[{"data":1,"prerenderedAt":4155},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":95,"navbar-about-highlight":155,"navbar-resource-highlight":211,"use-case-page":256,"blog/an-investigation-guide-for-assessing-app-to-app-oauth-integration-risk":1276},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8,59,76],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":14,"data":15,"variations":50,"lastUpdated":51,"firstPublished":52,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":54,"meta":55,"rev":58},1742213002749,"efff2a27faf4408e9f908eba4b5542fe","inductive-automation","1c6207a5f24948ab82d4a0b17f251193","published",[],{"testimonial":16,"description":43,"type":19,"link":44,"title":47,"testimonialLink":48,"image":49},{"@type":17,"id":18,"model":19,"value":20},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79","testimonial",{"query":21,"folders":22,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":26,"variations":30,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":35,"rev":42},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":27,"jobTitle":28,"quote":24,"image":29},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,1,"ST0tXQM8slWpFrmioqKHmENB2qe2",{"kind":36,"lastPreviewUrl":37,"breakpoints":38,"hasAutosaves":41},"data","",{"small":39,"medium":40},640,768,true,"3v32gocrrqz","Join the industry's top security minds as they break down the browser attack landscape.",{"url":45,"text":46},"https://pushsecurity.com/webinar/state-of-browser-security","Save Your Spot","State of Browser Attacks 
Series","/customer-stories/inductive-automation","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe94fca10aa7b46ac8052b7ea22de54cd",{},1776257019270,1742221533648,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2",[],{"breakpoints":56,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},320,"motto9r9yg",{"createdDate":60,"id":61,"name":62,"modelId":12,"published":13,"query":63,"data":64,"variations":69,"lastUpdated":70,"firstPublished":71,"testRatio":33,"createdBy":53,"lastUpdatedBy":72,"folders":73,"meta":74,"rev":58},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner",[],{"type":65,"url":66,"text":67,"link":68},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,"jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":36,"lastPreviewUrl":37,"breakpoints":75,"hasAutosaves":41},{"xsmall":57,"small":39,"medium":40},{"createdDate":77,"id":78,"name":79,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":80,"data":81,"variations":89,"lastUpdated":90,"firstPublished":91,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":92,"meta":93,"rev":58},1742208469288,"6763051b201f44a0838c6400c580ca67","Resource highlight",[],{"image":82,"type":83,"description":84,"link":85,"title":88},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9","resource","Learn about the latest techniques being used in the wild.",{"url":86,"text":87},"/resources/browser-attacks-report","Download now","Report: 2026 Browser Attack 
Techniques",{},1776255866789,1742208570400,[],{"kind":36,"lastPreviewUrl":37,"breakpoints":94,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},{"createdDate":96,"id":97,"name":98,"modelId":99,"published":13,"query":100,"data":101,"variations":145,"lastUpdated":146,"firstPublished":147,"testRatio":33,"createdBy":34,"lastUpdatedBy":148,"folders":149,"meta":150,"rev":154},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":102,"text":103,"url":37,"blocks":104,"state":141},"ewrererw","testrfesssssssssss",[105,129],{"@type":106,"@version":107,"id":108,"component":109,"responsiveStyles":119},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":110,"tag":110,"options":111,"isRSC":118},"TopBannerContent",{"text":112,"ctaText":46,"url":45,"mainText":113,"cta":116},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks",{"content":114,"fontSize":115},"\u003Cp>New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks\u003C/p>","text-base",{"content":117,"fontSize":115,"url":45},"\u003Cp>\u003Cstrong style=\"font-weight:700;\">Save Your 
Spot\u003C/strong>\u003C/p>\n",null,{"large":120},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"marginTop":126,"marginBottom":126,"fontSize":127,"fontWeight":128},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"id":130,"@type":106,"tagName":131,"properties":132,"responsiveStyles":136},"builder-pixel-08zrjigffq5t","img",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":137},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},"block","hidden","none",{"deviceSize":142,"location":143},"large",{"path":37,"query":144},{},{},1775137295127,1774968080803,"ax7YYfD0OCeqT1Vxxv1G4FUbqVr1",[],{"breakpoints":151,"hasLinks":6,"kind":152,"lastPreviewUrl":153,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests%2CmergePullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default","2lvuonnywj",[156,180],{"createdDate":157,"id":158,"name":159,"modelId":160,"published":13,"stageModifiedSincePublish":6,"query":161,"data":162,"variations":173,"lastUpdated":174,"firstPublished":175,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":176,
"meta":177,"rev":179},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":163,"type":19,"testimonialLink":48,"testimonial":164},{},{"@type":17,"id":18,"model":19,"value":165},{"query":166,"folders":167,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":168,"variations":169,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":170,"rev":172},[],[],{"author":27,"jobTitle":28,"quote":24,"image":29},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":171,"hasAutosaves":41},{"small":39,"medium":40},"7t755zfvte3",{},1776247404986,1776247404973,[],{"breakpoints":178,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"4moh0qpywtr",{"createdDate":181,"id":182,"name":88,"modelId":160,"published":13,"meta":183,"stageModifiedSincePublish":6,"query":185,"data":186,"variations":207,"lastUpdated":208,"firstPublished":209,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":210,"rev":179},1776255761419,"05a9322735fc427db12e2740e4302300",{"breakpoints":184,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[],{"testimonial":187,"link":206,"type":83,"title":88,"description":84,"image":82},{"@type":17,"id":188,"model":19,"value":189},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":190,"folders":191,"createdDate":192,"id":188,"name":193,"modelId":25,"published":13,"data":194,"variations":200,"lastUpdated":201,"firstPublished":202,"testRatio":33,"createdBy":34,"lastUpdatedBy":53,"meta":203,"rev":205},[],[],1728981467463,"Push does for identity what CrowdStrike did for the 
endpoint",{"video":195,"jobTitle":196,"author":197,"qoute":37,"quote":198,"image":199},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":36,"lastPreviewUrl":37,"breakpoints":204,"hasAutosaves":41},{"small":39,"medium":40},"6s8ic0w0ao6",{"text":87,"url":86},{},1776255810913,1776255810900,[],[212,235],{"createdDate":213,"id":214,"name":88,"modelId":215,"published":13,"meta":216,"stageModifiedSincePublish":6,"query":218,"data":219,"variations":230,"lastUpdated":231,"firstPublished":232,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":233,"rev":234},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":217,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[],{"testimonial":220,"link":229,"type":83,"title":88,"description":84,"image":82},{"@type":17,"id":188,"model":19,"value":221},{"query":222,"folders":223,"createdDate":192,"id":188,"name":193,"modelId":25,"published":13,"data":224,"variations":225,"lastUpdated":201,"firstPublished":202,"testRatio":33,"createdBy":34,"lastUpdatedBy":53,"meta":226,"rev":228},[],[],{"video":195,"jobTitle":196,"author":197,"qoute":37,"quote":198,"image":199},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":227,"hasAutosaves":41},{"small":39,"medium":40},"r77qqueuo3j",{"text":87,"url":86},{},1776256937553,1776256937540,[],"q0jkez80wkg",{"createdDate":236,"id":237,"name":11,"modelId":215,"published":13,"stageModifiedSincePublish":6,"query":238,"data":239,"variations
":250,"lastUpdated":251,"firstPublished":252,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":253,"meta":254,"rev":234},1776256949234,"ce043785b71b4ece98eac811ecf4ba10",[],{"link":240,"type":19,"testimonial":241,"testimonialLink":48},{},{"@type":17,"id":18,"model":19,"value":242},{"query":243,"folders":244,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":245,"variations":246,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":247,"rev":249},[],[],{"author":27,"jobTitle":28,"quote":24,"image":29},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":248,"hasAutosaves":41},{"small":39,"medium":40},"mnaneamy308",{},1776256974140,1776256974130,[],{"breakpoints":255,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[257,441,560,679,797,917,1037,1157],{"createdDate":258,"id":259,"name":260,"modelId":261,"published":13,"stageModifiedSincePublish":6,"query":262,"data":268,"variations":429,"lastUpdated":430,"firstPublished":431,"testRatio":33,"screenshot":432,"createdBy":34,"lastUpdatedBy":433,"folders":434,"meta":435,"rev":440},1744829487099,"387451215c314dd5bd654668cdc1a197","Zero-day phishing","cca4143377554c5a9163cc203a8ed2ba",[263],{"@type":264,"property":265,"operator":266,"value":267},"@builder.io/core:Query","urlPath","is","/uc/zero-day-phishing-protection",{"inputs":269,"customFonts":270,"seoTitle":318,"title":318,"tsCode":37,"seoDescription":319,"fontAwesomeIcon":320,"jsCode":37,"blocks":321,"url":267,"state":426},[],[271],{"family":272,"kind":273,"version":274,"lastModified":275,"files":276,"category":295,"menu":296,"subsets":297,"variants":300},"DM 
Sans","webfonts#webfont","v14","2023-07-13",{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"800italic":285,"900italic":286,"700italic":287,"100italic":288,"italic":289,"regular":290,"200italic":291,"500italic":292,"300italic":293,"600italic":294},"https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAop1hTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwA_JxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAkJxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAfJthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwARZthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAC5thTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8gCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9uCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDG3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19Dks
Vat-7DW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat_XDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9XCm3zRmYJpso5.ttf","sans-serif","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxRT23z.ttf",[298,299],"latin","latin-ext",[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"100","200","300","regular","500","600","800","900","100italic","200italic","300italic","italic","500italic","600italic","700italic","800italic","900italic","Zero-day phishing protection","Detect phishing TTPs directly in the browser and stop credential theft.","faFishingRod",[322,421],{"@type":106,"@version":107,"tagName":323,"id":324,"children":325},"div","builder-76c6b8d1499346c7bc1fd56ae4e93638",[326,343,351,358,370,385,396,407,413],{"@type":106,"@version":107,"layerName":327,"id":328,"component":329,"responsiveStyles":340},"UseCaseHero","builder-5228fe062bef4a40a91e43f1112832fa",{"name":327,"options":330,"isRSC":118},{"title":318,"description":331,"points":332,"video":339},"\u003Cp>Push detects phishing as it happens. Autonomous agents hunt for new phishing techniques, identify kit signatures, and deploy detections within minutes of a new attack being analyzed. 
From cloned login pages to AiTM credential harvesting, Push sees what traditional filters miss and stops threats before they escalate.\u003C/p>",[333,335,337],{"item":334},"Detect phishing that bypasses traditional filters, including AiTM, SSO password theft, and fake login pages",{"item":336},"Stop never-before-seen attacks with AI-native behavioral and on-page analysis inside the browser",{"item":338},"Investigate faster with unified browser, user, and page context","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F40433ceeb4f94b43a82e039a0f4fd411%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=40433ceeb4f94b43a82e039a0f4fd411&alt=media&optimized=true",{"large":341},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},"transparent",{"@type":106,"@version":107,"id":344,"component":345,"responsiveStyles":348},"builder-96634044407e491299e291ed64669e39",{"name":346,"options":347,"isRSC":118},"TrustedBy",{"AllPartners":41,"backgroundTransparent":6},{"large":349},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},"#000",{"@type":106,"@version":107,"id":352,"component":353,"responsiveStyles":356},"builder-2c3768f930534557bb8978e32b6a6a0f",{"name":354,"options":355,"isRSC":118},"Diagonal",{"darkMode":41},{"large":357},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":359,"id":360,"component":361,"responsiveStyles":368},"TextImageBlockVertical","builder-7c3c1c2840424db2ad2ccbfaf382dd64",{"name":359,"tag":359,"options":362,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":365,"description":366,"animatedTitle":37,"image":367,"reverse":6,"descriptionPaddingHorizontal":118},1200,800,"\u003Ch2>Why stop at the inbox?\u003C/h2>","\u003Cp>Phishing attacks have evolved. 
Whether attackers lure users with QR codes, instant messages, or OAuth consent screens, the outcome is the same: it plays out in the browser. Push gives you real-time detection for in-browser threats, stopping phishing and consent-based attacks before they lead to compromise\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7fdcac241f0e4a049166d7076858adeb",{"large":369},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":371,"component":372,"responsiveStyles":380},"builder-41c978b3669749cf947e622b4e79e4d7",{"name":373,"options":374,"isRSC":118},"TextImageBlockHorizontal",{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":377,"description":378,"reverse":41,"image":379},600,100,"\u003Cp>Detect phishing at the edge\u003C/p>","\u003Cp>Push uses industry-first telemetry to detect phishing based on behavior, not static indicators. Autonomous agents analyze how phishing pages behave and how users interact with them, uncovering fake logins, credential theft, and phishing kits the moment they load in the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F9df3d180c97b4e61af142af2ccd68721",{"large":381},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},"DM Sans, sans-serif","20px","0px",{"@type":106,"@version":107,"id":386,"component":387,"responsiveStyles":393},"builder-d2a7bc941feb43cdb898bc116b203cf9",{"name":373,"options":388,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":390,"description":391,"reverse":6,"image":392},120,"\u003Ch2>Go beyond blocklists and IOCs\u003C/h2>","\u003Cp>Push goes beyond URLs and easy-to-change indicators. 
It reads the full phishing playbook like script behavior, session hijacks, DOM changes, user inputs, then connects the dots in real time. This gives your team a complete picture of how the phishing attempt worked, not just an alert.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fabfd58db169b433e96d3f1261797156e",{"large":394},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},"36px",{"@type":106,"@version":107,"layerName":373,"id":397,"component":398,"responsiveStyles":404},"builder-42c32198083f4880acb37c5cb76934da",{"name":373,"options":399,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":401,"description":402,"reverse":41,"image":403},140,"\u003Ch2>Enhance your phishing response\u003C/h2>","\u003Cp>When phishing enters your environment, speed matters. Push gives you instant access to the telemetry that counts like session data, user behavior, and page activity, so you can investigate fast, trigger in-browser prompts, or forward alerts to your SIEM or SOAR for response. 
All in real time, right from the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fbb195aec46904056b85e8688629e558e",{"large":405},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},"47px",{"@type":106,"@version":107,"id":408,"component":409,"responsiveStyles":411},"builder-9a95b9cbc4854421a92ef7b90f6c7adb",{"name":354,"options":410,"isRSC":118},{"darkMode":6},{"large":412},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":414,"component":415,"responsiveStyles":419},"builder-0afa17a9f25c4661a90f314d5578aa18",{"name":416,"tag":416,"options":417,"isRSC":118},"LatestResources",{"sectionHeading":37,"customClass":418},"bg-black",{"large":420},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":422,"@type":106,"tagName":131,"properties":423,"responsiveStyles":424},"builder-pixel-21yj6h3p4wh",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":425},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":427},{"path":37,"query":428},{},{},1776275046831,1745499158657,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fff60c30a8442489c8ed7e0af9599d14f","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"lastPreviewUrl":436,"winningTest":118,"breakpoints":437,"kind":438,"hasLinks":6,"originalContentId":439,"hasAutosaves":6},"https://pushsecurity.com/uc/zero-day-phishing-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&
builder.overrides.use-case-page=387451215c314dd5bd654668cdc1a197&builder.overrides.387451215c314dd5bd654668cdc1a197=387451215c314dd5bd654668cdc1a197&builder.overrides.use-case-page:/uc/zero-day-phishing-protection=387451215c314dd5bd654668cdc1a197&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},"page","2daa5670b8504fc7ba4700633e8bd921","atvz4dp24b7",{"createdDate":442,"id":443,"name":444,"modelId":261,"published":13,"stageModifiedSincePublish":6,"query":445,"data":448,"variations":552,"lastUpdated":553,"firstPublished":554,"testRatio":33,"screenshot":555,"createdBy":34,"lastUpdatedBy":433,"folders":556,"meta":557,"rev":440},1756833377777,"54f8256648f54d439303734b1e69221b","Browser extension security",[446],{"@type":264,"property":265,"operator":266,"value":447},"/uc/browser-extension-security",{"seoDescription":449,"jsCode":37,"fontAwesomeIcon":450,"tsCode":37,"title":444,"seoTitle":444,"customFonts":451,"inputs":456,"blocks":457,"url":447,"state":549},"Shine a light on risky browser extensions.","faPuzzlePiece",[452],{"kind":273,"family":272,"version":274,"files":453,"category":295,"lastModified":275,"subsets":454,"variants":455,"menu":296},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"100italic":288,"italic":289,"regular":290,"900italic":286,"800italic":285,"700italic":287,"200italic":291,"300italic":293,"500italic":292,"600italic":294},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],[],[458,544],{"@type":106,"@version":107,"tagName":323,"id":459,"meta":460,"children":461},"builder-71d0648c1d2f4ede8d0d0b5b28b7b94c",{"previousId":324},[462,478,485,492,501,511,521,531,538],{"@type":106,"@version":107,"id":463,"meta":464,"component":465,"responsiveStyles":476},"builder-ff325b4b8fad4edea53f38865947e854",{"previousId":328},{"name":327,"options":466,"isRSC":118},{"title":444,"description":467,"points":468,"video":475},"\u003Cp>Browser extensions introduce new code, new 
permissions, and new potential for risk. Many include AI features, and most go completely unnoticed. Push gives you full visibility into every extension used across your workforce, across major browsers, so you can uncover shadow IT, assess risky permissions, and block unsafe tools before they lead to compromise.\u003C/p>",[469,471,473],{"item":470},"Discover every browser extension in use",{"item":472},"Spot risky or unsanctioned behavior",{"item":474},"Make informed decisions on extension policy","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc538aad95d7f403aa3c3551af72f67c0?alt=media&token=1411fa6d-2eac-4e6c-94bf-ea117da12d67&apiKey=f3a1111ff5be48cdbb123cd9f5795a05",{"large":477},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":479,"meta":480,"component":481,"responsiveStyles":483},"builder-fb89d128c64e47cf9cbb11d90fc24523",{"previousId":344},{"name":346,"options":482,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":484},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":486,"meta":487,"component":488,"responsiveStyles":490},"builder-54388d35126c4d0096eeebaf8c4448cd",{"previousId":352},{"name":354,"options":489,"isRSC":118},{"darkMode":41},{"large":491},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":359,"id":493,"component":494,"responsiveStyles":499},"builder-3c8fa6785dd6466abf52a2470d66d85a",{"name":359,"tag":359,"options":495,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":496,"description":497,"image":498,"reverse":6},"\u003Ch2>Take control of browser extensions\u003C/h2>","\u003Cp>Attackers are increasingly using malicious browser extensions to gain access to data processed and stored in the browser. 
And the problem is, most security teams have no visibility into what extensions are being used. Push changes that. With browser-native telemetry, the Push extension continuously inventories browser extensions across your environment, flags the risky ones, and gives you intelligence to act.&nbsp;\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0a004f16a6874f4c8fdf14344acc9fec",{"large":500},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":502,"meta":503,"component":504,"responsiveStyles":509},"builder-93738f98109a4009affb349afd7bb182",{"previousId":371},{"name":373,"options":505,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":506,"description":507,"reverse":41,"image":508},"\u003Ch2>Discover every extension in use\u003C/h2>","\u003Cp>Push gives you structured, searchable data about every extension in your environment, so you’re not just seeing what’s there, but also understanding how it got there, what it can do, and who it affects. 
It’s the kind of granular insight that’s nearly impossible to get from traditional tools, and it lays the groundwork for better policy decisions and faster investigations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0e5727ca99474f14b1b7916bf6bbb782",{"large":510},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":512,"meta":513,"component":514,"responsiveStyles":519},"builder-83393acb12ee4fdd840839185b51edb4",{"previousId":386},{"name":373,"options":515,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":516,"description":517,"reverse":6,"image":518},"\u003Ch2>Spot risky or malicious extensions\u003C/h2>","\u003Cp>Push highlights extensions with dangerous permissions, broad access, or poor reputations. This includes AI extensions that request access far beyond what their stated purpose requires. You can quickly detect sideloaded, manually installed, or development-mode extensions that bypass normal controls. And because Push shows you who’s using them and where, you can respond precisely and effectively.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa104d58c8da34fbb8901f738fb21453b",{"large":520},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":522,"meta":523,"component":524,"responsiveStyles":529},"builder-da98e3de949646d89c53a0d1c2784664",{"previousId":397},{"name":373,"options":525,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":526,"description":527,"reverse":41,"image":528},"\u003Ch2>Accelerate security reviews\u003C/h2>","\u003Cp>Most teams have extension policies, they just don’t have the data to enforce them. 
Push reveals how each extension entered your environment, whether it was installed manually, sideloaded, or deployed in dev mode. You’ll see which users are running what, and where, so you can surface violations, investigate quickly, and respond with confidence.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F229f355be6f243b180f410d237a75bb3",{"large":530},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":532,"meta":533,"component":534,"responsiveStyles":536},"builder-1a689287d1a1418997d57db578a71105",{"previousId":408},{"name":354,"options":535,"isRSC":118},{"darkMode":6},{"large":537},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":539,"component":540,"responsiveStyles":542},"builder-feb4e75029f84c10b6498ef1f8f79128",{"name":416,"tag":416,"options":541,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":543},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":545,"@type":106,"tagName":131,"properties":546,"responsiveStyles":547},"builder-pixel-0edn39avfcei",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":548},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":550},{"path":37,"query":551},{},{},1776275365038,1757000441666,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8d496cf111644ee5afcc046b72d1ca5a",[],{"kind":438,"winningTest":118,"breakpoints":558,"lastPreviewUrl":559,"hasLinks":6,"originalContentId":259,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/browser-extension-security?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2Cc
reateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=54f8256648f54d439303734b1e69221b&builder.overrides.54f8256648f54d439303734b1e69221b=54f8256648f54d439303734b1e69221b&builder.overrides.use-case-page:/uc/browser-extension-security=54f8256648f54d439303734b1e69221b&builder.options.locale=Default",{"createdDate":561,"id":562,"name":563,"modelId":261,"published":13,"query":564,"data":567,"variations":670,"lastUpdated":671,"firstPublished":672,"testRatio":33,"screenshot":673,"createdBy":34,"lastUpdatedBy":674,"folders":675,"meta":676,"rev":440},1744923509705,"94bebb7bb99d48629ad157e80cf4d81d","Account takeover detection",[565],{"@type":264,"property":265,"operator":266,"value":566},"/uc/account-takeover-detection",{"title":563,"customFonts":568,"jsCode":37,"seoTitle":563,"seoDescription":573,"fontAwesomeIcon":574,"tsCode":37,"blocks":575,"url":566,"state":667},[569],{"kind":273,"category":295,"variants":570,"menu":296,"files":571,"family":272,"subsets":572,"version":274,"lastModified":275},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"300italic":293,"500italic":292,"800italic":285,"700italic":287,"italic":289,"900italic":286,"600italic":294,"200italic":291,"regular":290,"100italic":288},[298,299],"Stop ATO with stolen credential and compromised token 
detection.","faUserSecret",[576,662],{"@type":106,"@version":107,"tagName":323,"id":577,"meta":578,"children":579},"builder-e7913a774cae44c5a23d6081c5c30a52",{"previousId":324},[580,596,603,610,619,629,639,649,656],{"@type":106,"@version":107,"id":581,"meta":582,"component":583,"responsiveStyles":594},"builder-f1f1ab1601bc4c0f8c2a8aafd173675d",{"previousId":328},{"name":327,"options":584,"isRSC":118},{"title":563,"description":585,"points":586,"video":593},"\u003Cp>Attackers don’t need to phish, they just need a password that works. Push monitors for signs of credential-based attacks in real time, directly in the browser, catching account takeover attempts before the damage spreads. From ghost logins to credential stuffing, Push cuts off the paths attackers use to quietly slip in the back door.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[587,589,591],{"item":588},"Identify credential-based ATO as it unfolds",{"item":590},"Surface hijacked sessions and token misuse",{"item":592},"Strengthen authentication where your IdP 
can’t","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb4dd9db24bc9495b8a686b1b4d492016%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=b4dd9db24bc9495b8a686b1b4d492016&alt=media&optimized=true",{"large":595},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":597,"meta":598,"component":599,"responsiveStyles":601},"builder-0bc0d1c78ece4994993c3a6427a4d533",{"previousId":344},{"name":346,"options":600,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":602},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":604,"meta":605,"component":606,"responsiveStyles":608},"builder-e45de8f3768c4f16938dbf78e4e87524",{"previousId":352},{"name":354,"options":607,"isRSC":118},{"darkMode":41},{"large":609},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":611,"component":612,"responsiveStyles":617},"builder-c98e8bfd341146c1b67c02d5698ff093",{"name":359,"tag":359,"options":613,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":614,"description":615,"image":616,"reverse":6},"\u003Ch2>Assume less. See more.\u003C/h2>","\u003Cp>Most account takeovers don’t start with a breach, they start with a login. Whether it’s a reused password, a local account, or an outdated login flow, Push shows you how accounts are actually accessed day to day, not just how policies say they should be. 
That means no more blind spots around ghost logins, bypassed SSO, or stale access paths that quietly persist.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F18630ad2746d4eb7b7fcc0428b11a8f0",{"large":618},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":620,"meta":621,"component":622,"responsiveStyles":627},"builder-55c1fc38ddc04fd1a0d6a8e2fb819e00",{"previousId":371},{"name":373,"options":623,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":624,"description":625,"reverse":41,"image":626},"\u003Ch2>Catch stolen credential use in real time\u003C/h2>","\u003Cp>Push monitors login activity directly in the browser to detect signs of credential-based attacks like leaked password use or suspicious login flows. By analyzing attacker TTPs instead of relying on known indicators, Push spots credential stuffing and account takeover attempts the moment they begin, not after they’ve succeeded.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F52b0123cac2c4dfdb1dc0af6adf9d603",{"large":628},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":630,"meta":631,"component":632,"responsiveStyles":637},"builder-dfb31737b30948c6b95323655d571a50",{"previousId":386},{"name":373,"options":633,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":634,"description":635,"reverse":6,"image":636},"\u003Ch2>Detect session hijacks and stealth access\u003C/h2>","\u003Cp>Attackers don’t always need a login screen, they often sidestep it entirely using stolen session tokens. 
Push detects when valid sessions are reused in unexpected ways, identifying hijacked sessions and stealth access attempts that traditional tools miss. Because we monitor directly in the browser, you see what’s happening inside active sessions in real time.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F94a6859a99e04d309ffe5841f3dbdf5c",{"large":638},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":640,"meta":641,"component":642,"responsiveStyles":647},"builder-f7585b90eb974d03a7dc7eae5b58d227",{"previousId":397},{"name":373,"options":643,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":644,"description":645,"reverse":41,"image":646},"\u003Ch2>Harden accounts before they’re compromised\u003C/h2>","\u003Cp>Push goes beyond alerts. It identifies apps that still allow local logins, even when SSO is configured, so you can remove weak access paths. 
Push also flags users without MFA, reused work credentials, or weak passwords, and prompts users in-browser to fix risky behaviors before they’re exploited.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01c1b638f1b6497093a4f2b8ceddb5bb",{"large":648},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":650,"meta":651,"component":652,"responsiveStyles":654},"builder-ad81d1e3afec49a791214194eae09bdc",{"previousId":408},{"name":354,"options":653,"isRSC":118},{"darkMode":6},{"large":655},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":657,"component":658,"responsiveStyles":660},"builder-8dac1aa4b9d148628d92252bd8eff822",{"name":416,"tag":416,"options":659,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":661},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":663,"@type":106,"tagName":131,"properties":664,"responsiveStyles":665},"builder-pixel-s5u3wmvz7jq",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":666},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":668},{"path":37,"query":669},{},{},1770892814499,1745499162732,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F58b660fa94aa4b30b0faeb9b663ae41a","SfUPqW5tkibIPby49keNFMdHFTr1",[],{"lastPreviewUrl":677,"hasLinks":6,"originalContentId":259,"breakpoints":678,"winningTest":118,"kind":438,"hasAutosaves":41},"https://pushsecurity.com/uc/account-takeover-detection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepo
sitory%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.94bebb7bb99d48629ad157e80cf4d81d=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.use-case-page:/uc/account-takeover-detection=94bebb7bb99d48629ad157e80cf4d81d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":680,"id":681,"name":682,"modelId":261,"published":13,"query":683,"data":686,"variations":789,"lastUpdated":790,"firstPublished":791,"testRatio":33,"screenshot":792,"createdBy":34,"lastUpdatedBy":674,"folders":793,"meta":794,"rev":440},1745009370904,"23eb48fb56d3451cab77cb6ed140ee6d","Attack path hardening",[684],{"@type":264,"property":265,"operator":266,"value":685},"/uc/attack-path-hardening",{"tsCode":37,"seoDescription":687,"jsCode":37,"customFonts":688,"fontAwesomeIcon":693,"seoTitle":682,"title":682,"blocks":694,"url":685,"state":786},"Harden access paths with visibility, detection, and 
guardrails.",[689],{"kind":273,"files":690,"version":274,"lastModified":275,"subsets":691,"menu":296,"category":295,"variants":692,"family":272},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"regular":290,"italic":289,"800italic":285,"500italic":292,"600italic":294,"200italic":291,"900italic":286,"700italic":287,"100italic":288,"300italic":293},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"faRadar",[695,781],{"@type":106,"@version":107,"tagName":323,"id":696,"meta":697,"children":698},"builder-1d8553eddcaa44d7bba9e2f4ca13af2a",{"previousId":577},[699,715,722,729,738,748,758,768,775],{"@type":106,"@version":107,"id":700,"meta":701,"component":702,"responsiveStyles":713},"builder-84fe3d7c85a743cf8cef649aa974f1ef",{"previousId":581},{"name":327,"options":703,"isRSC":118},{"title":682,"description":704,"points":705,"video":712},"\u003Cp>Push continuously monitors your environment for exposed login paths, weak credentials, and missing protections like MFA. 
It detects the gaps attackers exploit and helps you close them before they’re used.\u003C/p>",[706,708,710],{"item":707},"Find weak spots like reused passwords, local logins, and missing MFA",{"item":709},"Monitor how users actually log in across apps, flows, and tools",{"item":711},"Enforce secure access with in-browser guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fdbdcf52892034f1bbddded77f753a343%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=dbdcf52892034f1bbddded77f753a343&alt=media&optimized=true",{"large":714},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":716,"meta":717,"component":718,"responsiveStyles":720},"builder-b3f66f5b08054cc78a06fecfc3ae2337",{"previousId":597},{"name":346,"options":719,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":721},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":723,"meta":724,"component":725,"responsiveStyles":727},"builder-4c73418b84be49ed85e6e13d2625c5a0",{"previousId":604},{"name":354,"options":726,"isRSC":118},{"darkMode":41},{"large":728},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":730,"component":731,"responsiveStyles":736},"builder-dec0246085e1485c803f7152b1922a81",{"name":359,"tag":359,"options":732,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":733,"description":734,"image":735,"reverse":6},"\u003Ch2>Find the gaps that lead to compromise\u003C/h2>","\u003Cp>Misconfigurations don’t show up in your config files, they show up in how users actually access apps. 
Push monitors real login behavior in the browser, surfacing risky patterns like local login access, duplicate accounts, or missing protections that leave doors wide open.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F309a59bba8d247a19476bb369397460e",{"large":737},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":739,"meta":740,"component":741,"responsiveStyles":746},"builder-ebf049a645604a249550996a88f8f3b6",{"previousId":620},{"name":373,"options":742,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":743,"description":744,"reverse":41,"image":745},"\u003Ch2>See real login behavior\u003C/h2>","\u003Cp>Push watches authentication flows as they happen, giving you a live view of how users log in, which methods they choose, and where protections like MFA are missing. Plus, uncover every app and account in use, even shadow IT you didn’t know existed, without relying on stale config files or IdP assumptions. \u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb51f6b0357cc451b87a7a5016d984e5e",{"large":747},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":749,"meta":750,"component":751,"responsiveStyles":756},"builder-431d175c59004669b0b2776b07d71737",{"previousId":630},{"name":373,"options":752,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":753,"description":754,"reverse":6,"image":755},"\u003Ch2>Find and fix posture drift\u003C/h2>","\u003Cp>Security posture isn’t static. Push continuously monitors for issues like missing MFA or legacy login methods. 
When something falls out of policy, you know immediately with custom notifications so you can act before it turns into risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F324e39127dfc41e592b1183dfb39892d",{"large":757},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":759,"meta":760,"component":761,"responsiveStyles":766},"builder-3dffdcbe0a484e2ca4c03f019b6d40ee",{"previousId":640},{"name":373,"options":762,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":763,"description":764,"reverse":41,"image":765},"\u003Ch2>Guide users with in-browser guardrails\u003C/h2>","\u003Cp>Push doesn’t just surface problems; it helps you fix them. When users sign in without MFA, reuse a password, or use insecure credentials, Push prompts them directly in the browser to secure their access. It’s faster, more effective, and actually gets 
results.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fee8b75d13e45488aba55434a8b49ebb0",{"large":767},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":769,"meta":770,"component":771,"responsiveStyles":773},"builder-976bc222cd7647ff905f1e01cfedc453",{"previousId":650},{"name":354,"options":772,"isRSC":118},{"darkMode":6},{"large":774},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":776,"component":777,"responsiveStyles":779},"builder-8c47ec2fd0f74382bb3e6c870555632c",{"name":416,"tag":416,"options":778,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":780},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":782,"@type":106,"tagName":131,"properties":783,"responsiveStyles":784},"builder-pixel-7akm7dayau8",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":785},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":787},{"path":37,"query":788},{},{},1770892844854,1745499166112,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6ca12bf728a045f1a31d40c0beb3bfe5",[],{"kind":438,"lastPreviewUrl":795,"breakpoints":796,"hasLinks":6,"originalContentId":562,"winningTest":118,"hasAutosaves":6},"https://pushsecurity.com/uc/attack-path-hardening?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&buil
der.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.23eb48fb56d3451cab77cb6ed140ee6d=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.use-case-page:/uc/attack-path-hardening=23eb48fb56d3451cab77cb6ed140ee6d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":798,"id":799,"name":800,"modelId":261,"published":13,"query":801,"data":804,"variations":909,"lastUpdated":910,"firstPublished":911,"testRatio":33,"screenshot":912,"createdBy":34,"lastUpdatedBy":674,"folders":913,"meta":914,"rev":440},1761675020232,"ea4f309d2ffe46c5aa97ebf0fda4e2e3","ClickFix Protection",[802],{"@type":264,"property":265,"operator":266,"value":803},"/uc/clickfix-protection",{"seoDescription":805,"fontAwesomeIcon":806,"customFonts":807,"seoTitle":812,"jsCode":37,"tsCode":37,"title":812,"blocks":813,"url":803,"state":906},"Block attacks that trick users into running malicious code.","faLaptopCode",[808],{"files":809,"subsets":810,"menu":296,"version":274,"kind":273,"family":272,"lastModified":275,"variants":811,"category":295},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"200italic":291,"800italic":285,"700italic":287,"600italic":294,"100italic":288,"italic":289,"regular":290,"300italic":293,"500italic":292,"900italic":286},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"ClickFix 
protection",[814,901],{"@type":106,"@version":107,"tagName":323,"id":815,"meta":816,"children":817},"builder-d7eefdde0f2a4b2b9de3dcb2978fd6cb",{"previousId":696},[818,834,841,848,858,868,878,888,895],{"@type":106,"@version":107,"id":819,"meta":820,"component":821,"responsiveStyles":832},"builder-56e2c54bcce040a4af8b92ae03706c12",{"previousId":700},{"name":327,"options":822,"isRSC":118},{"title":812,"description":823,"points":824,"image":831},"\u003Cp>ClickFix attacks are one of the fastest-growing threats, tricking users into copying malicious code from a webpage and running it locally. This technique bypasses traditional EDR, email gateways, and network filters, leading directly to ransomware and data theft. Push stops this attack at the source, in the browser, by detecting and blocking the malicious behavior before the user can ever paste the code.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[825,827,829],{"item":826},"Detect ClickFix, FileFix, and fake CAPTCHA in the browser",{"item":828},"Block malicious copy-and-paste actions before code is executed",{"item":830},"See full telemetry into which users were targeted and what they 
saw","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b74af62889847ebb3927364485b0546",{"large":833},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":835,"meta":836,"component":837,"responsiveStyles":839},"builder-05f9614d4e3e4dc88b3ee8658f54e10e",{"previousId":716},{"name":346,"options":838,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":840},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":842,"meta":843,"component":844,"responsiveStyles":846},"builder-c4fb5179366243c1b6c32d368675cf47",{"previousId":723},{"name":354,"options":845,"isRSC":118},{"darkMode":41},{"large":847},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":849,"meta":850,"component":851,"responsiveStyles":856},"builder-261af50705fd445d8cca4a6ba20d5391",{"previousId":730},{"name":359,"tag":359,"options":852,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":853,"description":854,"reverse":6,"image":855},"\u003Ch2>Stop ClickFix-style attacks before they become a breach\u003C/h2>","\u003Cp>Traditional security tools are blind to malicious copy-and-paste attacks because the attack exploits a gap between the browser and the endpoint. 
EDR only sees the payload after it runs, and network tools see only part of the picture.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F98b2f7e08dec4eafaf8e24937605b8cf",{"large":857},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":859,"meta":860,"component":861,"responsiveStyles":866},"builder-7d21b8aab8064c40b1e5dd23c4749309",{"previousId":739},{"name":373,"options":862,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":863,"description":864,"reverse":41,"image":865},"\u003Ch2>Discover lures at the source\u003C/h2>","\u003Cp>Push inspects page behavior to identify ClickFix attacks as they happen. By inspecting the page, its structure, and how the user interacts with it, Push can detect and block these in-browser threats in real time. This deep, TTP-based inspection spots the trap even on novel pages that are built to bypass traditional web filters and blocklists.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F665bf47e01544c75bf9ddafd3917927b",{"large":867},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":869,"meta":870,"component":871,"responsiveStyles":876},"builder-fb91943adf6149259ed9e1e6566c9afe",{"previousId":749},{"name":373,"options":872,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":873,"description":874,"reverse":6,"image":875},"\u003Ch2>Block the malicious action\u003C/h2>","\u003Cp>When Push detects a malicious script, it intercepts the user's action and blocks the code from being copied to the clipboard. The user is protected, the attack is stopped, and no malicious code ever reaches the endpoint. 
Unlike broad DLP tools, this action is surgical, targeting only malicious behavior without disrupting normal work.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F5ee68f81f1ac416685cbfe91298cf827",{"large":877},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":879,"meta":880,"component":881,"responsiveStyles":886},"builder-bfac95fada864e5a8259b955b5b5f98b",{"previousId":759},{"name":373,"options":882,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":883,"description":884,"reverse":41,"image":885},"\u003Ch2>Accelerate ClickFix investigations\u003C/h2>","\u003Cp>When an attack happens, knowing what the user saw or did is critical. Push provides rich browser session data for rapid investigation and containment. Security teams get detailed telemetry on which users were targeted, what lure they were served, and when the block occurred. 
This enables defenders to reconstruct what happened and respond quickly, even when other tools miss the activity entirely.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6cdf2a8aeddc4e9a9023cbf974e40239",{"large":887},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":889,"meta":890,"component":891,"responsiveStyles":893},"builder-136892e831684a6987f87d3be67c33d1",{"previousId":769},{"name":354,"options":892,"isRSC":118},{"darkMode":6},{"large":894},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":896,"component":897,"responsiveStyles":899},"builder-dec26b739f2f42beb5a73cfc6c675b60",{"name":416,"tag":416,"options":898,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":900},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":902,"@type":106,"tagName":131,"properties":903,"responsiveStyles":904},"builder-pixel-zzjpxxgrc2l",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":905},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":907},{"path":37,"query":908},{},{},1770892881888,1761847585203,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F375467b8bef34ed1a8a1cc5b8b67d75f",[],{"lastPreviewUrl":915,"originalContentId":681,"winningTest":118,"hasLinks":6,"kind":438,"breakpoints":916,"hasAutosaves":6},"https://pushsecurity.com/uc/clickfix-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.u
ser.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.ea4f309d2ffe46c5aa97ebf0fda4e2e3=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.use-case-page:/uc/clickfix-protection=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":918,"id":919,"name":920,"modelId":261,"published":13,"query":921,"data":924,"variations":1029,"lastUpdated":1030,"firstPublished":1031,"testRatio":33,"screenshot":1032,"createdBy":34,"lastUpdatedBy":674,"folders":1033,"meta":1034,"rev":440},1745009743870,"a9d5556e77f84a37b5bd52310a7110c1","Incident response",[922],{"@type":264,"property":265,"operator":266,"value":923},"/uc/incident-response",{"seoDescription":925,"customFonts":926,"title":920,"jsCode":37,"fontAwesomeIcon":931,"seoTitle":932,"tsCode":37,"blocks":933,"url":923,"state":1026},"Investigate and respond faster with unique browser telemetry.",[927],{"kind":273,"subsets":928,"menu":296,"variants":929,"category":295,"family":272,"version":274,"lastModified":275,"files":930},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"900italic":286,"600italic":294,"200italic":291,"300italic":293,"100italic":288,"700italic":287,"800italic":285,"regular":290,"italic":289,"500italic":292},"faSatelliteDish","Browser based incident 
response",[934,1021],{"@type":106,"@version":107,"tagName":323,"id":935,"meta":936,"children":937},"builder-653c4aed737b4def88dc4cd2d695660a",{"previousId":696},[938,955,962,969,978,988,998,1008,1015],{"@type":106,"@version":107,"id":939,"meta":940,"component":941,"responsiveStyles":953},"builder-18190bd36518467d9154d27d7e945b9b",{"previousId":700},{"name":327,"options":942,"isRSC":118},{"title":943,"description":944,"points":945,"video":952},"Browser-based incident response","\u003Cp>Push gives you real-time visibility into what actually happened during a breach, right in the browser where the attack played out. From credential theft to session hijacking, Push captures high-fidelity telemetry so you can investigate quickly, contain confidently, and shut it down before it spreads.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[946,948,950],{"item":947},"Reconstruct what happened with real browser session context",{"item":949},"Investigate faster with real-world session context",{"item":951},"Trigger response actions automatically through your SIEM or 
SOAR","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fd00e39d3b6e346c296261d875cf55652%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=d00e39d3b6e346c296261d875cf55652&alt=media&optimized=true",{"large":954},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":956,"meta":957,"component":958,"responsiveStyles":960},"builder-8a0a8ea63f5d48dd8a6726f2d49cf0ca",{"previousId":716},{"name":346,"options":959,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":961},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":963,"meta":964,"component":965,"responsiveStyles":967},"builder-2df65c3f54334df2b26e7cb744886cdc",{"previousId":723},{"name":354,"options":966,"isRSC":118},{"darkMode":41},{"large":968},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":970,"component":971,"responsiveStyles":976},"builder-2c32c869efc2423ab69ef06b150e9f97",{"name":359,"tag":359,"options":972,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":973,"description":974,"image":975,"reverse":6},"\u003Ch2>See attacks unfold, not just their aftermath\u003C/h2>","\u003Cp>Attacks happen in the browser, not in logs. Push captures what traditional tools miss: what users clicked, what loaded, what was entered, and how attackers moved. 
That gives you real-world evidence, not just assumptions, when every second matters.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F36fc719bd1de4a38b916f4d25c81a26d",{"large":977},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":979,"meta":980,"component":981,"responsiveStyles":986},"builder-370e53c6016e432db01e9193a2ce90f6",{"previousId":739},{"name":373,"options":982,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":983,"description":984,"reverse":41,"image":985},"\u003Ch2>Investigate faster with high-fidelity data\u003C/h2>","\u003Cp>Reconstructing an incident shouldn’t feel like guesswork. Push records detailed telemetry from inside the browser: page loads, credential inputs, DOM changes, session activity, user behavior. It’s structured, exportable, and ready to plug into your investigation workflows, so you can move fast without digging through proxy logs or relying on user reports.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa6adda040e684e67a8d68a55c5ce5f6d",{"large":987},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":989,"meta":990,"component":991,"responsiveStyles":996},"builder-a7f3767a8d184bd08fb24520bf210e95",{"previousId":749},{"name":373,"options":992,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":993,"description":994,"reverse":6,"image":995},"\u003Ch2>Contain and respond in real time\u003C/h2>","\u003Cp>When something looks off, Push doesn’t just alert you, it gives you options. Guide users with in-browser prompts. Terminate sessions. Trigger SOAR workflows. Enrich SIEM alerts. 
Push gives you the context and control to stop spread before it starts.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb3dedeed5aba4847a2c2d22e10d0ec12",{"large":997},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":999,"meta":1000,"component":1001,"responsiveStyles":1006},"builder-b92036ee0ece4b32acdbdcc7c377366b",{"previousId":759},{"name":373,"options":1002,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1003,"description":1004,"reverse":41,"image":1005},"\u003Ch2>Prevent the next one\u003C/h2>","\u003Cp>Push helps you respond fast, but it also helps you fix what went wrong. It surfaces misconfigurations and risky behaviors that made the attack possible in the first place, then guides users in-browser to remediate. One tool. Full loop. No loose ends.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc1ecc2d5d3814b62b072fac01827ff96",{"large":1007},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1009,"meta":1010,"component":1011,"responsiveStyles":1013},"builder-5e8ae39655274de89da32ab573a2525a",{"previousId":769},{"name":354,"options":1012,"isRSC":118},{"darkMode":6},{"large":1014},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1016,"component":1017,"responsiveStyles":1019},"builder-dfd6850cfb4741d2b8a0c16c2780f00a",{"name":416,"tag":416,"options":1018,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1020},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1022,"@type":106,"tagName":131,"properties":1023,"responsiveStyles":1024},"builder-pixel-z197gdgcmu",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"lar
ge":1025},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1027},{"path":37,"query":1028},{},{},1770892908052,1745427419274,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb07017bfd318431690a5bb35bda35b99",[],{"kind":438,"breakpoints":1035,"originalContentId":681,"winningTest":118,"lastPreviewUrl":1036,"hasLinks":6,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/incident-response?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.a9d5556e77f84a37b5bd52310a7110c1=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.use-case-page:/uc/incident-response=a9d5556e77f84a37b5bd52310a7110c1&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"createdDate":1038,"id":1039,"name":1040,"modelId":261,"published":13,"query":1041,"data":1044,"variations":1149,"lastUpdated":1150,"firstPublished":1151,"testRatio":33,"screenshot":1152,"createdBy":34,"lastUpdatedBy":674,"folders":1153,"meta":1154,"rev":440},1746122471259,"5f118e24433d46ceb79f5099987156d7","Shadow SaaS",[1042],{"@type":264,"property":265,"operator":266,"value":1043},"/uc/shadow-saas",{"seoTitle":1045,"seoDescription":1046,"customFonts":1047,"fontAwesomeIcon":1052,"title":1053,"jsCode":37,"tsCode":37,"blocks":1054,"url":1043,"state":1146},"Find and secure shadow SaaS","See and 
control shadow SaaS in the browser.",[1048],{"kind":273,"variants":1049,"files":1050,"family":272,"version":274,"subsets":1051,"lastModified":275,"category":295,"menu":296},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"300italic":293,"500italic":292,"regular":290,"900italic":286,"italic":289,"100italic":288,"200italic":291,"600italic":294,"700italic":287,"800italic":285},[298,299],"faShieldCheck","Secure shadow SaaS",[1055,1141],{"@type":106,"@version":107,"tagName":323,"id":1056,"meta":1057,"children":1058},"builder-04da805c4cd34652a2db452fcda52e1d",{"previousId":935},[1059,1075,1082,1089,1098,1108,1118,1128,1135],{"@type":106,"@version":107,"id":1060,"meta":1061,"component":1062,"responsiveStyles":1073},"builder-830d414faeaf41439142f9157e8288c8",{"previousId":939},{"name":327,"options":1063,"isRSC":118},{"title":1045,"description":1064,"points":1065,"video":1072},"\u003Cp>SaaS sprawl is one of today’s fastest-growing security blind spots because most tools monitor around the edges. Push sees it at the source, in the browser, revealing every app users access, flagging risky tools, and helping you shut down exposure before it leads to a breach. No guesswork. No nasty surprises. 
Just real-time visibility and control.\u003C/p>",[1066,1068,1070],{"item":1067},"Discover every SaaS app users access, managed or not",{"item":1069},"Spot accounts with weak security postures like missing MFA, unmanaged access, and no SSO",{"item":1071},"Control usage with in-browser prompts, blocks, and security guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F3e4eece318d04d6586e691d59d0741cf%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=3e4eece318d04d6586e691d59d0741cf&alt=media&optimized=true",{"large":1074},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":1076,"meta":1077,"component":1078,"responsiveStyles":1080},"builder-cd7833f966cb4c7e8adf0d6c979414a6",{"previousId":956},{"name":346,"options":1079,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":1081},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":1083,"meta":1084,"component":1085,"responsiveStyles":1087},"builder-49d720b45430454e8b08c526f267c19f",{"previousId":963},{"name":354,"options":1086,"isRSC":118},{"darkMode":41},{"large":1088},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1090,"component":1091,"responsiveStyles":1096},"builder-3dde0bf6c8544e5e9ab41b18a9d68034",{"name":359,"tag":359,"options":1092,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":1093,"description":1094,"image":1095,"reverse":6},"\u003Ch2>Use your browser to curb SaaS sprawl\u003C/h2>","\u003Cp>Shadow SaaS isn’t hiding in your network, it’s in your browser. From AI tools to unsanctioned file-sharing sites, security risks live in the apps your users sign into every day. 
Push maps your organization's true SaaS footprint in real time, exposing apps and accounts with unmanaged access, poor authentication, or no security oversight.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb6811a214c7949b6bbe0b9a3bca62efd",{"large":1097},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1099,"meta":1100,"component":1101,"responsiveStyles":1106},"builder-e2420451ccdc4f088d0a4904cff45935",{"previousId":979},{"name":373,"options":1102,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":1103,"description":1104,"reverse":41,"image":1105},"\u003Ch2>Discover hidden SaaS usage\u003C/h2>","\u003Cp>Push captures live browser telemetry across every tab and session. Whether a user signs into a sanctioned app with a personal account or tries a new AI plugin, you’ll see it in real time, with no integrations or manual tagging.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe16e301f9af94665b95d98232a863d8a",{"large":1107},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":1109,"meta":1110,"component":1111,"responsiveStyles":1116},"builder-b36de7fce7994beea9e58d94662e7166",{"previousId":989},{"name":373,"options":1112,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":1113,"description":1114,"reverse":6,"image":1115},"\u003Ch2>Spot risky access and unsafe usage\u003C/h2>","\u003Cp>Discovery is just the beginning. Push flags apps with risky traits, no MFA, no SSO, known vulnerabilities, or broad access scopes. 
You’ll know which tools introduce real risk, and which users are exposed so you can act with precision.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6585f3c242da4d70ae3cb7d02f481bef",{"large":1117},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":1119,"meta":1120,"component":1121,"responsiveStyles":1126},"builder-dc366b5134684fe7a508edf8913103ea",{"previousId":999},{"name":373,"options":1122,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1123,"description":1124,"reverse":41,"image":1125},"\u003Ch2>Close gaps before they grow\u003C/h2>","\u003Cp>Push turns insight into action. When risky SaaS use is detected, guide users to enable MFA, block high-risk apps, or apply in-browser guardrails automatically. All without deploying new infrastructure or managing dozens of integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe6d60b6d91414819bc6258a318f00557",{"large":1127},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1129,"meta":1130,"component":1131,"responsiveStyles":1133},"builder-8708f6f0d8da4b3f9e17bf16cda70219",{"previousId":1009},{"name":354,"options":1132,"isRSC":118},{"darkMode":6},{"large":1134},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1136,"component":1137,"responsiveStyles":1139},"builder-8ff4b38d60534cf28cb523ab0f754875",{"name":416,"tag":416,"options":1138,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1140},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1142,"@type":106,"tagName":131,"properties":1143,"responsiveStyles":1144},"builder-pixel-d1ul2kmxbed",{"src":133,"aria-hidden":134,"alt":37,"role":135,"w
idth":124,"height":124},{"large":1145},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1147},{"path":37,"query":1148},{},{},1770892936802,1746714967208,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01bfb2304521412fbd2e1a1180904d40",[],{"originalContentId":919,"winningTest":118,"lastPreviewUrl":1155,"breakpoints":1156,"kind":438,"hasLinks":6,"hasAutosaves":6},"https://pushsecurity.com/uc/shadow-saas?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=5f118e24433d46ceb79f5099987156d7&builder.overrides.5f118e24433d46ceb79f5099987156d7=5f118e24433d46ceb79f5099987156d7&builder.overrides.use-case-page:/uc/shadow-saas=5f118e24433d46ceb79f5099987156d7&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":1158,"id":1159,"name":1160,"modelId":261,"published":13,"query":1161,"data":1164,"variations":1268,"lastUpdated":1269,"firstPublished":1270,"testRatio":33,"screenshot":1271,"createdBy":34,"lastUpdatedBy":674,"folders":1272,"meta":1273,"rev":440},1764707470172,"b62629ce2f3741158d961cd10fe74b31","Shadow AI",[1162],{"@type":264,"property":265,"operator":266,"value":1163},"/uc/shadow-ai",{"fontAwesomeIcon":1165,"seoTitle":1166,"jsCode":37,"customFonts":1167,"title":1172,"tsCode":37,"seoDescription":1173,"blocks":1174,"url":1163,"state":1265},"faBrainCircuit","Secure AI 
native and AI enhanced apps. ",[1168],{"variants":1169,"category":295,"files":1170,"subsets":1171,"family":272,"kind":273,"menu":296,"lastModified":275,"version":274},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"800italic":285,"regular":290,"700italic":287,"200italic":291,"italic":289,"500italic":292,"600italic":294,"300italic":293,"100italic":288,"900italic":286},[298,299],"Secure shadow AI","See and control shadow AI apps in the browser.",[1175,1260],{"@type":106,"@version":107,"tagName":323,"id":1176,"meta":1177,"children":1178},"builder-a6e5717a2c914d5695058e4ee201a05d",{"previousId":1056},[1179,1195,1202,1209,1219,1228,1237,1247,1254],{"@type":106,"@version":107,"id":1180,"meta":1181,"component":1182,"responsiveStyles":1193},"builder-3e0ed678683f4a0eb7aa00253cf263b2",{"previousId":1060},{"name":327,"options":1183,"isRSC":118},{"title":1172,"description":1184,"points":1185,"image":1192},"\u003Cp>Your employees are adopting AI faster than you can track it. From native features in corporate apps to unapproved shadow tools, it’s all happening in the browser. 
Push detects every AI interaction in real time, letting you categorize apps and enforce acceptable use policies in the browser.\u003C/p>",[1186,1188,1190],{"item":1187},"Map every AI tool used across your workforce",{"item":1189},"Review and classify apps by sensitivity, purpose, and policy status",{"item":1191},"Enforce AI usage rules directly in the browser","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F33cf153d920f4e389f3650253577cff7",{"large":1194},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":1196,"meta":1197,"component":1198,"responsiveStyles":1200},"builder-76968f8471d14893b8189d75b08fb426",{"previousId":1076},{"name":346,"options":1199,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":1201},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":1203,"meta":1204,"component":1205,"responsiveStyles":1207},"builder-b55b9d4bc5a649d8839ce7f6c2043d95",{"previousId":1083},{"name":354,"options":1206,"isRSC":118},{"darkMode":41},{"large":1208},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1210,"meta":1211,"component":1212,"responsiveStyles":1217},"builder-c3f38ef4d75d4989a29b5903175ed8a1",{"previousId":1090},{"name":359,"tag":359,"options":1213,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":1214,"description":1215,"image":1216,"reverse":6},"\u003Ch2>Use your browser to govern AI \u003C/h2>","\u003Cp>The AI footprint inside your company is bigger than you think. From text generators to meeting assistants and design copilots, employees test, adopt, and connect new tools constantly. 
Push shows you those tools and which users are accessing them, without relying on network scans or API integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F30b43bda6f1644c19478fb1efa20050c",{"large":1218},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1220,"meta":1221,"component":1222,"responsiveStyles":1226},"builder-90ee9cb9afc44e7f885523715bf51a53",{"previousId":1099},{"name":373,"options":1223,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":1224,"description":1225,"reverse":41,"image":1115},"\u003Ch2>Discover every AI tool users touch\u003C/h2>","\u003Cp>Push captures live telemetry from the browser, identifying every AI-native and AI-enhanced application users access. You’ll know which corporate identities are connected, how data flows, and what new AI apps appear across your environment. \u003C/p>",{"large":1227},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":1229,"meta":1230,"component":1231,"responsiveStyles":1235},"builder-9e44539fa53c4d8e87406036c921fc46",{"previousId":1109},{"name":373,"options":1232,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":1233,"description":1234,"reverse":6,"image":1125},"\u003Ch2>Classify and manage AI risk\u003C/h2>","\u003Cp>For apps you choose to allow, Push lets you apply custom in-browser banners. You can bulk-select categories of AI tools and require users to read and acknowledge your acceptable use policy before they proceed. 
This creates an auditable trail and moves policy from an easy to forget document to an active, in-workflow control.\u003C/p>",{"large":1236},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":1238,"meta":1239,"component":1240,"responsiveStyles":1245},"builder-44c1a891926f4bdeaaa37e90721fe6ac",{"previousId":1119},{"name":373,"options":1241,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1242,"description":1243,"reverse":41,"image":1244},"\u003Ch2>Enforce your AI policy in the browser\u003C/h2>","\u003Cp>When an AI tool is deemed non-compliant or too risky, Push blocks it at the source. The block happens directly in the browser, preventing the user from accessing the site or submitting data. This gives you an immediate, powerful lever to stop data exfiltration and enforce a hard line on unacceptable risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa359ac1805af4e15a8a7f84632b9bb55",{"large":1246},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1248,"meta":1249,"component":1250,"responsiveStyles":1252},"builder-dcc906f9cbe54dc68b3c672668e7a38f",{"previousId":1129},{"name":354,"options":1251,"isRSC":118},{"darkMode":6},{"large":1253},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1255,"component":1256,"responsiveStyles":1258},"builder-d2d64780c31b4349bc75805b23a07e38",{"name":416,"tag":416,"options":1257,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1259},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1261,"@type":106,"tagName":131,"properties":1262,"responsiveStyles":1263},"builder-pixel-wxx9tk70r9p",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124
},{"large":1264},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1266},{"path":37,"query":1267},{},{},1770892957225,1764950077593,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe558b8b069884037a8e6904f7ecc029c",[],{"winningTest":118,"breakpoints":1274,"originalContentId":1039,"kind":438,"lastPreviewUrl":1275,"hasLinks":6,"hasAutosaves":41},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/shadow-ai?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=b62629ce2f3741158d961cd10fe74b31&builder.overrides.b62629ce2f3741158d961cd10fe74b31=b62629ce2f3741158d961cd10fe74b31&builder.overrides.use-case-page:/uc/shadow-ai=b62629ce2f3741158d961cd10fe74b31&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"_path":1277,"_dir":1278,"_draft":6,"_partial":6,"_locale":37,"sys":1279,"ogImage":118,"summary":1282,"title":1296,"subtitle":118,"metaTitle":1297,"synopsis":1292,"hashTags":118,"publishedDate":1298,"slug":1299,"tagsCollection":1300,"relatedBlogPostsCollection":1310,"authorsCollection":3597,"content":3601,"_id":4151,"_type":4115,"_source":4152,"_file":4153,"_stem":4154,"_extension":4115},"/blog/an-investigation-guide-for-assessing-app-to-app-oauth-integration-risk","blog",{"id":1280,"publishedAt":1281},"3cvobsSnd6xjB6tHhWt4bX","2023-08-07T10:35:39.350Z",{"json":1283},{"data":1284,"content":1285,"nodeType":
1295},{},[1286],{"data":1287,"content":1288,"nodeType":1294},{},[1289],{"data":1290,"marks":1291,"value":1292,"nodeType":1293},{},[],"An employee has added a new integration to your Azure tenant or Google Workspace. How do you assess risk? We’ll cover a few techniques in this article.","text","paragraph","document","An investigation guide for assessing app-to-app OAuth integration risk","An investigation guide for assessing app-to-app integration risk","2023-03-15T00:00:00.000Z","an-investigation-guide-for-assessing-app-to-app-oauth-integration-risk",{"items":1301},[1302,1306],{"sys":1303,"name":1305},{"id":1304},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"sys":1307,"name":1309},{"id":1308},"1gZi8NrRy2v9OqPV7C4dwD","Risk management",{"items":1311},[1312,2658,3142],{"__typename":1313,"sys":1314,"content":1316,"title":2639,"synopsis":1331,"hashTags":118,"publishedDate":2640,"slug":2641,"tagsCollection":2642,"authorsCollection":2650},"BlogPosts",{"id":1315},"3JXKiUMGU8JBpndhLRYOCJ",{"json":1317},{"nodeType":1295,"data":1318,"content":1319},{},[1320,1327,1334,1342,1350,1376,1383,1390,1397,1404,1411,1447,1453,1460,1581,1588,1595,1851,1858,1865,1871,1904,1911,1918,1924,1931,1937,1944,1951,1957,1964,1971,1977,1984,1991,1997,2004,2020,2026,2033,2066,2073,2093,2100,2107,2114,2120,2158,2178,2233,2240,2247,2267,2286,2293,2326,2332,2339,2346,2353,2360,2367,2374,2394,2400,2407,2426,2433,2440,2446,2453,2460,2466,2473,2519,2526,2532,2539,2545,2552,2559,2592,2599,2606,2613,2620,2627,2633],{"nodeType":1294,"data":1321,"content":1322},{},[1323],{"nodeType":1293,"value":1324,"marks":1325,"data":1326},"With the proliferation of SaaS apps and integrations comes an equal helping of uncertainty surrounding the associated security risks. If you’ve ever found yourself in a position where you’ve had to review a SaaS app integration, whether it’s during the remediation stage of an incident or simply during the process of tending to a user request, then keep on reading. 
",[],{},{"nodeType":1294,"data":1328,"content":1329},{},[1330],{"nodeType":1293,"value":1331,"marks":1332,"data":1333},"This article covers common ways an app could lead to compromise in Microsoft Azure, and what to look out for when determining risk to your organization.",[],{},{"nodeType":1335,"data":1336,"content":1337},"heading-1",{},[1338],{"nodeType":1293,"value":1339,"marks":1340,"data":1341},"Consent phishing",[],{},{"nodeType":1343,"data":1344,"content":1345},"heading-2",{},[1346],{"nodeType":1293,"value":1347,"marks":1348,"data":1349},"The issue:",[],{},{"nodeType":1294,"data":1351,"content":1352},{},[1353,1357,1372],{"nodeType":1293,"value":1354,"marks":1355,"data":1356},"This method of compromising user accounts has been covered a ",[],{},{"nodeType":1358,"data":1359,"content":1365},"entry-hyperlink",{"target":1360},{"sys":1361},{"id":1362,"type":1363,"linkType":1364},"1bV8YTSQHvveCTnRc4H8su","Link","Entry",[1366],{"nodeType":1293,"value":1367,"marks":1368,"data":1371},"few times",[1369],{"type":1370},"underline",{},{"nodeType":1293,"value":1373,"marks":1374,"data":1375}," by Push. Without rehashing too much of the content, the main idea behind consent phishing is to get a user to perform an integration while the app masquerades as something official. ",[],{},{"nodeType":1294,"data":1377,"content":1378},{},[1379],{"nodeType":1293,"value":1380,"marks":1381,"data":1382},"As an example, a user is sent an email where the content is either surprisingly legitimate, or sparks sufficient curiosity to make them want to access the data behind the link. They are directed to a Microsoft or Google login page, where the app asks for certain permissions, such as mailbox access. The user, having performed these actions before, thinks nothing of it and clicks ‘allow’. 
The attacker has successfully tricked the user into giving them access to their mailbox (or whichever privileges the app was requesting).",[],{},{"nodeType":1384,"data":1385,"content":1389},"embedded-entry-block",{"target":1386},{"sys":1387},{"id":1388,"type":1363,"linkType":1364},"2zeeE8NrgX4MnpHdIjszot",[],{"nodeType":1343,"data":1391,"content":1392},{},[1393],{"nodeType":1293,"value":1394,"marks":1395,"data":1396},"The solution:",[],{},{"nodeType":1294,"data":1398,"content":1399},{},[1400],{"nodeType":1293,"value":1401,"marks":1402,"data":1403},"There are two ways to help prevent this type of compromise:",[],{},{"nodeType":1294,"data":1405,"content":1406},{},[1407],{"nodeType":1293,"value":1408,"marks":1409,"data":1410},"The first is to go the “block everything” route by preventing any integrations from being added to your tenants at all. This is quite heavy-handed and a bit like throwing the baby out with the bathwater, as this approach leads to IT/security departments becoming known as the departments of ‘NO’, potentially resulting in users circumventing controls, and the emergence of shadow IT.",[],{},{"nodeType":1294,"data":1412,"content":1413},{},[1414,1418,1428,1432,1443],{"nodeType":1293,"value":1415,"marks":1416,"data":1417},"The second is to be sensible about what to allow and what to prevent during SaaS integrations. 
For instance, in Microsoft 365, administrators are able to ",[],{},{"nodeType":1419,"data":1420,"content":1422},"hyperlink",{"uri":1421},"https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-permission-classifications",[1423],{"nodeType":1293,"value":1424,"marks":1425,"data":1427},"specify low-risk scopes",[1426],{"type":1370},{},{"nodeType":1293,"value":1429,"marks":1430,"data":1431},", such as ones specifically used for performing social logins (which are okay to do ",[],{},{"nodeType":1358,"data":1433,"content":1437},{"target":1434},{"sys":1435},{"id":1436,"type":1363,"linkType":1364},"68syxk4cmD6QOdVRcDqgEZ",[1438],{"nodeType":1293,"value":1439,"marks":1440,"data":1442},"by the way",[1441],{"type":1370},{},{"nodeType":1293,"value":1444,"marks":1445,"data":1446},"). Admins can then allow employees to perform social logins, and integrate apps making use of other low-risk scopes from verified apps only. Employees can also request access to anything requiring other scopes. 
This is a great way to enable users to perform their jobs, while preventing them from accidentally exposing themselves or the wider organization to unnecessary risk.",[],{},{"nodeType":1384,"data":1448,"content":1452},{"target":1449},{"sys":1450},{"id":1451,"type":1363,"linkType":1364},"44NsMwlLpX4qnZP94GyTSO",[],{"nodeType":1294,"data":1454,"content":1455},{},[1456],{"nodeType":1293,"value":1457,"marks":1458,"data":1459},"When configuring the above for the first time, Microsoft provides a list of 5 scopes:",[],{},{"nodeType":1461,"data":1462,"content":1463},"table",{},[1464,1489,1512,1535,1558],{"nodeType":1465,"data":1466,"content":1467},"table-row",{},[1468,1479],{"nodeType":1469,"data":1470,"content":1471},"table-cell",{},[1472],{"nodeType":1294,"data":1473,"content":1474},{},[1475],{"nodeType":1293,"value":1476,"marks":1477,"data":1478},"profile",[],{},{"nodeType":1469,"data":1480,"content":1481},{},[1482],{"nodeType":1294,"data":1483,"content":1484},{},[1485],{"nodeType":1293,"value":1486,"marks":1487,"data":1488},"View user's basic profile",[],{},{"nodeType":1465,"data":1490,"content":1491},{},[1492,1502],{"nodeType":1469,"data":1493,"content":1494},{},[1495],{"nodeType":1294,"data":1496,"content":1497},{},[1498],{"nodeType":1293,"value":1499,"marks":1500,"data":1501},"openid",[],{},{"nodeType":1469,"data":1503,"content":1504},{},[1505],{"nodeType":1294,"data":1506,"content":1507},{},[1508],{"nodeType":1293,"value":1509,"marks":1510,"data":1511},"Sign users in",[],{},{"nodeType":1465,"data":1513,"content":1514},{},[1515,1525],{"nodeType":1469,"data":1516,"content":1517},{},[1518],{"nodeType":1294,"data":1519,"content":1520},{},[1521],{"nodeType":1293,"value":1522,"marks":1523,"data":1524},"email",[],{},{"nodeType":1469,"data":1526,"content":1527},{},[1528],{"nodeType":1294,"data":1529,"content":1530},{},[1531],{"nodeType":1293,"value":1532,"marks":1533,"data":1534},"View user's email 
address",[],{},{"nodeType":1465,"data":1536,"content":1537},{},[1538,1548],{"nodeType":1469,"data":1539,"content":1540},{},[1541],{"nodeType":1294,"data":1542,"content":1543},{},[1544],{"nodeType":1293,"value":1545,"marks":1546,"data":1547},"User.Read",[],{},{"nodeType":1469,"data":1549,"content":1550},{},[1551],{"nodeType":1294,"data":1552,"content":1553},{},[1554],{"nodeType":1293,"value":1555,"marks":1556,"data":1557},"Sign in and read user profile",[],{},{"nodeType":1465,"data":1559,"content":1560},{},[1561,1571],{"nodeType":1469,"data":1562,"content":1563},{},[1564],{"nodeType":1294,"data":1565,"content":1566},{},[1567],{"nodeType":1293,"value":1568,"marks":1569,"data":1570},"offline_access",[],{},{"nodeType":1469,"data":1572,"content":1573},{},[1574],{"nodeType":1294,"data":1575,"content":1576},{},[1577],{"nodeType":1293,"value":1578,"marks":1579,"data":1580},"Maintain access to data you have given it access to (refresh tokens)",[],{},{"nodeType":1294,"data":1582,"content":1583},{},[1584],{"nodeType":1293,"value":1585,"marks":1586,"data":1587},"The above scopes are the minimum required to enable social logins to take place, and would cover a good number of apps that only require basic information for account creation purposes. 
",[],{},{"nodeType":1294,"data":1589,"content":1590},{},[1591],{"nodeType":1293,"value":1592,"marks":1593,"data":1594},"If you’d like to go a step further, you should also consider approving the following to allow users to integrate these relatively common scopes from verified apps:",[],{},{"nodeType":1461,"data":1596,"content":1597},{},[1598,1621,1644,1667,1690,1713,1736,1759,1782,1805,1828],{"nodeType":1465,"data":1599,"content":1600},{},[1601,1611],{"nodeType":1469,"data":1602,"content":1603},{},[1604],{"nodeType":1294,"data":1605,"content":1606},{},[1607],{"nodeType":1293,"value":1608,"marks":1609,"data":1610},"Calendars.Read",[],{},{"nodeType":1469,"data":1612,"content":1613},{},[1614],{"nodeType":1294,"data":1615,"content":1616},{},[1617],{"nodeType":1293,"value":1618,"marks":1619,"data":1620},"Read user calendars",[],{},{"nodeType":1465,"data":1622,"content":1623},{},[1624,1634],{"nodeType":1469,"data":1625,"content":1626},{},[1627],{"nodeType":1294,"data":1628,"content":1629},{},[1630],{"nodeType":1293,"value":1631,"marks":1632,"data":1633},"Calendars.ReadWrite",[],{},{"nodeType":1469,"data":1635,"content":1636},{},[1637],{"nodeType":1294,"data":1638,"content":1639},{},[1640],{"nodeType":1293,"value":1641,"marks":1642,"data":1643},"Have full access to user calendars",[],{},{"nodeType":1465,"data":1645,"content":1646},{},[1647,1657],{"nodeType":1469,"data":1648,"content":1649},{},[1650],{"nodeType":1294,"data":1651,"content":1652},{},[1653],{"nodeType":1293,"value":1654,"marks":1655,"data":1656},"Calendars.ReadWrite.Shared",[],{},{"nodeType":1469,"data":1658,"content":1659},{},[1660],{"nodeType":1294,"data":1661,"content":1662},{},[1663],{"nodeType":1293,"value":1664,"marks":1665,"data":1666},"Read and write user and shared 
calendars",[],{},{"nodeType":1465,"data":1668,"content":1669},{},[1670,1680],{"nodeType":1469,"data":1671,"content":1672},{},[1673],{"nodeType":1294,"data":1674,"content":1675},{},[1676],{"nodeType":1293,"value":1677,"marks":1678,"data":1679},"Contacts.Read",[],{},{"nodeType":1469,"data":1681,"content":1682},{},[1683],{"nodeType":1294,"data":1684,"content":1685},{},[1686],{"nodeType":1293,"value":1687,"marks":1688,"data":1689},"Read user contacts",[],{},{"nodeType":1465,"data":1691,"content":1692},{},[1693,1703],{"nodeType":1469,"data":1694,"content":1695},{},[1696],{"nodeType":1294,"data":1697,"content":1698},{},[1699],{"nodeType":1293,"value":1700,"marks":1701,"data":1702},"Contacts.Read.Shared",[],{},{"nodeType":1469,"data":1704,"content":1705},{},[1706],{"nodeType":1294,"data":1707,"content":1708},{},[1709],{"nodeType":1293,"value":1710,"marks":1711,"data":1712},"Read user and shared contacts",[],{},{"nodeType":1465,"data":1714,"content":1715},{},[1716,1726],{"nodeType":1469,"data":1717,"content":1718},{},[1719],{"nodeType":1294,"data":1720,"content":1721},{},[1722],{"nodeType":1293,"value":1723,"marks":1724,"data":1725},"Contacts.ReadWrite",[],{},{"nodeType":1469,"data":1727,"content":1728},{},[1729],{"nodeType":1294,"data":1730,"content":1731},{},[1732],{"nodeType":1293,"value":1733,"marks":1734,"data":1735},"Have full access to user contacts",[],{},{"nodeType":1465,"data":1737,"content":1738},{},[1739,1749],{"nodeType":1469,"data":1740,"content":1741},{},[1742],{"nodeType":1294,"data":1743,"content":1744},{},[1745],{"nodeType":1293,"value":1746,"marks":1747,"data":1748},"Contacts.ReadWrite.Shared",[],{},{"nodeType":1469,"data":1750,"content":1751},{},[1752],{"nodeType":1294,"data":1753,"content":1754},{},[1755],{"nodeType":1293,"value":1756,"marks":1757,"data":1758},"Read and write user and shared 
contacts",[],{},{"nodeType":1465,"data":1760,"content":1761},{},[1762,1772],{"nodeType":1469,"data":1763,"content":1764},{},[1765],{"nodeType":1294,"data":1766,"content":1767},{},[1768],{"nodeType":1293,"value":1769,"marks":1770,"data":1771},"People.Read",[],{},{"nodeType":1469,"data":1773,"content":1774},{},[1775],{"nodeType":1294,"data":1776,"content":1777},{},[1778],{"nodeType":1293,"value":1779,"marks":1780,"data":1781},"Read users' relevant people lists",[],{},{"nodeType":1465,"data":1783,"content":1784},{},[1785,1795],{"nodeType":1469,"data":1786,"content":1787},{},[1788],{"nodeType":1294,"data":1789,"content":1790},{},[1791],{"nodeType":1293,"value":1792,"marks":1793,"data":1794},"Files.Read.Selected",[],{},{"nodeType":1469,"data":1796,"content":1797},{},[1798],{"nodeType":1294,"data":1799,"content":1800},{},[1801],{"nodeType":1293,"value":1802,"marks":1803,"data":1804},"Read files that the user selects",[],{},{"nodeType":1465,"data":1806,"content":1807},{},[1808,1818],{"nodeType":1469,"data":1809,"content":1810},{},[1811],{"nodeType":1294,"data":1812,"content":1813},{},[1814],{"nodeType":1293,"value":1815,"marks":1816,"data":1817},"Files.ReadWrite.Selected",[],{},{"nodeType":1469,"data":1819,"content":1820},{},[1821],{"nodeType":1294,"data":1822,"content":1823},{},[1824],{"nodeType":1293,"value":1825,"marks":1826,"data":1827},"Read and write files that the user selects",[],{},{"nodeType":1465,"data":1829,"content":1830},{},[1831,1841],{"nodeType":1469,"data":1832,"content":1833},{},[1834],{"nodeType":1294,"data":1835,"content":1836},{},[1837],{"nodeType":1293,"value":1838,"marks":1839,"data":1840},"User.ReadWrite",[],{},{"nodeType":1469,"data":1842,"content":1843},{},[1844],{"nodeType":1294,"data":1845,"content":1846},{},[1847],{"nodeType":1293,"value":1848,"marks":1849,"data":1850},"Read and write access to user profile",[],{},{"nodeType":1294,"data":1852,"content":1853},{},[1854],{"nodeType":1293,"value":1855,"marks":1856,"data":1857},"We’ve determined 
these scopes to be relatively low-risk, but this would depend on the risk appetite of your organization. Pre-approving the scopes will go a long way towards enabling your users to make use of SaaS apps without raising unnecessary approval requests from your IT or security team. Keep in mind that a pre-approval applies to every verified app that requests one of these scopes, not only the apps you have already reviewed, so revisit the list if your risk appetite changes.
",[],{},{"nodeType":1294,"data":1905,"content":1906},{},[1907],{"nodeType":1293,"value":1908,"marks":1909,"data":1910},"While I’m sure this is not a 100% infallible process, at the very least it provides you with the confidence that someone at Microsoft had reached out to the company and spoken to someone who claims they are who they say they are. This is opposed to a random person creating a Microsoft Azure tenant and marking their app as being published by Adobe, as an example.",[],{},{"nodeType":1294,"data":1912,"content":1913},{},[1914],{"nodeType":1293,"value":1915,"marks":1916,"data":1917},"At Push, we’ve noticed plenty of unverified apps published by legitimate vendors. This could be related to vendors having multiple tenants, and not having completed the verification process across all yet. As an example, we have a few of Adobe’s apps for Microsoft 365:",[],{},{"nodeType":1384,"data":1919,"content":1923},{"target":1920},{"sys":1921},{"id":1922,"type":1363,"linkType":1364},"4eDWZKrMau1AfU4pXgOW42",[],{"nodeType":1294,"data":1925,"content":1926},{},[1927],{"nodeType":1293,"value":1928,"marks":1929,"data":1930},"In the above image, we have a verified app from Adobe, Inc. We know this due to the ‘Verified Publisher’ attribute that is included when parsing the information provided by Microsoft. We can also see that the only reply url is one associated directly with Adobe – adobe.com. Next, we have an unverified app:",[],{},{"nodeType":1384,"data":1932,"content":1936},{"target":1933},{"sys":1934},{"id":1935,"type":1363,"linkType":1364},"5e5RhdYiMh0Q3CZzmNoRDI",[],{"nodeType":1294,"data":1938,"content":1939},{},[1940],{"nodeType":1293,"value":1941,"marks":1942,"data":1943},"This app does not include the ‘verified publisher’ attribute when reading the information provided by Microsoft. 
However, the app only has one reply url, and this is again a subdomain of adobe.com.",[],{},{"nodeType":1294,"data":1945,"content":1946},{},[1947],{"nodeType":1293,"value":1948,"marks":1949,"data":1950},"The takeaway here is that not all unverified apps are malicious. More often than not it’s related to the vendor not having gone through the verification process, but this means it unfortunately becomes the security team’s burden to figure out.",[],{},{"nodeType":1343,"data":1952,"content":1953},{},[1954],{"nodeType":1293,"value":1394,"marks":1955,"data":1956},[],{},{"nodeType":1294,"data":1958,"content":1959},{},[1960],{"nodeType":1293,"value":1961,"marks":1962,"data":1963},"At Push, we attempt to review every application we come across to determine if it's legit and whether it belongs to the vendor it claims to originate from. There are multiple ways to do this, but as a general rule of thumb if all the app’s reply urls are associated with the vendor, you are good. You can perform an integration from the app’s website to verify that the particular app ID (seen in the metadata tag above) is the one you are looking at in your environment.",[],{},{"nodeType":1335,"data":1965,"content":1966},{},[1967],{"nodeType":1293,"value":1968,"marks":1969,"data":1970},"Apps with excessive privileges",[],{},{"nodeType":1343,"data":1972,"content":1973},{},[1974],{"nodeType":1293,"value":1347,"marks":1975,"data":1976},[],{},{"nodeType":1294,"data":1978,"content":1979},{},[1980],{"nodeType":1293,"value":1981,"marks":1982,"data":1983},"When you first start doing deep dives on permissions associated with apps in your environment, you find yourself looking at some apps and wonder out loud “we’re granting this vendor access to what?!",[],{},{"nodeType":1294,"data":1985,"content":1986},{},[1987],{"nodeType":1293,"value":1988,"marks":1989,"data":1990},"It’s a totally normal response, but don't worry, we’re here to help. 
Let’s take diagrams.net as an example:",[],{},{"nodeType":1384,"data":1992,"content":1996},{"target":1993},{"sys":1994},{"id":1995,"type":1363,"linkType":1364},"7DcPUSZ0nDYKmIy4E9xEHs",[],{"nodeType":1294,"data":1998,"content":1999},{},[2000],{"nodeType":1293,"value":2001,"marks":2002,"data":2003},"At first glance this doesn’t seem too bad. For the purposes of this example, let’s say the app was approved by 49 users. That means if diagrams.net got compromised, an attacker would potentially have access to 49 of your user’s OneDrive files. “That’s OK!” you say. “This will only affect a handful of files they’ve been working on locally. Our policy specifies that any company data, specifically data containing PII, be stored in SharePoint.”",[],{},{"nodeType":1294,"data":2005,"content":2006},{},[2007,2011,2016],{"nodeType":1293,"value":2008,"marks":2009,"data":2010},"And then comes the part where you notice the following permission: ",[],{},{"nodeType":1293,"value":2012,"marks":2013,"data":2015},"Sites.Read.All",[2014],{"type":312},{},{"nodeType":1293,"value":2017,"marks":2018,"data":2019},". This permission gives the application the ability to read every file across all SharePoint sites in your organization (that the users have permission to access.) Suddenly the scope of data access is much larger than you hoped.",[],{},{"nodeType":1343,"data":2021,"content":2022},{},[2023],{"nodeType":1293,"value":1394,"marks":2024,"data":2025},[],{},{"nodeType":1294,"data":2027,"content":2028},{},[2029],{"nodeType":1293,"value":2030,"marks":2031,"data":2032},"When faced with the dilemma of granting apps access to resources within your organization, the best course of action is to do a risk assessment.",[],{},{"nodeType":1294,"data":2034,"content":2035},{},[2036,2040,2049,2053,2062],{"nodeType":1293,"value":2037,"marks":2038,"data":2039},"This requires some good ol’ googling and reviewing the security policies of the app’s creator. 
You ideally also want to know who they use to process your data. Through this process, I found a ",[],{},{"nodeType":1419,"data":2041,"content":2043},{"uri":2042},"https://www.diagrams.net/blog/data-protection",[2044],{"nodeType":1293,"value":2045,"marks":2046,"data":2048},"blog post",[2047],{"type":1370},{},{"nodeType":1293,"value":2050,"marks":2051,"data":2052}," on diagrams.net detailing their approach to security and user privacy. They do make note that they don’t ",[],{},{"nodeType":1419,"data":2054,"content":2056},{"uri":2055},"https://www.diagrams.net/blog/data-protection#:~:text=Because%20your%20sensitive%20diagram%20data%20doesn%E2%80%99t%20leave%20your%20infrastructure%20and%20is%20never%20stored%20on%20the%20diagrams.net%20servers%2C%20diagrams.net%20is%20a%20tool%20which%20lets%20you%20comply%20with%20data%20protection%20certifications%20(ISO%2027000%2C%2027001%20and%2027002)%20and%20the%20GDPR.",[2057],{"nodeType":1293,"value":2058,"marks":2059,"data":2061},"store any sensitive customer data data on their servers",[2060],{"type":1370},{},{"nodeType":1293,"value":2063,"marks":2064,"data":2065},", and thus let you comply with GDPR, ISO 2700* etc. certifications if you use their services.",[],{},{"nodeType":1294,"data":2067,"content":2068},{},[2069],{"nodeType":1293,"value":2070,"marks":2071,"data":2072},"While this is great from a tick box exercise perspective, this doesn’t address the original concern – how much risk are you taking on by letting their app integrate with your environment? 
What could an attacker who compromises diagrams.net have access to and how do you lessen the risk while still allowing employees to use the app?",[],{},{"nodeType":1294,"data":2074,"content":2075},{},[2076,2080,2089],{"nodeType":1293,"value":2077,"marks":2078,"data":2079},"Further in the same blog post, they link to a GitHub ",[],{},{"nodeType":1419,"data":2081,"content":2083},{"uri":2082},"https://github.com/jgraph/security-privacy-legal",[2084],{"nodeType":1293,"value":2085,"marks":2086,"data":2088},"repository",[2087],{"type":1370},{},{"nodeType":1293,"value":2090,"marks":2091,"data":2092}," that contains their security and privacy processes, policies, and even some pentest reports. They do a great job of including this information, by the way, so cheers to diagrams.net!",[],{},{"nodeType":1294,"data":2094,"content":2095},{},[2096],{"nodeType":1293,"value":2097,"marks":2098,"data":2099},"At this point you should have a better understanding of the security of the vendor you’re integrating into your organization, and whether it’s okay to accept the risk. Documenting and adding the information you found to your risk register is also a good idea. Likely, you’ll be taking this information to your Information Security Manager for risk acceptance. ",[],{},{"nodeType":1294,"data":2101,"content":2102},{},[2103],{"nodeType":1293,"value":2104,"marks":2105,"data":2106},"We’re working on ways to provide this information to our clients through the Push app dashboard in future, too. Sign up or subscribe to our blog to get product updates when features like this are introduced. 
",[],{},{"nodeType":1335,"data":2108,"content":2109},{},[2110],{"nodeType":1293,"value":2111,"marks":2112,"data":2113},"Hijackable urls and implicit grant flow",[],{},{"nodeType":1343,"data":2115,"content":2116},{},[2117],{"nodeType":1293,"value":1347,"marks":2118,"data":2119},[],{},{"nodeType":1294,"data":2121,"content":2122},{},[2123,2128,2138,2143,2153],{"nodeType":1293,"value":2124,"marks":2125,"data":2127},"Developer side note: The implicit grant flow is no longer recommended due to security-related concerns and that it won’t function where ",[2126],{"type":312},{},{"nodeType":1419,"data":2129,"content":2131},{"uri":2130},"https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-third-party-cookies-spas#:~:text=Many%20browsers%20block%20third%2Dparty%20cookies%2C%20cookies%20on%20requests%20to%20domains%20other%20than%20the%20domain%20shown%20in%20the%20browser%27s%20address%20bar.%20This%20block%20breaks%20the%20implicit%20flow%20and%20requires%20new%20authentication%20patterns%20to%20successfully%20sign%20in%20users.",[2132],{"nodeType":1293,"value":2133,"marks":2134,"data":2137},"3rd party cookies are blocked in browsers",[2135,2136],{"type":1370},{"type":312},{},{"nodeType":1293,"value":2139,"marks":2140,"data":2142},". 
Instead, you should switch to using the ",[2141],{"type":312},{},{"nodeType":1419,"data":2144,"content":2146},{"uri":2145},"https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow",[2147],{"nodeType":1293,"value":2148,"marks":2149,"data":2152},"authorization code flow",[2150,2151],{"type":1370},{"type":312},{},{"nodeType":1293,"value":2154,"marks":2155,"data":2157}," if applicable to your requirements.",[2156],{"type":312},{},{"nodeType":1294,"data":2159,"content":2160},{},[2161,2165,2174],{"nodeType":1293,"value":2162,"marks":2163,"data":2164},"Let’s quickly go over how OAuth2’s implicit grant flow works so you can better understand how to spot potentially risky apps and integrations, and why this can result in a security concern. Microsoft provides a great ",[],{},{"nodeType":1419,"data":2166,"content":2168},{"uri":2167},"https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-implicit-grant-flow",[2169],{"nodeType":1293,"value":2170,"marks":2171,"data":2173},"breakdown",[2172],{"type":1370},{},{"nodeType":1293,"value":2175,"marks":2176,"data":2177}," of the implicit grant flow, however for the purposes of brevity (and simplicity), it does the following:",[],{},{"nodeType":2179,"data":2180,"content":2181},"ordered-list",{},[2182,2193,2203,2213,2223],{"nodeType":2183,"data":2184,"content":2185},"list-item",{},[2186],{"nodeType":1294,"data":2187,"content":2188},{},[2189],{"nodeType":1293,"value":2190,"marks":2191,"data":2192},"A user goes to a web app and clicks a login link",[],{},{"nodeType":2183,"data":2194,"content":2195},{},[2196],{"nodeType":1294,"data":2197,"content":2198},{},[2199],{"nodeType":1293,"value":2200,"marks":2201,"data":2202},"The web app redirects the user to authenticate and authorize the app. 
This is performed against your identity provider (in this example, Microsoft)",[],{},{"nodeType":2183,"data":2204,"content":2205},{},[2206],{"nodeType":1294,"data":2207,"content":2208},{},[2209],{"nodeType":1293,"value":2210,"marks":2211,"data":2212},"If this is the first time authorizing the app, the user is presented with a list of scopes (permissions) the app will need access to, and the user clicks “approve”",[],{},{"nodeType":2183,"data":2214,"content":2215},{},[2216],{"nodeType":1294,"data":2217,"content":2218},{},[2219],{"nodeType":1293,"value":2220,"marks":2221,"data":2222},"This responds with a token to one of the hard-coded reply urls associated with the app integration (e.g. https://apps.diagrams.net/microsoft as with the ‘Apps with excessive privileges’ example)",[],{},{"nodeType":2183,"data":2224,"content":2225},{},[2226],{"nodeType":1294,"data":2227,"content":2228},{},[2229],{"nodeType":1293,"value":2230,"marks":2231,"data":2232},"The app uses the token to access the user’s resources with the permissions approved in step 3",[],{},{"nodeType":1294,"data":2234,"content":2235},{},[2236],{"nodeType":1293,"value":2237,"marks":2238,"data":2239},"Based on the flow above, if an attacker gets their hands on the token from step 4, they can perform requests as the user, granting them access to your resources. To get the token, you need to control one of the hardcoded reply url endpoints, and convince a user to authenticate to the app – perhaps via a phishing attack.",[],{},{"nodeType":1294,"data":2241,"content":2242},{},[2243],{"nodeType":1293,"value":2244,"marks":2245,"data":2246},"As an example, some of the apps we’ve reviewed contained reply urls which were subdomains of azurewebsites.net and ngrok.io. These urls don’t appear problematic at first. However, the urls could have been used during the development process, and were forgotten about at the conclusion of the project. 
During the review process we follow at Push, we found multiple examples of such urls that were no longer in use.",[],{},{"nodeType":1294,"data":2248,"content":2249},{},[2250,2254,2263],{"nodeType":1293,"value":2251,"marks":2252,"data":2253},"This could allow an attacker to register the urls and perform phishing attacks against organizations that use these particular apps, granting the attacker access to previously- approved scopes and resources. The outcome of this attack would be similar to ",[],{},{"nodeType":1419,"data":2255,"content":2257},{"uri":2256},"https://www.oauth.com/oauth2-servers/authorization/security-considerations/#:~:text=Redirect%20URL%20Manipulation",[2258],{"nodeType":1293,"value":2259,"marks":2260,"data":2262},"redirect URL manipulation",[2261],{"type":1370},{},{"nodeType":1293,"value":2264,"marks":2265,"data":2266},", but instead of taking advantage of an open or misconfigured redirect, the attacker is in control of the endpoint where the token ends up.",[],{},{"nodeType":1294,"data":2268,"content":2269},{},[2270,2274,2282],{"nodeType":1293,"value":2271,"marks":2272,"data":2273},"How would you even go about detecting if an app makes use of the implicit grant flow? This requires getting your hands dirty with making authorization requests to your tenant for the specific app ID, and passing the “response_type=token” parameter in the url. This should return an error if the app is not configured with the implicit grant flow. 
If you’d like to test this yourself, you can follow the “Run in Postman” link at the top of ",[],{},{"nodeType":1419,"data":2275,"content":2276},{"uri":2167},[2277],{"nodeType":1293,"value":2278,"marks":2279,"data":2281},"this article",[2280],{"type":1370},{},{"nodeType":1293,"value":2283,"marks":2284,"data":2285}," to make this process a bit easier.",[],{},{"nodeType":1294,"data":2287,"content":2288},{},[2289],{"nodeType":1293,"value":2290,"marks":2291,"data":2292},"Another example of a hijackable url includes dangling DNS records. Let’s say your app includes a reply url pointing to a legacy server used for development (eg. apptesting-dev.ctrlaltsecure.com). This server was hosted on an EC2 instance in AWS, and has long since been decommissioned. However, the IP address associated with the instance is still pointing to the same address. A determined attacker could potentially gain access to the IP address by spinning up resources until it’s assigned to them.",[],{},{"nodeType":1294,"data":2294,"content":2295},{},[2296,2300,2309,2313,2322],{"nodeType":1293,"value":2297,"marks":2298,"data":2299},"OWASP has ",[],{},{"nodeType":1419,"data":2301,"content":2303},{"uri":2302},"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/10-Test_for_Subdomain_Takeover",[2304],{"nodeType":1293,"value":2305,"marks":2306,"data":2308},"published an article",[2307],{"type":1370},{},{"nodeType":1293,"value":2310,"marks":2311,"data":2312}," and HackerOne ",[],{},{"nodeType":1419,"data":2314,"content":2316},{"uri":2315},"https://www.hackerone.com/application-security/guide-subdomain-takeovers",[2317],{"nodeType":1293,"value":2318,"marks":2319,"data":2321},"posted a guide",[2320],{"type":1370},{},{"nodeType":1293,"value":2323,"marks":2324,"data":2325}," highlighting ways to take over subdomains , and it’s very easy to 
overlook.",[],{},{"nodeType":1343,"data":2327,"content":2328},{},[2329],{"nodeType":1293,"value":1394,"marks":2330,"data":2331},[],{},{"nodeType":1294,"data":2333,"content":2334},{},[2335],{"nodeType":1293,"value":2336,"marks":2337,"data":2338},"Unfortunately there is no elegant solution to this problem, and it’s not easy to spot as you would need to review each url to see if it’s still in use, in addition to figuring out if the app makes use of the implicit grant flow. Even then, is the active url being used by the developer, or has an attacker already claimed it.",[],{},{"nodeType":1294,"data":2340,"content":2341},{},[2342],{"nodeType":1293,"value":2343,"marks":2344,"data":2345},"The best course of action here is likely to make use of a proxy that prevents users from accessing unclassified urls, or urls with a low reputation. However, you will risk breaking applications and making your developers angry. This also does not solve the dangling DNS issue, as with the EC2 instance problem above.",[],{},{"nodeType":1294,"data":2347,"content":2348},{},[2349],{"nodeType":1293,"value":2350,"marks":2351,"data":2352},"Another option is to contact vendors of apps that you’ve noticed including such urls in their apps and ask them to remove the stale entries from their apps.",[],{},{"nodeType":1335,"data":2354,"content":2355},{},[2356],{"nodeType":1293,"value":2357,"marks":2358,"data":2359},"You think you’ve been compromised. 
Now what?",[],{},{"nodeType":1294,"data":2361,"content":2362},{},[2363],{"nodeType":1293,"value":2364,"marks":2365,"data":2366},"\nRegardless of the method of compromise, there’s a few steps you can take to review what happened and to prevent further access into your environment.",[],{},{"nodeType":1343,"data":2368,"content":2369},{},[2370],{"nodeType":1293,"value":2371,"marks":2372,"data":2373},"Review app sign-in logs",[],{},{"nodeType":1294,"data":2375,"content":2376},{},[2377,2381,2390],{"nodeType":1293,"value":2378,"marks":2379,"data":2380},"In Azure Active Directory, head to ",[],{},{"nodeType":1419,"data":2382,"content":2384},{"uri":2383},"https://portal.azure.com/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppAppsPreview/menuId~/null",[2385],{"nodeType":1293,"value":2386,"marks":2387,"data":2389},"Enterprise applications",[2388],{"type":1370},{},{"nodeType":1293,"value":2391,"marks":2392,"data":2393}," and click on the app you want to review. In the new window, click on sign-in logs. You will be presented with a list of user sign-ins (interactive and non-interactive), service principal sign-ins, and managed identity sign-ins.",[],{},{"nodeType":1384,"data":2395,"content":2399},{"target":2396},{"sys":2397},{"id":2398,"type":1363,"linkType":1364},"2L7vf2zjZBelGMJSjP2inY",[],{"nodeType":1294,"data":2401,"content":2402},{},[2403],{"nodeType":1293,"value":2404,"marks":2405,"data":2406},"What you typically need to look for is non-interactive user sign-in logs. Non-interactive sign-ins are related to login events performed on behalf of a user where usernames and passwords were not used (read: tokens). You want to review the sign-ins to determine if there were authentication events from IP addresses unrelated to normal employee activity, which can include discrepancies in geographical locations, and out-of-hours activity. 
Service principal sign-ins (the app authenticating as itself, using application rather than delegated permissions) would also be of interest, however it would be more difficult to determine odd behavior as you wouldn’t have user sign-ins to compare with.
Under the application’s properties, change the setting “Enable for users to sign-in?” from “Yes” to “No”, followed by clicking “Save.”",[],{},{"nodeType":1384,"data":2461,"content":2465},{"target":2462},{"sys":2463},{"id":2464,"type":1363,"linkType":1364},"12NnJ8OhD3K27rFRJ48t6a",[],{"nodeType":1343,"data":2467,"content":2468},{},[2469],{"nodeType":1293,"value":2470,"marks":2471,"data":2472},"Revoke all refresh tokens",[],{},{"nodeType":1294,"data":2474,"content":2475},{},[2476,2480,2489,2493,2502,2506,2515],{"nodeType":1293,"value":2477,"marks":2478,"data":2479},"Disabling the app is not enough to prevent attackers from maintaining access to your environment. ",[],{},{"nodeType":1419,"data":2481,"content":2483},{"uri":2482},"https://learn.microsoft.com/en-us/azure/active-directory/develop/refresh-tokens",[2484],{"nodeType":1293,"value":2485,"marks":2486,"data":2488},"Refresh tokens",[2487],{"type":1370},{},{"nodeType":1293,"value":2490,"marks":2491,"data":2492}," provide a way for apps to retrieve new access tokens without bugging users with pesky sign-in screens. 
Access tokens are typically valid for between 
Click on ‘Permissions’ for the app, followed by ‘Review permissions.’ ",[],{},{"nodeType":1384,"data":2527,"content":2531},{"target":2528},{"sys":2529},{"id":2530,"type":1363,"linkType":1364},"7vuFmlmZbzfNhWHPj8ToHm",[],{"nodeType":1294,"data":2533,"content":2534},{},[2535],{"nodeType":1293,"value":2536,"marks":2537,"data":2538},"In the new window, click on ‘This application is malicious and I’m compromised.’ This will present you with the necessary PowerShell scripts to remove users from the app, revoke all permissions granted to the app, and finally to revoke refresh tokens associated with the app.",[],{},{"nodeType":1384,"data":2540,"content":2544},{"target":2541},{"sys":2542},{"id":2543,"type":1363,"linkType":1364},"4NnD6WKRHlnzKE0F4GUDEm",[],{"nodeType":1343,"data":2546,"content":2547},{},[2548],{"nodeType":1293,"value":2549,"marks":2550,"data":2551},"What to do if the initial access token was stolen",[],{},{"nodeType":1294,"data":2553,"content":2554},{},[2555],{"nodeType":1293,"value":2556,"marks":2557,"data":2558},"The initial access token cannot be revoked. In practice, if an attacker has managed to steal an access token it will be valid for the remainder of its lifespan, which is typically one hour. This is true even if the account is disabled, the compromised app deleted, and all refresh tokens revoked. 
If you’re responding to an incident, you will need to keep an eye on audit logs for an hour or more after performing the above steps to make sure the valid access token wasn’t still being used to perform actions in the environment. Note that using an already-issued access token does not produce a new sign-in event, so it is the audit and activity logs of the affected workloads – not the sign-in logs – that will show it.
Continuous access evaluation is ideal for handling specific cases of user access into the environment such as employee contract termination, or scenarios where conditional access policies are violated.",[],{},{"nodeType":1335,"data":2593,"content":2594},{},[2595],{"nodeType":1293,"value":2596,"marks":2597,"data":2598},"Conclusion",[],{},{"nodeType":1294,"data":2600,"content":2601},{},[2602],{"nodeType":1293,"value":2603,"marks":2604,"data":2605},"This article should have given you a better understanding of the most common issues presented when reviewing SaaS apps integrated into your environment. ",[],{},{"nodeType":1294,"data":2607,"content":2608},{},[2609],{"nodeType":1293,"value":2610,"marks":2611,"data":2612},"Determining whether using an app would result in compromise is not a simple task, especially if you haven’t observed malicious behavior. As such, the best course of action is to consider all angles, which include the business case of users requiring its use, the permission scopes, and whether the vendor’s security practices are in line with your requirements.",[],{},{"nodeType":1294,"data":2614,"content":2615},{},[2616],{"nodeType":1293,"value":2617,"marks":2618,"data":2619},"SaaS is a new(ish) frontier that can be really daunting to defend against attackers, but it's not impossible to reduce risk without simply blocking access to SaaS. 
And, remember: denying users access to tools will make them find ways around the limitations.",[],{},{"nodeType":1294,"data":2621,"content":2622},{},[2623],{"nodeType":1293,"value":2624,"marks":2625,"data":2626},"We hope this article helps you get a better handle on how to determine if you’ve been compromised, and respond to incidents involving SaaS apps and/or OAuth integrations to your core work platforms.",[],{},{"nodeType":1384,"data":2628,"content":2632},{"target":2629},{"sys":2630},{"id":2631,"type":1363,"linkType":1364},"2y0INxqAi594O7rCAVKhTI",[],{"nodeType":1294,"data":2634,"content":2635},{},[2636],{"nodeType":1293,"value":37,"marks":2637,"data":2638},[],{},"How attackers compromise Azure organizations through SaaS apps ","2023-01-03T00:00:00.000Z","how-attackers-compromise-azure-organizations-through-saas-apps",{"items":2643},[2644,2648],{"sys":2645,"name":2647},{"id":2646},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"sys":2649,"name":1305},{"id":1304},{"items":2651},[2652],{"fullName":2653,"firstName":2654,"jobTitle":2655,"profilePicture":2656},"Johann Scheepers","Johann","Senior Security Engineer",{"url":2657},"https://images.ctfassets.net/y1cdw1ablpvd/75IEOH93vR0hbvxuqTu1m3/f6222745ee6892ea07bc18727a5a5ae7/T016S22KZ96-U02LU3SKC2D-e1e755770536-512.png",{"__typename":1313,"sys":2659,"content":2661,"title":3126,"synopsis":3127,"hashTags":118,"publishedDate":3128,"slug":3129,"tagsCollection":3130,"authorsCollection":3138},{"id":2660},"14NiRrBrLFVkR8h05RCD7F",{"json":2662},{"data":2663,"content":2664,"nodeType":1295},{},[2665,2673,2681,2703,2711,2732,2739,2745,2752,2759,2766,2773,2780,2787,2794,2801,2808,2814,2821,2828,2835,2842,2860,2866,2873,2879,2886,2892,2899,2906,2913,2957,2964,2984,2991,3081,3101,3107,3114,3120],{"data":2666,"content":2667,"nodeType":1294},{},[2668],{"data":2669,"marks":2670,"value":2672,"nodeType":1293},{},[2671],{"type":312},"You get a call from your CFO: “Jenkins! 
ACME just called to find out why we haven’t paid invoices for the last 3 months? Didn’t you make payment last week?”",{"data":2674,"content":2675,"nodeType":1294},{},[2676],{"data":2677,"marks":2678,"value":2680,"nodeType":1293},{},[2679],{"type":312},"You think back a bit. “Yip! I received another invoice a few days ago and made payment yesterday. I also paid the contractor doing renovations on your house. By the way, congrats on the new kitchen.”",{"data":2682,"content":2683,"nodeType":1294},{},[2684,2688,2699],{"data":2685,"marks":2686,"value":2687,"nodeType":1293},{},[],"Many companies have had similar incidents occur over the last couple of years - it’s a classic ",{"data":2689,"content":2693,"nodeType":1358},{"target":2690},{"sys":2691},{"id":2692,"type":1363,"linkType":1364},"pj2eLZXa4PyrY1DD4NCHt",[2694],{"data":2695,"marks":2696,"value":2698,"nodeType":1293},{},[2697],{"type":1370},"Business Email Compromise",{"data":2700,"marks":2701,"value":2702,"nodeType":1293},{},[]," (BEC) scenario. An attacker managed to gain access to Jenkins in accounting’s email and intercepted email from legitimate creditors, replacing their banking details with the attacker's own, and even forging invoices from non-existent suppliers. Forged emails are then sent from the CEO or CFO to approve the payments.",{"data":2704,"content":2705,"nodeType":1294},{},[2706],{"data":2707,"marks":2708,"value":2710,"nodeType":1293},{},[2709],{"type":312},"But how did they manage to gain access to the account? Our security team enforced multi-factor authentication (MFA) a few weeks ago. 
We’re supposed to be secure!?",{"data":2712,"content":2713,"nodeType":1294},{},[2714,2718,2728],{"data":2715,"marks":2716,"value":2717,"nodeType":1293},{},[],"As detailed in our ",{"data":2719,"content":2722,"nodeType":1358},{"target":2720},{"sys":2721},{"id":1362,"type":1363,"linkType":1364},[2723],{"data":2724,"marks":2725,"value":2727,"nodeType":1293},{},[2726],{"type":1370},"blog post about consent phishing",{"data":2729,"marks":2730,"value":2731,"nodeType":1293},{},[],", this attack method sidesteps MFA: the victim satisfies MFA themselves when they sign in and consent to the malicious third-party integration (OAuth) app, and the identity provider then issues that app an access token (and usually a refresh token) that is not subject to further MFA prompts. MFA is enforced at sign-in, not on API calls made with an already-issued token, so in this case the attacker ended up holding a valid access token for Jenkins’ account. ",{"data":2733,"content":2734,"nodeType":1294},{},[2735],{"data":2736,"marks":2737,"value":2738,"nodeType":1293},{},[],"While this isn’t necessarily the same level of access provided with a username/password combo, it might be, based on the scopes Jenkins granted the third-party integration app access to when they clicked ‘Accept’. ",{"data":2740,"content":2744,"nodeType":1384},{"target":2741},{"sys":2742},{"id":2743,"type":1363,"linkType":1364},"5BIHqq49jJOHsEHLgc8Tb9",[],{"data":2746,"content":2747,"nodeType":1294},{},[2748],{"data":2749,"marks":2750,"value":2751,"nodeType":1293},{},[],"The list of third-party integration scopes can include anything from relatively benign things like retrieving your name, surname, and email address, to more dangerous or excessive permissions such as full access to your mailbox, the ability to configure mail rules to forward or delete email, and full access to your OneDrive or SharePoint files. 
Worst-case scenario: if you belong to groups with password reset capabilities and the granted scopes allow the app to exercise them, the attacker may be able to perform full account takeovers.",{"data":2753,"content":2754,"nodeType":1343},{},[2755],{"data":2756,"marks":2757,"value":2758,"nodeType":1293},{},[],"How do you detect and respond to such incidents?",{"data":2760,"content":2761,"nodeType":1294},{},[2762],{"data":2763,"marks":2764,"value":2765,"nodeType":1293},{},[],"The main issue is detection. In my experience as an incident responder working with Fortune 500 companies at MWR Infosecurity, I found that BEC attacks are usually detected when associated parties start asking questions about non-payment (or unrecognized payments), which can take weeks or months from the day of compromise. By this point your cloud provider’s logs are likely to have rolled over and you’re unlikely to find much useful information to populate your incident timeline, which is why extending audit log retention (or forwarding the logs to a SIEM) is worth doing before an incident happens.",{"data":2767,"content":2768,"nodeType":1294},{},[2769],{"data":2770,"marks":2771,"value":2772,"nodeType":1293},{},[],"Shameless plug alert: Push’s ChatOps functionality can greatly assist here as it detects such malicious rules when created, and sends a message to the owner of the account (Jenkins) asking if they created the rule. Sometimes a user will have a legitimate use for creating mail rules to forward messages to another account, and this allows them to acknowledge the rule and mark it as safe. In case they didn’t create it, they can flag it as such and this will cause an alert to be sent to their security team. This is practically instant detection and invaluable when preventing fraudulent payments. 
And getting input from the account owner cuts way down on alert fatigue for your team.",{"data":2774,"content":2775,"nodeType":1343},{},[2776],{"data":2777,"marks":2778,"value":2779,"nodeType":1293},{},[],"\nMitigate the attack \n",{"data":2781,"content":2782,"nodeType":1294},{},[2783],{"data":2784,"marks":2785,"value":2786,"nodeType":1293},{},[],"Once you’ve detected the incident, your next step is to remediate. Typically, this would require someone on the  security team to find the offending rule in your cloud provider’s control panel to disable it, which can take some time, depending on the team’s availability and other factors. ",{"data":2788,"content":2789,"nodeType":1294},{},[2790],{"data":2791,"marks":2792,"value":2793,"nodeType":1293},{},[],"Detecting the creation of malicious mail rules would require you to configure policies and alerts in your cloud provider’s control panel, and requires someone from the security team to monitor for notifications. If your IT person is also responsible for security in your organization, it’s unlikely that they would spend an appropriate amount of time looking at alerts and, in many cases, would need to follow up with employees to confirm if they had indeed created the rules. If you’re a larger organization, your dedicated security person will likely have higher priority tasks, too.",{"data":2795,"content":2796,"nodeType":1294},{},[2797],{"data":2798,"marks":2799,"value":2800,"nodeType":1293},{},[],"Discovering a breach is usually related to someone noticing unrecognized payments, vendors querying a lack of payments, or phishing emails being sent to fellow employees or contacts outside of your organization. If an attacker is careful to avoid causing too much interruption, then it’s likely that you won’t discover the breach until all the damage has been done. 
Usually by this point, an investigation will reveal very little, because the important artifacts have already disappeared as the logs rolled over.",{"data":2802,"content":2803,"nodeType":1294},{},[2804],{"data":2805,"marks":2806,"value":2807,"nodeType":1293},{},[],"If you’re using Push, we would automatically detect the mail rule, talk to the employee whose email the mail rule was created within, and if they didn’t set the mail rule up themselves, we would assume it was created by an attacker and alert your security team. Push’s ChatOps will disable the offending rule and mark it as suspicious.",{"data":2809,"content":2813,"nodeType":1384},{"target":2810},{"sys":2811},{"id":2812,"type":1363,"linkType":1364},"6rV4EiwTgmBsmYEaUvv55b",[],{"data":2815,"content":2816,"nodeType":1294},{},[2817],{"data":2818,"marks":2819,"value":2820,"nodeType":1293},{},[],"If this were a typical credential compromise scenario, the account’s password would be reset and everyone would go about their lives. However, since no credentials were compromised in our example, you’d go onto the next step to…",{"data":2822,"content":2823,"nodeType":1343},{},[2824],{"data":2825,"marks":2826,"value":2827,"nodeType":1293},{},[],"Remove the app’s permissions and revoke the tokens",{"data":2829,"content":2830,"nodeType":1294},{},[2831],{"data":2832,"marks":2833,"value":2834,"nodeType":1293},{},[],"As I mentioned earlier, third-party integration apps are issued tokens. Access tokens are typically short-lived (about an hour, sometimes 24 hours or more depending on the integrating app and how it is being used), but if the app was also issued a refresh token it can keep obtaining fresh access tokens until that refresh token is revoked or expires, so both need to be dealt with.",{"data":2836,"content":2837,"nodeType":1294},{},[2838],{"data":2839,"marks":2840,"value":2841,"nodeType":1293},{},[],"Invalidating third-party integration access permissions requires accessing your cloud provider’s control panel. In this example, you need to revoke access for a malicious app in a Microsoft 365 tenant. 
Microsoft’s guidance on this is very useful, but unfortunately not as simple as just pressing a button.",{"data":2843,"content":2844,"nodeType":1294},{},[2845,2849,2856],{"data":2846,"marks":2847,"value":2848,"nodeType":1293},{},[],"To view Microsoft’s recommendations for dealing with a malicious app, you’d need to navigate to the ",{"data":2850,"content":2851,"nodeType":1419},{"uri":2383},[2852],{"data":2853,"marks":2854,"value":2386,"nodeType":1293},{},[2855],{"type":1370},{"data":2857,"marks":2858,"value":2859,"nodeType":1293},{},[]," section in Azure, and locate the app by searching for its name or Application ID, which can be found in the Push app’s OAuth integrations page. In the app menu, click on ‘Permissions,’ then ‘Review permissions.’ ",{"data":2861,"content":2865,"nodeType":1384},{"target":2862},{"sys":2863},{"id":2864,"type":1363,"linkType":1364},"5Z6T2anRIJ1he2phTbcFot",[],{"data":2867,"content":2868,"nodeType":1294},{},[2869],{"data":2870,"marks":2871,"value":2872,"nodeType":1293},{},[],"On the slide-out menu, select “This application is malicious and I’m compromised.”",{"data":2874,"content":2878,"nodeType":1384},{"target":2875},{"sys":2876},{"id":2877,"type":1363,"linkType":1364},"2lGnKdKTjXAVYBiOtYrbEl",[],{"data":2880,"content":2881,"nodeType":1294},{},[2882],{"data":2883,"marks":2884,"value":2885,"nodeType":1293},{},[],"This will provide you with pre-generated PowerShell scripts to 1) Remove all users assigned to the application, 2) Revoke all permissions granted to the application, and 3) Revoke refresh tokens for all users. Read the scripts before running them, since they act across the whole tenant, and note that revoking refresh tokens does not invalidate access tokens that have already been issued: those remain usable until they expire, so keep watching the audit logs for activity by the app for at least an hour afterwards.",{"data":2887,"content":2891,"nodeType":1384},{"target":2888},{"sys":2889},{"id":2890,"type":1363,"linkType":1364},"3qdGQ12PdZFLEyIpmMkwPi",[],{"data":2893,"content":2894,"nodeType":1343},{},[2895],{"data":2896,"marks":2897,"value":2898,"nodeType":1293},{},[],"How to prevent similar attacks",{"data":2900,"content":2901,"nodeType":1294},{},[2902],{"data":2903,"marks":2904,"value":2905,"nodeType":1293},{},[],"A very important 
step following a compromise is to review what happened, how it happened, and what could be done to prevent the incident from occurring again. The interesting part about this incident is that the compromise wasn’t due to a weak password, or even a lack of MFA. It came down to social engineering: an account masquerading as their CFO instructed an employee to click a link and accept a consent prompt.",{"data":2907,"content":2908,"nodeType":1294},{},[2909],{"data":2910,"marks":2911,"value":2912,"nodeType":1293},{},[],"For the purposes of this hypothetical incident, we’ll establish that the following occurred:",{"data":2914,"content":2915,"nodeType":2956},{},[2916,2926,2936,2946],{"data":2917,"content":2918,"nodeType":2183},{},[2919],{"data":2920,"content":2921,"nodeType":1294},{},[2922],{"data":2923,"marks":2924,"value":2925,"nodeType":1293},{},[],"Andrew Jenkins was targeted in a phishing attack",{"data":2927,"content":2928,"nodeType":2183},{},[2929],{"data":2930,"content":2931,"nodeType":1294},{},[2932],{"data":2933,"marks":2934,"value":2935,"nodeType":1293},{},[],"Andrew authenticated via Microsoft 365, which is a legitimate and expected authentication mechanism and occurs almost daily",{"data":2937,"content":2938,"nodeType":2183},{},[2939],{"data":2940,"content":2941,"nodeType":1294},{},[2942],{"data":2943,"marks":2944,"value":2945,"nodeType":1293},{},[],"No attachments were downloaded, thus in this isolated incident there was no code execution on Andrew’s host, meaning that Anti-Virus or Endpoint Detection & Response (EDR) would not have prevented it",{"data":2947,"content":2948,"nodeType":2183},{},[2949],{"data":2950,"content":2951,"nodeType":1294},{},[2952],{"data":2953,"marks":2954,"value":2955,"nodeType":1293},{},[],"The attacker gained full access to Andrew’s mailbox","unordered-list",{"data":2958,"content":2959,"nodeType":1294},{},[2960],{"data":2961,"marks":2962,"value":2963,"nodeType":1293},{},[],"The malicious app was disabled by Microsoft after some time, so a full 
investigation into its capabilities was not possible. We don’t know whether another phishing page was presented after the integration took place, thus to be on the safe side we need to assume this happened and led to credential compromise.",{"data":2965,"content":2966,"nodeType":1294},{},[2967,2971,2980],{"data":2968,"marks":2969,"value":2970,"nodeType":1293},{},[],"The app was unverified, which has historically been true in most of these scenarios. Publishers need to associate a Microsoft Partner Network (MPN) ID with the app, which follows a ",{"data":2972,"content":2974,"nodeType":1419},{"uri":2973},"https://docs.microsoft.com/en-us/partner-center/verification-responses",[2975],{"data":2976,"marks":2977,"value":2979,"nodeType":1293},{},[2978],{"type":1370},"verification process",{"data":2981,"marks":2982,"value":2983,"nodeType":1293},{},[],", in order to have it appear as a verified app. This Microsoft 365 tenant was configured to allow unverified integrations due to an oversight following an app migration project.",{"data":2985,"content":2986,"nodeType":1294},{},[2987],{"data":2988,"marks":2989,"value":2990,"nodeType":1293},{},[],"This leads us to the following to help prevent similar attacks from occurring in future, and to make sure there is no opportunity for the attacker to leverage any existing foothold:",{"data":2992,"content":2993,"nodeType":2956},{},[2994,3004,3014,3024,3045,3061,3071],{"data":2995,"content":2996,"nodeType":2183},{},[2997],{"data":2998,"content":2999,"nodeType":1294},{},[3000],{"data":3001,"marks":3002,"value":3003,"nodeType":1293},{},[],"Disable the integration and remove the malicious app’s permissions",{"data":3005,"content":3006,"nodeType":2183},{},[3007],{"data":3008,"content":3009,"nodeType":1294},{},[3010],{"data":3011,"marks":3012,"value":3013,"nodeType":1293},{},[],"Reset Andrew Jenkins’ 
credentials",{"data":3015,"content":3016,"nodeType":2183},{},[3017],{"data":3018,"content":3019,"nodeType":1294},{},[3020],{"data":3021,"marks":3022,"value":3023,"nodeType":1293},{},[],"Be aware of and review newly created mail rules",{"data":3025,"content":3026,"nodeType":2183},{},[3027],{"data":3028,"content":3029,"nodeType":1294},{},[3030,3033,3042],{"data":3031,"marks":3032,"value":37,"nodeType":1293},{},[],{"data":3034,"content":3036,"nodeType":1419},{"uri":3035},"https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent?tabs=azure-portal",[3037],{"data":3038,"marks":3039,"value":3041,"nodeType":1293},{},[3040],{"type":1370},"Confirm that the Microsoft 365 tenant is set to disallow integrations from unverified apps",{"data":3043,"marks":3044,"value":37,"nodeType":1293},{},[],{"data":3046,"content":3047,"nodeType":2183},{},[3048],{"data":3049,"content":3050,"nodeType":2956},{},[3051],{"data":3052,"content":3053,"nodeType":2183},{},[3054],{"data":3055,"content":3056,"nodeType":1294},{},[3057],{"data":3058,"marks":3059,"value":3060,"nodeType":1293},{},[],"Note: as of November 9th, 2020, user consent to unverified apps is disabled by default, but this tenant is a reminder to confirm the setting in your own tenant rather than rely on the default.",{"data":3062,"content":3063,"nodeType":2183},{},[3064],{"data":3065,"content":3066,"nodeType":1294},{},[3067],{"data":3068,"marks":3069,"value":3070,"nodeType":1293},{},[],"Communicate with employees and other affected parties to be wary of these types of attacks",{"data":3072,"content":3073,"nodeType":2183},{},[3074],{"data":3075,"content":3076,"nodeType":1294},{},[3077],{"data":3078,"marks":3079,"value":3080,"nodeType":1293},{},[],"Perform regular audits against your Microsoft 365 tenants to highlight any discrepancies and integrations with unusual or unnecessary permissions.",{"data":3082,"content":3083,"nodeType":1294},{},[3084,3088,3097],{"data":3085,"marks":3086,"value":3087,"nodeType":1293},{},[],"Microsoft implementing safe defaults towards limiting integrations from unverified 
publishers was a step in the right direction. However, there have been ",{"data":3089,"content":3091,"nodeType":1419},{"uri":3090},"https://www.proofpoint.com/us/blog/cloud-security/oivavoii-active-malicious-hybrid-cloud-threats-campaign",[3092],{"data":3093,"marks":3094,"value":3096,"nodeType":1293},{},[3095],{"type":1370},"cases",{"data":3098,"marks":3099,"value":3100,"nodeType":1293},{},[]," where attackers utilized compromised publishers to perform similar attacks, so treat a verified-publisher badge as a risk reducer rather than proof that an app is safe; the scopes it requests still need to be reviewed. ",{"data":3102,"content":3103,"nodeType":1343},{},[3104],{"data":3105,"marks":3106,"value":2596,"nodeType":1293},{},[],{"data":3108,"content":3109,"nodeType":1294},{},[3110],{"data":3111,"marks":3112,"value":3113,"nodeType":1293},{},[],"While the process isn’t exactly straightforward, catching early indicators like malicious mail rules helps you prevent an attacker from launching additional attacks like phishing campaigns as they try to gain access to sensitive business data. Removing the mail rule is just the start of the process; you really need to revoke permissions and take the other steps we covered in this post to stop an attack from going any further. 
We’ll publish some more content on SaaS incident response on our blog, so subscribe to get our guidance straight into your inbox.",{"data":3115,"content":3119,"nodeType":1384},{"target":3116},{"sys":3117},{"id":3118,"type":1363,"linkType":1364},"6oHRbGLus4bstsAc7E0zBD",[],{"data":3121,"content":3122,"nodeType":1294},{},[3123],{"data":3124,"marks":3125,"value":37,"nodeType":1293},{},[],"How to kick off an incident response investigation for a compromised SaaS account","We'll walk through how to quickly detect and mitigate business email compromise (BEC) and then prevent future attacks.","2022-09-20T00:00:00.000Z","how-to-kick-off-an-incident-response-investigation-for-a-compromised-saas",{"items":3131},[3132,3134],{"sys":3133,"name":1305},{"id":1304},{"sys":3135,"name":3137},{"id":3136},"3pjES4THCIfSAwhGdNwBcy","Identity security",{"items":3139},[3140],{"fullName":2653,"firstName":2654,"jobTitle":2655,"profilePicture":3141},{"url":2657},{"__typename":1313,"sys":3143,"content":3145,"title":3581,"synopsis":3582,"hashTags":118,"publishedDate":3583,"slug":3584,"tagsCollection":3585,"authorsCollection":3589},{"id":3144},"3QpljiYU9YHEUhd5gsvypj",{"json":3146},{"nodeType":1295,"data":3147,"content":3148},{},[3149,3156,3163,3170,3177,3184,3190,3197,3204,3211,3218,3224,3231,3237,3258,3265,3271,3290,3310,3329,3336,3343,3350,3357,3363,3369,3376,3383,3390,3397,3403,3410,3459,3465,3471,3489,3495,3502,3508,3515,3521,3528,3535,3541,3547,3553,3560,3567,3574],{"nodeType":1294,"data":3150,"content":3151},{},[3152],{"nodeType":1293,"value":3153,"marks":3154,"data":3155},"As an attacker, we have a wide range of persistence options available to us in a traditional account or endpoint compromise scenario. 
From discovering a user's password, to creating new backdoor accounts, to using one of an insane number of \"run keys\" to keep an implant running beyond reboot, or even moving laterally to other internal systems - an attacker has plenty of choice.",[],{},{"nodeType":1294,"data":3157,"content":3158},{},[3159],{"nodeType":1293,"value":3160,"marks":3161,"data":3162},"But how does this change in a SaaS-first world? In this post, we'll consider some of the new challenges and opportunities that are presented to an attacker who wants to maintain persistence in the new world order, so you can better investigate incidents and quickly defend against attacks. We'll cover a variety of techniques, including malicious mail rules, OAuth backdoor tricks and document sharing links to see how persistence can be maintained, even in the event of password changes and device wipes.",[],{},{"nodeType":1335,"data":3164,"content":3165},{},[3166],{"nodeType":1293,"value":3167,"marks":3168,"data":3169},"So what’s changed?",[],{},{"nodeType":1294,"data":3171,"content":3172},{},[3173],{"nodeType":1293,"value":3174,"marks":3175,"data":3176},"In a traditional compromise scenario, a common example would be an endpoint compromised through phishing, which is used to deliver a malicious implant to establish a command and control channel with the endpoint. In order to maintain access, an attacker would likely use one or more endpoint persistence methods to ensure their implant is launched again post-reboot when the user turns their laptop off for the day. ",[],{},{"nodeType":1294,"data":3178,"content":3179},{},[3180],{"nodeType":1293,"value":3181,"marks":3182,"data":3183},"This would often become a foothold into the internal network of the compromised organization. 
The endpoint or user is the start, but an attacker may seek to move laterally to other endpoints and servers on the internal network, where security is often much lower than the external perimeter.",{"nodeType":1384,"data":3185,"content":3189},{"target":3186},{"sys":3187},{"id":3188,"type":1363,"linkType":1364},"5aSsHI9aZjsZIIXcV3YDYk",[],{"nodeType":1294,"data":3191,"content":3192},{},[3193],{"nodeType":1293,"value":3194,"marks":3195,"data":3196},"In a SaaS-first world, this situation has begun to change somewhat. There are many companies now that have significantly reduced the size of their internal networks or are even fully in the cloud and do not have any internal network infrastructure. In this case, traditional lateral movement becomes much more difficult or impossible. Additionally, endpoints are becoming increasingly hard targets to compromise and incident response teams have matured and have gotten better at cleaning up endpoint compromises. ",[],{},{"nodeType":1294,"data":3198,"content":3199},{},[3200],{"nodeType":1293,"value":3201,"marks":3202,"data":3203},"The consequence of this is that attackers need to make the most use of the access they have during an endpoint or user compromise and maintain access where possible, even in the event of a password reset and full laptop wipe. Additionally, new SaaS-focused persistence options are now possible, which are also often resistant to password changes and endpoint wipes, so these are increasingly attractive options for an attacker. ",[],{},{"nodeType":1294,"data":3205,"content":3206},{},[3207],{"nodeType":1293,"value":3208,"marks":3209,"data":3210},"One other change is that persistence is less binary than it has been traditionally. Typically, persistence would often be on a per-user or per-endpoint basis. Either an attacker would have full control of a user account (e.g. knowing the password) or full control of an endpoint (e.g. an implant running on the endpoint). 
The main differentiation would be in whether endpoint-level access was administrative level control over the endpoint or an implant running as a low-privileged user account. However, in the SaaS-world persistence is much more asset dependent and thus less binary. It could be persistent access to email, or documents, or chat conversations or any number of other assets and capabilities.",[],{},{"nodeType":1343,"data":3212,"content":3213},{},[3214],{"nodeType":1293,"value":3215,"marks":3216,"data":3217},"Mail rules",[],{},{"nodeType":1384,"data":3219,"content":3223},{"target":3220},{"sys":3221},{"id":3222,"type":1363,"linkType":1364},"3bcLzOfZupSDatdzfFrJDQ",[],{"nodeType":1294,"data":3225,"content":3226},{},[3227],{"nodeType":1293,"value":3228,"marks":3229,"data":3230},"Mail rules are a handy feature found in most email clients. You might have used them to forward emails to your teammates while you’re off sipping Piña Coladas, or to move incoming email from that spammy colleague to the “don’t read” folder. However, they can also be used for a range of malicious activities, such as forwarding emails to an external address (e.g. password resets, invoices, “confidential” emails etc) or deleting emails (e.g. security alerts!). 
A good example of a real-world attack involving this technique was the 2020 SANS breach.\n",[],{},{"nodeType":1384,"data":3232,"content":3236},{"target":3233},{"sys":3234},{"id":3235,"type":1363,"linkType":1364},"5RoIfopOGmTaORtG7fqYQo",[],{"nodeType":1294,"data":3238,"content":3239},{},[3240,3244,3254],{"nodeType":1293,"value":3241,"marks":3242,"data":3243},"If you want to read more about this technique, you can check out our ",[],{},{"nodeType":1358,"data":3245,"content":3249},{"target":3246},{"sys":3247},{"id":3248,"type":1363,"linkType":1364},"2zZ8kxP0t8Smi9b6hpT34k",[3250],{"nodeType":1293,"value":3251,"marks":3252,"data":3253},"previous article",[],{},{"nodeType":1293,"value":3255,"marks":3256,"data":3257},".",[],{},{"nodeType":1343,"data":3259,"content":3260},{},[3261],{"nodeType":1293,"value":3262,"marks":3263,"data":3264},"OAuth attack #1: Custom OAuth app integration",[],{},{"nodeType":1384,"data":3266,"content":3270},{"target":3267},{"sys":3268},{"id":3269,"type":1363,"linkType":1364},"7suW3GZpDsu2RnopkUiA3L",[],{"nodeType":1294,"data":3272,"content":3273},{},[3274,3278,3286],{"nodeType":1293,"value":3275,"marks":3276,"data":3277},"OAuth apps can be used to request long-lived access to a set of permissions on behalf of a user (via refresh tokens, lasting until the consent grant is revoked). This can be as simple as the ability to verify a user’s identity for a simple social login or it could be as permissive as having full control over email, document stores, wiki pages, admin capabilities, etc. You can read more details about this in our ",[],{},{"nodeType":1358,"data":3279,"content":3282},{"target":3280},{"sys":3281},{"id":1436,"type":1363,"linkType":1364},[3283],{"nodeType":1293,"value":3251,"marks":3284,"data":3285},[],{},{"nodeType":1293,"value":3287,"marks":3288,"data":3289},". 
",[],{},{"nodeType":1294,"data":3291,"content":3292},{},[3293,3297,3306],{"nodeType":1293,"value":3294,"marks":3295,"data":3296},"However, from an attacker’s perspective a custom OAuth app could be created with sensitive permissions and connected to a user’s account in order to maintain access to their data. In the event that an attacker has compromised a user’s account or endpoint, they could directly consent to their own malicious OAuth app on behalf of the user in order to gain persistence. This could also be achieved as part of a ",[],{},{"nodeType":1358,"data":3298,"content":3301},{"target":3299},{"sys":3300},{"id":1362,"type":1363,"linkType":1364},[3302],{"nodeType":1293,"value":3303,"marks":3304,"data":3305},"consent phishing",[],{},{"nodeType":1293,"value":3307,"marks":3308,"data":3309}," attack to effectively compromise a user’s account and gain this persistence at the same time. In either case, this would enable continued access to the user’s data even if their password is changed and their endpoint fully wiped, because the consent grant lives in the identity provider rather than on the device: it survives until the grant itself is removed and the app’s tokens are revoked.   
",[],{},{"nodeType":1294,"data":3311,"content":3312},{},[3313,3317,3325],{"nodeType":1293,"value":3314,"marks":3315,"data":3316},"Attacks utilizing these types of techniques are becoming increasingly common and Microsoft even ",[],{},{"nodeType":1419,"data":3318,"content":3320},{"uri":3319},"https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-OAuth-applications-used-to-compromise-email-servers-and-spread-spam/",[3321],{"nodeType":1293,"value":3322,"marks":3323,"data":3324},"wrote about some real-world attacks",[],{},{"nodeType":1293,"value":3326,"marks":3327,"data":3328}," they uncovered recently that involved the use of malicious OAuth apps.",[],{},{"nodeType":1343,"data":3330,"content":3331},{},[3332],{"nodeType":1293,"value":3333,"marks":3334,"data":3335},"OAuth attack #2: SaaS platform integration",[],{},{"nodeType":1294,"data":3337,"content":3338},{},[3339],{"nodeType":1293,"value":3340,"marks":3341,"data":3342},"A similar approach to using a custom OAuth app is to make use of legitimate SaaS services that allow an attacker to make sensitive integrations as a more hide-in-plain-sight approach. For example, let’s take the popular SaaS platform Canva, a graphic design tool that is used to create social media graphics, presentations, posters, documents and other visual content, as an example. Canva, like many SaaS platforms, allows you to make integrations with document stores like OneDrive and Google Drive in order to easily import and export files between Canva and them. If an attacker is interested primarily in maintaining access to a user’s files, then they could make an integration with a platform like Canva and then use that to maintain access.",[],{},{"nodeType":1294,"data":3344,"content":3345},{},[3346],{"nodeType":1293,"value":3347,"marks":3348,"data":3349},"While this doesn’t provide any raw capabilities beyond a custom OAuth app, an attacker may be more likely to go undetected in this scenario. 
Discovering an integration with a completely unknown, unverified OAuth app that hasn’t been seen in use elsewhere in the organization, or anywhere at all, is suspicious. Finding an integration with a major SaaS platform, particularly if it is one in use by other users in the organization, is much less suspicious. Additionally, many of them will have verified ticks having been through Microsoft’s or Google’s own verification processes. The only downside for an attacker is having to find SaaS platforms that request the correct permissions and provide the functionality that the attacker is looking for, whereas a custom OAuth app could be used to request any permissions and code could be written to use those permissions however an attacker would like.",[],{},{"nodeType":1294,"data":3351,"content":3352},{},[3353],{"nodeType":1293,"value":3354,"marks":3355,"data":3356},"If a custom OAuth app is the equivalent of a custom implant on an endpoint, then using a legitimate SaaS platform integration is the equivalent of a more living-off-the-land approach, such as using TeamViewer, RDP or Powershell, etc.\n",[],{},{"nodeType":1384,"data":3358,"content":3362},{"target":3359},{"sys":3360},{"id":3361,"type":1363,"linkType":1364},"53pL4O8zgfLBKqZbbcN3aI",[],{"nodeType":1384,"data":3364,"content":3368},{"target":3365},{"sys":3366},{"id":3367,"type":1363,"linkType":1364},"6ovQnE1bu7tVCJr4OfzfhI",[],{"nodeType":1343,"data":3370,"content":3371},{},[3372],{"nodeType":1293,"value":3373,"marks":3374,"data":3375},"OAuth attack #3: Legitimate desktop/mobile app impersonation",[],{},{"nodeType":1294,"data":3377,"content":3378},{},[3379],{"nodeType":1293,"value":3380,"marks":3381,"data":3382},"Ok, we promise this is the last OAuth variation example - but it’s another interesting way to abuse OAuth connections! Previously, we spoke of either connecting a custom OAuth app or using an OAuth integration via a legitimate SaaS platform. 
A custom OAuth app has the most flexibility for an attacker, but looks far more suspicious if discovered, whereas a legitimate SaaS platform looks much more….well, legitimate!",[],{},{"nodeType":1294,"data":3384,"content":3385},{},[3386],{"nodeType":1293,"value":3387,"marks":3388,"data":3389},"What if you could have both of those advantages in one? Well, that can be achieved, too! The reason SaaS platforms don’t have the same flexibility is because they keep their client IDs and secrets for their apps so the attacker can only use the OAuth app indirectly via the features provided by the SaaS platform. However, some OAuth connections are made using desktop or mobile apps that obviously can’t keep their OAuth app secrets secret from a user. While it is generally not possible for an attacker to make use of these in a consent phishing attack, due to not controlling the reply URLs, they can be used in a pure persistence scenario with an already compromised account. ",[],{},{"nodeType":1294,"data":3391,"content":3392},{},[3393],{"nodeType":1293,"value":3394,"marks":3395,"data":3396},"Let’s take Mozilla Thunderbird, a cross-platform email client, as an example. The client IDs and secrets for different OAuth apps are actually stored in the source code in this case: ",[],{},{"nodeType":1384,"data":3398,"content":3402},{"target":3399},{"sys":3400},{"id":3401,"type":1363,"linkType":1364},"3Ed90clKC3GG4BcPfeV6Nm",[],{"nodeType":1294,"data":3404,"content":3405},{},[3406],{"nodeType":1293,"value":3407,"marks":3408,"data":3409},"As an attacker, this gives us multiple advantages. 
",[],{},{"nodeType":2956,"data":3411,"content":3412},{},[3413,3429,3444],{"nodeType":2183,"data":3414,"content":3415},{},[3416],{"nodeType":1294,"data":3417,"content":3418},{},[3419,3425],{"nodeType":1293,"value":3420,"marks":3421,"data":3424},"App Impersonation",[3422],{"type":3423},"bold",{},{"nodeType":1293,"value":3426,"marks":3427,"data":3428}," - These are client IDs that will be seen in use legitimately by other users and we can impersonate them. In Thunderbird’s case, the Microsoft app isn’t actually a verified app but the Google one shows as verified. Whatever the case, it looks much less suspicious than a completely unknown app with no known business use case. ",[],{},{"nodeType":2183,"data":3430,"content":3431},{},[3432],{"nodeType":1294,"data":3433,"content":3434},{},[3435,3440],{"nodeType":1293,"value":3436,"marks":3437,"data":3439},"Flexible Use",[3438],{"type":3423},{},{"nodeType":1293,"value":3441,"marks":3442,"data":3443}," - We have access to the client IDs and secrets, so we can do whatever we want with the OAuth integration, writing custom code to query APIs as we please. We are not limited to the functionality provided by Thunderbird itself.\n",[],{},{"nodeType":2183,"data":3445,"content":3446},{},[3447],{"nodeType":1294,"data":3448,"content":3449},{},[3450,3455],{"nodeType":1293,"value":3451,"marks":3452,"data":3454},"Arbitrary Permission Granting",[3453],{"type":3423},{},{"nodeType":1293,"value":3456,"marks":3457,"data":3458}," - We aren’t actually limited to just the permissions that Thunderbird would normally request (e.g. email/calendar). Since we’re in control of the OAuth secrets, we can just request whatever scopes we want. For example, shown below is us using the Microsoft Thunderbird OAuth secrets to request permissions that also include access to all files, Sharepoint, AD access, etc. 
\n",[],{},{"nodeType":1384,"data":3460,"content":3464},{"target":3461},{"sys":3462},{"id":3463,"type":1363,"linkType":1364},"22nQPPKCgUUEr7QPQBFHNS",[],{"nodeType":1384,"data":3466,"content":3470},{"target":3467},{"sys":3468},{"id":3469,"type":1363,"linkType":1364},"5eIVlfPzpxuO7D41r7DPfe",[],{"nodeType":2956,"data":3472,"content":3473},{},[3474],{"nodeType":2183,"data":3475,"content":3476},{},[3477],{"nodeType":1294,"data":3478,"content":3479},{},[3480,3485],{"nodeType":1293,"value":3481,"marks":3482,"data":3484},"(Semi-)Bypass Google Restricted Scopes",[3483],{"type":3423},{},{"nodeType":1293,"value":3486,"marks":3487,"data":3488}," - When it comes to arbitrary permission granting, there is a caveat with Google in that some of the more sensitive scopes Google offer are only available to selected approved and verified apps. Therefore, we can’t necessarily just request access to any permission with Google. For example, if we modify Thunderbird to request access to Google Drive (a restricted scope) then we get the following: ",[],{},{"nodeType":1384,"data":3490,"content":3494},{"target":3491},{"sys":3492},{"id":3493,"type":1363,"linkType":1364},"3HIcve3zqVFheiZ2tJILJl",[],{"nodeType":1294,"data":3496,"content":3497},{},[3498],{"nodeType":1293,"value":3499,"marks":3500,"data":3501},"Access to Gmail is also considered a restricted scope. However, obviously Thunderbird is an email client, so if it uses OAuth it’s going to want access to Gmail, right? 
Well, yes, the Thunderbird app ID is permitted access to Gmail data, so we can use it to gain that access and appear as a legitimate verified app, in addition to requesting any other non-restricted permissions we’re interested in: ",[],{},{"nodeType":1384,"data":3503,"content":3507},{"target":3504},{"sys":3505},{"id":3506,"type":1363,"linkType":1364},"5SqY9Q2g7DpHhCGJVQDcgF",[],{"nodeType":1343,"data":3509,"content":3510},{},[3511],{"nodeType":1293,"value":3512,"marks":3513,"data":3514},"Document-sharing links",[],{},{"nodeType":1384,"data":3516,"content":3520},{"target":3517},{"sys":3518},{"id":3519,"type":1363,"linkType":1364},"2EEC98Ros0MdMX2gt4OGKe",[],{"nodeType":1294,"data":3522,"content":3523},{},[3524],{"nodeType":1293,"value":3525,"marks":3526,"data":3527},"Ok, no more OAuth, we promise! The final option we want to highlight is the (ab-)use of document-sharing links. Many organizations make use of OneDrive, Sharepoint and Google Drive for document editing, sharing and collaboration. However, it’s pretty common to want to share documents with people outside your organization sometimes too, right? That’s where document-sharing links come in. You can create a document sharing link to share with specific individuals in other Google/Azure organizations or you can create anonymous links that anyone with knowledge of the (unguessable randomized) link can access.",[],{},{"nodeType":1294,"data":3529,"content":3530},{},[3531],{"nodeType":1293,"value":3532,"marks":3533,"data":3534},"Very similar functionality is present in both OneDrive and Google Drive, but this same legitimate functionality can also be abused by attackers to maintain backdoor access to either select files or entire root folders. Sharing a root folder will cause future files to inherit those sharing permissions. 
This is a modern repeat of the age-old problem of access control list (ACL) management on internal file servers, only now internet-based attackers can potentially abuse this without needing VPN or similar access. ",[],{},{"nodeType":1384,"data":3536,"content":3540},{"target":3537},{"sys":3538},{"id":3539,"type":1363,"linkType":1364},"4IUv2rbEMXrJUAdEYC9xxD",[],{"nodeType":1384,"data":3542,"content":3546},{"target":3543},{"sys":3544},{"id":3545,"type":1363,"linkType":1364},"bMAt7XvLmIEIDwzZrAawU",[],{"nodeType":1343,"data":3548,"content":3549},{},[3550],{"nodeType":1293,"value":2596,"marks":3551,"data":3552},[],{},{"nodeType":1294,"data":3554,"content":3555},{},[3556],{"nodeType":1293,"value":3557,"marks":3558,"data":3559},"We've demonstrated a few new persistence options attackers are using against organizations as they move to the cloud. While some existing persistence and lateral movement options are no longer working in these environments, attackers have been able to quickly adapt to new conditions to get at their targets.",[],{},{"nodeType":1294,"data":3561,"content":3562},{},[3563],{"nodeType":1293,"value":3564,"marks":3565,"data":3566},"Some of these attacks have already been seen in the wild and others may already be happening under the radar. In any case, being aware of how attackers will try to compromise SaaS-first organizations helps you prepare to defend and respond to these attacks. 
",[],{},{"nodeType":1294,"data":3568,"content":3569},{},[3570],{"nodeType":1293,"value":3571,"marks":3572,"data":3573},"It’s extremely important for incident response teams to adapt to these changes, as a password reset and a device wipe is not sufficient to regain control of a user account, even when no lateral movement to internal systems has been performed.",[],{},{"nodeType":1294,"data":3575,"content":3576},{},[3577],{"nodeType":1293,"value":3578,"marks":3579,"data":3580},"New steps need to be added to IR playbooks in the event of user or device compromises to cover the revocation of OAuth permissions and refresh tokens, the auditing of mail rules and changes to document sharing configurations.",[],{},"Maintaining persistent access in a SaaS-first world","Attackers have loads of persistence options in an endpoint compromise scenario, but what changes in a SaaS-first world? We talk new attack methods in this post.","2022-11-29T00:00:00.000Z","maintaining-persistent-access-in-a-saas-first-world",{"items":3586},[3587],{"sys":3588,"name":2647},{"id":2646},{"items":3590},[3591],{"fullName":3592,"firstName":3593,"jobTitle":3594,"profilePicture":3595},"Luke Jennings","Luke","Vice President, R&D",{"url":3596},"https://images.ctfassets.net/y1cdw1ablpvd/4Hosb4zKi1dA0PUyDLMe1h/27e09d894861f2196ba794037986fb08/T016S22KZ96-U02NVQM7ZD4-57761d542d83-512.jpeg",{"items":3598},[3599],{"fullName":3592,"firstName":3593,"jobTitle":3594,"profilePicture":3600},{"url":3596},{"json":3602,"links":4062},{"data":3603,"content":3604,"nodeType":1295},{},[3605,3612,3620,3627,3660,3667,3675,3708,3728,3735,3741,3747,3755,3762,3768,3774,3781,3788,3795,3814,3820,3827,3847,3854,3860,3868,3875,3882,3901,3908,3915,3922,3928,3935,3941,3948,3954,3961,3982,3990,3997,4004,4011,4017,4035,4042,4048,4055],{"data":3606,"content":3607,"nodeType":1294},{},[3608],{"data":3609,"marks":3610,"value":3611,"nodeType":1293},{},[],"An employee has added a new app-to-app (aka OAuth) integration to your Azure tenant 
or Google Workspace but you’re unsure of what it is or what risk it poses to your organization. We’ll cover a few techniques to help you assess the risk in this article.",{"data":3613,"content":3614,"nodeType":1343},{},[3615],{"data":3616,"marks":3617,"value":3619,"nodeType":1293},{},[3618],{"type":3423},"Introduction",{"data":3621,"content":3622,"nodeType":1294},{},[3623],{"data":3624,"marks":3625,"value":3626,"nodeType":1293},{},[]," There are a few key questions to keep in mind when evaluating an OAuth integration:",{"data":3628,"content":3629,"nodeType":2956},{},[3630,3640,3650],{"data":3631,"content":3632,"nodeType":2183},{},[3633],{"data":3634,"content":3635,"nodeType":1294},{},[3636],{"data":3637,"marks":3638,"value":3639,"nodeType":1293},{},[],"Is the source (usually the app vendor) trustworthy?",{"data":3641,"content":3642,"nodeType":2183},{},[3643],{"data":3644,"content":3645,"nodeType":1294},{},[3646],{"data":3647,"marks":3648,"value":3649,"nodeType":1293},{},[],"What can it do if it is not trustworthy? Does it have access to your data? How much access? Does it request more permissions than it should need to function?",{"data":3651,"content":3652,"nodeType":2183},{},[3653],{"data":3654,"content":3655,"nodeType":1294},{},[3656],{"data":3657,"marks":3658,"value":3659,"nodeType":1293},{},[],"What does it actually do (i.e. what do the logs indicate)? Which teams or individuals will be using it and for what purposes?",{"data":3661,"content":3662,"nodeType":1294},{},[3663],{"data":3664,"marks":3665,"value":3666,"nodeType":1293},{},[],"There are a variety of data sources that can be considered for each of these primary questions, which we’ll break down in the next sections: 
",{"data":3668,"content":3669,"nodeType":1343},{},[3670],{"data":3671,"marks":3672,"value":3674,"nodeType":1293},{},[3673],{"type":3423},"Name and Verification Status",{"data":3676,"content":3677,"nodeType":1294},{},[3678,3682,3691,3695,3704],{"data":3679,"marks":3680,"value":3681,"nodeType":1293},{},[],"Every OAuth integration has a name and both Microsoft and Google verification processes that allow OAuth integrations to be verified as belonging to a particular company. Microsoft has a ",{"data":3683,"content":3685,"nodeType":1419},{"uri":3684},"https://learn.microsoft.com/en-us/azure/active-directory/develop/publisher-verification-overview",[3686],{"data":3687,"marks":3688,"value":3690,"nodeType":1293},{},[3689],{"type":1370},"publisher verification process ",{"data":3692,"marks":3693,"value":3694,"nodeType":1293},{},[],"that’s dependent on its Microsoft Cloud Partner Program, whereas Google has a ",{"data":3696,"content":3698,"nodeType":1419},{"uri":3697},"https://support.google.com/cloud/answer/9110914?hl=en#zippy=%2Csteps-to-prepare-for-verification",[3699],{"data":3700,"marks":3701,"value":3703,"nodeType":1293},{},[3702],{"type":1370},"brand verification process",{"data":3705,"marks":3706,"value":3707,"nodeType":1293},{},[]," that also has different levels of requirements depending on the level of data access requested.",{"data":3709,"content":3710,"nodeType":1294},{},[3711,3715,3724],{"data":3712,"marks":3713,"value":3714,"nodeType":1293},{},[],"While being verified does not mean an integration poses no risk – in fact, there ",{"data":3716,"content":3718,"nodeType":1419},{"uri":3717},"https://msrc.microsoft.com/blog/2023/01/threat-actor-consent-phishing-campaign-abusing-the-verified-publisher-process/",[3719],{"data":3720,"marks":3721,"value":3723,"nodeType":1293},{},[3722],{"type":1370},"have been malicious phishing campaigns using verified publishers",{"data":3725,"marks":3726,"value":3727,"nodeType":1293},{},[]," – it at least provides some extra 
assurance around what the integration actually is. This is especially true with Google integrations where access to restricted scopes has been granted.",{"data":3729,"content":3730,"nodeType":1294},{},[3731],{"data":3732,"marks":3733,"value":3734,"nodeType":1293},{},[],"For example, consider the Slack OAuth integration for Google Workspace. The name and icon make it very clear what the integration is claiming to be and the verification status shows that Google has verified this data - so you can quickly ensure the vendor is who they say they are, accept them as a third-party vendor, and move on to more traditional risk assessments. You can start to address questions like, “Should Slack be used within the organization?” “Does Slack as a company meet required security and compliance standards?” “Is an OAuth integration required or should it be used purely as a web or desktop app?” and so on.   ",{"data":3736,"content":3740,"nodeType":1384},{"target":3737},{"sys":3738},{"id":3739,"type":1363,"linkType":1364},"aYslILzQ1kwQUHy7Cw7lR",[],{"data":3742,"content":3746,"nodeType":1384},{"target":3743},{"sys":3744},{"id":3745,"type":1363,"linkType":1364},"OmghmgRgSrdtMW9kgHaoa",[],{"data":3748,"content":3749,"nodeType":1343},{},[3750],{"data":3751,"marks":3752,"value":3754,"nodeType":1293},{},[3753],{"type":3423},"Reply URLs and Approved Domains",{"data":3756,"content":3757,"nodeType":1294},{},[3758],{"data":3759,"marks":3760,"value":3761,"nodeType":1293},{},[],"Some integrations may be unverified or have very generic or confusing names that give little indication as to who is actually behind the integration. 
For example, consider the following Microsoft OAuth integration:",{"data":3763,"content":3767,"nodeType":1384},{"target":3764},{"sys":3765},{"id":3766,"type":1363,"linkType":1364},"2smtwpUnKZElj4tmZUcobg",[],{"data":3769,"content":3773,"nodeType":1384},{"target":3770},{"sys":3771},{"id":3772,"type":1363,"linkType":1364},"23Dg0elnnY1j0dHP3GICJc",[],{"data":3775,"content":3776,"nodeType":1294},{},[3777],{"data":3778,"marks":3779,"value":3780,"nodeType":1293},{},[],"This integration says that it’s Trello, the well known SaaS platform. However, it’s unverified, so how do we actually know it is really Trello and not a malicious app masquerading as Trello? Reply URLs (Microsoft) and approved domains (Google) are other interesting sources of data about an integration as they give authorized callback URLs. ",{"data":3782,"content":3783,"nodeType":1294},{},[3784],{"data":3785,"marks":3786,"value":3787,"nodeType":1293},{},[],"During a common code-based flow for an OAuth consent, once the user has authorized the request, a redirect needs to be made back to a domain/URL that is controlled by the OAuth app vendor to pass the code back to the app. Then the app can use the code to get a token that can be used to act on behalf of the user. ",{"data":3789,"content":3790,"nodeType":1294},{},[3791],{"data":3792,"marks":3793,"value":3794,"nodeType":1293},{},[],"If any domain or URL could be used then there would be nothing stopping an attacker from impersonating legitimate OAuth apps and having the details passed back to a domain they control. This is much less of an issue with code-based flows, since the attacker would need access to the app secrets as well. However, with implicit flows that pass the token back directly, that would mean an impersonation attack would be possible and implicit flows are still somewhat common. To guard against this, the app owner has to specify exactly which domains or URLs are permitted for sending codes and tokens to. 
",{"data":3796,"content":3797,"nodeType":1294},{},[3798,3802,3810],{"data":3799,"marks":3800,"value":3801,"nodeType":1293},{},[],"For Microsoft, this is one of the many fields returned from Graph API if you ",{"data":3803,"content":3805,"nodeType":1419},{"uri":3804},"https://learn.microsoft.com/en-us/graph/api/serviceprincipal-get?view=graph-rest-1.0&tabs=http",[3806],{"data":3807,"marks":3808,"value":3809,"nodeType":1293},{},[],"enumerate the service principals for apps installed",{"data":3811,"marks":3812,"value":3813,"nodeType":1293},{},[]," on your tenant. ",{"data":3815,"content":3819,"nodeType":1384},{"target":3816},{"sys":3817},{"id":3818,"type":1363,"linkType":1364},"115UEpFqDESlZJ0F5TqMjj",[],{"data":3821,"content":3822,"nodeType":1294},{},[3823],{"data":3824,"marks":3825,"value":3826,"nodeType":1293},{},[],"In this case, the app has only one authorized reply URL, which points to trello.com. This means that authorization tokens can only be sent to this URL. So, for the integration to be used (or abused) the developer (or attacker) would need control of that domain. In this example, you’d have some assurance that this integration is legitimately associated with Trello. However, there are no guarantees. It’s possible for an attacker to put a range of domains in a malicious integration they control and they only need control of one domain to make use of it. So if attackerdomain.com was also present, then trello.com could just be an effort by an attacker to make their integration appear more legitimate. Therefore, you need to consider all domains present as a whole, as the presence of one known legitimate domain isn’t enough on its own if other domains might be questionable. ",{"data":3828,"content":3829,"nodeType":1294},{},[3830,3834,3843],{"data":3831,"marks":3832,"value":3833,"nodeType":1293},{},[],"One caveat here is that this is much less of an issue when it comes to Google apps that have been through Google brand verification. 
Part of the verification process involves ",{"data":3835,"content":3837,"nodeType":1419},{"uri":3836},"https://developers.google.com/identity/protocols/oauth2/production-readiness/brand-verification#authorized-domains",[3838],{"data":3839,"marks":3840,"value":3842,"nodeType":1293},{},[3841],{"type":1370},"ensuring that the vendor owns the domains",{"data":3844,"marks":3845,"value":3846,"nodeType":1293},{},[]," (approved domains) registered in any callbacks. Therefore, if it’s a Google-verified app then you don’t have to worry about legitimate domains being impersonated by an attacker to give a fake sense of legitimacy. ",{"data":3848,"content":3849,"nodeType":1294},{},[3850],{"data":3851,"marks":3852,"value":3853,"nodeType":1293},{},[],"It used to be possible to query the approved domains for a Google app via an undocumented API; however, this recently stopped returning that information. There are still other details returned by the API that can be of use during an investigation. See an example for Slack below, but you can replace the project ID in the URL with any app project ID:",{"data":3855,"content":3859,"nodeType":1384},{"target":3856},{"sys":3857},{"id":3858,"type":1363,"linkType":1364},"4kw9ZSZaGhbmvrp3wlaJgW",[],{"data":3861,"content":3862,"nodeType":1343},{},[3863],{"data":3864,"marks":3865,"value":3867,"nodeType":1293},{},[3866],{"type":3423},"Permissions",{"data":3869,"content":3870,"nodeType":1294},{},[3871],{"data":3872,"marks":3873,"value":3874,"nodeType":1293},{},[],"Both Google and Microsoft provide a very large number of permissions to give fine-grained control of what level of data access an OAuth integration has. This can be everything from a simple social login to access to high-risk data assets, like document stores and email inboxes, as well as administrative functionality. 
",{"data":3876,"content":3877,"nodeType":1294},{},[3878],{"data":3879,"marks":3880,"value":3881,"nodeType":1293},{},[],"It’s worth noting a few differences between how Microsoft and Google handle these permissions. While both have a very large number of fine-grained permissions for users to delegate, Microsoft also has the concept of App Roles, which administrative users can consent to as well. These are often similarly named to delegated permissions, except they give access to data for all users rather than just for the user granting consent. ",{"data":3883,"content":3884,"nodeType":1294},{},[3885,3889,3898],{"data":3886,"marks":3887,"value":3888,"nodeType":1293},{},[],"For example, an ordinary user might be able to consent to grant access to their exchange email inbox using a delegated permission, but an app could also request access to an app role to allow access to all users’ email inboxes and an administrative user could consent to that using the same consent screen. Google does have similar capabilities but they are managed separately ",{"data":3890,"content":3892,"nodeType":1419},{"uri":3891},"https://support.google.com/a/answer/162106?hl=en",[3893],{"data":3894,"marks":3895,"value":3897,"nodeType":1293},{},[3896],{"type":1370},"using domain-wide delegation",{"data":3899,"marks":3900,"value":3287,"nodeType":1293},{},[],{"data":3902,"content":3903,"nodeType":1294},{},[3904],{"data":3905,"marks":3906,"value":3907,"nodeType":1293},{},[],"Another important difference to consider here is that, as mentioned in the section above about verification, Google has different verification requirements depending on the data access requested. 
Microsoft allows even unverified apps to request access to any data, whereas Google designates some of the most sensitive data sources (such as Google Drive and Gmail) as restricted scopes, requiring an app not just to be verified but to have undergone a much more stringent manual security review, including third-party security testing. ",{"data":3909,"content":3910,"nodeType":1294},{},[3911],{"data":3912,"marks":3913,"value":3914,"nodeType":1293},{},[],"Even without good reason to trust an OAuth integration, if the permissions it requests are extremely low risk then arguably it isn’t much of an issue. On the other hand, organizations with a need for a particularly stringent level of security may not be comfortable sharing high-risk permissions with even fairly established SaaS vendors. Consequently, one of the most important data sources for evaluating the risk of an OAuth integration is the set of permissions it has been granted. ",{"data":3916,"content":3917,"nodeType":1294},{},[3918],{"data":3919,"marks":3920,"value":3921,"nodeType":1293},{},[],"An important factor to consider is that permissions are not necessarily fixed to be the same for every user. If more than one employee makes use of the same SaaS integration, it’s possible they may grant different permissions depending on what the integration does and how they enabled it. For example, let’s consider the Slack integration we saw before:",{"data":3923,"content":3927,"nodeType":1384},{"target":3924},{"sys":3925},{"id":3926,"type":1363,"linkType":1364},"37l3selHqmcY8PKCLZEiKN",[],{"data":3929,"content":3930,"nodeType":1294},{},[3931],{"data":3932,"marks":3933,"value":3934,"nodeType":1293},{},[],"In this particular example, we have 15 users who have granted access to three different very low risk permissions concerning their basic account information, which typically are the minimum required in order to enable a simple social login. 
However, additional permissions have been granted for some other users:",{"data":3936,"content":3940,"nodeType":1384},{"target":3937},{"sys":3938},{"id":3939,"type":1363,"linkType":1364},"3pJ0G2yfMnM7fNpP3IMs3a",[],{"data":3942,"content":3943,"nodeType":1294},{},[3944],{"data":3945,"marks":3946,"value":3947,"nodeType":1293},{},[],"It seems 15 users have also allowed access to their Google calendars and 5 users have also allowed full access to their Google Drive. This is due to different employees adding different Slack apps to enable calendar and file integration. For example, a standard social login to Slack using a Google account won’t even present the user with a consent screen because it only requests the most basic scopes. However, add a sensitive Slack app integration, like the one for Google Drive, and the user will receive a consent screen that looks like this, which is where this difference between users comes from:",{"data":3949,"content":3953,"nodeType":1384},{"target":3950},{"sys":3951},{"id":3952,"type":1363,"linkType":1364},"fjM0oY0viy3p9OAxdrmtT",[],{"data":3955,"content":3956,"nodeType":1294},{},[3957],{"data":3958,"marks":3959,"value":3960,"nodeType":1293},{},[],"Even if Slack is an officially used SaaS provider for an organization though, perhaps enabling complete Google Drive access to a third party would be seen as a compliance risk too far, in which case, you could revoke the file permissions to reduce risk, if desired. ",{"data":3962,"content":3963,"nodeType":1294},{},[3964,3968,3978],{"data":3965,"marks":3966,"value":3967,"nodeType":1293},{},[],"In cases of untrusted OAuth integrations or those that are difficult to verify, the overall risk still remains very low if innocuous permissions like those required for social logins are the only permissions granted. In fact, the majority of OAuth integrations we see at Push do not request anything other than social login permissions. 
If you want to know more about social login risk then check our previous article ",{"data":3969,"content":3973,"nodeType":1358},{"target":3970},{"sys":3971},{"id":3972,"type":1363,"linkType":1364},"1pbtctbbJRqLuz8dOsecOt",[3974],{"data":3975,"marks":3976,"value":3977,"nodeType":1293},{},[],"here",{"data":3979,"marks":3980,"value":3981,"nodeType":1293},{},[],". However, much more careful attention should be paid once you see unknown integrations with high-risk permissions, such as full access to file stores.",{"data":3983,"content":3984,"nodeType":1343},{},[3985],{"data":3986,"marks":3987,"value":3989,"nodeType":1293},{},[3988],{"type":3423},"Activity Logs",{"data":3991,"content":3992,"nodeType":1294},{},[3993],{"data":3994,"marks":3995,"value":3996,"nodeType":1293},{},[],"It’s one thing to know what an integration can access in principle, due to its permissions, but it’s another to know what it’s actually doing. In one case, an integration may have requested permissions in order to access a user’s entire file store, but it may only use that functionality when specifically directed to as a result of a user attempting to share a file or some other trigger activity.",{"data":3998,"content":3999,"nodeType":1294},{},[4000],{"data":4001,"marks":4002,"value":4003,"nodeType":1293},{},[],"That isn’t to say there is no risk: if the vendor is compromised and the tokens stolen, an attacker could arbitrarily access any files they like. However, if an integration constantly accesses all users’ files and syncs them in their entirety then that is clearly a very different risk profile to observe. Additionally, the ability to determine what an integration has actually done in an incident response scenario is invaluable.  ",{"data":4005,"content":4006,"nodeType":1294},{},[4007],{"data":4008,"marks":4009,"value":4010,"nodeType":1293},{},[],"Microsoft and Google offer different options here, which aren’t always available by default. 
Google provides API call visibility for OAuth integrations, which gives extremely detailed visibility of what an OAuth integration is doing and when. Here you can see the Slack integration using its Google Drive permissions to look for notifications for file changes, while the Thunderbird email integration is accessing some gmail related label data:",{"data":4012,"content":4016,"nodeType":1384},{"target":4013},{"sys":4014},{"id":4015,"type":1363,"linkType":1364},"UqbMx5UzEimig5uvUvag7",[],{"data":4018,"content":4019,"nodeType":1294},{},[4020,4024,4031],{"data":4021,"marks":4022,"value":4023,"nodeType":1293},{},[],"The key caveat with Google is that it’s not available on all plans. You can see ",{"data":4025,"content":4027,"nodeType":1419},{"uri":4026},"https://support.google.com/a/answer/6124308?hl=en",[4028],{"data":4029,"marks":4030,"value":3977,"nodeType":1293},{},[],{"data":4032,"marks":4033,"value":4034,"nodeType":1293},{},[]," that it's only available using Enterprise, Education and Cloud Identity Premium licenses. ",{"data":4036,"content":4037,"nodeType":1294},{},[4038],{"data":4039,"marks":4040,"value":4041,"nodeType":1293},{},[],"For Microsoft, rather than separate OAuth API call data, detailed audit data available as part of Microsoft Purview often gives context that can be traced back to OAuth integrations when that was the source. For example, here you can see the Mozilla Thunderbird OAuth integration being used to download a file from OneDrive. This is the same event you would get if a file was downloaded from a web interface, but in this case you can see in the AppAccessContext that it specifies a ClientAppId, which refers to the OAuth integration performing the action. 
This means you can track all activity specifically back to individual OAuth integrations separately from activity performed by a user within web interfaces - a very useful capability!",{"data":4043,"content":4047,"nodeType":1384},{"target":4044},{"sys":4045},{"id":4046,"type":1363,"linkType":1364},"38oqwAXkDrQSJzP1ByECLF",[],{"data":4049,"content":4050,"nodeType":1343},{},[4051],{"data":4052,"marks":4053,"value":2596,"nodeType":1293},{},[4054],{"type":3423},{"data":4056,"content":4057,"nodeType":1294},{},[4058],{"data":4059,"marks":4060,"value":4061,"nodeType":1293},{},[],"In this article, we have seen a range of ways that OAuth integrations for both Microsoft and Google can be investigated in order to gain a better understanding of their risk profile, as well as investigating what they actually do in an incident response scenario. While there are no hard and fast rules for when an integration should be considered safe or dangerous, hopefully this gives some idea as to how to perform a risk assessment to make a call depending on your organization’s risk tolerance level. 
",{"entries":4063},{"inline":4064,"hyperlink":4065,"block":4070},[],[4066],{"sys":4067,"__typename":1313,"title":4068,"slug":4069},{"id":3972},"Should I let my employees login with their work Google account?","should-i-let-my-employees-login-with-their-work-google-account",[4071,4080,4088,4096,4104,4111,4117,4124,4131,4138,4144],{"sys":4072,"__typename":4073,"title":4074,"caption":4074,"layoutMode":4075,"file":4076},{"id":3739},"Image","Social login to Slack","Left aligned",{"url":4077,"width":4078,"height":4079},"https://images.ctfassets.net/y1cdw1ablpvd/5fE5HSCtxJCwiSOiOaaG7o/639e5033b710b30c8de9b669e08572b9/image2.png",464,223,{"sys":4081,"__typename":4073,"title":4082,"caption":4083,"layoutMode":4075,"file":4084},{"id":3745},"Google admin interface Slack app","Slack integration within the Google admin interface",{"url":4085,"width":4086,"height":4087},"https://images.ctfassets.net/y1cdw1ablpvd/r04yvAAhlbTQAQRCkY8Bv/9f6bdfeb8c9210f36d7ae6bf5b72566b/image3.png",1999,965,{"sys":4089,"__typename":4073,"title":4090,"caption":4091,"layoutMode":4075,"file":4092},{"id":3766},"Trello integration unverified","An unverified Trello integration",{"url":4093,"width":4094,"height":4095},"https://images.ctfassets.net/y1cdw1ablpvd/2WSgNWcGqrWNQISb8buhOF/e058a59fc3c932824723f794dfd72637/image9.png",340,170,{"sys":4097,"__typename":4073,"title":4098,"caption":4099,"layoutMode":4075,"file":4100},{"id":3772},"Permissions for unverified Trello app","A snippet of the permissions request dialog for the Trello app",{"url":4101,"width":4102,"height":4103},"https://images.ctfassets.net/y1cdw1ablpvd/4hYioezvlfTTDxhyJrDIVt/247dc24800473451791cf403e2f125f8/image7.png",442,262,{"sys":4105,"__typename":4073,"title":4106,"caption":4106,"layoutMode":4075,"file":4107},{"id":3818},"Reply URL for unverified Trello 
app",{"url":4108,"width":4109,"height":4110},"https://images.ctfassets.net/y1cdw1ablpvd/ISg8hPXTh5e2rKiPECRIy/c4333b96ea789b97fbbdceea9db88d1a/image10.png",960,126,{"sys":4112,"__typename":4113,"name":4114,"type":4115,"syntax":4116},{"id":3858},"CodeBlockComponent","Undocumented Google API output for Slack app integration","json","% curl -H \"Origin: https://console.cloud.google.com\" \"https://clientauthconfig.googleapis.com/v1/brands/lookupkey/brand/19570130570?readMask=*&readOptions.staleness=0.02s&returnDeveloperBrand=true&returnDisabledBrands=true&key=AIzaSyCI-zsRP85UVOi0DjtiCwWBwQ1djDy741g\"\n{\n  \"brandId\": \"19570130570\",\n  \"projectNumbers\": [\n    \"19570130570\"\n  ],\n  \"displayName\": \"Slack\",\n  \"iconUrl\": \"https://lh3.googleusercontent.com/J5SGBWHMF0_vgcIekl1hEhJ1-_p_zsG3L0i1s_bU2bK_TiSLObT7kK1Le9tnme1h3zA\",\n  \"supportEmail\": \"help@slack-corp.com\",\n  \"homePageUrl\": \"http://slack.com/\",\n  \"termsOfServiceUrls\": [\n    \"https://slack.com/terms-of-service\"\n  ],\n  \"privacyPolicyUrls\": [\n    \"https://slack.com/privacy-policy\"\n  ],\n  \"brandState\": {\n    \"limits\": {\n      \"defaultMaxClientCount\": 36\n    }\n  },\n  \"verifiedBrand\": {\n    \"displayName\": {\n      \"value\": \"Slack\",\n      \"reason\": \"APPEALED\"\n    },\n    \"storedIconUrl\": {\n      \"value\": \"https://lh3.googleusercontent.com/J5SGBWHMF0_vgcIekl1hEhJ1-_p_zsG3L0i1s_bU2bK_TiSLObT7kK1Le9tnme1h3zA\",\n      \"reason\": \"APPEALED\"\n    },\n    \"supportEmail\": {\n      \"value\": \"help@slack-corp.com\",\n      \"reason\": \"APPEALED\"\n    },\n    \"homePageUrl\": {\n      \"value\": \"http://slack.com/\",\n      \"reason\": \"APPEALED\"\n    },\n    \"privacyPolicyUrl\": {\n      \"value\": \"https://slack.com/privacy-policy\",\n      \"reason\": \"APPEALED\"\n    },\n    \"termsOfServiceUrl\": {\n      \"value\": \"https://slack.com/terms-of-service\",\n      \"reason\": \"APPEALED\"\n    }\n  },\n  \"storedIconUrl\": 
\"https://lh3.googleusercontent.com/J5SGBWHMF0_vgcIekl1hEhJ1-_p_zsG3L0i1s_bU2bK_TiSLObT7kK1Le9tnme1h3zA\",\n  \"consistencyToken\": \"2020-12-04T13:12:40.648327Z\"\n}\n",{"sys":4118,"__typename":4073,"title":4119,"caption":4119,"layoutMode":4075,"file":4120},{"id":3926},"OAuth permissions shared among multiple users",{"url":4121,"width":4122,"height":4123},"https://images.ctfassets.net/y1cdw1ablpvd/1JHLqZMqeqnHasvQk9xuTQ/a77fa0afee66150bb2bac14fe15501a2/image11.png",1456,348,{"sys":4125,"__typename":4073,"title":4126,"caption":4126,"layoutMode":4075,"file":4127},{"id":3939},"Additional permissions for different users for the same integration",{"url":4128,"width":4129,"height":4130},"https://images.ctfassets.net/y1cdw1ablpvd/5TupKuFwjurR3ruCi2EjYK/d22b2158da8f57cd1d902452edd0a8d8/image8.png",1042,508,{"sys":4132,"__typename":4073,"title":4133,"caption":4133,"layoutMode":4075,"file":4134},{"id":3952},"Additional user consent screen for OAuth integration",{"url":4135,"width":4136,"height":4137},"https://images.ctfassets.net/y1cdw1ablpvd/6rR3a2Otef1eeFBoDyakDp/5696d6b2017e3e328b61938abc376e91/image6.png",470,949,{"sys":4139,"__typename":4073,"title":4140,"caption":4140,"layoutMode":4075,"file":4141},{"id":4015},"Activity log for Thunderbird email integration",{"url":4142,"width":4086,"height":4143},"https://images.ctfassets.net/y1cdw1ablpvd/1RXpUsmbZ36UYUEIQNtFu9/b8b87d063e2a3e4eface9504b623fa93/image5.png",209,{"sys":4145,"__typename":4073,"title":4146,"caption":4146,"layoutMode":4075,"file":4147},{"id":4046},"Detailed activity audit data for Thunderbird 
integration",{"url":4148,"width":4149,"height":4150},"https://images.ctfassets.net/y1cdw1ablpvd/xknN2HxbPK7igpYqUlbq9/969a89ace999f174c776be67ff702e9b/image1.png",1101,648,"content:blog:an-investigation-guide-for-assessing-app-to-app-oauth-integration-risk.json","content","blog/an-investigation-guide-for-assessing-app-to-app-oauth-integration-risk.json","blog/an-investigation-guide-for-assessing-app-to-app-oauth-integration-risk",1776359992505]