[{"data":1,"prerenderedAt":4713},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":95,"navbar-about-highlight":155,"navbar-resource-highlight":211,"use-case-page":256,"blog/a-new-class-of-phishing-verification-phishing-and-cross-idp-impersonation":1276},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8,59,76],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":14,"data":15,"variations":50,"lastUpdated":51,"firstPublished":52,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":54,"meta":55,"rev":58},1742213002749,"efff2a27faf4408e9f908eba4b5542fe","inductive-automation","1c6207a5f24948ab82d4a0b17f251193","published",[],{"testimonial":16,"description":43,"type":19,"link":44,"title":47,"testimonialLink":48,"image":49},{"@type":17,"id":18,"model":19,"value":20},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79","testimonial",{"query":21,"folders":22,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":26,"variations":30,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":35,"rev":42},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":27,"jobTitle":28,"quote":24,"image":29},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,1,"ST0tXQM8slWpFrmioqKHmENB2qe2",{"kind":36,"lastPreviewUrl":37,"breakpoints":38,"hasAutosaves":41},"data","",{"small":39,"medium":40},640,768,true,"3v32gocrrqz","Join the industry's top security minds as they break down the browser attack landscape.",{"url":45,"text":46},"https://pushsecurity.com/webinar/state-of-browser-security","Save Your Spot","State of Browser Attacks 
Series","/customer-stories/inductive-automation","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe94fca10aa7b46ac8052b7ea22de54cd",{},1776257019270,1742221533648,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2",[],{"breakpoints":56,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},320,"motto9r9yg",{"createdDate":60,"id":61,"name":62,"modelId":12,"published":13,"query":63,"data":64,"variations":69,"lastUpdated":70,"firstPublished":71,"testRatio":33,"createdBy":53,"lastUpdatedBy":72,"folders":73,"meta":74,"rev":58},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner",[],{"type":65,"url":66,"text":67,"link":68},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,"jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":36,"lastPreviewUrl":37,"breakpoints":75,"hasAutosaves":41},{"xsmall":57,"small":39,"medium":40},{"createdDate":77,"id":78,"name":79,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":80,"data":81,"variations":89,"lastUpdated":90,"firstPublished":91,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":92,"meta":93,"rev":58},1742208469288,"6763051b201f44a0838c6400c580ca67","Resource highlight",[],{"image":82,"type":83,"description":84,"link":85,"title":88},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9","resource","Learn about the latest techniques being used in the wild.",{"url":86,"text":87},"/resources/browser-attacks-report","Download now","Report: 2026 Browser Attack 
Techniques",{},1776255866789,1742208570400,[],{"kind":36,"lastPreviewUrl":37,"breakpoints":94,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},{"createdDate":96,"id":97,"name":98,"modelId":99,"published":13,"query":100,"data":101,"variations":145,"lastUpdated":146,"firstPublished":147,"testRatio":33,"createdBy":34,"lastUpdatedBy":148,"folders":149,"meta":150,"rev":154},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":102,"text":103,"url":37,"blocks":104,"state":141},"ewrererw","testrfesssssssssss",[105,129],{"@type":106,"@version":107,"id":108,"component":109,"responsiveStyles":119},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":110,"tag":110,"options":111,"isRSC":118},"TopBannerContent",{"text":112,"ctaText":46,"url":45,"mainText":113,"cta":116},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks",{"content":114,"fontSize":115},"\u003Cp>New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks\u003C/p>","text-base",{"content":117,"fontSize":115,"url":45},"\u003Cp>\u003Cstrong style=\"font-weight:700;\">Save Your 
Spot\u003C/strong>\u003C/p>\n",null,{"large":120},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"marginTop":126,"marginBottom":126,"fontSize":127,"fontWeight":128},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"id":130,"@type":106,"tagName":131,"properties":132,"responsiveStyles":136},"builder-pixel-08zrjigffq5t","img",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":137},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},"block","hidden","none",{"deviceSize":142,"location":143},"large",{"path":37,"query":144},{},{},1775137295127,1774968080803,"ax7YYfD0OCeqT1Vxxv1G4FUbqVr1",[],{"breakpoints":151,"hasLinks":6,"kind":152,"lastPreviewUrl":153,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests%2CmergePullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default","2lvuonnywj",[156,180],{"createdDate":157,"id":158,"name":159,"modelId":160,"published":13,"stageModifiedSincePublish":6,"query":161,"data":162,"variations":173,"lastUpdated":174,"firstPublished":175,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":176,
"meta":177,"rev":179},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":163,"type":19,"testimonialLink":48,"testimonial":164},{},{"@type":17,"id":18,"model":19,"value":165},{"query":166,"folders":167,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":168,"variations":169,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":170,"rev":172},[],[],{"author":27,"jobTitle":28,"quote":24,"image":29},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":171,"hasAutosaves":41},{"small":39,"medium":40},"7t755zfvte3",{},1776247404986,1776247404973,[],{"breakpoints":178,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"4moh0qpywtr",{"createdDate":181,"id":182,"name":88,"modelId":160,"published":13,"meta":183,"stageModifiedSincePublish":6,"query":185,"data":186,"variations":207,"lastUpdated":208,"firstPublished":209,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":210,"rev":179},1776255761419,"05a9322735fc427db12e2740e4302300",{"breakpoints":184,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[],{"testimonial":187,"link":206,"type":83,"title":88,"description":84,"image":82},{"@type":17,"id":188,"model":19,"value":189},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":190,"folders":191,"createdDate":192,"id":188,"name":193,"modelId":25,"published":13,"data":194,"variations":200,"lastUpdated":201,"firstPublished":202,"testRatio":33,"createdBy":34,"lastUpdatedBy":53,"meta":203,"rev":205},[],[],1728981467463,"Push does for identity what CrowdStrike did for the 
endpoint",{"video":195,"jobTitle":196,"author":197,"qoute":37,"quote":198,"image":199},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":36,"lastPreviewUrl":37,"breakpoints":204,"hasAutosaves":41},{"small":39,"medium":40},"6s8ic0w0ao6",{"text":87,"url":86},{},1776255810913,1776255810900,[],[212,235],{"createdDate":213,"id":214,"name":88,"modelId":215,"published":13,"meta":216,"stageModifiedSincePublish":6,"query":218,"data":219,"variations":230,"lastUpdated":231,"firstPublished":232,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":233,"rev":234},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":217,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[],{"testimonial":220,"link":229,"type":83,"title":88,"description":84,"image":82},{"@type":17,"id":188,"model":19,"value":221},{"query":222,"folders":223,"createdDate":192,"id":188,"name":193,"modelId":25,"published":13,"data":224,"variations":225,"lastUpdated":201,"firstPublished":202,"testRatio":33,"createdBy":34,"lastUpdatedBy":53,"meta":226,"rev":228},[],[],{"video":195,"jobTitle":196,"author":197,"qoute":37,"quote":198,"image":199},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":227,"hasAutosaves":41},{"small":39,"medium":40},"r77qqueuo3j",{"text":87,"url":86},{},1776256937553,1776256937540,[],"q0jkez80wkg",{"createdDate":236,"id":237,"name":11,"modelId":215,"published":13,"stageModifiedSincePublish":6,"query":238,"data":239,"variations
":250,"lastUpdated":251,"firstPublished":252,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":253,"meta":254,"rev":234},1776256949234,"ce043785b71b4ece98eac811ecf4ba10",[],{"link":240,"type":19,"testimonial":241,"testimonialLink":48},{},{"@type":17,"id":18,"model":19,"value":242},{"query":243,"folders":244,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":245,"variations":246,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":247,"rev":249},[],[],{"author":27,"jobTitle":28,"quote":24,"image":29},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":248,"hasAutosaves":41},{"small":39,"medium":40},"mnaneamy308",{},1776256974140,1776256974130,[],{"breakpoints":255,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[257,441,560,679,797,917,1037,1157],{"createdDate":258,"id":259,"name":260,"modelId":261,"published":13,"stageModifiedSincePublish":6,"query":262,"data":268,"variations":429,"lastUpdated":430,"firstPublished":431,"testRatio":33,"screenshot":432,"createdBy":34,"lastUpdatedBy":433,"folders":434,"meta":435,"rev":440},1744829487099,"387451215c314dd5bd654668cdc1a197","Zero-day phishing","cca4143377554c5a9163cc203a8ed2ba",[263],{"@type":264,"property":265,"operator":266,"value":267},"@builder.io/core:Query","urlPath","is","/uc/zero-day-phishing-protection",{"inputs":269,"customFonts":270,"seoTitle":318,"title":318,"tsCode":37,"seoDescription":319,"fontAwesomeIcon":320,"jsCode":37,"blocks":321,"url":267,"state":426},[],[271],{"family":272,"kind":273,"version":274,"lastModified":275,"files":276,"category":295,"menu":296,"subsets":297,"variants":300},"DM 
Sans","webfonts#webfont","v14","2023-07-13",{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"800italic":285,"900italic":286,"700italic":287,"100italic":288,"italic":289,"regular":290,"200italic":291,"500italic":292,"300italic":293,"600italic":294},"https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAop1hTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwA_JxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAkJxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAfJthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwARZthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAC5thTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8gCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9uCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDG3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19Dks
Vat-7DW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat_XDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9XCm3zRmYJpso5.ttf","sans-serif","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxRT23z.ttf",[298,299],"latin","latin-ext",[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"100","200","300","regular","500","600","800","900","100italic","200italic","300italic","italic","500italic","600italic","700italic","800italic","900italic","Zero-day phishing protection","Detect phishing TTPs directly in the browser and stop credential theft.","faFishingRod",[322,421],{"@type":106,"@version":107,"tagName":323,"id":324,"children":325},"div","builder-76c6b8d1499346c7bc1fd56ae4e93638",[326,343,351,358,370,385,396,407,413],{"@type":106,"@version":107,"layerName":327,"id":328,"component":329,"responsiveStyles":340},"UseCaseHero","builder-5228fe062bef4a40a91e43f1112832fa",{"name":327,"options":330,"isRSC":118},{"title":318,"description":331,"points":332,"video":339},"\u003Cp>Push detects phishing as it happens. Autonomous agents hunt for new phishing techniques, identify kit signatures, and deploy detections within minutes of a new attack being analyzed. 
From cloned login pages to AiTM credential harvesting, Push sees what traditional filters miss and stops threats before they escalate.\u003C/p>",[333,335,337],{"item":334},"Detect phishing that bypasses traditional filters, including AiTM, SSO password theft, and fake login pages",{"item":336},"Stop never-before-seen attacks with AI-native behavioral and on-page analysis inside the browser",{"item":338},"Investigate faster with unified browser, user, and page context","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F40433ceeb4f94b43a82e039a0f4fd411%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=40433ceeb4f94b43a82e039a0f4fd411&alt=media&optimized=true",{"large":341},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},"transparent",{"@type":106,"@version":107,"id":344,"component":345,"responsiveStyles":348},"builder-96634044407e491299e291ed64669e39",{"name":346,"options":347,"isRSC":118},"TrustedBy",{"AllPartners":41,"backgroundTransparent":6},{"large":349},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},"#000",{"@type":106,"@version":107,"id":352,"component":353,"responsiveStyles":356},"builder-2c3768f930534557bb8978e32b6a6a0f",{"name":354,"options":355,"isRSC":118},"Diagonal",{"darkMode":41},{"large":357},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":359,"id":360,"component":361,"responsiveStyles":368},"TextImageBlockVertical","builder-7c3c1c2840424db2ad2ccbfaf382dd64",{"name":359,"tag":359,"options":362,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":365,"description":366,"animatedTitle":37,"image":367,"reverse":6,"descriptionPaddingHorizontal":118},1200,800,"\u003Ch2>Why stop at the inbox?\u003C/h2>","\u003Cp>Phishing attacks have evolved. 
Whether attackers lure users with QR codes, instant messages, or OAuth consent screens, the outcome is the same: it plays out in the browser. Push gives you real-time detection for in-browser threats, stopping phishing and consent-based attacks before they lead to compromise.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7fdcac241f0e4a049166d7076858adeb",{"large":369},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":371,"component":372,"responsiveStyles":380},"builder-41c978b3669749cf947e622b4e79e4d7",{"name":373,"options":374,"isRSC":118},"TextImageBlockHorizontal",{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":377,"description":378,"reverse":41,"image":379},600,100,"\u003Cp>Detect phishing at the edge\u003C/p>","\u003Cp>Push uses industry-first telemetry to detect phishing based on behavior, not static indicators. Autonomous agents analyze how phishing pages behave and how users interact with them, uncovering fake logins, credential theft, and phishing kits the moment they load in the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F9df3d180c97b4e61af142af2ccd68721",{"large":381},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},"DM Sans, sans-serif","20px","0px",{"@type":106,"@version":107,"id":386,"component":387,"responsiveStyles":393},"builder-d2a7bc941feb43cdb898bc116b203cf9",{"name":373,"options":388,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":390,"description":391,"reverse":6,"image":392},120,"\u003Ch2>Go beyond blocklists and IOCs\u003C/h2>","\u003Cp>Push goes beyond URLs and easy-to-change indicators. 
It reads the full phishing playbook, including script behavior, session hijacks, DOM changes, and user inputs, then connects the dots in real time. This gives your team a complete picture of how the phishing attempt worked, not just an alert.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fabfd58db169b433e96d3f1261797156e",{"large":394},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},"36px",{"@type":106,"@version":107,"layerName":373,"id":397,"component":398,"responsiveStyles":404},"builder-42c32198083f4880acb37c5cb76934da",{"name":373,"options":399,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":401,"description":402,"reverse":41,"image":403},140,"\u003Ch2>Enhance your phishing response\u003C/h2>","\u003Cp>When phishing enters your environment, speed matters. Push gives you instant access to the telemetry that counts like session data, user behavior, and page activity, so you can investigate fast, trigger in-browser prompts, or forward alerts to your SIEM or SOAR for response. 
All in real time, right from the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fbb195aec46904056b85e8688629e558e",{"large":405},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},"47px",{"@type":106,"@version":107,"id":408,"component":409,"responsiveStyles":411},"builder-9a95b9cbc4854421a92ef7b90f6c7adb",{"name":354,"options":410,"isRSC":118},{"darkMode":6},{"large":412},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":414,"component":415,"responsiveStyles":419},"builder-0afa17a9f25c4661a90f314d5578aa18",{"name":416,"tag":416,"options":417,"isRSC":118},"LatestResources",{"sectionHeading":37,"customClass":418},"bg-black",{"large":420},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":422,"@type":106,"tagName":131,"properties":423,"responsiveStyles":424},"builder-pixel-21yj6h3p4wh",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":425},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":427},{"path":37,"query":428},{},{},1776275046831,1745499158657,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fff60c30a8442489c8ed7e0af9599d14f","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"lastPreviewUrl":436,"winningTest":118,"breakpoints":437,"kind":438,"hasLinks":6,"originalContentId":439,"hasAutosaves":6},"https://pushsecurity.com/uc/zero-day-phishing-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&
builder.overrides.use-case-page=387451215c314dd5bd654668cdc1a197&builder.overrides.387451215c314dd5bd654668cdc1a197=387451215c314dd5bd654668cdc1a197&builder.overrides.use-case-page:/uc/zero-day-phishing-protection=387451215c314dd5bd654668cdc1a197&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},"page","2daa5670b8504fc7ba4700633e8bd921","atvz4dp24b7",{"createdDate":442,"id":443,"name":444,"modelId":261,"published":13,"stageModifiedSincePublish":6,"query":445,"data":448,"variations":552,"lastUpdated":553,"firstPublished":554,"testRatio":33,"screenshot":555,"createdBy":34,"lastUpdatedBy":433,"folders":556,"meta":557,"rev":440},1756833377777,"54f8256648f54d439303734b1e69221b","Browser extension security",[446],{"@type":264,"property":265,"operator":266,"value":447},"/uc/browser-extension-security",{"seoDescription":449,"jsCode":37,"fontAwesomeIcon":450,"tsCode":37,"title":444,"seoTitle":444,"customFonts":451,"inputs":456,"blocks":457,"url":447,"state":549},"Shine a light on risky browser extensions.","faPuzzlePiece",[452],{"kind":273,"family":272,"version":274,"files":453,"category":295,"lastModified":275,"subsets":454,"variants":455,"menu":296},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"100italic":288,"italic":289,"regular":290,"900italic":286,"800italic":285,"700italic":287,"200italic":291,"300italic":293,"500italic":292,"600italic":294},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],[],[458,544],{"@type":106,"@version":107,"tagName":323,"id":459,"meta":460,"children":461},"builder-71d0648c1d2f4ede8d0d0b5b28b7b94c",{"previousId":324},[462,478,485,492,501,511,521,531,538],{"@type":106,"@version":107,"id":463,"meta":464,"component":465,"responsiveStyles":476},"builder-ff325b4b8fad4edea53f38865947e854",{"previousId":328},{"name":327,"options":466,"isRSC":118},{"title":444,"description":467,"points":468,"video":475},"\u003Cp>Browser extensions introduce new code, new 
permissions, and new potential for risk. Many include AI features, and most go completely unnoticed. Push gives you full visibility into every extension used across your workforce, across major browsers, so you can uncover shadow IT, assess risky permissions, and block unsafe tools before they lead to compromise.\u003C/p>",[469,471,473],{"item":470},"Discover every browser extension in use",{"item":472},"Spot risky or unsanctioned behavior",{"item":474},"Make informed decisions on extension policy","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc538aad95d7f403aa3c3551af72f67c0?alt=media&token=1411fa6d-2eac-4e6c-94bf-ea117da12d67&apiKey=f3a1111ff5be48cdbb123cd9f5795a05",{"large":477},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":479,"meta":480,"component":481,"responsiveStyles":483},"builder-fb89d128c64e47cf9cbb11d90fc24523",{"previousId":344},{"name":346,"options":482,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":484},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":486,"meta":487,"component":488,"responsiveStyles":490},"builder-54388d35126c4d0096eeebaf8c4448cd",{"previousId":352},{"name":354,"options":489,"isRSC":118},{"darkMode":41},{"large":491},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":359,"id":493,"component":494,"responsiveStyles":499},"builder-3c8fa6785dd6466abf52a2470d66d85a",{"name":359,"tag":359,"options":495,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":496,"description":497,"image":498,"reverse":6},"\u003Ch2>Take control of browser extensions\u003C/h2>","\u003Cp>Attackers are increasingly using malicious browser extensions to gain access to data processed and stored in the browser. 
And the problem is, most security teams have no visibility into what extensions are being used. Push changes that. With browser-native telemetry, the Push extension continuously inventories browser extensions across your environment, flags the risky ones, and gives you intelligence to act.&nbsp;\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0a004f16a6874f4c8fdf14344acc9fec",{"large":500},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":502,"meta":503,"component":504,"responsiveStyles":509},"builder-93738f98109a4009affb349afd7bb182",{"previousId":371},{"name":373,"options":505,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":506,"description":507,"reverse":41,"image":508},"\u003Ch2>Discover every extension in use\u003C/h2>","\u003Cp>Push gives you structured, searchable data about every extension in your environment, so you’re not just seeing what’s there, but also understanding how it got there, what it can do, and who it affects. 
It’s the kind of granular insight that’s nearly impossible to get from traditional tools, and it lays the groundwork for better policy decisions and faster investigations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0e5727ca99474f14b1b7916bf6bbb782",{"large":510},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":512,"meta":513,"component":514,"responsiveStyles":519},"builder-83393acb12ee4fdd840839185b51edb4",{"previousId":386},{"name":373,"options":515,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":516,"description":517,"reverse":6,"image":518},"\u003Ch2>Spot risky or malicious extensions\u003C/h2>","\u003Cp>Push highlights extensions with dangerous permissions, broad access, or poor reputations. This includes AI extensions that request access far beyond what their stated purpose requires. You can quickly detect sideloaded, manually installed, or development-mode extensions that bypass normal controls. And because Push shows you who’s using them and where, you can respond precisely and effectively.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa104d58c8da34fbb8901f738fb21453b",{"large":520},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":522,"meta":523,"component":524,"responsiveStyles":529},"builder-da98e3de949646d89c53a0d1c2784664",{"previousId":397},{"name":373,"options":525,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":526,"description":527,"reverse":41,"image":528},"\u003Ch2>Accelerate security reviews\u003C/h2>","\u003Cp>Most teams have extension policies, they just don’t have the data to enforce them. 
Push reveals how each extension entered your environment, whether it was installed manually, sideloaded, or deployed in dev mode. You’ll see which users are running what, and where, so you can surface violations, investigate quickly, and respond with confidence.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F229f355be6f243b180f410d237a75bb3",{"large":530},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":532,"meta":533,"component":534,"responsiveStyles":536},"builder-1a689287d1a1418997d57db578a71105",{"previousId":408},{"name":354,"options":535,"isRSC":118},{"darkMode":6},{"large":537},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":539,"component":540,"responsiveStyles":542},"builder-feb4e75029f84c10b6498ef1f8f79128",{"name":416,"tag":416,"options":541,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":543},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":545,"@type":106,"tagName":131,"properties":546,"responsiveStyles":547},"builder-pixel-0edn39avfcei",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":548},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":550},{"path":37,"query":551},{},{},1776275365038,1757000441666,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8d496cf111644ee5afcc046b72d1ca5a",[],{"kind":438,"winningTest":118,"breakpoints":558,"lastPreviewUrl":559,"hasLinks":6,"originalContentId":259,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/browser-extension-security?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2Cc
reateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=54f8256648f54d439303734b1e69221b&builder.overrides.54f8256648f54d439303734b1e69221b=54f8256648f54d439303734b1e69221b&builder.overrides.use-case-page:/uc/browser-extension-security=54f8256648f54d439303734b1e69221b&builder.options.locale=Default",{"createdDate":561,"id":562,"name":563,"modelId":261,"published":13,"query":564,"data":567,"variations":670,"lastUpdated":671,"firstPublished":672,"testRatio":33,"screenshot":673,"createdBy":34,"lastUpdatedBy":674,"folders":675,"meta":676,"rev":440},1744923509705,"94bebb7bb99d48629ad157e80cf4d81d","Account takeover detection",[565],{"@type":264,"property":265,"operator":266,"value":566},"/uc/account-takeover-detection",{"title":563,"customFonts":568,"jsCode":37,"seoTitle":563,"seoDescription":573,"fontAwesomeIcon":574,"tsCode":37,"blocks":575,"url":566,"state":667},[569],{"kind":273,"category":295,"variants":570,"menu":296,"files":571,"family":272,"subsets":572,"version":274,"lastModified":275},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"300italic":293,"500italic":292,"800italic":285,"700italic":287,"italic":289,"900italic":286,"600italic":294,"200italic":291,"regular":290,"100italic":288},[298,299],"Stop ATO with stolen credential and compromised token 
detection.","faUserSecret",[576,662],{"@type":106,"@version":107,"tagName":323,"id":577,"meta":578,"children":579},"builder-e7913a774cae44c5a23d6081c5c30a52",{"previousId":324},[580,596,603,610,619,629,639,649,656],{"@type":106,"@version":107,"id":581,"meta":582,"component":583,"responsiveStyles":594},"builder-f1f1ab1601bc4c0f8c2a8aafd173675d",{"previousId":328},{"name":327,"options":584,"isRSC":118},{"title":563,"description":585,"points":586,"video":593},"\u003Cp>Attackers don’t need to phish; they just need a password that works. Push monitors for signs of credential-based attacks in real time, directly in the browser, catching account takeover attempts before the damage spreads. From ghost logins to credential stuffing, Push cuts off the paths attackers use to quietly slip in the back door.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[587,589,591],{"item":588},"Identify credential-based ATO as it unfolds",{"item":590},"Surface hijacked sessions and token misuse",{"item":592},"Strengthen authentication where your IdP 
can’t","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb4dd9db24bc9495b8a686b1b4d492016%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=b4dd9db24bc9495b8a686b1b4d492016&alt=media&optimized=true",{"large":595},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":597,"meta":598,"component":599,"responsiveStyles":601},"builder-0bc0d1c78ece4994993c3a6427a4d533",{"previousId":344},{"name":346,"options":600,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":602},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":604,"meta":605,"component":606,"responsiveStyles":608},"builder-e45de8f3768c4f16938dbf78e4e87524",{"previousId":352},{"name":354,"options":607,"isRSC":118},{"darkMode":41},{"large":609},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":611,"component":612,"responsiveStyles":617},"builder-c98e8bfd341146c1b67c02d5698ff093",{"name":359,"tag":359,"options":613,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":614,"description":615,"image":616,"reverse":6},"\u003Ch2>Assume less. See more.\u003C/h2>","\u003Cp>Most account takeovers don’t start with a breach, they start with a login. Whether it’s a reused password, a local account, or an outdated login flow, Push shows you how accounts are actually accessed day to day, not just how policies say they should be. 
That means no more blind spots around ghost logins, bypassed SSO, or stale access paths that quietly persist.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F18630ad2746d4eb7b7fcc0428b11a8f0",{"large":618},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":620,"meta":621,"component":622,"responsiveStyles":627},"builder-55c1fc38ddc04fd1a0d6a8e2fb819e00",{"previousId":371},{"name":373,"options":623,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":624,"description":625,"reverse":41,"image":626},"\u003Ch2>Catch stolen credential use in real time\u003C/h2>","\u003Cp>Push monitors login activity directly in the browser to detect signs of credential-based attacks like leaked password use or suspicious login flows. By analyzing attacker TTPs instead of relying on known indicators, Push spots credential stuffing and account takeover attempts the moment they begin, not after they’ve succeeded.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F52b0123cac2c4dfdb1dc0af6adf9d603",{"large":628},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":630,"meta":631,"component":632,"responsiveStyles":637},"builder-dfb31737b30948c6b95323655d571a50",{"previousId":386},{"name":373,"options":633,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":634,"description":635,"reverse":6,"image":636},"\u003Ch2>Detect session hijacks and stealth access\u003C/h2>","\u003Cp>Attackers don’t always need a login screen, they often sidestep it entirely using stolen session tokens. 
Push detects when valid sessions are reused in unexpected ways, identifying hijacked sessions and stealth access attempts that traditional tools miss. Because we monitor directly in the browser, you see what’s happening inside active sessions in real time.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F94a6859a99e04d309ffe5841f3dbdf5c",{"large":638},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":640,"meta":641,"component":642,"responsiveStyles":647},"builder-f7585b90eb974d03a7dc7eae5b58d227",{"previousId":397},{"name":373,"options":643,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":644,"description":645,"reverse":41,"image":646},"\u003Ch2>Harden accounts before they’re compromised\u003C/h2>","\u003Cp>Push goes beyond alerts. It identifies apps that still allow local logins, even when SSO is configured, so you can remove weak access paths. 
Push also flags users without MFA, reused work credentials, or weak passwords, and prompts users in-browser to fix risky behaviors before they’re exploited.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01c1b638f1b6497093a4f2b8ceddb5bb",{"large":648},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":650,"meta":651,"component":652,"responsiveStyles":654},"builder-ad81d1e3afec49a791214194eae09bdc",{"previousId":408},{"name":354,"options":653,"isRSC":118},{"darkMode":6},{"large":655},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":657,"component":658,"responsiveStyles":660},"builder-8dac1aa4b9d148628d92252bd8eff822",{"name":416,"tag":416,"options":659,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":661},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":663,"@type":106,"tagName":131,"properties":664,"responsiveStyles":665},"builder-pixel-s5u3wmvz7jq",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":666},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":668},{"path":37,"query":669},{},{},1770892814499,1745499162732,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F58b660fa94aa4b30b0faeb9b663ae41a","SfUPqW5tkibIPby49keNFMdHFTr1",[],{"lastPreviewUrl":677,"hasLinks":6,"originalContentId":259,"breakpoints":678,"winningTest":118,"kind":438,"hasAutosaves":41},"https://pushsecurity.com/uc/account-takeover-detection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepo
sitory%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.94bebb7bb99d48629ad157e80cf4d81d=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.use-case-page:/uc/account-takeover-detection=94bebb7bb99d48629ad157e80cf4d81d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":680,"id":681,"name":682,"modelId":261,"published":13,"query":683,"data":686,"variations":789,"lastUpdated":790,"firstPublished":791,"testRatio":33,"screenshot":792,"createdBy":34,"lastUpdatedBy":674,"folders":793,"meta":794,"rev":440},1745009370904,"23eb48fb56d3451cab77cb6ed140ee6d","Attack path hardening",[684],{"@type":264,"property":265,"operator":266,"value":685},"/uc/attack-path-hardening",{"tsCode":37,"seoDescription":687,"jsCode":37,"customFonts":688,"fontAwesomeIcon":693,"seoTitle":682,"title":682,"blocks":694,"url":685,"state":786},"Harden access paths with visibility, detection, and 
guardrails.",[689],{"kind":273,"files":690,"version":274,"lastModified":275,"subsets":691,"menu":296,"category":295,"variants":692,"family":272},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"regular":290,"italic":289,"800italic":285,"500italic":292,"600italic":294,"200italic":291,"900italic":286,"700italic":287,"100italic":288,"300italic":293},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"faRadar",[695,781],{"@type":106,"@version":107,"tagName":323,"id":696,"meta":697,"children":698},"builder-1d8553eddcaa44d7bba9e2f4ca13af2a",{"previousId":577},[699,715,722,729,738,748,758,768,775],{"@type":106,"@version":107,"id":700,"meta":701,"component":702,"responsiveStyles":713},"builder-84fe3d7c85a743cf8cef649aa974f1ef",{"previousId":581},{"name":327,"options":703,"isRSC":118},{"title":682,"description":704,"points":705,"video":712},"\u003Cp>Push continuously monitors your environment for exposed login paths, weak credentials, and missing protections like MFA. 
It detects the gaps attackers exploit and helps you close them before they’re used.\u003C/p>",[706,708,710],{"item":707},"Find weak spots like reused passwords, local logins, and missing MFA",{"item":709},"Monitor how users actually log in across apps, flows, and tools",{"item":711},"Enforce secure access with in-browser guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fdbdcf52892034f1bbddded77f753a343%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=dbdcf52892034f1bbddded77f753a343&alt=media&optimized=true",{"large":714},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":716,"meta":717,"component":718,"responsiveStyles":720},"builder-b3f66f5b08054cc78a06fecfc3ae2337",{"previousId":597},{"name":346,"options":719,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":721},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":723,"meta":724,"component":725,"responsiveStyles":727},"builder-4c73418b84be49ed85e6e13d2625c5a0",{"previousId":604},{"name":354,"options":726,"isRSC":118},{"darkMode":41},{"large":728},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":730,"component":731,"responsiveStyles":736},"builder-dec0246085e1485c803f7152b1922a81",{"name":359,"tag":359,"options":732,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":733,"description":734,"image":735,"reverse":6},"\u003Ch2>Find the gaps that lead to compromise\u003C/h2>","\u003Cp>Misconfigurations don’t show up in your config files, they show up in how users actually access apps. 
Push monitors real login behavior in the browser, surfacing risky patterns like local login access, duplicate accounts, or missing protections that leave doors wide open.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F309a59bba8d247a19476bb369397460e",{"large":737},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":739,"meta":740,"component":741,"responsiveStyles":746},"builder-ebf049a645604a249550996a88f8f3b6",{"previousId":620},{"name":373,"options":742,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":743,"description":744,"reverse":41,"image":745},"\u003Ch2>See real login behavior\u003C/h2>","\u003Cp>Push watches authentication flows as they happen, giving you a live view of how users log in, which methods they choose, and where protections like MFA are missing. Plus, uncover every app and account in use, even shadow IT you didn’t know existed, without relying on stale config files or IdP assumptions. \u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb51f6b0357cc451b87a7a5016d984e5e",{"large":747},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":749,"meta":750,"component":751,"responsiveStyles":756},"builder-431d175c59004669b0b2776b07d71737",{"previousId":630},{"name":373,"options":752,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":753,"description":754,"reverse":6,"image":755},"\u003Ch2>Find and fix posture drift\u003C/h2>","\u003Cp>Security posture isn’t static. Push continuously monitors for issues like missing MFA or legacy login methods. 
When something falls out of policy, you know immediately with custom notifications so you can act before it turns into risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F324e39127dfc41e592b1183dfb39892d",{"large":757},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":759,"meta":760,"component":761,"responsiveStyles":766},"builder-3dffdcbe0a484e2ca4c03f019b6d40ee",{"previousId":640},{"name":373,"options":762,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":763,"description":764,"reverse":41,"image":765},"\u003Ch2>Guide users with in-browser guardrails\u003C/h2>","\u003Cp>Push doesn’t just surface problems, it helps you fix them. When users sign in without MFA, reuse a password, or use insecure credentials, Push prompts them directly in the browser to secure their access. It’s faster, more effective, and actually gets 
results.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fee8b75d13e45488aba55434a8b49ebb0",{"large":767},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":769,"meta":770,"component":771,"responsiveStyles":773},"builder-976bc222cd7647ff905f1e01cfedc453",{"previousId":650},{"name":354,"options":772,"isRSC":118},{"darkMode":6},{"large":774},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":776,"component":777,"responsiveStyles":779},"builder-8c47ec2fd0f74382bb3e6c870555632c",{"name":416,"tag":416,"options":778,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":780},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":782,"@type":106,"tagName":131,"properties":783,"responsiveStyles":784},"builder-pixel-7akm7dayau8",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":785},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":787},{"path":37,"query":788},{},{},1770892844854,1745499166112,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6ca12bf728a045f1a31d40c0beb3bfe5",[],{"kind":438,"lastPreviewUrl":795,"breakpoints":796,"hasLinks":6,"originalContentId":562,"winningTest":118,"hasAutosaves":6},"https://pushsecurity.com/uc/attack-path-hardening?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&buil
der.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.23eb48fb56d3451cab77cb6ed140ee6d=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.use-case-page:/uc/attack-path-hardening=23eb48fb56d3451cab77cb6ed140ee6d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":798,"id":799,"name":800,"modelId":261,"published":13,"query":801,"data":804,"variations":909,"lastUpdated":910,"firstPublished":911,"testRatio":33,"screenshot":912,"createdBy":34,"lastUpdatedBy":674,"folders":913,"meta":914,"rev":440},1761675020232,"ea4f309d2ffe46c5aa97ebf0fda4e2e3","ClickFix Protection",[802],{"@type":264,"property":265,"operator":266,"value":803},"/uc/clickfix-protection",{"seoDescription":805,"fontAwesomeIcon":806,"customFonts":807,"seoTitle":812,"jsCode":37,"tsCode":37,"title":812,"blocks":813,"url":803,"state":906},"Block attacks that trick users into running malicious code.","faLaptopCode",[808],{"files":809,"subsets":810,"menu":296,"version":274,"kind":273,"family":272,"lastModified":275,"variants":811,"category":295},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"200italic":291,"800italic":285,"700italic":287,"600italic":294,"100italic":288,"italic":289,"regular":290,"300italic":293,"500italic":292,"900italic":286},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"ClickFix 
protection",[814,901],{"@type":106,"@version":107,"tagName":323,"id":815,"meta":816,"children":817},"builder-d7eefdde0f2a4b2b9de3dcb2978fd6cb",{"previousId":696},[818,834,841,848,858,868,878,888,895],{"@type":106,"@version":107,"id":819,"meta":820,"component":821,"responsiveStyles":832},"builder-56e2c54bcce040a4af8b92ae03706c12",{"previousId":700},{"name":327,"options":822,"isRSC":118},{"title":812,"description":823,"points":824,"image":831},"\u003Cp>ClickFix attacks are one of the fastest-growing threats, tricking users into copying malicious code from a webpage and running it locally. This technique bypasses traditional EDR, email gateways, and network filters, leading directly to ransomware and data theft. Push stops this attack at the source, in the browser, by detecting and blocking the malicious behavior before the user can ever paste the code.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[825,827,829],{"item":826},"Detect ClickFix, FileFix, and fake CAPTCHA in the browser",{"item":828},"Block malicious copy-and-paste actions before code is executed",{"item":830},"See full telemetry into which users were targeted and what they 
saw","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b74af62889847ebb3927364485b0546",{"large":833},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":835,"meta":836,"component":837,"responsiveStyles":839},"builder-05f9614d4e3e4dc88b3ee8658f54e10e",{"previousId":716},{"name":346,"options":838,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":840},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":842,"meta":843,"component":844,"responsiveStyles":846},"builder-c4fb5179366243c1b6c32d368675cf47",{"previousId":723},{"name":354,"options":845,"isRSC":118},{"darkMode":41},{"large":847},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":849,"meta":850,"component":851,"responsiveStyles":856},"builder-261af50705fd445d8cca4a6ba20d5391",{"previousId":730},{"name":359,"tag":359,"options":852,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":853,"description":854,"reverse":6,"image":855},"\u003Ch2>Stop ClickFix-style attacks before they become a breach\u003C/h2>","\u003Cp>Traditional security tools are blind to malicious copy and paste attacks because the attack exploits a gap between the browser and the endpoint. 
EDR only sees the payload after it runs, and network tools see only part of the picture.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F98b2f7e08dec4eafaf8e24937605b8cf",{"large":857},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":859,"meta":860,"component":861,"responsiveStyles":866},"builder-7d21b8aab8064c40b1e5dd23c4749309",{"previousId":739},{"name":373,"options":862,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":863,"description":864,"reverse":41,"image":865},"\u003Ch2>Discover lures at the source\u003C/h2>","\u003Cp>Push inspects page behavior to identify ClickFix attacks as they happen. By inspecting the page, its structure, and how the user interacts with it, Push can detect and block these in-browser threats in real time. This deep, TTP-based inspection spots the trap even on novel pages that are built to bypass traditional web filters and blocklists.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F665bf47e01544c75bf9ddafd3917927b",{"large":867},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":869,"meta":870,"component":871,"responsiveStyles":876},"builder-fb91943adf6149259ed9e1e6566c9afe",{"previousId":749},{"name":373,"options":872,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":873,"description":874,"reverse":6,"image":875},"\u003Ch2>Block the malicious action\u003C/h2>","\u003Cp>When Push detects a malicious script, it intercepts the user's action and blocks the code from being copied to the clipboard. The user is protected, the attack is stopped, and no malicious code ever reaches the endpoint. 
Unlike broad DLP tools, this action is surgical, targeting only malicious behavior without disrupting normal work.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F5ee68f81f1ac416685cbfe91298cf827",{"large":877},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":879,"meta":880,"component":881,"responsiveStyles":886},"builder-bfac95fada864e5a8259b955b5b5f98b",{"previousId":759},{"name":373,"options":882,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":883,"description":884,"reverse":41,"image":885},"\u003Ch2>Accelerate ClickFix investigations\u003C/h2>","\u003Cp>When an attack happens, knowing what the user saw or did is critical. Push provides rich browser session data for rapid investigation and containment. Security teams get detailed telemetry on which users were targeted, what lure they were served, and when the block occurred. 
This enables defenders to reconstruct what happened and respond quickly, even when other tools miss the activity entirely.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6cdf2a8aeddc4e9a9023cbf974e40239",{"large":887},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":889,"meta":890,"component":891,"responsiveStyles":893},"builder-136892e831684a6987f87d3be67c33d1",{"previousId":769},{"name":354,"options":892,"isRSC":118},{"darkMode":6},{"large":894},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":896,"component":897,"responsiveStyles":899},"builder-dec26b739f2f42beb5a73cfc6c675b60",{"name":416,"tag":416,"options":898,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":900},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":902,"@type":106,"tagName":131,"properties":903,"responsiveStyles":904},"builder-pixel-zzjpxxgrc2l",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":905},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":907},{"path":37,"query":908},{},{},1770892881888,1761847585203,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F375467b8bef34ed1a8a1cc5b8b67d75f",[],{"lastPreviewUrl":915,"originalContentId":681,"winningTest":118,"hasLinks":6,"kind":438,"breakpoints":916,"hasAutosaves":6},"https://pushsecurity.com/uc/clickfix-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.u
ser.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.ea4f309d2ffe46c5aa97ebf0fda4e2e3=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.use-case-page:/uc/clickfix-protection=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":918,"id":919,"name":920,"modelId":261,"published":13,"query":921,"data":924,"variations":1029,"lastUpdated":1030,"firstPublished":1031,"testRatio":33,"screenshot":1032,"createdBy":34,"lastUpdatedBy":674,"folders":1033,"meta":1034,"rev":440},1745009743870,"a9d5556e77f84a37b5bd52310a7110c1","Incident response",[922],{"@type":264,"property":265,"operator":266,"value":923},"/uc/incident-response",{"seoDescription":925,"customFonts":926,"title":920,"jsCode":37,"fontAwesomeIcon":931,"seoTitle":932,"tsCode":37,"blocks":933,"url":923,"state":1026},"Investigate and respond faster with unique browser telemetry.",[927],{"kind":273,"subsets":928,"menu":296,"variants":929,"category":295,"family":272,"version":274,"lastModified":275,"files":930},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"900italic":286,"600italic":294,"200italic":291,"300italic":293,"100italic":288,"700italic":287,"800italic":285,"regular":290,"italic":289,"500italic":292},"faSatelliteDish","Browser-based incident 
response",[934,1021],{"@type":106,"@version":107,"tagName":323,"id":935,"meta":936,"children":937},"builder-653c4aed737b4def88dc4cd2d695660a",{"previousId":696},[938,955,962,969,978,988,998,1008,1015],{"@type":106,"@version":107,"id":939,"meta":940,"component":941,"responsiveStyles":953},"builder-18190bd36518467d9154d27d7e945b9b",{"previousId":700},{"name":327,"options":942,"isRSC":118},{"title":943,"description":944,"points":945,"video":952},"Browser-based incident response","\u003Cp>Push gives you real-time visibility into what actually happened during a breach, right in the browser where the attack played out. From credential theft to session hijacking, Push captures high-fidelity telemetry so you can investigate quickly, contain confidently, and shut it down before it spreads.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[946,948,950],{"item":947},"Reconstruct what happened with real browser session context",{"item":949},"Investigate faster with real-world session context",{"item":951},"Trigger response actions automatically through your SIEM or 
SOAR","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fd00e39d3b6e346c296261d875cf55652%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=d00e39d3b6e346c296261d875cf55652&alt=media&optimized=true",{"large":954},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":956,"meta":957,"component":958,"responsiveStyles":960},"builder-8a0a8ea63f5d48dd8a6726f2d49cf0ca",{"previousId":716},{"name":346,"options":959,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":961},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":963,"meta":964,"component":965,"responsiveStyles":967},"builder-2df65c3f54334df2b26e7cb744886cdc",{"previousId":723},{"name":354,"options":966,"isRSC":118},{"darkMode":41},{"large":968},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":970,"component":971,"responsiveStyles":976},"builder-2c32c869efc2423ab69ef06b150e9f97",{"name":359,"tag":359,"options":972,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":973,"description":974,"image":975,"reverse":6},"\u003Ch2>See attacks unfold, not just their aftermath\u003C/h2>","\u003Cp>Attacks happen in the browser, not in logs. Push captures what traditional tools miss: what users clicked, what loaded, what was entered, and how attackers moved. 
That gives you real-world evidence, not just assumptions, when every second matters.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F36fc719bd1de4a38b916f4d25c81a26d",{"large":977},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":979,"meta":980,"component":981,"responsiveStyles":986},"builder-370e53c6016e432db01e9193a2ce90f6",{"previousId":739},{"name":373,"options":982,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":983,"description":984,"reverse":41,"image":985},"\u003Ch2>Investigate faster with high-fidelity data\u003C/h2>","\u003Cp>Reconstructing an incident shouldn’t feel like guesswork. Push records detailed telemetry from inside the browser: page loads, credential inputs, DOM changes, session activity, user behavior. It’s structured, exportable, and ready to plug into your investigation workflows, so you can move fast without digging through proxy logs or relying on user reports.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa6adda040e684e67a8d68a55c5ce5f6d",{"large":987},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":989,"meta":990,"component":991,"responsiveStyles":996},"builder-a7f3767a8d184bd08fb24520bf210e95",{"previousId":749},{"name":373,"options":992,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":993,"description":994,"reverse":6,"image":995},"\u003Ch2>Contain and respond in real time\u003C/h2>","\u003Cp>When something looks off, Push doesn’t just alert you, it gives you options. Guide users with in-browser prompts. Terminate sessions. Trigger SOAR workflows. Enrich SIEM alerts. 
Push gives you the context and control to stop spread before it starts.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb3dedeed5aba4847a2c2d22e10d0ec12",{"large":997},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":999,"meta":1000,"component":1001,"responsiveStyles":1006},"builder-b92036ee0ece4b32acdbdcc7c377366b",{"previousId":759},{"name":373,"options":1002,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1003,"description":1004,"reverse":41,"image":1005},"\u003Ch2>Prevent the next one\u003C/h2>","\u003Cp>Push helps you respond fast, but it also helps you fix what went wrong. It surfaces misconfigurations and risky behaviors that made the attack possible in the first place, then guides users in-browser to remediate. One tool. Full loop. No loose ends.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc1ecc2d5d3814b62b072fac01827ff96",{"large":1007},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1009,"meta":1010,"component":1011,"responsiveStyles":1013},"builder-5e8ae39655274de89da32ab573a2525a",{"previousId":769},{"name":354,"options":1012,"isRSC":118},{"darkMode":6},{"large":1014},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1016,"component":1017,"responsiveStyles":1019},"builder-dfd6850cfb4741d2b8a0c16c2780f00a",{"name":416,"tag":416,"options":1018,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1020},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1022,"@type":106,"tagName":131,"properties":1023,"responsiveStyles":1024},"builder-pixel-z197gdgcmu",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"lar
ge":1025},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1027},{"path":37,"query":1028},{},{},1770892908052,1745427419274,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb07017bfd318431690a5bb35bda35b99",[],{"kind":438,"breakpoints":1035,"originalContentId":681,"winningTest":118,"lastPreviewUrl":1036,"hasLinks":6,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/incident-response?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.a9d5556e77f84a37b5bd52310a7110c1=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.use-case-page:/uc/incident-response=a9d5556e77f84a37b5bd52310a7110c1&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"createdDate":1038,"id":1039,"name":1040,"modelId":261,"published":13,"query":1041,"data":1044,"variations":1149,"lastUpdated":1150,"firstPublished":1151,"testRatio":33,"screenshot":1152,"createdBy":34,"lastUpdatedBy":674,"folders":1153,"meta":1154,"rev":440},1746122471259,"5f118e24433d46ceb79f5099987156d7","Shadow SaaS",[1042],{"@type":264,"property":265,"operator":266,"value":1043},"/uc/shadow-saas",{"seoTitle":1045,"seoDescription":1046,"customFonts":1047,"fontAwesomeIcon":1052,"title":1053,"jsCode":37,"tsCode":37,"blocks":1054,"url":1043,"state":1146},"Find and secure shadow SaaS","See and 
control shadow SaaS in the browser.",[1048],{"kind":273,"variants":1049,"files":1050,"family":272,"version":274,"subsets":1051,"lastModified":275,"category":295,"menu":296},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"300italic":293,"500italic":292,"regular":290,"900italic":286,"italic":289,"100italic":288,"200italic":291,"600italic":294,"700italic":287,"800italic":285},[298,299],"faShieldCheck","Secure shadow SaaS",[1055,1141],{"@type":106,"@version":107,"tagName":323,"id":1056,"meta":1057,"children":1058},"builder-04da805c4cd34652a2db452fcda52e1d",{"previousId":935},[1059,1075,1082,1089,1098,1108,1118,1128,1135],{"@type":106,"@version":107,"id":1060,"meta":1061,"component":1062,"responsiveStyles":1073},"builder-830d414faeaf41439142f9157e8288c8",{"previousId":939},{"name":327,"options":1063,"isRSC":118},{"title":1045,"description":1064,"points":1065,"video":1072},"\u003Cp>SaaS sprawl is one of today’s fastest-growing security blind spots because most tools monitor around the edges. Push sees it at the source, in the browser, revealing every app users access, flagging risky tools, and helping you shut down exposure before it leads to a breach. No guesswork. No nasty surprises. 
Just real-time visibility and control.\u003C/p>",[1066,1068,1070],{"item":1067},"Discover every SaaS app users access, managed or not",{"item":1069},"Spot accounts with weak security postures like missing MFA, unmanaged access, and no SSO",{"item":1071},"Control usage with in-browser prompts, blocks, and security guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F3e4eece318d04d6586e691d59d0741cf%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=3e4eece318d04d6586e691d59d0741cf&alt=media&optimized=true",{"large":1074},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":1076,"meta":1077,"component":1078,"responsiveStyles":1080},"builder-cd7833f966cb4c7e8adf0d6c979414a6",{"previousId":956},{"name":346,"options":1079,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":1081},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":1083,"meta":1084,"component":1085,"responsiveStyles":1087},"builder-49d720b45430454e8b08c526f267c19f",{"previousId":963},{"name":354,"options":1086,"isRSC":118},{"darkMode":41},{"large":1088},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1090,"component":1091,"responsiveStyles":1096},"builder-3dde0bf6c8544e5e9ab41b18a9d68034",{"name":359,"tag":359,"options":1092,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":1093,"description":1094,"image":1095,"reverse":6},"\u003Ch2>Use your browser to curb Saas Sprawl\u003C/h2>","\u003Cp>Shadow SaaS isn’t hiding in your network, it’s in your browser. From AI tools to unsanctioned file-sharing sites, security risks live in the apps your users sign into every day. 
Push maps your organization's true SaaS footprint in real time, exposing apps and accounts with unmanaged access, poor authentication, or no security oversight.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb6811a214c7949b6bbe0b9a3bca62efd",{"large":1097},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1099,"meta":1100,"component":1101,"responsiveStyles":1106},"builder-e2420451ccdc4f088d0a4904cff45935",{"previousId":979},{"name":373,"options":1102,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":1103,"description":1104,"reverse":41,"image":1105},"\u003Ch2>Discover hidden SaaS usage\u003C/h2>","\u003Cp>Push captures live browser telemetry across every tab and session. Whether a user signs into a sanctioned app with a personal account or tries a new AI plugin, you’ll see it in real time, with no integrations or manual tagging.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe16e301f9af94665b95d98232a863d8a",{"large":1107},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":1109,"meta":1110,"component":1111,"responsiveStyles":1116},"builder-b36de7fce7994beea9e58d94662e7166",{"previousId":989},{"name":373,"options":1112,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":1113,"description":1114,"reverse":6,"image":1115},"\u003Ch2>Spot risky access and unsafe usage\u003C/h2>","\u003Cp>Discovery is just the beginning. Push flags apps with risky traits, no MFA, no SSO, known vulnerabilities, or broad access scopes. 
You’ll know which tools introduce real risk, and which users are exposed so you can act with precision.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6585f3c242da4d70ae3cb7d02f481bef",{"large":1117},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":1119,"meta":1120,"component":1121,"responsiveStyles":1126},"builder-dc366b5134684fe7a508edf8913103ea",{"previousId":999},{"name":373,"options":1122,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1123,"description":1124,"reverse":41,"image":1125},"\u003Ch2>Close gaps before they grow\u003C/h2>","\u003Cp>Push turns insight into action. When risky SaaS use is detected, guide users to enable MFA, block high-risk apps, or apply in-browser guardrails automatically. All without deploying new infrastructure or managing dozens of integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe6d60b6d91414819bc6258a318f00557",{"large":1127},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1129,"meta":1130,"component":1131,"responsiveStyles":1133},"builder-8708f6f0d8da4b3f9e17bf16cda70219",{"previousId":1009},{"name":354,"options":1132,"isRSC":118},{"darkMode":6},{"large":1134},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1136,"component":1137,"responsiveStyles":1139},"builder-8ff4b38d60534cf28cb523ab0f754875",{"name":416,"tag":416,"options":1138,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1140},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1142,"@type":106,"tagName":131,"properties":1143,"responsiveStyles":1144},"builder-pixel-d1ul2kmxbed",{"src":133,"aria-hidden":134,"alt":37,"role":135,"w
idth":124,"height":124},{"large":1145},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1147},{"path":37,"query":1148},{},{},1770892936802,1746714967208,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01bfb2304521412fbd2e1a1180904d40",[],{"originalContentId":919,"winningTest":118,"lastPreviewUrl":1155,"breakpoints":1156,"kind":438,"hasLinks":6,"hasAutosaves":6},"https://pushsecurity.com/uc/shadow-saas?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=5f118e24433d46ceb79f5099987156d7&builder.overrides.5f118e24433d46ceb79f5099987156d7=5f118e24433d46ceb79f5099987156d7&builder.overrides.use-case-page:/uc/shadow-saas=5f118e24433d46ceb79f5099987156d7&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":1158,"id":1159,"name":1160,"modelId":261,"published":13,"query":1161,"data":1164,"variations":1268,"lastUpdated":1269,"firstPublished":1270,"testRatio":33,"screenshot":1271,"createdBy":34,"lastUpdatedBy":674,"folders":1272,"meta":1273,"rev":440},1764707470172,"b62629ce2f3741158d961cd10fe74b31","Shadow AI",[1162],{"@type":264,"property":265,"operator":266,"value":1163},"/uc/shadow-ai",{"fontAwesomeIcon":1165,"seoTitle":1166,"jsCode":37,"customFonts":1167,"title":1172,"tsCode":37,"seoDescription":1173,"blocks":1174,"url":1163,"state":1265},"faBrainCircuit","Secure AI 
native and AI enhanced apps. ",[1168],{"variants":1169,"category":295,"files":1170,"subsets":1171,"family":272,"kind":273,"menu":296,"lastModified":275,"version":274},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"800italic":285,"regular":290,"700italic":287,"200italic":291,"italic":289,"500italic":292,"600italic":294,"300italic":293,"100italic":288,"900italic":286},[298,299],"Secure shadow AI","See and control shadow AI apps in the browser.",[1175,1260],{"@type":106,"@version":107,"tagName":323,"id":1176,"meta":1177,"children":1178},"builder-a6e5717a2c914d5695058e4ee201a05d",{"previousId":1056},[1179,1195,1202,1209,1219,1228,1237,1247,1254],{"@type":106,"@version":107,"id":1180,"meta":1181,"component":1182,"responsiveStyles":1193},"builder-3e0ed678683f4a0eb7aa00253cf263b2",{"previousId":1060},{"name":327,"options":1183,"isRSC":118},{"title":1172,"description":1184,"points":1185,"image":1192},"\u003Cp>Your employees are adopting AI faster than you can track it. From native features in corporate apps to unapproved shadow tools, it’s all happening in the browser. 
Push detects every AI interaction in real time, letting you categorize apps and enforce acceptable use policies in the browser.\u003C/p>",[1186,1188,1190],{"item":1187},"Map every AI tool used across your workforce",{"item":1189},"Review and classify apps by sensitivity, purpose, and policy status",{"item":1191},"Enforce AI usage rules directly in the browser","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F33cf153d920f4e389f3650253577cff7",{"large":1194},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":1196,"meta":1197,"component":1198,"responsiveStyles":1200},"builder-76968f8471d14893b8189d75b08fb426",{"previousId":1076},{"name":346,"options":1199,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":1201},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":1203,"meta":1204,"component":1205,"responsiveStyles":1207},"builder-b55b9d4bc5a649d8839ce7f6c2043d95",{"previousId":1083},{"name":354,"options":1206,"isRSC":118},{"darkMode":41},{"large":1208},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1210,"meta":1211,"component":1212,"responsiveStyles":1217},"builder-c3f38ef4d75d4989a29b5903175ed8a1",{"previousId":1090},{"name":359,"tag":359,"options":1213,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":1214,"description":1215,"image":1216,"reverse":6},"\u003Ch2>Use your browser to govern AI \u003C/h2>","\u003Cp>The AI footprint inside your company is bigger than you think. From text generators to meeting assistants and design copilots, employees test, adopt, and connect new tools constantly. 
Push shows you those tools and which users are accessing them, without relying on network scans or API integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F30b43bda6f1644c19478fb1efa20050c",{"large":1218},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1220,"meta":1221,"component":1222,"responsiveStyles":1226},"builder-90ee9cb9afc44e7f885523715bf51a53",{"previousId":1099},{"name":373,"options":1223,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":1224,"description":1225,"reverse":41,"image":1115},"\u003Ch2>Discover every AI tool users touch\u003C/h2>","\u003Cp>Push captures live telemetry from the browser, identifying every AI-native and AI-enhanced application users access. You’ll know which corporate identities are connected, how data flows, and what new AI apps appear across your environment. \u003C/p>",{"large":1227},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":1229,"meta":1230,"component":1231,"responsiveStyles":1235},"builder-9e44539fa53c4d8e87406036c921fc46",{"previousId":1109},{"name":373,"options":1232,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":1233,"description":1234,"reverse":6,"image":1125},"\u003Ch2>Classify and manage AI risk\u003C/h2>","\u003Cp>For apps you choose to allow, Push lets you apply custom in-browser banners. You can bulk-select categories of AI tools and require users to read and acknowledge your acceptable use policy before they proceed. 
This creates an auditable trail and moves policy from an easy to forget document to an active, in-workflow control.\u003C/p>",{"large":1236},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":1238,"meta":1239,"component":1240,"responsiveStyles":1245},"builder-44c1a891926f4bdeaaa37e90721fe6ac",{"previousId":1119},{"name":373,"options":1241,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1242,"description":1243,"reverse":41,"image":1244},"\u003Ch2>Enforce your AI policy in the browser\u003C/h2>","\u003Cp>When an AI tool is deemed non-compliant or too risky, Push blocks it at the source. The block happens directly in the browser, preventing the user from accessing the site or submitting data. This gives you an immediate, powerful lever to stop data exfiltration and enforce a hard line on unacceptable risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa359ac1805af4e15a8a7f84632b9bb55",{"large":1246},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1248,"meta":1249,"component":1250,"responsiveStyles":1252},"builder-dcc906f9cbe54dc68b3c672668e7a38f",{"previousId":1129},{"name":354,"options":1251,"isRSC":118},{"darkMode":6},{"large":1253},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1255,"component":1256,"responsiveStyles":1258},"builder-d2d64780c31b4349bc75805b23a07e38",{"name":416,"tag":416,"options":1257,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1259},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1261,"@type":106,"tagName":131,"properties":1262,"responsiveStyles":1263},"builder-pixel-wxx9tk70r9p",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124
},{"large":1264},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1266},{"path":37,"query":1267},{},{},1770892957225,1764950077593,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe558b8b069884037a8e6904f7ecc029c",[],{"winningTest":118,"breakpoints":1274,"originalContentId":1039,"kind":438,"lastPreviewUrl":1275,"hasLinks":6,"hasAutosaves":41},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/shadow-ai?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=b62629ce2f3741158d961cd10fe74b31&builder.overrides.b62629ce2f3741158d961cd10fe74b31=b62629ce2f3741158d961cd10fe74b31&builder.overrides.use-case-page:/uc/shadow-ai=b62629ce2f3741158d961cd10fe74b31&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"_path":1277,"_dir":1278,"_draft":6,"_partial":6,"_locale":37,"sys":1279,"ogImage":118,"summary":1282,"title":1304,"subtitle":118,"metaTitle":1305,"synopsis":1306,"hashTags":118,"publishedDate":1307,"slug":1308,"tagsCollection":1309,"relatedBlogPostsCollection":1319,"authorsCollection":3302,"content":3306,"_id":4708,"_type":4709,"_source":4710,"_file":4711,"_stem":4712,"_extension":4709},"/blog/a-new-class-of-phishing-verification-phishing-and-cross-idp-impersonation","blog",{"id":1280,"publishedAt":1281},"6aIClLltBiYMQYgKtQcKqz","2024-11-26T09:10:03.805Z",{"json":1283},{"data":1284,"content":1285,"nodeTyp
e":1303},{},[1286],{"data":1287,"content":1288,"nodeType":1302},{},[1289,1294,1298],{"data":1290,"marks":1291,"value":1292,"nodeType":1293},{},[],"P","text",{"data":1295,"marks":1296,"value":1297,"nodeType":1293},{},[],"hishing for email verification can be combined with cross-IdP impersonation to gain direct access to downstream SaaS. ",{"data":1299,"marks":1300,"value":1301,"nodeType":1293},{},[],"This means that accounts normally protected by strong SSO mechanisms using phishing-resistant MFA factors like passkeys or Okta FastPass can be directly compromised through phishing a single OTP.","paragraph","document","A new class of phishing: Verification phishing and cross-IdP impersonation","Combining Verification Phishing and Cross-IdP Impersonation","How phishing for email verification can be combined with cross-IdP impersonation to gain direct access to downstream SaaS and bypass hardened IdP accounts.\n","2024-11-23T00:00:00.000Z","a-new-class-of-phishing-verification-phishing-and-cross-idp-impersonation",{"items":1310},[1311,1315],{"sys":1312,"name":1314},{"id":1313},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"sys":1316,"name":1318},{"id":1317},"4ksQNCFeBf8H4QIORqpRLw","Detection & 
response",{"items":1320},[1321,2256,2963],{"__typename":1322,"sys":1323,"content":1325,"title":2238,"synopsis":2239,"hashTags":118,"publishedDate":2240,"slug":2241,"tagsCollection":2242,"authorsCollection":2248},"BlogPosts",{"id":1324},"2PpB1KSjZkmpzYDhDLRBYx",{"json":1326},{"nodeType":1303,"data":1327,"content":1328},{},[1329,1336,1343,1377,1384,1388,1396,1406,1426,1433,1440,1449,1456,1463,1488,1495,1502,1543,1550,1553,1560,1598,1604,1611,1618,1621,1629,1636,1669,1675,1682,1685,1693,1713,1720,1727,1747,1750,1758,1778,1785,1801,1817,1820,1828,1848,1855,1862,1955,1962,1968,1975,1982,2015,2022,2025,2033,2040,2047,2080,2087,2094,2097,2105,2125,2132,2139,2182,2188,2195,2214,2220,2226,2232],{"nodeType":1302,"data":1330,"content":1331},{},[1332],{"nodeType":1293,"value":1333,"marks":1334,"data":1335},"Two stories have hit the headlines in recent months involving attackers and researchers, demonstrating ways of taking over a SaaS account by accessing it using an SSO login from an IdP that you’ve never used before.",[],{},{"nodeType":1302,"data":1337,"content":1338},{},[1339],{"nodeType":1293,"value":1340,"marks":1341,"data":1342},"Yes, you read that right. An attacker created an IdP account on an IdP that you don’t use. And because the account matched your actual company domain, they used it to log into your actual downstream accounts on the apps that you use. ",[],{},{"nodeType":1302,"data":1344,"content":1345},{},[1346,1350,1359,1363,1373],{"nodeType":1293,"value":1347,"marks":1348,"data":1349},"We're calling this technique ",[],{},{"nodeType":1351,"data":1352,"content":1354},"hyperlink",{"uri":1353},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/cross-idp_impersonation/description.md",[1355],{"nodeType":1293,"value":1356,"marks":1357,"data":1358},"cross-IdP impersonation",[],{},{"nodeType":1293,"value":1360,"marks":1361,"data":1362},". 
If you’re familiar with our other research, this is basically ",[],{},{"nodeType":1351,"data":1364,"content":1366},{"uri":1365},"https://pushsecurity.com/blog/ghost-logins-when-forgotten-identities-come-back-to-haunt-you/",[1367],{"nodeType":1293,"value":1368,"marks":1369,"data":1372},"ghost logins",[1370],{"type":1371},"underline",{},{"nodeType":1293,"value":1374,"marks":1375,"data":1376}," on steroids — you’re effectively making your own! ",[],{},{"nodeType":1302,"data":1378,"content":1379},{},[1380],{"nodeType":1293,"value":1381,"marks":1382,"data":1383},"Let’s take a look at some examples.",[],{},{"nodeType":1385,"data":1386,"content":1387},"hr",{},[],{"nodeType":1389,"data":1390,"content":1391},"heading-1",{},[1392],{"nodeType":1293,"value":1393,"marks":1394,"data":1395},"Cross-IdP impersonation in the wild",[],{},{"nodeType":1397,"data":1398,"content":1399},"heading-2",{},[1400],{"nodeType":1293,"value":1401,"marks":1402,"data":1405},"Spoofing Zendesk support emails and infiltrating connected apps (via Apple SSO)",[1403],{"type":1404},"bold",{},{"nodeType":1302,"data":1407,"content":1408},{},[1409,1413,1422],{"nodeType":1293,"value":1410,"marks":1411,"data":1412},"A 15-year-old researcher was able to ",[],{},{"nodeType":1351,"data":1414,"content":1416},{"uri":1415},"https://gist.github.com/hackermondev/68ec8ed145fcee49d2f5e2b9d2cf2e52",[1417],{"nodeType":1293,"value":1418,"marks":1419,"data":1421},"access Zendesk support ticket history via spoofing a company’s support email, and later use it to access connected apps",[1420],{"type":1371},{},{"nodeType":1293,"value":1423,"marks":1424,"data":1425}," (Slack, in this case) via SSO, successfully targeting hundreds of companies.  ",[],{},{"nodeType":1302,"data":1427,"content":1428},{},[1429],{"nodeType":1293,"value":1430,"marks":1431,"data":1432},"The attack is based around the fact that Zendesk support tickets are easy to enumerate. 
The typical method of setting up Zendesk is to have your existing support email address (e.g. support@company.com) forward emails to Zendesk. ",[],{},{"nodeType":1302,"data":1434,"content":1435},{},[1436],{"nodeType":1293,"value":1437,"marks":1438,"data":1439},"The researcher was able to abuse this feature to create an account for an existing company domain on an IdP not currently being used by the company, and then use that account to authenticate to a third-party app used by the company. ",[],{},{"nodeType":1441,"data":1442,"content":1448},"embedded-entry-block",{"target":1443},{"sys":1444},{"id":1445,"type":1446,"linkType":1447},"3A6fHQ0XB2qAjQdJGvAb9N","Link","Entry",[],{"nodeType":1302,"data":1450,"content":1451},{},[1452],{"nodeType":1293,"value":1453,"marks":1454,"data":1455},"The researcher found that, although Zendesk had started blocking emails from ‘noreply@’ addresses (probably to prevent this kind of attack), Apple sent its verification emails from an ‘appleid@’ address, making the attack possible when using Apple IdP.",[],{},{"nodeType":1302,"data":1457,"content":1458},{},[1459],{"nodeType":1293,"value":1460,"marks":1461,"data":1462},"There’s a couple of things to note here:",[],{},{"nodeType":1464,"data":1465,"content":1466},"unordered-list",{},[1467,1478],{"nodeType":1468,"data":1469,"content":1470},"list-item",{},[1471],{"nodeType":1302,"data":1472,"content":1473},{},[1474],{"nodeType":1293,"value":1475,"marks":1476,"data":1477},"Apple could be swapped out for any IdP that doesn’t send verification emails from a ‘noreply@’ address.",[],{},{"nodeType":1468,"data":1479,"content":1480},{},[1481],{"nodeType":1302,"data":1482,"content":1483},{},[1484],{"nodeType":1293,"value":1485,"marks":1486,"data":1487},"Slack could be swapped out for just about any downstream SaaS app. 
",[],{},{"nodeType":1302,"data":1489,"content":1490},{},[1491],{"nodeType":1293,"value":1492,"marks":1493,"data":1494},"Taking a step back — what if an attacker had discovered this exploit? The researcher states that, after Zendesk refused to acknowledge the issue through its bug bounty program operated by HackerOne, he individually contacted ‘hundreds’ of affected organizations. ",[],{},{"nodeType":1302,"data":1496,"content":1497},{},[1498],{"nodeType":1293,"value":1499,"marks":1500,"data":1501},"So that’s hundreds of vulnerable organizations, and potentially tens to hundreds of business apps per victim organization that could be accessed via Apple SSO. Any app that allows ‘sign in with Apple’ could be targeted where:",[],{},{"nodeType":1464,"data":1503,"content":1504},{},[1505,1524],{"nodeType":1468,"data":1506,"content":1507},{},[1508],{"nodeType":1302,"data":1509,"content":1510},{},[1511,1515,1520],{"nodeType":1293,"value":1512,"marks":1513,"data":1514},"An app with an ",[],{},{"nodeType":1293,"value":1516,"marks":1517,"data":1519},"existing",[1518],{"type":1371},{},{"nodeType":1293,"value":1521,"marks":1522,"data":1523}," account belonging to the specific email & domain combination could be taken over.",[],{},{"nodeType":1468,"data":1525,"content":1526},{},[1527],{"nodeType":1302,"data":1528,"content":1529},{},[1530,1534,1539],{"nodeType":1293,"value":1531,"marks":1532,"data":1533},"A ",[],{},{"nodeType":1293,"value":1535,"marks":1536,"data":1538},"new",[1537],{"type":1371},{},{"nodeType":1293,"value":1540,"marks":1541,"data":1542}," account could also be created on apps allowing anyone with a company email to join the company tenant. 
",[],{},{"nodeType":1302,"data":1544,"content":1545},{},[1546],{"nodeType":1293,"value":1547,"marks":1548,"data":1549},"It’s unclear whether Zendesk will have implemented a global fix for the issue either, as the vulnerability stems from a configuration option that could be remediated by disabling email collaboration, but is on by default. ",[],{},{"nodeType":1385,"data":1551,"content":1552},{},[],{"nodeType":1397,"data":1554,"content":1555},{},[1556],{"nodeType":1293,"value":1557,"marks":1558,"data":1559},"Google domain verification bug similarities",[],{},{"nodeType":1302,"data":1561,"content":1562},{},[1563,1567,1576,1580,1585,1589,1594],{"nodeType":1293,"value":1564,"marks":1565,"data":1566},"The Zendesk attack shares some similarities with ",[],{},{"nodeType":1351,"data":1568,"content":1570},{"uri":1569},"https://krebsonsecurity.com/2024/07/crooks-bypassed-googles-email-verification-to-create-workspace-accounts-access-3rd-party-services/",[1571],{"nodeType":1293,"value":1572,"marks":1573,"data":1575},"a recent (now resolved) Google email verification vulnerability",[1574],{"type":1371},{},{"nodeType":1293,"value":1577,"marks":1578,"data":1579}," which allowed a newly created Google account/domain to be used to authenticate to downstream apps via SSO — ",[],{},{"nodeType":1293,"value":1581,"marks":1582,"data":1584},"this time",[1583],{"type":1404},{},{"nodeType":1293,"value":1586,"marks":1587,"data":1588}," ",[],{},{"nodeType":1293,"value":1590,"marks":1591,"data":1593},"without verifying ownership of the domain",[1592],{"type":1404},{},{"nodeType":1293,"value":1595,"marks":1596,"data":1597},". 
",[],{},{"nodeType":1441,"data":1599,"content":1603},{"target":1600},{"sys":1601},{"id":1602,"type":1446,"linkType":1447},"6EeN0uKbhz9daUOo4E6wzR",[],{"nodeType":1302,"data":1605,"content":1606},{},[1607],{"nodeType":1293,"value":1608,"marks":1609,"data":1610},"Whereas the Zendesk attack took advantage of Apple email configs, this attack was much more direct in that Google enabled SSO to downstream apps prior to domain verification. ",[],{},{"nodeType":1302,"data":1612,"content":1613},{},[1614],{"nodeType":1293,"value":1615,"marks":1616,"data":1617},"The Google attack is definitely a bug rather than abusing a feature, and has since been patched. But, we’re starting to see a concerning pattern emerge. ",[],{},{"nodeType":1385,"data":1619,"content":1620},{},[],{"nodeType":1389,"data":1622,"content":1623},{},[1624],{"nodeType":1293,"value":1625,"marks":1626,"data":1628},"How big of a problem is this?",[1627],{"type":1404},{},{"nodeType":1302,"data":1630,"content":1631},{},[1632],{"nodeType":1293,"value":1633,"marks":1634,"data":1635},"First, let’s recap the general attack path:",[],{},{"nodeType":1464,"data":1637,"content":1638},{},[1639,1649,1659],{"nodeType":1468,"data":1640,"content":1641},{},[1642],{"nodeType":1302,"data":1643,"content":1644},{},[1645],{"nodeType":1293,"value":1646,"marks":1647,"data":1648},"The attacker signs up for an account on an app that functions as an IdP, linking it to the victim’s existing company email address via the ‘use existing email’ option.",[],{},{"nodeType":1468,"data":1650,"content":1651},{},[1652],{"nodeType":1302,"data":1653,"content":1654},{},[1655],{"nodeType":1293,"value":1656,"marks":1657,"data":1658},"The attacker either bypasses domain verification or verifies the domain via email (typically by clicking a link or entering a one-time password) either through an attack like the ones above, or by social engineering the victim 
user.",[],{},{"nodeType":1468,"data":1660,"content":1661},{},[1662],{"nodeType":1302,"data":1663,"content":1664},{},[1665],{"nodeType":1293,"value":1666,"marks":1667,"data":1668},"The attacker logs into an account on a downstream app using the ‘sign in with …’ SSO login option. ",[],{},{"nodeType":1441,"data":1670,"content":1674},{"target":1671},{"sys":1672},{"id":1673,"type":1446,"linkType":1447},"5lz0Nqq3j3Q1XasHYszRXy",[],{"nodeType":1302,"data":1676,"content":1677},{},[1678],{"nodeType":1293,"value":1679,"marks":1680,"data":1681},"Let’s look more closely at why this is a cause for concern.",[],{},{"nodeType":1385,"data":1683,"content":1684},{},[],{"nodeType":1397,"data":1686,"content":1687},{},[1688],{"nodeType":1293,"value":1689,"marks":1690,"data":1692},"It gets around your most hardened IdP accounts",[1691],{"type":1404},{},{"nodeType":1302,"data":1694,"content":1695},{},[1696,1700,1709],{"nodeType":1293,"value":1697,"marks":1698,"data":1699},"The notion of IdP impersonation isn’t necessarily new. Take for example ",[],{},{"nodeType":1351,"data":1701,"content":1703},{"uri":1702},"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",[1704],{"nodeType":1293,"value":1705,"marks":1706,"data":1708},"cross-tenant impersonation",[1707],{"type":1371},{},{"nodeType":1293,"value":1710,"marks":1711,"data":1712},", which focuses on mapping an attacker-controlled Okta tenant to a compromised Okta tenant to give full access to connected user accounts and enable unrestricted lateral movement.",[],{},{"nodeType":1302,"data":1714,"content":1715},{},[1716],{"nodeType":1293,"value":1717,"marks":1718,"data":1719},"Cross-IdP impersonation, however, doesn’t require that you’ve already compromised an IdP admin account. You pick a user account (or multiple) that you want to take over, you enroll them with a new IdP matching the tenant and address structure, and then authenticate to whichever apps you’re interested in taking over. 
",[],{},{"nodeType":1302,"data":1721,"content":1722},{},[1723],{"nodeType":1293,"value":1724,"marks":1725,"data":1726},"So, compromising your target’s main IdP isn’t necessary when the data and functionality that you’re most interested in lives in downstream apps. This means that even if your primary IdP is super locked down with phishing-resistant authentication (e.g. passkeys) this technique enables attackers to get around it. ",[],{},{"nodeType":1302,"data":1728,"content":1729},{},[1730,1734,1743],{"nodeType":1293,"value":1731,"marks":1732,"data":1733},"And a smart attacker who does their OSINT will identify potential app admins whose accounts to mirror, eliminating any noise that would be generated by privilege escalation & lateral movement attempts such as ",[],{},{"nodeType":1351,"data":1735,"content":1737},{"uri":1736},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/in-app_phishing/description.md",[1738],{"nodeType":1293,"value":1739,"marks":1740,"data":1742},"in-app phishing.",[1741],{"type":1371},{},{"nodeType":1293,"value":1744,"marks":1745,"data":1746}," ",[],{},{"nodeType":1385,"data":1748,"content":1749},{},[],{"nodeType":1397,"data":1751,"content":1752},{},[1753],{"nodeType":1293,"value":1754,"marks":1755,"data":1757},"App-based prevention measures are inconsistent",[1756],{"type":1404},{},{"nodeType":1302,"data":1759,"content":1760},{},[1761,1765,1774],{"nodeType":1293,"value":1762,"marks":1763,"data":1764},"It’s worth noting that this attack doesn’t work the same on all apps. 
At the point of using a new login method to access an app, ",[],{},{"nodeType":1351,"data":1766,"content":1768},{"uri":1767},"https://auth0.com/docs/manage-users/user-accounts/user-account-linking",[1769],{"nodeType":1293,"value":1770,"marks":1771,"data":1773},"it is considered best practice to require re-verification",[1772],{"type":1371},{},{"nodeType":1293,"value":1775,"marks":1776,"data":1777}," — for example by logging in with the original login method, or approving the request via an email code or link. ",[],{},{"nodeType":1302,"data":1779,"content":1780},{},[1781],{"nodeType":1293,"value":1782,"marks":1783,"data":1784},"Requiring re-authentication with the original login method is probably game over for the attacker, but if the attacker has already found a way of verifying a new IdP via email, the latter option is probably less of an obstacle. ",[],{},{"nodeType":1302,"data":1786,"content":1787},{},[1788,1792,1797],{"nodeType":1293,"value":1789,"marks":1790,"data":1791},"But not all apps follow these best practices around adding new login methods. 
We tested a range of the most popular apps that our customers use by creating an account, adding a password and an SSO method, and subsequently adding another SSO method using a different IdP, and ",[],{},{"nodeType":1293,"value":1793,"marks":1794,"data":1796},"found that 60% (3 in 5) of the apps we tested do not require re-verification by default",[1795],{"type":1404},{},{"nodeType":1293,"value":1798,"marks":1799,"data":1800}," when adding a new SSO login method.",[],{},{"nodeType":1802,"data":1803,"content":1804},"blockquote",{},[1805],{"nodeType":1302,"data":1806,"content":1807},{},[1808,1813],{"nodeType":1293,"value":1809,"marks":1810,"data":1812},"60% (3 in 5) of the apps we tested do not require re-verification by default",[1811],{"type":1404},{},{"nodeType":1293,"value":1814,"marks":1815,"data":1816}," when adding a new SSO login method",[],{},{"nodeType":1385,"data":1818,"content":1819},{},[],{"nodeType":1397,"data":1821,"content":1822},{},[1823],{"nodeType":1293,"value":1824,"marks":1825,"data":1827},"There are more IdPs than you realize",[1826],{"type":1404},{},{"nodeType":1302,"data":1829,"content":1830},{},[1831,1835,1844],{"nodeType":1293,"value":1832,"marks":1833,"data":1834},"IdP accounts have always been a valuable target. Earlier this year we saw ",[],{},{"nodeType":1351,"data":1836,"content":1838},{"uri":1837},"https://www.bleepingcomputer.com/news/security/okta-warns-of-unprecedented-credential-stuffing-attacks-on-customers/",[1839],{"nodeType":1293,"value":1840,"marks":1841,"data":1843},"a dramatic spike in the attacks on Okta accounts",[1842],{"type":1371},{},{"nodeType":1293,"value":1845,"marks":1846,"data":1847},", for example. But these accounts are often well protected with strong credentials (or passkeys) and MFA. 
",[],{},{"nodeType":1302,"data":1849,"content":1850},{},[1851],{"nodeType":1293,"value":1852,"marks":1853,"data":1854},"In contrast, cross-IdP impersonation gives attackers a way of getting the benefit of an IdP compromise without needing to take over a locked down IdP account. ",[],{},{"nodeType":1302,"data":1856,"content":1857},{},[1858],{"nodeType":1293,"value":1859,"marks":1860,"data":1861},"Apps accept a wide variety of SSO login options. An app might support any combination of, for example:",[],{},{"nodeType":1464,"data":1863,"content":1864},{},[1865,1875,1885,1895,1905,1915,1925,1935,1945],{"nodeType":1468,"data":1866,"content":1867},{},[1868],{"nodeType":1302,"data":1869,"content":1870},{},[1871],{"nodeType":1293,"value":1872,"marks":1873,"data":1874},"Log in with Google",[],{},{"nodeType":1468,"data":1876,"content":1877},{},[1878],{"nodeType":1302,"data":1879,"content":1880},{},[1881],{"nodeType":1293,"value":1882,"marks":1883,"data":1884},"Log in with Facebook",[],{},{"nodeType":1468,"data":1886,"content":1887},{},[1888],{"nodeType":1302,"data":1889,"content":1890},{},[1891],{"nodeType":1293,"value":1892,"marks":1893,"data":1894},"Log in with Apple",[],{},{"nodeType":1468,"data":1896,"content":1897},{},[1898],{"nodeType":1302,"data":1899,"content":1900},{},[1901],{"nodeType":1293,"value":1902,"marks":1903,"data":1904},"Log in with X",[],{},{"nodeType":1468,"data":1906,"content":1907},{},[1908],{"nodeType":1302,"data":1909,"content":1910},{},[1911],{"nodeType":1293,"value":1912,"marks":1913,"data":1914},"Log in with Microsoft",[],{},{"nodeType":1468,"data":1916,"content":1917},{},[1918],{"nodeType":1302,"data":1919,"content":1920},{},[1921],{"nodeType":1293,"value":1922,"marks":1923,"data":1924},"Log in with GitHub",[],{},{"nodeType":1468,"data":1926,"content":1927},{},[1928],{"nodeType":1302,"data":1929,"content":1930},{},[1931],{"nodeType":1293,"value":1932,"marks":1933,"data":1934},"Log in with Okta 
",[],{},{"nodeType":1468,"data":1936,"content":1937},{},[1938],{"nodeType":1302,"data":1939,"content":1940},{},[1941],{"nodeType":1293,"value":1942,"marks":1943,"data":1944},"Log in with SAML",[],{},{"nodeType":1468,"data":1946,"content":1947},{},[1948],{"nodeType":1302,"data":1949,"content":1950},{},[1951],{"nodeType":1293,"value":1952,"marks":1953,"data":1954},"Log in with SSO",[],{},{"nodeType":1302,"data":1956,"content":1957},{},[1958],{"nodeType":1293,"value":1959,"marks":1960,"data":1961},"And there are many, many IdPs — probably more than you realize — all of which could potentially be hijacked by an attacker to impersonate your organization.  ",[],{},{"nodeType":1441,"data":1963,"content":1967},{"target":1964},{"sys":1965},{"id":1966,"type":1446,"linkType":1447},"3EOOr4dVQoiPjl2ucUs1mA",[],{"nodeType":1302,"data":1969,"content":1970},{},[1971],{"nodeType":1293,"value":1972,"marks":1973,"data":1974},"But it’s not just about attackers creating new IdP accounts: What other IdPs might your users have inadvertently created? 
And are these accounts as securely configured as your primary company IdP (most commonly Okta, Microsoft Entra, or Google Workspace)?",[],{},{"nodeType":1302,"data":1976,"content":1977},{},[1978],{"nodeType":1293,"value":1979,"marks":1980,"data":1981},"In fact, there are a few different scenarios to be aware of here:",[],{},{"nodeType":1464,"data":1983,"content":1984},{},[1985,1995,2005],{"nodeType":1468,"data":1986,"content":1987},{},[1988],{"nodeType":1302,"data":1989,"content":1990},{},[1991],{"nodeType":1293,"value":1992,"marks":1993,"data":1994},"An attacker creates a new account on a previously unused IdP mapping to your company domain and email, and exploits a flaw to bypass domain verification.",[],{},{"nodeType":1468,"data":1996,"content":1997},{},[1998],{"nodeType":1302,"data":1999,"content":2000},{},[2001],{"nodeType":1293,"value":2002,"marks":2003,"data":2004},"An attacker creates a new account on a previously unused IdP mapping to your company domain and email, and social engineers the target user to convince them to complete the domain verification request. ",[],{},{"nodeType":1468,"data":2006,"content":2007},{},[2008],{"nodeType":1302,"data":2009,"content":2010},{},[2011],{"nodeType":1293,"value":2012,"marks":2013,"data":2014},"A legitimate user signs up for an account that functions as an IdP with their company email, using a weak password and no MFA. This account is later compromised by an attacker. ",[],{},{"nodeType":1302,"data":2016,"content":2017},{},[2018],{"nodeType":1293,"value":2019,"marks":2020,"data":2021},"In all of these cases, an attacker would be able to authenticate to downstream apps and take over user accounts. 
",[],{},{"nodeType":1385,"data":2023,"content":2024},{},[],{"nodeType":1397,"data":2026,"content":2027},{},[2028],{"nodeType":1293,"value":2029,"marks":2030,"data":2032},"We’re only scratching the surface of what’s possible",[2031],{"type":1404},{},{"nodeType":1302,"data":2034,"content":2035},{},[2036],{"nodeType":1293,"value":2037,"marks":2038,"data":2039},"The Zendesk attack demonstrates a creative way of abusing an app’s functionality, combined with the way in which the Apple IdP is configured. ",[],{},{"nodeType":1302,"data":2041,"content":2042},{},[2043],{"nodeType":1293,"value":2044,"marks":2045,"data":2046},"It would be naive to suggest that similar issues don’t exist for other IdPs. Or that apps other than Zendesk don’t have features that can be exploited.",[],{},{"nodeType":1302,"data":2048,"content":2049},{},[2050,2054,2063,2067,2076],{"nodeType":1293,"value":2051,"marks":2052,"data":2053},"For example, we’ve previously documented ",[],{},{"nodeType":1351,"data":2055,"content":2057},{"uri":2056},"https://pushsecurity.com/blog/nearly-invisible-attack-chain/#id-an-example-attack-zapier",[2058],{"nodeType":1293,"value":2059,"marks":2060,"data":2062},"using Zapier to create malicious automated workflows",[2061],{"type":1371},{},{"nodeType":1293,"value":2064,"marks":2065,"data":2066}," to compromise integrated apps, or ",[],{},{"nodeType":1351,"data":2068,"content":2070},{"uri":2069},"https://pushsecurity.com/blog/oktajacking/",[2071],{"nodeType":1293,"value":2072,"marks":2073,"data":2075},"changing the SAML configuration of an app",[2074],{"type":1371},{},{"nodeType":1293,"value":2077,"marks":2078,"data":2079}," to direct logins to a malicious Okta tenant. ",[],{},{"nodeType":1302,"data":2081,"content":2082},{},[2083],{"nodeType":1293,"value":2084,"marks":2085,"data":2086},"Until now, there hasn’t been much research in this space. 
It’s not surprising when we consider that this kind of bug bounty isn’t paying out, and I know of only a handful of forward-thinking security consultancies conducting any real offensive security testing with their clients in this space. ",[],{},{"nodeType":1302,"data":2088,"content":2089},{},[2090],{"nodeType":1293,"value":2091,"marks":2092,"data":2093},"All organizations should be taking SaaS and identity attacks seriously — a good starting point would be to normalize SaaS and IdP configuration testing as part of routine security assessments, as well as demonstrating in-app post exploitation activity to raise awareness of how direct and dangerous these attacks can be. ",[],{},{"nodeType":1385,"data":2095,"content":2096},{},[],{"nodeType":1389,"data":2098,"content":2099},{},[2100],{"nodeType":1293,"value":2101,"marks":2102,"data":2104},"Expect more cross-IdP impersonation in future",[2103],{"type":1404},{},{"nodeType":1302,"data":2106,"content":2107},{},[2108,2112,2121],{"nodeType":1293,"value":2109,"marks":2110,"data":2111},"With the ",[],{},{"nodeType":1351,"data":2113,"content":2115},{"uri":2114},"https://pushsecurity.com/blog/identity-attacks-in-the-wild/#id-snowflake-june-2024",[2116],{"nodeType":1293,"value":2117,"marks":2118,"data":2120},"success of the attacks on Snowflake customers",[2119],{"type":1371},{},{"nodeType":1293,"value":2122,"marks":2123,"data":2124}," it feels like attackers and researchers are starting to take note, and the research scrutiny is amping up. It would be wise to expect more of these attacks in future. ",[],{},{"nodeType":1302,"data":2126,"content":2127},{},[2128],{"nodeType":1293,"value":2129,"marks":2130,"data":2131},"Cross-IdP impersonation could be largely prevented if all apps required re-verification upon adding a new login method by default (specifically, requiring that you log in with the original method, not approving via email link/code). 
This is yet another example of the inconsistencies in SaaS authentication introducing vulnerabilities. ",[],{},{"nodeType":1302,"data":2133,"content":2134},{},[2135],{"nodeType":1293,"value":2136,"marks":2137,"data":2138},"As this is unlikely to happen anytime soon, to mitigate the threat of cross-IdP impersonation we recommend that you:",[],{},{"nodeType":1464,"data":2140,"content":2141},{},[2142,2152,2162,2172],{"nodeType":1468,"data":2143,"content":2144},{},[2145],{"nodeType":1302,"data":2146,"content":2147},{},[2148],{"nodeType":1293,"value":2149,"marks":2150,"data":2151},"Set email alerts for employees receiving IdP activation emails to their corporate mailbox and forward to your SIEM. This will provide visibility both of unauthorized IdPs being connected to your domain by employees (which can lead to your corporate apps and accounts being compromised via less secure accounts, such as their Apple, LinkedIn, X, etc.), and of attackers attempting to register a new IdP as part of an attack. ",[],{},{"nodeType":1468,"data":2153,"content":2154},{},[2155],{"nodeType":1302,"data":2156,"content":2157},{},[2158],{"nodeType":1293,"value":2159,"marks":2160,"data":2161},"Warn users of the risks associated with creating new IdP accounts and connecting them to their primary corporate email (as well as the possibility of phishing scams designed to trick the user into completing the verification process or passing on a verification code). ",[],{},{"nodeType":1468,"data":2163,"content":2164},{},[2165],{"nodeType":1302,"data":2166,"content":2167},{},[2168],{"nodeType":1293,"value":2169,"marks":2170,"data":2171},"Where configurable, require downstream applications to enforce re-verification when adding new SSO methods. 
Requiring login with the original method, rather than email approval, is a more secure approach.",[],{},{"nodeType":1468,"data":2173,"content":2174},{},[2175],{"nodeType":1302,"data":2176,"content":2177},{},[2178],{"nodeType":1293,"value":2179,"marks":2180,"data":2181},"Where possible, prevent the conversion of personal accounts to corporate accounts within the main IdP providers. For example, Apple Business Manager recently released the ability to lock your domain and prevent new accounts being created, as well as locking the authentication to your preferred IdP (preventing local accounts from being created) — convenient timing!",[],{},{"nodeType":1441,"data":2183,"content":2187},{"target":2184},{"sys":2185},{"id":2186,"type":1446,"linkType":1447},"56sqxSy9QuTxzOGvUmcYBK",[],{"nodeType":1302,"data":2189,"content":2190},{},[2191],{"nodeType":1293,"value":2192,"marks":2193,"data":2194},"However, your ability to prevent attackers from creating new accounts on IdPs and connecting them to your domain is going to vary from IdP to IdP, so complete remediation may not be possible. And unless handled carefully, joining multiple IdPs to your primary IdP has the potential to increase your attack surface, not reduce it!",[],{},{"nodeType":1302,"data":2196,"content":2197},{},[2198,2202,2210],{"nodeType":1293,"value":2199,"marks":2200,"data":2201},"If you want a bit more technical detail on how this technique can be combined with verification phishing to reliably create new IdP accounts, ",[],{},{"nodeType":1351,"data":2203,"content":2205},{"uri":2204},"https://pushsecurity.com/blog/a-new-class-of-phishing-verification-phishing-and-cross-idp-impersonation/",[2206],{"nodeType":1293,"value":2207,"marks":2208,"data":2209},"check out this blog post.",[],{},{"nodeType":1293,"value":2211,"marks":2212,"data":2213}," Here's a quick demo of the attack chain to whet your appetite... 
",[],{},{"nodeType":1441,"data":2215,"content":2219},{"target":2216},{"sys":2217},{"id":2218,"type":1446,"linkType":1447},"1rfmqEdOlYeWCkpQE0c0IE",[],{"nodeType":1302,"data":2221,"content":2222},{},[2223],{"nodeType":1293,"value":37,"marks":2224,"data":2225},[],{},{"nodeType":1441,"data":2227,"content":2231},{"target":2228},{"sys":2229},{"id":2230,"type":1446,"linkType":1447},"3MGuq0h7IfW7F2ueNbc5v4",[],{"nodeType":1302,"data":2233,"content":2234},{},[2235],{"nodeType":1293,"value":37,"marks":2236,"data":2237},[],{},"Cross-IdP impersonation: Hijacking SSO to access downstream apps","Cross-IdP impersonation is a method of hijacking SSO to access downstream apps — without needing to compromise accounts on your company’s main IdP. ","2024-11-19T00:00:00.000Z","cross-idp-impersonation",{"items":2243},[2244,2246],{"sys":2245,"name":1314},{"id":1313},{"sys":2247,"name":1318},{"id":1317},{"items":2249},[2250],{"fullName":2251,"firstName":2252,"jobTitle":2253,"profilePicture":2254},"Dan Green","Dan","Threat Research",{"url":2255},"https://images.ctfassets.net/y1cdw1ablpvd/7jik1VhFgA3kgzXBXTm2Vw/fcd8c171da644903d0827eafcfbcaad0/Dan_Headshot_2025.png",{"__typename":1322,"sys":2257,"content":2259,"title":2945,"synopsis":2946,"hashTags":118,"publishedDate":2947,"slug":2948,"tagsCollection":2949,"authorsCollection":2955},{"id":2258},"6XHbplcolYfUeAB6x3olYQ",{"json":2260},{"nodeType":1303,"data":2261,"content":2262},{},[2263,2270,2290,2323,2330,2336,2343,2350,2383,2390,2397,2404,2411,2418,2425,2432,2439,2446,2453,2460,2467,2474,2481,2488,2495,2502,2508,2514,2521,2528,2535,2542,2548,2555,2562,2582,2589,2609,2615,2622,2629,2636,2643,2649,2656,2663,2670,2677,2684,2690,2696,2703,2710,2717,2724,2731,2738,2744,2751,2758,2765,2772,2779,2785,2791,2798,2805,2812,2818,2825,2832,2839,2845,2852,2858,2865,2872,2890,2908,2915,2933,2939],{"nodeType":1389,"data":2264,"content":2265},{},[2266],{"nodeType":1293,"value":2267,"marks":2268,"data":2269},"Picking up where we left 
off...",[],{},{"nodeType":1302,"data":2271,"content":2272},{},[2273,2277,2286],{"nodeType":1293,"value":2274,"marks":2275,"data":2276},"In our previous ",[],{},{"nodeType":1351,"data":2278,"content":2280},{"uri":2279},"https://pushsecurity.com/blog/how-aitm-phishing-kits-evade-detection/",[2281],{"nodeType":1293,"value":2282,"marks":2283,"data":2285},"blog post",[2284],{"type":1371},{},{"nodeType":1293,"value":2287,"marks":2288,"data":2289},", we looked at a range of techniques implemented by a then-recent instance of the NakedPages AiTM phishing kit for evading detection. The techniques covered previously were mostly intended to make two detection strategies for defenders much more difficult:",[],{},{"nodeType":1464,"data":2291,"content":2292},{},[2293,2308],{"nodeType":1468,"data":2294,"content":2295},{},[2296],{"nodeType":1302,"data":2297,"content":2298},{},[2299,2304],{"nodeType":1293,"value":2300,"marks":2301,"data":2303},"Writing toolkit signatures",[2302],{"type":1404},{},{"nodeType":1293,"value":2305,"marks":2306,"data":2307},": Through heavy use of randomization, constantly changing hosting domains/IPs, legitimate hosting options etc., it becomes very difficult for defenders to maintain effective signatures to detect either generic phishing kit code or where they are hosted.",[],{},{"nodeType":1468,"data":2309,"content":2310},{},[2311],{"nodeType":1302,"data":2312,"content":2313},{},[2314,2319],{"nodeType":1293,"value":2315,"marks":2316,"data":2318},"Automating dynamic analysis",[2317],{"type":1404},{},{"nodeType":1293,"value":2320,"marks":2321,"data":2322},": Similarly to sandbox evasion for malware, phishing kits are designed to evade automated discovery and analysis, e.g. 
by using Cloudflare Turnstile bot detection, and requiring legitimate browser interaction and JavaScript execution in order for execution flow to reach the malicious phishing functionality.",[],{},{"nodeType":1302,"data":2324,"content":2325},{},[2326],{"nodeType":1293,"value":2327,"marks":2328,"data":2329},"In this blog post, we're diving deeper into a specific category of signature-based detection and how attackers are getting around them: Login page signatures. ",[],{},{"nodeType":1441,"data":2331,"content":2335},{"target":2332},{"sys":2333},{"id":2334,"type":1446,"linkType":1447},"1aaDMth4Cxv6CMT0PJW5py",[],{"nodeType":1389,"data":2337,"content":2338},{},[2339],{"nodeType":1293,"value":2340,"marks":2341,"data":2342},"Login page signatures 101",[],{},{"nodeType":1302,"data":2344,"content":2345},{},[2346],{"nodeType":1293,"value":2347,"marks":2348,"data":2349},"The overwhelming majority of common AiTM phishing kits in the wild now are targeting the most dominant identity providers (IdPs), such as Microsoft Entra or Google Workspace. 
They typically emulate the login pages of these platforms to ensure the victim uses the correct password and MFA factor and completes the login process, so the attacker can steal the valid session.",[],{},{"nodeType":1302,"data":2351,"content":2352},{},[2353,2357,2362,2365,2370,2374,2379],{"nodeType":1293,"value":2354,"marks":2355,"data":2356},"As a result, security product vendors are naturally looking to move away from unreliable detections based on signaturing ever-changing phishing kits, toward detecting login pages that ",[],{},{"nodeType":1293,"value":2358,"marks":2359,"data":2361},"look like",[2360],{"type":1404},{},{"nodeType":1293,"value":1586,"marks":2363,"data":2364},[],{},{"nodeType":1293,"value":2366,"marks":2367,"data":2369},"Microsoft Entra, Google Workspace",[2368],{"type":1404},{},{"nodeType":1293,"value":2371,"marks":2372,"data":2373}," (or any other common IdP) ",[],{},{"nodeType":1293,"value":2375,"marks":2376,"data":2378},"but are not hosted on the official domains",[2377],{"type":1404},{},{"nodeType":1293,"value":2380,"marks":2381,"data":2382},". The benefit here is that you’re focusing on a fixed, known target, rather than a constantly moving one (e.g. phishing kit codebases).",[],{},{"nodeType":1302,"data":2384,"content":2385},{},[2386],{"nodeType":1293,"value":2387,"marks":2388,"data":2389},"However, attackers have managed to stay one step ahead and are already using a wide range of techniques to break these detections and counter the countermeasures.",[],{},{"nodeType":1389,"data":2391,"content":2392},{},[2393],{"nodeType":1293,"value":2394,"marks":2395,"data":2396},"Signature evasion strategies",[],{},{"nodeType":1302,"data":2398,"content":2399},{},[2400],{"nodeType":1293,"value":2401,"marks":2402,"data":2403},"Well, like most good ideas, someone else has already had it — many phishing kits pre-emptively take steps to evade detections based on login page signatures. 
The specific evasion techniques used are a useful insight into what detection techniques are out there and need to be circumvented. ",[],{},{"nodeType":1302,"data":2405,"content":2406},{},[2407],{"nodeType":1293,"value":2408,"marks":2409,"data":2410},"Before we delve into the specific examples, let’s first consider the general strategies for this: document object model (DOM) obfuscation, and visual obfuscation. ",[],{},{"nodeType":1397,"data":2412,"content":2413},{},[2414],{"nodeType":1293,"value":2415,"marks":2416,"data":2417},"DOM obfuscation",[],{},{"nodeType":1302,"data":2419,"content":2420},{},[2421],{"nodeType":1293,"value":2422,"marks":2423,"data":2424},"This is the more traditional evasion approach. The goal for an attacker is to have a login page that is visually identical to the real page when viewed with the human eye. ",[],{},{"nodeType":1302,"data":2426,"content":2427},{},[2428],{"nodeType":1293,"value":2429,"marks":2430,"data":2431},"But that doesn’t mean the underlying DOM (or loaded HTML, CSS, and JS code) needs to be the same, or even similar, to the real login page. It’s possible to construct a completely different DOM that ensures the same visual output with very different underlying code. ",[],{},{"nodeType":1302,"data":2433,"content":2434},{},[2435],{"nodeType":1293,"value":2436,"marks":2437,"data":2438},"It’s also possible to use dynamic modification techniques to ensure the DOM changes during execution to frustrate fixed point-in-time analysis controls, like those that may be used by web proxies.  
",[],{},{"nodeType":1397,"data":2440,"content":2441},{},[2442],{"nodeType":1293,"value":2443,"marks":2444,"data":2445},"Visual obfuscation",[],{},{"nodeType":1302,"data":2447,"content":2448},{},[2449],{"nodeType":1293,"value":2450,"marks":2451,"data":2452},"With the ever-increasing capabilities of machine learning (ML) and other artificial intelligence (AI) technologies, we don’t just have to look at the underlying code and text signatures anymore. There are a range of computer vision based techniques that can be used to simulate a more human approach to assessing if a login page matches another example. ",[],{},{"nodeType":1302,"data":2454,"content":2455},{},[2456],{"nodeType":1293,"value":2457,"marks":2458,"data":2459},"Therefore, another approach to defeat login page signatures would be to perform visual obfuscation techniques that can frustrate computer vision-based detections, while still fooling a human user.",[],{},{"nodeType":1389,"data":2461,"content":2462},{},[2463],{"nodeType":1293,"value":2464,"marks":2465,"data":2466},"DOM obfuscation techniques",[],{},{"nodeType":1302,"data":2468,"content":2469},{},[2470],{"nodeType":1293,"value":2471,"marks":2472,"data":2473},"For consistency, we’re going to focus on Microsoft login phishing kits as they are the most common (by far), but we’ll pick from some different samples we’ve observed. Let’s start with a few examples of DOM obfuscation we have seen in the wild:",[],{},{"nodeType":1397,"data":2475,"content":2476},{},[2477],{"nodeType":1293,"value":2478,"marks":2479,"data":2480},"#1 – DOM structure change",[],{},{"nodeType":1302,"data":2482,"content":2483},{},[2484],{"nodeType":1293,"value":2485,"marks":2486,"data":2487},"If an attacker were to simply clone Microsoft’s login page, then we’d expect to see a very similar (if not identical) DOM structure, right? 
After all, the simplest way to emulate a web page visually is either to copy the HTML directly or transparently proxy requests to the real target with minimal changes, as tools like Evilginx do. This would make detection far simpler as we’d have a known code structure to look for. ",[],{},{"nodeType":1302,"data":2489,"content":2490},{},[2491],{"nodeType":1293,"value":2492,"marks":2493,"data":2494},"Unfortunately, it’s pretty common for attackers to deliberately use a completely different DOM structure for something that’s almost identical to the eye. It takes a lot more effort to implement this and so the reason for it is almost certainly to avoid this detection technique.  ",[],{},{"nodeType":1302,"data":2496,"content":2497},{},[2498],{"nodeType":1293,"value":2499,"marks":2500,"data":2501},"Check out the examples below to see a high-level interpretation of the DOM structure for a legitimate Microsoft login page and one phishing example. You can see how they are visually very similar, but radically different from one another when looking at DOM code:",[],{},{"nodeType":1441,"data":2503,"content":2507},{"target":2504},{"sys":2505},{"id":2506,"type":1446,"linkType":1447},"4amv144ZzTBmd9ssh66kkr",[],{"nodeType":1441,"data":2509,"content":2513},{"target":2510},{"sys":2511},{"id":2512,"type":1446,"linkType":1447},"2gC49b2f2Th4wAEWLPvAnL",[],{"nodeType":1397,"data":2515,"content":2516},{},[2517],{"nodeType":1293,"value":2518,"marks":2519,"data":2520},"#2 – Randomizing page titles",[],{},{"nodeType":1302,"data":2522,"content":2523},{},[2524],{"nodeType":1293,"value":2525,"marks":2526,"data":2527},"The HTML page title is one very specific place to check for similarity. For Microsoft, it can change slightly depending on the service, but if we use Outlook as an example then the page title is “Sign in to Outlook”. This also has a favicon of the Microsoft logo (another issue we’ll visit later in the article). 
\n\nIt’s unsurprising that attackers are randomizing the page title to evade basic detections – how many users would really notice any difference?",[],{},{"nodeType":1302,"data":2529,"content":2530},{},[2531],{"nodeType":1293,"value":2532,"marks":2533,"data":2534},"Some kits, such as the NakedPages case study we looked at in the previous article, use purely randomized alphanumeric text. Others use English words that may seem innocuous if a user does inspect them, but are in fact randomized between iterations to ensure any one set that is flagged will not completely block the phishing kit from operating. ",[],{},{"nodeType":1302,"data":2536,"content":2537},{},[2538],{"nodeType":1293,"value":2539,"marks":2540,"data":2541},"For example, see three refreshed examples of the same phishing kit below when compared with the legitimate Outlook login page title next to it.",[],{},{"nodeType":1441,"data":2543,"content":2547},{"target":2544},{"sys":2545},{"id":2546,"type":1446,"linkType":1447},"2KuHCssISCeGYeZNC005pV",[],{"nodeType":1397,"data":2549,"content":2550},{},[2551],{"nodeType":1293,"value":2552,"marks":2553,"data":2554},"#3 – Desktop control techniques (e.g. NoVNC)",[],{},{"nodeType":1302,"data":2556,"content":2557},{},[2558],{"nodeType":1293,"value":2559,"marks":2560,"data":2561},"The most common AiTM phishing technique is some form of a web proxy method, where the victim interacts with a legitimate website that is proxying certain requests to the real backend. However, this is not the only method. Some tools utilize a Browser-in-the-Middle (BiTM) technique that involves using desktop sharing technologies to remotely control an attacker’s browser instead. 
",[],{},{"nodeType":1302,"data":2563,"content":2564},{},[2565,2569,2578],{"nodeType":1293,"value":2566,"marks":2567,"data":2568},"If you want to know more about this, check out our ",[],{},{"nodeType":1351,"data":2570,"content":2572},{"uri":2571},"https://pushsecurity.com/blog/phishing-2-0-how-phishing-toolkits-are-evolving-with-aitm/",[2573],{"nodeType":1293,"value":2574,"marks":2575,"data":2577},"previous article on AiTM phishing",[2576],{"type":1371},{},{"nodeType":1293,"value":2579,"marks":2580,"data":2581},".",[],{},{"nodeType":1302,"data":2583,"content":2584},{},[2585],{"nodeType":1293,"value":2586,"marks":2587,"data":2588},"The upside of this for an attacker is that the website is actually completely different from the target website under the hood. If anything, it just looks like any other website making use of similar technologies like NoVNC.",[],{},{"nodeType":1302,"data":2590,"content":2591},{},[2592,2596,2605],{"nodeType":1293,"value":2593,"marks":2594,"data":2595},"For example, see the following screenshot example of using the open-source BiTM tool, ",[],{},{"nodeType":1351,"data":2597,"content":2599},{"uri":2598},"https://github.com/JoelGMSec/EvilnoVNC",[2600],{"nodeType":1293,"value":2601,"marks":2602,"data":2604},"EvilNoVNC",[2603],{"type":1371},{},{"nodeType":1293,"value":2606,"marks":2607,"data":2608},". 
You can see how the underlying HTML and DOM are completely different due to the use of this technique, with effectively the entire page just being an HTML canvas element that is rendered like a video.",[],{},{"nodeType":1441,"data":2610,"content":2614},{"target":2611},{"sys":2612},{"id":2613,"type":1446,"linkType":1447},"60Jt2P0ip14ycdtS9qLPhc",[],{"nodeType":1397,"data":2616,"content":2617},{},[2618],{"nodeType":1293,"value":2619,"marks":2620,"data":2621},"#4 – Dynamic text decoding",[],{},{"nodeType":1302,"data":2623,"content":2624},{},[2625],{"nodeType":1293,"value":2626,"marks":2627,"data":2628},"Sometimes there may be very specific strings that detection tools might try to signature on. Let’s use the example of text that appears visually on the login page. While most login text can be pretty generic, e.g. “Sign in”, that’s not always the case. To appear authentic, it’s better for an attacker to keep it the same, but that leaves it vulnerable to signature detection. ",[],{},{"nodeType":1302,"data":2630,"content":2631},{},[2632],{"nodeType":1293,"value":2633,"marks":2634,"data":2635},"For example, the placeholder text on Microsoft’s login page is “Email, phone, or Skype”. Particularly given Microsoft’s historical acquisition of Skype, this is actually a pretty specific piece of text that you won’t often find in the username field of a login page. ",[],{},{"nodeType":1302,"data":2637,"content":2638},{},[2639],{"nodeType":1293,"value":2640,"marks":2641,"data":2642},"So how do you keep this text but make it harder to signature on? Well, you fall back to classic decoding techniques to avoid static signatures. In this case, the text is decoded from base64 using JavaScript’s atob() function in order to load that text dynamically during execution rather than have it statically within the HTML. 
This makes it harder to create a signature using common point-in-time static analysis techniques.",[],{},{"nodeType":1441,"data":2644,"content":2648},{"target":2645},{"sys":2646},{"id":2647,"type":1446,"linkType":1447},"1PymaE09il5CubFvwSfLqW",[],{"nodeType":1397,"data":2650,"content":2651},{},[2652],{"nodeType":1293,"value":2653,"marks":2654,"data":2655},"#5 – Image element obfuscation",[],{},{"nodeType":1302,"data":2657,"content":2658},{},[2659],{"nodeType":1293,"value":2660,"marks":2661,"data":2662},"We’re starting to shift towards more visual-based obfuscation elements now, but first let’s cover an interesting example that straddles the two.",[],{},{"nodeType":1302,"data":2664,"content":2665},{},[2666],{"nodeType":1293,"value":2667,"marks":2668,"data":2669},"Many login pages will have very clear examples of vendor logos present in specific locations and elements as part of a login page. This is a huge part of an authentic visual experience and so attackers would like to keep them there. However, as defenders we could specifically look for these elements, either for pure structural matching techniques or as a pre-processing step for visual matching techniques later (e.g. visually matching a logo, rather than the entire page). ",[],{},{"nodeType":1302,"data":2671,"content":2672},{},[2673],{"nodeType":1293,"value":2674,"marks":2675,"data":2676},"For this reason, attackers might want to obfuscate this aspect in order to make it difficult to match or locate the images used within the login page, while still ensuring they appear visually identical to a user.",[],{},{"nodeType":1302,"data":2678,"content":2679},{},[2680],{"nodeType":1293,"value":2681,"marks":2682,"data":2683},"Below, we can see a comparison of a legitimate Microsoft login page and a phishing kit. You can see how in the original a standard HTML \u003Cimg> element of a specific size and name is used. 
In comparison, our phishing kit has replaced this with a \u003Cdiv> element of a different size and made use of background image styling to ensure the \u003Cdiv> ends up with the same visual appearance despite the structural differences.",[],{},{"nodeType":1441,"data":2685,"content":2689},{"target":2686},{"sys":2687},{"id":2688,"type":1446,"linkType":1447},"4MvwXZDjMA56ZYSdjKpu9R",[],{"nodeType":1441,"data":2691,"content":2695},{"target":2692},{"sys":2693},{"id":2694,"type":1446,"linkType":1447},"6tNMjTvHuAWkuK0x7ZEgKr",[],{"nodeType":1389,"data":2697,"content":2698},{},[2699],{"nodeType":1293,"value":2700,"marks":2701,"data":2702},"Visual obfuscation techniques",[],{},{"nodeType":1302,"data":2704,"content":2705},{},[2706],{"nodeType":1293,"value":2707,"marks":2708,"data":2709},"As if that wasn’t enough, let’s move on to some visual obfuscation techniques that attackers are also using.",[],{},{"nodeType":1397,"data":2711,"content":2712},{},[2713],{"nodeType":1293,"value":2714,"marks":2715,"data":2716},"#6 – Favicon changes",[],{},{"nodeType":1302,"data":2718,"content":2719},{},[2720],{"nodeType":1293,"value":2721,"marks":2722,"data":2723},"We effectively saw this earlier when speaking about HTML page title randomization. The favicon is also an easy place to look for the obvious use of vendor logos. How many legitimate websites are going to have the Microsoft logo as their favicon? If they do, they may quickly end up with a cease and desist letter!",[],{},{"nodeType":1302,"data":2725,"content":2726},{},[2727],{"nodeType":1293,"value":2728,"marks":2729,"data":2730},"Favicons also render at a fixed size, so if an attacker wants to ensure that the Microsoft logo appears as the favicon for their page, it gives defenders a fixed target to perform image recognition against for cloned logos. 
",[],{},{"nodeType":1302,"data":2732,"content":2733},{},[2734],{"nodeType":1293,"value":2735,"marks":2736,"data":2737},"In this phishing kit example, it looks like the authors have decided they are better off just leaving the favicon empty to avoid being vulnerable to this detection technique.",[],{},{"nodeType":1441,"data":2739,"content":2743},{"target":2740},{"sys":2741},{"id":2742,"type":1446,"linkType":1447},"7FknWWF9ri9eZvu8Prhkd5",[],{"nodeType":1397,"data":2745,"content":2746},{},[2747],{"nodeType":1293,"value":2748,"marks":2749,"data":2750},"#7 – Blurred background images",[],{},{"nodeType":1302,"data":2752,"content":2753},{},[2754],{"nodeType":1293,"value":2755,"marks":2756,"data":2757},"Ok, this is a pretty clever one. Let’s say as a defender we wanted to perform sophisticated image recognition techniques to detect websites that look visually very similar to Microsoft’s login page overall. There may be many challenges around rendering resolution etc to deal with but conceptually we could look to match on the whole page. ",[],{},{"nodeType":1302,"data":2759,"content":2760},{},[2761],{"nodeType":1293,"value":2762,"marks":2763,"data":2764},"However, if an attacker makes a substantial visual change to the page that still appears authentic then this would prevent the technique from operating effectively. One common graphic design method used when a modal pops up is to blur the background. Some phishing kits use similar techniques on their login pages with a variety of different background images that are derived from legitimate Microsoft sources. ",[],{},{"nodeType":1302,"data":2766,"content":2767},{},[2768],{"nodeType":1293,"value":2769,"marks":2770,"data":2771},"The first time you see this, it’s easy to think you’ve seen this a hundred times before. It just seems very familiar and authentic… except it’s not. The real login page has a blank background. 
Therefore, any algorithms looking for visual similarity of the overall page are not going to match because they are actually radically different. ",[],{},{"nodeType":1302,"data":2773,"content":2774},{},[2775],{"nodeType":1293,"value":2776,"marks":2777,"data":2778},"This is a trick on the human brain and the way we interpret images, not a trick on a computer vision algorithm. Take a look at the phishing example and the real Microsoft login page below:",[],{},{"nodeType":1441,"data":2780,"content":2784},{"target":2781},{"sys":2782},{"id":2783,"type":1446,"linkType":1447},"6KnrHECqltSOgSCGHIjYEL",[],{"nodeType":1441,"data":2786,"content":2790},{"target":2787},{"sys":2788},{"id":2789,"type":1446,"linkType":1447},"1nb6K1MyBkON2eBHk1365B",[],{"nodeType":1397,"data":2792,"content":2793},{},[2794],{"nodeType":1293,"value":2795,"marks":2796,"data":2797},"#8 – Logo substitution",[],{},{"nodeType":1302,"data":2799,"content":2800},{},[2801],{"nodeType":1293,"value":2802,"marks":2803,"data":2804},"You might have noticed one other change with the previous image – the logo that was used. We saw earlier how some phishing kits make it harder to identify individual logos within an image through DOM obfuscation techniques. However, the other approach is to substitute logos for similar ones that give a sense of authenticity to the user but are visually completely different.",[],{},{"nodeType":1302,"data":2806,"content":2807},{},[2808],{"nodeType":1293,"value":2809,"marks":2810,"data":2811},"In this case, the phishing kit has chosen to use the newer purple hexagon Microsoft 365 logo in place of the standard Microsoft logo on the login page. Users will no doubt be familiar with this logo as belonging to Microsoft and so it still gives the sense of authenticity. 
A computer vision algorithm looking to match the original logo won’t know that though!",[],{},{"nodeType":1441,"data":2813,"content":2817},{"target":2814},{"sys":2815},{"id":2816,"type":1446,"linkType":1447},"5o1WRmupkYPr9QmeQUf5uF",[],{"nodeType":1397,"data":2819,"content":2820},{},[2821],{"nodeType":1293,"value":2822,"marks":2823,"data":2824},"#9 - Sub-image obfuscation",[],{},{"nodeType":1302,"data":2826,"content":2827},{},[2828],{"nodeType":1293,"value":2829,"marks":2830,"data":2831},"Ok, so let’s say an attacker wants to use the real logo and they’ve even used the image element obfuscation method we saw earlier to dynamically set the image as a background image for a \u003Cdiv> element. ",[],{},{"nodeType":1302,"data":2833,"content":2834},{},[2835],{"nodeType":1293,"value":2836,"marks":2837,"data":2838},"However, it’s not impossible for these images to be isolated and analyzed. Perhaps a defender might enumerate all divs, compute the background images and analyze them all. We can see an example of using code to do this to determine the image used by a \u003Cdiv> element in a phishing kit below:",[],{},{"nodeType":1441,"data":2840,"content":2844},{"target":2841},{"sys":2842},{"id":2843,"type":1446,"linkType":1447},"79e7r8I5p0Nh9hpqrRs9eJ",[],{"nodeType":1302,"data":2846,"content":2847},{},[2848],{"nodeType":1293,"value":2849,"marks":2850,"data":2851},"This gives us the base64 image data that was set as the background image. However, if we look at that image data directly we see it’s an obfuscated form of the image, even though it displays correctly when properly cropped as it’s embedded in the overall page:",[],{},{"nodeType":1441,"data":2853,"content":2857},{"target":2854},{"sys":2855},{"id":2856,"type":1446,"linkType":1447},"jXlXRHrezWsZ27CiQIyBO",[],{"nodeType":1302,"data":2859,"content":2860},{},[2861],{"nodeType":1293,"value":2862,"marks":2863,"data":2864},"This makes it harder for a visual algorithm to match the logo as it’s clearly not exactly the same. 
Instead, careful construction of the div and related DOM has ensured that these obfuscated edge pieces do not show visually to the user.",[],{},{"nodeType":1389,"data":2866,"content":2867},{},[2868],{"nodeType":1293,"value":2869,"marks":2870,"data":2871},"Conclusion",[],{},{"nodeType":1302,"data":2873,"content":2874},{},[2875,2879,2886],{"nodeType":1293,"value":2876,"marks":2877,"data":2878},"In ",[],{},{"nodeType":1351,"data":2880,"content":2881},{"uri":2279},[2882],{"nodeType":1293,"value":2883,"marks":2884,"data":2885},"our previous article",[],{},{"nodeType":1293,"value":2887,"marks":2888,"data":2889},", we looked at a higher level set of techniques used by phishing kits to avoid detection. In this article, we’ve dived deeper into one particular strategy of breaking login page signatures and have shown how, even inside of this one strategy, there are many different sub-techniques being used to evade common detections.",[],{},{"nodeType":1302,"data":2891,"content":2892},{},[2893,2897,2904],{"nodeType":1293,"value":2894,"marks":2895,"data":2896},"Looking at the evasion techniques discussed here and in ",[],{},{"nodeType":1351,"data":2898,"content":2899},{"uri":2279},[2900],{"nodeType":1293,"value":2901,"marks":2902,"data":2903},"Part 1",[],{},{"nodeType":1293,"value":2905,"marks":2906,"data":2907},", it’s pretty clear that attackers are consciously looking to bypass automated detection techniques typically implemented through either web traffic analysis (using a web proxy inspection tool or Secure Web Gateway) or website sandboxing (for example link analysis provided by an email security appliance).",[],{},{"nodeType":1302,"data":2909,"content":2910},{},[2911],{"nodeType":1293,"value":2912,"marks":2913,"data":2914},"On a positive note, this shows us that (at least some) detection tools are trending upwards on the Pyramid of Pain — moving away from nearly pointless signatures like IP addresses and domains towards more in-depth detections of specific tool 
techniques. Though it’s also fair to say that, in this cat-and-mouse game, it seems the attackers are maintaining the advantage. This may be because these detection technologies are widely available, and attackers can test their kits against these tools and change them just enough to bypass them.",[],{},{"nodeType":1302,"data":2916,"content":2917},{},[2918,2922,2930],{"nodeType":1293,"value":2919,"marks":2920,"data":2921},"If you’re interested in how Push uses browser telemetry and evaluates user interaction with these kits to detect these attacks despite all these ever-evolving evasion techniques — ",[],{},{"nodeType":1351,"data":2923,"content":2925},{"uri":2924},"https://pushsecurity.com/blog/detecting-and-blocking-phishing-attacks-in-the-browser/",[2926],{"nodeType":1293,"value":2927,"marks":2928,"data":2929},"take a look at how we do phishing detection.",[],{},{"nodeType":1293,"value":37,"marks":2931,"data":2932},[],{},{"nodeType":1441,"data":2934,"content":2938},{"target":2935},{"sys":2936},{"id":2937,"type":1446,"linkType":1447},"6H8HmAmYiGvs3T7kQLA4dd",[],{"nodeType":1302,"data":2940,"content":2941},{},[2942],{"nodeType":1293,"value":37,"marks":2943,"data":2944},[],{},"How AitM phishing kits evade detection: Part 2","How attackers are breaking detection signatures designed to identify phishing sites impersonating real login pages.","2024-11-12T00:00:00.000Z","how-aitm-phishing-kits-evade-detection-p2",{"items":2950},[2951,2953],{"sys":2952,"name":1318},{"id":1317},{"sys":2954,"name":1314},{"id":1313},{"items":2956},[2957],{"fullName":2958,"firstName":2959,"jobTitle":2960,"profilePicture":2961},"Luke Jennings","Luke","Vice President, 
R&D",{"url":2962},"https://images.ctfassets.net/y1cdw1ablpvd/4Hosb4zKi1dA0PUyDLMe1h/27e09d894861f2196ba794037986fb08/T016S22KZ96-U02NVQM7ZD4-57761d542d83-512.jpeg",{"__typename":1322,"sys":2964,"content":2966,"title":3284,"synopsis":3285,"hashTags":118,"publishedDate":3286,"slug":3287,"tagsCollection":3288,"authorsCollection":3294},{"id":2965},"4bYO5rVy9n2OO3vtMVQeda",{"json":2967},{"nodeType":1303,"data":2968,"content":2969},{},[2970,2977,2996,3012,3019,3026,3029,3036,3043,3096,3103,3109,3112,3119,3126,3133,3140,3147,3164,3170,3177,3184,3201,3207,3214,3221,3228,3235,3242,3245,3252,3272,3278],{"nodeType":1389,"data":2971,"content":2972},{},[2973],{"nodeType":1293,"value":2974,"marks":2975,"data":2976},"All phishing eventually leads to the browser",[],{},{"nodeType":1302,"data":2978,"content":2979},{},[2980,2984,2993],{"nodeType":1293,"value":2981,"marks":2982,"data":2983},"The best attack detection methods are those that focus on ",[],{},{"nodeType":1351,"data":2985,"content":2987},{"uri":2986},"https://pushsecurity.com/blog/our-design-philosophy-detecting-what-matters/",[2988],{"nodeType":1293,"value":2989,"marks":2990,"data":2992},"detecting indicators that are difficult for attackers to change or obfuscate",[2991],{"type":1371},{},{"nodeType":1293,"value":1595,"marks":2994,"data":2995},[],{},{"nodeType":1302,"data":2997,"content":2998},{},[2999,3003,3008],{"nodeType":1293,"value":3000,"marks":3001,"data":3002},"For a credential phishing attack to succeed, the victim ",[],{},{"nodeType":1293,"value":3004,"marks":3005,"data":3007},"has",[3006],{"type":1371},{},{"nodeType":1293,"value":3009,"marks":3010,"data":3011}," to enter their password into a webpage. There’s no two-ways about it, attackers cannot change this. 
",[],{},{"nodeType":1302,"data":3013,"content":3014},{},[3015],{"nodeType":1293,"value":3016,"marks":3017,"data":3018},"So it stands to reason that, if you can detect this user behavior, and block them from entering their password, then you can stop phishing. ",[],{},{"nodeType":1302,"data":3020,"content":3021},{},[3022],{"nodeType":1293,"value":3023,"marks":3024,"data":3025},"This is exactly what Push does.",[],{},{"nodeType":1385,"data":3027,"content":3028},{},[],{"nodeType":1397,"data":3030,"content":3031},{},[3032],{"nodeType":1293,"value":3033,"marks":3034,"data":3035},"Most anti-phishing tools are easily bypassed",[],{},{"nodeType":1302,"data":3037,"content":3038},{},[3039],{"nodeType":1293,"value":3040,"marks":3041,"data":3042},"Other anti-phishing tools rely on detecting elements of the attack that attackers can change and hide, such as domains or the webpage contents. Attackers use tricks to evade these detection, like:",[],{},{"nodeType":1464,"data":3044,"content":3045},{},[3046,3056,3066,3076,3086],{"nodeType":1468,"data":3047,"content":3048},{},[3049],{"nodeType":1302,"data":3050,"content":3051},{},[3052],{"nodeType":1293,"value":3053,"marks":3054,"data":3055},"Using Cloudflare Workers to block automatic analysis of their phishing site",[],{},{"nodeType":1468,"data":3057,"content":3058},{},[3059],{"nodeType":1302,"data":3060,"content":3061},{},[3062],{"nodeType":1293,"value":3063,"marks":3064,"data":3065},"Hacking a Wordpress blog to get a reputable domain that passes domain checks ",[],{},{"nodeType":1468,"data":3067,"content":3068},{},[3069],{"nodeType":1302,"data":3070,"content":3071},{},[3072],{"nodeType":1293,"value":3073,"marks":3074,"data":3075},"Using redirects and rotating the URLs delivered to the victim to bypass link analysis",[],{},{"nodeType":1468,"data":3077,"content":3078},{},[3079],{"nodeType":1302,"data":3080,"content":3081},{},[3082],{"nodeType":1293,"value":3083,"marks":3084,"data":3085},"Randomizing the HTML title for the web page 
to bypass blocklists ",[],{},{"nodeType":1468,"data":3087,"content":3088},{},[3089],{"nodeType":1302,"data":3090,"content":3091},{},[3092],{"nodeType":1293,"value":3093,"marks":3094,"data":3095},"One-time phishing links that only work the first time they are clicked",[],{},{"nodeType":1302,"data":3097,"content":3098},{},[3099],{"nodeType":1293,"value":3100,"marks":3101,"data":3102},"Push is putting an end to this game of cat and mouse, by keeping it really simple; you can’t phish someone who can’t put their password into a phishing page. ",[],{},{"nodeType":1441,"data":3104,"content":3108},{"target":3105},{"sys":3106},{"id":3107,"type":1446,"linkType":1447},"6AwOZSpqaChmeksnj4SyWE",[],{"nodeType":1385,"data":3110,"content":3111},{},[],{"nodeType":1397,"data":3113,"content":3114},{},[3115],{"nodeType":1293,"value":3116,"marks":3117,"data":3118},"Domain-binding passwords",[],{},{"nodeType":1302,"data":3120,"content":3121},{},[3122],{"nodeType":1293,"value":3123,"marks":3124,"data":3125},"If you’re familiar with how passkeys are domain-bound, then think of what Push does as domain-binding passwords. We pin the password to its legitimate domain(s) and then don’t allow it to be entered into any webpage on any other domain. ",[],{},{"nodeType":1302,"data":3127,"content":3128},{},[3129],{"nodeType":1293,"value":3130,"marks":3131,"data":3132},"But just because you’ve stopped your users from being phished doesn’t mean you don’t want to know when attackers are attempting to phish your users and how. ",[],{},{"nodeType":1302,"data":3134,"content":3135},{},[3136],{"nodeType":1293,"value":3137,"marks":3138,"data":3139},"Push still inspects webpages to see if attackers are rendering cloned app login pages in the browser or if known AitM and BitM toolkits are being used. This way you don’t lose visibility of the unsuccessful attacks that are targeting your users. 
Think of it as a handy second and third layer of defense.",[],{},{"nodeType":1302,"data":3141,"content":3142},{},[3143],{"nodeType":1293,"value":3144,"marks":3145,"data":3146},"Let’s run through a quick before-and-after example:",[],{},{"nodeType":1397,"data":3148,"content":3149},{},[3150,3154,3160],{"nodeType":1293,"value":3151,"marks":3152,"data":3153},"Scenario 1: An attacker attempts to phish an employee that ",[],{},{"nodeType":1293,"value":3155,"marks":3156,"data":3159},"doesn’t",[3157,3158],{"type":1371},{"type":1404},{},{"nodeType":1293,"value":3161,"marks":3162,"data":3163}," have Push deployed to their browser.",[],{},{"nodeType":1441,"data":3165,"content":3169},{"target":3166},{"sys":3167},{"id":3168,"type":1446,"linkType":1447},"2CbGMUSJsP1mNeHkmpLl6N",[],{"nodeType":1302,"data":3171,"content":3172},{},[3173],{"nodeType":1293,"value":3174,"marks":3175,"data":3176},"Here, an attacker hacks a WordPress blog to get a reputable domain and then runs a phishing toolkit on the webpage. They email one of your employees a link to it. Your SWG / email scanning solution inspects it in a sandbox but the phish kit detects this and redirects to a benign site so that it passes the inspection. ",[],{},{"nodeType":1302,"data":3178,"content":3179},{},[3180],{"nodeType":1293,"value":3181,"marks":3182,"data":3183},"Your user gets the email with the link and is now free to interact with the phishing page. They enter their credentials plus MFA code into the page and voilà! The attacker steals them and is able to compromise the user’s account.  ",[],{},{"nodeType":1397,"data":3185,"content":3186},{},[3187,3191,3197],{"nodeType":1293,"value":3188,"marks":3189,"data":3190},"Scenario 2: An attacker attempts to phish an employee that ",[],{},{"nodeType":1293,"value":3192,"marks":3193,"data":3196},"does",[3194,3195],{"type":1371},{"type":1404},{},{"nodeType":1293,"value":3198,"marks":3199,"data":3200}," have Push deployed to their browser. 
",[],{},{"nodeType":1441,"data":3202,"content":3206},{"target":3203},{"sys":3204},{"id":3205,"type":1446,"linkType":1447},"77smnID1woCfFJrJPyTvKY",[],{"nodeType":1302,"data":3208,"content":3209},{},[3210],{"nodeType":1293,"value":3211,"marks":3212,"data":3213},"This time, the attacker uses the same phishing toolkit and domain from the first example. But in reality, they don’t have to send it to your employee using email, instead, they could use LinkedIn messenger, Slack, Teams, or any application that allows employees to communicate with each other. ",[],{},{"nodeType":1302,"data":3215,"content":3216},{},[3217],{"nodeType":1293,"value":3218,"marks":3219,"data":3220},"Like before, the user receives the link, opens it and starts to enter their credentials into the webpage. This time though, the Push browser extension inspects the webpage running in the user's browser. Push observes that the webpage is a login page and the user is entering their password into the page.",[],{},{"nodeType":1302,"data":3222,"content":3223},{},[3224],{"nodeType":1293,"value":3225,"marks":3226,"data":3227},"The first detection Push makes is checking that the password the user is entering matches the domain that password is pinned to. Since it doesn't match, based on this detection alone the user is automatically redirected to a blocking page. An important point to make here is that the password never leaves the user’s browser and the check is made using a shortened salted hash of the password.   ",[],{},{"nodeType":1302,"data":3229,"content":3230},{},[3231],{"nodeType":1293,"value":3232,"marks":3233,"data":3234},"The second detection Push makes is that the rendered web app is using a cloned app login page. The third detection is that a phishing toolkit is running in the web app code. 
",[],{},{"nodeType":1302,"data":3236,"content":3237},{},[3238],{"nodeType":1293,"value":3239,"marks":3240,"data":3241},"In this particular scenario these second and third detections serve as useful context for understanding the nature of the phishing attack. But both will still redirect to a blocking page if they are triggered in isolation of the other phishing detections. ",[],{},{"nodeType":1385,"data":3243,"content":3244},{},[],{"nodeType":1389,"data":3246,"content":3247},{},[3248],{"nodeType":1293,"value":3249,"marks":3250,"data":3251},"We don’t just stop phishing attacks",[],{},{"nodeType":1302,"data":3253,"content":3254},{},[3255,3259,3268],{"nodeType":1293,"value":3256,"marks":3257,"data":3258},"We also detect other identity-related attack techniques used to compromise user accounts. That includes credential stuffing, password spraying and session hijacking using stolen session tokens. If you want to learn more about how Push helps you to detect and defeat common identity attack techniques, ",[],{},{"nodeType":1351,"data":3260,"content":3262},{"uri":3261},"https://pushsecurity.com/demo/",[3263],{"nodeType":1293,"value":3264,"marks":3265,"data":3267},"book some time with one of our team",[3266],{"type":1371},{},{"nodeType":1293,"value":3269,"marks":3270,"data":3271},".  ",[],{},{"nodeType":1441,"data":3273,"content":3277},{"target":3274},{"sys":3275},{"id":3276,"type":1446,"linkType":1447},"2JSmYDaiAciOx7Z1MRuJlA",[],{"nodeType":1302,"data":3279,"content":3280},{},[3281],{"nodeType":1293,"value":37,"marks":3282,"data":3283},[],{},"Detecting and blocking phishing attacks in the browser","How Push detects and blocks phishing attempts in the browser – explained in less than two minutes. 
","2024-10-23T00:00:00.000Z","detecting-and-blocking-phishing-attacks-in-the-browser",{"items":3289},[3290,3292],{"sys":3291,"name":1314},{"id":1313},{"sys":3293,"name":1318},{"id":1317},{"items":3295},[3296],{"fullName":3297,"firstName":3298,"jobTitle":3299,"profilePicture":3300},"Alex Henshall","Alex","Product Team",{"url":3301},"https://images.ctfassets.net/y1cdw1ablpvd/2rz3Pre3b1MexPIQ4hzPUe/0ef8a092b7e7df00fbce3f7d1ccb96d1/Alex_Henshall.jpeg",{"items":3303},[3304],{"fullName":2958,"firstName":2959,"jobTitle":2960,"profilePicture":3305},{"url":2962},{"json":3307,"links":4595},{"nodeType":1303,"data":3308,"content":3309},{},[3310,3317,3324,3357,3364,3371,3374,3381,3399,3419,3426,3432,3450,3457,3481,3484,3491,3498,3505,3512,3519,3525,3543,3550,3553,3560,3567,3574,3581,3588,3636,3639,3645,3652,3658,3661,3667,3699,3719,3726,3732,3735,3742,3760,3780,3787,3840,3846,3849,3856,3863,3870,3945,3948,3955,3962,3969,3974,3977,3984,4003,4022,4038,4045,4048,4055,4062,4069,4076,4079,4086,4093,4100,4107,4110,4117,4124,4131,4137,4143,4146,4153,4160,4167,4173,4176,4183,4190,4197,4203,4206,4213,4220,4227,4233,4239,4246,4265,4272,4278,4285,4288,4295,4302,4309,4316,4319,4326,4333,4338,4341,4348,4355,4362,4394,4397,4404,4411,4429,4436,4443,4450,4456,4459,4466,4473,4493,4496,4502,4509,4562,4569,4576,4583,4589],{"nodeType":1302,"data":3311,"content":3312},{},[3313],{"nodeType":1293,"value":3314,"marks":3315,"data":3316},"Many organizations make use of a centralized managed identity provider (IdP) that they use as an SSO gateway, such as Microsoft Entra, Okta, Google Workspace etc. 
",[],{},{"nodeType":1302,"data":3318,"content":3319},{},[3320],{"nodeType":1293,"value":3321,"marks":3322,"data":3323},"In a perfect world, every account, on every business application, would be:",[],{},{"nodeType":1464,"data":3325,"content":3326},{},[3327,3337,3347],{"nodeType":1468,"data":3328,"content":3329},{},[3330],{"nodeType":1302,"data":3331,"content":3332},{},[3333],{"nodeType":1293,"value":3334,"marks":3335,"data":3336},"Accessed via SSO from an IdP account via SAML or OIDC protocols.",[],{},{"nodeType":1468,"data":3338,"content":3339},{},[3340],{"nodeType":1302,"data":3341,"content":3342},{},[3343],{"nodeType":1293,"value":3344,"marks":3345,"data":3346},"Protected by strong authentication controls such as phishing-resistant factors such as passkeys or Okta Fastpass.",[],{},{"nodeType":1468,"data":3348,"content":3349},{},[3350],{"nodeType":1302,"data":3351,"content":3352},{},[3353],{"nodeType":1293,"value":3354,"marks":3355,"data":3356},"Configured to provide strong centralized audit logging. ",[],{},{"nodeType":1302,"data":3358,"content":3359},{},[3360],{"nodeType":1293,"value":3361,"marks":3362,"data":3363},"This would in theory provide broad protection against identity attacks — there are no credentials to steal or be phished (even using modern AiTM phish kits) and the logging would provide threat hunting and incident response teams with a great data source for detection and response. ",[],{},{"nodeType":1302,"data":3365,"content":3366},{},[3367],{"nodeType":1293,"value":3368,"marks":3369,"data":3370},"But what if it were possible to compromise downstream SaaS applications directly and circumvent every single control we just outlined? No password needed, no MFA needed, no SSO audit logs — and all it took was the ability to phish a verification code from a target user. This is what is often possible using verification phishing when combined with cross-IdP impersonation. 
",[],{},{"nodeType":1385,"data":3372,"content":3373},{},[],{"nodeType":1389,"data":3375,"content":3376},{},[3377],{"nodeType":1293,"value":3378,"marks":3379,"data":3380},"What is cross-IdP impersonation?",[],{},{"nodeType":1302,"data":3382,"content":3383},{},[3384,3387,3395],{"nodeType":1293,"value":37,"marks":3385,"data":3386},[],{},{"nodeType":1351,"data":3388,"content":3389},{"uri":1353},[3390],{"nodeType":1293,"value":3391,"marks":3392,"data":3394},"Cross-IdP impersonation",[3393],{"type":1371},{},{"nodeType":1293,"value":3396,"marks":3397,"data":3398}," is when you authenticate to an application as a user but using a different IdP from the one used ordinarily by the target organization. Depending on the configuration of the target application, this can potentially allow very strict authentication controls to be either partially or completely circumvented. ",[],{},{"nodeType":1302,"data":3400,"content":3401},{},[3402,3406,3415],{"nodeType":1293,"value":3403,"marks":3404,"data":3405},"Let’s look at an example. Say an organization uses Microsoft Entra as their primary IdP. Their users have email addresses of ",[],{},{"nodeType":1351,"data":3407,"content":3409},{"uri":3408},"mailto:user@example.com",[3410],{"nodeType":1293,"value":3411,"marks":3412,"data":3414},"user@example.com",[3413],{"type":1371},{},{"nodeType":1293,"value":3416,"marks":3417,"data":3418},", they authenticate using strong MFA to Microsoft and then either SAML or OIDC login to their downstream applications. ",[],{},{"nodeType":1302,"data":3420,"content":3421},{},[3422],{"nodeType":1293,"value":3423,"marks":3424,"data":3425},"However, some of their downstream applications support many different login methods to support different customers, as is extremely common for SaaS vendors. 
Let’s say they are using the Atlassian suite of products, which support many different login methods as shown below:",[],{},{"nodeType":1441,"data":3427,"content":3431},{"target":3428},{"sys":3429},{"id":3430,"type":1446,"linkType":1447},"5tV8ypsY7V1P5VpVOeJXUO",[],{"nodeType":1302,"data":3433,"content":3434},{},[3435,3439,3446],{"nodeType":1293,"value":3436,"marks":3437,"data":3438},"The legitimate user normally clicks the Microsoft button to perform an OIDC social login. However, what happens if an attacker somehow gains access to an account with a different IdP using the target user’s email address? So they somehow gain access to ",[],{},{"nodeType":1351,"data":3440,"content":3441},{"uri":3408},[3442],{"nodeType":1293,"value":3411,"marks":3443,"data":3445},[3444],{"type":1371},{},{"nodeType":1293,"value":3447,"marks":3448,"data":3449}," as an account for Apple or Google. Then, in the default configuration of Atlassian, they can click the Apple or Google buttons and login directly to the downstream application without ever touching the organization’s secure Microsoft Entra tenant.",[],{},{"nodeType":1302,"data":3451,"content":3452},{},[3453],{"nodeType":1293,"value":3454,"marks":3455,"data":3456},"But how would an attacker gain access to an Apple or Google account anyway? Wouldn’t they have to authenticate using Microsoft to login to those services and so it becomes a circular problem? Well actually, no. In many cases, an organization won’t have accounts with other major IdPs and so those accounts don’t actually exist. 
",[],{},{"nodeType":1302,"data":3458,"content":3459},{},[3460,3464,3468,3472,3477],{"nodeType":1293,"value":3461,"marks":3462,"data":3463},"So rather than take over ",[],{},{"nodeType":1293,"value":1516,"marks":3465,"data":3467},[3466],{"type":1371},{},{"nodeType":1293,"value":3469,"marks":3470,"data":3471}," accounts, what if an attacker could somehow ",[],{},{"nodeType":1293,"value":3473,"marks":3474,"data":3476},"create",[3475],{"type":1371},{},{"nodeType":1293,"value":3478,"marks":3479,"data":3480}," a new one?",[],{},{"nodeType":1385,"data":3482,"content":3483},{},[],{"nodeType":1389,"data":3485,"content":3486},{},[3487],{"nodeType":1293,"value":3488,"marks":3489,"data":3490},"What is verification phishing?",[],{},{"nodeType":1302,"data":3492,"content":3493},{},[3494],{"nodeType":1293,"value":3495,"marks":3496,"data":3497},"The primary concern for most organizations is preventing attackers from gaining access to core business applications and data and, consequently, the identities that allow access to those applications and data — therefore, protecting IdP accounts used for SSO is a Tier-1 priority. ",[],{},{"nodeType":1302,"data":3499,"content":3500},{},[3501],{"nodeType":1293,"value":3502,"marks":3503,"data":3504},"However, preventing accounts being created on other applications they do not use, and therefore do not contain company data, is not a direct concern — unless legitimate users start using those applications and entering company data. This is normally only considered in the context of a shadow SaaS problem — an important, but very different, security issue.",[],{},{"nodeType":1302,"data":3506,"content":3507},{},[3508],{"nodeType":1293,"value":3509,"marks":3510,"data":3511},"For SaaS vendors though, unwanted and unverified signups can be a painful issue as they are often associated with spam or general misuse of their platforms. 
Therefore, it’s very common (but not universal) for SaaS vendors to require some basic verification steps for new accounts to raise the bar and prevent common abuse patterns — most commonly, this involves sending an email to the given address that asks the recipient either to click a link or to enter a verification code, confirming control of the address. ",[],{},{"nodeType":1302,"data":3513,"content":3514},{},[3515],{"nodeType":1293,"value":3516,"marks":3517,"data":3518},"For example, here’s what Google sends when creating a new Google account attached to an existing email address:",[],{},{"nodeType":1441,"data":3520,"content":3524},{"target":3521},{"sys":3522},{"id":3523,"type":1446,"linkType":1447},"4Smkx9soF6ob3W1BZaqy3P",[],{"nodeType":1302,"data":3526,"content":3527},{},[3528,3532,3539],{"nodeType":1293,"value":3529,"marks":3530,"data":3531},"So let’s say an attacker wants to register a new account as ",[],{},{"nodeType":1351,"data":3533,"content":3534},{"uri":3408},[3535],{"nodeType":1293,"value":3411,"marks":3536,"data":3538},[3537],{"type":1371},{},{"nodeType":1293,"value":3540,"marks":3541,"data":3542}," with an application that is not used by the target user (or even the target organization). What would they need to do? Well in many cases, they can create the account, set the password and any other details like MFA or phone number directly — all they need to do is convince the user to click the link in the verification email or supply the verification code included.",[],{},{"nodeType":1302,"data":3544,"content":3545},{},[3546],{"nodeType":1293,"value":3547,"marks":3548,"data":3549},"So that’s what verification phishing is: Using phishing, or some other form of social engineering, to convince a target user to verify an account. But how difficult is that? 
Well, actually, not very!",[],{},{"nodeType":1385,"data":3551,"content":3552},{},[],{"nodeType":1389,"data":3554,"content":3555},{},[3556],{"nodeType":1293,"value":3557,"marks":3558,"data":3559},"Verification phishing scenarios",[],{},{"nodeType":1302,"data":3561,"content":3562},{},[3563],{"nodeType":1293,"value":3564,"marks":3565,"data":3566},"No matter how hard we try to stop phishing with user awareness training and phishing simulations, phishing still succeeds to some extent.",[],{},{"nodeType":1302,"data":3568,"content":3569},{},[3570],{"nodeType":1293,"value":3571,"marks":3572,"data":3573},"Typically, we train users to be suspicious of clicking links in emails, to check the domains of any links carefully and to be especially careful when prompted for entering a password for an account they use.",[],{},{"nodeType":1302,"data":3575,"content":3576},{},[3577],{"nodeType":1293,"value":3578,"marks":3579,"data":3580},"But what are we asking our target users to do with verification phishing? Simply asking them to click a link, or supply a verification code, in an email from a legitimate address for an account they know does not exist — so from their perspective, what are they giving away? What’s the risk, really?",[],{},{"nodeType":1302,"data":3582,"content":3583},{},[3584],{"nodeType":1293,"value":3585,"marks":3586,"data":3587},"With a bit of clever thought behind the social engineering effort, we should see much higher success rates with verification phishing than with conventional password phishing. 
Let’s consider a few strategies that could be used, with differing sophistication levels:",[],{},{"nodeType":1464,"data":3589,"content":3590},{},[3591,3606,3621],{"nodeType":1468,"data":3592,"content":3593},{},[3594],{"nodeType":1302,"data":3595,"content":3596},{},[3597,3602],{"nodeType":1293,"value":3598,"marks":3599,"data":3601},"Pretext emails",[3600],{"type":1404},{},{"nodeType":1293,"value":3603,"marks":3604,"data":3605}," – a classic and simple email approach",[],{},{"nodeType":1468,"data":3607,"content":3608},{},[3609],{"nodeType":1302,"data":3610,"content":3611},{},[3612,3617],{"nodeType":1293,"value":3613,"marks":3614,"data":3616},"IM phishing",[3615],{"type":1404},{},{"nodeType":1293,"value":3618,"marks":3619,"data":3620}," – hands-on-keyboard social engineering effort but using IM",[],{},{"nodeType":1468,"data":3622,"content":3623},{},[3624],{"nodeType":1302,"data":3625,"content":3626},{},[3627,3632],{"nodeType":1293,"value":3628,"marks":3629,"data":3631},"AiTM verification phishing",[3630],{"type":1404},{},{"nodeType":1293,"value":3633,"marks":3634,"data":3635}," – a technically sophisticated approach requiring new tooling",[],{},{"nodeType":1385,"data":3637,"content":3638},{},[],{"nodeType":1397,"data":3640,"content":3641},{},[3642],{"nodeType":1293,"value":3598,"marks":3643,"data":3644},[],{},{"nodeType":1302,"data":3646,"content":3647},{},[3648],{"nodeType":1293,"value":3649,"marks":3650,"data":3651},"We could create a false pretext by emailing users ahead of time to be expecting the verification email and take advantage of the fact the incoming verification email will be from a legitimate address to create an additional sense of trust. 
We’ll use Google as an example in this case.",[],{},{"nodeType":1441,"data":3653,"content":3657},{"target":3654},{"sys":3655},{"id":3656,"type":1446,"linkType":1447},"4YQzNZOxyg7zGxCReAJonK",[],{"nodeType":1385,"data":3659,"content":3660},{},[],{"nodeType":1397,"data":3662,"content":3663},{},[3664],{"nodeType":1293,"value":3613,"marks":3665,"data":3666},[],{},{"nodeType":1302,"data":3668,"content":3669},{},[3670,3674,3683,3687,3696],{"nodeType":1293,"value":3671,"marks":3672,"data":3673},"IM phishing is a great way to conduct modern phishing attacks as users generally have more trust in IM platforms than email. Since the advent of Slack Connect and Teams external access, this has been possible as an external initial access vector too. If you’re interested in this technique in general, check out our previous posts on ",[],{},{"nodeType":1351,"data":3675,"content":3677},{"uri":3676},"https://pushsecurity.com/blog/slack-phishing-for-initial-access/",[3678],{"nodeType":1293,"value":3679,"marks":3680,"data":3682},"Slack phishing",[3681],{"type":1371},{},{"nodeType":1293,"value":3684,"marks":3685,"data":3686}," and ",[],{},{"nodeType":1351,"data":3688,"content":3690},{"uri":3689},"https://pushsecurity.com/blog/phishing-microsoft-teams-for-initial-access/",[3691],{"nodeType":1293,"value":3692,"marks":3693,"data":3695},"Teams phishing",[3694],{"type":1371},{},{"nodeType":1293,"value":2579,"marks":3697,"data":3698},[],{},{"nodeType":1302,"data":3700,"content":3701},{},[3702,3706,3715],{"nodeType":1293,"value":3703,"marks":3704,"data":3705},"It also has the advantage that the instant nature of it makes it great for building a social engineering pretext. This is more of a classic interactive social engineering effort over a new delivery vector (IM), than a single message or link-based phishing attack, and so is a more targeted attack strategy. 
It’s not too dissimilar from ",[],{},{"nodeType":1351,"data":3707,"content":3709},{"uri":3708},"https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/",[3710],{"nodeType":1293,"value":3711,"marks":3712,"data":3714},"strategies used by Scattered Spider to social engineer their way past MFA controls",[3713],{"type":1371},{},{"nodeType":1293,"value":3716,"marks":3717,"data":3718},", except they generally used phone and SMS delivery vectors. ",[],{},{"nodeType":1302,"data":3720,"content":3721},{},[3722],{"nodeType":1293,"value":3723,"marks":3724,"data":3725},"Consider the following exchange, and ask yourself how many users could fall for this strategy. I’ll play the victim myself this time and we’ll use Apple as an example.",[],{},{"nodeType":1441,"data":3727,"content":3731},{"target":3728},{"sys":3729},{"id":3730,"type":1446,"linkType":1447},"11A6zC4ZA6NRorrC5UCqUE",[],{"nodeType":1385,"data":3733,"content":3734},{},[],{"nodeType":1397,"data":3736,"content":3737},{},[3738],{"nodeType":1293,"value":3739,"marks":3740,"data":3741},"AiTM verification phishing ",[],{},{"nodeType":1302,"data":3743,"content":3744},{},[3745,3748,3756],{"nodeType":1293,"value":37,"marks":3746,"data":3747},[],{},{"nodeType":1351,"data":3749,"content":3750},{"uri":2571},[3751],{"nodeType":1293,"value":3752,"marks":3753,"data":3755},"AiTM phishing",[3754],{"type":1371},{},{"nodeType":1293,"value":3757,"marks":3758,"data":3759}," to bypass common SSO and MFA protections is now a commonly used technique by attackers, with a range of open-source and criminal tools implementing this in the wild. However, there is nothing stopping a similar approach being used to make verification phishing much more effective and scalable than it is currently. 
",[],{},{"nodeType":1302,"data":3761,"content":3762},{},[3763,3767,3776],{"nodeType":1293,"value":3764,"marks":3765,"data":3766},"If current AiTM tooling, such as the popular AiTM tool ",[],{},{"nodeType":1351,"data":3768,"content":3770},{"uri":3769},"https://github.com/kgretzky/evilginx2",[3771],{"nodeType":1293,"value":3772,"marks":3773,"data":3775},"Evilginx",[3774],{"type":1371},{},{"nodeType":1293,"value":3777,"marks":3778,"data":3779},", evolves to integrate this capability then it is likely to be by far the most effective verification phishing technique.",[],{},{"nodeType":1302,"data":3781,"content":3782},{},[3783],{"nodeType":1293,"value":3784,"marks":3785,"data":3786},"Consider the IM phishing example with Slack given above turned into an interactive website.  We would probably see the following steps occur:",[],{},{"nodeType":1464,"data":3788,"content":3789},{},[3790,3800,3810,3820,3830],{"nodeType":1468,"data":3791,"content":3792},{},[3793],{"nodeType":1302,"data":3794,"content":3795},{},[3796],{"nodeType":1293,"value":3797,"marks":3798,"data":3799},"Phishing email sent with a link asking the user to register if they would like to take part in the Apple device trial",[],{},{"nodeType":1468,"data":3801,"content":3802},{},[3803],{"nodeType":1302,"data":3804,"content":3805},{},[3806],{"nodeType":1293,"value":3807,"marks":3808,"data":3809},"User clicks link and is taken to a custom phishing website that informs them they will need to verify their email for an Apple account to be provisioned for their new device",[],{},{"nodeType":1468,"data":3811,"content":3812},{},[3813],{"nodeType":1302,"data":3814,"content":3815},{},[3816],{"nodeType":1293,"value":3817,"marks":3818,"data":3819},"User clicks a verification button and the AiTM tool automatically registers a new Apple account and prompts for the verification 
code",[],{},{"nodeType":1468,"data":3821,"content":3822},{},[3823],{"nodeType":1302,"data":3824,"content":3825},{},[3826],{"nodeType":1293,"value":3827,"marks":3828,"data":3829},"The target user sees the verification email from Apple arrive in their inbox and copies the code into the phishing website",[],{},{"nodeType":1468,"data":3831,"content":3832},{},[3833],{"nodeType":1302,"data":3834,"content":3835},{},[3836],{"nodeType":1293,"value":3837,"marks":3838,"data":3839},"The AiTM tool verifies the Apple account using the supplied code and the attack is complete",[],{},{"nodeType":1441,"data":3841,"content":3845},{"target":3842},{"sys":3843},{"id":3844,"type":1446,"linkType":1447},"5JP8lyDNKJf3P3XcbI83Bw",[],{"nodeType":1385,"data":3847,"content":3848},{},[],{"nodeType":1389,"data":3850,"content":3851},{},[3852],{"nodeType":1293,"value":3853,"marks":3854,"data":3855},"Putting it all together (with demo)",[],{},{"nodeType":1302,"data":3857,"content":3858},{},[3859],{"nodeType":1293,"value":3860,"marks":3861,"data":3862},"Now that we’re familiar with cross-IdP impersonation and verification phishing, let’s consider what a full attack chain looks like and what the impact is. ",[],{},{"nodeType":1302,"data":3864,"content":3865},{},[3866],{"nodeType":1293,"value":3867,"marks":3868,"data":3869},"In doing so, we’ll consider an organization that uses Microsoft Entra as their SSO with strong phishing-resistant MFA and logging and an example downstream SaaS app being Atlassian, which is accessed using a Microsoft social login for SSO. 
",[],{},{"nodeType":1464,"data":3871,"content":3872},{},[3873,3894,3904,3914,3935],{"nodeType":1468,"data":3874,"content":3875},{},[3876],{"nodeType":1302,"data":3877,"content":3878},{},[3879,3883,3890],{"nodeType":1293,"value":3880,"marks":3881,"data":3882},"Attacker registers for an IdP account, such as an Apple account with ",[],{},{"nodeType":1351,"data":3884,"content":3885},{"uri":3408},[3886],{"nodeType":1293,"value":3411,"marks":3887,"data":3889},[3888],{"type":1371},{},{"nodeType":1293,"value":3891,"marks":3892,"data":3893}," and sets a password",[],{},{"nodeType":1468,"data":3895,"content":3896},{},[3897],{"nodeType":1302,"data":3898,"content":3899},{},[3900],{"nodeType":1293,"value":3901,"marks":3902,"data":3903},"Attacker begins the verification phishing process and convinces a user to supply the verification code",[],{},{"nodeType":1468,"data":3905,"content":3906},{},[3907],{"nodeType":1302,"data":3908,"content":3909},{},[3910],{"nodeType":1293,"value":3911,"marks":3912,"data":3913},"Attacker verifies their newly created Apple account using the verification code",[],{},{"nodeType":1468,"data":3915,"content":3916},{},[3917],{"nodeType":1302,"data":3918,"content":3919},{},[3920,3924,3931],{"nodeType":1293,"value":3921,"marks":3922,"data":3923},"Attacker logs in to Atlassian using “Login with Apple” as ",[],{},{"nodeType":1351,"data":3925,"content":3926},{"uri":3408},[3927],{"nodeType":1293,"value":3411,"marks":3928,"data":3930},[3929],{"type":1371},{},{"nodeType":1293,"value":3932,"marks":3933,"data":3934},", without having to know the user’s password or MFA factors",[],{},{"nodeType":1468,"data":3936,"content":3937},{},[3938],{"nodeType":1302,"data":3939,"content":3940},{},[3941],{"nodeType":1293,"value":3942,"marks":3943,"data":3944},"There are no logs generated in Microsoft to show an SSO login to Atlassian was made as it happened via the attacker’s Apple account – the only logs would be within Atlassian 
itself",[],{},{"nodeType":1385,"data":3946,"content":3947},{},[],{"nodeType":1397,"data":3949,"content":3950},{},[3951],{"nodeType":1293,"value":3952,"marks":3953,"data":3954},"Cross-IdP impersonation attack demo",[],{},{"nodeType":1302,"data":3956,"content":3957},{},[3958],{"nodeType":1293,"value":3959,"marks":3960,"data":3961},"At this point, there’s no better way to demonstrate the attack than to show it. The following narrated video shows cross-IdP impersonation in action to compromise an Atlassian account that is normally accessed using a Microsoft Entra account for SSO that is strongly protected with passkeys. ",[],{},{"nodeType":1302,"data":3963,"content":3964},{},[3965],{"nodeType":1293,"value":3966,"marks":3967,"data":3968},"For the purposes of this demo, we assume some form of successful verification phishing is performed and focus on demonstrating the cross-IdP impersonation aspect.",[],{},{"nodeType":1441,"data":3970,"content":3973},{"target":3971},{"sys":3972},{"id":2218,"type":1446,"linkType":1447},[],{"nodeType":1385,"data":3975,"content":3976},{},[],{"nodeType":1389,"data":3978,"content":3979},{},[3980],{"nodeType":1293,"value":3981,"marks":3982,"data":3983},"It doesn't stop there: cross-IdP impersonation for persistence",[],{},{"nodeType":1302,"data":3985,"content":3986},{},[3987,3991,3999],{"nodeType":1293,"value":3988,"marks":3989,"data":3990},"The problems with cross-IdP impersonation don’t stop at the initial access layer. Consider an attacker who has gained temporary control of an SSO user account, or email inbox, through some other means and is looking to maintain access. Perhaps they have used an ",[],{},{"nodeType":1351,"data":3992,"content":3993},{"uri":2571},[3994],{"nodeType":1293,"value":3995,"marks":3996,"data":3998},"AiTM phishing attack",[3997],{"type":1371},{},{"nodeType":1293,"value":4000,"marks":4001,"data":4002}," to compromise the user’s core SSO identity. 
",[],{},{"nodeType":1302,"data":4004,"content":4005},{},[4006,4010,4018],{"nodeType":1293,"value":4007,"marks":4008,"data":4009},"A common method for achieving this is to create ",[],{},{"nodeType":1351,"data":4011,"content":4013},{"uri":4012},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/ghost_logins/description.md",[4014],{"nodeType":1293,"value":1368,"marks":4015,"data":4017},[4016],{"type":1371},{},{"nodeType":1293,"value":4019,"marks":4020,"data":4021}," on downstream SaaS applications. This depends on what each application supports but it can involve connecting secondary email addresses, connecting separate social accounts, creating API keys or any method that allows a different way to authenticate to the application. These allow the attacker to maintain their access to those applications even if their access to the core SSO identity for the user is revoked. The downside is that it has to be performed on a per-application basis.",[],{},{"nodeType":1302,"data":4023,"content":4024},{},[4025,4029,4034],{"nodeType":1293,"value":4026,"marks":4027,"data":4028},"However, ",[],{},{"nodeType":1293,"value":4030,"marks":4031,"data":4033},"cross-IdP impersonation is arguably the most powerful ghost login method available",[4032],{"type":1404},{},{"nodeType":1293,"value":4035,"marks":4036,"data":4037},". If you already have access to a user’s email inbox through another attack then there is no need to perform verification phishing. 
Simply register an account with Google/Apple/LinkedIn/X/GitHub or any other major IdP using the email address you have control over, verifying the accounts, and then deleting the email evidence.",[],{},{"nodeType":1302,"data":4039,"content":4040},{},[4041],{"nodeType":1293,"value":4042,"marks":4043,"data":4044},"An attacker who does this will then maintain the ability to login to any downstream SaaS applications that support any of those login methods without additional verification steps — even if original SSO/email compromise efforts are discovered and contained. In effect, a single persistence technique could potentially maintain access to a range of different downstream applications. ",[],{},{"nodeType":1385,"data":4046,"content":4047},{},[],{"nodeType":1389,"data":4049,"content":4050},{},[4051],{"nodeType":1293,"value":4052,"marks":4053,"data":4054},"Why (and when) is this attack possible?",[],{},{"nodeType":1302,"data":4056,"content":4057},{},[4058],{"nodeType":1293,"value":4059,"marks":4060,"data":4061},"Most SaaS applications support a range of different authentication methods to provide flexibility for the wide range of customers they have and generally make it as simple to sign up as possible — a consequence of product-led growth marketing strategies.",[],{},{"nodeType":1302,"data":4063,"content":4064},{},[4065],{"nodeType":1293,"value":4066,"marks":4067,"data":4068},"Using more secure, locked-down authentication methods is often left as a task for the administrators of a given customer’s tenant. However, when hundreds of SaaS apps are in use, this doesn’t always happen — maybe the app was self-adopted by a specific team and the security team doesn’t know about it, or they simply haven’t gotten around to it. ",[],{},{"nodeType":1302,"data":4070,"content":4071},{},[4072],{"nodeType":1293,"value":4073,"marks":4074,"data":4075},"There are far too many applications out there to provide an exhaustive list of what configurations and behaviors are available. 
Instead, I’ll provide some examples of the different types of controls/configuration you may encounter that can help or hinder this attack technique.",[],{},{"nodeType":1385,"data":4077,"content":4078},{},[],{"nodeType":1397,"data":4080,"content":4081},{},[4082],{"nodeType":1293,"value":4083,"marks":4084,"data":4085},"1) Default allow",[],{},{"nodeType":1302,"data":4087,"content":4088},{},[4089],{"nodeType":1293,"value":4090,"marks":4091,"data":4092},"This is the primary vulnerable case like we have seen with the Atlassian example in this article. Once you have created an account on an application then all other sign-in methods are available by default, making it a prime target for cross-IdP impersonation. ",[],{},{"nodeType":1302,"data":4094,"content":4095},{},[4096],{"nodeType":1293,"value":4097,"marks":4098,"data":4099},"An important caveat here is this is not a case of Atlassian being uniquely vulnerable. This is a widespread issue with many SaaS apps behaving this way by default. We just used Atlassian as an example because it’s a particularly popular app. ",[],{},{"nodeType":1302,"data":4101,"content":4102},{},[4103],{"nodeType":1293,"value":4104,"marks":4105,"data":4106},"This also doesn’t mean you have to accept this limitation. It’s often possible to disable other methods, but it requires that app administrators proactively take that step. For example, Atlassian allows third-party logins to be disabled entirely, and more advanced control of authentication options is possible using the Atlassian Guard product too. 
(See the section on configurable controls, below.)",[],{},{"nodeType":1385,"data":4108,"content":4109},{},[],{"nodeType":1397,"data":4111,"content":4112},{},[4113],{"nodeType":1293,"value":4114,"marks":4115,"data":4116},"2) Email verification",[],{},{"nodeType":1302,"data":4118,"content":4119},{},[4120],{"nodeType":1293,"value":4121,"marks":4122,"data":4123},"Some applications will require their own email verification when a new login method is used. This does not completely prevent the issue, as it’s possible to perform verification phishing of this too, but it’s definitely a mitigating factor that makes an attacker’s life more difficult.",[],{},{"nodeType":1302,"data":4125,"content":4126},{},[4127],{"nodeType":1293,"value":4128,"marks":4129,"data":4130},"The following screenshots show how this works for Adobe as an example. When logging in with a Google account in this case, it prompts for a verification code from email in order to connect the Google account to the pre-existing Adobe account.",[],{},{"nodeType":1441,"data":4132,"content":4136},{"target":4133},{"sys":4134},{"id":4135,"type":1446,"linkType":1447},"92VAmeVKmQ3FWSwSP3mHv",[],{"nodeType":1441,"data":4138,"content":4142},{"target":4139},{"sys":4140},{"id":4141,"type":1446,"linkType":1447},"6UqNnTdjZxisCUA7Q2gZWQ",[],{"nodeType":1385,"data":4144,"content":4145},{},[],{"nodeType":1397,"data":4147,"content":4148},{},[4149],{"nodeType":1293,"value":4150,"marks":4151,"data":4152},"3) Device Verification",[],{},{"nodeType":1302,"data":4154,"content":4155},{},[4156],{"nodeType":1293,"value":4157,"marks":4158,"data":4159},"Some applications will treat any login from a new device (typically a new browser without a specific cookie set) as requiring a verification code from the linked email account. 
Again, this isn’t full protection as it still allows a second verification phishing attack, but it is a significant mitigating factor.",[],{},{"nodeType":1302,"data":4161,"content":4162},{},[4163],{"nodeType":1293,"value":4164,"marks":4165,"data":4166},"An example of this with HubSpot is shown below:",[],{},{"nodeType":1441,"data":4168,"content":4172},{"target":4169},{"sys":4170},{"id":4171,"type":1446,"linkType":1447},"4QcTjWAgv4w0LSqxXTw2CT",[],{"nodeType":1385,"data":4174,"content":4175},{},[],{"nodeType":1397,"data":4177,"content":4178},{},[4179],{"nodeType":1293,"value":4180,"marks":4181,"data":4182},"4) Pinned authentication",[],{},{"nodeType":1302,"data":4184,"content":4185},{},[4186],{"nodeType":1293,"value":4187,"marks":4188,"data":4189},"This is probably the most effective default control that some SaaS apps implement. Once an account has been created, the original authentication method is pinned as being the only acceptable authentication method. Authenticating using a different method will produce an error that cannot be circumvented without using the original authentication method first.",[],{},{"nodeType":1302,"data":4191,"content":4192},{},[4193],{"nodeType":1293,"value":4194,"marks":4195,"data":4196},"We can see an example of this with Mailchimp below, where we can see after a successful authentication with our malicious Google account we receive an error to indicate that the account is not connected to Google and the original credentials must be used instead.",[],{},{"nodeType":1441,"data":4198,"content":4202},{"target":4199},{"sys":4200},{"id":4201,"type":1446,"linkType":1447},"27b5V0Pmguo4rpwwHHSO7v",[],{"nodeType":1385,"data":4204,"content":4205},{},[],{"nodeType":1397,"data":4207,"content":4208},{},[4209],{"nodeType":1293,"value":4210,"marks":4211,"data":4212},"5) Configurable controls",[],{},{"nodeType":1302,"data":4214,"content":4215},{},[4216],{"nodeType":1293,"value":4217,"marks":4218,"data":4219},"Many SaaS applications, even if they have 
no controls in place by default, allow administrators to lock the configuration down if they want to. For example, all supported authentication methods may work by default but it may be possible to disable these individually to ensure only the intended authentication method is possible.",[],{},{"nodeType":1302,"data":4221,"content":4222},{},[4223],{"nodeType":1293,"value":4224,"marks":4225,"data":4226},"For example, in the case of the Atlassian example we used earlier, it’s possible to disable third-party logins entirely in a basic subscription. More advanced controls over authentication are available using a separate Atlassian Guard subscription:",[],{},{"nodeType":1441,"data":4228,"content":4232},{"target":4229},{"sys":4230},{"id":4231,"type":1446,"linkType":1447},"7JA8XMaUJsMcvqsQOLUTVQ",[],{"nodeType":1441,"data":4234,"content":4238},{"target":4235},{"sys":4236},{"id":4237,"type":1446,"linkType":1447},"29n6vvFCjz3s667ESNdgW5",[],{"nodeType":1302,"data":4240,"content":4241},{},[4242],{"nodeType":1293,"value":4243,"marks":4244,"data":4245},"To give another example, a default Datadog instance may allow Google logins and so be vulnerable to cross-IdP impersonation if password logins or SAML-based SSO logins are normally used. However, an administrator can disable Google logins across the entire organization or on a per-user basis if they wish. ",[],{},{"nodeType":1302,"data":4247,"content":4248},{},[4249,4253,4262],{"nodeType":1293,"value":4250,"marks":4251,"data":4252},"Alternatively, if an administrator disables both Google and password-based logins then only SAML-based logins will be allowed. 
Datadog refers to this as ",[],{},{"nodeType":1351,"data":4254,"content":4256},{"uri":4255},"https://docs.datadoghq.com/account_management/saml/",[4257],{"nodeType":1293,"value":4258,"marks":4259,"data":4261},"‘SAML strict’",[4260],{"type":1371},{},{"nodeType":1293,"value":1595,"marks":4263,"data":4264},[],{},{"nodeType":1302,"data":4266,"content":4267},{},[4268],{"nodeType":1293,"value":4269,"marks":4270,"data":4271},"This functionality is available without any separate subscriptions:",[],{},{"nodeType":1441,"data":4273,"content":4277},{"target":4274},{"sys":4275},{"id":4276,"type":1446,"linkType":1447},"5RMHXJpjSgnZJJx8uf3214",[],{"nodeType":1302,"data":4279,"content":4280},{},[4281],{"nodeType":1293,"value":4282,"marks":4283,"data":4284},"To give credit where it’s due, it’s worth noting that the examples we’ve used in this blog post offer ways of mitigating this attack – but this isn’t always the case. Many more apps don’t offer this kind of in-app control, leaving customers exposed.  ",[],{},{"nodeType":1385,"data":4286,"content":4287},{},[],{"nodeType":1389,"data":4289,"content":4290},{},[4291],{"nodeType":1293,"value":4292,"marks":4293,"data":4294},"What steps can SaaS customers take to protect against this threat?",[],{},{"nodeType":1302,"data":4296,"content":4297},{},[4298],{"nodeType":1293,"value":4299,"marks":4300,"data":4301},"In an ideal world, all SaaS vendors would only support the strongest authentication methods available, default to pinning authentication to the first method used for an account, and allow administrators to flexibly configure authentication rules where required. ",[],{},{"nodeType":1302,"data":4303,"content":4304},{},[4305],{"nodeType":1293,"value":4306,"marks":4307,"data":4308},"But we don’t live in an ideal world. Many SaaS apps don’t even support SSO and the overwhelming majority of them default to single-factor authentication when users sign up. 
So how can the average organizations stop their strong SSO controls from being bypassed using cross-IdP impersonation and verification phishing?",[],{},{"nodeType":1302,"data":4310,"content":4311},{},[4312],{"nodeType":1293,"value":4313,"marks":4314,"data":4315},"Luckily, there are some pragmatic options to significantly increase resilience to these attacks.",[],{},{"nodeType":1385,"data":4317,"content":4318},{},[],{"nodeType":1397,"data":4320,"content":4321},{},[4322],{"nodeType":1293,"value":4323,"marks":4324,"data":4325},"Lock your domain with other IdPs",[],{},{"nodeType":1302,"data":4327,"content":4328},{},[4329],{"nodeType":1293,"value":4330,"marks":4331,"data":4332},"Some IdPs allow you to register and lock your domain with them in order to prevent the creation of personal accounts with them. Apple is one example where you can lock your domain using Apple Business Manager. Maybe you aren’t an Apple user as an organization overall but you want to make sure nobody can create Apple accounts on your domain. Well, you can use this feature to entirely prevent this threat! (For Apple, at least.)",[],{},{"nodeType":1441,"data":4334,"content":4337},{"target":4335},{"sys":4336},{"id":2186,"type":1446,"linkType":1447},[],{"nodeType":1385,"data":4339,"content":4340},{},[],{"nodeType":1397,"data":4342,"content":4343},{},[4344],{"nodeType":1293,"value":4345,"marks":4346,"data":4347},"Create detection rules for verification emails from IdP vendors",[],{},{"nodeType":1302,"data":4349,"content":4350},{},[4351],{"nodeType":1293,"value":4352,"marks":4353,"data":4354},"There are a relatively small number of IdPs that account for the overwhelming majority of social login methods that can be used across a larger number of SaaS apps and the verification emails they send come from predictable addresses with predictable subjects and body formats.  
",[],{},{"nodeType":1302,"data":4356,"content":4357},{},[4358],{"nodeType":1293,"value":4359,"marks":4360,"data":4361},"Your threat hunting teams can create detection rules for this so you are alerted any time a verification request is made on a different IdP vendor. Whether this is from verification phishing, persistence mechanisms or just legitimate users creating shadow SaaS identities, it’s very easy for you to find out about it and then take actions accordingly.",[],{},{"nodeType":1302,"data":4363,"content":4364},{},[4365,4369,4378,4382,4390],{"nodeType":1293,"value":4366,"marks":4367,"data":4368},"Our friends at ",[],{},{"nodeType":1351,"data":4370,"content":4372},{"uri":4371},"https://sublime.security/",[4373],{"nodeType":1293,"value":4374,"marks":4375,"data":4377},"Sublime Security",[4376],{"type":1371},{},{"nodeType":1293,"value":4379,"marks":4380,"data":4381}," don't miss a beat, and have already ",[],{},{"nodeType":1351,"data":4383,"content":4385},{"uri":4384},"https://github.com/sublime-security/sublime-rules/blob/8f8ef92f605f1bd87197315939beb0035c28869f/discovery-rules/new_account_verification_code.yml",[4386],{"nodeType":1293,"value":4387,"marks":4388,"data":4389},"released a detection rule",[],{},{"nodeType":1293,"value":4391,"marks":4392,"data":4393}," for this, allowing you to alert on new account creation emails for Apple, GitHub, Microsoft, Google, and Slack.",[],{},{"nodeType":1385,"data":4395,"content":4396},{},[],{"nodeType":1397,"data":4398,"content":4399},{},[4400],{"nodeType":1293,"value":4401,"marks":4402,"data":4403},"Audit your SaaS applications for susceptibility to cross-IdP impersonation",[],{},{"nodeType":1302,"data":4405,"content":4406},{},[4407],{"nodeType":1293,"value":4408,"marks":4409,"data":4410},"Ok, this one is more work, as you might have hundreds of SaaS applications in use overall. It’s better to start with a shortlist of the most widely used and sensitive applications (you’re probably looking at 10 to 20 apps). 
",[],{},{"nodeType":1302,"data":4412,"content":4413},{},[4414,4418,4425],{"nodeType":1293,"value":4415,"marks":4416,"data":4417},"Discovering all the applications in use across your organization and the login methods used to access them is the first part of the problem. It’s also common for multiple login methods to be in use for the same application, a problem known as ",[],{},{"nodeType":1351,"data":4419,"content":4420},{"uri":1365},[4421],{"nodeType":1293,"value":1368,"marks":4422,"data":4424},[4423],{"type":1371},{},{"nodeType":1293,"value":4426,"marks":4427,"data":4428},". When you factor in how tricky it is to collect information on application accounts and login methods, and the mixed controls available to enforce the desired configuration in-app, this step is actually much harder than it sounds.",[],{},{"nodeType":1302,"data":4430,"content":4431},{},[4432],{"nodeType":1293,"value":4433,"marks":4434,"data":4435},"Once you have a list of applications, have your security teams create accounts with other IdPs and then see which of your SaaS applications allow them to log in with cross-IdP impersonation, or otherwise which of the controls listed previously apply (e.g. email verification, device verification, pinned authentication, etc.).",[],{},{"nodeType":1302,"data":4437,"content":4438},{},[4439],{"nodeType":1293,"value":4440,"marks":4441,"data":4442},"Depending on the results of this, you can reduce vulnerability on an app-by-app basis. Where apps allow it through configuration, have the application owners configure your tenant to restrict authentication options. 
",[],{},{"nodeType":1302,"data":4444,"content":4445},{},[4446],{"nodeType":1293,"value":4447,"marks":4448,"data":4449},"And if you find an application that does not support this feature, then pressure the vendor with a feature request, the same as you might for a vendor that doesn’t support SSO.",[],{},{"nodeType":1441,"data":4451,"content":4455},{"target":4452},{"sys":4453},{"id":4454,"type":1446,"linkType":1447},"6lsemiR9tRQ1eOPOh3rtfc",[],{"nodeType":1385,"data":4457,"content":4458},{},[],{"nodeType":1397,"data":4460,"content":4461},{},[4462],{"nodeType":1293,"value":4463,"marks":4464,"data":4465},"Ask your red teams to add this technique to their attack simulations",[],{},{"nodeType":1302,"data":4467,"content":4468},{},[4469],{"nodeType":1293,"value":4470,"marks":4471,"data":4472},"Whether using internal or external red teams, proper adversarial simulation is key to understanding the realistic vulnerability of your organization to a range of attack scenarios. Next time you have a red team operation planned, ask them if they can attempt cross-IdP impersonation and verification phishing as part of an end-to-end attack chain to assess your vulnerability and detection and response controls appropriately. ",[],{},{"nodeType":1302,"data":4474,"content":4475},{},[4476,4480,4489],{"nodeType":1293,"value":4477,"marks":4478,"data":4479},"In fact, you should probably be asking them to put a huge focus on identity attacks in general. 
Ask them if they can use the ",[],{},{"nodeType":1351,"data":4481,"content":4483},{"uri":4482},"https://github.com/pushsecurity/saas-attacks",[4484],{"nodeType":1293,"value":4485,"marks":4486,"data":4488},"open-source SaaS attacks matrix ",[4487],{"type":1371},{},{"nodeType":1293,"value":4490,"marks":4491,"data":4492},"as a basis for an identity attack focused red team operation.",[],{},{"nodeType":1385,"data":4494,"content":4495},{},[],{"nodeType":1389,"data":4497,"content":4498},{},[4499],{"nodeType":1293,"value":2869,"marks":4500,"data":4501},[],{},{"nodeType":1302,"data":4503,"content":4504},{},[4505],{"nodeType":1293,"value":4506,"marks":4507,"data":4508},"We’ve seen how cross-IdP impersonation enables SaaS applications to be accessed using accounts outside the control of an organization and thus bypassing all controls enforced by SSO, such as:",[],{},{"nodeType":1464,"data":4510,"content":4511},{},[4512,4522,4532,4542,4552],{"nodeType":1468,"data":4513,"content":4514},{},[4515],{"nodeType":1302,"data":4516,"content":4517},{},[4518],{"nodeType":1293,"value":4519,"marks":4520,"data":4521},"Strong password requirements",[],{},{"nodeType":1468,"data":4523,"content":4524},{},[4525],{"nodeType":1302,"data":4526,"content":4527},{},[4528],{"nodeType":1293,"value":4529,"marks":4530,"data":4531},"MFA",[],{},{"nodeType":1468,"data":4533,"content":4534},{},[4535],{"nodeType":1302,"data":4536,"content":4537},{},[4538],{"nodeType":1293,"value":4539,"marks":4540,"data":4541},"Phishing-resistant authentication e.g. 
passkeys or Okta Fastpass",[],{},{"nodeType":1468,"data":4543,"content":4544},{},[4545],{"nodeType":1302,"data":4546,"content":4547},{},[4548],{"nodeType":1293,"value":4549,"marks":4550,"data":4551},"IP/Location restrictions",[],{},{"nodeType":1468,"data":4553,"content":4554},{},[4555],{"nodeType":1302,"data":4556,"content":4557},{},[4558],{"nodeType":1293,"value":4559,"marks":4560,"data":4561},"Authentication logs",[],{},{"nodeType":1302,"data":4563,"content":4564},{},[4565],{"nodeType":1293,"value":4566,"marks":4567,"data":4568},"During the initial access phase of an attack, combining cross-IdP impersonation with verification phishing can allow external attackers to gain permanent access to a range of downstream SaaS applications through the compromise of a single verification code, even if they are normally protected by a rock-solid SSO implementation.",[],{},{"nodeType":1302,"data":4570,"content":4571},{},[4572],{"nodeType":1293,"value":4573,"marks":4574,"data":4575},"During the persistence phase of a compromise, an attacker can utilize cross-IdP impersonation as an extremely powerful ghost login method in order to maintain access to a range of SaaS applications through a single mechanism, even if containment exercises later remove their access to the original SSO account or email inbox they compromised.",[],{},{"nodeType":1302,"data":4577,"content":4578},{},[4579],{"nodeType":1293,"value":4580,"marks":4581,"data":4582},"It is extremely important that organizations understand the threat these attacks pose, evaluate their vulnerability to these attacks and implement the prevention and detection controls provided above accordingly. 
",[],{},{"nodeType":1441,"data":4584,"content":4588},{"target":4585},{"sys":4586},{"id":4587,"type":1446,"linkType":1447},"3j4TX3jabfyWrhlXjo8ZHX",[],{"nodeType":1302,"data":4590,"content":4591},{},[4592],{"nodeType":1293,"value":37,"marks":4593,"data":4594},[],{},{"entries":4596},{"hyperlink":4597,"inline":4598,"block":4599},[],[],[4600,4608,4615,4622,4629,4637,4646,4654,4659,4665,4670,4676,4683,4690,4697,4703],{"sys":4601,"__typename":4602,"title":4603,"caption":4603,"layoutMode":118,"file":4604},{"id":3430},"Image","Default Atlassian login page showing the range of social login methods available",{"url":4605,"width":4606,"height":4607},"https://images.ctfassets.net/y1cdw1ablpvd/7G7oxoeV5vQNAbOrjs7LWh/fc4570accb729c55c23186db302cd0f9/image10.png",397,516,{"sys":4609,"__typename":4602,"title":4610,"caption":4610,"layoutMode":118,"file":4611},{"id":3523},"Google email verification example",{"url":4612,"width":4613,"height":4614},"https://images.ctfassets.net/y1cdw1ablpvd/1j2a1rr1xZJs4jhgUMphQc/9b8e23fa928f15873b8cffed1cd7421e/image8.png",852,776,{"sys":4616,"__typename":4602,"title":4617,"caption":4617,"layoutMode":118,"file":4618},{"id":3656},"Pretext email example to perform verification phishing",{"url":4619,"width":4620,"height":4621},"https://images.ctfassets.net/y1cdw1ablpvd/6tHP6GZWFDK38IMQHMWI5B/090ed3f69bf0479afde71001c13d8141/image3__1_.png",560,720,{"sys":4623,"__typename":4602,"title":4624,"caption":4624,"layoutMode":118,"file":4625},{"id":3730},"Slack social engineering example for verification phishing",{"url":4626,"width":4627,"height":4628},"https://images.ctfassets.net/y1cdw1ablpvd/1JFyQPB1Gk1HPCKxhh7Eus/e0a7c69d12e1374c0a3761a0b00eefce/image6.png",818,652,{"sys":4630,"__typename":4631,"type":4632,"ctaText":4633,"buttonLabel":4634,"buttonColour":4635,"buttonUrl":4636},{"id":3844},"CtaWidget","Custom","Want to learn more about why AiTM attacks are so successful? 
Register for our webinar on Dec 5th to find out how phishing toolkits are getting through your detection controls.","Register Now","sea blue","https://pushsecurity.com/webinar/phish-kit-teardown",{"sys":4638,"__typename":4639,"title":4640,"youTubeUrl":4641,"imagePlaceholder":4642},{"id":2218},"ExternalVideo","Verification Phishing & Cross-IdP Impersonation Demo","https://www.youtube.com/watch?v=53JMEmZV6ck",{"url":4643,"width":4644,"height":4645},"https://images.ctfassets.net/y1cdw1ablpvd/KXQAXbpFMRJprAkzoKhtx/ac370fb92687122022e753120bb7cb47/Slide_Front_Cover__20_.png",1920,1080,{"sys":4647,"__typename":4602,"title":4648,"caption":4649,"layoutMode":118,"file":4650},{"id":4135},"Adobe Google account linking and verification","Adobe Google account linking and verification (1)",{"url":4651,"width":4652,"height":4653},"https://images.ctfassets.net/y1cdw1ablpvd/3KeKxlgHPx3H2TbBd8WfQ1/ae1bdb07d43eaef106b74cd23752fbcf/image4.png",1436,900,{"sys":4655,"__typename":4602,"title":4656,"caption":4656,"layoutMode":118,"file":4657},{"id":4141},"Adobe Google account linking and verification (2)",{"url":4658,"width":4652,"height":4653},"https://images.ctfassets.net/y1cdw1ablpvd/6YVMDFtLttuF8E4g88G4la/b7dc3a4e37f5dd39c36ee739700e7048/image1.png",{"sys":4660,"__typename":4602,"title":4661,"caption":4661,"layoutMode":118,"file":4662},{"id":4171},"HubSpot unrecognized device email verification",{"url":4663,"width":4652,"height":4664},"https://images.ctfassets.net/y1cdw1ablpvd/1S8swPaBQ9K8PzU81NTphI/69bf04d6084e7df74b47f211d935d271/image7.png",824,{"sys":4666,"__typename":4602,"title":4667,"caption":4667,"layoutMode":118,"file":4668},{"id":4201},"Mailchimp pinned authentication requiring original login method",{"url":4669,"width":4652,"height":4653},"https://images.ctfassets.net/y1cdw1ablpvd/1fNIa9cZywrQ9CxuuZkWUA/b344fa67a49acb7f8fcd015517a4fc87/image11.png",{"sys":4671,"__typename":4602,"title":4672,"caption":4672,"layoutMode":118,"file":4673},{"id":4231},"Basic Atlassian 
authentication policies allowing third-party logins to be disabled",{"url":4674,"width":4675,"height":4653},"https://images.ctfassets.net/y1cdw1ablpvd/1SlxwxNhriIrLHho1acSsJ/99e99d1ec5445286fd42692a9d4772de/image12.png",1475,{"sys":4677,"__typename":4602,"title":4678,"caption":4678,"layoutMode":118,"file":4679},{"id":4237},"Atlassian Guard allows more advanced controls, including enforced SSO",{"url":4680,"width":4681,"height":4682},"https://images.ctfassets.net/y1cdw1ablpvd/716nNbqfT1A0xtWQPaFqp/e64839cb4c1eed8dcfe4d7460063fc53/image9.png",434,471,{"sys":4684,"__typename":4602,"title":4685,"caption":4685,"layoutMode":118,"file":4686},{"id":4276},"Datadog administrative screen for enabling/disabling login methods",{"url":4687,"width":4688,"height":4689},"https://images.ctfassets.net/y1cdw1ablpvd/4wwOBe1ojQ0noPXv1aWU8Q/df962016e42277e46454acd38baabef1/image5.png",935,620,{"sys":4691,"__typename":4602,"title":4692,"caption":4692,"layoutMode":118,"file":4693},{"id":2186},"Apple business manager update providing more options to manage verified domains",{"url":4694,"width":4695,"height":4696},"https://images.ctfassets.net/y1cdw1ablpvd/3NH2d6WMqAmPfrPMQas4e0/35676fdc69d7e91c3c1dd163fe3ff51d/image2.png",1394,942,{"sys":4698,"__typename":4631,"type":4699,"ctaText":4700,"buttonLabel":4701,"buttonColour":4702,"buttonUrl":3261},{"id":4454},"Demo","See how Push helps you to find and fix vulnerable identities at-scale, by identifying applications, login methods, and insecure configurations","Book Demo","sunny orange",{"sys":4704,"__typename":4631,"type":4632,"ctaText":4705,"buttonLabel":4706,"buttonColour":4635,"buttonUrl":4707},{"id":4587},"To read more about Cross-IdP impersonation and examples in the wild, check out this blog post","Read 
Blog","https://pushsecurity.com/blog/cross-idp-impersonation/","content:blog:a-new-class-of-phishing-verification-phishing-and-cross-idp-impersonation.json","json","content","blog/a-new-class-of-phishing-verification-phishing-and-cross-idp-impersonation.json","blog/a-new-class-of-phishing-verification-phishing-and-cross-idp-impersonation",1776359986873]