[{"data":1,"prerenderedAt":5154},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":95,"blog/browser-sync-attacks-where-personal-account-hacks-lead-to-corporate-breaches":155,"use-case-page":4135},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8,59,76],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":14,"data":15,"variations":50,"lastUpdated":51,"firstPublished":52,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":54,"meta":55,"rev":58},1742213002749,"efff2a27faf4408e9f908eba4b5542fe","inductive-automation","1c6207a5f24948ab82d4a0b17f251193","published",[],{"testimonial":16,"description":43,"type":19,"link":44,"title":47,"testimonialLink":48,"image":49},{"@type":17,"id":18,"model":19,"value":20},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79","testimonial",{"query":21,"folders":22,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":26,"variations":30,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":35,"rev":42},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":27,"jobTitle":28,"quote":24,"image":29},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,1,"ST0tXQM8slWpFrmioqKHmENB2qe2",{"kind":36,"lastPreviewUrl":37,"breakpoints":38,"hasAutosaves":41},"data","",{"small":39,"medium":40},640,768,true,"n0c69wxpcx","Join the industry's top security minds as they break down the browser attack landscape.",{"url":45,"text":46},"https://pushsecurity.com/webinar/state-of-browser-security","Save Your Spot","State of Browser Attacks Series","/customer-stories/inductive-automation","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe94fca10aa7b46ac8052b7ea22de54cd",{},1776257019270,1742221533648,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2",[],{"breakpoints":56,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},320,"brpv9ps5x2",{"createdDate":60,"id":61,"name":62,"modelId":12,"published":13,"query":63,"data":64,"variations":69,"lastUpdated":70,"firstPublished":71,"testRatio":33,"createdBy":53,"lastUpdatedBy":72,"folders":73,"meta":74,"rev":58},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner",[],{"type":65,"url":66,"text":67,"link":68},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,"jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":36,"lastPreviewUrl":37,"breakpoints":75,"hasAutosaves":41},{"xsmall":57,"small":39,"medium":40},{"createdDate":77,"id":78,"name":79,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":80,"data":81,"variations":89,"lastUpdated":90,"firstPublished":91,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":92,"meta":93,"rev":58},1742208469288,"6763051b201f44a0838c6400c580ca67","Resource highlight",[],{"image":82,"type":83,"description":84,"link":85,"title":88},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9","resource","Learn about the latest techniques being used in the wild.",{"url":86,"text":87},"/resources/browser-attacks-report","Download now","Report: 2026 Browser Attack Techniques",{},1776255866789,1742208570400,[],{"kind":36,"lastPreviewUrl":37,"breakpoints":94,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},{"createdDate":96,"id":97,"name":98,"modelId":99,"published":13,"query":100,"data":101,"variations":145,"lastUpdated":146,"firstPublished":147,"testRatio":33,"createdBy":34,"lastUpdatedBy":148,"folders":149,"meta":150,"rev":154},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":102,"text":103,"url":37,"blocks":104,"state":141},"ewrererw","testrfesssssssssss",[105,129],{"@type":106,"@version":107,"id":108,"component":109,"responsiveStyles":119},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":110,"tag":110,"options":111,"isRSC":118},"TopBannerContent",{"text":112,"ctaText":46,"url":45,"mainText":113,"cta":116},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks",{"content":114,"fontSize":115},"\u003Cp>New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks\u003C/p>","text-base",{"content":117,"fontSize":115,"url":45},"\u003Cp>\u003Cstrong style=\"font-weight:700;\">Save Your Spot\u003C/strong>\u003C/p>\n",null,{"large":120},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"marginTop":126,"marginBottom":126,"fontSize":127,"fontWeight":128},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"id":130,"@type":106,"tagName":131,"properties":132,"responsiveStyles":136},"builder-pixel-dloynz89rbq","img",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":137},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},"block","hidden","none",{"deviceSize":142,"location":143},"large",{"path":37,"query":144},{},{},1775137295127,1774968080803,"ax7YYfD0OCeqT1Vxxv1G4FUbqVr1",[],{"breakpoints":151,"hasLinks":6,"kind":152,"lastPreviewUrl":153,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests%2CmergePullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default","vvf0k1j1pre",{"_path":156,"_dir":157,"_draft":6,"_partial":6,"_locale":37,"sys":158,"ogImage":118,"summary":161,"title":175,"subtitle":118,"metaTitle":176,"synopsis":171,"hashTags":118,"publishedDate":177,"slug":178,"tagsCollection":179,"relatedBlogPostsCollection":189,"authorsCollection":3474,"content":3478,"_id":4130,"_type":4131,"_source":4132,"_file":4133,"_stem":4134,"_extension":4131},"/blog/browser-sync-attacks-where-personal-account-hacks-lead-to-corporate-breaches","blog",{"id":159,"publishedAt":160},"4Mq5IZ2E0h9HRT3YkkHaLU","2026-04-15T10:01:39.512Z",{"json":162},{"data":163,"content":164,"nodeType":174},{},[165],{"data":166,"content":167,"nodeType":173},{},[168],{"data":169,"marks":170,"value":171,"nodeType":172},{},[],"Browser sync attacks result in business credentials being compromised via personal account and device breaches. Here's what you need to know. ","text","paragraph","document","Browser sync attacks: Where personal account hacks lead to corporate breaches","Analyzing browser sync attacks and how to stop them","2026-04-15T00:00:00.000Z","browser-sync-attacks-where-personal-account-hacks-lead-to-corporate-breaches",{"items":180},[181,185],{"sys":182,"name":184},{"id":183},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"sys":186,"name":188},{"id":187},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"items":190},[191,1591,2664],{"__typename":192,"sys":193,"content":195,"title":1573,"synopsis":1574,"hashTags":118,"publishedDate":1575,"slug":1576,"tagsCollection":1577,"authorsCollection":1583},"BlogPosts",{"id":194},"wI3paLVDlEKdaRI5qMYFc",{"json":196},{"nodeType":174,"data":197,"content":198},{},[199,206,231,238,247,254,261,268,274,278,288,295,301,307,324,538,550,559,566,573,580,600,606,613,616,624,631,664,671,687,708,743,749,756,775,782,789,792,800,807,901,908,915,923,930,937,944,950,958,965,972,979,985,992,1000,1019,1027,1034,1040,1043,1051,1058,1065,1176,1182,1189,1196,1203,1210,1217,1225,1232,1239,1264,1270,1286,1301,1317,1323,1331,1338,1346,1353,1356,1364,1371,1404,1410,1434,1441,1444,1452,1459,1475,1481,1488,1495,1498,1506,1524,1531],{"nodeType":173,"data":200,"content":201},{},[202],{"nodeType":172,"value":203,"marks":204,"data":205},"Here are two things that can’t both be true:",[],{},{"nodeType":207,"data":208,"content":209},"unordered-list",{},[210,221],{"nodeType":211,"data":212,"content":213},"list-item",{},[214],{"nodeType":173,"data":215,"content":216},{},[217],{"nodeType":172,"value":218,"marks":219,"data":220},"Users are the weakest link in security. They just need to stop clicking on things.",[],{},{"nodeType":211,"data":222,"content":223},{},[224],{"nodeType":173,"data":225,"content":226},{},[227],{"nodeType":172,"value":228,"marks":229,"data":230},"The internet is a giant clicking-on-things machine.",[],{},{"nodeType":173,"data":232,"content":233},{},[234],{"nodeType":172,"value":235,"marks":236,"data":237},"In particular, when we look at the TTPs of modern browser-based attacks that target employees, it’s obvious where this disconnect has real consequences. ",[],{},{"nodeType":239,"data":240,"content":246},"embedded-entry-block",{"target":241},{"sys":242},{"id":243,"type":244,"linkType":245},"2x3blnHzZYcJ8c439C4NqI","Link","Entry",[],{"nodeType":173,"data":248,"content":249},{},[250],{"nodeType":172,"value":251,"marks":252,"data":253},"Here’s why: Security tooling hasn’t kept up with adversary advances, and normal human behaviors are being expressly targeted via the browser to achieve compromise of accounts and endpoints. If you list the pitfalls facing the common end-user encountering these kinds of attack methods, the picture becomes even more stark.",[],{},{"nodeType":173,"data":255,"content":256},{},[257],{"nodeType":172,"value":258,"marks":259,"data":260},"To solve these problems, you need security tooling that sits in line with the user where they’re already working: In the browser. In this Push product guide, we’ll cover how you can use Push to provide point-in-time guidance — everything from block pages to informational banners — to protect users from modern browser-based TTPs and to guide them to remediate common vulnerabilities that can lead to account takeover.",[],{},{"nodeType":173,"data":262,"content":263},{},[264],{"nodeType":172,"value":265,"marks":266,"data":267},"We’ve also recently introduced custom branding and styling options for user-facing block pages and banners so you can provide a cohesive and trustworthy experience across your security ecosystem.",[],{},{"nodeType":239,"data":269,"content":273},{"target":270},{"sys":271},{"id":272,"type":244,"linkType":245},"7fwCnr9bz76rWWCL6EReOT",[],{"nodeType":275,"data":276,"content":277},"hr",{},[],{"nodeType":279,"data":280,"content":281},"heading-1",{},[282],{"nodeType":172,"value":283,"marks":284,"data":287},"Why you can’t train users to recognize modern browser-based attack methods",[285],{"type":286},"bold",{},{"nodeType":173,"data":289,"content":290},{},[291],{"nodeType":172,"value":292,"marks":293,"data":294},"User awareness training can help you build your workforce’s basic security baseline. But it’s not a reliable remedy for modern browser-based TTPs. When you look at the creative methods attackers are using — and rapidly improving on — it’s obvious why.",[],{},{"nodeType":239,"data":296,"content":300},{"target":297},{"sys":298},{"id":299,"type":244,"linkType":245},"eHla7GPCH5eTpdfEqW5Zo",[],{"nodeType":239,"data":302,"content":306},{"target":303},{"sys":304},{"id":305,"type":244,"linkType":245},"29vUtbEUam8fhbwnQdINRJ",[],{"nodeType":173,"data":308,"content":309},{},[310,314,320],{"nodeType":172,"value":311,"marks":312,"data":313},"To avoid account or endpoint compromise while going about your daily work as a user, you would need to accomplish these ",[],{},{"nodeType":172,"value":315,"marks":316,"data":319},"extremely 100% achievable activities",[317],{"type":318},"italic",{},{"nodeType":172,"value":321,"marks":322,"data":323},", including:",[],{},{"nodeType":325,"data":326,"content":327},"table",{},[328,355,398,421,457,492],{"nodeType":329,"data":330,"content":331},"table-row",{},[332,344],{"nodeType":333,"data":334,"content":335},"table-header-cell",{},[336],{"nodeType":173,"data":337,"content":338},{},[339],{"nodeType":172,"value":340,"marks":341,"data":343},"Scenario",[342],{"type":286},{},{"nodeType":333,"data":345,"content":346},{},[347],{"nodeType":173,"data":348,"content":349},{},[350],{"nodeType":172,"value":351,"marks":352,"data":354},"Threat",[353],{"type":286},{},{"nodeType":329,"data":356,"content":357},{},[358,384],{"nodeType":359,"data":360,"content":361},"table-cell",{},[362],{"nodeType":173,"data":363,"content":364},{},[365,369,380],{"nodeType":172,"value":366,"marks":367,"data":368},"While using search engines, never click on a ",[],{},{"nodeType":370,"data":371,"content":375},"entry-hyperlink",{"target":372},{"sys":373},{"id":374,"type":244,"linkType":245},"2YmiesBvJHGw4wiKEKzLUq",[376],{"nodeType":172,"value":377,"marks":378,"data":379},"malicious link",[],{},{"nodeType":172,"value":381,"marks":382,"data":383}," in sponsored or organic results (it's often the first link you see, too).",[],{},{"nodeType":359,"data":385,"content":386},{},[387],{"nodeType":173,"data":388,"content":389},{},[390,394],{"nodeType":172,"value":391,"marks":392,"data":393},"M",[],{},{"nodeType":172,"value":395,"marks":396,"data":397},"alvertising, SEO poisoning, compromised legitimate webpages, vibecoded phishing webpages.",[],{},{"nodeType":329,"data":399,"content":400},{},[401,411],{"nodeType":359,"data":402,"content":403},{},[404],{"nodeType":173,"data":405,"content":406},{},[407],{"nodeType":172,"value":408,"marks":409,"data":410},"Know when to trust an email coming from an app you use every day, and when it could be malicious (it looks the same).",[],{},{"nodeType":359,"data":412,"content":413},{},[414],{"nodeType":173,"data":415,"content":416},{},[417],{"nodeType":172,"value":418,"marks":419,"data":420},"Using SaaS services to distribute malicious links using trusted sites (also a handy way of evading email controls).",[],{},{"nodeType":329,"data":422,"content":423},{},[424,447],{"nodeType":359,"data":425,"content":426},{},[427],{"nodeType":173,"data":428,"content":429},{},[430,434,443],{"nodeType":172,"value":431,"marks":432,"data":433},"When reading a LinkedIn DM from a colleague, anticipate that they might have been hacked and have sent you a malicious link. (Yes, this was a ",[],{},{"nodeType":435,"data":436,"content":438},"hyperlink",{"uri":437},"https://pushsecurity.com/blog/how-push-stopped-a-high-risk-linkedin-spear-phishing-attack/",[439],{"nodeType":172,"value":440,"marks":441,"data":442},"real scenario",[],{},{"nodeType":172,"value":444,"marks":445,"data":446},"). ",[],{},{"nodeType":359,"data":448,"content":449},{},[450],{"nodeType":173,"data":451,"content":452},{},[453],{"nodeType":172,"value":454,"marks":455,"data":456},"Abuse of social media, IM platforms, and other apps where you can be directly contacted by users external to your organization. ",[],{},{"nodeType":329,"data":458,"content":459},{},[460,470],{"nodeType":359,"data":461,"content":462},{},[463],{"nodeType":173,"data":464,"content":465},{},[466],{"nodeType":172,"value":467,"marks":468,"data":469},"When logging in to an app, never follow benign-seeming but actually malicious instructions to enter a code onto a legitimate page to complete your login.",[],{},{"nodeType":359,"data":471,"content":472},{},[473],{"nodeType":173,"data":474,"content":475},{},[476,480,488],{"nodeType":172,"value":477,"marks":478,"data":479},"AiTM phishing, OAuth consent phishing, ",[],{},{"nodeType":435,"data":481,"content":483},{"uri":482},"https://pushsecurity.com/blog/device-code-phishing/",[484],{"nodeType":172,"value":485,"marks":486,"data":487},"device code phishing",[],{},{"nodeType":172,"value":489,"marks":490,"data":491},".",[],{},{"nodeType":329,"data":493,"content":494},{},[495,505],{"nodeType":359,"data":496,"content":497},{},[498],{"nodeType":173,"data":499,"content":500},{},[501],{"nodeType":172,"value":502,"marks":503,"data":504},"Know which instructions to follow and which are malicious when verifying that you're human on a CAPTCHA-style page.",[],{},{"nodeType":359,"data":506,"content":507},{},[508],{"nodeType":173,"data":509,"content":510},{},[511,514,522,526,534],{"nodeType":172,"value":37,"marks":512,"data":513},[],{},{"nodeType":435,"data":515,"content":517},{"uri":516},"https://pushsecurity.com/blog/the-most-advanced-clickfix-yet/",[518],{"nodeType":172,"value":519,"marks":520,"data":521},"ClickFix",[],{},{"nodeType":172,"value":523,"marks":524,"data":525},"-style attacks that trick the user into running a malicious script or command, or ",[],{},{"nodeType":435,"data":527,"content":529},{"uri":528},"https://pushsecurity.com/blog/consentfix/",[530],{"nodeType":172,"value":531,"marks":532,"data":533},"ConsentFix",[],{},{"nodeType":172,"value":535,"marks":536,"data":537}," (which is even sneakier and simply involves copying a URL).",[],{},{"nodeType":173,"data":539,"content":540},{},[541,545],{"nodeType":172,"value":542,"marks":543,"data":544},"And we're barely scratching the surface here. ",[],{},{"nodeType":172,"value":546,"marks":547,"data":549},"Easy, right?",[548],{"type":286},{},{"nodeType":551,"data":552,"content":553},"heading-2",{},[554],{"nodeType":172,"value":555,"marks":556,"data":558},"Can't we block users from interacting with bad content? ",[557],{"type":286},{},{"nodeType":173,"data":560,"content":561},{},[562],{"nodeType":172,"value":563,"marks":564,"data":565},"So if you can’t train your way out of these problems, what about locking down and blocking your way out of the problem?",[],{},{"nodeType":173,"data":567,"content":568},{},[569],{"nodeType":172,"value":570,"marks":571,"data":572},"This, too, simply isn’t really feasible. ",[],{},{"nodeType":173,"data":574,"content":575},{},[576],{"nodeType":172,"value":577,"marks":578,"data":579},"Modern cloud-first adversaries routinely rotate domains on malicious pages; use trusted services like SharePoint, Adobe, Google Sites, Cloudflare, and Atlassian to deliver lures; target end-users across multiple channels, including social media, forums, chat platforms, Google search results, email, and webpages; and use legitimate security tools like bot protection to bypass detection by other legitimate security tools, such as web content scanning and analysis solutions.",[],{},{"nodeType":173,"data":581,"content":582},{},[583,587,591,596],{"nodeType":172,"value":584,"marks":585,"data":586},"To safely navigate the internet today, y",[],{},{"nodeType":172,"value":588,"marks":589,"data":590},"ou need to be able to spot malicious pages and content ",[],{},{"nodeType":172,"value":592,"marks":593,"data":595},"the first time they're seen in the wild",[594],{"type":286},{},{"nodeType":172,"value":597,"marks":598,"data":599},". If you're relying on indicators of known bad, you're always a step behind, leaving users exposed.",[],{},{"nodeType":239,"data":601,"content":605},{"target":602},{"sys":603},{"id":604,"type":244,"linkType":245},"3ZfqOLRdJZJIc78rj9E9JZ",[],{"nodeType":173,"data":607,"content":608},{},[609],{"nodeType":172,"value":610,"marks":611,"data":612},"To protect users while they work online, you need a purpose-built security tool that can respond in real time to modern TTPs and guide users securely — without introducing extra work or a lot of friction. Push can help with that.",[],{},{"nodeType":275,"data":614,"content":615},{},[],{"nodeType":279,"data":617,"content":618},{},[619],{"nodeType":172,"value":620,"marks":621,"data":623},"Why in-browser controls?",[622],{"type":286},{},{"nodeType":173,"data":625,"content":626},{},[627],{"nodeType":172,"value":628,"marks":629,"data":630},"Simply put, using in-browser security controls gets you the closest to the user and their work in order to protect them from modern browser-based threats. Adding in-browser controls also solves two tricky problems for security teams: ",[],{},{"nodeType":207,"data":632,"content":633},{},[634,649],{"nodeType":211,"data":635,"content":636},{},[637],{"nodeType":173,"data":638,"content":639},{},[640,645],{"nodeType":172,"value":641,"marks":642,"data":644},"Filling the gap between solution layers",[643],{"type":286},{},{"nodeType":172,"value":646,"marks":647,"data":648}," in order to detect and block attack methods like Adversary-in-the-Middle phishing, malicious browser extensions, and ClickFix-style social engineering attacks that other tools miss.",[],{},{"nodeType":211,"data":650,"content":651},{},[652],{"nodeType":173,"data":653,"content":654},{},[655,660],{"nodeType":172,"value":656,"marks":657,"data":659},"Providing just-in-time security enforcement",[658],{"type":286},{},{"nodeType":172,"value":661,"marks":662,"data":663}," to end-users when it’s the right moment to act on that guidance, reducing your attack surface across your online apps, browser extensions, and accounts, and ensuring your app usage policies are followed.",[],{},{"nodeType":551,"data":665,"content":666},{},[667],{"nodeType":172,"value":668,"marks":669,"data":670},"Fill the gap between solution layers",[],{},{"nodeType":173,"data":672,"content":673},{},[674,678,683],{"nodeType":172,"value":675,"marks":676,"data":677},"Most existing security solutions operate just ",[],{},{"nodeType":172,"value":679,"marks":680,"data":682},"outside",[681],{"type":318},{},{"nodeType":172,"value":684,"marks":685,"data":686}," the context of a user interacting with a webpage. This leaves blind spots that attackers are exploiting between layers of security tooling.",[],{},{"nodeType":173,"data":688,"content":689},{},[690,694,704],{"nodeType":172,"value":691,"marks":692,"data":693},"For example, network proxies see HTTP requests, URLs, and page headers, but not the ",[],{},{"nodeType":370,"data":695,"content":699},{"target":696},{"sys":697},{"id":698,"type":244,"linkType":245},"5caCcGCqMMPm5KlwUv0sbz",[700],{"nodeType":172,"value":701,"marks":702,"data":703},"structural elements",[],{},{"nodeType":172,"value":705,"marks":706,"data":707}," of the DOM or on-page user interactions that are key to fingerprinting the behavior of AiTM phishing kits or ClickFix-style social engineering attacks. ",[],{},{"nodeType":173,"data":709,"content":710},{},[711,715,725,729,739],{"nodeType":172,"value":712,"marks":713,"data":714},"Similarly, ",[],{},{"nodeType":370,"data":716,"content":720},{"target":717},{"sys":718},{"id":719,"type":244,"linkType":245},"6YWYKGESlyUKQxvhKmBzeH",[721],{"nodeType":172,"value":722,"marks":723,"data":724},"EDR tools",[],{},{"nodeType":172,"value":726,"marks":727,"data":728}," only see the bad thing when it hits the endpoint, and many ",[],{},{"nodeType":370,"data":730,"content":734},{"target":731},{"sys":732},{"id":733,"type":244,"linkType":245},"2k2aDK5dyQKlQBrk66pMXE",[735],{"nodeType":172,"value":736,"marks":737,"data":738},"cloud security tools",[],{},{"nodeType":172,"value":740,"marks":741,"data":742}," rely on complex policy configurations across a core set of apps to provide security protection — leaving a gap in detection and response capabilities outside their purview.",[],{},{"nodeType":239,"data":744,"content":748},{"target":745},{"sys":746},{"id":747,"type":244,"linkType":245},"50NyBpr96dKspvTzJTBOlC",[],{"nodeType":551,"data":750,"content":751},{},[752],{"nodeType":172,"value":753,"marks":754,"data":755},"Provide just-in-time security enforcement",[],{},{"nodeType":173,"data":757,"content":758},{},[759,763,771],{"nodeType":172,"value":760,"marks":761,"data":762},"As some of our customers like to say, Push provides security teams with a ",[],{},{"nodeType":435,"data":764,"content":766},{"uri":765},"/customer-stories/upvest",[767],{"nodeType":172,"value":768,"marks":769,"data":770},"“seat on the user’s side”",[],{},{"nodeType":172,"value":772,"marks":773,"data":774}," of the equation so you can enforce security best practices.",[],{},{"nodeType":173,"data":776,"content":777},{},[778],{"nodeType":172,"value":779,"marks":780,"data":781},"Having that seat on the user’s side also helps you deliver guidance in the right context for it to be followed: When the user is engaged in doing the behavior you want to influence (or prevent). The right information, at the right time, in the right format — not a belated reminder through a different channel that’s easy to ignore.",[],{},{"nodeType":173,"data":783,"content":784},{},[785],{"nodeType":172,"value":786,"marks":787,"data":788},"With those outcomes in mind, let’s look at some specific solutions from the Push platform.",[],{},{"nodeType":275,"data":790,"content":791},{},[],{"nodeType":279,"data":793,"content":794},{},[795],{"nodeType":172,"value":796,"marks":797,"data":799},"How Push helps you protect users from browser-based ATO, ClickFix, and similar attacks",[798],{"type":286},{},{"nodeType":173,"data":801,"content":802},{},[803],{"nodeType":172,"value":804,"marks":805,"data":806},"The Push platform provides out-of-the-box detections for browser-based attacks, including:",[],{},{"nodeType":207,"data":808,"content":809},{},[810,833,856,878],{"nodeType":211,"data":811,"content":812},{},[813],{"nodeType":173,"data":814,"content":815},{},[816,819,829],{"nodeType":172,"value":37,"marks":817,"data":818},[],{},{"nodeType":370,"data":820,"content":824},{"target":821},{"sys":822},{"id":823,"type":244,"linkType":245},"7KRnTSnJAbbiho69gNyN0B",[825],{"nodeType":172,"value":826,"marks":827,"data":828},"AiTM phishing kits",[],{},{"nodeType":172,"value":830,"marks":831,"data":832}," that can bypass MFA",[],{},{"nodeType":211,"data":834,"content":835},{},[836],{"nodeType":173,"data":837,"content":838},{},[839,842,852],{"nodeType":172,"value":37,"marks":840,"data":841},[],{},{"nodeType":370,"data":843,"content":847},{"target":844},{"sys":845},{"id":846,"type":244,"linkType":245},"jN3GN5ddMJZiDtl0fgUVd",[848],{"nodeType":172,"value":849,"marks":850,"data":851},"Cloned login pages",[],{},{"nodeType":172,"value":853,"marks":854,"data":855}," designed to steal user credentials",[],{},{"nodeType":211,"data":857,"content":858},{},[859],{"nodeType":173,"data":860,"content":861},{},[862,865,875],{"nodeType":172,"value":37,"marks":863,"data":864},[],{},{"nodeType":370,"data":866,"content":870},{"target":867},{"sys":868},{"id":869,"type":244,"linkType":245},"5NyiWgjMDwk16XZ0S681JK",[871],{"nodeType":172,"value":872,"marks":873,"data":874},"Malicious browser extensions",[],{},{"nodeType":172,"value":37,"marks":876,"data":877},[],{},{"nodeType":211,"data":879,"content":880},{},[881],{"nodeType":173,"data":882,"content":883},{},[884,887,897],{"nodeType":172,"value":37,"marks":885,"data":886},[],{},{"nodeType":370,"data":888,"content":892},{"target":889},{"sys":890},{"id":891,"type":244,"linkType":245},"7jygmadjoz0asAHv7e5PuK",[893],{"nodeType":172,"value":894,"marks":895,"data":896},"Malicious copy and paste attacks",[],{},{"nodeType":172,"value":898,"marks":899,"data":900}," like ClickFix, FileFix, and similar",[],{},{"nodeType":173,"data":902,"content":903},{},[904],{"nodeType":172,"value":905,"marks":906,"data":907},"For each of these attack vectors, Push delivers detection events and associated metadata for quick triage by the security team, as well as employee-facing warn or block screens, based on your selected configuration.",[],{},{"nodeType":173,"data":909,"content":910},{},[911],{"nodeType":172,"value":912,"marks":913,"data":914},"Here’s a snapshot of the capabilities of these controls and what end-users will experience.",[],{},{"nodeType":551,"data":916,"content":917},{},[918],{"nodeType":172,"value":919,"marks":920,"data":922},"The scenario:",[921],{"type":286},{},{"nodeType":173,"data":924,"content":925},{},[926],{"nodeType":172,"value":927,"marks":928,"data":929},"When a user encounters a malicious page — whether that’s an AiTM phishing tool running on a webpage, or a ClickFix-style attack — or attempts to install a malicious extension, Push immediately steps in. ",[],{},{"nodeType":173,"data":931,"content":932},{},[933],{"nodeType":172,"value":934,"marks":935,"data":936},"Push can prevent users from entering their credentials on phishing pages, including cloned login pages, or from pasting malicious clipboard contents that can run malware on their device. Push can also prevent users from installing known-bad browser extensions. ",[],{},{"nodeType":173,"data":938,"content":939},{},[940],{"nodeType":172,"value":941,"marks":942,"data":943},"In each of these scenarios, Push admins get detailed detection information they can use to triage the incident.",[],{},{"nodeType":239,"data":945,"content":949},{"target":946},{"sys":947},{"id":948,"type":244,"linkType":245},"5jR3YVUiusHGnXDOyrgYpr",[],{"nodeType":551,"data":951,"content":952},{},[953],{"nodeType":172,"value":954,"marks":955,"data":957},"How it works:",[956],{"type":286},{},{"nodeType":173,"data":959,"content":960},{},[961],{"nodeType":172,"value":962,"marks":963,"data":964},"Rather than relying on known-bad intelligence like domains or URLs, Push performs a behavioral and structural analysis of malicious pages in real time.",[],{},{"nodeType":173,"data":966,"content":967},{},[968],{"nodeType":172,"value":969,"marks":970,"data":971},"That means a phishing page never has to appear in a threat intelligence feed in order to be detected and blocked.",[],{},{"nodeType":173,"data":973,"content":974},{},[975],{"nodeType":172,"value":976,"marks":977,"data":978},"Similarly, for malicious copy and paste attacks like ClickFix, Push analyzes the content copied to the clipboard but also evaluates the context of the page to reduce false positives. In blocking mode, Push’s control for ClickFix-style attacks replaces the malicious clipboard contents with safe text — preventing potential endpoint compromise before it can occur.",[],{},{"nodeType":239,"data":980,"content":984},{"target":981},{"sys":982},{"id":983,"type":244,"linkType":245},"3OkejjEjV9xflBc5ouOVFn",[],{"nodeType":173,"data":986,"content":987},{},[988],{"nodeType":172,"value":989,"marks":990,"data":991},"Finally, for identifying malicious browser extensions, Push takes a slightly different approach — combining both behavioral detections and curated intelligence of known-bad extensions from our own research and from trusted industry sources. We’ve found this combination provides the highest-fidelity way to identify malicious extensions without relying on approaches like analyzing extension permissions, which often isn’t actionable. ",[],{},{"nodeType":551,"data":993,"content":994},{},[995],{"nodeType":172,"value":996,"marks":997,"data":999},"Your security team gets:",[998],{"type":286},{},{"nodeType":173,"data":1001,"content":1002},{},[1003,1007,1015],{"nodeType":172,"value":1004,"marks":1005,"data":1006},"Readymade detection and alerting, combined with detailed telemetry. Detections and their associated metadata can be consumed via ",[],{},{"nodeType":435,"data":1008,"content":1010},{"uri":1009},"/help/audience/administrators/docs/getting-started/#api-and-webhooks",[1011],{"nodeType":172,"value":1012,"marks":1013,"data":1014},"Push’s REST API and webhooks",[],{},{"nodeType":172,"value":1016,"marks":1017,"data":1018},". ",[],{},{"nodeType":551,"data":1020,"content":1021},{},[1022],{"nodeType":172,"value":1023,"marks":1024,"data":1026},"Your end-users see:",[1025],{"type":286},{},{"nodeType":173,"data":1028,"content":1029},{},[1030],{"nodeType":172,"value":1031,"marks":1032,"data":1033},"An immediate block screen in your company colors and brand style, providing a highly memorable, contextual moment of learning — and reassuring them that an incident has been prevented.",[],{},{"nodeType":239,"data":1035,"content":1039},{"target":1036},{"sys":1037},{"id":1038,"type":244,"linkType":245},"4QfjDDfKjohKr1qqDLRT0m",[],{"nodeType":275,"data":1041,"content":1042},{},[],{"nodeType":279,"data":1044,"content":1045},{},[1046],{"nodeType":172,"value":1047,"marks":1048,"data":1050},"How Push helps you remediate account vulnerabilities at scale",[1049],{"type":286},{},{"nodeType":173,"data":1052,"content":1053},{},[1054],{"nodeType":172,"value":1055,"marks":1056,"data":1057},"Just-in-time security enforcement works best when it’s trustworthy and contextual — without making a lot more work for your team. Push also provides readymade controls for remediating common account vulnerabilities that contribute to your attack surface online, helping you harden existing accounts and reduce behaviors that introduce new risks.",[],{},{"nodeType":173,"data":1059,"content":1060},{},[1061],{"nodeType":172,"value":1062,"marks":1063,"data":1064},"With Push, you can:",[],{},{"nodeType":207,"data":1066,"content":1067},{},[1068,1091,1129,1153],{"nodeType":211,"data":1069,"content":1070},{},[1071],{"nodeType":173,"data":1072,"content":1073},{},[1074,1077,1087],{"nodeType":172,"value":37,"marks":1075,"data":1076},[],{},{"nodeType":370,"data":1078,"content":1082},{"target":1079},{"sys":1080},{"id":1081,"type":244,"linkType":245},"6FYHbkcRUrtznPo7RarRsz",[1083],{"nodeType":172,"value":1084,"marks":1085,"data":1086},"Prevent the phishing or reuse of high-value passwords",[],{},{"nodeType":172,"value":1088,"marks":1089,"data":1090},", like your IdP, AWS, or code repository passwords.",[],{},{"nodeType":211,"data":1092,"content":1093},{},[1094],{"nodeType":173,"data":1095,"content":1096},{},[1097,1101,1111,1115,1125],{"nodeType":172,"value":1098,"marks":1099,"data":1100},"Remediate ",[],{},{"nodeType":370,"data":1102,"content":1106},{"target":1103},{"sys":1104},{"id":1105,"type":244,"linkType":245},"2WAc5HflKonFN7Jc53ROgj",[1107],{"nodeType":172,"value":1108,"marks":1109,"data":1110},"missing MFA",[],{},{"nodeType":172,"value":1112,"marks":1113,"data":1114}," or ",[],{},{"nodeType":370,"data":1116,"content":1120},{"target":1117},{"sys":1118},{"id":1119,"type":244,"linkType":245},"2dAP36chda6ZDGKzw0Itfs",[1121],{"nodeType":172,"value":1122,"marks":1123,"data":1124},"insecure passwords",[],{},{"nodeType":172,"value":1126,"marks":1127,"data":1128}," on any work app, even those not managed by your SSO solution.",[],{},{"nodeType":211,"data":1130,"content":1131},{},[1132],{"nodeType":173,"data":1133,"content":1134},{},[1135,1139,1149],{"nodeType":172,"value":1136,"marks":1137,"data":1138},"Use ",[],{},{"nodeType":370,"data":1140,"content":1144},{"target":1141},{"sys":1142},{"id":1143,"type":244,"linkType":245},"2ZpKnuljaUH0jzVaae4SMN",[1145],{"nodeType":172,"value":1146,"marks":1147,"data":1148},"in-browser banners",[],{},{"nodeType":172,"value":1150,"marks":1151,"data":1152}," to add guardrails to app usage, including blocking unapproved SaaS or collecting a business reason to access an app before approving it.",[],{},{"nodeType":211,"data":1154,"content":1155},{},[1156],{"nodeType":173,"data":1157,"content":1158},{},[1159,1162,1172],{"nodeType":172,"value":37,"marks":1160,"data":1161},[],{},{"nodeType":370,"data":1163,"content":1167},{"target":1164},{"sys":1165},{"id":1166,"type":244,"linkType":245},"3ibVBa6u0XfcXXDVtON5th",[1168],{"nodeType":172,"value":1169,"marks":1170,"data":1171},"Block unwanted or unapproved browser extensions",[],{},{"nodeType":172,"value":1173,"marks":1174,"data":1175}," from being installed, or disable them if they’ve been installed previously.",[],{},{"nodeType":173,"data":1177,"content":1178},{},[1179],{"nodeType":172,"value":912,"marks":1180,"data":1181},[],{},{"nodeType":551,"data":1183,"content":1184},{},[1185],{"nodeType":172,"value":919,"marks":1186,"data":1188},[1187],{"type":286},{},{"nodeType":173,"data":1190,"content":1191},{},[1192],{"nodeType":172,"value":1193,"marks":1194,"data":1195},"Push uses in-browser controls to intervene when a user is missing MFA; reusing a high-value password; using an insecure password; attempting to log in to an unapproved app; or attempting to install a blocked extension. ",[],{},{"nodeType":173,"data":1197,"content":1198},{},[1199],{"nodeType":172,"value":1200,"marks":1201,"data":1202},"Push can block users from reusing passwords set as “protected” (meaning they can’t be reused on any other page or app) or from using unapproved apps or extensions. Push can guide users to update their password or register for MFA on accounts where they lack it. Push can also provide any other specific security or policy guidance to employees via banners that appear on apps in your environment, including GenAI apps. ",[],{},{"nodeType":173,"data":1204,"content":1205},{},[1206],{"nodeType":172,"value":1207,"marks":1208,"data":1209},"For all of these scenarios, you can tune Push controls to your preferred mode (informing vs. blocking, for example) and select which employees, employee groups, and apps or accounts to focus on.",[],{},{"nodeType":173,"data":1211,"content":1212},{},[1213],{"nodeType":172,"value":1214,"marks":1215,"data":1216},"You can also customize the message that employees see, to match your organizational culture and policies.",[],{},{"nodeType":551,"data":1218,"content":1219},{},[1220],{"nodeType":172,"value":1221,"marks":1222,"data":1224},"How it works: ",[1223],{"type":286},{},{"nodeType":173,"data":1226,"content":1227},{},[1228],{"nodeType":172,"value":1229,"marks":1230,"data":1231},"The Push browser agent observes real-time user behavior and securely analyzes users’ account vulnerabilities in order to identify risks and execute your preconfigured controls. ",[],{},{"nodeType":173,"data":1233,"content":1234},{},[1235],{"nodeType":172,"value":1236,"marks":1237,"data":1238},"To identify MFA status, Push uses the app’s own API to query the logged-in user’s registered MFA methods. To analyze password security, Push creates a salted, truncated hash that is stored locally in the user’s browser and then used for comparison to find reused passwords, leaked passwords, and shared passwords. ",[],{},{"nodeType":173,"data":1240,"content":1241},{},[1242,1246,1251,1255,1260],{"nodeType":172,"value":1243,"marks":1244,"data":1245},"Using the ",[],{},{"nodeType":172,"value":1247,"marks":1248,"data":1250},"MFA enforcement",[1249],{"type":286},{},{"nodeType":172,"value":1252,"marks":1253,"data":1254}," and ",[],{},{"nodeType":172,"value":1256,"marks":1257,"data":1259},"Strong password enforcement",[1258],{"type":286},{},{"nodeType":172,"value":1261,"marks":1262,"data":1263}," controls, you can then automatically display a banner to users with those account vulnerabilities, guiding them to fix the issue.",[],{},{"nodeType":239,"data":1265,"content":1269},{"target":1266},{"sys":1267},{"id":1268,"type":244,"linkType":245},"7Ka4CumZk9it6GsdlNHREA",[],{"nodeType":173,"data":1271,"content":1272},{},[1273,1277,1282],{"nodeType":172,"value":1274,"marks":1275,"data":1276},"Using Push’s ",[],{},{"nodeType":172,"value":1278,"marks":1279,"data":1281},"Password protection",[1280],{"type":286},{},{"nodeType":172,"value":1283,"marks":1284,"data":1285}," control, you can select apps where you want to essentially “pin” the high-value password to only that app and prevent its reuse (or phishing) on any other domain. ",[],{},{"nodeType":173,"data":1287,"content":1288},{},[1289,1292,1297],{"nodeType":172,"value":1274,"marks":1290,"data":1291},[],{},{"nodeType":172,"value":1293,"marks":1294,"data":1296},"Browser extension blocking",[1295],{"type":286},{},{"nodeType":172,"value":1298,"marks":1299,"data":1300}," control, you can create a blocklist or allowlist of extensions and prevent users from installing or enabling blocked extensions.",[],{},{"nodeType":173,"data":1302,"content":1303},{},[1304,1308,1313],{"nodeType":172,"value":1305,"marks":1306,"data":1307},"Finally, using Push’s ",[],{},{"nodeType":172,"value":1309,"marks":1310,"data":1312},"App banners",[1311],{"type":286},{},{"nodeType":172,"value":1314,"marks":1315,"data":1316}," feature, you can add custom messages in a range of modes — from informing to blocking — to apps in use across your business, or even specific URL patterns.",[],{},{"nodeType":239,"data":1318,"content":1322},{"target":1319},{"sys":1320},{"id":1321,"type":244,"linkType":245},"5Mq4PEzEhW8p1qLvS9aZMm",[],{"nodeType":551,"data":1324,"content":1325},{},[1326],{"nodeType":172,"value":1327,"marks":1328,"data":1330},"Your security team gets: ",[1329],{"type":286},{},{"nodeType":173,"data":1332,"content":1333},{},[1334],{"nodeType":172,"value":1335,"marks":1336,"data":1337},"A flexible and highly configurable set of controls to solve account vulnerabilities at scale and to enforce your security controls around browser extensions and app usage.",[],{},{"nodeType":551,"data":1339,"content":1340},{},[1341],{"nodeType":172,"value":1342,"marks":1343,"data":1345},"Your end-users see: ",[1344],{"type":286},{},{"nodeType":173,"data":1347,"content":1348},{},[1349],{"nodeType":172,"value":1350,"marks":1351,"data":1352},"Contextual, actionable guidance in the midst of their actual workflow, helping them fix the issue or guiding them to safety.",[],{},{"nodeType":275,"data":1354,"content":1355},{},[],{"nodeType":279,"data":1357,"content":1358},{},[1359],{"nodeType":172,"value":1360,"marks":1361,"data":1363},"Implementation tips",[1362],{"type":286},{},{"nodeType":173,"data":1365,"content":1366},{},[1367],{"nodeType":172,"value":1368,"marks":1369,"data":1370},"Push allows you to set the scope and mode of each control, making it simple to roll out. ",[],{},{"nodeType":173,"data":1372,"content":1373},{},[1374,1378,1383,1387,1391,1395,1400],{"nodeType":172,"value":1375,"marks":1376,"data":1377},"We recommend starting in ",[],{},{"nodeType":172,"value":1379,"marks":1380,"data":1382},"Monitor",[1381],{"type":286},{},{"nodeType":172,"value":1384,"marks":1385,"data":1386}," mode for controls that intervene in end-user activities. That way, you can perform testing with sample malicious sites or scenarios like reused protected passwords, tune out any benign true positives, and develop the messaging you want to use on warn or block pages. (For controls without an explicit monitor mode, like ",[],{},{"nodeType":172,"value":1256,"marks":1388,"data":1390},[1389],{"type":286},{},{"nodeType":172,"value":1392,"marks":1393,"data":1394},", you can still monitor for related events on the ",[],{},{"nodeType":172,"value":1396,"marks":1397,"data":1399},"Events",[1398],{"type":286},{},{"nodeType":172,"value":1401,"marks":1402,"data":1403}," page, such as account security findings, or by consuming webhooks into a downstream tool.)",[],{},{"nodeType":239,"data":1405,"content":1409},{"target":1406},{"sys":1407},{"id":1408,"type":244,"linkType":245},"7vk8DHv01cM1o2C0ZpAvZu",[],{"nodeType":173,"data":1411,"content":1412},{},[1413,1417,1422,1425,1430],{"nodeType":172,"value":1414,"marks":1415,"data":1416},"When you’re ready, set the mode to ",[],{},{"nodeType":172,"value":1418,"marks":1419,"data":1421},"Warn",[1420],{"type":286},{},{"nodeType":172,"value":1112,"marks":1423,"data":1424},[],{},{"nodeType":172,"value":1426,"marks":1427,"data":1429},"Block",[1428],{"type":286},{},{"nodeType":172,"value":1431,"marks":1432,"data":1433}," and use the scope options to perform a phased rollout to your user population by adding additional user groups to the control until you have complete coverage of your population.",[],{},{"nodeType":173,"data":1435,"content":1436},{},[1437],{"nodeType":172,"value":1438,"marks":1439,"data":1440},"By consuming webhook events into your SIEM, you can integrate Push alerts into your existing security workflows, monitoring for new detections or tracking when account vulnerabilities are resolved.",[],{},{"nodeType":275,"data":1442,"content":1443},{},[],{"nodeType":279,"data":1445,"content":1446},{},[1447],{"nodeType":172,"value":1448,"marks":1449,"data":1451},"Enhancing user trust with custom branding",[1450],{"type":286},{},{"nodeType":173,"data":1453,"content":1454},{},[1455],{"nodeType":172,"value":1456,"marks":1457,"data":1458},"We recently released the option to customize the look and feel of all employee-facing banners and block pages. ",[],{},{"nodeType":173,"data":1460,"content":1461},{},[1462,1466,1471],{"nodeType":172,"value":1463,"marks":1464,"data":1465},"From the ",[],{},{"nodeType":172,"value":1467,"marks":1468,"data":1470},"Settings",[1469],{"type":286},{},{"nodeType":172,"value":1472,"marks":1473,"data":1474}," page in the Push admin console, you can upload your logo, add accent colors, and choose from light or dark backgrounds.",[],{},{"nodeType":239,"data":1476,"content":1480},{"target":1477},{"sys":1478},{"id":1479,"type":244,"linkType":245},"51lk1VRP20G7H4PAoRZANI",[],{"nodeType":173,"data":1482,"content":1483},{},[1484],{"nodeType":172,"value":1485,"marks":1486,"data":1487},"Custom branding increases the trustworthiness of these in-the-moment security guardrails so that users recognize them immediately and act on their guidance.",[],{},{"nodeType":173,"data":1489,"content":1490},{},[1491],{"nodeType":172,"value":1492,"marks":1493,"data":1494},"The result: Better compliance and lower friction for you and your employees.",[],{},{"nodeType":275,"data":1496,"content":1497},{},[],{"nodeType":279,"data":1499,"content":1500},{},[1501],{"nodeType":172,"value":1502,"marks":1503,"data":1505},"Learn more about Push",[1504],{"type":286},{},{"nodeType":173,"data":1507,"content":1508},{},[1509,1513,1520],{"nodeType":172,"value":1510,"marks":1511,"data":1512},"Push Security’s browser-based security platform stops browser-based attacks like AiTM phishing, credential stuffing, malicious browser extensions, ClickFix, and session hijacking — ",[],{},{"nodeType":435,"data":1514,"content":1515},{"uri":86},[1516],{"nodeType":172,"value":1517,"marks":1518,"data":1519},"modern attack techniques",[],{},{"nodeType":172,"value":1521,"marks":1522,"data":1523}," that are the leading cause of breaches today.",[],{},{"nodeType":173,"data":1525,"content":1526},{},[1527],{"nodeType":172,"value":1528,"marks":1529,"data":1530},"You don’t need to wait until it all goes wrong either. You can also use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, and more to harden your attack surface.",[],{},{"nodeType":173,"data":1532,"content":1533},{},[1534,1538,1546,1550,1558,1562,1570],{"nodeType":172,"value":1535,"marks":1536,"data":1537},"Want to learn more about Push? Check out our latest ",[],{},{"nodeType":435,"data":1539,"content":1541},{"uri":1540},"/resources/product-brochure",[1542],{"nodeType":172,"value":1543,"marks":1544,"data":1545},"product overview",[],{},{"nodeType":172,"value":1547,"marks":1548,"data":1549},", visit our ",[],{},{"nodeType":435,"data":1551,"content":1553},{"uri":1552},"/product-demo/",[1554],{"nodeType":172,"value":1555,"marks":1556,"data":1557},"demo library",[],{},{"nodeType":172,"value":1559,"marks":1560,"data":1561},", or book some time with one of our team for a ",[],{},{"nodeType":435,"data":1563,"content":1565},{"uri":1564},"/demo",[1566],{"nodeType":172,"value":1567,"marks":1568,"data":1569},"live demo",[],{},{"nodeType":172,"value":489,"marks":1571,"data":1572},[],{},"Guide: How to use Push controls to protect your users from modern browser threats","How to use in-browser controls to stop browser-based attacks before compromise can occur","2026-04-08T00:00:00.000Z","guide-how-to-use-push-controls-to-protect-your-users-from-modern-attacks",{"items":1578},[1579,1581],{"sys":1580,"name":188},{"id":187},{"sys":1582,"name":184},{"id":183},{"items":1584},[1585],{"fullName":1586,"firstName":1587,"jobTitle":1588,"profilePicture":1589},"Kelly Davenport","Kelly","Product Team",{"url":1590},"https://images.ctfassets.net/y1cdw1ablpvd/1hi8bEuVfn5sF57LivAq6d/9a3b82426c697d765e2e450e33a18424/kelly_profile_pic.jpeg",{"__typename":192,"sys":1592,"content":1594,"title":2646,"synopsis":2647,"hashTags":118,"publishedDate":2648,"slug":2649,"tagsCollection":2650,"authorsCollection":2656},{"id":1593},"4DqTwJKeCSPnJUc6YPFC5A",{"json":1595},{"nodeType":174,"data":1596,"content":1597},{},[1598,1669,1676,1682,1685,1693,1700,1707,1715,1722,1778,1795,1802,1809,1812,1820,1827,1889,1897,1904,1910,1916,1923,1930,1948,1955,2003,2009,2017,2038,2045,2052,2145,2152,2168,2174,2181,2188,2195,2202,2263,2269,2275,2283,2290,2297,2320,2327,2333,2356,2362,2369,2376,2383,2390,2423,2442,2449,2461,2464,2472,2479,2485,2488,2496,2504,2511,2530,2537,2544,2550,2557,2564,2570,2573,2580,2596,2602],{"nodeType":173,"data":1599,"content":1600},{},[1601,1605,1615,1619,1628,1631,1640,1644,1653,1656,1665],{"nodeType":172,"value":1602,"marks":1603,"data":1604},"Attackers are doubling down on malicious browser extensions as their method of choice. Recent campaigns like ",[],{},{"nodeType":435,"data":1606,"content":1608},{"uri":1607},"https://www.bleepingcomputer.com/news/security/shadypanda-browser-extensions-amass-43m-installs-in-malicious-campaign/",[1609],{"nodeType":172,"value":1610,"marks":1611,"data":1614},"ShadyPanda",[1612],{"type":1613},"underline",{},{"nodeType":172,"value":1616,"marks":1617,"data":1618},", ",[],{},{"nodeType":435,"data":1620,"content":1622},{"uri":1621},"https://www.bleepingcomputer.com/news/security/zoom-stealer-browser-extensions-harvest-corporate-meeting-intelligence/",[1623],{"nodeType":172,"value":1624,"marks":1625,"data":1627},"ZoomStealer",[1626],{"type":1613},{},{"nodeType":172,"value":1616,"marks":1629,"data":1630},[],{},{"nodeType":435,"data":1632,"content":1634},{"uri":1633},"https://www.bleepingcomputer.com/news/security/malicious-ghostposter-browser-extensions-found-with-840-000-installs/",[1635],{"nodeType":172,"value":1636,"marks":1637,"data":1639},"GhostPoster",[1638],{"type":1613},{},{"nodeType":172,"value":1641,"marks":1642,"data":1643},", and the breaches impacting vendors like ",[],{},{"nodeType":435,"data":1645,"content":1647},{"uri":1646},"https://www.bleepingcomputer.com/news/security/cybersecurity-firms-chrome-extension-hijacked-to-steal-users-data/",[1648],{"nodeType":172,"value":1649,"marks":1650,"data":1652},"Cyberhaven",[1651],{"type":1613},{},{"nodeType":172,"value":1252,"marks":1654,"data":1655},[],{},{"nodeType":435,"data":1657,"content":1659},{"uri":1658},"https://www.bleepingcomputer.com/news/security/trust-wallet-confirms-extension-hack-led-to-7-million-crypto-theft/",[1660],{"nodeType":172,"value":1661,"marks":1662,"data":1664},"Trust Wallet",[1663],{"type":1613},{},{"nodeType":172,"value":1666,"marks":1667,"data":1668},", all highlight the threat posed by malicious extensions. ",[],{},{"nodeType":173,"data":1670,"content":1671},{},[1672],{"nodeType":172,"value":1673,"marks":1674,"data":1675},"Most malicious extensions didn’t start that way. Attackers often begin with a legitimate extension — either by creating something that is initially benign, purchasing an extension that already exists and has a large number of installs, or by phishing an extension developer’s account to publish a malicious version. Then, they bide their time, waiting for the right moment to flip the switch and deploy a malicious update, compromising every browser that they’re deployed to. ",[],{},{"nodeType":239,"data":1677,"content":1681},{"target":1678},{"sys":1679},{"id":1680,"type":244,"linkType":245},"7eTmqh5jqYA3l1Xk4GikVO",[],{"nodeType":275,"data":1683,"content":1684},{},[],{"nodeType":279,"data":1686,"content":1687},{},[1688],{"nodeType":172,"value":1689,"marks":1690,"data":1692},"Why tackling malicious extensions is a hard problem for security teams",[1691],{"type":286},{},{"nodeType":173,"data":1694,"content":1695},{},[1696],{"nodeType":172,"value":1697,"marks":1698,"data":1699},"The Chrome extension store alone has in excess of 100k extensions with a wide range of use cases. Pretty much every major app today has an extension counterpart, and there are countless smaller extensions — from AI overlays, to screen recording, spell checking, and color matching. AI-assisted development has further increased the rate at which new extensions are created and added to the marketplace (for both legit developers and malicious ones). ",[],{},{"nodeType":173,"data":1701,"content":1702},{},[1703],{"nodeType":172,"value":1704,"marks":1705,"data":1706},"For organizations just beginning to think about extension management, this isn’t an easy problem to get a handle on. If you’ve allowed your employees to freely install extensions without restriction, then there could be hundreds, if not thousands, of different extensions in use across your business. ",[],{},{"nodeType":551,"data":1708,"content":1709},{},[1710],{"nodeType":172,"value":1711,"marks":1712,"data":1714},"Malicious extensions are good at hiding bad code",[1713],{"type":286},{},{"nodeType":173,"data":1716,"content":1717},{},[1718],{"nodeType":172,"value":1719,"marks":1720,"data":1721},"Right now, extension stores are fighting a losing battle against attackers. ",[],{},{"nodeType":207,"data":1723,"content":1724},{},[1725,1748,1758,1768],{"nodeType":211,"data":1726,"content":1727},{},[1728],{"nodeType":173,"data":1729,"content":1730},{},[1731,1735,1744],{"nodeType":172,"value":1732,"marks":1733,"data":1734},"Malicious extensions are being regularly uploaded, bypassing code analysis checks, and even achieving ",[],{},{"nodeType":435,"data":1736,"content":1738},{"uri":1737},"https://thehackernews.com/2026/02/malicious-chrome-extensions-caught.html",[1739],{"nodeType":172,"value":1740,"marks":1741,"data":1743},"“Featured” or “Verified” status",[1742],{"type":1613},{},{"nodeType":172,"value":1745,"marks":1746,"data":1747}," in the app stores. This is because attackers are using dynamically compiled, stealthily smuggled code that can’t be reliably spotted through static code checks or sandbox analysis. ",[],{},{"nodeType":211,"data":1749,"content":1750},{},[1751],{"nodeType":173,"data":1752,"content":1753},{},[1754],{"nodeType":172,"value":1755,"marks":1756,"data":1757},"Bad isn't detected until an extension is observed doing malicious things in the wild. Most of the time, this is because there’s been a breach. ",[],{},{"nodeType":211,"data":1759,"content":1760},{},[1761],{"nodeType":173,"data":1762,"content":1763},{},[1764],{"nodeType":172,"value":1765,"marks":1766,"data":1767},"When an extension is reported as bad, it enters a lengthy review process. Unless there’s pressure to act quickly (e.g. there’s a large amount of reporting), it won’t get prioritized. ",[],{},{"nodeType":211,"data":1769,"content":1770},{},[1771],{"nodeType":173,"data":1772,"content":1773},{},[1774],{"nodeType":172,"value":1775,"marks":1776,"data":1777},"Just because an extension is removed from the store doesn’t mean that it’s automatically removed from browsers where it is installed. ",[],{},{"nodeType":173,"data":1779,"content":1780},{},[1781,1786,1790],{"nodeType":172,"value":1782,"marks":1783,"data":1785},"The bottom line:",[1784],{"type":286},{},{"nodeType":172,"value":1787,"marks":1788,"data":1789}," ",[],{},{"nodeType":172,"value":1791,"marks":1792,"data":1794},"The security teams at Google and Microsoft analyse and manually approve every single extension upload and code change that enters their store, and even they aren’t detecting bad before malware executes in the victim’s browser. ",[1793],{"type":286},{},{"nodeType":173,"data":1796,"content":1797},{},[1798],{"nodeType":172,"value":1799,"marks":1800,"data":1801},"Today, there’s no single magic bullet tool or control that organizations can use — unless you simply want to disable browser extensions altogether, which might not be the best option for users and their productivity.",[],{},{"nodeType":173,"data":1803,"content":1804},{},[1805],{"nodeType":172,"value":1806,"marks":1807,"data":1808},"Fortunately, Push is in a good position to help, with its ability to inventory all your browser extensions and help you find and block malicious ones.",[],{},{"nodeType":275,"data":1810,"content":1811},{},[],{"nodeType":279,"data":1813,"content":1814},{},[1815],{"nodeType":172,"value":1816,"marks":1817,"data":1819},"How to securely manage browser extensions (and how Push can help)",[1818],{"type":286},{},{"nodeType":173,"data":1821,"content":1822},{},[1823],{"nodeType":172,"value":1824,"marks":1825,"data":1826},"Here’s our step-by-step guide to securely using browser extensions in your organization.",[],{},{"nodeType":207,"data":1828,"content":1829},{},[1830,1849,1859,1869,1879],{"nodeType":211,"data":1831,"content":1832},{},[1833],{"nodeType":173,"data":1834,"content":1835},{},[1836,1840,1845],{"nodeType":172,"value":1837,"marks":1838,"data":1839},"Step 0: Enable ",[],{},{"nodeType":172,"value":1841,"marks":1842,"data":1844},"malicious browser extension detection",[1843],{"type":286},{},{"nodeType":172,"value":1846,"marks":1847,"data":1848}," to stop known-bad extensions from running in your environment. ",[],{},{"nodeType":211,"data":1850,"content":1851},{},[1852],{"nodeType":173,"data":1853,"content":1854},{},[1855],{"nodeType":172,"value":1856,"marks":1857,"data":1858},"Step 1: Establish an inventory of extensions currently in use across your users and their browsers. ",[],{},{"nodeType":211,"data":1860,"content":1861},{},[1862],{"nodeType":173,"data":1863,"content":1864},{},[1865],{"nodeType":172,"value":1866,"marks":1867,"data":1868},"Step 2: Risk-assess the extensions running in your environment using Push data.",[],{},{"nodeType":211,"data":1870,"content":1871},{},[1872],{"nodeType":173,"data":1873,"content":1874},{},[1875],{"nodeType":172,"value":1876,"marks":1877,"data":1878},"Step 3: Create an allowlist or blocklist to control the extensions active in your environment.",[],{},{"nodeType":211,"data":1880,"content":1881},{},[1882],{"nodeType":173,"data":1883,"content":1884},{},[1885],{"nodeType":172,"value":1886,"marks":1887,"data":1888},"Step 4: Monitor for risky changes.",[],{},{"nodeType":551,"data":1890,"content":1891},{},[1892],{"nodeType":172,"value":1893,"marks":1894,"data":1896},"Step 0: Enable malicious browser extension detection in the Push platform",[1895],{"type":286},{},{"nodeType":173,"data":1898,"content":1899},{},[1900],{"nodeType":172,"value":1901,"marks":1902,"data":1903},"First, we recommend you take action to ensure that extensions reported as suspicious or malicious are blocked from running in your environment. ",[],{},{"nodeType":239,"data":1905,"content":1909},{"target":1906},{"sys":1907},{"id":1908,"type":244,"linkType":245},"yniMglSNypgyxmdGVcFxJ",[],{"nodeType":239,"data":1911,"content":1915},{"target":1912},{"sys":1913},{"id":1914,"type":244,"linkType":245},"37bID8AChVgerAnD6q8NPZ",[],{"nodeType":173,"data":1917,"content":1918},{},[1919],{"nodeType":172,"value":1920,"marks":1921,"data":1922},"If you’re a Push customer, you can ensure that any extension that is reported as malicious is automatically blocked in your environment. This means that the extension gets disabled and cannot run in any browser with the Push extension installed. ",[],{},{"nodeType":173,"data":1924,"content":1925},{},[1926],{"nodeType":172,"value":1927,"marks":1928,"data":1929},"The Push Security research team maintains a global list of known-bad extensions based on threat intelligence reporting. This list is continuously updated and ensures that as soon as an extension is reported as malicious, it is blocked. ",[],{},{"nodeType":173,"data":1931,"content":1932},{},[1933,1937,1945],{"nodeType":172,"value":1934,"marks":1935,"data":1936},"You can enable the control via the Controls page in the Push admin console. Admins can configure rules in Off, Monitor, or Block mode. Block mode is recommended, meaning that extensions are disabled and web store access is blocked. You can read more about this in our ",[],{},{"nodeType":435,"data":1938,"content":1940},{"uri":1939},"https://pushsecurity.com/help/how-does-push-detect-malicious-browser-extensions",[1941],{"nodeType":172,"value":1942,"marks":1943,"data":1944},"Help Center",[],{},{"nodeType":172,"value":1016,"marks":1946,"data":1947},[],{},{"nodeType":173,"data":1949,"content":1950},{},[1951],{"nodeType":172,"value":1952,"marks":1953,"data":1954},"When an extension is flagged as malicious, a detection event will be generated and appear on the Detections page in the Push admin console. The severity of these detections is classified as follows:",[],{},{"nodeType":207,"data":1956,"content":1957},{},[1958,1973,1988],{"nodeType":211,"data":1959,"content":1960},{},[1961],{"nodeType":173,"data":1962,"content":1963},{},[1964,1969],{"nodeType":172,"value":1965,"marks":1966,"data":1968},"Low",[1967],{"type":286},{},{"nodeType":172,"value":1970,"marks":1971,"data":1972}," for an extension that has never been enabled. The control prevented either the installation or the extension from being enabled.",[],{},{"nodeType":211,"data":1974,"content":1975},{},[1976],{"nodeType":173,"data":1977,"content":1978},{},[1979,1984],{"nodeType":172,"value":1980,"marks":1981,"data":1983},"Medium",[1982],{"type":286},{},{"nodeType":172,"value":1985,"marks":1986,"data":1987}," for an extension that was installed and enabled, but has been disabled by the control. ",[],{},{"nodeType":211,"data":1989,"content":1990},{},[1991],{"nodeType":173,"data":1992,"content":1993},{},[1994,1999],{"nodeType":172,"value":1995,"marks":1996,"data":1998},"High",[1997],{"type":286},{},{"nodeType":172,"value":2000,"marks":2001,"data":2002}," if the extension was enabled and is still active (i.e. the control was in monitor mode).",[],{},{"nodeType":239,"data":2004,"content":2008},{"target":2005},{"sys":2006},{"id":2007,"type":244,"linkType":245},"1yOPlBKtLGYyN80OCJ9qMn",[],{"nodeType":551,"data":2010,"content":2011},{},[2012],{"nodeType":172,"value":2013,"marks":2014,"data":2016},"Step 1: Establish an inventory of existing extensions.",[2015],{"type":286},{},{"nodeType":173,"data":2018,"content":2019},{},[2020,2024,2029,2033],{"nodeType":172,"value":2021,"marks":2022,"data":2023},"Next, we recommend you take stock of what’s already running in your environment so you can begin to make risk-based decisions about what you allow, and what you don’t. This means building an inventory of ",[],{},{"nodeType":172,"value":2025,"marks":2026,"data":2028},"every extension ",[2027],{"type":286},{},{"nodeType":172,"value":2030,"marks":2031,"data":2032},"running in ",[],{},{"nodeType":172,"value":2034,"marks":2035,"data":2037},"every browser. ",[2036],{"type":286},{},{"nodeType":173,"data":2039,"content":2040},{},[2041],{"nodeType":172,"value":2042,"marks":2043,"data":2044},"Push provides real-time visibility of extensions installed in every browser across your workforce. ",[],{},{"nodeType":173,"data":2046,"content":2047},{},[2048],{"nodeType":172,"value":2049,"marks":2050,"data":2051},"Push tracks several key data points, including: ",[],{},{"nodeType":207,"data":2053,"content":2054},{},[2055,2065,2075,2085,2095,2105,2115,2125,2135],{"nodeType":211,"data":2056,"content":2057},{},[2058],{"nodeType":173,"data":2059,"content":2060},{},[2061],{"nodeType":172,"value":2062,"marks":2063,"data":2064},"Extension name, ID, and version number",[],{},{"nodeType":211,"data":2066,"content":2067},{},[2068],{"nodeType":173,"data":2069,"content":2070},{},[2071],{"nodeType":172,"value":2072,"marks":2073,"data":2074},"Update & homepage URL",[],{},{"nodeType":211,"data":2076,"content":2077},{},[2078],{"nodeType":173,"data":2079,"content":2080},{},[2081],{"nodeType":172,"value":2082,"marks":2083,"data":2084},"Extension permissions",[],{},{"nodeType":211,"data":2086,"content":2087},{},[2088],{"nodeType":173,"data":2089,"content":2090},{},[2091],{"nodeType":172,"value":2092,"marks":2093,"data":2094},"Host permissions (where applicable)",[],{},{"nodeType":211,"data":2096,"content":2097},{},[2098],{"nodeType":173,"data":2099,"content":2100},{},[2101],{"nodeType":172,"value":2102,"marks":2103,"data":2104},"Deployment method (e.g. managed, manual, sideloaded or development)",[],{},{"nodeType":211,"data":2106,"content":2107},{},[2108],{"nodeType":173,"data":2109,"content":2110},{},[2111],{"nodeType":172,"value":2112,"marks":2113,"data":2114},"Which employees use the extension",[],{},{"nodeType":211,"data":2116,"content":2117},{},[2118],{"nodeType":173,"data":2119,"content":2120},{},[2121],{"nodeType":172,"value":2122,"marks":2123,"data":2124},"Which browsers have the extension installed",[],{},{"nodeType":211,"data":2126,"content":2127},{},[2128],{"nodeType":173,"data":2129,"content":2130},{},[2131],{"nodeType":172,"value":2132,"marks":2133,"data":2134},"Whether the extension is enabled or disabled",[],{},{"nodeType":211,"data":2136,"content":2137},{},[2138],{"nodeType":173,"data":2139,"content":2140},{},[2141],{"nodeType":172,"value":2142,"marks":2143,"data":2144},"Useful metadata like install count, ownership history, update history, and whether the extension has been unlisted from the web store.",[],{},{"nodeType":173,"data":2146,"content":2147},{},[2148],{"nodeType":172,"value":2149,"marks":2150,"data":2151},"This information is critical for assessing risk, as well as providing an early warning of future malicious intent. ",[],{},{"nodeType":173,"data":2153,"content":2154},{},[2155,2159,2164],{"nodeType":172,"value":2156,"marks":2157,"data":2158},"You can enable browser extension visibility in the Push platform by going to ",[],{},{"nodeType":172,"value":2160,"marks":2161,"data":2163},"Settings > Organization > Browser extension visibility",[2162],{"type":286},{},{"nodeType":172,"value":2165,"marks":2166,"data":2167}," and toggling on the feature.",[],{},{"nodeType":239,"data":2169,"content":2173},{"target":2170},{"sys":2171},{"id":2172,"type":244,"linkType":245},"2LCwZNbSazYGIEfWHZKJRU",[],{"nodeType":551,"data":2175,"content":2176},{},[2177],{"nodeType":172,"value":1866,"marks":2178,"data":2180},[2179],{"type":286},{},{"nodeType":173,"data":2182,"content":2183},{},[2184],{"nodeType":172,"value":2185,"marks":2186,"data":2187},"Now that you’ve built a real-time inventory, you can start to analyse the data to find risky extensions. ",[],{},{"nodeType":173,"data":2189,"content":2190},{},[2191],{"nodeType":172,"value":2192,"marks":2193,"data":2194},"Every extension that is running in your environment expands your potential attack surface, representing another node that can be compromised by an attacker. So it makes sense to only allow those that are absolutely necessary in order to sensibly control the risk. ",[],{},{"nodeType":173,"data":2196,"content":2197},{},[2198],{"nodeType":172,"value":2199,"marks":2200,"data":2201},"You can start to investigate and prune extensions based on the properties tracked in the Push platform. For example:",[],{},{"nodeType":207,"data":2203,"content":2204},{},[2205,2215,2243,2253],{"nodeType":211,"data":2206,"content":2207},{},[2208],{"nodeType":173,"data":2209,"content":2210},{},[2211],{"nodeType":172,"value":2212,"marks":2213,"data":2214},"Extensions with a low install count from an unverified publisher. ",[],{},{"nodeType":211,"data":2216,"content":2217},{},[2218],{"nodeType":173,"data":2219,"content":2220},{},[2221,2225,2230,2234,2239],{"nodeType":172,"value":2222,"marks":2223,"data":2224},"Extensions that have been ",[],{},{"nodeType":172,"value":2226,"marks":2227,"data":2229},"sideloaded",[2228],{"type":286},{},{"nodeType":172,"value":2231,"marks":2232,"data":2233}," (installed by software on the machine) or are ",[],{},{"nodeType":172,"value":2235,"marks":2236,"data":2238},"development",[2237],{"type":286},{},{"nodeType":172,"value":2240,"marks":2241,"data":2242}," (installed from a folder off-disk when Developer mode is turned on)",[],{},{"nodeType":211,"data":2244,"content":2245},{},[2246],{"nodeType":173,"data":2247,"content":2248},{},[2249],{"nodeType":172,"value":2250,"marks":2251,"data":2252},"Extensions that are used by a small number of employees for niche / non-critical functions. ",[],{},{"nodeType":211,"data":2254,"content":2255},{},[2256],{"nodeType":173,"data":2257,"content":2258},{},[2259],{"nodeType":172,"value":2260,"marks":2261,"data":2262},"Extensions with risky permissions.",[],{},{"nodeType":239,"data":2264,"content":2268},{"target":2265},{"sys":2266},{"id":2267,"type":244,"linkType":245},"FpGNvFgEGj6eAGihoWEUi",[],{"nodeType":239,"data":2270,"content":2274},{"target":2271},{"sys":2272},{"id":2273,"type":244,"linkType":245},"5JccSPh103QIQJxIh9pk4x",[],{"nodeType":551,"data":2276,"content":2277},{},[2278],{"nodeType":172,"value":2279,"marks":2280,"data":2282},"Step 3: Create an allowlist to control the extensions active in your environment.",[2281],{"type":286},{},{"nodeType":173,"data":2284,"content":2285},{},[2286],{"nodeType":172,"value":2287,"marks":2288,"data":2289},"Using the output of your risk assessment and the data provided by the Push platform, you can control the extensions that you allow your employees to use.",[],{},{"nodeType":173,"data":2291,"content":2292},{},[2293],{"nodeType":172,"value":2294,"marks":2295,"data":2296},"To do this, you need to allowlist the extensions you’re happy for employees to use (and block everything else). That way, you remove the ability for employees to add new extensions unless approved by an admin. This means you either:",[],{},{"nodeType":207,"data":2298,"content":2299},{},[2300,2310],{"nodeType":211,"data":2301,"content":2302},{},[2303],{"nodeType":173,"data":2304,"content":2305},{},[2306],{"nodeType":172,"value":2307,"marks":2308,"data":2309},"Add every extension you currently have running in your environment to an allowlist, block everything else, and then start to prune extensions from that list. ",[],{},{"nodeType":211,"data":2311,"content":2312},{},[2313],{"nodeType":173,"data":2314,"content":2315},{},[2316],{"nodeType":172,"value":2317,"marks":2318,"data":2319},"Create a shortened allowlist from the outset. ",[],{},{"nodeType":173,"data":2321,"content":2322},{},[2323],{"nodeType":172,"value":2324,"marks":2325,"data":2326},"Both are valid ways of solving the problem, with the first option being the least potentially disruptive (i.e. you’re not switching off a load of extensions in one go). That said, this might not be a viable solution depending on your company size. ",[],{},{"nodeType":239,"data":2328,"content":2332},{"target":2329},{"sys":2330},{"id":2331,"type":244,"linkType":245},"6wQW4VqLeLXMXdPPWLhQAF",[],{"nodeType":173,"data":2334,"content":2335},{},[2336,2341,2351],{"nodeType":172,"value":2337,"marks":2338,"data":2340},"You can do this in lots of different ways depending on the OS and browsers used across your workforce. This can get messy depending on the complexity of your environment. But you can do it in a streamlined, browser-agnostic way ",[2339],{"type":286},{},{"nodeType":435,"data":2342,"content":2344},{"uri":2343},"https://pushsecurity.com/help/10138/#start",[2345],{"nodeType":172,"value":2346,"marks":2347,"data":2350},"using Push",[2348,2349],{"type":1613},{"type":286},{},{"nodeType":172,"value":2352,"marks":2353,"data":2355},". ",[2354],{"type":286},{},{"nodeType":239,"data":2357,"content":2361},{"target":2358},{"sys":2359},{"id":2360,"type":244,"linkType":245},"97dDukjKsRsAptpHV1kpn",[],{"nodeType":173,"data":2363,"content":2364},{},[2365],{"nodeType":172,"value":2366,"marks":2367,"data":2368},"Managing which extensions you’ve opted to allow is a continuous process that will change as user behavior changes and new extensions are added. It’s important that you regularly review whether your current allowlist is fit for purpose. ",[],{},{"nodeType":551,"data":2370,"content":2371},{},[2372],{"nodeType":172,"value":1886,"marks":2373,"data":2375},[2374],{"type":286},{},{"nodeType":173,"data":2377,"content":2378},{},[2379],{"nodeType":172,"value":2380,"marks":2381,"data":2382},"Finally, once you’ve begun the process of pruning the extensions in your environment and you’ve reached a baseline you’re happy with, it’s now about reviewing and approving any new extension requests, and monitoring for risky changes. ",[],{},{"nodeType":173,"data":2384,"content":2385},{},[2386],{"nodeType":172,"value":2387,"marks":2388,"data":2389},"We recommend monitoring for things like:",[],{},{"nodeType":207,"data":2391,"content":2392},{},[2393,2403,2413],{"nodeType":211,"data":2394,"content":2395},{},[2396],{"nodeType":173,"data":2397,"content":2398},{},[2399],{"nodeType":172,"value":2400,"marks":2401,"data":2402},"Regularly reviewing changes in extension ownership + recent updates",[],{},{"nodeType":211,"data":2404,"content":2405},{},[2406],{"nodeType":173,"data":2407,"content":2408},{},[2409],{"nodeType":172,"value":2410,"marks":2411,"data":2412},"Monitoring for updates to extensions to track risky permissions being added ",[],{},{"nodeType":211,"data":2414,"content":2415},{},[2416],{"nodeType":173,"data":2417,"content":2418},{},[2419],{"nodeType":172,"value":2420,"marks":2421,"data":2422},"Monitoring for new malicious browser extension detections",[],{},{"nodeType":173,"data":2424,"content":2425},{},[2426,2430,2439],{"nodeType":172,"value":2427,"marks":2428,"data":2429},"It’s super simple to use Push data to create alerts and feed your detection and response workflows. ",[],{},{"nodeType":435,"data":2431,"content":2433},{"uri":2432},"https://pushsecurity.com/help/audience/administrators/docs/connect-to-siem-or-soar/#start",[2434],{"nodeType":172,"value":2435,"marks":2436,"data":2438},"See how to connect Push to your SIEM/SOAR and learn more about the Push REST API and webhooks. ",[2437],{"type":1613},{},{"nodeType":172,"value":37,"marks":2440,"data":2441},[],{},{"nodeType":173,"data":2443,"content":2444},{},[2445],{"nodeType":172,"value":2446,"marks":2447,"data":2448},"At this point, you can then triage and investigate further to see whether additional action is required. ",[],{},{"nodeType":2450,"data":2451,"content":2452},"blockquote",{},[2453],{"nodeType":173,"data":2454,"content":2455},{},[2456],{"nodeType":172,"value":2457,"marks":2458,"data":2460},"And there you have it! You’ve secured browser extension use across your organization using Push. ",[2459],{"type":286},{},{"nodeType":275,"data":2462,"content":2463},{},[],{"nodeType":551,"data":2465,"content":2466},{},[2467],{"nodeType":172,"value":2468,"marks":2469,"data":2471},"Don’t take our word for it …",[2470],{"type":286},{},{"nodeType":173,"data":2473,"content":2474},{},[2475],{"nodeType":172,"value":2476,"marks":2477,"data":2478},"Our friends at GitLab echo our thoughts on browser extensions and the value of tools like Push that help them to solve this problem.",[],{},{"nodeType":239,"data":2480,"content":2484},{"target":2481},{"sys":2482},{"id":2483,"type":244,"linkType":245},"1m0x2Q6MmOn7ANqCtpYptu",[],{"nodeType":275,"data":2486,"content":2487},{},[],{"nodeType":279,"data":2489,"content":2490},{},[2491],{"nodeType":172,"value":2492,"marks":2493,"data":2495},"Additional tips",[2494],{"type":286},{},{"nodeType":551,"data":2497,"content":2498},{},[2499],{"nodeType":172,"value":2500,"marks":2501,"data":2503},"Disable browser syncing",[2502],{"type":286},{},{"nodeType":173,"data":2505,"content":2506},{},[2507],{"nodeType":172,"value":2508,"marks":2509,"data":2510},"If you’re in the early stages of your extension management process, an extra step you might want to consider is disabling browser syncing for extensions. ",[],{},{"nodeType":173,"data":2512,"content":2513},{},[2514,2518,2527],{"nodeType":172,"value":2515,"marks":2516,"data":2517},"When we deploy Push, we find it’s not unusual for people to sign into their work browser with a personal email profile. There’s a significant risk here — if you end up saving and syncing credentials across devices, a compromise on a (usually less secure) personal device can lead to business accounts being compromised. Notably, this was exploited in a ",[],{},{"nodeType":435,"data":2519,"content":2521},{"uri":2520},"https://sec.okta.com/articles/harfiles/",[2522],{"nodeType":172,"value":2523,"marks":2524,"data":2526},"2023 Okta security breach",[2525],{"type":1613},{},{"nodeType":172,"value":489,"marks":2528,"data":2529},[],{},{"nodeType":173,"data":2531,"content":2532},{},[2533],{"nodeType":172,"value":2534,"marks":2535,"data":2536},"The same model applies to browser extensions. By default, any extension installed from the web store is synced across devices where a profile is logged in and syncing is enabled. ",[],{},{"nodeType":173,"data":2538,"content":2539},{},[2540],{"nodeType":172,"value":2541,"marks":2542,"data":2543},"As an example, you can see how to disable browser extension syncing if you manage Chrome in Google Workspace.",[],{},{"nodeType":239,"data":2545,"content":2549},{"target":2546},{"sys":2547},{"id":2548,"type":244,"linkType":245},"23gbN24WiOzszvwP9zy2MM",[],{"nodeType":173,"data":2551,"content":2552},{},[2553],{"nodeType":172,"value":2554,"marks":2555,"data":2556},"This only applies if you haven’t yet created an allowlist for extensions in your environment, in which case any extensions not on the list will be blocked. ",[],{},{"nodeType":173,"data":2558,"content":2559},{},[2560],{"nodeType":172,"value":2561,"marks":2562,"data":2563},"You can also use Push to surface which users are logged into their browser using a non-work profile and whether the profile is synced across devices. ",[],{},{"nodeType":239,"data":2565,"content":2569},{"target":2566},{"sys":2567},{"id":2568,"type":244,"linkType":245},"421C3CL6Sfa8gmn56X7lRI",[],{"nodeType":275,"data":2571,"content":2572},{},[],{"nodeType":279,"data":2574,"content":2575},{},[2576],{"nodeType":172,"value":1502,"marks":2577,"data":2579},[2578],{"type":286},{},{"nodeType":173,"data":2581,"content":2582},{},[2583,2586,2593],{"nodeType":172,"value":1510,"marks":2584,"data":2585},[],{},{"nodeType":435,"data":2587,"content":2588},{"uri":66},[2589],{"nodeType":172,"value":2590,"marks":2591,"data":2592},"modern attack techniques that are the leading cause of breaches today",[],{},{"nodeType":172,"value":489,"marks":2594,"data":2595},[],{},{"nodeType":173,"data":2597,"content":2598},{},[2599],{"nodeType":172,"value":1528,"marks":2600,"data":2601},[],{},{"nodeType":173,"data":2603,"content":2604},{},[2605,2609,2618,2621,2630,2634,2643],{"nodeType":172,"value":2606,"marks":2607,"data":2608},"Want to learn more about Push? ",[],{},{"nodeType":435,"data":2610,"content":2612},{"uri":2611},"https://pushsecurity.com/resources/product-brochure",[2613],{"nodeType":172,"value":2614,"marks":2615,"data":2617},"Check out our latest product overview",[2616],{"type":1613},{},{"nodeType":172,"value":1616,"marks":2619,"data":2620},[],{},{"nodeType":435,"data":2622,"content":2624},{"uri":2623},"https://pushsecurity.com/product-demo/",[2625],{"nodeType":172,"value":2626,"marks":2627,"data":2629},"visit our demo library",[2628],{"type":1613},{},{"nodeType":172,"value":2631,"marks":2632,"data":2633},", or ",[],{},{"nodeType":435,"data":2635,"content":2637},{"uri":2636},"https://pushsecurity.com/demo",[2638],{"nodeType":172,"value":2639,"marks":2640,"data":2642},"book some time with one of our team for a live demo",[2641],{"type":1613},{},{"nodeType":172,"value":489,"marks":2644,"data":2645},[],{},"Guide: How to manage and block browser extensions using Push","How to detect risky and malicious extensions and block them from running in employee browsers. ","2026-03-04T00:00:00.000Z","browser-extension-management-guide",{"items":2651},[2652,2654],{"sys":2653,"name":188},{"id":187},{"sys":2655,"name":184},{"id":183},{"items":2657},[2658],{"fullName":2659,"firstName":2660,"jobTitle":2661,"profilePicture":2662},"Dan Green","Dan","Threat Research",{"url":2663},"https://images.ctfassets.net/y1cdw1ablpvd/7jik1VhFgA3kgzXBXTm2Vw/fcd8c171da644903d0827eafcfbcaad0/Dan_Headshot_2025.png",{"__typename":192,"sys":2665,"content":2667,"title":3462,"synopsis":3463,"hashTags":118,"publishedDate":3464,"slug":3465,"tagsCollection":3466,"authorsCollection":3470},{"id":2666},"PAPJPr3CIB6J20udYyy1r",{"json":2668},{"data":2669,"content":2670,"nodeType":174},{},[2671,2677,2697,2704,2711,2717,2720,2728,2735,2754,2765,2772,2779,2786,2879,2882,2890,2973,2979,2982,2990,2998,3005,3012,3020,3039,3046,3054,3061,3068,3076,3083,3090,3110,3116,3119,3127,3135,3142,3247,3254,3262,3269,3276,3282,3290,3297,3304,3311,3319,3326,3333,3340,3347,3353,3356,3364,3371,3404,3411,3430,3450,3456],{"data":2672,"content":2676,"nodeType":239},{"target":2673},{"sys":2674},{"id":2675,"type":244,"linkType":245},"1eBClNW4NOR66F0tl9h6lD",[],{"data":2678,"content":2679,"nodeType":173},{},[2680,2684,2693],{"data":2681,"marks":2682,"value":2683,"nodeType":172},{},[],"The attacks on Snowflake customers in 2024 collectively constituted the biggest cyber security event of the year in terms of the number of organizations and individuals affected (at least, if you exclude CrowdStrike causing a worldwide outage in July) — certainly, it was the largest perpetrated by a criminal group against commercial enterprises. It has been touted by some news outlets as ‘",{"data":2685,"content":2687,"nodeType":435},{"uri":2686},"https://www.wired.com/story/snowflake-breach-advanced-auto-parts-lendingtree/",[2688],{"data":2689,"marks":2690,"value":2692,"nodeType":172},{},[2691],{"type":1613},"one of the biggest breaches ever",{"data":2694,"marks":2695,"value":2696,"nodeType":172},{},[],"’.  ",{"data":2698,"content":2699,"nodeType":173},{},[2700],{"data":2701,"marks":2702,"value":2703,"nodeType":172},{},[],"Snowflake was a watershed moment that signalled the significant opportunity presented by identity attacks on cloud services. It demonstrated how comparatively unsophisticated methods (logging in to user accounts with stolen credentials and dumping the data) can have the same or greater impact as a traditional network or endpoint based cyber attack involving vulnerability exploitation, malware deployment, ransomware, etc. ",{"data":2705,"content":2706,"nodeType":173},{},[2707],{"data":2708,"marks":2709,"value":2710,"nodeType":172},{},[],"Here’s everything you need to know about the Snowflake attacks — and what you can do to protect yourself against the next Snowflake in the future.",{"data":2712,"content":2716,"nodeType":239},{"target":2713},{"sys":2714},{"id":2715,"type":244,"linkType":245},"4QoPUiP5q6Mwj1eWUZT15Q",[],{"data":2718,"content":2719,"nodeType":275},{},[],{"data":2721,"content":2722,"nodeType":279},{},[2723],{"data":2724,"marks":2725,"value":2727,"nodeType":172},{},[2726],{"type":286},"Snowflake: The facts",{"data":2729,"content":2730,"nodeType":173},{},[2731],{"data":2732,"marks":2733,"value":2734,"nodeType":172},{},[],"Cyber criminals associated with the threat group known as ShinyHunters claimed responsibility for breaching multiple organizations using Snowflake, a cloud-based data warehousing and analytics platform. ",{"data":2736,"content":2737,"nodeType":173},{},[2738,2742,2751],{"data":2739,"marks":2740,"value":2741,"nodeType":172},{},[],"ShinyHunters associates targeted ~165 organizations that were subjected to account takeover attacks using stolen credentials harvested from historical infostealer infections dating back as far as 2020, ",{"data":2743,"content":2745,"nodeType":435},{"uri":2744},"https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion",[2746],{"data":2747,"marks":2748,"value":2750,"nodeType":172},{},[2749],{"type":1613},"according to Mandiant’s investigation",{"data":2752,"marks":2753,"value":2352,"nodeType":172},{},[],{"data":2755,"content":2756,"nodeType":2450},{},[2757],{"data":2758,"content":2759,"nodeType":173},{},[2760],{"data":2761,"marks":2762,"value":2764,"nodeType":172},{},[2763],{"type":286},">80% of the compromised accounts belonging to Snowflake customers had prior credential exposure. ",{"data":2766,"content":2767,"nodeType":173},{},[2768],{"data":2769,"marks":2770,"value":2771,"nodeType":172},{},[],"The impacted accounts lacked MFA, meaning successful authentication only required a valid username and password. As the Snowflake credentials found in infostealer malware credential dumps had not been rotated or updated, they remained valid and could be used to authenticate to user accounts on Snowflake tenants belonging to various customers.",{"data":2773,"content":2774,"nodeType":173},{},[2775],{"data":2776,"marks":2777,"value":2778,"nodeType":172},{},[],"As a data warehousing platform integrated with a range of connected cloud services, access to a customer’s Snowflake tenant provided attackers with large quantities of sensitive commercial and personal data that could be stolen and monetized by attackers in a variety of ways — such as by ransoming the victim organization, extorting individual end-customers, and selling the data on to other criminal organizations. ",{"data":2780,"content":2781,"nodeType":173},{},[2782],{"data":2783,"marks":2784,"value":2785,"nodeType":172},{},[],"In total, 9 public victims were named following the breach, collectively impacting hundreds of millions of people. ",{"data":2787,"content":2788,"nodeType":207},{},[2789,2799,2809,2819,2829,2839,2849,2859,2869],{"data":2790,"content":2791,"nodeType":211},{},[2792],{"data":2793,"content":2794,"nodeType":173},{},[2795],{"data":2796,"marks":2797,"value":2798,"nodeType":172},{},[],"Lending Tree: Sensitive data for over 190 million people available online including customer details, partial credit card numbers, insurance quotes and other information, being sold for $2m.",{"data":2800,"content":2801,"nodeType":211},{},[2802],{"data":2803,"content":2804,"nodeType":173},{},[2805],{"data":2806,"marks":2807,"value":2808,"nodeType":172},{},[],"Truist Bank: Information belonging to 65,000 employees being sold online for $1m",{"data":2810,"content":2811,"nodeType":211},{},[2812],{"data":2813,"content":2814,"nodeType":173},{},[2815],{"data":2816,"marks":2817,"value":2818,"nodeType":172},{},[],"Advance Auto Parts: 3TB of data for sale for $1.5 million. Affected 2.3 million people, as well as current and former employees and job applicants.",{"data":2820,"content":2821,"nodeType":211},{},[2822],{"data":2823,"content":2824,"nodeType":173},{},[2825],{"data":2826,"marks":2827,"value":2828,"nodeType":172},{},[],"Pure Storage: Workspace with 11k customer records including company, email, LDAP username and software version numbers.",{"data":2830,"content":2831,"nodeType":211},{},[2832],{"data":2833,"content":2834,"nodeType":173},{},[2835],{"data":2836,"marks":2837,"value":2838,"nodeType":172},{},[],"Los Angeles Unified: Student data, disability information, discipline details, and parent information, being sold online for $150k.",{"data":2840,"content":2841,"nodeType":211},{},[2842],{"data":2843,"content":2844,"nodeType":173},{},[2845],{"data":2846,"marks":2847,"value":2848,"nodeType":172},{},[],"Neiman Marcus: 31m email addresses exposed alongside various personal information.",{"data":2850,"content":2851,"nodeType":211},{},[2852],{"data":2853,"content":2854,"nodeType":173},{},[2855],{"data":2856,"marks":2857,"value":2858,"nodeType":172},{},[],"Santander: 30 million customer details for sale relating to customers of Santander Chile, Spain, and Uruguay.",{"data":2860,"content":2861,"nodeType":211},{},[2862],{"data":2863,"content":2864,"nodeType":173},{},[2865],{"data":2866,"marks":2867,"value":2868,"nodeType":172},{},[],"Ticketmaster: 560 million customer details for sale, disruption to events and ticketing worldwide, increasing in scam ticket production.",{"data":2870,"content":2871,"nodeType":211},{},[2872],{"data":2873,"content":2874,"nodeType":173},{},[2875],{"data":2876,"marks":2877,"value":2878,"nodeType":172},{},[],"AT&T: Call logs stolen for approximately 109 million customers (nearly all of its mobile customers). AT&T paid an undisclosed ransom fee. ",{"data":2880,"content":2881,"nodeType":275},{},[],{"data":2883,"content":2884,"nodeType":279},{},[2885],{"data":2886,"marks":2887,"value":2889,"nodeType":172},{},[2888],{"type":286},"The Snowflake attacks step-by-step",{"data":2891,"content":2892,"nodeType":207},{},[2893,2903,2913,2923,2933,2943,2953,2963],{"data":2894,"content":2895,"nodeType":211},{},[2896],{"data":2897,"content":2898,"nodeType":173},{},[2899],{"data":2900,"marks":2901,"value":2902,"nodeType":172},{},[],"Snowflake users were infected with infostealer malware that harvested credentials from user devices over an extended period via several infostealer malware variants, including; VIDAR, RISEPRO, REDLINE, RACOON STEALER, LUMMA and METASTEALER.",{"data":2904,"content":2905,"nodeType":211},{},[2906],{"data":2907,"content":2908,"nodeType":173},{},[2909],{"data":2910,"marks":2911,"value":2912,"nodeType":172},{},[],"Credentials appeared on criminal marketplaces e.g. dark web forums and Telegram channels.",{"data":2914,"content":2915,"nodeType":211},{},[2916],{"data":2917,"content":2918,"nodeType":173},{},[2919],{"data":2920,"marks":2921,"value":2922,"nodeType":172},{},[],"ShinyHunters saw the potential in targeting Snowflake users, based on the availability of credentials, number of customer organizations, and the value of the data that can be accessed in Snowflake. ",{"data":2924,"content":2925,"nodeType":211},{},[2926],{"data":2927,"content":2928,"nodeType":173},{},[2929],{"data":2930,"marks":2931,"value":2932,"nodeType":172},{},[],"ShinyHunters embarked on a large-scale campaign targeting Snowflake customer accounts using previously breached credentials. ",{"data":2934,"content":2935,"nodeType":211},{},[2936],{"data":2937,"content":2938,"nodeType":173},{},[2939],{"data":2940,"marks":2941,"value":2942,"nodeType":172},{},[],"ShinyHunters accessed user accounts that lacked MFA, belonging to approximately 165 Snowflake customers. ",{"data":2944,"content":2945,"nodeType":211},{},[2946],{"data":2947,"content":2948,"nodeType":173},{},[2949],{"data":2950,"marks":2951,"value":2952,"nodeType":172},{},[],"ShinyHunters used SQL-based reconnaissance, staging, and data exfiltration techniques, expedited by custom hacker tooling developed specifically for Snowflake, to conduct attacks at scale.",{"data":2954,"content":2955,"nodeType":211},{},[2956],{"data":2957,"content":2958,"nodeType":173},{},[2959],{"data":2960,"marks":2961,"value":2962,"nodeType":172},{},[],"ShinyHunters acquired massive quantities of Snowflake data based on the information that each customer stored in Snowflake or connected apps. ",{"data":2964,"content":2965,"nodeType":211},{},[2966],{"data":2967,"content":2968,"nodeType":173},{},[2969],{"data":2970,"marks":2971,"value":2972,"nodeType":172},{},[],"ShinyHunters began attempts to extort Snowflake and end-customers using the data acquired.",{"data":2974,"content":2978,"nodeType":239},{"target":2975},{"sys":2976},{"id":2977,"type":244,"linkType":245},"2J92gFLs1wAAGC4nQTaiWu",[],{"data":2980,"content":2981,"nodeType":275},{},[],{"data":2983,"content":2984,"nodeType":279},{},[2985],{"data":2986,"marks":2987,"value":2989,"nodeType":172},{},[2988],{"type":286},"Why did the Snowflake breaches happen?",{"data":2991,"content":2992,"nodeType":551},{},[2993],{"data":2994,"marks":2995,"value":2997,"nodeType":172},{},[2996],{"type":286},"Stolen credentials remained valid for years",{"data":2999,"content":3000,"nodeType":173},{},[3001],{"data":3002,"marks":3003,"value":3004,"nodeType":172},{},[],"The credentials used to access Snowflake accounts from historical infostealer infections had not been changed or rotated despite dating back as far as 2020, and remained valid. ",{"data":3006,"content":3007,"nodeType":173},{},[3008],{"data":3009,"marks":3010,"value":3011,"nodeType":172},{},[],"This highlights the potential risk of breached credentials already in the public domain, particularly in the case of cloud services like Snowflake that may not be subject to the same levels of credential hygiene as other traditional enterprise domain accounts. ",{"data":3013,"content":3014,"nodeType":551},{},[3015],{"data":3016,"marks":3017,"value":3019,"nodeType":172},{},[3018],{"type":286},"Local logins lacked MFA ",{"data":3021,"content":3022,"nodeType":173},{},[3023,3027,3036],{"data":3024,"marks":3025,"value":3026,"nodeType":172},{},[],"Even where organizations were primarily encouraging employees to use SSO to access their Snowflake tenant, previously created local logins with a username and password continue to exist even after introducing SSO-based logins. Further, MFA was not globally enforceable at the application level, meaning that MFA was only set when logging into an IdP account for SSO, but not for local logins. We call this problem ",{"data":3028,"content":3030,"nodeType":435},{"uri":3029},"https://pushsecurity.com/blog/ghost-logins-when-forgotten-identities-come-back-to-haunt-you/",[3031],{"data":3032,"marks":3033,"value":3035,"nodeType":172},{},[3034],{"type":1613},"ghost logins",{"data":3037,"marks":3038,"value":2352,"nodeType":172},{},[],{"data":3040,"content":3041,"nodeType":173},{},[3042],{"data":3043,"marks":3044,"value":3045,"nodeType":172},{},[],"This meant that attackers were able to take over Snowflake accounts with only a single authentication factor (username & password). ",{"data":3047,"content":3048,"nodeType":551},{},[3049],{"data":3050,"marks":3051,"value":3053,"nodeType":172},{},[3052],{"type":286},"Snowflake was a high-value target used by many organizations",{"data":3055,"content":3056,"nodeType":173},{},[3057],{"data":3058,"marks":3059,"value":3060,"nodeType":172},{},[],"As a data warehousing platform used by a vast number of organizations, Snowflake represented a high-value target based on the data typically stored within it, and the repeatable way in which Snowflake users could be targeted. ",{"data":3062,"content":3063,"nodeType":173},{},[3064],{"data":3065,"marks":3066,"value":3067,"nodeType":172},{},[],"The attacker followed a near identical process when targeting Snowflake victims, meaning it could be scripted and executed at scale, with attacks taking a matter of minutes. ",{"data":3069,"content":3070,"nodeType":551},{},[3071],{"data":3072,"marks":3073,"value":3075,"nodeType":172},{},[3074],{"type":286},"Infostealer infections are driving credential availability",{"data":3077,"content":3078,"nodeType":173},{},[3079],{"data":3080,"marks":3081,"value":3082,"nodeType":172},{},[],"Infostealers are often seen as a low-priority issue, but are the primary source of stolen credentials used in campaigns like this one. ",{"data":3084,"content":3085,"nodeType":173},{},[3086],{"data":3087,"marks":3088,"value":3089,"nodeType":172},{},[],"EDR is a strong protection but is often bypassed by infostealers as attackers continually modify them to bypass security controls. Further, unmanaged devices such as those used by third-party contractors or BYOD employees often lack the robust controls applied to company-managed devices and are naturally more susceptible to infostealer attacks. And since browser profiles can be synced across devices, even personal device compromises can result in the capture of corporate credentials.  ",{"data":3091,"content":3092,"nodeType":173},{},[3093,3097,3106],{"data":3094,"marks":3095,"value":3096,"nodeType":172},{},[],"There is some suggestion that targeting key third-party suppliers – ",{"data":3098,"content":3100,"nodeType":435},{"uri":3099},"https://www.wired.com/story/epam-snowflake-ticketmaster-breach-shinyhunters/",[3101],{"data":3102,"marks":3103,"value":3105,"nodeType":172},{},[3104],{"type":1613},"such as EPAM Systems, a software engineering firm and Snowflake ‘Elite Tier Partner’",{"data":3107,"marks":3108,"value":3109,"nodeType":172},{},[]," – provided some of the access to Snowflake customers needed. It’s unclear what came first, but it’s possible (likely, even) that EPAM was identified as a target specifically because of its lucrative customer base and Snowflake credentials — adding another indicator that Snowflake was potentially a premeditated attack inspired by the availability of Snowflake credentials online.",{"data":3111,"content":3115,"nodeType":239},{"target":3112},{"sys":3113},{"id":3114,"type":244,"linkType":245},"4D0gjt5oJLNKJH8GzjP8Je",[],{"data":3117,"content":3118,"nodeType":275},{},[],{"data":3120,"content":3121,"nodeType":279},{},[3122],{"data":3123,"marks":3124,"value":3126,"nodeType":172},{},[3125],{"type":286},"Key takeaways from the Snowflake attacks",{"data":3128,"content":3129,"nodeType":551},{},[3130],{"data":3131,"marks":3132,"value":3134,"nodeType":172},{},[3133],{"type":286},"Securing your IdP accounts is not enough",{"data":3136,"content":3137,"nodeType":173},{},[3138],{"data":3139,"marks":3140,"value":3141,"nodeType":172},{},[],"SSO can help reduce your identity attack surface, but it's not feasible to get every workforce identity behind it.",{"data":3143,"content":3144,"nodeType":207},{},[3145,3168,3190,3225],{"data":3146,"content":3147,"nodeType":211},{},[3148],{"data":3149,"content":3150,"nodeType":173},{},[3151,3155,3164],{"data":3152,"marks":3153,"value":3154,"nodeType":172},{},[],"Only 1 in 3 apps support SAML SSO, and those that offer it often charge more for it; the “",{"data":3156,"content":3158,"nodeType":435},{"uri":3157},"https://ssotax.org/",[3159],{"data":3160,"marks":3161,"value":3163,"nodeType":172},{},[3162],{"type":1613},"SSO tax",{"data":3165,"marks":3166,"value":3167,"nodeType":172},{},[],"”.",{"data":3169,"content":3170,"nodeType":211},{},[3171],{"data":3172,"content":3173,"nodeType":173},{},[3174,3178,3187],{"data":3175,"marks":3176,"value":3177,"nodeType":172},{},[],"Many apps are self-adopted by employees, leaving security teams unaware and unable to enforce SSO.  The typical organization has ",{"data":3179,"content":3181,"nodeType":435},{"uri":3180},"https://pushsecurity.com/blog/how-many-vulnerable-identities-do-you-have/",[3182],{"data":3183,"marks":3184,"value":3186,"nodeType":172},{},[3185],{"type":1613},"hundreds of apps and thousands of unmanaged identities outside of SSO",{"data":3188,"marks":3189,"value":489,"nodeType":172},{},[],{"data":3191,"content":3192,"nodeType":211},{},[3193],{"data":3194,"content":3195,"nodeType":173},{},[3196,3200,3208,3212,3221],{"data":3197,"marks":3198,"value":3199,"nodeType":172},{},[],"Most apps do not prevent users from creating additional \"",{"data":3201,"content":3202,"nodeType":435},{"uri":3029},[3203],{"data":3204,"marks":3205,"value":3207,"nodeType":172},{},[3206],{"type":1613},"ghost login",{"data":3209,"marks":3210,"value":3211,"nodeType":172},{},[],"\" methods outside of SSO (especially by default), accounting for around ",{"data":3213,"content":3215,"nodeType":435},{"uri":3214},"https://pushsecurity.com/blog/how-many-vulnerable-identities-do-you-have/#id-identity-configurations-and-how-they-can-be-exploited_id-many-accounts-lack-the-most-basic-protections",[3216],{"data":3217,"marks":3218,"value":3220,"nodeType":172},{},[3219],{"type":1613},"10% of all identities",{"data":3222,"marks":3223,"value":3224,"nodeType":172},{},[]," observed by Push. ",{"data":3226,"content":3227,"nodeType":211},{},[3228],{"data":3229,"content":3230,"nodeType":173},{},[3231,3235,3243],{"data":3232,"marks":3233,"value":3234,"nodeType":172},{},[],"In total, we identified that ",{"data":3236,"content":3237,"nodeType":435},{"uri":3180},[3238],{"data":3239,"marks":3240,"value":3242,"nodeType":172},{},[3241],{"type":1613},"37% (2 in 5) accounts have a password login set with no MFA",{"data":3244,"marks":3245,"value":3246,"nodeType":172},{},[],", while 9% have no MFA AND a weak, breached, or reused password.",{"data":3248,"content":3249,"nodeType":173},{},[3250],{"data":3251,"marks":3252,"value":3253,"nodeType":172},{},[],"So, relying on locked-down IdP accounts and maximising the use of SSO is an important pillar of an effective identity security strategy, but there will always be gaps. Unless you recognize this, you may be blindsided by attackers finding them before you do. ",{"data":3255,"content":3256,"nodeType":551},{},[3257],{"data":3258,"marks":3259,"value":3261,"nodeType":172},{},[3260],{"type":286},"The threat of infostealers and stolen credentials needs to be taken seriously",{"data":3263,"content":3264,"nodeType":173},{},[3265],{"data":3266,"marks":3267,"value":3268,"nodeType":172},{},[],"Breached credentials appearing online is not always seen as a top priority for security teams, particularly when there’s so much noise from all of the outdated or simply erroneous findings (anyone that’s ever subscribed to a credential TI feed knows the pain of this). ",{"data":3270,"content":3271,"nodeType":173},{},[3272],{"data":3273,"marks":3274,"value":3275,"nodeType":172},{},[],"But Snowflake serves as a stark reminder that despite all the false positives, stolen credentials are sometimes valid — and when weaponized at-scale they can be a powerful tool for attackers. ",{"data":3277,"content":3281,"nodeType":239},{"target":3278},{"sys":3279},{"id":3280,"type":244,"linkType":245},"4EODpwKsqNivpvP2yMtZCd",[],{"data":3283,"content":3284,"nodeType":551},{},[3285],{"data":3286,"marks":3287,"value":3289,"nodeType":172},{},[3288],{"type":286},"Don’t rely on third-parties to protect your identities for you",{"data":3291,"content":3292,"nodeType":173},{},[3293],{"data":3294,"marks":3295,"value":3296,"nodeType":172},{},[],"Snowflake came under fire following the attacks for not enabling MFA by default, or giving security teams sufficient tools to deal with the incident. ",{"data":3298,"content":3299,"nodeType":173},{},[3300],{"data":3301,"marks":3302,"value":3303,"nodeType":172},{},[],"This is perhaps justifiable, but is hardly the exception. Very few apps enforce MFA by default or provide a global MFA enforcement mechanism. Most don’t even provide audit logs (and when they do, the scope of logging is pretty limited). And we regularly encounter apps that don’t give you any information about account configuration as an admin — like which accounts have MFA, or the login methods that they’re using (e.g. SSO via SAML, SSO via OIDC, password, which IdPs are being used…) which is essential information to be able to secure your identity attack surface. ",{"data":3305,"content":3306,"nodeType":173},{},[3307],{"data":3308,"marks":3309,"value":3310,"nodeType":172},{},[],"Yes, it would be great if app vendors put security first and made controls available by default, for all customers (not just the premium ones). But in the absence of an industrywide shift toward security-first product development, it’s important that organizations don’t just point the finger at service providers — and take matters into their own hands when it comes to securing their user identities. ",{"data":3312,"content":3313,"nodeType":551},{},[3314],{"data":3315,"marks":3316,"value":3318,"nodeType":172},{},[3317],{"type":286},"This isn’t a specific Snowflake problem — it could have been any application",{"data":3320,"content":3321,"nodeType":173},{},[3322],{"data":3323,"marks":3324,"value":3325,"nodeType":172},{},[],"While Snowflake was admittedly a high-value target because of the data it collected, apps with sensitive data (or with integrations connecting them to data collected in adjacent apps) are not in short supply. ",{"data":3327,"content":3328,"nodeType":173},{},[3329],{"data":3330,"marks":3331,"value":3332,"nodeType":172},{},[],"If we accept that many other apps are similarly desirable targets, then we should also consider that it’s unlikely that Snowflake is the only app that has valid credentials sitting around on the internet, waiting to be weaponized by criminals. Equally, it’s not the only app that doesn’t require mandatory MFA for user accounts, as we discussed above. The next Snowflake is likely to lurk in the same breached datasets, possibly even using the same credentials.",{"data":3334,"content":3335,"nodeType":173},{},[3336],{"data":3337,"marks":3338,"value":3339,"nodeType":172},{},[],"There’s been a clear increase in the number of infostealer and stolen credential related breaches and news stories since Snowflake as attackers wise up to the potential opportunity and start seeing the dollar signs. It would be naive to think that this was a one off event — the next Snowflake is probably not too far away. ",{"data":3341,"content":3342,"nodeType":173},{},[3343],{"data":3344,"marks":3345,"value":3346,"nodeType":172},{},[],"For a deep-dive analysis of the impact of Snowflake, check out our on-demand webinar from earlier this year.",{"data":3348,"content":3352,"nodeType":239},{"target":3349},{"sys":3350},{"id":3351,"type":244,"linkType":245},"7LkU5DqE9HJ1PQu9BTg6Mw",[],{"data":3354,"content":3355,"nodeType":275},{},[],{"data":3357,"content":3358,"nodeType":279},{},[3359],{"data":3360,"marks":3361,"value":3363,"nodeType":172},{},[3362],{"type":286},"How to protect yourself from the next Snowflake using Push",{"data":3365,"content":3366,"nodeType":173},{},[3367],{"data":3368,"marks":3369,"value":3370,"nodeType":172},{},[],"Organizations looking to reduce their exposure to account takeover using stolen credentials should look to:",{"data":3372,"content":3373,"nodeType":207},{},[3374,3384,3394],{"data":3375,"content":3376,"nodeType":211},{},[3377],{"data":3378,"content":3379,"nodeType":173},{},[3380],{"data":3381,"marks":3382,"value":3383,"nodeType":172},{},[],"Identify the apps being used across the business and locate vulnerable workforce identities using weak, breached, or reused credentials, and missing MFA. Where SSO is the preferred login method, local username & password logins should ideally be removed. ",{"data":3385,"content":3386,"nodeType":211},{},[3387],{"data":3388,"content":3389,"nodeType":173},{},[3390],{"data":3391,"marks":3392,"value":3393,"nodeType":172},{},[],"Where credentials appear in third-party data breaches, verify where they are still valid and ensure that the credentials are changed. ",{"data":3395,"content":3396,"nodeType":211},{},[3397],{"data":3398,"content":3399,"nodeType":173},{},[3400],{"data":3401,"marks":3402,"value":3403,"nodeType":172},{},[],"Detect unauthorized access to workforce identities where sessions are initiated or resumed from unusual or unexpected locations. It should be noted that while this is a fairly common feature for larger enterprise cloud platforms with configurable access control policies, this is not typically possible for most SaaS applications.  ",{"data":3405,"content":3406,"nodeType":173},{},[3407],{"data":3408,"marks":3409,"value":3410,"nodeType":172},{},[],"All of these use cases can be achieved using Push. The Push browser extension detects all logins performed in employee browsers, capturing granular information about the login method and MFA types used, and enriching this data by integrating with your preferred IdP.",{"data":3412,"content":3413,"nodeType":173},{},[3414,3418,3426],{"data":3415,"marks":3416,"value":3417,"nodeType":172},{},[],"Push’s ",{"data":3419,"content":3421,"nodeType":435},{"uri":3420},"https://pushsecurity.com/blog/verified-stolen-credential-detection",[3422],{"data":3423,"marks":3424,"value":3425,"nodeType":172},{},[],"verified stolen credential detection feature",{"data":3427,"marks":3428,"value":3429,"nodeType":172},{},[]," compares a k-anonymized hash of user passwords observed with stolen credential TI feeds to cut through the noise and identify where stolen credentials appearing online represent a genuine vulnerability.   ",{"data":3431,"content":3432,"nodeType":173},{},[3433,3437,3446],{"data":3434,"marks":3435,"value":3436,"nodeType":172},{},[],"On top of this, all logins made in browsers protected by the Push extension, across every app, are verified by ",{"data":3438,"content":3440,"nodeType":435},{"uri":3439},"https://pushsecurity.com/blog/introducing-session-token-theft-detection-why-browser-is-best/",[3441],{"data":3442,"marks":3443,"value":3445,"nodeType":172},{},[3444],{"type":1613},"adding a unique marker to the user agent string of the session",{"data":3447,"marks":3448,"value":3449,"nodeType":172},{},[],", which will then appear in your IdP logs. This means that any session occurring outside of the Push-protected estate can be flagged to your security team via SIEM alert — including where an attacker uses stolen credentials to log into an app from a browser without the Push extension running. ",{"data":3451,"content":3455,"nodeType":239},{"target":3452},{"sys":3453},{"id":3454,"type":244,"linkType":245},"3tqVk7Vr7pYLOEVukIJM2g",[],{"data":3457,"content":3458,"nodeType":173},{},[3459],{"data":3460,"marks":3461,"value":37,"nodeType":172},{},[],"Snowflake: Looking back on 2024’s landmark security event","165 Snowflake customers were targeted by criminals using stolen credentials from infostealer infections, impacting hundreds of millions of people. ","2024-11-29T00:00:00.000Z","snowflake-retro",{"items":3467},[3468],{"sys":3469,"name":188},{"id":187},{"items":3471},[3472],{"fullName":2659,"firstName":2660,"jobTitle":2661,"profilePicture":3473},{"url":2663},{"items":3475},[3476],{"fullName":2659,"firstName":2660,"jobTitle":2661,"profilePicture":3477},{"url":2663},{"json":3479,"links":3996},{"nodeType":174,"data":3480,"content":3481},{},[3482,3501,3517,3523,3535,3542,3545,3553,3560,3567,3588,3600,3606,3618,3630,3636,3643,3650,3653,3661,3669,3701,3708,3715,3723,3743,3750,3757,3764,3771,3779,3798,3805,3812,3819,3826,3829,3837,3844,3850,3857,3860,3868,3875,3882,3888,3895,3901,3908,3914,3921,3927,3933,3939,3942,3950,3957],{"nodeType":173,"data":3483,"content":3484},{},[3485,3489,3498],{"nodeType":172,"value":3486,"marks":3487,"data":3488},"One of the breakaway stories of 2026 has been the rise in attacks powered by ",[],{},{"nodeType":435,"data":3490,"content":3492},{"uri":3491},"https://pushsecurity.com/blog/browser-extension-management-guide/",[3493],{"nodeType":172,"value":3494,"marks":3495,"data":3497},"malicious browser extensions",[3496],{"type":1613},{},{"nodeType":172,"value":2352,"marks":3499,"data":3500},[],{},{"nodeType":173,"data":3502,"content":3503},{},[3504,3508,3513],{"nodeType":172,"value":3505,"marks":3506,"data":3507},"Most browser extension attacks are really targeting the apps your users are accessing ",[],{},{"nodeType":172,"value":3509,"marks":3510,"data":3512},"inside",[3511],{"type":318},{},{"nodeType":172,"value":3514,"marks":3515,"data":3516}," the browser. They do this by intercepting credentials (passwords, session cookies, and so on) as you browse the internet. ",[],{},{"nodeType":239,"data":3518,"content":3522},{"target":3519},{"sys":3520},{"id":3521,"type":244,"linkType":245},"1nUMc1L69zkD3MmmdqbYm0",[],{"nodeType":173,"data":3524,"content":3525},{},[3526,3531],{"nodeType":172,"value":3527,"marks":3528,"data":3530},"But there’s an often overlooked vector that leads to the same outcome — synced browser profiles. ",[3529],{"type":286},{},{"nodeType":172,"value":3532,"marks":3533,"data":3534},"And the most dangerous part of this attack is that it often stems from personal device compromises — naturally, outside the scope of your corporate security software. ",[],{},{"nodeType":173,"data":3536,"content":3537},{},[3538],{"nodeType":172,"value":3539,"marks":3540,"data":3541},"Sign into Chrome or Edge with a Google or Microsoft account, and your passwords, bookmarks, history, and extensions follow you seamlessly across every device. For individual users, it's a quality-of-life improvement. But for organisations, it links corporate accounts to personal ones with far weaker security controls. ",[],{},{"nodeType":275,"data":3543,"content":3544},{},[],{"nodeType":279,"data":3546,"content":3547},{},[3548],{"nodeType":172,"value":3549,"marks":3550,"data":3552},"How browser sync attacks work",[3551],{"type":286},{},{"nodeType":173,"data":3554,"content":3555},{},[3556],{"nodeType":172,"value":3557,"marks":3558,"data":3559},"When an employee signs into a personal browser profile on a work device (or saves work credentials on a personal device), the browser's sync mechanism copies those credentials into a cloud account outside the organisation's control. That cloud account — typically a personal Google or Microsoft account — becomes the weakest link in the chain.",[],{},{"nodeType":173,"data":3561,"content":3562},{},[3563],{"nodeType":172,"value":3564,"marks":3565,"data":3566},"The typical sequence looks like this:",[],{},{"nodeType":173,"data":3568,"content":3569},{},[3570,3575,3579,3584],{"nodeType":172,"value":3571,"marks":3572,"data":3574},"An employee signs into Chrome with their personal Google account on a corporate laptop. ",[3573],{"type":286},{},{"nodeType":172,"value":3576,"marks":3577,"data":3578},"During the course of their work, the browser prompts them to save passwords — for a VPN, an internal tool, a support system, a cloud platform. They click \"Save.\" The credential is now stored locally in the browser ",[],{},{"nodeType":172,"value":3580,"marks":3581,"data":3583},"and",[3582],{"type":318},{},{"nodeType":172,"value":3585,"marks":3586,"data":3587}," synced to their personal Google account in the cloud.",[],{},{"nodeType":173,"data":3589,"content":3590},{},[3591,3596],{"nodeType":172,"value":3592,"marks":3593,"data":3595},"The personal account is compromised. ",[3594],{"type":286},{},{"nodeType":172,"value":3597,"marks":3598,"data":3599},"This can happen in a lot of ways, and is made easier by the less secure nature of personal accounts. They are typically accessed from devices with less or no security protection, while MFA and other identity-layer controls are less common. Once the personal device or account is breached, every synced password — including corporate ones — is in the hands of the attacker. ",[],{},{"nodeType":239,"data":3601,"content":3605},{"target":3602},{"sys":3603},{"id":3604,"type":244,"linkType":245},"2GQ4TVJQWS9VJB5W6fBeLS",[],{"nodeType":173,"data":3607,"content":3608},{},[3609,3614],{"nodeType":172,"value":3610,"marks":3611,"data":3613},"With the harvested corporate credentials, the attacker authenticates to the organisation's systems.",[3612],{"type":286},{},{"nodeType":172,"value":3615,"marks":3616,"data":3617}," If MFA is absent or bypassable (via fatigue attacks, social engineering, or session token reuse), they're in.",[],{},{"nodeType":173,"data":3619,"content":3620},{},[3621,3626],{"nodeType":172,"value":3622,"marks":3623,"data":3625},"From here, it's a conventional intrusion — privilege escalation, reconnaissance, and exfiltration. ",[3624],{"type":286},{},{"nodeType":172,"value":3627,"marks":3628,"data":3629},"But the initial access was entirely outside the defender's visibility. No phishing email hit the corporate mail gateway. No exploit was fired at a corporate asset. The compromise happened in a personal context that security teams had no control over.",[],{},{"nodeType":239,"data":3631,"content":3635},{"target":3632},{"sys":3633},{"id":3634,"type":244,"linkType":245},"5llxwUFxBOjuXTyr5LXOyy",[],{"nodeType":173,"data":3637,"content":3638},{},[3639],{"nodeType":172,"value":3640,"marks":3641,"data":3642},"What makes this attack so effective is that it entirely bypasses the corporate security stack. Endpoint detection, email filtering, network monitoring — none of it sees the initial compromise because it happens on a personal device or in a personal cloud account.",[],{},{"nodeType":173,"data":3644,"content":3645},{},[3646],{"nodeType":172,"value":3647,"marks":3648,"data":3649},"The scope isn’t limited to “personal” devices either. BYOD and contractor machines suffer from the same security limitations in that they are a place where personal and corporate use converges, and/or they sit outside of the scope of your security tooling. ",[],{},{"nodeType":275,"data":3651,"content":3652},{},[],{"nodeType":279,"data":3654,"content":3655},{},[3656],{"nodeType":172,"value":3657,"marks":3658,"data":3660},"Real-world incidents",[3659],{"type":286},{},{"nodeType":551,"data":3662,"content":3663},{},[3664],{"nodeType":172,"value":3665,"marks":3666,"data":3668},"Cisco (2022)",[3667],{"type":286},{},{"nodeType":173,"data":3670,"content":3671},{},[3672,3675,3684,3688,3697],{"nodeType":172,"value":37,"marks":3673,"data":3674},[],{},{"nodeType":435,"data":3676,"content":3678},{"uri":3677},"https://thehackernews.com/2022/08/cisco-confirms-its-been-hacked-by.html",[3679],{"nodeType":172,"value":3680,"marks":3681,"data":3683},"Cisco",[3682],{"type":1613},{},{"nodeType":172,"value":3685,"marks":3686,"data":3687}," was breached by an initial access broker with ties to the Yanluowang ransomware group, UNC2447, and the ",[],{},{"nodeType":435,"data":3689,"content":3691},{"uri":3690},"https://pushsecurity.com/blog/scattered-lapsus-hunters/",[3692],{"nodeType":172,"value":3693,"marks":3694,"data":3696},"Lapsus$",[3695],{"type":1613},{},{"nodeType":172,"value":3698,"marks":3699,"data":3700}," threat actor group. ",[],{},{"nodeType":173,"data":3702,"content":3703},{},[3704],{"nodeType":172,"value":3705,"marks":3706,"data":3707},"A Cisco employee had enabled Chrome's password syncing feature and had stored their Cisco VPN credentials in the browser. Those credentials were synchronised to their personal Google account. The attacker compromised the personal Google account, obtained the VPN credentials, and then used a combination of voice phishing and MFA fatigue — repeatedly sending push notifications until the employee accepted one — to bypass multi-factor authentication and gain VPN access.",[],{},{"nodeType":173,"data":3709,"content":3710},{},[3711],{"nodeType":172,"value":3712,"marks":3713,"data":3714},"Once inside the network, the attacker escalated privileges, moved laterally to Citrix servers and domain controllers, and deployed offensive tooling consistent with pre-ransomware activity. Cisco's security team ultimately detected and removed the attacker before ransomware was deployed, but the adversary made repeated attempts to regain access in the following weeks, including targeting accounts where employees had only made single-character password changes after the company-wide reset.",[],{},{"nodeType":551,"data":3716,"content":3717},{},[3718],{"nodeType":172,"value":3719,"marks":3720,"data":3722},"Okta (2023)",[3721],{"type":286},{},{"nodeType":173,"data":3724,"content":3725},{},[3726,3730,3739],{"nodeType":172,"value":3727,"marks":3728,"data":3729},"The ",[],{},{"nodeType":435,"data":3731,"content":3733},{"uri":3732},"https://sec.okta.com/articles/2023/11/unauthorized-access-oktas-support-case-management-system-root-cause/",[3734],{"nodeType":172,"value":3735,"marks":3736,"data":3738},"Okta breach",[3737],{"type":1613},{},{"nodeType":172,"value":3740,"marks":3741,"data":3742}," followed an almost identical pattern to Cisco, but with more severe downstream consequences.",[],{},{"nodeType":173,"data":3744,"content":3745},{},[3746],{"nodeType":172,"value":3747,"marks":3748,"data":3749},"Between September 28 and October 17, 2023, an attacker gained unauthorised access to Okta's customer support case management system. The root cause: an Okta employee had signed into their personal Google profile on Chrome on their Okta-managed laptop. While signed into that personal profile, they accessed a service account for the support system. The service account's username and password were saved by Chrome and synced to the employee's personal Google account.",[],{},{"nodeType":173,"data":3751,"content":3752},{},[3753],{"nodeType":172,"value":3754,"marks":3755,"data":3756},"The attacker — having compromised either the personal Google account or a personal device — obtained these service account credentials and used them to access the support system. The compromised service account had permissions to view and update customer support cases, which contained HAR (HTTP Archive) files uploaded by customers for troubleshooting. Some of these HAR files contained session tokens.",[],{},{"nodeType":173,"data":3758,"content":3759},{},[3760],{"nodeType":172,"value":3761,"marks":3762,"data":3763},"The attacker used the stolen session tokens to hijack the legitimate Okta sessions of five customers, including 1Password, BeyondTrust, and Cloudflare — three security companies that independently detected the suspicious activity and reported it to Okta. In total, files associated with 134 Okta customers were accessed.",[],{},{"nodeType":173,"data":3765,"content":3766},{},[3767],{"nodeType":172,"value":3768,"marks":3769,"data":3770},"What made this breach particularly notable was the detection gap. Okta's security team was unable to identify suspicious file downloads in their logs for 14 days. The attacker navigated directly to the Files tab in the support system rather than opening files through individual support cases, which generated a different log event type that wasn't part of the initial investigation scope. It wasn't until BeyondTrust provided a suspicious IP address on October 13 that Okta was able to correlate the activity.",[],{},{"nodeType":551,"data":3772,"content":3773},{},[3774],{"nodeType":172,"value":3775,"marks":3776,"data":3778},"Snowflake (customers) (2024)",[3777],{"type":286},{},{"nodeType":173,"data":3780,"content":3781},{},[3782,3785,3794],{"nodeType":172,"value":3727,"marks":3783,"data":3784},[],{},{"nodeType":435,"data":3786,"content":3788},{"uri":3787},"https://pushsecurity.com/blog/snowflake-retro/",[3789],{"nodeType":172,"value":3790,"marks":3791,"data":3793},"Snowflake campaign",[3792],{"type":1613},{},{"nodeType":172,"value":3795,"marks":3796,"data":3797}," represents what happens when the browser-credential-sync problem meets infostealer malware at scale. ",[],{},{"nodeType":173,"data":3799,"content":3800},{},[3801],{"nodeType":172,"value":3802,"marks":3803,"data":3804},"In 2024, a financially motivated threat actor tracked as UNC5537 (associated with the ShinyHunters group) systematically compromised approximately 165 Snowflake customer environments. The attackers didn't exploit any vulnerability in Snowflake itself. They logged in with valid credentials.",[],{},{"nodeType":173,"data":3806,"content":3807},{},[3808],{"nodeType":172,"value":3809,"marks":3810,"data":3811},"Those credentials had been harvested by infostealer malware — including Vidar, RedLine, Lumma, RisePro, Raccoon Stealer, and MetaStealer — from employee and contractor devices over a period stretching back to 2020. Mandiant's investigation found that over 80% of the compromised accounts had prior credential exposure, and critically, the stolen credentials had never been rotated.",[],{},{"nodeType":173,"data":3813,"content":3814},{},[3815],{"nodeType":172,"value":3816,"marks":3817,"data":3818},"The personal/corporate boundary failure was central to the campaign. Mandiant specifically noted that in several cases, the initial infostealer infections occurred on contractor systems that were also used for personal activities, including gaming and downloads of pirated software. These were personal or unmonitored laptops where corporate credentials had been saved in the browser alongside everything else.",[],{},{"nodeType":173,"data":3820,"content":3821},{},[3822],{"nodeType":172,"value":3823,"marks":3824,"data":3825},"The impacted Snowflake accounts lacked MFA (which Snowflake did not enforce by default at the time), and the attackers used a custom tool to automate SQL-based reconnaissance and data exfiltration across customer instances. The stolen data encompassed hundreds of millions of customer records, and at least one victim paid an undisclosed ransom.",[],{},{"nodeType":275,"data":3827,"content":3828},{},[],{"nodeType":279,"data":3830,"content":3831},{},[3832],{"nodeType":172,"value":3833,"marks":3834,"data":3836},"What security teams can do about it",[3835],{"type":286},{},{"nodeType":173,"data":3838,"content":3839},{},[3840],{"nodeType":172,"value":3841,"marks":3842,"data":3843},"Chrome Enterprise and Microsoft Edge for Business both support policies that prevent employees from signing into personal accounts on corporate-managed browsers. This is the most direct control. It doesn't prevent all credential leakage scenarios, but it closes the sync-to-personal-cloud path.",[],{},{"nodeType":239,"data":3845,"content":3849},{"target":3846},{"sys":3847},{"id":3848,"type":244,"linkType":245},"CmrOdYVVW6wz9kdRqxOmX",[],{"nodeType":173,"data":3851,"content":3852},{},[3853],{"nodeType":172,"value":3854,"marks":3855,"data":3856},"Every incident described above was enabled or worsened by the absence of MFA on the target system. MFA should be mandatory for all human user accounts, and organisations should audit for \"ghost logins\" — local username/password accounts that persist alongside SSO and bypass its MFA enforcement.",[],{},{"nodeType":275,"data":3858,"content":3859},{},[],{"nodeType":279,"data":3861,"content":3862},{},[3863],{"nodeType":172,"value":3864,"marks":3865,"data":3867},"How Push can help",[3866],{"type":286},{},{"nodeType":173,"data":3869,"content":3870},{},[3871],{"nodeType":172,"value":3872,"marks":3873,"data":3874},"Push makes browser security easier than ever, particularly when dealing with complex environments running different browsers and operating systems. ",[],{},{"nodeType":173,"data":3876,"content":3877},{},[3878],{"nodeType":172,"value":3879,"marks":3880,"data":3881},"You can use Push to surface which users are logged into their browser using a non-work profile and whether the profile is synced across devices. Push captures this information for every browser that your employees are using, including Chrome, Edge, Firefox, Safari, Brave, Opera, Arc, Island, and Prisma (and we’re always adding support for new ones). ",[],{},{"nodeType":239,"data":3883,"content":3887},{"target":3884},{"sys":3885},{"id":3886,"type":244,"linkType":245},"67sSoSW136TeBZzYIEXggP",[],{"nodeType":173,"data":3889,"content":3890},{},[3891],{"nodeType":172,"value":3892,"marks":3893,"data":3894},"Sync attacks can impact both saved credentials and browser extensions. This means that even if your employees aren’t saving credentials to their browser profile, you can still be at risk if they’ve installed any extensions in another browser where they’re signed in. ",[],{},{"nodeType":239,"data":3896,"content":3900},{"target":3897},{"sys":3898},{"id":3899,"type":244,"linkType":245},"1MzuYaPlUpYfTnBJRqUBtO",[],{"nodeType":173,"data":3902,"content":3903},{},[3904],{"nodeType":172,"value":3905,"marks":3906,"data":3907},"You can use Push to identify where credentials are being saved — for example, are employees using your company-approved password manager, or copying credentials from unsanctioned apps or locations? This includes where users are manually copying passwords from a password manager app rather than auto-populating (this increases the chance of them entering these passwords into phishing pages).",[],{},{"nodeType":239,"data":3909,"content":3913},{"target":3910},{"sys":3911},{"id":3912,"type":244,"linkType":245},"7gNX2RXqB2NIf1tNnJBIFD",[],{"nodeType":173,"data":3915,"content":3916},{},[3917],{"nodeType":172,"value":3918,"marks":3919,"data":3920},"You can also see where those credentials have a vulnerability, such as a weak, breached, or reused password. In this scenario, we’re looking for credentials that have been leaked online, where an employee is signed into their work browser with a personal account, and profile sync is enabled. This could indicate that the user has been the victim of an infostealer compromise or malicious extension on their personal device.",[],{},{"nodeType":239,"data":3922,"content":3926},{"target":3923},{"sys":3924},{"id":3925,"type":244,"linkType":245},"1CBezYXZtlIVbReROF7QpK",[],{"nodeType":239,"data":3928,"content":3932},{"target":3929},{"sys":3930},{"id":3931,"type":244,"linkType":245},"4xs0WNCijnwnIVc0xqpUu9",[],{"nodeType":239,"data":3934,"content":3938},{"target":3935},{"sys":3936},{"id":3937,"type":244,"linkType":245},"8gVeg0IBB5EV17iBk6XP8",[],{"nodeType":275,"data":3940,"content":3941},{},[],{"nodeType":279,"data":3943,"content":3944},{},[3945],{"nodeType":172,"value":3946,"marks":3947,"data":3949},"Stop browser-based attacks with Push",[3948],{"type":286},{},{"nodeType":173,"data":3951,"content":3952},{},[3953],{"nodeType":172,"value":3954,"marks":3955,"data":3956},"Push Security's browser-based security platform detects and blocks browser-based attacks like AiTM phishing, credential stuffing, malicious browser extensions, ClickFix, and session hijacking. You don't need to wait until it all goes wrong either — you can use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, and more to harden your attack surface.",[],{},{"nodeType":173,"data":3958,"content":3959},{},[3960,3964,3972,3975,3983,3986,3993],{"nodeType":172,"value":3961,"marks":3962,"data":3963},"To learn more about Push, ",[],{},{"nodeType":435,"data":3965,"content":3966},{"uri":2611},[3967],{"nodeType":172,"value":3968,"marks":3969,"data":3971},"check out our latest product overview",[3970],{"type":1613},{},{"nodeType":172,"value":1616,"marks":3973,"data":3974},[],{},{"nodeType":435,"data":3976,"content":3977},{"uri":2623},[3978],{"nodeType":172,"value":3979,"marks":3980,"data":3982},"view our demo library",[3981],{"type":1613},{},{"nodeType":172,"value":2631,"marks":3984,"data":3985},[],{},{"nodeType":435,"data":3987,"content":3988},{"uri":2636},[3989],{"nodeType":172,"value":2639,"marks":3990,"data":3992},[3991],{"type":1613},{},{"nodeType":172,"value":489,"marks":3994,"data":3995},[],{},{"entries":3997},{"hyperlink":3998,"inline":3999,"block":4000},[],[],[4001,4016,4035,4044,4052,4059,4085,4093,4098,4124],{"sys":4002,"__typename":4003,"content":4004,"name":4015,"title":118},{"id":3521},"InsightTextBlockComponent",{"json":4005},{"data":4006,"content":4007,"nodeType":174},{},[4008],{"data":4009,"content":4010,"nodeType":173},{},[4011],{"data":4012,"marks":4013,"value":4014,"nodeType":172},{},[],"This is the same for most browser-based attacks, like phishing (of multiple varieties, with AITM phishing and device code phishing being the most common in 2026), and even hybrid attacks like ClickFix (trick victim into installing an infostealer on their device > steal credentials and cookies > log into apps). ","Browser Sync Blog IB1",{"sys":4017,"__typename":4003,"content":4018,"name":4034,"title":118},{"id":3604},{"json":4019},{"nodeType":174,"data":4020,"content":4021},{},[4022],{"nodeType":173,"data":4023,"content":4024},{},[4025,4029],{"nodeType":172,"value":4026,"marks":4027,"data":4028},"Personal devices are far softer targets than corporate endpoints. They typically have no EDR agent, no centrally managed antivirus, no hardened configuration baselines, and no security operations team watching for alerts. And personal browsing habits are way more likely to lead to infostealer deployment, which are often distributed through malicious advertisements on all manner of platforms — search results, social media ads, gaming forums, and so on. ",[],{},{"nodeType":172,"value":4030,"marks":4031,"data":4033},"Notably, the 2025 Verizon DBIR found that 46% of infostealer-infected systems with compromised corporate credentials were non-managed devices. ",[4032],{"type":286},{},"Browser Sync Blog IB2",{"sys":4036,"__typename":4037,"title":4038,"caption":4039,"layoutMode":118,"file":4040},{"id":3634},"Image","Browser sync attack diagram","How a personal account compromise can lead to a corporate breach.",{"url":4041,"width":4042,"height":4043},"https://images.ctfassets.net/y1cdw1ablpvd/7KIXnq2SeCTN2zA7DoIOj4/f2b7c37c47d28ac110cd2769c35652ae/Browser_sync_attack_diagram.png",3922,1636,{"sys":4045,"__typename":4037,"title":4046,"caption":4047,"layoutMode":118,"file":4048},{"id":3848},"Preventing browser profile syncing in Chrome","Preventing browser profile syncing in Chrome.",{"url":4049,"width":4050,"height":4051},"https://images.ctfassets.net/y1cdw1ablpvd/54OsAScfL5a896m3n0is80/ee84ec32221be0a6342eb6792c8b6dca/image1.png",1999,1054,{"sys":4053,"__typename":4037,"title":4054,"caption":4054,"layoutMode":118,"file":4055},{"id":3886},"Identify profile syncing using Push.",{"url":4056,"width":4057,"height":4058},"https://images.ctfassets.net/y1cdw1ablpvd/7Gmo7lSxoyLpmRyeEbXz4H/10e82ddfcba7a390ee5a25c931f730ff/image3.png",1380,465,{"sys":4060,"__typename":4003,"content":4061,"name":4084,"title":118},{"id":3899},{"json":4062},{"data":4063,"content":4064,"nodeType":174},{},[4065],{"data":4066,"content":4067,"nodeType":173},{},[4068,4072,4080],{"data":4069,"marks":4070,"value":4071,"nodeType":172},{},[],"To learn more about how you can use Push to lock down extension use and block malicious extensions from running across every browser, check out our ",{"data":4073,"content":4074,"nodeType":435},{"uri":3491},[4075],{"data":4076,"marks":4077,"value":4079,"nodeType":172},{},[4078],{"type":1613},"guide",{"data":4081,"marks":4082,"value":4083,"nodeType":172},{},[]," here. ","Browser Sync Blog IB3",{"sys":4086,"__typename":4037,"title":4087,"caption":4088,"layoutMode":118,"file":4089},{"id":3912},"Get detailed visibility of password manager use and password entry behavior.","Get deep visibility of password manager use and password entry behavior.",{"url":4090,"width":4091,"height":4092},"https://images.ctfassets.net/y1cdw1ablpvd/74hJdhrMBMXv0enE2Qs5VD/2cdff9be14f70d2ae2283b88da0f3eeb/Push_Password_Manager.gif",1280,720,{"sys":4094,"__typename":4037,"title":4095,"caption":4095,"layoutMode":118,"file":4096},{"id":3925},"Identify browser profile syncing and whether the user has active credentials that have been leaked online.",{"url":4097,"width":4091,"height":4092},"https://images.ctfassets.net/y1cdw1ablpvd/3BIn8peNvp8EXo1TWqZqXO/0c3f849f24d60fa546603d12abd4c349/Browser_Profile_Sync.gif",{"sys":4099,"__typename":4003,"content":4100,"name":4123,"title":118},{"id":3931},{"json":4101},{"data":4102,"content":4103,"nodeType":174},{},[4104],{"data":4105,"content":4106,"nodeType":173},{},[4107,4111,4119],{"data":4108,"marks":4109,"value":4110,"nodeType":172},{},[],"As well as identifying password vulnerabilities, you can also use Push to harden accounts by detecting MFA gaps and enforcing MFA (even on apps where this isn’t natively possible). Check out our ",{"data":4112,"content":4114,"nodeType":435},{"uri":4113},"https://pushsecurity.com/blog/guide-how-to-use-push-controls-to-protect-your-users-from-modern-attacks/",[4115],{"data":4116,"marks":4117,"value":4079,"nodeType":172},{},[4118],{"type":1613},{"data":4120,"marks":4121,"value":4122,"nodeType":172},{},[]," for more information.","Browser Sync Blog IB4",{"sys":4125,"__typename":4126,"title":4127,"arcadeDemoUrl":4128,"playText":4129},{"id":3937},"ArcadeDemo","Find and fix vulnerabilities using Push to harden attack paths.","https://demo.arcade.software/3gsvKeVcdatDBiW7oC9g?embed","2 mins","content:blog:browser-sync-attacks-where-personal-account-hacks-lead-to-corporate-breaches.json","json","content","blog/browser-sync-attacks-where-personal-account-hacks-lead-to-corporate-breaches.json","blog/browser-sync-attacks-where-personal-account-hacks-lead-to-corporate-breaches",[4136,4319,4438,4557,4675,4795,4915,5035],{"createdDate":4137,"id":4138,"name":4139,"modelId":4140,"published":13,"stageModifiedSincePublish":6,"query":4141,"data":4147,"variations":4307,"lastUpdated":4308,"firstPublished":4309,"testRatio":33,"screenshot":4310,"createdBy":34,"lastUpdatedBy":4311,"folders":4312,"meta":4313,"rev":4318},1744829487099,"387451215c314dd5bd654668cdc1a197","Zero-day phishing","cca4143377554c5a9163cc203a8ed2ba",[4142],{"@type":4143,"property":4144,"operator":4145,"value":4146},"@builder.io/core:Query","urlPath","is","/uc/zero-day-phishing-protection",{"inputs":4148,"customFonts":4149,"seoTitle":4196,"title":4196,"tsCode":37,"seoDescription":4197,"fontAwesomeIcon":4198,"jsCode":37,"blocks":4199,"url":4146,"state":4304},[],[4150],{"family":4151,"kind":4152,"version":4153,"lastModified":4154,"files":4155,"category":4174,"menu":4175,"subsets":4176,"variants":4179},"DM Sans","webfonts#webfont","v14","2023-07-13",{"100":4156,"200":4157,"300":4158,"500":4159,"600":4160,"700":4161,"800":4162,"900":4163,"800italic":4164,"900italic":4165,"700italic":4166,"100italic":4167,"italic":4168,"regular":4169,"200italic":4170,"500italic":4171,"300italic":4172,"600italic":4173},"https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAop1hTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwA_JxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAkJxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAfJthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwARZthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAC5thTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8gCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9uCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDG3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-7DW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat_XDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9XCm3zRmYJpso5.ttf","sans-serif","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxRT23z.ttf",[4177,4178],"latin","latin-ext",[4180,4181,4182,4183,4184,4185,128,4186,4187,4188,4189,4190,318,4191,4192,4193,4194,4195],"100","200","300","regular","500","600","800","900","100italic","200italic","300italic","500italic","600italic","700italic","800italic","900italic","Zero-day phishing protection","Detect phishing TTPs directly in the browser and stop credential theft.","faFishingRod",[4200,4299],{"@type":106,"@version":107,"tagName":4201,"id":4202,"children":4203},"div","builder-76c6b8d1499346c7bc1fd56ae4e93638",[4204,4221,4229,4236,4248,4263,4274,4285,4291],{"@type":106,"@version":107,"layerName":4205,"id":4206,"component":4207,"responsiveStyles":4218},"UseCaseHero","builder-5228fe062bef4a40a91e43f1112832fa",{"name":4205,"options":4208,"isRSC":118},{"title":4196,"description":4209,"points":4210,"video":4217},"\u003Cp>Push detects phishing as it happens. Autonomous agents hunt for new phishing techniques, identify kit signatures, and deploy detections within minutes of a new attack being analyzed. From cloned login pages to AiTM credential harvesting, Push sees what traditional filters miss and stops threats before they escalate.\u003C/p>",[4211,4213,4215],{"item":4212},"Detect phishing that bypasses traditional filters, including AiTM, SSO password theft, and fake login pages",{"item":4214},"Stop never-before-seen attacks with AI-native behavioral and on-page analysis inside the browser",{"item":4216},"Investigate faster with unified browser, user, and page context","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F40433ceeb4f94b43a82e039a0f4fd411%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=40433ceeb4f94b43a82e039a0f4fd411&alt=media&optimized=true",{"large":4219},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":4220},"transparent",{"@type":106,"@version":107,"id":4222,"component":4223,"responsiveStyles":4226},"builder-96634044407e491299e291ed64669e39",{"name":4224,"options":4225,"isRSC":118},"TrustedBy",{"AllPartners":41,"backgroundTransparent":6},{"large":4227},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":4228},"#000",{"@type":106,"@version":107,"id":4230,"component":4231,"responsiveStyles":4234},"builder-2c3768f930534557bb8978e32b6a6a0f",{"name":4232,"options":4233,"isRSC":118},"Diagonal",{"darkMode":41},{"large":4235},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":4237,"id":4238,"component":4239,"responsiveStyles":4246},"TextImageBlockVertical","builder-7c3c1c2840424db2ad2ccbfaf382dd64",{"name":4237,"tag":4237,"options":4240,"isRSC":118},{"darkMode":6,"maxWidth":4241,"maxTextWidth":4242,"title":4243,"description":4244,"animatedTitle":37,"image":4245,"reverse":6,"descriptionPaddingHorizontal":118},1200,800,"\u003Ch2>Why stop at the inbox?\u003C/h2>","\u003Cp>Phishing attacks have evolved. Whether attackers lure users with QR codes, instant messages, or OAuth consent screens, the outcome is the same: it plays out in the browser. Push gives you real-time detection for in-browser threats, stopping phishing and consent-based attacks before they lead to compromise\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7fdcac241f0e4a049166d7076858adeb",{"large":4247},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":4249,"component":4250,"responsiveStyles":4258},"builder-41c978b3669749cf947e622b4e79e4d7",{"name":4251,"options":4252,"isRSC":118},"TextImageBlockHorizontal",{"darkMode":6,"maxWidth":4241,"imageMaxWidth":4253,"textPaddingTop":4254,"title":4255,"description":4256,"reverse":41,"image":4257},600,100,"\u003Cp>Detect phishing at the edge\u003C/p>","\u003Cp>Push uses industry-first telemetry to detect phishing based on behavior, not static indicators. Autonomous agents analyze how phishing pages behave and how users interact with them, uncovering fake logins, credential theft, and phishing kits the moment they load in the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F9df3d180c97b4e61af142af2ccd68721",{"large":4259},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":4260,"paddingTop":4261,"marginTop":4262},"DM Sans, sans-serif","20px","0px",{"@type":106,"@version":107,"id":4264,"component":4265,"responsiveStyles":4271},"builder-d2a7bc941feb43cdb898bc116b203cf9",{"name":4251,"options":4266,"isRSC":118},{"darkMode":6,"maxWidth":4241,"imageMaxWidth":4253,"textPaddingTop":4267,"title":4268,"description":4269,"reverse":6,"image":4270},120,"\u003Ch2>Go beyond blocklists and IOCs\u003C/h2>","\u003Cp>Push goes beyond URLs and easy-to-change indicators. It reads the full phishing playbook like script behavior, session hijacks, DOM changes, user inputs, then connects the dots in real time. This gives your team a complete picture of how the phishing attempt worked, not just an alert.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fabfd58db169b433e96d3f1261797156e",{"large":4272},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":4273},"36px",{"@type":106,"@version":107,"layerName":4251,"id":4275,"component":4276,"responsiveStyles":4282},"builder-42c32198083f4880acb37c5cb76934da",{"name":4251,"options":4277,"isRSC":118},{"darkMode":6,"maxWidth":4241,"imageMaxWidth":4253,"textPaddingTop":4278,"title":4279,"description":4280,"reverse":41,"image":4281},140,"\u003Ch2>Enhance your phishing response\u003C/h2>","\u003Cp>When phishing enters your environment, speed matters. Push gives you instant access to the telemetry that counts like session data, user behavior, and page activity, so you can investigate fast, trigger in-browser prompts, or forward alerts to your SIEM or SOAR for response. All in real time, right from the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fbb195aec46904056b85e8688629e558e",{"large":4283},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":4284},"47px",{"@type":106,"@version":107,"id":4286,"component":4287,"responsiveStyles":4289},"builder-9a95b9cbc4854421a92ef7b90f6c7adb",{"name":4232,"options":4288,"isRSC":118},{"darkMode":6},{"large":4290},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":4292,"component":4293,"responsiveStyles":4297},"builder-0afa17a9f25c4661a90f314d5578aa18",{"name":4294,"tag":4294,"options":4295,"isRSC":118},"LatestResources",{"sectionHeading":37,"customClass":4296},"bg-black",{"large":4298},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":4300,"@type":106,"tagName":131,"properties":4301,"responsiveStyles":4302},"builder-pixel-h6onu0ubr9",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":4303},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":4305},{"path":37,"query":4306},{},{},1776275046831,1745499158657,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fff60c30a8442489c8ed7e0af9599d14f","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"lastPreviewUrl":4314,"winningTest":118,"breakpoints":4315,"kind":4316,"hasLinks":6,"originalContentId":4317,"hasAutosaves":6},"https://pushsecurity.com/uc/zero-day-phishing-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=387451215c314dd5bd654668cdc1a197&builder.overrides.387451215c314dd5bd654668cdc1a197=387451215c314dd5bd654668cdc1a197&builder.overrides.use-case-page:/uc/zero-day-phishing-protection=387451215c314dd5bd654668cdc1a197&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},"page","2daa5670b8504fc7ba4700633e8bd921","wjcv5yvqyja",{"createdDate":4320,"id":4321,"name":4322,"modelId":4140,"published":13,"stageModifiedSincePublish":6,"query":4323,"data":4326,"variations":4430,"lastUpdated":4431,"firstPublished":4432,"testRatio":33,"screenshot":4433,"createdBy":34,"lastUpdatedBy":4311,"folders":4434,"meta":4435,"rev":4318},1756833377777,"54f8256648f54d439303734b1e69221b","Browser extension security",[4324],{"@type":4143,"property":4144,"operator":4145,"value":4325},"/uc/browser-extension-security",{"seoDescription":4327,"jsCode":37,"fontAwesomeIcon":4328,"tsCode":37,"title":4322,"seoTitle":4322,"customFonts":4329,"inputs":4334,"blocks":4335,"url":4325,"state":4427},"Shine a light on risky browser extensions.","faPuzzlePiece",[4330],{"kind":4152,"family":4151,"version":4153,"files":4331,"category":4174,"lastModified":4154,"subsets":4332,"variants":4333,"menu":4175},{"100":4156,"200":4157,"300":4158,"500":4159,"600":4160,"700":4161,"800":4162,"900":4163,"100italic":4167,"italic":4168,"regular":4169,"900italic":4165,"800italic":4164,"700italic":4166,"200italic":4170,"300italic":4172,"500italic":4171,"600italic":4173},[4177,4178],[4180,4181,4182,4183,4184,4185,128,4186,4187,4188,4189,4190,318,4191,4192,4193,4194,4195],[],[4336,4422],{"@type":106,"@version":107,"tagName":4201,"id":4337,"meta":4338,"children":4339},"builder-71d0648c1d2f4ede8d0d0b5b28b7b94c",{"previousId":4202},[4340,4356,4363,4370,4379,4389,4399,4409,4416],{"@type":106,"@version":107,"id":4341,"meta":4342,"component":4343,"responsiveStyles":4354},"builder-ff325b4b8fad4edea53f38865947e854",{"previousId":4206},{"name":4205,"options":4344,"isRSC":118},{"title":4322,"description":4345,"points":4346,"video":4353},"\u003Cp>Browser extensions introduce new code, new permissions, and new potential for risk. Many include AI features, and most go completely unnoticed. Push gives you full visibility into every extension used across your workforce, across major browsers, so you can uncover shadow IT, assess risky permissions, and block unsafe tools before they lead to compromise.\u003C/p>",[4347,4349,4351],{"item":4348},"Discover every browser extension in use",{"item":4350},"Spot risky or unsanctioned behavior",{"item":4352},"Make informed decisions on extension policy","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc538aad95d7f403aa3c3551af72f67c0?alt=media&token=1411fa6d-2eac-4e6c-94bf-ea117da12d67&apiKey=f3a1111ff5be48cdbb123cd9f5795a05",{"large":4355},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":4220},{"@type":106,"@version":107,"id":4357,"meta":4358,"component":4359,"responsiveStyles":4361},"builder-fb89d128c64e47cf9cbb11d90fc24523",{"previousId":4222},{"name":4224,"options":4360,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":4362},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":4228},{"@type":106,"@version":107,"id":4364,"meta":4365,"component":4366,"responsiveStyles":4368},"builder-54388d35126c4d0096eeebaf8c4448cd",{"previousId":4230},{"name":4232,"options":4367,"isRSC":118},{"darkMode":41},{"large":4369},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":4237,"id":4371,"component":4372,"responsiveStyles":4377},"builder-3c8fa6785dd6466abf52a2470d66d85a",{"name":4237,"tag":4237,"options":4373,"isRSC":118},{"darkMode":6,"maxWidth":4241,"maxTextWidth":4242,"title":4374,"description":4375,"image":4376,"reverse":6},"\u003Ch2>Take control of browser extensions\u003C/h2>","\u003Cp>Attackers are increasingly using malicious browser extensions to gain access to data processed and stored in the browser. And the problem is, most security teams have no visibility into what extensions are being used. Push changes that. With browser-native telemetry, the Push extension continuously inventories browser extensions across your environment, flags the risky ones, and gives you intelligence to act. \u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0a004f16a6874f4c8fdf14344acc9fec",{"large":4378},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":4380,"meta":4381,"component":4382,"responsiveStyles":4387},"builder-93738f98109a4009affb349afd7bb182",{"previousId":4249},{"name":4251,"options":4383,"isRSC":118},{"darkMode":6,"maxWidth":4241,"imageMaxWidth":4253,"textPaddingTop":4254,"title":4384,"description":4385,"reverse":41,"image":4386},"\u003Ch2>Discover every extension in use\u003C/h2>","\u003Cp>Push gives you structured, searchable data about every extension in your environment, so you’re not just seeing what’s there, but also understanding how it got there, what it can do, and who it affects. It’s the kind of granular insight that’s nearly impossible to get from traditional tools, and it lays the groundwork for better policy decisions and faster investigations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0e5727ca99474f14b1b7916bf6bbb782",{"large":4388},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":4260,"paddingTop":4261,"marginTop":4262},{"@type":106,"@version":107,"id":4390,"meta":4391,"component":4392,"responsiveStyles":4397},"builder-83393acb12ee4fdd840839185b51edb4",{"previousId":4264},{"name":4251,"options":4393,"isRSC":118},{"darkMode":6,"maxWidth":4241,"imageMaxWidth":4253,"textPaddingTop":4267,"title":4394,"description":4395,"reverse":6,"image":4396},"\u003Ch2>Spot risky or malicious extensions\u003C/h2>","\u003Cp>Push highlights extensions with dangerous permissions, broad access, or poor reputations. This includes AI extensions that request access far beyond what their stated purpose requires. You can quickly detect sideloaded, manually installed, or development-mode extensions that bypass normal controls. And because Push shows you who’s using them and where, you can respond precisely and effectively.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa104d58c8da34fbb8901f738fb21453b",{"large":4398},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":4273},{"@type":106,"@version":107,"layerName":4251,"id":4400,"meta":4401,"component":4402,"responsiveStyles":4407},"builder-da98e3de949646d89c53a0d1c2784664",{"previousId":4275},{"name":4251,"options":4403,"isRSC":118},{"darkMode":6,"maxWidth":4241,"imageMaxWidth":4253,"textPaddingTop":4278,"title":4404,"description":4405,"reverse":41,"image":4406},"\u003Ch2>Accelerate security reviews\u003C/h2>","\u003Cp>Most teams have extension policies, they just don’t have the data to enforce them. Push reveals how each extension entered your environment, whether it was installed manually, sideloaded, or deployed in dev mode. You’ll see which users are running what, and where, so you can surface violations, investigate quickly, and respond with confidence.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F229f355be6f243b180f410d237a75bb3",{"large":4408},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":4284},{"@type":106,"@version":107,"id":4410,"meta":4411,"component":4412,"responsiveStyles":4414},"builder-1a689287d1a1418997d57db578a71105",{"previousId":4286},{"name":4232,"options":4413,"isRSC":118},{"darkMode":6},{"large":4415},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":4417,"component":4418,"responsiveStyles":4420},"builder-feb4e75029f84c10b6498ef1f8f79128",{"name":4294,"tag":4294,"options":4419,"isRSC":118},{"sectionHeading":37,"customClass":4296},{"large":4421},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":4423,"@type":106,"tagName":131,"properties":4424,"responsiveStyles":4425},"builder-pixel-jc4lv2mnufo",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":4426},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":4428},{"path":37,"query":4429},{},{},1776275365038,1757000441666,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8d496cf111644ee5afcc046b72d1ca5a",[],{"kind":4316,"winningTest":118,"breakpoints":4436,"lastPreviewUrl":4437,"hasLinks":6,"originalContentId":4138,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/browser-extension-security?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=54f8256648f54d439303734b1e69221b&builder.overrides.54f8256648f54d439303734b1e69221b=54f8256648f54d439303734b1e69221b&builder.overrides.use-case-page:/uc/browser-extension-security=54f8256648f54d439303734b1e69221b&builder.options.locale=Default",{"createdDate":4439,"id":4440,"name":4441,"modelId":4140,"published":13,"query":4442,"data":4445,"variations":4548,"lastUpdated":4549,"firstPublished":4550,"testRatio":33,"screenshot":4551,"createdBy":34,"lastUpdatedBy":4552,"folders":4553,"meta":4554,"rev":4318},1744923509705,"94bebb7bb99d48629ad157e80cf4d81d","Account takeover detection",[4443],{"@type":4143,"property":4144,"operator":4145,"value":4444},"/uc/account-takeover-detection",{"title":4441,"customFonts":4446,"jsCode":37,"seoTitle":4441,"seoDescription":4451,"fontAwesomeIcon":4452,"tsCode":37,"blocks":4453,"url":4444,"state":4545},[4447],{"kind":4152,"category":4174,"variants":4448,"menu":4175,"files":4449,"family":4151,"subsets":4450,"version":4153,"lastModified":4154},[4180,4181,4182,4183,4184,4185,128,4186,4187,4188,4189,4190,318,4191,4192,4193,4194,4195],{"100":4156,"200":4157,"300":4158,"500":4159,"600":4160,"700":4161,"800":4162,"900":4163,"300italic":4172,"500italic":4171,"800italic":4164,"700italic":4166,"italic":4168,"900italic":4165,"600italic":4173,"200italic":4170,"regular":4169,"100italic":4167},[4177,4178],"Stop ATO with stolen credential and compromised token detection.","faUserSecret",[4454,4540],{"@type":106,"@version":107,"tagName":4201,"id":4455,"meta":4456,"children":4457},"builder-e7913a774cae44c5a23d6081c5c30a52",{"previousId":4202},[4458,4474,4481,4488,4497,4507,4517,4527,4534],{"@type":106,"@version":107,"id":4459,"meta":4460,"component":4461,"responsiveStyles":4472},"builder-f1f1ab1601bc4c0f8c2a8aafd173675d",{"previousId":4206},{"name":4205,"options":4462,"isRSC":118},{"title":4441,"description":4463,"points":4464,"video":4471},"\u003Cp>Attackers don’t need to phish, they just need a password that works. Push monitors for signs of credential-based attacks in real time, directly in the browser, catching account takeover attempts before the damage spreads. From ghost logins to credential stuffing, Push cuts off the paths attackers use to quietly slip in the back door.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[4465,4467,4469],{"item":4466},"Identify credential-based ATO as it unfolds",{"item":4468},"Surface hijacked sessions and token misuse",{"item":4470},"Strengthen authentication where your IdP can’t","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb4dd9db24bc9495b8a686b1b4d492016%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=b4dd9db24bc9495b8a686b1b4d492016&alt=media&optimized=true",{"large":4473},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":4220},{"@type":106,"@version":107,"id":4475,"meta":4476,"component":4477,"responsiveStyles":4479},"builder-0bc0d1c78ece4994993c3a6427a4d533",{"previousId":4222},{"name":4224,"options":4478,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":4480},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":4228},{"@type":106,"@version":107,"id":4482,"meta":4483,"component":4484,"responsiveStyles":4486},"builder-e45de8f3768c4f16938dbf78e4e87524",{"previousId":4230},{"name":4232,"options":4485,"isRSC":118},{"darkMode":41},{"large":4487},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":4489,"component":4490,"responsiveStyles":4495},"builder-c98e8bfd341146c1b67c02d5698ff093",{"name":4237,"tag":4237,"options":4491,"isRSC":118},{"darkMode":6,"maxWidth":4241,"maxTextWidth":4242,"title":4492,"description":4493,"image":4494,"reverse":6},"\u003Ch2>Assume less. See more.\u003C/h2>","\u003Cp>Most account takeovers don’t start with a breach, they start with a login. Whether it’s a reused password, a local account, or an outdated login flow, Push shows you how accounts are actually accessed day to day, not just how policies say they should be. That means no more blind spots around ghost logins, bypassed SSO, or stale access paths that quietly persist.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F18630ad2746d4eb7b7fcc0428b11a8f0",{"large":4496},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":4498,"meta":4499,"component":4500,"responsiveStyles":4505},"builder-55c1fc38ddc04fd1a0d6a8e2fb819e00",{"previousId":4249},{"name":4251,"options":4501,"isRSC":118},{"darkMode":6,"maxWidth":4241,"imageMaxWidth":4253,"textPaddingTop":4254,"title":4502,"description":4503,"reverse":41,"image":4504},"\u003Ch2>Catch stolen credential use in real time\u003C/h2>","\u003Cp>Push monitors login activity directly in the browser to detect signs of credential-based attacks like leaked password use or suspicious login flows. By analyzing attacker TTPs instead of relying on known indicators, Push spots credential stuffing and account takeover attempts the moment they begin, not after they’ve succeeded.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F52b0123cac2c4dfdb1dc0af6adf9d603",{"large":4506},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":4260,"paddingTop":4262,"marginTop":4262},{"@type":106,"@version":107,"id":4508,"meta":4509,"component":4510,"responsiveStyles":4515},"builder-dfb31737b30948c6b95323655d571a50",{"previousId":4264},{"name":4251,"options":4511,"isRSC":118},{"darkMode":6,"maxWidth":4241,"imageMaxWidth":4253,"textPaddingTop":4267,"title":4512,"description":4513,"reverse":6,"image":4514},"\u003Ch2>Detect session hijacks and stealth access\u003C/h2>","\u003Cp>Attackers don’t always need a login screen, they often sidestep it entirely using stolen session tokens. Push detects when valid sessions are reused in unexpected ways, identifying hijacked sessions and stealth access attempts that traditional tools miss. Because we monitor directly in the browser, you see what’s happening inside active sessions in real time.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F94a6859a99e04d309ffe5841f3dbdf5c",{"large":4516},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":4273},{"@type":106,"@version":107,"layerName":4251,"id":4518,"meta":4519,"component":4520,"responsiveStyles":4525},"builder-f7585b90eb974d03a7dc7eae5b58d227",{"previousId":4275},{"name":4251,"options":4521,"isRSC":118},{"darkMode":6,"maxWidth":4241,"imageMaxWidth":4253,"textPaddingTop":4278,"title":4522,"description":4523,"reverse":41,"image":4524},"\u003Ch2>Harden accounts before they’re compromised\u003C/h2>","\u003Cp>Push goes beyond alerts. It identifies apps that still allow local logins, even when SSO is configured, so you can remove weak access paths. Push also flags users without MFA, reused work credentials, or weak passwords, and prompts users in-browser to fix risky behaviors before they’re exploited.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01c1b638f1b6497093a4f2b8ceddb5bb",{"large":4526},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":4284},{"@type":106,"@version":107,"id":4528,"meta":4529,"component":4530,"responsiveStyles":4532},"builder-ad81d1e3afec49a791214194eae09bdc",{"previousId":4286},{"name":4232,"options":4531,"isRSC":118},{"darkMode":6},{"large":4533},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":4535,"component":4536,"responsiveStyles":4538},"builder-8dac1aa4b9d148628d92252bd8eff822",{"name":4294,"tag":4294,"options":4537,"isRSC":118},{"sectionHeading":37,"customClass":4296},{"large":4539},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":4541,"@type":106,"tagName":131,"properties":4542,"responsiveStyles":4543},"builder-pixel-bp9ni6h4vze",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":4544},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":4546},{"path":37,"query":4547},{},{},1770892814499,1745499162732,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F58b660fa94aa4b30b0faeb9b663ae41a","SfUPqW5tkibIPby49keNFMdHFTr1",[],{"lastPreviewUrl":4555,"hasLinks":6,"originalContentId":4138,"breakpoints":4556,"winningTest":118,"kind":4316,"hasAutosaves":41},"https://pushsecurity.com/uc/account-takeover-detection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.94bebb7bb99d48629ad157e80cf4d81d=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.use-case-page:/uc/account-takeover-detection=94bebb7bb99d48629ad157e80cf4d81d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":4558,"id":4559,"name":4560,"modelId":4140,"published":13,"query":4561,"data":4564,"variations":4667,"lastUpdated":4668,"firstPublished":4669,"testRatio":33,"screenshot":4670,"createdBy":34,"lastUpdatedBy":4552,"folders":4671,"meta":4672,"rev":4318},1745009370904,"23eb48fb56d3451cab77cb6ed140ee6d","Attack path hardening",[4562],{"@type":4143,"property":4144,"operator":4145,"value":4563},"/uc/attack-path-hardening",{"tsCode":37,"seoDescription":4565,"jsCode":37,"customFonts":4566,"fontAwesomeIcon":4571,"seoTitle":4560,"title":4560,"blocks":4572,"url":4563,"state":4664},"Harden access paths with visibility,  detection, and guardrails.",[4567],{"kind":4152,"files":4568,"version":4153,"lastModified":4154,"subsets":4569,"menu":4175,"category":4174,"variants":4570,"family":4151},{"100":4156,"200":4157,"300":4158,"500":4159,"600":4160,"700":4161,"800":4162,"900":4163,"regular":4169,"italic":4168,"800italic":4164,"500italic":4171,"600italic":4173,"200italic":4170,"900italic":4165,"700italic":4166,"100italic":4167,"300italic":4172},[4177,4178],[4180,4181,4182,4183,4184,4185,128,4186,4187,4188,4189,4190,318,4191,4192,4193,4194,4195],"faRadar",[4573,4659],{"@type":106,"@version":107,"tagName":4201,"id":4574,"meta":4575,"children":4576},"builder-1d8553eddcaa44d7bba9e2f4ca13af2a",{"previousId":4455},[4577,4593,4600,4607,4616,4626,4636,4646,4653],{"@type":106,"@version":107,"id":4578,"meta":4579,"component":4580,"responsiveStyles":4591},"builder-84fe3d7c85a743cf8cef649aa974f1ef",{"previousId":4459},{"name":4205,"options":4581,"isRSC":118},{"title":4560,"description":4582,"points":4583,"video":4590},"\u003Cp>Push continuously monitors your environment for exposed login paths, weak credentials, and missing protections like MFA. It detects the gaps attackers exploit and helps you close them before they’re used.\u003C/p>",[4584,4586,4588],{"item":4585},"Find weak spots like reused passwords, local logins, and missing MFA",{"item":4587},"Monitor how users actually log in across apps, flows, and tools",{"item":4589},"Enforce secure access with in-browser guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fdbdcf52892034f1bbddded77f753a343%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=dbdcf52892034f1bbddded77f753a343&alt=media&optimized=true",{"large":4592},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":4220},{"@type":106,"@version":107,"id":4594,"meta":4595,"component":4596,"responsiveStyles":4598},"builder-b3f66f5b08054cc78a06fecfc3ae2337",{"previousId":4475},{"name":4224,"options":4597,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":4599},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":4228},{"@type":106,"@version":107,"id":4601,"meta":4602,"component":4603,"responsiveStyles":4605},"builder-4c73418b84be49ed85e6e13d2625c5a0",{"previousId":4482},{"name":4232,"options":4604,"isRSC":118},{"darkMode":41},{"large":4606},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":4608,"component":4609,"responsiveStyles":4614},"builder-dec0246085e1485c803f7152b1922a81",{"name":4237,"tag":4237,"options":4610,"isRSC":118},{"darkMode":6,"maxWidth":4241,"maxTextWidth":4242,"title":4611,"description":4612,"image":4613,"reverse":6},"\u003Ch2>Find the gaps that lead to compromise\u003C/h2>","\u003Cp>Misconfigurations don’t show up in your config files, they show up in how users actually access apps. Push monitors real login behavior in the browser, surfacing risky patterns like local login access, duplicate accounts, or missing protections that leave doors wide open.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F309a59bba8d247a19476bb369397460e",{"large":4615},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":4617,"meta":4618,"component":4619,"responsiveStyles":4624},"builder-ebf049a645604a249550996a88f8f3b6",{"previousId":4498},{"name":4251,"options":4620,"isRSC":118},{"darkMode":6,"maxWidth":4241,"imageMaxWidth":4253,"textPaddingTop":4254,"title":4621,"description":4622,"reverse":41,"image":4623},"\u003Ch2>See real login behavior\u003C/h2>","\u003Cp>Push watches authentication flows as they happen, giving you a live view of how users log in, which methods they choose, and where protections like MFA are missing. Plus, uncover every app and account in use, even shadow IT you didn’t know existed, without relying on stale config files or IdP assumptions. \u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb51f6b0357cc451b87a7a5016d984e5e",{"large":4625},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":4260,"paddingTop":4261,"marginTop":4262},{"@type":106,"@version":107,"id":4627,"meta":4628,"component":4629,"responsiveStyles":4634},"builder-431d175c59004669b0b2776b07d71737",{"previousId":4508},{"name":4251,"options":4630,"isRSC":118},{"darkMode":6,"maxWidth":4241,"imageMaxWidth":4253,"textPaddingTop":4267,"title":4631,"description":4632,"reverse":6,"image":4633},"\u003Ch2>Find and fix posture drift\u003C/h2>","\u003Cp>Security posture isn’t static. Push continuously monitors for issues like missing MFA or legacy login methods. When something falls out of policy, you know immediately with custom notifications so you can act before it turns into risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F324e39127dfc41e592b1183dfb39892d",{"large":4635},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":4273},{"@type":106,"@version":107,"layerName":4251,"id":4637,"meta":4638,"component":4639,"responsiveStyles":4644},"builder-3dffdcbe0a484e2ca4c03f019b6d40ee",{"previousId":4518},{"name":4251,"options":4640,"isRSC":118},{"darkMode":6,"maxWidth":4241,"imageMaxWidth":4253,"textPaddingTop":4278,"title":4641,"description":4642,"reverse":41,"image":4643},"\u003Ch2>Guide users with in-browser guardrails\u003C/h2>","\u003Cp>Push doesn’t just surface problems, it helps you fix them. When users sign in without MFA, reuse a password, or use insecure credentials, Push prompts them directly in the browser to secure their access. It’s faster, more effective, and actually gets results.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fee8b75d13e45488aba55434a8b49ebb0",{"large":4645},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":4284},{"@type":106,"@version":107,"id":4647,"meta":4648,"component":4649,"responsiveStyles":4651},"builder-976bc222cd7647ff905f1e01cfedc453",{"previousId":4528},{"name":4232,"options":4650,"isRSC":118},{"darkMode":6},{"large":4652},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":4654,"component":4655,"responsiveStyles":4657},"builder-8c47ec2fd0f74382bb3e6c870555632c",{"name":4294,"tag":4294,"options":4656,"isRSC":118},{"sectionHeading":37,"customClass":4296},{"large":4658},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":4660,"@type":106,"tagName":131,"properties":4661,"responsiveStyles":4662},"builder-pixel-hqgadf1h59w",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":4663},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":4665},{"path":37,"query":4666},{},{},1770892844854,1745499166112,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6ca12bf728a045f1a31d40c0beb3bfe5",[],{"kind":4316,"lastPreviewUrl":4673,"breakpoints":4674,"hasLinks":6,"originalContentId":4440,"winningTest":118,"hasAutosaves":6},"https://pushsecurity.com/uc/attack-path-hardening?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.23eb48fb56d3451cab77cb6ed140ee6d=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.use-case-page:/uc/attack-path-hardening=23eb48fb56d3451cab77cb6ed140ee6d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":4676,"id":4677,"name":4678,"modelId":4140,"published":13,"query":4679,"data":4682,"variations":4787,"lastUpdated":4788,"firstPublished":4789,"testRatio":33,"screenshot":4790,"createdBy":34,"lastUpdatedBy":4552,"folders":4791,"meta":4792,"rev":4318},1761675020232,"ea4f309d2ffe46c5aa97ebf0fda4e2e3","ClickFix Protection",[4680],{"@type":4143,"property":4144,"operator":4145,"value":4681},"/uc/clickfix-protection",{"seoDescription":4683,"fontAwesomeIcon":4684,"customFonts":4685,"seoTitle":4690,"jsCode":37,"tsCode":37,"title":4690,"blocks":4691,"url":4681,"state":4784},"Block attacks that trick users into running malicious code.","faLaptopCode",[4686],{"files":4687,"subsets":4688,"menu":4175,"version":4153,"kind":4152,"family":4151,"lastModified":4154,"variants":4689,"category":4174},{"100":4156,"200":4157,"300":4158,"500":4159,"600":4160,"700":4161,"800":4162,"900":4163,"200italic":4170,"800italic":4164,"700italic":4166,"600italic":4173,"100italic":4167,"italic":4168,"regular":4169,"300italic":4172,"500italic":4171,"900italic":4165},[4177,4178],[4180,4181,4182,4183,4184,4185,128,4186,4187,4188,4189,4190,318,4191,4192,4193,4194,4195],"ClickFix protection",[4692,4779],{"@type":106,"@version":107,"tagName":4201,"id":4693,"meta":4694,"children":4695},"builder-d7eefdde0f2a4b2b9de3dcb2978fd6cb",{"previousId":4574},[4696,4712,4719,4726,4736,4746,4756,4766,4773],{"@type":106,"@version":107,"id":4697,"meta":4698,"component":4699,"responsiveStyles":4710},"builder-56e2c54bcce040a4af8b92ae03706c12",{"previousId":4578},{"name":4205,"options":4700,"isRSC":118},{"title":4690,"description":4701,"points":4702,"image":4709},"\u003Cp>ClickFix attacks are one of the fastest-growing threats, tricking users into copying malicious code from a webpage and running it locally. This technique bypasses traditional EDR, email gateways, and network filters, leading directly to ransomware and data theft. Push stops this attack at the source, in the browser, by detecting and blocking the malicious behavior before the user can ever paste the code.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[4703,4705,4707],{"item":4704},"Detect ClickFix, FileFix, and fake CAPTCHA in the browser",{"item":4706},"Block malicious copy-and-paste actions before code is executed",{"item":4708},"See full telemetry into which users were targeted and what they saw","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b74af62889847ebb3927364485b0546",{"large":4711},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":4220},{"@type":106,"@version":107,"id":4713,"meta":4714,"component":4715,"responsiveStyles":4717},"builder-05f9614d4e3e4dc88b3ee8658f54e10e",{"previousId":4594},{"name":4224,"options":4716,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":4718},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":4228},{"@type":106,"@version":107,"id":4720,"meta":4721,"component":4722,"responsiveStyles":4724},"builder-c4fb5179366243c1b6c32d368675cf47",{"previousId":4601},{"name":4232,"options":4723,"isRSC":118},{"darkMode":41},{"large":4725},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":4727,"meta":4728,"component":4729,"responsiveStyles":4734},"builder-261af50705fd445d8cca4a6ba20d5391",{"previousId":4608},{"name":4237,"tag":4237,"options":4730,"isRSC":118},{"darkMode":6,"maxWidth":4241,"maxTextWidth":4242,"title":4731,"description":4732,"reverse":6,"image":4733},"\u003Ch2>Stop ClickFix-style attacks before they become a breach\u003C/h2>","\u003Cp>Traditional security tools are blind to malicious copy and paste attacks because the attack exploits a gap between the browser and the endpoint. EDR only sees the payload after it runs, and network tools see only part of the picture.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F98b2f7e08dec4eafaf8e24937605b8cf",{"large":4735},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":4737,"meta":4738,"component":4739,"responsiveStyles":4744},"builder-7d21b8aab8064c40b1e5dd23c4749309",{"previousId":4617},{"name":4251,"options":4740,"isRSC":118},{"darkMode":6,"maxWidth":4241,"imageMaxWidth":4253,"textPaddingTop":4254,"title":4741,"description":4742,"reverse":41,"image":4743},"\u003Ch2>Discover lures at the source\u003C/h2>","\u003Cp>Push inspects page behavior to identify ClickFix attacks as they happen. By inspecting the page, its structure, and how the user interacts with it, Push can detect and block these in-browser threats in real time. This deep, TTP-based inspection spots the trap even on novel pages that are built to bypass traditional web filters and blocklists.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F665bf47e01544c75bf9ddafd3917927b",{"large":4745},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":4260,"paddingTop":4261,"marginTop":4262},{"@type":106,"@version":107,"id":4747,"meta":4748,"component":4749,"responsiveStyles":4754},"builder-fb91943adf6149259ed9e1e6566c9afe",{"previousId":4627},{"name":4251,"options":4750,"isRSC":118},{"darkMode":6,"maxWidth":4241,"imageMaxWidth":4253,"textPaddingTop":4267,"title":4751,"description":4752,"reverse":6,"image":4753},"\u003Ch2>Block the malicious action\u003C/h2>","\u003Cp>When Push detects a malicious script, it intercepts the user's action and blocks the code from being copied to the clipboard. The user is protected, the attack is stopped, and no malicious code ever reaches the endpoint. Unlike broad DLP tools, this action is surgical, targeting only malicious behavior without disrupting normal work.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F5ee68f81f1ac416685cbfe91298cf827",{"large":4755},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":4273},{"@type":106,"@version":107,"layerName":4251,"id":4757,"meta":4758,"component":4759,"responsiveStyles":4764},"builder-bfac95fada864e5a8259b955b5b5f98b",{"previousId":4637},{"name":4251,"options":4760,"isRSC":118},{"darkMode":6,"maxWidth":4241,"imageMaxWidth":4253,"textPaddingTop":4278,"title":4761,"description":4762,"reverse":41,"image":4763},"\u003Ch2>Accelerate ClickFix investigations\u003C/h2>","\u003Cp>When an attack happens, knowing what the user saw or did is critical. Push provides rich browser session data for rapid investigation and containment. Security teams get detailed telemetry on which users were targeted, what lure they were served, and when the block occurred. This enables defenders to reconstruct what happened and respond quickly, even when other tools miss the activity entirely.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6cdf2a8aeddc4e9a9023cbf974e40239",{"large":4765},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":4284},{"@type":106,"@version":107,"id":4767,"meta":4768,"component":4769,"responsiveStyles":4771},"builder-136892e831684a6987f87d3be67c33d1",{"previousId":4647},{"name":4232,"options":4770,"isRSC":118},{"darkMode":6},{"large":4772},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":4774,"component":4775,"responsiveStyles":4777},"builder-dec26b739f2f42beb5a73cfc6c675b60",{"name":4294,"tag":4294,"options":4776,"isRSC":118},{"sectionHeading":37,"customClass":4296},{"large":4778},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":4780,"@type":106,"tagName":131,"properties":4781,"responsiveStyles":4782},"builder-pixel-jb7i4u6v2mk",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":4783},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":4785},{"path":37,"query":4786},{},{},1770892881888,1761847585203,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F375467b8bef34ed1a8a1cc5b8b67d75f",[],{"lastPreviewUrl":4793,"originalContentId":4559,"winningTest":118,"hasLinks":6,"kind":4316,"breakpoints":4794,"hasAutosaves":6},"https://pushsecurity.com/uc/clickfix-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.ea4f309d2ffe46c5aa97ebf0fda4e2e3=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.use-case-page:/uc/clickfix-protection=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":4796,"id":4797,"name":4798,"modelId":4140,"published":13,"query":4799,"data":4802,"variations":4907,"lastUpdated":4908,"firstPublished":4909,"testRatio":33,"screenshot":4910,"createdBy":34,"lastUpdatedBy":4552,"folders":4911,"meta":4912,"rev":4318},1745009743870,"a9d5556e77f84a37b5bd52310a7110c1","Incident response",[4800],{"@type":4143,"property":4144,"operator":4145,"value":4801},"/uc/incident-response",{"seoDescription":4803,"customFonts":4804,"title":4798,"jsCode":37,"fontAwesomeIcon":4809,"seoTitle":4810,"tsCode":37,"blocks":4811,"url":4801,"state":4904},"Investigate and respond faster with unique browser telemetry.",[4805],{"kind":4152,"subsets":4806,"menu":4175,"variants":4807,"category":4174,"family":4151,"version":4153,"lastModified":4154,"files":4808},[4177,4178],[4180,4181,4182,4183,4184,4185,128,4186,4187,4188,4189,4190,318,4191,4192,4193,4194,4195],{"100":4156,"200":4157,"300":4158,"500":4159,"600":4160,"700":4161,"800":4162,"900":4163,"900italic":4165,"600italic":4173,"200italic":4170,"300italic":4172,"100italic":4167,"700italic":4166,"800italic":4164,"regular":4169,"italic":4168,"500italic":4171},"faSatelliteDish","Browser based incident response",[4812,4899],{"@type":106,"@version":107,"tagName":4201,"id":4813,"meta":4814,"children":4815},"builder-653c4aed737b4def88dc4cd2d695660a",{"previousId":4574},[4816,4833,4840,4847,4856,4866,4876,4886,4893],{"@type":106,"@version":107,"id":4817,"meta":4818,"component":4819,"responsiveStyles":4831},"builder-18190bd36518467d9154d27d7e945b9b",{"previousId":4578},{"name":4205,"options":4820,"isRSC":118},{"title":4821,"description":4822,"points":4823,"video":4830},"Browser-based incident response","\u003Cp>Push gives you real-time visibility into what actually happened during a breach, right in the browser where the attack played out. From credential theft to session hijacking, Push captures high-fidelity telemetry so you can investigate quickly, contain confidently, and shut it down before it spreads.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[4824,4826,4828],{"item":4825},"Reconstruct what happened with real browser session context",{"item":4827},"Investigate faster with real-world session context",{"item":4829},"Trigger response actions automatically through your SIEM or SOAR","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fd00e39d3b6e346c296261d875cf55652%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=d00e39d3b6e346c296261d875cf55652&alt=media&optimized=true",{"large":4832},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":4220},{"@type":106,"@version":107,"id":4834,"meta":4835,"component":4836,"responsiveStyles":4838},"builder-8a0a8ea63f5d48dd8a6726f2d49cf0ca",{"previousId":4594},{"name":4224,"options":4837,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":4839},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":4228},{"@type":106,"@version":107,"id":4841,"meta":4842,"component":4843,"responsiveStyles":4845},"builder-2df65c3f54334df2b26e7cb744886cdc",{"previousId":4601},{"name":4232,"options":4844,"isRSC":118},{"darkMode":41},{"large":4846},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":4848,"component":4849,"responsiveStyles":4854},"builder-2c32c869efc2423ab69ef06b150e9f97",{"name":4237,"tag":4237,"options":4850,"isRSC":118},{"darkMode":6,"maxWidth":4241,"maxTextWidth":4242,"title":4851,"description":4852,"image":4853,"reverse":6},"\u003Ch2>See attacks unfold, not just their aftermath\u003C/h2>","\u003Cp>Attacks happen in the browser, not in logs. Push captures what traditional tools miss: what users clicked, what loaded, what was entered, and how attackers moved. That gives you real-world evidence, not just assumptions, when every second matters.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F36fc719bd1de4a38b916f4d25c81a26d",{"large":4855},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":4857,"meta":4858,"component":4859,"responsiveStyles":4864},"builder-370e53c6016e432db01e9193a2ce90f6",{"previousId":4617},{"name":4251,"options":4860,"isRSC":118},{"darkMode":6,"maxWidth":4241,"imageMaxWidth":4253,"textPaddingTop":4254,"title":4861,"description":4862,"reverse":41,"image":4863},"\u003Ch2>Investigate faster with high-fidelity data\u003C/h2>","\u003Cp>Reconstructing an incident shouldn’t feel like guesswork. Push records detailed telemetry from inside the browser: page loads, credential inputs, DOM changes, session activity, user behavior. It’s structured, exportable, and ready to plug into your investigation workflows, so you can move fast without digging through proxy logs or relying on user reports.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa6adda040e684e67a8d68a55c5ce5f6d",{"large":4865},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":4260,"paddingTop":4262,"marginTop":4262},{"@type":106,"@version":107,"id":4867,"meta":4868,"component":4869,"responsiveStyles":4874},"builder-a7f3767a8d184bd08fb24520bf210e95",{"previousId":4627},{"name":4251,"options":4870,"isRSC":118},{"darkMode":6,"maxWidth":4241,"imageMaxWidth":4253,"textPaddingTop":4267,"title":4871,"description":4872,"reverse":6,"image":4873},"\u003Ch2>Contain and respond in real time\u003C/h2>","\u003Cp>When something looks off, Push doesn’t just alert you, it gives you options. Guide users with in-browser prompts. Terminate sessions. Trigger SOAR workflows. Enrich SIEM alerts. Push gives you the context and control to stop spread before it starts.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb3dedeed5aba4847a2c2d22e10d0ec12",{"large":4875},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":4273},{"@type":106,"@version":107,"layerName":4251,"id":4877,"meta":4878,"component":4879,"responsiveStyles":4884},"builder-b92036ee0ece4b32acdbdcc7c377366b",{"previousId":4637},{"name":4251,"options":4880,"isRSC":118},{"darkMode":6,"maxWidth":4241,"imageMaxWidth":4253,"textPaddingTop":4278,"title":4881,"description":4882,"reverse":41,"image":4883},"\u003Ch2>Prevent the next one\u003C/h2>","\u003Cp>Push helps you respond fast, but it also helps you fix what went wrong. It surfaces misconfigurations and risky behaviors that made the attack possible in the first place, then guides users in-browser to remediate. One tool. Full loop. No loose ends.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc1ecc2d5d3814b62b072fac01827ff96",{"large":4885},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":4284},{"@type":106,"@version":107,"id":4887,"meta":4888,"component":4889,"responsiveStyles":4891},"builder-5e8ae39655274de89da32ab573a2525a",{"previousId":4647},{"name":4232,"options":4890,"isRSC":118},{"darkMode":6},{"large":4892},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":4894,"component":4895,"responsiveStyles":4897},"builder-dfd6850cfb4741d2b8a0c16c2780f00a",{"name":4294,"tag":4294,"options":4896,"isRSC":118},{"sectionHeading":37,"customClass":4296},{"large":4898},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":4900,"@type":106,"tagName":131,"properties":4901,"responsiveStyles":4902},"builder-pixel-t20dmmgkd7",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":4903},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":4905},{"path":37,"query":4906},{},{},1770892908052,1745427419274,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb07017bfd318431690a5bb35bda35b99",[],{"kind":4316,"breakpoints":4913,"originalContentId":4559,"winningTest":118,"lastPreviewUrl":4914,"hasLinks":6,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/incident-response?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.a9d5556e77f84a37b5bd52310a7110c1=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.use-case-page:/uc/incident-response=a9d5556e77f84a37b5bd52310a7110c1&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"createdDate":4916,"id":4917,"name":4918,"modelId":4140,"published":13,"query":4919,"data":4922,"variations":5027,"lastUpdated":5028,"firstPublished":5029,"testRatio":33,"screenshot":5030,"createdBy":34,"lastUpdatedBy":4552,"folders":5031,"meta":5032,"rev":4318},1746122471259,"5f118e24433d46ceb79f5099987156d7","Shadow SaaS",[4920],{"@type":4143,"property":4144,"operator":4145,"value":4921},"/uc/shadow-saas",{"seoTitle":4923,"seoDescription":4924,"customFonts":4925,"fontAwesomeIcon":4930,"title":4931,"jsCode":37,"tsCode":37,"blocks":4932,"url":4921,"state":5024},"Find and secure shadow SaaS","See and control shadow SaaS in the browser.",[4926],{"kind":4152,"variants":4927,"files":4928,"family":4151,"version":4153,"subsets":4929,"lastModified":4154,"category":4174,"menu":4175},[4180,4181,4182,4183,4184,4185,128,4186,4187,4188,4189,4190,318,4191,4192,4193,4194,4195],{"100":4156,"200":4157,"300":4158,"500":4159,"600":4160,"700":4161,"800":4162,"900":4163,"300italic":4172,"500italic":4171,"regular":4169,"900italic":4165,"italic":4168,"100italic":4167,"200italic":4170,"600italic":4173,"700italic":4166,"800italic":4164},[4177,4178],"faShieldCheck","Secure shadow SaaS",[4933,5019],{"@type":106,"@version":107,"tagName":4201,"id":4934,"meta":4935,"children":4936},"builder-04da805c4cd34652a2db452fcda52e1d",{"previousId":4813},[4937,4953,4960,4967,4976,4986,4996,5006,5013],{"@type":106,"@version":107,"id":4938,"meta":4939,"component":4940,"responsiveStyles":4951},"builder-830d414faeaf41439142f9157e8288c8",{"previousId":4817},{"name":4205,"options":4941,"isRSC":118},{"title":4923,"description":4942,"points":4943,"video":4950},"\u003Cp>SaaS sprawl is one of today’s fastest-growing security blind spots because most tools monitor around the edges. Push sees it at the source, in the browser, revealing every app users access, flagging risky tools, and helping you shut down exposure before it leads to a breach. No guesswork. No nasty surprises. Just real-time visibility and control.\u003C/p>",[4944,4946,4948],{"item":4945},"Discover every SaaS app users access, managed or not",{"item":4947},"Spot accounts with weak security postures like missing MFA, unmanaged access, and no SSO",{"item":4949},"Control usage with in-browser prompts, blocks, and security guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F3e4eece318d04d6586e691d59d0741cf%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=3e4eece318d04d6586e691d59d0741cf&alt=media&optimized=true",{"large":4952},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":4220},{"@type":106,"@version":107,"id":4954,"meta":4955,"component":4956,"responsiveStyles":4958},"builder-cd7833f966cb4c7e8adf0d6c979414a6",{"previousId":4834},{"name":4224,"options":4957,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":4959},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":4228},{"@type":106,"@version":107,"id":4961,"meta":4962,"component":4963,"responsiveStyles":4965},"builder-49d720b45430454e8b08c526f267c19f",{"previousId":4841},{"name":4232,"options":4964,"isRSC":118},{"darkMode":41},{"large":4966},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":4968,"component":4969,"responsiveStyles":4974},"builder-3dde0bf6c8544e5e9ab41b18a9d68034",{"name":4237,"tag":4237,"options":4970,"isRSC":118},{"darkMode":6,"maxWidth":4241,"maxTextWidth":4242,"title":4971,"description":4972,"image":4973,"reverse":6},"\u003Ch2>Use your browser to curb Saas Sprawl\u003C/h2>","\u003Cp>Shadow SaaS isn’t hiding in your network, it’s in your browser. From AI tools to unsanctioned file-sharing sites, security risks live in the apps your users sign into every day. Push maps your organization's true SaaS footprint in real time, exposing apps and accounts with unmanaged access, poor authentication, or no security oversight.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb6811a214c7949b6bbe0b9a3bca62efd",{"large":4975},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":4977,"meta":4978,"component":4979,"responsiveStyles":4984},"builder-e2420451ccdc4f088d0a4904cff45935",{"previousId":4857},{"name":4251,"options":4980,"isRSC":118},{"darkMode":6,"maxWidth":4241,"imageMaxWidth":4253,"textPaddingTop":4254,"title":4981,"description":4982,"reverse":41,"image":4983},"\u003Ch2>Discover hidden SaaS usage\u003C/h2>","\u003Cp>Push captures live browser telemetry across every tab and session. Whether a user signs into a sanctioned app with a personal account or tries a new AI plugin, you’ll see it in real time, with no integrations or manual tagging.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe16e301f9af94665b95d98232a863d8a",{"large":4985},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":4260,"paddingTop":4262,"marginTop":4262},{"@type":106,"@version":107,"id":4987,"meta":4988,"component":4989,"responsiveStyles":4994},"builder-b36de7fce7994beea9e58d94662e7166",{"previousId":4867},{"name":4251,"options":4990,"isRSC":118},{"darkMode":6,"maxWidth":4241,"imageMaxWidth":4253,"textPaddingTop":4267,"title":4991,"description":4992,"reverse":6,"image":4993},"\u003Ch2>Spot risky access and unsafe usage\u003C/h2>","\u003Cp>Discovery is just the beginning. Push flags apps with risky traits, no MFA, no SSO, known vulnerabilities, or broad access scopes. You’ll know which tools introduce real risk, and which users are exposed so you can act with precision.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6585f3c242da4d70ae3cb7d02f481bef",{"large":4995},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":4273},{"@type":106,"@version":107,"layerName":4251,"id":4997,"meta":4998,"component":4999,"responsiveStyles":5004},"builder-dc366b5134684fe7a508edf8913103ea",{"previousId":4877},{"name":4251,"options":5000,"isRSC":118},{"darkMode":6,"maxWidth":4241,"imageMaxWidth":4253,"textPaddingTop":4278,"title":5001,"description":5002,"reverse":41,"image":5003},"\u003Ch2>Close gaps before they grow\u003C/h2>","\u003Cp>Push turns insight into action. When risky SaaS use is detected, guide users to enable MFA, block high-risk apps, or apply in-browser guardrails automatically. All without deploying new infrastructure or managing dozens of integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe6d60b6d91414819bc6258a318f00557",{"large":5005},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":4284},{"@type":106,"@version":107,"id":5007,"meta":5008,"component":5009,"responsiveStyles":5011},"builder-8708f6f0d8da4b3f9e17bf16cda70219",{"previousId":4887},{"name":4232,"options":5010,"isRSC":118},{"darkMode":6},{"large":5012},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":5014,"component":5015,"responsiveStyles":5017},"builder-8ff4b38d60534cf28cb523ab0f754875",{"name":4294,"tag":4294,"options":5016,"isRSC":118},{"sectionHeading":37,"customClass":4296},{"large":5018},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":5020,"@type":106,"tagName":131,"properties":5021,"responsiveStyles":5022},"builder-pixel-225hg4jfk9t",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":5023},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":5025},{"path":37,"query":5026},{},{},1770892936802,1746714967208,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01bfb2304521412fbd2e1a1180904d40",[],{"originalContentId":4797,"winningTest":118,"lastPreviewUrl":5033,"breakpoints":5034,"kind":4316,"hasLinks":6,"hasAutosaves":6},"https://pushsecurity.com/uc/shadow-saas?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=5f118e24433d46ceb79f5099987156d7&builder.overrides.5f118e24433d46ceb79f5099987156d7=5f118e24433d46ceb79f5099987156d7&builder.overrides.use-case-page:/uc/shadow-saas=5f118e24433d46ceb79f5099987156d7&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":5036,"id":5037,"name":5038,"modelId":4140,"published":13,"query":5039,"data":5042,"variations":5146,"lastUpdated":5147,"firstPublished":5148,"testRatio":33,"screenshot":5149,"createdBy":34,"lastUpdatedBy":4552,"folders":5150,"meta":5151,"rev":4318},1764707470172,"b62629ce2f3741158d961cd10fe74b31","Shadow AI",[5040],{"@type":4143,"property":4144,"operator":4145,"value":5041},"/uc/shadow-ai",{"fontAwesomeIcon":5043,"seoTitle":5044,"jsCode":37,"customFonts":5045,"title":5050,"tsCode":37,"seoDescription":5051,"blocks":5052,"url":5041,"state":5143},"faBrainCircuit","Secure AI native and AI enhanced apps. ",[5046],{"variants":5047,"category":4174,"files":5048,"subsets":5049,"family":4151,"kind":4152,"menu":4175,"lastModified":4154,"version":4153},[4180,4181,4182,4183,4184,4185,128,4186,4187,4188,4189,4190,318,4191,4192,4193,4194,4195],{"100":4156,"200":4157,"300":4158,"500":4159,"600":4160,"700":4161,"800":4162,"900":4163,"800italic":4164,"regular":4169,"700italic":4166,"200italic":4170,"italic":4168,"500italic":4171,"600italic":4173,"300italic":4172,"100italic":4167,"900italic":4165},[4177,4178],"Secure shadow AI","See and control shadow AI apps in the browser.",[5053,5138],{"@type":106,"@version":107,"tagName":4201,"id":5054,"meta":5055,"children":5056},"builder-a6e5717a2c914d5695058e4ee201a05d",{"previousId":4934},[5057,5073,5080,5087,5097,5106,5115,5125,5132],{"@type":106,"@version":107,"id":5058,"meta":5059,"component":5060,"responsiveStyles":5071},"builder-3e0ed678683f4a0eb7aa00253cf263b2",{"previousId":4938},{"name":4205,"options":5061,"isRSC":118},{"title":5050,"description":5062,"points":5063,"image":5070},"\u003Cp>Your employees are adopting AI faster than you can track it. From native features in corporate apps to unapproved shadow tools, it’s all happening in the browser. Push detects every AI interaction in real time, letting you categorize apps and enforce acceptable use policies in the browser.\u003C/p>",[5064,5066,5068],{"item":5065},"Map every AI tool used across your workforce",{"item":5067},"Review and classify apps by sensitivity, purpose, and policy status",{"item":5069},"Enforce AI usage rules directly in the browser","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F33cf153d920f4e389f3650253577cff7",{"large":5072},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":4220},{"@type":106,"@version":107,"id":5074,"meta":5075,"component":5076,"responsiveStyles":5078},"builder-76968f8471d14893b8189d75b08fb426",{"previousId":4954},{"name":4224,"options":5077,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":5079},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":4228},{"@type":106,"@version":107,"id":5081,"meta":5082,"component":5083,"responsiveStyles":5085},"builder-b55b9d4bc5a649d8839ce7f6c2043d95",{"previousId":4961},{"name":4232,"options":5084,"isRSC":118},{"darkMode":41},{"large":5086},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":5088,"meta":5089,"component":5090,"responsiveStyles":5095},"builder-c3f38ef4d75d4989a29b5903175ed8a1",{"previousId":4968},{"name":4237,"tag":4237,"options":5091,"isRSC":118},{"darkMode":6,"maxWidth":4241,"maxTextWidth":4242,"title":5092,"description":5093,"image":5094,"reverse":6},"\u003Ch2>Use your browser to govern AI \u003C/h2>","\u003Cp>The AI footprint inside your company is bigger than you think. From text generators to meeting assistants and design copilots, employees test, adopt, and connect new tools constantly. Push shows you those tools and which users are accessing them, without relying on network scans or API integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F30b43bda6f1644c19478fb1efa20050c",{"large":5096},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":5098,"meta":5099,"component":5100,"responsiveStyles":5104},"builder-90ee9cb9afc44e7f885523715bf51a53",{"previousId":4977},{"name":4251,"options":5101,"isRSC":118},{"darkMode":6,"maxWidth":4241,"imageMaxWidth":4253,"textPaddingTop":4254,"title":5102,"description":5103,"reverse":41,"image":4993},"\u003Ch2>Discover every AI tool users touch\u003C/h2>","\u003Cp>Push captures live telemetry from the browser, identifying every AI-native and AI-enhanced application users access. You’ll know which corporate identities are connected, how data flows, and what new AI apps appear across your environment. \u003C/p>",{"large":5105},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":4260,"paddingTop":4262,"marginTop":4262},{"@type":106,"@version":107,"id":5107,"meta":5108,"component":5109,"responsiveStyles":5113},"builder-9e44539fa53c4d8e87406036c921fc46",{"previousId":4987},{"name":4251,"options":5110,"isRSC":118},{"darkMode":6,"maxWidth":4241,"imageMaxWidth":4253,"textPaddingTop":4267,"title":5111,"description":5112,"reverse":6,"image":5003},"\u003Ch2>Classify and manage AI risk\u003C/h2>","\u003Cp>For apps you choose to allow, Push lets you apply custom in-browser banners. You can bulk-select categories of AI tools and require users to read and acknowledge your acceptable use policy before they proceed. This creates an auditable trail and moves policy from an easy to forget document to an active, in-workflow control.\u003C/p>",{"large":5114},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":4273},{"@type":106,"@version":107,"layerName":4251,"id":5116,"meta":5117,"component":5118,"responsiveStyles":5123},"builder-44c1a891926f4bdeaaa37e90721fe6ac",{"previousId":4997},{"name":4251,"options":5119,"isRSC":118},{"darkMode":6,"maxWidth":4241,"imageMaxWidth":4253,"textPaddingTop":4278,"title":5120,"description":5121,"reverse":41,"image":5122},"\u003Ch2>Enforce your AI policy in the browser\u003C/h2>","\u003Cp>When an AI tool is deemed non-compliant or too risky, Push blocks it at the source. The block happens directly in the browser, preventing the user from accessing the site or submitting data. This gives you an immediate, powerful lever to stop data exfiltration and enforce a hard line on unacceptable risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa359ac1805af4e15a8a7f84632b9bb55",{"large":5124},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":4284},{"@type":106,"@version":107,"id":5126,"meta":5127,"component":5128,"responsiveStyles":5130},"builder-dcc906f9cbe54dc68b3c672668e7a38f",{"previousId":5007},{"name":4232,"options":5129,"isRSC":118},{"darkMode":6},{"large":5131},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":5133,"component":5134,"responsiveStyles":5136},"builder-d2d64780c31b4349bc75805b23a07e38",{"name":4294,"tag":4294,"options":5135,"isRSC":118},{"sectionHeading":37,"customClass":4296},{"large":5137},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":5139,"@type":106,"tagName":131,"properties":5140,"responsiveStyles":5141},"builder-pixel-gvb5hb3oa9q",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":5142},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":5144},{"path":37,"query":5145},{},{},1770892957225,1764950077593,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe558b8b069884037a8e6904f7ecc029c",[],{"winningTest":118,"breakpoints":5152,"originalContentId":4917,"kind":4316,"lastPreviewUrl":5153,"hasLinks":6,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/shadow-ai?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=b62629ce2f3741158d961cd10fe74b31&builder.overrides.b62629ce2f3741158d961cd10fe74b31=b62629ce2f3741158d961cd10fe74b31&builder.overrides.use-case-page:/uc/shadow-ai=b62629ce2f3741158d961cd10fe74b31&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",1776343367639]