{},[2388],{"nodeType":1293,"value":2389,"marks":2390,"data":2391},"If you’re familiar with how passkeys are domain-bound, then think of what Push does as domain-binding passwords. We pin the password to its legitimate domain(s) and then don’t allow it to be entered into any webpage on any other domain. ",[],{},{"nodeType":1294,"data":2393,"content":2394},{},[2395],{"nodeType":1293,"value":2396,"marks":2397,"data":2398},"But just because you’ve stopped your users from being phished doesn’t mean you don’t want to know when attackers are attempting to phish your users and how. ",[],{},{"nodeType":1294,"data":2400,"content":2401},{},[2402],{"nodeType":1293,"value":2403,"marks":2404,"data":2405},"Push still inspects webpages to see if attackers are rendering cloned app login pages in the browser or if known AitM and BitM toolkits are being used. This way you don’t lose visibility of the unsuccessful attacks that are targeting your users. 
Think of it as a handy second and third layer of defense.",[],{},{"nodeType":1294,"data":2407,"content":2408},{},[2409],{"nodeType":1293,"value":2410,"marks":2411,"data":2412},"Let’s run through a quick before and after example:",[],{},{"nodeType":1540,"data":2414,"content":2415},{},[2416,2420,2426],{"nodeType":1293,"value":2417,"marks":2418,"data":2419},"Scenario 1: An attacker attempts to phish an employee that ",[],{},{"nodeType":1293,"value":2421,"marks":2422,"data":2425},"doesn’t",[2423,2424],{"type":1380},{"type":1362},{},{"nodeType":1293,"value":2427,"marks":2428,"data":2429}," have Push deployed to their browser.",[],{},{"nodeType":1342,"data":2431,"content":2435},{"target":2432},{"sys":2433},{"id":2434,"type":1347,"linkType":1348},"2CbGMUSJsP1mNeHkmpLl6N",[],{"nodeType":1294,"data":2437,"content":2438},{},[2439],{"nodeType":1293,"value":2440,"marks":2441,"data":2442},"Here, an attacker hacks a WordPress blog to get a reputable domain and then runs a phishing toolkit on the webpage. They email one of your employees a link to it. Your SWG / email scanning solution inspects it in a sandbox but the phish kit detects this and redirects to a benign site so that it passes the inspection. ",[],{},{"nodeType":1294,"data":2444,"content":2445},{},[2446],{"nodeType":1293,"value":2447,"marks":2448,"data":2449},"Your user gets the email with the link and is now free to interact with the phishing page. They enter their credentials plus MFA code into the page and voila! The attacker steals them and is able to compromise the user’s account.  ",[],{},{"nodeType":1540,"data":2451,"content":2452},{},[2453,2457,2463],{"nodeType":1293,"value":2454,"marks":2455,"data":2456},"Scenario 2: An attacker attempts to phish an employee that ",[],{},{"nodeType":1293,"value":2458,"marks":2459,"data":2462},"does",[2460,2461],{"type":1380},{"type":1362},{},{"nodeType":1293,"value":2464,"marks":2465,"data":2466}," have Push deployed to their browser. 
",[],{},{"nodeType":1342,"data":2468,"content":2472},{"target":2469},{"sys":2470},{"id":2471,"type":1347,"linkType":1348},"77smnID1woCfFJrJPyTvKY",[],{"nodeType":1294,"data":2474,"content":2475},{},[2476],{"nodeType":1293,"value":2477,"marks":2478,"data":2479},"This time, the attacker uses the same phishing toolkit and domain from the first example. But in reality, they don’t have to send it to your employee using email, instead, they could use LinkedIn messenger, Slack, Teams, or any application that allows employees to communicate with each other. ",[],{},{"nodeType":1294,"data":2481,"content":2482},{},[2483],{"nodeType":1293,"value":2484,"marks":2485,"data":2486},"Like before, the user receives the link, opens it and starts to enter their credentials into the webpage. This time though, the Push browser extension inspects the webpage running in the user's browser. Push observes that the webpage is a login page and the user is entering their password into the page.",[],{},{"nodeType":1294,"data":2488,"content":2489},{},[2490],{"nodeType":1293,"value":2491,"marks":2492,"data":2493},"The first detection Push makes is checking that the password the user is entering matches the domain that password is pinned to. Since it doesn't match, based on this detection alone the user is automatically redirected to a blocking page. An important point to make here is that the password never leaves the user’s browser and the check is made using a shortened salted hash of the password.   ",[],{},{"nodeType":1294,"data":2495,"content":2496},{},[2497],{"nodeType":1293,"value":2498,"marks":2499,"data":2500},"The second detection Push makes is that the rendered web app is using a cloned app login page. The third detection is that a phishing toolkit is running in the web app code. 
",[],{},{"nodeType":1294,"data":2502,"content":2503},{},[2504],{"nodeType":1293,"value":2505,"marks":2506,"data":2507},"In this particular scenario these second and third detections serve as useful context for understanding the nature of the phishing attack. But both will still redirect to a blocking page if they are triggered in isolation of the other phishing detections. ",[],{},{"nodeType":1351,"data":2509,"content":2510},{},[],{"nodeType":1355,"data":2512,"content":2513},{},[2514],{"nodeType":1293,"value":2515,"marks":2516,"data":2517},"We don’t just stop phishing attacks",[],{},{"nodeType":1294,"data":2519,"content":2520},{},[2521,2525,2533],{"nodeType":1293,"value":2522,"marks":2523,"data":2524},"We also detect other identity-related attack techniques used to compromise user accounts. That includes credential stuffing, password spraying and session hijacking using stolen session tokens. If you want to learn more about how Push helps you to detect and defeat common identity attack techniques, ",[],{},{"nodeType":1372,"data":2526,"content":2527},{"uri":2185},[2528],{"nodeType":1293,"value":2529,"marks":2530,"data":2532},"book some time with one of our team",[2531],{"type":1380},{},{"nodeType":1293,"value":2534,"marks":2535,"data":2536},".  ",[],{},{"nodeType":1342,"data":2538,"content":2542},{"target":2539},{"sys":2540},{"id":2541,"type":1347,"linkType":1348},"2JSmYDaiAciOx7Z1MRuJlA",[],{"nodeType":1294,"data":2544,"content":2545},{},[2546],{"nodeType":1293,"value":37,"marks":2547,"data":2548},[],{},"Detecting and blocking phishing attacks in the browser","How Push detects and blocks phishing attempts in the browser – explained in less than two minutes. 
","2024-10-23T00:00:00.000Z","detecting-and-blocking-phishing-attacks-in-the-browser",{"items":2554},[2555,2559],{"sys":2556,"name":2558},{"id":2557},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"sys":2560,"name":2219},{"id":2218},{"items":2562},[2563],{"fullName":2564,"firstName":2565,"jobTitle":2566,"profilePicture":2567},"Alex Henshall","Alex","Product Team",{"url":2568},"https://images.ctfassets.net/y1cdw1ablpvd/2rz3Pre3b1MexPIQ4hzPUe/0ef8a092b7e7df00fbce3f7d1ccb96d1/Alex_Henshall.jpeg",{"__typename":1313,"sys":2570,"content":2572,"title":3948,"synopsis":3949,"hashTags":118,"publishedDate":3950,"slug":3951,"tagsCollection":3952,"authorsCollection":3958},{"id":2571},"wgpdyHDn9NcpIJNr7jnFp",{"json":2573},{"nodeType":1295,"data":2574,"content":2575},{},[2576,2582,2590,2597,2630,2636,2644,2677,2719,2725,2733,2751,2757,2760,2768,2775,2781,2826,2984,2987,2995,3002,3010,3041,3047,3055,3075,3082,3088,3095,3101,3120,3128,3146,3154,3161,3168,3171,3179,3186,3192,3199,3207,3225,3232,3238,3246,3253,3260,3293,3299,3306,3314,3321,3327,3360,3368,3388,3395,3401,3409,3429,3436,3499,3505,3508,3516,3523,3530,3561,3564,3572,3580,3586,3593,3601,3607,3614,3621,3627,3634,3642,3649,3656,3663,3682,3701,3708,3715,3721,3728,3736,3743,3750,3756,3763,3771,3778,3785,3792,3798,3805,3813,3820,3839,3845,3852,3873,3879,3886,3906,3912,3915,3923,3930],{"nodeType":1342,"data":2577,"content":2581},{"target":2578},{"sys":2579},{"id":2580,"type":1347,"linkType":1348},"6BjaSruVecmhn1NoHreRni",[],{"nodeType":1355,"data":2583,"content":2584},{},[2585],{"nodeType":1293,"value":2586,"marks":2587,"data":2589},"Background: Who are Scattered Spider?",[2588],{"type":1362},{},{"nodeType":1294,"data":2591,"content":2592},{},[2593],{"nodeType":1293,"value":2594,"marks":2595,"data":2596},"Scattered Spider (also tracked as 0ktapus, Octo Tempest, Scatter Swine, Muddled Libra, and UNC3944) is a native English speaking, financially motivated criminal collective known for high-profile cyber breaches in recent 
years, including MoneyGram, Transport for London, Caesars, MGM Resorts, Clorox, DoorDash, Twilio, Reddit, Coinbase, MailChimp, Okta, HubSpot, Cloudflare, Activision, Pure Storage, and the ongoing Marks & Spencer, Co-op, and Harrods incidents.",[],{},{"nodeType":1294,"data":2598,"content":2599},{},[2600,2604,2613,2617,2626],{"nodeType":1293,"value":2601,"marks":2602,"data":2603},"Scattered Spider shares similar characteristics and TTPs with a number of named threat groups such as ",[],{},{"nodeType":1372,"data":2605,"content":2607},{"uri":2606},"https://www.cisa.gov/sites/default/files/2023-08/CSRB_Lapsus%24_508c.pdf",[2608],{"nodeType":1293,"value":2609,"marks":2610,"data":2612},"Lapsus$, Yanluowang, Karakurt",[2611],{"type":1380},{},{"nodeType":1293,"value":2614,"marks":2615,"data":2616},", and ",[],{},{"nodeType":1372,"data":2618,"content":2620},{"uri":2619},"https://pushsecurity.com/blog/snowflake-retro/",[2621],{"nodeType":1293,"value":2622,"marks":2623,"data":2625},"ShinyHunters",[2624],{"type":1380},{},{"nodeType":1293,"value":2627,"marks":2628,"data":2629}," (behind the Snowflake attacks in 2024).",[],{},{"nodeType":1342,"data":2631,"content":2635},{"target":2632},{"sys":2633},{"id":2634,"type":1347,"linkType":1348},"4sgT2Jw3iODUTdG2oPOrFC",[],{"nodeType":1540,"data":2637,"content":2638},{},[2639],{"nodeType":1293,"value":2640,"marks":2641,"data":2643},"Case study: MGM Resorts",[2642],{"type":1362},{},{"nodeType":1294,"data":2645,"content":2646},{},[2647,2651,2660,2664,2673],{"nodeType":1293,"value":2648,"marks":2649,"data":2650},"One of Scattered Spider’s most notorious and well-documented attacks was that affecting ",[],{},{"nodeType":1372,"data":2652,"content":2654},{"uri":2653},"https://pushsecurity.com/blog/identity-attacks-in-the-wild/#id-mgm-resorts-september-2023",[2655],{"nodeType":1293,"value":2656,"marks":2657,"data":2659},"MGM Resorts",[2658],{"type":1380},{},{"nodeType":1293,"value":2661,"marks":2662,"data":2663},". 
Scattered Spider socially engineered MGM Resorts helpdesk personnel to bypass MFA and log into accounts for which they had acquired valid login credentials via credential phishing and historical infostealer compromises. They specifically targeted accounts with Super Administrator privileges within MGM Resorts’ Okta tenant, which they then used to register a second, attacker-controlled IdP via ",[],{},{"nodeType":1372,"data":2665,"content":2667},{"uri":2666},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/inbound_federation/description.md",[2668],{"nodeType":1293,"value":2669,"marks":2670,"data":2672},"inbound federation",[2671],{"type":1380},{},{"nodeType":1293,"value":2674,"marks":2675,"data":2676},", which enabled them to impersonate any user within the Okta tenant. This then enabled them to abuse SSO access to downstream apps and platforms from various accounts, culminating in deployment of ransomware to around 100 ESXi servers and data exfiltration. ",[],{},{"nodeType":1294,"data":2678,"content":2679},{},[2680,2684,2689,2693,2698,2702,2707,2711,2716],{"nodeType":1293,"value":2681,"marks":2682,"data":2683},"The breach resulted in a ",[],{},{"nodeType":1293,"value":2685,"marks":2686,"data":2688},"36-hour outage",[2687],{"type":1362},{},{"nodeType":1293,"value":2690,"marks":2691,"data":2692},", a ",[],{},{"nodeType":1293,"value":2694,"marks":2695,"data":2697},"$100M ",[2696],{"type":1362},{},{"nodeType":1293,"value":2699,"marks":2700,"data":2701},"hit to its Q3 results, one-time cyber consulting fees in the region of ",[],{},{"nodeType":1293,"value":2703,"marks":2704,"data":2706},"$10M",[2705],{"type":1362},{},{"nodeType":1293,"value":2708,"marks":2709,"data":2710},", and a class-action lawsuit later settled for 
",[],{},{"nodeType":1293,"value":2712,"marks":2713,"data":2715},"$45M",[2714],{"type":1362},{},{"nodeType":1293,"value":2259,"marks":2717,"data":2718},[],{},{"nodeType":1342,"data":2720,"content":2724},{"target":2721},{"sys":2722},{"id":2723,"type":1347,"linkType":1348},"2vYvBXqFeKt7Ix0Ynh8cZu",[],{"nodeType":1540,"data":2726,"content":2727},{},[2728],{"nodeType":1293,"value":2729,"marks":2730,"data":2732},"Case Study: Snowflake",[2731],{"type":1362},{},{"nodeType":1294,"data":2734,"content":2735},{},[2736,2740,2747],{"nodeType":1293,"value":2737,"marks":2738,"data":2739},"Members of Scattered Spider have been affiliated with ShinyHunters, the group behind the ",[],{},{"nodeType":1372,"data":2741,"content":2742},{"uri":2619},[2743],{"nodeType":1293,"value":2744,"marks":2745,"data":2746},"Snowflake breaches in mid-2024",[],{},{"nodeType":1293,"value":2748,"marks":2749,"data":2750},". ShinyHunters associates targeted ~165 organizations that were subjected to account takeover attacks using stolen credentials harvested from historical infostealer infections dating back as far as 2020, according to Mandiant’s investigation. In total, 9 public victims were named following the breach, collectively impacting hundreds of millions of people. Snowflake was a watershed moment that signalled the significant opportunity presented by identity attacks on cloud services. 
It demonstrated how comparatively unsophisticated methods (logging in to user accounts with stolen credentials and dumping the data) can have the same impact as, or a greater impact than, a traditional network- or endpoint-based cyber attack involving vulnerability exploitation, malware deployment, ransomware, etc.",[],{},{"nodeType":1342,"data":2752,"content":2756},{"target":2753},{"sys":2754},{"id":2755,"type":1347,"linkType":1348},"49nJMPQjQ37Mfr2yWA56P3",[],{"nodeType":1351,"data":2758,"content":2759},{},[],{"nodeType":1355,"data":2761,"content":2762},{},[2763],{"nodeType":1293,"value":2764,"marks":2765,"data":2767},"Arrests haven’t slowed Scattered Spider",[2766],{"type":1362},{},{"nodeType":1294,"data":2769,"content":2770},{},[2771],{"nodeType":1293,"value":2772,"marks":2773,"data":2774},"In late 2024, following the Transport for London attacks (which resulted in prolonged disruption to key online services underpinning London’s public transport network, theft of 5,000 users’ bank details, and all 30,000 staff members having to reset their online credentials in person), a series of arrests were made in the UK and USA. 
",[],{},{"nodeType":1342,"data":2776,"content":2780},{"target":2777},{"sys":2778},{"id":2779,"type":1347,"linkType":1348},"2X2nyhO2hOqm9f0Le4lDC5",[],{"nodeType":1294,"data":2782,"content":2783},{},[2784,2788,2797,2801,2810,2813,2822],{"nodeType":1293,"value":2785,"marks":2786,"data":2787},"However, this doesn’t seem to have impacted Scattered Spider’s ability to operate, with the ongoing campaign against UK retail companies including ",[],{},{"nodeType":1372,"data":2789,"content":2791},{"uri":2790},"https://www.bleepingcomputer.com/news/security/marks-and-spencer-breach-linked-to-scattered-spider-ransomware-attack/",[2792],{"nodeType":1293,"value":2793,"marks":2794,"data":2796},"Marks and Spencer",[2795],{"type":1380},{},{"nodeType":1293,"value":2798,"marks":2799,"data":2800},", ",[],{},{"nodeType":1372,"data":2802,"content":2804},{"uri":2803},"https://www.bleepingcomputer.com/news/security/co-op-confirms-data-theft-after-dragonforce-ransomware-claims-attack/",[2805],{"nodeType":1293,"value":2806,"marks":2807,"data":2809},"Co-op",[2808],{"type":1380},{},{"nodeType":1293,"value":2614,"marks":2811,"data":2812},[],{},{"nodeType":1372,"data":2814,"content":2816},{"uri":2815},"https://www.bleepingcomputer.com/news/security/harrods-the-next-uk-retailer-targeted-in-a-cyberattack/",[2817],{"nodeType":1293,"value":2818,"marks":2819,"data":2821},"Harrods",[2820],{"type":1380},{},{"nodeType":1293,"value":2823,"marks":2824,"data":2825}," being strongly linked to Scattered Spider. Beginning on Easter weekend, the Marks and Spencer attack has had the biggest impact so far, resulting in severe disruption to the retailer with agency staff told not to come into work, online shopping services being taken offline, stores running low on products, £300M in lost profits, and almost £1B wiped off the company’s stock market valuation at one stage. 
",[],{},{"nodeType":1294,"data":2827,"content":2828},{},[2829,2833,2842,2845,2854,2857,2866,2869,2878,2881,2890,2893,2902,2905,2914,2918,2926,2929,2937,2940,2948,2951,2959,2962,2969,2972,2980],{"nodeType":1293,"value":2830,"marks":2831,"data":2832},"A series of attacks against retailers worldwide soon followed, at an unprecedented rate. ",[],{},{"nodeType":1372,"data":2834,"content":2836},{"uri":2835},"https://www.bleepingcomputer.com/news/security/fashion-giant-dior-discloses-cyberattack-warns-of-data-breach/",[2837],{"nodeType":1293,"value":2838,"marks":2839,"data":2841},"Dior",[2840],{"type":1380},{},{"nodeType":1293,"value":2798,"marks":2843,"data":2844},[],{},{"nodeType":1372,"data":2846,"content":2848},{"uri":2847},"https://www.bleepingcomputer.com/news/security/the-north-face-warns-customers-of-april-credential-stuffing-attack/",[2849],{"nodeType":1293,"value":2850,"marks":2851,"data":2853},"The North Face",[2852],{"type":1380},{},{"nodeType":1293,"value":2798,"marks":2855,"data":2856},[],{},{"nodeType":1372,"data":2858,"content":2860},{"uri":2859},"https://www.bleepingcomputer.com/news/security/cartier-discloses-data-breach-amid-fashion-brand-cyberattacks/",[2861],{"nodeType":1293,"value":2862,"marks":2863,"data":2865},"Cartier",[2864],{"type":1380},{},{"nodeType":1293,"value":2798,"marks":2867,"data":2868},[],{},{"nodeType":1372,"data":2870,"content":2872},{"uri":2871},"https://www.bleepingcomputer.com/news/security/victorias-secret-delays-earnings-release-after-security-incident/",[2873],{"nodeType":1293,"value":2874,"marks":2875,"data":2877},"Victoria’s 
Secret",[2876],{"type":1380},{},{"nodeType":1293,"value":2798,"marks":2879,"data":2880},[],{},{"nodeType":1372,"data":2882,"content":2884},{"uri":2883},"https://www.bleepingcomputer.com/news/security/adidas-warns-of-data-breach-after-customer-service-provider-hack/",[2885],{"nodeType":1293,"value":2886,"marks":2887,"data":2889},"Adidas",[2888],{"type":1380},{},{"nodeType":1293,"value":2798,"marks":2891,"data":2892},[],{},{"nodeType":1372,"data":2894,"content":2896},{"uri":2895},"https://www.scworld.com/brief/separate-ransomware-attacks-purportedly-hit-coca-cola-bottling-partner",[2897],{"nodeType":1293,"value":2898,"marks":2899,"data":2901},"Coca-Cola",[2900],{"type":1380},{},{"nodeType":1293,"value":2614,"marks":2903,"data":2904},[],{},{"nodeType":1372,"data":2906,"content":2908},{"uri":2907},"https://www.bleepingcomputer.com/news/security/grocery-wholesale-giant-united-natural-foods-hit-by-cyberattack/",[2909],{"nodeType":1293,"value":2910,"marks":2911,"data":2913},"United Natural Foods",[2912],{"type":1380},{},{"nodeType":1293,"value":2915,"marks":2916,"data":2917}," were among the retailers to suffer a breach between May-June 2025. More recently, Scattered Spider has targeted U.S. 
insurance giant ",[],{},{"nodeType":1372,"data":2919,"content":2921},{"uri":2920},"https://www.bleepingcomputer.com/news/security/aflac-discloses-breach-amidst-scattered-spider-insurance-attacks/",[2922],{"nodeType":1293,"value":2923,"marks":2924,"data":2925},"Aflac",[],{},{"nodeType":1293,"value":2798,"marks":2927,"data":2928},[],{},{"nodeType":1372,"data":2930,"content":2932},{"uri":2931},"https://www.bleepingcomputer.com/news/security/google-warns-scattered-spider-hackers-now-target-us-insurance-companies/",[2933],{"nodeType":1293,"value":2934,"marks":2935,"data":2936},"Philadelphia Insurance Companies",[],{},{"nodeType":1293,"value":2798,"marks":2938,"data":2939},[],{},{"nodeType":1372,"data":2941,"content":2943},{"uri":2942},"https://www.bleepingcomputer.com/news/security/erie-insurance-confirms-cyberattack-behind-business-disruptions/amp/",[2944],{"nodeType":1293,"value":2945,"marks":2946,"data":2947},"Erie Insurance",[],{},{"nodeType":1293,"value":2798,"marks":2949,"data":2950},[],{},{"nodeType":1372,"data":2952,"content":2954},{"uri":2953},"https://www.bleepingcomputer.com/news/security/scattered-spider-hackers-shift-focus-to-aviation-transportation-firms/",[2955],{"nodeType":1293,"value":2956,"marks":2957,"data":2958},"Hawaiian 
Airlines",[],{},{"nodeType":1293,"value":2798,"marks":2960,"data":2961},[],{},{"nodeType":1372,"data":2963,"content":2964},{"uri":2953},[2965],{"nodeType":1293,"value":2966,"marks":2967,"data":2968},"WestJet",[],{},{"nodeType":1293,"value":2614,"marks":2970,"data":2971},[],{},{"nodeType":1372,"data":2973,"content":2975},{"uri":2974},"https://www.bleepingcomputer.com/news/security/qantas-is-being-extorted-in-recent-data-theft-cyberattack/",[2976],{"nodeType":1293,"value":2977,"marks":2978,"data":2979},"Qantas",[],{},{"nodeType":1293,"value":2981,"marks":2982,"data":2983},".",[],{},{"nodeType":1351,"data":2985,"content":2986},{},[],{"nodeType":1355,"data":2988,"content":2989},{},[2990],{"nodeType":1293,"value":2991,"marks":2992,"data":2994},"Scattered Spider TTP analysis",[2993],{"type":1362},{},{"nodeType":1294,"data":2996,"content":2997},{},[2998],{"nodeType":1293,"value":2999,"marks":3000,"data":3001},"Along with a clear MO (financial gain via data exfiltration and extortion), Scattered Spider has demonstrated a pattern of go-to TTPs over recent years. ",[],{},{"nodeType":1540,"data":3003,"content":3004},{},[3005],{"nodeType":1293,"value":3006,"marks":3007,"data":3009},"Social engineering, help desk scams, and SIM swapping",[3008],{"type":1362},{},{"nodeType":1294,"data":3011,"content":3012},{},[3013,3017,3026,3029,3037],{"nodeType":1293,"value":3014,"marks":3015,"data":3016},"The public breaches associated with Scattered Spider have predominantly featured social-engineering-heavy initial access, mainly through help desk scams where the attacker contacts support personnel specifically to bypass MFA for accounts where they have acquired valid credentials via credential phishing or infostealers, but cannot access the account due to the additional layer of protection. 
They have similarly used ",[],{},{"nodeType":1372,"data":3018,"content":3020},{"uri":3019},"https://cloud.google.com/blog/topics/threat-intelligence/unc3944-sms-phishing-sim-swapping-ransomware/",[3021],{"nodeType":1293,"value":3022,"marks":3023,"data":3025},"SIM swapping, smishing",[3024],{"type":1380},{},{"nodeType":1293,"value":1734,"marks":3027,"data":3028},[],{},{"nodeType":1372,"data":3030,"content":3031},{"uri":1726},[3032],{"nodeType":1293,"value":3033,"marks":3034,"data":3036},"MFA fatigue/push bombing",[3035],{"type":1380},{},{"nodeType":1293,"value":3038,"marks":3039,"data":3040}," to achieve account takeover.",[],{},{"nodeType":1342,"data":3042,"content":3046},{"target":3043},{"sys":3044},{"id":3045,"type":1347,"linkType":1348},"2Z7qnaK4LXRhnQDvPT2ZXe",[],{"nodeType":1540,"data":3048,"content":3049},{},[3050],{"nodeType":1293,"value":3051,"marks":3052,"data":3054},"Impersonating and targeting SaaS services",[3053],{"type":1362},{},{"nodeType":1294,"data":3056,"content":3057},{},[3058,3062,3071],{"nodeType":1293,"value":3059,"marks":3060,"data":3061},"Scattered Spider have also been known to ",[],{},{"nodeType":1372,"data":3063,"content":3065},{"uri":3064},"https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications",[3066],{"nodeType":1293,"value":3067,"marks":3068,"data":3070},"target SaaS applications and cloud services",[3069],{"type":1380},{},{"nodeType":1293,"value":3072,"marks":3073,"data":3074}," — both as part of their phishing strategies by impersonating app providers, as well as in their lateral movement and exploitation when an identity has been compromised. This has included applications such as vCenter, CyberArk, SalesForce, Azure, CrowdStrike, AWS, and GCP. 
",[],{},{"nodeType":1294,"data":3076,"content":3077},{},[3078],{"nodeType":1293,"value":3079,"marks":3080,"data":3081},"When conducting phishing campaigns, they’ve created custom domains for their phishing sites based on the organizations they are targeting: ",[],{},{"nodeType":1342,"data":3083,"content":3087},{"target":3084},{"sys":3085},{"id":3086,"type":1347,"linkType":1348},"3ufdtfyJpZ4FUWbKR2yNNm",[],{"nodeType":1294,"data":3089,"content":3090},{},[3091],{"nodeType":1293,"value":3092,"marks":3093,"data":3094},"And they have impersonated many software brands — either as targets themselves, or as convincing third-parties to lure their targets to interact with. ",[],{},{"nodeType":1342,"data":3096,"content":3100},{"target":3097},{"sys":3098},{"id":3099,"type":1347,"linkType":1348},"XgrG1qKwXrpd399BwkHiR",[],{"nodeType":1294,"data":3102,"content":3103},{},[3104,3108,3117],{"nodeType":1293,"value":3105,"marks":3106,"data":3107},"(Shout out to the excellent analysis by the folks at ",[],{},{"nodeType":1372,"data":3109,"content":3111},{"uri":3110},"https://www.silentpush.com/blog/scattered-spider-2025/#h-new-scattered-spider-ttps-for-2025",[3112],{"nodeType":1293,"value":3113,"marks":3114,"data":3116},"Silent Push",[3115],{"type":1380},{},{"nodeType":1293,"value":1888,"marks":3118,"data":3119},[],{},{"nodeType":1540,"data":3121,"content":3122},{},[3123],{"nodeType":1293,"value":3124,"marks":3125,"data":3127},"Targeting identity providers to abuse OAuth and SSO",[3126],{"type":1362},{},{"nodeType":1294,"data":3129,"content":3130},{},[3131,3135,3142],{"nodeType":1293,"value":3132,"marks":3133,"data":3134},"A key part of this approach is abusing OAuth by targeting identity providers (IdPs) such as Okta and Microsoft Entra. 
By compromising IdP accounts with administrator privileges, Scattered Spider has leveraged techniques such as ",[],{},{"nodeType":1372,"data":3136,"content":3137},{"uri":2666},[3138],{"nodeType":1293,"value":2669,"marks":3139,"data":3141},[3140],{"type":1380},{},{"nodeType":1293,"value":3143,"marks":3144,"data":3145}," to gain unrestricted access to the identities within the target IdP tenant (the equivalent of a full Active Directory compromise on-premises).",[],{},{"nodeType":1540,"data":3147,"content":3148},{},[3149],{"nodeType":1293,"value":3150,"marks":3151,"data":3153},"Encryption of cloud servers and data theft for extortion",[3152],{"type":1362},{},{"nodeType":1294,"data":3155,"content":3156},{},[3157],{"nodeType":1293,"value":3158,"marks":3159,"data":3160},"When executing the final stages of an attack, Scattered Spider first exfiltrates data through a variety of methods, even using SaaS services such as Dropbox and Fivetran to extract copies of high-value service databases, such as Salesforce and Zendesk, using API connectors. ",[],{},{"nodeType":1294,"data":3162,"content":3163},{},[3164],{"nodeType":1293,"value":3165,"marks":3166,"data":3167},"In a typical \"double-extortion\" style, they then deploy ransomware by targeting cloud server environments such as VMware ESXi (specifically to avoid security tools by targeting the hypervisor layer). 
Scattered Spider have been known to act as affiliates for various ransomware operations, including RansomHub, Qilin, and DragonForce.",[],{},{"nodeType":1351,"data":3169,"content":3170},{},[],{"nodeType":1355,"data":3172,"content":3173},{},[3174],{"nodeType":1293,"value":3175,"marks":3176,"data":3178},"Scattered Spider TTP evolution in 2025",[3177],{"type":1362},{},{"nodeType":1294,"data":3180,"content":3181},{},[3182],{"nodeType":1293,"value":3183,"marks":3184,"data":3185},"In 2025, security researchers have observed a significant increase in Scattered Spider phishing activity, particularly in the form of MFA-bypassing Attacker-in-the-Middle (AiTM) phishing pages. ",[],{},{"nodeType":1342,"data":3187,"content":3191},{"target":3188},{"sys":3189},{"id":3190,"type":1347,"linkType":1348},"2jH5TrpHueIE8qpU3lunJi",[],{"nodeType":1294,"data":3193,"content":3194},{},[3195],{"nodeType":1293,"value":3196,"marks":3197,"data":3198},"Along with this shift, a number of TTPs have been observed relating to detection evasion measures implemented on these phishing pages.",[],{},{"nodeType":1540,"data":3200,"content":3201},{},[3202],{"nodeType":1293,"value":3203,"marks":3204,"data":3206},"Rapid phishing domain rotation",[3205],{"type":1362},{},{"nodeType":1294,"data":3208,"content":3209},{},[3210,3213,3221],{"nodeType":1293,"value":37,"marks":3211,"data":3212},[],{},{"nodeType":1372,"data":3214,"content":3215},{"uri":3110},[3216],{"nodeType":1293,"value":3217,"marks":3218,"data":3220},"According to researchers",[3219],{"type":1380},{},{"nodeType":1293,"value":3222,"marks":3223,"data":3224},", Scattered Spider have been observed using phishing pages hosted on short-lived domains that included specific keywords such as “okta,” “sso,” “help,” “hr,” “corp,” “my,” “internal,” or “vpn,” and that were operationalized within minutes of being registered. After a couple of hours, the domain would often be taken down by the registrar. 
However, as we’ve discussed in various blog posts, this is to be expected. Domains are highly disposable by nature and attackers plan to get through them in large numbers. They don’t need their phishing pages to live indefinitely — just as long as it takes for someone to be successfully phished.",[],{},{"nodeType":1294,"data":3226,"content":3227},{},[3228],{"nodeType":1293,"value":3229,"marks":3230,"data":3231},"You would expect these kinds of untrusted links to be flagged by enterprise security tools, but through clever use of obfuscation methods such as using legitimate apps to host the phishing link, using an initially benign link to a document or other source that contains the malicious link, or avoiding email as the delivery vector altogether, network and email-based controls are being routinely bypassed.  ",[],{},{"nodeType":1342,"data":3233,"content":3237},{"target":3234},{"sys":3235},{"id":3236,"type":1347,"linkType":1348},"2DviJNOMbKgbcqwkNl0LDP",[],{"nodeType":1540,"data":3239,"content":3240},{},[3241],{"nodeType":1293,"value":3242,"marks":3243,"data":3245},"Using custom subdomains that allow public registrations",[3244],{"type":1362},{},{"nodeType":1294,"data":3247,"content":3248},{},[3249],{"nodeType":1293,"value":3250,"marks":3251,"data":3252},"Scattered Spider have been observed registering their malicious domains on publicly rentable subdomains such as it[.]com. This limits the information that can be gathered about the domain (for example, preventing WHOIS information from being accessed). ",[],{},{"nodeType":1294,"data":3254,"content":3255},{},[3256],{"nodeType":1293,"value":3257,"marks":3258,"data":3259},"This is incredibly deceptive to the user and will fool many people glancing at the link. It doesn’t look as obviously suspicious as the typical .xyz or .biz, and has the feel of a legitimate domain. 
As these convincing rentable subdomains start to appear online more frequently, it becomes easier for attackers to pick up convincing domain names with fewer obvious deviations from the real one, without needing to resort to special characters or other tactics that might be spotted. ",[],{},{"nodeType":1294,"data":3261,"content":3262},{},[3263,3267,3276,3280,3289],{"nodeType":1293,"value":3264,"marks":3265,"data":3266},"This is strikingly similar ",[],{},{"nodeType":1372,"data":3268,"content":3270},{"uri":3269},"https://pushsecurity.com/blog/investigating-a-recent-malvertising-campaign-targeting-onfido-customers/",[3271],{"nodeType":1293,"value":3272,"marks":3273,"data":3275},"to an attack we investigated recently",[3274],{"type":1380},{},{"nodeType":1293,"value":3277,"marks":3278,"data":3279},", where an attacker was using the us[.]com domain to impersonate Onfido, the digital identity platform. These malicious links were actually distributed via malicious advertising on Google, which is an increasingly popular tactic ",[],{},{"nodeType":1372,"data":3281,"content":3283},{"uri":3282},"https://pushsecurity.com/blog/why-most-phishing-attacks-feel-like-a-zero-day/",[3284],{"nodeType":1293,"value":3285,"marks":3286,"data":3288},"to evade email and network detection controls",[3287],{"type":1380},{},{"nodeType":1293,"value":3290,"marks":3291,"data":3292}," for phishing links and pages. 
",[],{},{"nodeType":1342,"data":3294,"content":3298},{"target":3295},{"sys":3296},{"id":3297,"type":1347,"linkType":1348},"34ZpjuFhaSMC6MtjThQsnK",[],{"nodeType":1294,"data":3300,"content":3301},{},[3302],{"nodeType":1293,"value":3303,"marks":3304,"data":3305},"This comparison is also interesting when you consider…",[],{},{"nodeType":1540,"data":3307,"content":3308},{},[3309],{"nodeType":1293,"value":3310,"marks":3311,"data":3313},"Using commercial AiTM toolkits like Evilginx to bypass MFA and evade detection",[3312],{"type":1362},{},{"nodeType":1294,"data":3315,"content":3316},{},[3317],{"nodeType":1293,"value":3318,"marks":3319,"data":3320},"Scattered Spider have been observed frequently using Evilginx as their phishing kit of choice. Evilginx is a great choice for attackers looking to target non-standard web apps because it is capable of emulating a range of domains — it’s designed to be flexible and work for any page without generating a load of custom JavaScript that might stand out to security tools/analysts. See an example of Evilginx being used to phish a user below.",[],{},{"nodeType":1342,"data":3322,"content":3326},{"target":3323},{"sys":3324},{"id":3325,"type":1347,"linkType":1348},"7IuP0mcRZJkL8YGNoZo5Dj",[],{"nodeType":1294,"data":3328,"content":3329},{},[3330,3334,3343,3347,3356],{"nodeType":1293,"value":3331,"marks":3332,"data":3333},"By default, Evilginx redirects any site visitor not following the correct url path or supplying the correct parameters to the YouTube video for Rick Astley’s “Never Gonna Give You Up” (aka “Rickrolling”). This behavior has been observed on Scattered Spider phishing sites. 
Interestingly, we also observed this in the Onfido malvertising example above, ",[],{},{"nodeType":1372,"data":3335,"content":3337},{"uri":3336},"https://www.linkedin.com/feed/update/urn:li:activity:7323102794813505536?commentUrn=urn%3Ali%3Acomment%3A%28activity%3A7323102794813505536%2C7323308731813814272%29&dashCommentUrn=urn%3Ali%3Afsd_comment%3A%287323308731813814272%2Curn%3Ali%3Aactivity%3A7323102794813505536%29",[3338],{"nodeType":1293,"value":3339,"marks":3340,"data":3342},"while members of the infosec community",[3341],{"type":1380},{},{"nodeType":1293,"value":3344,"marks":3345,"data":3346}," are increasingly seeing phishing attacks with this behavior. (This example also features use of ",[],{},{"nodeType":1372,"data":3348,"content":3350},{"uri":3349},"https://pushsecurity.com/blog/how-consent-phishing-is-evolving/",[3351],{"nodeType":1293,"value":3352,"marks":3353,"data":3355},"consent phishing",[3354],{"type":1380},{},{"nodeType":1293,"value":3357,"marks":3358,"data":3359}," to prevent analysis of the malicious link by hiding it behind a legit Microsoft app consent page, another detection evasion tactic). ",[],{},{"nodeType":1540,"data":3361,"content":3362},{},[3363],{"nodeType":1293,"value":3364,"marks":3365,"data":3367},"Pre-populating victim information using targeted phishing links",[3366],{"type":1362},{},{"nodeType":1294,"data":3369,"content":3370},{},[3371,3375,3384],{"nodeType":1293,"value":3372,"marks":3373,"data":3374},"A general trend that we’re seeing in the wild, also utilized by Scattered Spider, is phishing attacks becoming increasingly targeted. 
This includes using redirects to legitimate apps unless specific parameters are supplied, ",[],{},{"nodeType":1372,"data":3376,"content":3378},{"uri":3377},"https://www.bleepingcomputer.com/news/security/phishing-kits-now-vet-victims-in-real-time-before-stealing-credentials/",[3379],{"nodeType":1293,"value":3380,"marks":3381,"data":3383},"only loading malicious content for specific usernames",[3382],{"type":1380},{},{"nodeType":1293,"value":3385,"marks":3386,"data":3387}," (and redirecting to benign sites otherwise), implementing one-time phishing links (essentially magic links that work once for the victim, preventing security teams or tools from accessing the page to analyse it later), and pre-populating the victim information on the page to make it feel more genuine (you would expect a website you have visited and logged into before to pre-populate some of your details, like your username/email). ",[],{},{"nodeType":1294,"data":3389,"content":3390},{},[3391],{"nodeType":1293,"value":3392,"marks":3393,"data":3394},"See an example of this (along with a few of the detection evasion techniques we've mentioned) below. 
",[],{},{"nodeType":1342,"data":3396,"content":3400},{"target":3397},{"sys":3398},{"id":3399,"type":1347,"linkType":1348},"1zn1G6CutY0HBkXHUIo159",[],{"nodeType":1540,"data":3402,"content":3403},{},[3404],{"nodeType":1293,"value":3405,"marks":3406,"data":3408},"Varying login pages to evade cloned page detections",[3407],{"type":1362},{},{"nodeType":1294,"data":3410,"content":3411},{},[3412,3416,3425],{"nodeType":1293,"value":3413,"marks":3414,"data":3415},"Attackers are routinely using a ",[],{},{"nodeType":1372,"data":3417,"content":3419},{"uri":3418},"https://pushsecurity.com/blog/how-aitm-phishing-kits-evade-detection-p2/",[3420],{"nodeType":1293,"value":3421,"marks":3422,"data":3424},"combination of visual and DOM-based obfuscation techniques",[3423],{"type":1380},{},{"nodeType":1293,"value":3426,"marks":3427,"data":3428}," to create convincing phishing pages that are different enough from the real page being impersonated so that detections based on cloned pages do not fire. ",[],{},{"nodeType":1294,"data":3430,"content":3431},{},[3432],{"nodeType":1293,"value":3433,"marks":3434,"data":3435},"While Okta accounts remain a key target for Scattered Spider, they are using a range of customized landing pages to target Okta accounts for various organizations at URLs like:",[],{},{"nodeType":1408,"data":3437,"content":3438},{},[3439,3449,3459,3469,3479,3489],{"nodeType":1412,"data":3440,"content":3441},{},[3442],{"nodeType":1294,"data":3443,"content":3444},{},[3445],{"nodeType":1293,"value":3446,"marks":3447,"data":3448},"corp-hubspot[.]com – HubSpot",[],{},{"nodeType":1412,"data":3450,"content":3451},{},[3452],{"nodeType":1294,"data":3453,"content":3454},{},[3455],{"nodeType":1293,"value":3456,"marks":3457,"data":3458},"morningstar-okta[.]com – Morningstar",[],{},{"nodeType":1412,"data":3460,"content":3461},{},[3462],{"nodeType":1294,"data":3463,"content":3464},{},[3465],{"nodeType":1293,"value":3466,"marks":3467,"data":3468},"pure-okta[.]com – Pure 
Storage",[],{},{"nodeType":1412,"data":3470,"content":3471},{},[3472],{"nodeType":1294,"data":3473,"content":3474},{},[3475],{"nodeType":1293,"value":3476,"marks":3477,"data":3478},"signin-nydig[.]com – New York Digital Investment Group",[],{},{"nodeType":1412,"data":3480,"content":3481},{},[3482],{"nodeType":1294,"data":3483,"content":3484},{},[3485],{"nodeType":1293,"value":3486,"marks":3487,"data":3488},"sso-instacart[.]com – Instacart",[],{},{"nodeType":1412,"data":3490,"content":3491},{},[3492],{"nodeType":1294,"data":3493,"content":3494},{},[3495],{"nodeType":1293,"value":3496,"marks":3497,"data":3498},"sts-vodafone[.]com – Vodafone",[],{},{"nodeType":1342,"data":3500,"content":3504},{"target":3501},{"sys":3502},{"id":3503,"type":1347,"linkType":1348},"38EyQfvJWcqHukYq8rm8ap",[],{"nodeType":1351,"data":3506,"content":3507},{},[],{"nodeType":1355,"data":3509,"content":3510},{},[3511],{"nodeType":1293,"value":3512,"marks":3513,"data":3515},"Defend your organization from Scattered Spider",[3514],{"type":1362},{},{"nodeType":1294,"data":3517,"content":3518},{},[3519],{"nodeType":1293,"value":3520,"marks":3521,"data":3522},"Scattered Spider have proven to be a highly creative and adaptable threat group, using a range of identity-centric TTPs and evolving (or rather, adding to) their repertoire over time. ",[],{},{"nodeType":1294,"data":3524,"content":3525},{},[3526],{"nodeType":1293,"value":3527,"marks":3528,"data":3529},"Although Scattered Spider have a number of telltale actions and behaviors, like targeting and leveraging SaaS services, utilizing AiTM phishing kits like Evilginx to target IdP accounts like Okta, and deploying ransomware to cloud servers, they are able to flex their approach to take down their targets. 
",[],{},{"nodeType":1294,"data":3531,"content":3532},{},[3533,3537,3546,3550,3558],{"nodeType":1293,"value":3534,"marks":3535,"data":3536},"Scattered Spider’s behavior demonstrates that they are extremely ",[],{},{"nodeType":1372,"data":3538,"content":3540},{"uri":3539},"https://www.crowdstrike.com/en-us/resources/crowdcasts/cloud-threat-summit/",[3541],{"nodeType":1293,"value":3542,"marks":3543,"data":3545},"cloud-conscious",[3544],{"type":1380},{},{"nodeType":1293,"value":3547,"marks":3548,"data":3549}," (as many modern threat actors are) and are leveraging modern TTPs designed to evade traditional security controls and exploit blind-spots in enterprise security visibility. For example, by constantly rotating their phishing domains and pages, Scattered Spider (and many threat actors like them) are routinely evading common phishing detection controls, taking advantage of the limitations of ",[],{},{"nodeType":1372,"data":3551,"content":3552},{"uri":3282},[3553],{"nodeType":1293,"value":3554,"marks":3555,"data":3557},"blocklist-driven approaches to phishing detection",[3556],{"type":1380},{},{"nodeType":1293,"value":2259,"marks":3559,"data":3560},[],{},{"nodeType":1351,"data":3562,"content":3563},{},[],{"nodeType":1355,"data":3565,"content":3566},{},[3567],{"nodeType":1293,"value":3568,"marks":3569,"data":3571},"Aligning Push Security’s capabilities against Scattered Spider’s TTPs",[3570],{"type":1362},{},{"nodeType":1294,"data":3573,"content":3574},{},[3575],{"nodeType":1293,"value":3576,"marks":3577,"data":3579},"Push provides a multi-layered set of detections and controls for defending against the TTPs known to be used by Scattered Spider. 
",[3578],{"type":1362},{},{"nodeType":1342,"data":3581,"content":3585},{"target":3582},{"sys":3583},{"id":3584,"type":1347,"linkType":1348},"6aB3mLLXZIhrlyuCx2hOzY",[],{"nodeType":1540,"data":3587,"content":3588},{},[3589],{"nodeType":1293,"value":3590,"marks":3591,"data":3592},"Detect and block AiTM phishing toolkits",[],{},{"nodeType":1294,"data":3594,"content":3595},{},[3596],{"nodeType":1293,"value":3597,"marks":3598,"data":3600},"The Push browser agent will detect when employees visit websites running MFA-bypassing phishing toolkits such as Evilginx. ",[3599],{"type":1362},{},{"nodeType":1342,"data":3602,"content":3606},{"target":3603},{"sys":3604},{"id":3605,"type":1347,"linkType":1348},"I19TQYItDFlaOgisrST6P",[],{"nodeType":1294,"data":3608,"content":3609},{},[3610],{"nodeType":1293,"value":3611,"marks":3612,"data":3613},"The Push browser agent analyzes the behavioral attributes of phishing tools, e.g. “something the toolkit does” vs. just a static signature like a URL path or domain.",[],{},{"nodeType":1294,"data":3615,"content":3616},{},[3617],{"nodeType":1293,"value":3618,"marks":3619,"data":3620},"Based on your configuration, Push can then warn or block employees from accessing those phishing sites using a customisable blocking page or banner.",[],{},{"nodeType":1342,"data":3622,"content":3626},{"target":3623},{"sys":3624},{"id":3625,"type":1347,"linkType":1348},"4ixcEsEW4EyqckOTmP5Pbb",[],{"nodeType":1540,"data":3628,"content":3629},{},[3630],{"nodeType":1293,"value":3631,"marks":3632,"data":3633},"Detect cloned login pages",[],{},{"nodeType":1294,"data":3635,"content":3636},{},[3637],{"nodeType":1293,"value":3638,"marks":3639,"data":3641},"The Push browser agent will detect when employees visit websites using cloned login screens to steal credentials - i.e. 
a cloned Okta login page.",[3640],{"type":1362},{},{"nodeType":1294,"data":3643,"content":3644},{},[3645],{"nodeType":1293,"value":3646,"marks":3647,"data":3648},"Push does this by fingerprinting the page structure and resources of your legitimate login pages and monitoring for pages that are very similar.",[],{},{"nodeType":1294,"data":3650,"content":3651},{},[3652],{"nodeType":1293,"value":3653,"marks":3654,"data":3655},"Push will then emit a webhook event when it detects that an employee has visited a page that appears to be a clone of a legitimate login page.",[],{},{"nodeType":1540,"data":3657,"content":3658},{},[3659],{"nodeType":1293,"value":3660,"marks":3661,"data":3662},"Pin your sensitive passwords to specific sites",[],{},{"nodeType":1294,"data":3664,"content":3665},{},[3666,3671,3677],{"nodeType":1293,"value":3667,"marks":3668,"data":3670},"The Push browser agent will detect when employees attempt to enter their IdP password (such as Okta) into webpages that ",[3669],{"type":1362},{},{"nodeType":1293,"value":3672,"marks":3673,"data":3676},"do not",[3674,3675],{"type":1380},{"type":1362},{},{"nodeType":1293,"value":3678,"marks":3679,"data":3681}," belong to that IdP.",[3680],{"type":1362},{},{"nodeType":1294,"data":3683,"content":3684},{},[3685,3689,3698],{"nodeType":1293,"value":3686,"marks":3687,"data":3688},"When observing logins, the Push browser agent generates a salted partial hash of the user’s password, known as a fingerprint. This fingerprint is then stored locally in the browser to allow Push to perform password comparisons. 
You can read more about how the extension securely observes passwords in this ",[],{},{"nodeType":1372,"data":3690,"content":3692},{"uri":3691},"https://pushsecurity.com/help/10065/#start",[3693],{"nodeType":1293,"value":3694,"marks":3695,"data":3697},"help article",[3696],{"type":1380},{},{"nodeType":1293,"value":2981,"marks":3699,"data":3700},[],{},{"nodeType":1294,"data":3702,"content":3703},{},[3704],{"nodeType":1293,"value":3705,"marks":3706,"data":3707},"To detect phishing attempts against Okta (and other identity providers), the Push browser agent compares the observed Okta password fingerprint to the known Okta fingerprint that already exists in local storage.",[],{},{"nodeType":1294,"data":3709,"content":3710},{},[3711],{"nodeType":1293,"value":3712,"marks":3713,"data":3714},"If an employee has entered their valid Okta password on a webpage that does not belong to Okta — i.e. a phishing page — Push will enforce the SSO password protection settings set by an administrator (block or warn). This serves as a second layer of defense when used in conjunction with AiTM and cloned login page detections. ",[],{},{"nodeType":1342,"data":3716,"content":3720},{"target":3717},{"sys":3718},{"id":3719,"type":1347,"linkType":1348},"20FIoIyuQYxep3V4SFWdoK",[],{"nodeType":1540,"data":3722,"content":3723},{},[3724],{"nodeType":1293,"value":3725,"marks":3726,"data":3727},"Detect compromised sessions",[],{},{"nodeType":1294,"data":3729,"content":3730},{},[3731],{"nodeType":1293,"value":3732,"marks":3733,"data":3735},"By correlating Push telemetry with Okta logs, Push can detect compromised Okta sessions originating from outside employees’ supported browsers. 
",[3734],{"type":1362},{},{"nodeType":1294,"data":3737,"content":3738},{},[3739],{"nodeType":1293,"value":3740,"marks":3741,"data":3742},"Using the Push browser agent, you can inject a unique marker into the User Agent string of Okta sessions that occur in browsers enrolled in Push.",[],{},{"nodeType":1294,"data":3744,"content":3745},{},[3746],{"nodeType":1293,"value":3747,"marks":3748,"data":3749},"By then comparing against Okta logs, you can distinguish sessions that carry the Push marker from those that lack it; a missing marker indicates the session is being used from a machine without the Push extension, and therefore that the session token may have been stolen.",[],{},{"nodeType":1342,"data":3751,"content":3755},{"target":3752},{"sys":3753},{"id":3754,"type":1347,"linkType":1348},"1XNNkaoW64t3PPvC54KGXF",[],{"nodeType":1540,"data":3757,"content":3758},{},[3759],{"nodeType":1293,"value":3760,"marks":3761,"data":3762},"Detect when employee credentials are stolen",[],{},{"nodeType":1294,"data":3764,"content":3765},{},[3766],{"nodeType":1293,"value":3767,"marks":3768,"data":3770},"Push will detect when valid credentials appear for sale on criminal forums. ",[3769],{"type":1362},{},{"nodeType":1294,"data":3772,"content":3773},{},[3774],{"nodeType":1293,"value":3775,"marks":3776,"data":3777},"The Push platform detects valid, stolen credentials on criminal forums by ingesting threat intelligence data and then verifying which credentials flagged by TI sources are still being used by employees.",[],{},{"nodeType":1294,"data":3779,"content":3780},{},[3781],{"nodeType":1293,"value":3782,"marks":3783,"data":3784},"When suspected stolen credentials for the corporate domain are present, Push salts and hashes the passwords and then sends those fingerprints to the relevant browser agents for comparison. 
If the stolen credential fingerprint matches a known credential fingerprint observed to be in use by the Push browser agent, the platform returns a validated true positive alert.",[],{},{"nodeType":1294,"data":3786,"content":3787},{},[3788],{"nodeType":1293,"value":3789,"marks":3790,"data":3791},"You can choose to receive alerts for this detection via webhook, ChatOps notification, or in the Push admin console.",[],{},{"nodeType":1342,"data":3793,"content":3797},{"target":3794},{"sys":3795},{"id":3796,"type":1347,"linkType":1348},"6wfLCTzvHeMzagyuEWGyJg",[],{"nodeType":1540,"data":3799,"content":3800},{},[3801],{"nodeType":1293,"value":3802,"marks":3803,"data":3804},"Map login methods and remove ghost logins",[],{},{"nodeType":1294,"data":3806,"content":3807},{},[3808],{"nodeType":1293,"value":3809,"marks":3810,"data":3812},"Push maps all the identities used by employees to access workforce apps, including local, non-Okta identities. This data can be used to migrate more apps and accounts to Okta SSO and reduce the overall identity attack surface. ",[3811],{"type":1362},{},{"nodeType":1294,"data":3814,"content":3815},{},[3816],{"nodeType":1293,"value":3817,"marks":3818,"data":3819},"The Push browser agent observes employees using their corporate identities to access work applications. Push customers gain accurate visibility across all Okta and non-Okta identities, the employees that are using them, the apps they are accessing and the authentication methods being used. 
",[],{},{"nodeType":1294,"data":3821,"content":3822},{},[3823,3827,3835],{"nodeType":1293,"value":3824,"marks":3825,"data":3826},"Armed with this data, security teams can get more workforce apps and accounts behind SSO to reduce the overall identity attack surface, while removing any ",[],{},{"nodeType":1372,"data":3828,"content":3830},{"uri":3829},"https://pushsecurity.com/blog/ghost-logins-when-forgotten-identities-come-back-to-haunt-you/",[3831],{"nodeType":1293,"value":1573,"marks":3832,"data":3834},[3833],{"type":1380},{},{"nodeType":1293,"value":3836,"marks":3837,"data":3838}," that enable attackers to circumvent MFA by logging in directly to the app/page. ",[],{},{"nodeType":1342,"data":3840,"content":3844},{"target":3841},{"sys":3842},{"id":3843,"type":1347,"linkType":1348},"dbDM075qSd4P3wnXuXX2Z",[],{"nodeType":1540,"data":3846,"content":3847},{},[3848],{"nodeType":1293,"value":3849,"marks":3850,"data":3851},"Verify help desk caller identities with in-browser verification codes",[],{},{"nodeType":1294,"data":3853,"content":3854},{},[3855,3859,3869],{"nodeType":1293,"value":3856,"marks":3857,"data":3858},"To help combat help desk scams, we recently released ",[],{},{"nodeType":1372,"data":3860,"content":3862},{"uri":3861},"https://pushsecurity.com/blog/employee-identity-verification-codes-release/",[3863],{"nodeType":1293,"value":3864,"marks":3865,"data":3868},"Employee Identity Verification Codes",[3866,3867],{"type":1380},{"type":1362},{},{"nodeType":1293,"value":3870,"marks":3871,"data":3872}," — a simple, browser-based identity check that gives your help desk a reliable way to confirm they’re talking to someone from your organization.",[],{},{"nodeType":1342,"data":3874,"content":3878},{"target":3875},{"sys":3876},{"id":3877,"type":1347,"linkType":1348},"1TEpCjh8UGwmejgYSGC1by",[],{"nodeType":1294,"data":3880,"content":3881},{},[3882],{"nodeType":1293,"value":3883,"marks":3884,"data":3885},"It enables legitimate help desk callers to quickly verify that 
they’re in possession of their primary device (i.e. laptop) by relaying a rotating 6-digit verification code in their browser via the Push extension. This is a great way to securely confirm caller identity and sniff out fraudulent callers, and can be used as part of a phishing-resistant help desk process. ",[],{},{"nodeType":1294,"data":3887,"content":3888},{},[3889,3893,3902],{"nodeType":1293,"value":3890,"marks":3891,"data":3892},"You can use Employee Verification Codes as a free tool by installing the Push browser extension. Simply ",[],{},{"nodeType":1372,"data":3894,"content":3896},{"uri":3895},"https://pushsecurity.com/free-tool/employee-verification-codes",[3897],{"nodeType":1293,"value":3898,"marks":3899,"data":3901},"sign up for a trial account and you can deploy the extension organization-wide to make use of this feature",[3900],{"type":1380},{},{"nodeType":1293,"value":3903,"marks":3904,"data":3905},". While you’re at it, you can trial Push’s full features for up to 10 users for free. ",[],{},{"nodeType":1342,"data":3907,"content":3911},{"target":3908},{"sys":3909},{"id":3910,"type":1347,"linkType":1348},"6Td0hDBYdeT8tlnnfwipmD",[],{"nodeType":1351,"data":3913,"content":3914},{},[],{"nodeType":1355,"data":3916,"content":3917},{},[3918],{"nodeType":1293,"value":3919,"marks":3920,"data":3922},"Learn more",[3921],{"type":1362},{},{"nodeType":1294,"data":3924,"content":3925},{},[3926],{"nodeType":1293,"value":3927,"marks":3928,"data":3929},"It doesn’t stop there — Push provides comprehensive identity attack detection and response capabilities against techniques like credential stuffing, password spraying and session hijacking using stolen session tokens. You can also use Push to find and fix identity vulnerabilities across every app that your employees use like: ghost logins; SSO coverage gaps; MFA gaps; weak, breached and reused passwords; risky OAuth integrations; and more. 
",[],{},{"nodeType":1294,"data":3931,"content":3932},{},[3933,3937,3945],{"nodeType":1293,"value":3934,"marks":3935,"data":3936},"If you want to learn more about how Push helps you to detect and defeat common identity attack techniques, ",[],{},{"nodeType":1372,"data":3938,"content":3940},{"uri":3939},"https://pushsecurity.com/demo?utm_campaign=12081956-FY25Q2_Hacker-News-Article&utm_source=thehackernews&utm_medium=sponsored&utm_content=external-article",[3941],{"nodeType":1293,"value":3942,"marks":3943,"data":3944},"book some time with one of our team for a live demo",[],{},{"nodeType":1293,"value":2981,"marks":3946,"data":3947},[],{},"Scattered Spider: TTP evolution in 2025","How the notorious Scattered Spider cyber criminal group are switching up their TTPs in 2025 to bypass MFA and breach cloud services via account takeover.","2025-05-06T00:00:00.000Z","scattered-spider-ttp-evolution-in-2025",{"items":3953},[3954,3956],{"sys":3955,"name":2558},{"id":2557},{"sys":3957,"name":2219},{"id":2218},{"items":3959},[3960],{"fullName":2223,"firstName":2224,"jobTitle":2225,"profilePicture":3961},{"url":2227},{"items":3963},[3964],{"fullName":3965,"firstName":3966,"jobTitle":2566,"profilePicture":3967},"Peyton Padfield","Peyton",{"url":3968},"https://images.ctfassets.net/y1cdw1ablpvd/1GU01HXElmc07nwi89qP3b/3188050420106c62e9df2ed4e4893b7f/1677005177901__1_.jpeg",{"json":3970,"links":4281},{"data":3971,"content":3972,"nodeType":1295},{},[3973,3989,3996,4003,4006,4014,4029,4049,4056,4076,4096,4102,4105,4113,4120,4127,4147,4153,4156,4164,4171,4178,4198,4218,4224,4230,4233,4241,4248,4255,4262],{"data":3974,"content":3975,"nodeType":1294},{},[3976,3980,3985],{"data":3977,"marks":3978,"value":3979,"nodeType":1293},{},[],"If you work in healthcare, or support teams that do, you already know that regulatory change can be both necessary 
",{"data":3981,"marks":3982,"value":3984,"nodeType":1293},{},[3983],{"type":312},"and",{"data":3986,"marks":3987,"value":3988,"nodeType":1293},{},[]," disruptive. The updates bring welcome clarity and stronger security expectations, but they also ask a lot from security teams that are already stretched thin.",{"data":3990,"content":3991,"nodeType":1294},{},[3992],{"data":3993,"marks":3994,"value":3995,"nodeType":1293},{},[],"Here at Push, we think these changes are a step in the right direction. Better protection for patient data is always the goal. But implementing these new requirements isn’t easy, especially in complex environments with a mix of legacy systems, shadow SaaS, and a hybrid workforce.",{"data":3997,"content":3998,"nodeType":1294},{},[3999],{"data":4000,"marks":4001,"value":4002,"nodeType":1293},{},[],"So, let’s walk through a few of the biggest changes coming in 2025, why they matter, and how healthcare orgs can begin navigating them effectively.",{"data":4004,"content":4005,"nodeType":1351},{},[],{"data":4007,"content":4008,"nodeType":1355},{},[4009],{"data":4010,"marks":4011,"value":4013,"nodeType":1293},{},[4012],{"type":1362},"MFA is no longer optional",{"data":4015,"content":4016,"nodeType":1294},{},[4017,4021,4026],{"data":4018,"marks":4019,"value":4020,"nodeType":1293},{},[],"In the past, HIPAA called multi-factor authentication an \"addressable\" control. That gave organizations some wiggle room to implement it where feasible. The 2025 update removes the ambiguity. If your systems handle electronic protected health information, MFA is now ",{"data":4022,"marks":4023,"value":4025,"nodeType":1293},{},[4024],{"type":312},"mandatory",{"data":4027,"marks":4028,"value":2981,"nodeType":1293},{},[],{"data":4030,"content":4031,"nodeType":1294},{},[4032,4036,4045],{"data":4033,"marks":4034,"value":4035,"nodeType":1293},{},[],"This is a good move. 
Passwords alone just don’t cut it anymore, especially with the rise of credential stuffing, ",{"data":4037,"content":4039,"nodeType":1372},{"uri":4038},"https://pushsecurity.com/uc/zero-day-phishing-protection",[4040],{"data":4041,"marks":4042,"value":4044,"nodeType":1293},{},[4043],{"type":1380},"sophisticated phishing attacks",{"data":4046,"marks":4047,"value":4048,"nodeType":1293},{},[],", and social engineering. But rolling out MFA across every user? That’s a big lift.",{"data":4050,"content":4051,"nodeType":1294},{},[4052],{"data":4053,"marks":4054,"value":4055,"nodeType":1293},{},[],"What we often see teams struggle with is coverage. Ensuring MFA is enforced on all apps in your environment is often pretty tough, but starting with a thorough review of application access across the organization is a good first step. Once you have that visibility, you can better assess where gaps in MFA enforcement might exist and then start closing them.",{"data":4057,"content":4058,"nodeType":1294},{},[4059,4063,4072],{"data":4060,"marks":4061,"value":4062,"nodeType":1293},{},[],"And those gaps are more common than many teams realize. The average employee ",{"data":4064,"content":4066,"nodeType":1372},{"uri":4065},"https://pushsecurity.com/blog/how-many-vulnerable-identities-do-you-have/#id-identity-configurations-and-how-they-can-be-exploited",[4067],{"data":4068,"marks":4069,"value":4071,"nodeType":1293},{},[4070],{"type":1380},"uses 15 different work applications",{"data":4073,"marks":4074,"value":4075,"nodeType":1293},{},[],", yet only 28% of those apps have MFA enabled. Even more worrying, nearly half of those apps missing MFA protection are also using weak or leaked passwords, compounding the risk. ",{"data":4077,"content":4078,"nodeType":1294},{},[4079,4083,4092],{"data":4080,"marks":4081,"value":4082,"nodeType":1293},{},[],"While this shift will take planning, the good news is that there are tools that can help make it more manageable. 
Our ",{"data":4084,"content":4086,"nodeType":1372},{"uri":4085},"https://pushsecurity.com/product/",[4087],{"data":4088,"marks":4089,"value":4091,"nodeType":1293},{},[4090],{"type":1380},"browser-based agent",{"data":4093,"marks":4094,"value":4095,"nodeType":1293},{},[]," gives you a way to monitor login activity across your workforce, surfacing when users aren't registered for MFA on apps they regularly use for work. We can even enforce MFA on those accounts, prompting users to set up MFA using a customizable in-browser banner, which helps teams get better coverage without needing to chase down every individual. This is all done where the users are actually logging into their accounts in the browser. No integrations required.",{"data":4097,"content":4101,"nodeType":1342},{"target":4098},{"sys":4099},{"id":4100,"type":1347,"linkType":1348},"6VMovx9xzsokZGQQryKlyA",[],{"data":4103,"content":4104,"nodeType":1351},{},[],{"data":4106,"content":4107,"nodeType":1355},{},[4108],{"data":4109,"marks":4110,"value":4112,"nodeType":1293},{},[4111],{"type":1362},"Know your assets and your data flows",{"data":4114,"content":4115,"nodeType":1294},{},[4116],{"data":4117,"marks":4118,"value":4119,"nodeType":1293},{},[],"One of the more technical (but important!) updates in the 2025 rule is the new requirement to maintain a detailed inventory of all systems that interact with electronic protected health information. This includes not just physical devices and on-prem systems, but cloud services and software as well. The goal is to understand exactly which systems interact with ePHI, how they do it, and where that data goes.",{"data":4121,"content":4122,"nodeType":1294},{},[4123],{"data":4124,"marks":4125,"value":4126,"nodeType":1293},{},[],"Importantly, this new guidance also requires orgs to remove extraneous software from any systems that handle ePHI. 
That could mean eliminating unused or redundant apps, retiring legacy systems that no longer meet security standards, or re-evaluating the use of consumer-grade tools for sensitive workflows.",{"data":4128,"content":4129,"nodeType":1294},{},[4130,4134,4143],{"data":4131,"marks":4132,"value":4133,"nodeType":1293},{},[],"Getting a complete view of your assets is easier said than done, especially when staff are able to ",{"data":4135,"content":4137,"nodeType":1372},{"uri":4136},"https://pushsecurity.com/uc/shadow-saas",[4138],{"data":4139,"marks":4140,"value":4142,"nodeType":1293},{},[4141],{"type":1380},"self-adopt",{"data":4144,"marks":4145,"value":4146,"nodeType":1293},{},[]," new tools to increase their productivity. Push tracks the apps your users log into with their work credentials, no matter if those apps are officially sanctioned or not. This helps you uncover your true application footprint, so you can begin reviewing which SaaS apps are essential and which ones pose unnecessary risk and should be blocked. With better visibility into real-world usage, it becomes much easier to decide which tools are worth keeping.",{"data":4148,"content":4152,"nodeType":1342},{"target":4149},{"sys":4150},{"id":4151,"type":1347,"linkType":1348},"664FI99rvxtjfb2b6KcJqv",[],{"data":4154,"content":4155,"nodeType":1351},{},[],{"data":4157,"content":4158,"nodeType":1355},{},[4159],{"data":4160,"marks":4161,"value":4163,"nodeType":1293},{},[4162],{"type":1362},"Risk analysis needs to get real",{"data":4165,"content":4166,"nodeType":1294},{},[4167],{"data":4168,"marks":4169,"value":4170,"nodeType":1293},{},[],"The new HIPAA rule puts more emphasis on risk analysis. One-off assessments are no longer sufficient. Organizations need to demonstrate an ongoing process for identifying and evaluating threats and vulnerabilities.",{"data":4172,"content":4173,"nodeType":1294},{},[4174],{"data":4175,"marks":4176,"value":4177,"nodeType":1293},{},[],"Again, easier said than done. 
Risk isn’t static, and security teams can’t catch everything with quarterly audits alone. That’s why a lot of orgs are looking for ways to layer in continuous, real-time signals that can flag risk before it becomes a full-blown incident.",{"data":4179,"content":4180,"nodeType":1294},{},[4181,4185,4194],{"data":4182,"marks":4183,"value":4184,"nodeType":1293},{},[],"Behavioral signals are one way to make that process more dynamic. These give you a better view of how users interact with systems and where potential gaps might be forming. ",{"data":4186,"content":4188,"nodeType":1372},{"uri":4187},"https://pushsecurity.com/blog/how-many-vulnerable-identities-do-you-have",[4189],{"data":4190,"marks":4191,"value":4193,"nodeType":1293},{},[4192],{"type":1380},"In our own research",{"data":4195,"marks":4196,"value":4197,"nodeType":1293},{},[],", we found that one in four IdP accounts still lack MFA. When you combine that with weak credentials and unknown app usage, you get a clearer picture of how vulnerabilities build up over time. ",{"data":4199,"content":4200,"nodeType":1294},{},[4201,4205,4214],{"data":4202,"marks":4203,"value":4204,"nodeType":1293},{},[],"Push supports that kind of ongoing risk work by providing real-time insights into user behavior. We surface unusual activity such as ",{"data":4206,"content":4208,"nodeType":1372},{"uri":4207},"https://pushsecurity.com/uc/identity-security-posture-management",[4209],{"data":4210,"marks":4211,"value":4213,"nodeType":1293},{},[4212],{"type":1380},"unusual login methods",{"data":4215,"marks":4216,"value":4217,"nodeType":1293},{},[]," or atypical app usage. These kinds of insights can help teams prioritize where attention is needed most. 
Even simple changes that follow from those insights, like tightening authentication policies or auditing admin access more regularly, can have a meaningful impact on your risk posture.",{"data":4219,"content":4223,"nodeType":1342},{"target":4220},{"sys":4221},{"id":4222,"type":1347,"linkType":1348},"U9FszA4eUM4zVYSkakmNY",[],{"data":4225,"content":4229,"nodeType":1342},{"target":4226},{"sys":4227},{"id":4228,"type":1347,"linkType":1348},"2F5yEv6vkdEs0Q8FYbp6uv",[],{"data":4231,"content":4232,"nodeType":1351},{},[],{"data":4234,"content":4235,"nodeType":1355},{},[4236],{"data":4237,"marks":4238,"value":4240,"nodeType":1293},{},[4239],{"type":1362},"Wrapping up",{"data":4242,"content":4243,"nodeType":1294},{},[4244],{"data":4245,"marks":4246,"value":4247,"nodeType":1293},{},[],"The 2025 HIPAA changes are thoughtful and necessary. They reflect the way people actually work today, and they challenge us to raise the bar on how we manage access, visibility, and risk. ",{"data":4249,"content":4250,"nodeType":1294},{},[4251],{"data":4252,"marks":4253,"value":4254,"nodeType":1293},{},[],"Of course, none of this is easy. It takes time to build out inventories, map data flows, and rethink risk management practices. But the end result, a more secure and resilient environment for patient data, is well worth it.",{"data":4256,"content":4257,"nodeType":1294},{},[4258],{"data":4259,"marks":4260,"value":4261,"nodeType":1293},{},[],"At Push, our goal is to make that process more manageable. We build tools to help organizations get clarity on their SaaS usage, strengthen their identity security posture, and respond to threats quickly. 
But more than that, we want to be a resource to teams navigating these updates.",{"data":4263,"content":4264,"nodeType":1294},{},[4265,4269,4277],{"data":4266,"marks":4267,"value":4268,"nodeType":1293},{},[],"Whether you're just starting to assess your readiness or knee-deep in implementation plans, ",{"data":4270,"content":4271,"nodeType":1372},{"uri":2185},[4272],{"data":4273,"marks":4274,"value":4276,"nodeType":1293},{},[4275],{"type":1380},"let us know",{"data":4278,"marks":4279,"value":4280,"nodeType":1293},{},[],". We’re always happy to chat.",{"entries":4282},{"hyperlink":4283,"inline":4284,"block":4285},[],[],[4286,4295,4303,4311],{"sys":4287,"__typename":4288,"title":4289,"caption":4290,"layoutMode":118,"file":4291},{"id":4100},"Image","MFA banner image","Push prompts users to enroll MFA when logging into an app if no MFA method has been detected. ",{"url":4292,"width":4293,"height":4294},"https://images.ctfassets.net/y1cdw1ablpvd/1ozt4EP9Y79qYo2uH0BEjJ/5cee60a130feeca5e1ea262e6252d243/image2.png",1440,809,{"sys":4296,"__typename":4288,"title":4297,"caption":4298,"layoutMode":118,"file":4299},{"id":4151},"Push dashboard image","Push gives you a complete view of your assets and how employees are accessing them — enabling you to monitor where data is being stored, and how secure the access methods are.",{"url":4300,"width":4301,"height":4302},"https://images.ctfassets.net/y1cdw1ablpvd/7sZsfo4pw2T0iTpfrLL29e/4674a5836647b0c55a05e321ac665092/image3.png",1999,632,{"sys":4304,"__typename":4288,"title":4305,"caption":4306,"layoutMode":118,"file":4307},{"id":4222},"Push identity inventory","Push provides a complete picture of your identity security posture, identifying and prioritising risks for remediation.  
",{"url":4308,"width":4309,"height":4310},"https://images.ctfassets.net/y1cdw1ablpvd/5WSEzq2fwOoYI4gSu5L5er/7e14ad9b56fb63806af5a5fa66f3c247/image1.png",1418,1318,{"sys":4312,"__typename":4313,"type":4314,"ctaText":4315,"buttonLabel":4316,"buttonColour":4317,"buttonUrl":4318},{"id":4228},"CtaWidget","Custom","Learn how threat actors like Scattered Spider are exploiting identity security gaps to take over accounts, steal data, and deploy ransomware. ","Watch On-demand","sunny orange","https://pushsecurity.com/webinar/scatteredspider","content:blog:2025-hipaa-rule-change.json","json","content","blog/2025-hipaa-rule-change.json","blog/2025-hipaa-rule-change",1776359984693]