[{"data":1,"prerenderedAt":4040},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":95,"use-case-page":155,"blog/consentfix":1175},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8,59,76],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":14,"data":15,"variations":50,"lastUpdated":51,"firstPublished":52,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":54,"meta":55,"rev":58},1742213002749,"efff2a27faf4408e9f908eba4b5542fe","inductive-automation","1c6207a5f24948ab82d4a0b17f251193","published",[],{"testimonial":16,"description":43,"type":19,"link":44,"title":47,"testimonialLink":48,"image":49},{"@type":17,"id":18,"model":19,"value":20},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79","testimonial",{"query":21,"folders":22,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":26,"variations":30,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":35,"rev":42},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":27,"jobTitle":28,"quote":24,"image":29},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,1,"ST0tXQM8slWpFrmioqKHmENB2qe2",{"kind":36,"lastPreviewUrl":37,"breakpoints":38,"hasAutosaves":41},"data","",{"small":39,"medium":40},640,768,true,"n0c69wxpcx","Join the industry's top security minds as they break down the browser attack landscape.",{"url":45,"text":46},"https://pushsecurity.com/webinar/state-of-browser-security","Save Your Spot","State of Browser Attacks 
Series","/customer-stories/inductive-automation","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe94fca10aa7b46ac8052b7ea22de54cd",{},1776257019270,1742221533648,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2",[],{"breakpoints":56,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},320,"brpv9ps5x2",{"createdDate":60,"id":61,"name":62,"modelId":12,"published":13,"query":63,"data":64,"variations":69,"lastUpdated":70,"firstPublished":71,"testRatio":33,"createdBy":53,"lastUpdatedBy":72,"folders":73,"meta":74,"rev":58},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner",[],{"type":65,"url":66,"text":67,"link":68},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,"jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":36,"lastPreviewUrl":37,"breakpoints":75,"hasAutosaves":41},{"xsmall":57,"small":39,"medium":40},{"createdDate":77,"id":78,"name":79,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":80,"data":81,"variations":89,"lastUpdated":90,"firstPublished":91,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":92,"meta":93,"rev":58},1742208469288,"6763051b201f44a0838c6400c580ca67","Resource highlight",[],{"image":82,"type":83,"description":84,"link":85,"title":88},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9","resource","Learn about the latest techniques being used in the wild.",{"url":86,"text":87},"/resources/browser-attacks-report","Download now","Report: 2026 Browser Attack 
Techniques",{},1776255866789,1742208570400,[],{"kind":36,"lastPreviewUrl":37,"breakpoints":94,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},{"createdDate":96,"id":97,"name":98,"modelId":99,"published":13,"query":100,"data":101,"variations":145,"lastUpdated":146,"firstPublished":147,"testRatio":33,"createdBy":34,"lastUpdatedBy":148,"folders":149,"meta":150,"rev":154},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":102,"text":103,"url":37,"blocks":104,"state":141},"ewrererw","testrfesssssssssss",[105,129],{"@type":106,"@version":107,"id":108,"component":109,"responsiveStyles":119},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":110,"tag":110,"options":111,"isRSC":118},"TopBannerContent",{"text":112,"ctaText":46,"url":45,"mainText":113,"cta":116},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks",{"content":114,"fontSize":115},"\u003Cp>New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks\u003C/p>","text-base",{"content":117,"fontSize":115,"url":45},"\u003Cp>\u003Cstrong style=\"font-weight:700;\">Save Your 
Spot\u003C/strong>\u003C/p>\n",null,{"large":120},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"marginTop":126,"marginBottom":126,"fontSize":127,"fontWeight":128},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"id":130,"@type":106,"tagName":131,"properties":132,"responsiveStyles":136},"builder-pixel-dloynz89rbq","img",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":137},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},"block","hidden","none",{"deviceSize":142,"location":143},"large",{"path":37,"query":144},{},{},1775137295127,1774968080803,"ax7YYfD0OCeqT1Vxxv1G4FUbqVr1",[],{"breakpoints":151,"hasLinks":6,"kind":152,"lastPreviewUrl":153,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests%2CmergePullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default","vvf0k1j1pre",[156,340,459,578,696,816,936,1056],{"createdDate":157,"id":158,"name":159,"modelId":160,"published":13,"stageModifiedSincePublish":6,"query":161,"data":167,"variations":328,"lastUpdated":329,"firstPublished":330,"testRatio":33,"screenshot":331,"creat
edBy":34,"lastUpdatedBy":332,"folders":333,"meta":334,"rev":339},1744829487099,"387451215c314dd5bd654668cdc1a197","Zero-day phishing","cca4143377554c5a9163cc203a8ed2ba",[162],{"@type":163,"property":164,"operator":165,"value":166},"@builder.io/core:Query","urlPath","is","/uc/zero-day-phishing-protection",{"inputs":168,"customFonts":169,"seoTitle":217,"title":217,"tsCode":37,"seoDescription":218,"fontAwesomeIcon":219,"jsCode":37,"blocks":220,"url":166,"state":325},[],[170],{"family":171,"kind":172,"version":173,"lastModified":174,"files":175,"category":194,"menu":195,"subsets":196,"variants":199},"DM Sans","webfonts#webfont","v14","2023-07-13",{"100":176,"200":177,"300":178,"500":179,"600":180,"700":181,"800":182,"900":183,"800italic":184,"900italic":185,"700italic":186,"100italic":187,"italic":188,"regular":189,"200italic":190,"500italic":191,"300italic":192,"600italic":193},"https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAop1hTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwA_JxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAkJxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAfJthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwARZthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAC5thTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8gCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s
/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9uCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDG3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-7DW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat_XDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9XCm3zRmYJpso5.ttf","sans-serif","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxRT23z.ttf",[197,198],"latin","latin-ext",[200,201,202,203,204,205,128,206,207,208,209,210,211,212,213,214,215,216],"100","200","300","regular","500","600","800","900","100italic","200italic","300italic","italic","500italic","600italic","700italic","800italic","900italic","Zero-day phishing protection","Detect phishing TTPs directly in the browser and stop credential theft.","faFishingRod",[221,320],{"@type":106,"@version":107,"tagName":222,"id":223,"children":224},"div","builder-76c6b8d1499346c7bc1fd56ae4e93638",[225,242,250,257,269,284,295,306,312],{"@type":106,"@version":107,"layerName":226,"id":227,"component":228,"responsiveStyles":239},"UseCaseHero","builder-5228fe062bef4a40a91e43f1112832fa",{"name":226,"options":229,"isRSC":118},{"title":217,"description":230,"points":231,"video":238},"\u003Cp>Push detects phishing as it happens. Autonomous agents hunt for new phishing techniques, identify kit signatures, and deploy detections within minutes of a new attack being analyzed. 
From cloned login pages to AiTM credential harvesting, Push sees what traditional filters miss and stops threats before they escalate.\u003C/p>",[232,234,236],{"item":233},"Detect phishing that bypasses traditional filters, including AiTM, SSO password theft, and fake login pages",{"item":235},"Stop never-before-seen attacks with AI-native behavioral and on-page analysis inside the browser",{"item":237},"Investigate faster with unified browser, user, and page context","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F40433ceeb4f94b43a82e039a0f4fd411%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=40433ceeb4f94b43a82e039a0f4fd411&alt=media&optimized=true",{"large":240},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":241},"transparent",{"@type":106,"@version":107,"id":243,"component":244,"responsiveStyles":247},"builder-96634044407e491299e291ed64669e39",{"name":245,"options":246,"isRSC":118},"TrustedBy",{"AllPartners":41,"backgroundTransparent":6},{"large":248},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":249},"#000",{"@type":106,"@version":107,"id":251,"component":252,"responsiveStyles":255},"builder-2c3768f930534557bb8978e32b6a6a0f",{"name":253,"options":254,"isRSC":118},"Diagonal",{"darkMode":41},{"large":256},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":258,"id":259,"component":260,"responsiveStyles":267},"TextImageBlockVertical","builder-7c3c1c2840424db2ad2ccbfaf382dd64",{"name":258,"tag":258,"options":261,"isRSC":118},{"darkMode":6,"maxWidth":262,"maxTextWidth":263,"title":264,"description":265,"animatedTitle":37,"image":266,"reverse":6,"descriptionPaddingHorizontal":118},1200,800,"\u003Ch2>Why stop at the inbox?\u003C/h2>","\u003Cp>Phishing attacks have evolved. 
Whether attackers lure users with QR codes, instant messages, or OAuth consent screens, the outcome is the same: it plays out in the browser. Push gives you real-time detection for in-browser threats, stopping phishing and consent-based attacks before they lead to compromise.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7fdcac241f0e4a049166d7076858adeb",{"large":268},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":270,"component":271,"responsiveStyles":279},"builder-41c978b3669749cf947e622b4e79e4d7",{"name":272,"options":273,"isRSC":118},"TextImageBlockHorizontal",{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":275,"title":276,"description":277,"reverse":41,"image":278},600,100,"\u003Cp>Detect phishing at the edge\u003C/p>","\u003Cp>Push uses industry-first telemetry to detect phishing based on behavior, not static indicators. Autonomous agents analyze how phishing pages behave and how users interact with them, uncovering fake logins, credential theft, and phishing kits the moment they load in the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F9df3d180c97b4e61af142af2ccd68721",{"large":280},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":281,"paddingTop":282,"marginTop":283},"DM Sans, sans-serif","20px","0px",{"@type":106,"@version":107,"id":285,"component":286,"responsiveStyles":292},"builder-d2a7bc941feb43cdb898bc116b203cf9",{"name":272,"options":287,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":288,"title":289,"description":290,"reverse":6,"image":291},120,"\u003Ch2>Go beyond blocklists and IOCs\u003C/h2>","\u003Cp>Push goes beyond URLs and easy-to-change indicators. 
It reads the full phishing playbook, including script behavior, session hijacks, DOM changes, and user inputs, then connects the dots in real time. This gives your team a complete picture of how the phishing attempt worked, not just an alert.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fabfd58db169b433e96d3f1261797156e",{"large":293},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":294},"36px",{"@type":106,"@version":107,"layerName":272,"id":296,"component":297,"responsiveStyles":303},"builder-42c32198083f4880acb37c5cb76934da",{"name":272,"options":298,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":299,"title":300,"description":301,"reverse":41,"image":302},140,"\u003Ch2>Enhance your phishing response\u003C/h2>","\u003Cp>When phishing enters your environment, speed matters. Push gives you instant access to the telemetry that counts, such as session data, user behavior, and page activity, so you can investigate fast, trigger in-browser prompts, or forward alerts to your SIEM or SOAR for response. 
All in real time, right from the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fbb195aec46904056b85e8688629e558e",{"large":304},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":305},"47px",{"@type":106,"@version":107,"id":307,"component":308,"responsiveStyles":310},"builder-9a95b9cbc4854421a92ef7b90f6c7adb",{"name":253,"options":309,"isRSC":118},{"darkMode":6},{"large":311},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":313,"component":314,"responsiveStyles":318},"builder-0afa17a9f25c4661a90f314d5578aa18",{"name":315,"tag":315,"options":316,"isRSC":118},"LatestResources",{"sectionHeading":37,"customClass":317},"bg-black",{"large":319},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":321,"@type":106,"tagName":131,"properties":322,"responsiveStyles":323},"builder-pixel-h6onu0ubr9",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":324},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":326},{"path":37,"query":327},{},{},1776275046831,1745499158657,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fff60c30a8442489c8ed7e0af9599d14f","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"lastPreviewUrl":335,"winningTest":118,"breakpoints":336,"kind":337,"hasLinks":6,"originalContentId":338,"hasAutosaves":6},"https://pushsecurity.com/uc/zero-day-phishing-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&b
uilder.overrides.use-case-page=387451215c314dd5bd654668cdc1a197&builder.overrides.387451215c314dd5bd654668cdc1a197=387451215c314dd5bd654668cdc1a197&builder.overrides.use-case-page:/uc/zero-day-phishing-protection=387451215c314dd5bd654668cdc1a197&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},"page","2daa5670b8504fc7ba4700633e8bd921","wjcv5yvqyja",{"createdDate":341,"id":342,"name":343,"modelId":160,"published":13,"stageModifiedSincePublish":6,"query":344,"data":347,"variations":451,"lastUpdated":452,"firstPublished":453,"testRatio":33,"screenshot":454,"createdBy":34,"lastUpdatedBy":332,"folders":455,"meta":456,"rev":339},1756833377777,"54f8256648f54d439303734b1e69221b","Browser extension security",[345],{"@type":163,"property":164,"operator":165,"value":346},"/uc/browser-extension-security",{"seoDescription":348,"jsCode":37,"fontAwesomeIcon":349,"tsCode":37,"title":343,"seoTitle":343,"customFonts":350,"inputs":355,"blocks":356,"url":346,"state":448},"Shine a light on risky browser extensions.","faPuzzlePiece",[351],{"kind":172,"family":171,"version":173,"files":352,"category":194,"lastModified":174,"subsets":353,"variants":354,"menu":195},{"100":176,"200":177,"300":178,"500":179,"600":180,"700":181,"800":182,"900":183,"100italic":187,"italic":188,"regular":189,"900italic":185,"800italic":184,"700italic":186,"200italic":190,"300italic":192,"500italic":191,"600italic":193},[197,198],[200,201,202,203,204,205,128,206,207,208,209,210,211,212,213,214,215,216],[],[357,443],{"@type":106,"@version":107,"tagName":222,"id":358,"meta":359,"children":360},"builder-71d0648c1d2f4ede8d0d0b5b28b7b94c",{"previousId":223},[361,377,384,391,400,410,420,430,437],{"@type":106,"@version":107,"id":362,"meta":363,"component":364,"responsiveStyles":375},"builder-ff325b4b8fad4edea53f38865947e854",{"previousId":227},{"name":226,"options":365,"isRSC":118},{"title":343,"description":366,"points":367,"video":374},"\u003Cp>Browser extensions introduce new code, new 
permissions, and new potential for risk. Many include AI features, and most go completely unnoticed. Push gives you full visibility into every extension used across your workforce, across major browsers, so you can uncover shadow IT, assess risky permissions, and block unsafe tools before they lead to compromise.\u003C/p>",[368,370,372],{"item":369},"Discover every browser extension in use",{"item":371},"Spot risky or unsanctioned behavior",{"item":373},"Make informed decisions on extension policy","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc538aad95d7f403aa3c3551af72f67c0?alt=media&token=1411fa6d-2eac-4e6c-94bf-ea117da12d67&apiKey=f3a1111ff5be48cdbb123cd9f5795a05",{"large":376},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":241},{"@type":106,"@version":107,"id":378,"meta":379,"component":380,"responsiveStyles":382},"builder-fb89d128c64e47cf9cbb11d90fc24523",{"previousId":243},{"name":245,"options":381,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":383},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":249},{"@type":106,"@version":107,"id":385,"meta":386,"component":387,"responsiveStyles":389},"builder-54388d35126c4d0096eeebaf8c4448cd",{"previousId":251},{"name":253,"options":388,"isRSC":118},{"darkMode":41},{"large":390},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":258,"id":392,"component":393,"responsiveStyles":398},"builder-3c8fa6785dd6466abf52a2470d66d85a",{"name":258,"tag":258,"options":394,"isRSC":118},{"darkMode":6,"maxWidth":262,"maxTextWidth":263,"title":395,"description":396,"image":397,"reverse":6},"\u003Ch2>Take control of browser extensions\u003C/h2>","\u003Cp>Attackers are increasingly using malicious browser extensions to gain access to data processed and stored in the browser. 
And the problem is, most security teams have no visibility into what extensions are being used. Push changes that. With browser-native telemetry, the Push extension continuously inventories browser extensions across your environment, flags the risky ones, and gives you intelligence to act.&nbsp;\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0a004f16a6874f4c8fdf14344acc9fec",{"large":399},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":401,"meta":402,"component":403,"responsiveStyles":408},"builder-93738f98109a4009affb349afd7bb182",{"previousId":270},{"name":272,"options":404,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":275,"title":405,"description":406,"reverse":41,"image":407},"\u003Ch2>Discover every extension in use\u003C/h2>","\u003Cp>Push gives you structured, searchable data about every extension in your environment, so you’re not just seeing what’s there, but also understanding how it got there, what it can do, and who it affects. 
It’s the kind of granular insight that’s nearly impossible to get from traditional tools, and it lays the groundwork for better policy decisions and faster investigations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0e5727ca99474f14b1b7916bf6bbb782",{"large":409},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":281,"paddingTop":282,"marginTop":283},{"@type":106,"@version":107,"id":411,"meta":412,"component":413,"responsiveStyles":418},"builder-83393acb12ee4fdd840839185b51edb4",{"previousId":285},{"name":272,"options":414,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":288,"title":415,"description":416,"reverse":6,"image":417},"\u003Ch2>Spot risky or malicious extensions\u003C/h2>","\u003Cp>Push highlights extensions with dangerous permissions, broad access, or poor reputations. This includes AI extensions that request access far beyond what their stated purpose requires. You can quickly detect sideloaded, manually installed, or development-mode extensions that bypass normal controls. And because Push shows you who’s using them and where, you can respond precisely and effectively.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa104d58c8da34fbb8901f738fb21453b",{"large":419},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":294},{"@type":106,"@version":107,"layerName":272,"id":421,"meta":422,"component":423,"responsiveStyles":428},"builder-da98e3de949646d89c53a0d1c2784664",{"previousId":296},{"name":272,"options":424,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":299,"title":425,"description":426,"reverse":41,"image":427},"\u003Ch2>Accelerate security reviews\u003C/h2>","\u003Cp>Most teams have extension policies, they just don’t have the data to enforce them. 
Push reveals how each extension entered your environment, whether it was installed manually, sideloaded, or deployed in dev mode. You’ll see which users are running what, and where, so you can surface violations, investigate quickly, and respond with confidence.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F229f355be6f243b180f410d237a75bb3",{"large":429},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":305},{"@type":106,"@version":107,"id":431,"meta":432,"component":433,"responsiveStyles":435},"builder-1a689287d1a1418997d57db578a71105",{"previousId":307},{"name":253,"options":434,"isRSC":118},{"darkMode":6},{"large":436},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":438,"component":439,"responsiveStyles":441},"builder-feb4e75029f84c10b6498ef1f8f79128",{"name":315,"tag":315,"options":440,"isRSC":118},{"sectionHeading":37,"customClass":317},{"large":442},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":444,"@type":106,"tagName":131,"properties":445,"responsiveStyles":446},"builder-pixel-jc4lv2mnufo",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":447},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":449},{"path":37,"query":450},{},{},1776275365038,1757000441666,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8d496cf111644ee5afcc046b72d1ca5a",[],{"kind":337,"winningTest":118,"breakpoints":457,"lastPreviewUrl":458,"hasLinks":6,"originalContentId":158,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/browser-extension-security?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2Ccr
eateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=54f8256648f54d439303734b1e69221b&builder.overrides.54f8256648f54d439303734b1e69221b=54f8256648f54d439303734b1e69221b&builder.overrides.use-case-page:/uc/browser-extension-security=54f8256648f54d439303734b1e69221b&builder.options.locale=Default",{"createdDate":460,"id":461,"name":462,"modelId":160,"published":13,"query":463,"data":466,"variations":569,"lastUpdated":570,"firstPublished":571,"testRatio":33,"screenshot":572,"createdBy":34,"lastUpdatedBy":573,"folders":574,"meta":575,"rev":339},1744923509705,"94bebb7bb99d48629ad157e80cf4d81d","Account takeover detection",[464],{"@type":163,"property":164,"operator":165,"value":465},"/uc/account-takeover-detection",{"title":462,"customFonts":467,"jsCode":37,"seoTitle":462,"seoDescription":472,"fontAwesomeIcon":473,"tsCode":37,"blocks":474,"url":465,"state":566},[468],{"kind":172,"category":194,"variants":469,"menu":195,"files":470,"family":171,"subsets":471,"version":173,"lastModified":174},[200,201,202,203,204,205,128,206,207,208,209,210,211,212,213,214,215,216],{"100":176,"200":177,"300":178,"500":179,"600":180,"700":181,"800":182,"900":183,"300italic":192,"500italic":191,"800italic":184,"700italic":186,"italic":188,"900italic":185,"600italic":193,"200italic":190,"regular":189,"100italic":187},[197,198],"Stop ATO with stolen credential and compromised token 
detection.","faUserSecret",[475,561],{"@type":106,"@version":107,"tagName":222,"id":476,"meta":477,"children":478},"builder-e7913a774cae44c5a23d6081c5c30a52",{"previousId":223},[479,495,502,509,518,528,538,548,555],{"@type":106,"@version":107,"id":480,"meta":481,"component":482,"responsiveStyles":493},"builder-f1f1ab1601bc4c0f8c2a8aafd173675d",{"previousId":227},{"name":226,"options":483,"isRSC":118},{"title":462,"description":484,"points":485,"video":492},"\u003Cp>Attackers don’t need to phish, they just need a password that works. Push monitors for signs of credential-based attacks in real time, directly in the browser, catching account takeover attempts before the damage spreads. From ghost logins to credential stuffing, Push cuts off the paths attackers use to quietly slip in the back door.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[486,488,490],{"item":487},"Identify credential-based ATO as it unfolds",{"item":489},"Surface hijacked sessions and token misuse",{"item":491},"Strengthen authentication where your IdP 
can’t","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb4dd9db24bc9495b8a686b1b4d492016%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=b4dd9db24bc9495b8a686b1b4d492016&alt=media&optimized=true",{"large":494},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":241},{"@type":106,"@version":107,"id":496,"meta":497,"component":498,"responsiveStyles":500},"builder-0bc0d1c78ece4994993c3a6427a4d533",{"previousId":243},{"name":245,"options":499,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":501},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":249},{"@type":106,"@version":107,"id":503,"meta":504,"component":505,"responsiveStyles":507},"builder-e45de8f3768c4f16938dbf78e4e87524",{"previousId":251},{"name":253,"options":506,"isRSC":118},{"darkMode":41},{"large":508},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":510,"component":511,"responsiveStyles":516},"builder-c98e8bfd341146c1b67c02d5698ff093",{"name":258,"tag":258,"options":512,"isRSC":118},{"darkMode":6,"maxWidth":262,"maxTextWidth":263,"title":513,"description":514,"image":515,"reverse":6},"\u003Ch2>Assume less. See more.\u003C/h2>","\u003Cp>Most account takeovers don’t start with a breach, they start with a login. Whether it’s a reused password, a local account, or an outdated login flow, Push shows you how accounts are actually accessed day to day, not just how policies say they should be. 
That means no more blind spots around ghost logins, bypassed SSO, or stale access paths that quietly persist.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F18630ad2746d4eb7b7fcc0428b11a8f0",{"large":517},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":519,"meta":520,"component":521,"responsiveStyles":526},"builder-55c1fc38ddc04fd1a0d6a8e2fb819e00",{"previousId":270},{"name":272,"options":522,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":275,"title":523,"description":524,"reverse":41,"image":525},"\u003Ch2>Catch stolen credential use in real time\u003C/h2>","\u003Cp>Push monitors login activity directly in the browser to detect signs of credential-based attacks like leaked password use or suspicious login flows. By analyzing attacker TTPs instead of relying on known indicators, Push spots credential stuffing and account takeover attempts the moment they begin, not after they’ve succeeded.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F52b0123cac2c4dfdb1dc0af6adf9d603",{"large":527},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":281,"paddingTop":283,"marginTop":283},{"@type":106,"@version":107,"id":529,"meta":530,"component":531,"responsiveStyles":536},"builder-dfb31737b30948c6b95323655d571a50",{"previousId":285},{"name":272,"options":532,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":288,"title":533,"description":534,"reverse":6,"image":535},"\u003Ch2>Detect session hijacks and stealth access\u003C/h2>","\u003Cp>Attackers don’t always need a login screen, they often sidestep it entirely using stolen session tokens. 
Push detects when valid sessions are reused in unexpected ways, identifying hijacked sessions and stealth access attempts that traditional tools miss. Because we monitor directly in the browser, you see what’s happening inside active sessions in real time.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F94a6859a99e04d309ffe5841f3dbdf5c",{"large":537},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":294},{"@type":106,"@version":107,"layerName":272,"id":539,"meta":540,"component":541,"responsiveStyles":546},"builder-f7585b90eb974d03a7dc7eae5b58d227",{"previousId":296},{"name":272,"options":542,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":299,"title":543,"description":544,"reverse":41,"image":545},"\u003Ch2>Harden accounts before they’re compromised\u003C/h2>","\u003Cp>Push goes beyond alerts. It identifies apps that still allow local logins, even when SSO is configured, so you can remove weak access paths. 
Push also flags users without MFA, reused work credentials, or weak passwords, and prompts users in-browser to fix risky behaviors before they’re exploited.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01c1b638f1b6497093a4f2b8ceddb5bb",{"large":547},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":305},{"@type":106,"@version":107,"id":549,"meta":550,"component":551,"responsiveStyles":553},"builder-ad81d1e3afec49a791214194eae09bdc",{"previousId":307},{"name":253,"options":552,"isRSC":118},{"darkMode":6},{"large":554},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":556,"component":557,"responsiveStyles":559},"builder-8dac1aa4b9d148628d92252bd8eff822",{"name":315,"tag":315,"options":558,"isRSC":118},{"sectionHeading":37,"customClass":317},{"large":560},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":562,"@type":106,"tagName":131,"properties":563,"responsiveStyles":564},"builder-pixel-bp9ni6h4vze",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":565},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":567},{"path":37,"query":568},{},{},1770892814499,1745499162732,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F58b660fa94aa4b30b0faeb9b663ae41a","SfUPqW5tkibIPby49keNFMdHFTr1",[],{"lastPreviewUrl":576,"hasLinks":6,"originalContentId":158,"breakpoints":577,"winningTest":118,"kind":337,"hasAutosaves":41},"https://pushsecurity.com/uc/account-takeover-detection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepo
sitory%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.94bebb7bb99d48629ad157e80cf4d81d=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.use-case-page:/uc/account-takeover-detection=94bebb7bb99d48629ad157e80cf4d81d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":579,"id":580,"name":581,"modelId":160,"published":13,"query":582,"data":585,"variations":688,"lastUpdated":689,"firstPublished":690,"testRatio":33,"screenshot":691,"createdBy":34,"lastUpdatedBy":573,"folders":692,"meta":693,"rev":339},1745009370904,"23eb48fb56d3451cab77cb6ed140ee6d","Attack path hardening",[583],{"@type":163,"property":164,"operator":165,"value":584},"/uc/attack-path-hardening",{"tsCode":37,"seoDescription":586,"jsCode":37,"customFonts":587,"fontAwesomeIcon":592,"seoTitle":581,"title":581,"blocks":593,"url":584,"state":685},"Harden access paths with visibility, detection, and 
guardrails.",[588],{"kind":172,"files":589,"version":173,"lastModified":174,"subsets":590,"menu":195,"category":194,"variants":591,"family":171},{"100":176,"200":177,"300":178,"500":179,"600":180,"700":181,"800":182,"900":183,"regular":189,"italic":188,"800italic":184,"500italic":191,"600italic":193,"200italic":190,"900italic":185,"700italic":186,"100italic":187,"300italic":192},[197,198],[200,201,202,203,204,205,128,206,207,208,209,210,211,212,213,214,215,216],"faRadar",[594,680],{"@type":106,"@version":107,"tagName":222,"id":595,"meta":596,"children":597},"builder-1d8553eddcaa44d7bba9e2f4ca13af2a",{"previousId":476},[598,614,621,628,637,647,657,667,674],{"@type":106,"@version":107,"id":599,"meta":600,"component":601,"responsiveStyles":612},"builder-84fe3d7c85a743cf8cef649aa974f1ef",{"previousId":480},{"name":226,"options":602,"isRSC":118},{"title":581,"description":603,"points":604,"video":611},"\u003Cp>Push continuously monitors your environment for exposed login paths, weak credentials, and missing protections like MFA. 
It detects the gaps attackers exploit and helps you close them before they’re used.\u003C/p>",[605,607,609],{"item":606},"Find weak spots like reused passwords, local logins, and missing MFA",{"item":608},"Monitor how users actually log in across apps, flows, and tools",{"item":610},"Enforce secure access with in-browser guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fdbdcf52892034f1bbddded77f753a343%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=dbdcf52892034f1bbddded77f753a343&alt=media&optimized=true",{"large":613},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":241},{"@type":106,"@version":107,"id":615,"meta":616,"component":617,"responsiveStyles":619},"builder-b3f66f5b08054cc78a06fecfc3ae2337",{"previousId":496},{"name":245,"options":618,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":620},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":249},{"@type":106,"@version":107,"id":622,"meta":623,"component":624,"responsiveStyles":626},"builder-4c73418b84be49ed85e6e13d2625c5a0",{"previousId":503},{"name":253,"options":625,"isRSC":118},{"darkMode":41},{"large":627},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":629,"component":630,"responsiveStyles":635},"builder-dec0246085e1485c803f7152b1922a81",{"name":258,"tag":258,"options":631,"isRSC":118},{"darkMode":6,"maxWidth":262,"maxTextWidth":263,"title":632,"description":633,"image":634,"reverse":6},"\u003Ch2>Find the gaps that lead to compromise\u003C/h2>","\u003Cp>Misconfigurations don’t show up in your config files, they show up in how users actually access apps. 
Push monitors real login behavior in the browser, surfacing risky patterns like local login access, duplicate accounts, or missing protections that leave doors wide open.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F309a59bba8d247a19476bb369397460e",{"large":636},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":638,"meta":639,"component":640,"responsiveStyles":645},"builder-ebf049a645604a249550996a88f8f3b6",{"previousId":519},{"name":272,"options":641,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":275,"title":642,"description":643,"reverse":41,"image":644},"\u003Ch2>See real login behavior\u003C/h2>","\u003Cp>Push watches authentication flows as they happen, giving you a live view of how users log in, which methods they choose, and where protections like MFA are missing. Plus, uncover every app and account in use, even shadow IT you didn’t know existed, without relying on stale config files or IdP assumptions. \u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb51f6b0357cc451b87a7a5016d984e5e",{"large":646},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":281,"paddingTop":282,"marginTop":283},{"@type":106,"@version":107,"id":648,"meta":649,"component":650,"responsiveStyles":655},"builder-431d175c59004669b0b2776b07d71737",{"previousId":529},{"name":272,"options":651,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":288,"title":652,"description":653,"reverse":6,"image":654},"\u003Ch2>Find and fix posture drift\u003C/h2>","\u003Cp>Security posture isn’t static. Push continuously monitors for issues like missing MFA or legacy login methods. 
When something falls out of policy, you know immediately with custom notifications so you can act before it turns into risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F324e39127dfc41e592b1183dfb39892d",{"large":656},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":294},{"@type":106,"@version":107,"layerName":272,"id":658,"meta":659,"component":660,"responsiveStyles":665},"builder-3dffdcbe0a484e2ca4c03f019b6d40ee",{"previousId":539},{"name":272,"options":661,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":299,"title":662,"description":663,"reverse":41,"image":664},"\u003Ch2>Guide users with in-browser guardrails\u003C/h2>","\u003Cp>Push doesn’t just surface problems, it helps you fix them. When users sign in without MFA, reuse a password, or use insecure credentials, Push prompts them directly in the browser to secure their access. It’s faster, more effective, and actually gets 
results.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fee8b75d13e45488aba55434a8b49ebb0",{"large":666},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":305},{"@type":106,"@version":107,"id":668,"meta":669,"component":670,"responsiveStyles":672},"builder-976bc222cd7647ff905f1e01cfedc453",{"previousId":549},{"name":253,"options":671,"isRSC":118},{"darkMode":6},{"large":673},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":675,"component":676,"responsiveStyles":678},"builder-8c47ec2fd0f74382bb3e6c870555632c",{"name":315,"tag":315,"options":677,"isRSC":118},{"sectionHeading":37,"customClass":317},{"large":679},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":681,"@type":106,"tagName":131,"properties":682,"responsiveStyles":683},"builder-pixel-hqgadf1h59w",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":684},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":686},{"path":37,"query":687},{},{},1770892844854,1745499166112,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6ca12bf728a045f1a31d40c0beb3bfe5",[],{"kind":337,"lastPreviewUrl":694,"breakpoints":695,"hasLinks":6,"originalContentId":461,"winningTest":118,"hasAutosaves":6},"https://pushsecurity.com/uc/attack-path-hardening?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&buil
der.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.23eb48fb56d3451cab77cb6ed140ee6d=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.use-case-page:/uc/attack-path-hardening=23eb48fb56d3451cab77cb6ed140ee6d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":697,"id":698,"name":699,"modelId":160,"published":13,"query":700,"data":703,"variations":808,"lastUpdated":809,"firstPublished":810,"testRatio":33,"screenshot":811,"createdBy":34,"lastUpdatedBy":573,"folders":812,"meta":813,"rev":339},1761675020232,"ea4f309d2ffe46c5aa97ebf0fda4e2e3","ClickFix Protection",[701],{"@type":163,"property":164,"operator":165,"value":702},"/uc/clickfix-protection",{"seoDescription":704,"fontAwesomeIcon":705,"customFonts":706,"seoTitle":711,"jsCode":37,"tsCode":37,"title":711,"blocks":712,"url":702,"state":805},"Block attacks that trick users into running malicious code.","faLaptopCode",[707],{"files":708,"subsets":709,"menu":195,"version":173,"kind":172,"family":171,"lastModified":174,"variants":710,"category":194},{"100":176,"200":177,"300":178,"500":179,"600":180,"700":181,"800":182,"900":183,"200italic":190,"800italic":184,"700italic":186,"600italic":193,"100italic":187,"italic":188,"regular":189,"300italic":192,"500italic":191,"900italic":185},[197,198],[200,201,202,203,204,205,128,206,207,208,209,210,211,212,213,214,215,216],"ClickFix 
protection",[713,800],{"@type":106,"@version":107,"tagName":222,"id":714,"meta":715,"children":716},"builder-d7eefdde0f2a4b2b9de3dcb2978fd6cb",{"previousId":595},[717,733,740,747,757,767,777,787,794],{"@type":106,"@version":107,"id":718,"meta":719,"component":720,"responsiveStyles":731},"builder-56e2c54bcce040a4af8b92ae03706c12",{"previousId":599},{"name":226,"options":721,"isRSC":118},{"title":711,"description":722,"points":723,"image":730},"\u003Cp>ClickFix attacks are one of the fastest-growing threats, tricking users into copying malicious code from a webpage and running it locally. This technique bypasses traditional EDR, email gateways, and network filters, leading directly to ransomware and data theft. Push stops this attack at the source, in the browser, by detecting and blocking the malicious behavior before the user can ever paste the code.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[724,726,728],{"item":725},"Detect ClickFix, FileFix, and fake CAPTCHA in the browser",{"item":727},"Block malicious copy-and-paste actions before code is executed",{"item":729},"See full telemetry into which users were targeted and what they 
saw","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b74af62889847ebb3927364485b0546",{"large":732},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":241},{"@type":106,"@version":107,"id":734,"meta":735,"component":736,"responsiveStyles":738},"builder-05f9614d4e3e4dc88b3ee8658f54e10e",{"previousId":615},{"name":245,"options":737,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":739},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":249},{"@type":106,"@version":107,"id":741,"meta":742,"component":743,"responsiveStyles":745},"builder-c4fb5179366243c1b6c32d368675cf47",{"previousId":622},{"name":253,"options":744,"isRSC":118},{"darkMode":41},{"large":746},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":748,"meta":749,"component":750,"responsiveStyles":755},"builder-261af50705fd445d8cca4a6ba20d5391",{"previousId":629},{"name":258,"tag":258,"options":751,"isRSC":118},{"darkMode":6,"maxWidth":262,"maxTextWidth":263,"title":752,"description":753,"reverse":6,"image":754},"\u003Ch2>Stop ClickFix-style attacks before they become a breach\u003C/h2>","\u003Cp>Traditional security tools are blind to malicious copy and paste attacks because the attack exploits a gap between the browser and the endpoint. 
EDR only sees the payload after it runs, and network tools see only part of the picture.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F98b2f7e08dec4eafaf8e24937605b8cf",{"large":756},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":758,"meta":759,"component":760,"responsiveStyles":765},"builder-7d21b8aab8064c40b1e5dd23c4749309",{"previousId":638},{"name":272,"options":761,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":275,"title":762,"description":763,"reverse":41,"image":764},"\u003Ch2>Discover lures at the source\u003C/h2>","\u003Cp>Push inspects page behavior to identify ClickFix attacks as they happen. By inspecting the page, its structure, and how the user interacts with it, Push can detect and block these in-browser threats in real time. This deep, TTP-based inspection spots the trap even on novel pages that are built to bypass traditional web filters and blocklists.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F665bf47e01544c75bf9ddafd3917927b",{"large":766},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":281,"paddingTop":282,"marginTop":283},{"@type":106,"@version":107,"id":768,"meta":769,"component":770,"responsiveStyles":775},"builder-fb91943adf6149259ed9e1e6566c9afe",{"previousId":648},{"name":272,"options":771,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":288,"title":772,"description":773,"reverse":6,"image":774},"\u003Ch2>Block the malicious action\u003C/h2>","\u003Cp>When Push detects a malicious script, it intercepts the user's action and blocks the code from being copied to the clipboard. The user is protected, the attack is stopped, and no malicious code ever reaches the endpoint. 
Unlike broad DLP tools, this action is surgical, targeting only malicious behavior without disrupting normal work.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F5ee68f81f1ac416685cbfe91298cf827",{"large":776},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":294},{"@type":106,"@version":107,"layerName":272,"id":778,"meta":779,"component":780,"responsiveStyles":785},"builder-bfac95fada864e5a8259b955b5b5f98b",{"previousId":658},{"name":272,"options":781,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":299,"title":782,"description":783,"reverse":41,"image":784},"\u003Ch2>Accelerate ClickFix investigations\u003C/h2>","\u003Cp>When an attack happens, knowing what the user saw or did is critical. Push provides rich browser session data for rapid investigation and containment. Security teams get detailed telemetry on which users were targeted, what lure they were served, and when the block occurred. 
This enables defenders to reconstruct what happened and respond quickly, even when other tools miss the activity entirely.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6cdf2a8aeddc4e9a9023cbf974e40239",{"large":786},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":305},{"@type":106,"@version":107,"id":788,"meta":789,"component":790,"responsiveStyles":792},"builder-136892e831684a6987f87d3be67c33d1",{"previousId":668},{"name":253,"options":791,"isRSC":118},{"darkMode":6},{"large":793},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":795,"component":796,"responsiveStyles":798},"builder-dec26b739f2f42beb5a73cfc6c675b60",{"name":315,"tag":315,"options":797,"isRSC":118},{"sectionHeading":37,"customClass":317},{"large":799},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":801,"@type":106,"tagName":131,"properties":802,"responsiveStyles":803},"builder-pixel-jb7i4u6v2mk",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":804},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":806},{"path":37,"query":807},{},{},1770892881888,1761847585203,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F375467b8bef34ed1a8a1cc5b8b67d75f",[],{"lastPreviewUrl":814,"originalContentId":580,"winningTest":118,"hasLinks":6,"kind":337,"breakpoints":815,"hasAutosaves":6},"https://pushsecurity.com/uc/clickfix-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.u
ser.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.ea4f309d2ffe46c5aa97ebf0fda4e2e3=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.use-case-page:/uc/clickfix-protection=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":817,"id":818,"name":819,"modelId":160,"published":13,"query":820,"data":823,"variations":928,"lastUpdated":929,"firstPublished":930,"testRatio":33,"screenshot":931,"createdBy":34,"lastUpdatedBy":573,"folders":932,"meta":933,"rev":339},1745009743870,"a9d5556e77f84a37b5bd52310a7110c1","Incident response",[821],{"@type":163,"property":164,"operator":165,"value":822},"/uc/incident-response",{"seoDescription":824,"customFonts":825,"title":819,"jsCode":37,"fontAwesomeIcon":830,"seoTitle":831,"tsCode":37,"blocks":832,"url":822,"state":925},"Investigate and respond faster with unique browser telemetry.",[826],{"kind":172,"subsets":827,"menu":195,"variants":828,"category":194,"family":171,"version":173,"lastModified":174,"files":829},[197,198],[200,201,202,203,204,205,128,206,207,208,209,210,211,212,213,214,215,216],{"100":176,"200":177,"300":178,"500":179,"600":180,"700":181,"800":182,"900":183,"900italic":185,"600italic":193,"200italic":190,"300italic":192,"100italic":187,"700italic":186,"800italic":184,"regular":189,"italic":188,"500italic":191},"faSatelliteDish","Browser-based incident 
response",[833,920],{"@type":106,"@version":107,"tagName":222,"id":834,"meta":835,"children":836},"builder-653c4aed737b4def88dc4cd2d695660a",{"previousId":595},[837,854,861,868,877,887,897,907,914],{"@type":106,"@version":107,"id":838,"meta":839,"component":840,"responsiveStyles":852},"builder-18190bd36518467d9154d27d7e945b9b",{"previousId":599},{"name":226,"options":841,"isRSC":118},{"title":842,"description":843,"points":844,"video":851},"Browser-based incident response","\u003Cp>Push gives you real-time visibility into what actually happened during a breach, right in the browser where the attack played out. From credential theft to session hijacking, Push captures high-fidelity telemetry so you can investigate quickly, contain confidently, and shut it down before it spreads.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[845,847,849],{"item":846},"Reconstruct what happened with real browser session context",{"item":848},"Investigate faster with real-world session context",{"item":850},"Trigger response actions automatically through your SIEM or 
SOAR","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fd00e39d3b6e346c296261d875cf55652%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=d00e39d3b6e346c296261d875cf55652&alt=media&optimized=true",{"large":853},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":241},{"@type":106,"@version":107,"id":855,"meta":856,"component":857,"responsiveStyles":859},"builder-8a0a8ea63f5d48dd8a6726f2d49cf0ca",{"previousId":615},{"name":245,"options":858,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":860},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":249},{"@type":106,"@version":107,"id":862,"meta":863,"component":864,"responsiveStyles":866},"builder-2df65c3f54334df2b26e7cb744886cdc",{"previousId":622},{"name":253,"options":865,"isRSC":118},{"darkMode":41},{"large":867},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":869,"component":870,"responsiveStyles":875},"builder-2c32c869efc2423ab69ef06b150e9f97",{"name":258,"tag":258,"options":871,"isRSC":118},{"darkMode":6,"maxWidth":262,"maxTextWidth":263,"title":872,"description":873,"image":874,"reverse":6},"\u003Ch2>See attacks unfold, not just their aftermath\u003C/h2>","\u003Cp>Attacks happen in the browser, not in logs. Push captures what traditional tools miss: what users clicked, what loaded, what was entered, and how attackers moved. 
That gives you real-world evidence, not just assumptions, when every second matters.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F36fc719bd1de4a38b916f4d25c81a26d",{"large":876},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":878,"meta":879,"component":880,"responsiveStyles":885},"builder-370e53c6016e432db01e9193a2ce90f6",{"previousId":638},{"name":272,"options":881,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":275,"title":882,"description":883,"reverse":41,"image":884},"\u003Ch2>Investigate faster with high-fidelity data\u003C/h2>","\u003Cp>Reconstructing an incident shouldn’t feel like guesswork. Push records detailed telemetry from inside the browser: page loads, credential inputs, DOM changes, session activity, user behavior. It’s structured, exportable, and ready to plug into your investigation workflows, so you can move fast without digging through proxy logs or relying on user reports.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa6adda040e684e67a8d68a55c5ce5f6d",{"large":886},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":281,"paddingTop":283,"marginTop":283},{"@type":106,"@version":107,"id":888,"meta":889,"component":890,"responsiveStyles":895},"builder-a7f3767a8d184bd08fb24520bf210e95",{"previousId":648},{"name":272,"options":891,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":288,"title":892,"description":893,"reverse":6,"image":894},"\u003Ch2>Contain and respond in real time\u003C/h2>","\u003Cp>When something looks off, Push doesn’t just alert you, it gives you options. Guide users with in-browser prompts. Terminate sessions. Trigger SOAR workflows. Enrich SIEM alerts. 
Push gives you the context and control to stop spread before it starts.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb3dedeed5aba4847a2c2d22e10d0ec12",{"large":896},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":294},{"@type":106,"@version":107,"layerName":272,"id":898,"meta":899,"component":900,"responsiveStyles":905},"builder-b92036ee0ece4b32acdbdcc7c377366b",{"previousId":658},{"name":272,"options":901,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":299,"title":902,"description":903,"reverse":41,"image":904},"\u003Ch2>Prevent the next one\u003C/h2>","\u003Cp>Push helps you respond fast, but it also helps you fix what went wrong. It surfaces misconfigurations and risky behaviors that made the attack possible in the first place, then guides users in-browser to remediate. One tool. Full loop. No loose ends.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc1ecc2d5d3814b62b072fac01827ff96",{"large":906},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":305},{"@type":106,"@version":107,"id":908,"meta":909,"component":910,"responsiveStyles":912},"builder-5e8ae39655274de89da32ab573a2525a",{"previousId":668},{"name":253,"options":911,"isRSC":118},{"darkMode":6},{"large":913},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":915,"component":916,"responsiveStyles":918},"builder-dfd6850cfb4741d2b8a0c16c2780f00a",{"name":315,"tag":315,"options":917,"isRSC":118},{"sectionHeading":37,"customClass":317},{"large":919},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":921,"@type":106,"tagName":131,"properties":922,"responsiveStyles":923},"builder-pixel-t20dmmgkd7",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":924},{"height":124
,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":926},{"path":37,"query":927},{},{},1770892908052,1745427419274,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb07017bfd318431690a5bb35bda35b99",[],{"kind":337,"breakpoints":934,"originalContentId":580,"winningTest":118,"lastPreviewUrl":935,"hasLinks":6,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/incident-response?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.a9d5556e77f84a37b5bd52310a7110c1=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.use-case-page:/uc/incident-response=a9d5556e77f84a37b5bd52310a7110c1&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"createdDate":937,"id":938,"name":939,"modelId":160,"published":13,"query":940,"data":943,"variations":1048,"lastUpdated":1049,"firstPublished":1050,"testRatio":33,"screenshot":1051,"createdBy":34,"lastUpdatedBy":573,"folders":1052,"meta":1053,"rev":339},1746122471259,"5f118e24433d46ceb79f5099987156d7","Shadow SaaS",[941],{"@type":163,"property":164,"operator":165,"value":942},"/uc/shadow-saas",{"seoTitle":944,"seoDescription":945,"customFonts":946,"fontAwesomeIcon":951,"title":952,"jsCode":37,"tsCode":37,"blocks":953,"url":942,"state":1045},"Find and secure shadow SaaS","See and control shadow SaaS in the 
browser.",[947],{"kind":172,"variants":948,"files":949,"family":171,"version":173,"subsets":950,"lastModified":174,"category":194,"menu":195},[200,201,202,203,204,205,128,206,207,208,209,210,211,212,213,214,215,216],{"100":176,"200":177,"300":178,"500":179,"600":180,"700":181,"800":182,"900":183,"300italic":192,"500italic":191,"regular":189,"900italic":185,"italic":188,"100italic":187,"200italic":190,"600italic":193,"700italic":186,"800italic":184},[197,198],"faShieldCheck","Secure shadow SaaS",[954,1040],{"@type":106,"@version":107,"tagName":222,"id":955,"meta":956,"children":957},"builder-04da805c4cd34652a2db452fcda52e1d",{"previousId":834},[958,974,981,988,997,1007,1017,1027,1034],{"@type":106,"@version":107,"id":959,"meta":960,"component":961,"responsiveStyles":972},"builder-830d414faeaf41439142f9157e8288c8",{"previousId":838},{"name":226,"options":962,"isRSC":118},{"title":944,"description":963,"points":964,"video":971},"\u003Cp>SaaS sprawl is one of today’s fastest-growing security blind spots because most tools monitor around the edges. Push sees it at the source, in the browser, revealing every app users access, flagging risky tools, and helping you shut down exposure before it leads to a breach. No guesswork. No nasty surprises. 
Just real-time visibility and control.\u003C/p>",[965,967,969],{"item":966},"Discover every SaaS app users access, managed or not",{"item":968},"Spot accounts with weak security postures like missing MFA, unmanaged access, and no SSO",{"item":970},"Control usage with in-browser prompts, blocks, and security guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F3e4eece318d04d6586e691d59d0741cf%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=3e4eece318d04d6586e691d59d0741cf&alt=media&optimized=true",{"large":973},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":241},{"@type":106,"@version":107,"id":975,"meta":976,"component":977,"responsiveStyles":979},"builder-cd7833f966cb4c7e8adf0d6c979414a6",{"previousId":855},{"name":245,"options":978,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":980},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":249},{"@type":106,"@version":107,"id":982,"meta":983,"component":984,"responsiveStyles":986},"builder-49d720b45430454e8b08c526f267c19f",{"previousId":862},{"name":253,"options":985,"isRSC":118},{"darkMode":41},{"large":987},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":989,"component":990,"responsiveStyles":995},"builder-3dde0bf6c8544e5e9ab41b18a9d68034",{"name":258,"tag":258,"options":991,"isRSC":118},{"darkMode":6,"maxWidth":262,"maxTextWidth":263,"title":992,"description":993,"image":994,"reverse":6},"\u003Ch2>Use your browser to curb Saas Sprawl\u003C/h2>","\u003Cp>Shadow SaaS isn’t hiding in your network, it’s in your browser. From AI tools to unsanctioned file-sharing sites, security risks live in the apps your users sign into every day. 
Push maps your organization's true SaaS footprint in real time, exposing apps and accounts with unmanaged access, poor authentication, or no security oversight.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb6811a214c7949b6bbe0b9a3bca62efd",{"large":996},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":998,"meta":999,"component":1000,"responsiveStyles":1005},"builder-e2420451ccdc4f088d0a4904cff45935",{"previousId":878},{"name":272,"options":1001,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":275,"title":1002,"description":1003,"reverse":41,"image":1004},"\u003Ch2>Discover hidden SaaS usage\u003C/h2>","\u003Cp>Push captures live browser telemetry across every tab and session. Whether a user signs into a sanctioned app with a personal account or tries a new AI plugin, you’ll see it in real time, with no integrations or manual tagging.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe16e301f9af94665b95d98232a863d8a",{"large":1006},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":281,"paddingTop":283,"marginTop":283},{"@type":106,"@version":107,"id":1008,"meta":1009,"component":1010,"responsiveStyles":1015},"builder-b36de7fce7994beea9e58d94662e7166",{"previousId":888},{"name":272,"options":1011,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":288,"title":1012,"description":1013,"reverse":6,"image":1014},"\u003Ch2>Spot risky access and unsafe usage\u003C/h2>","\u003Cp>Discovery is just the beginning. Push flags apps with risky traits, no MFA, no SSO, known vulnerabilities, or broad access scopes. 
You’ll know which tools introduce real risk, and which users are exposed so you can act with precision.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6585f3c242da4d70ae3cb7d02f481bef",{"large":1016},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":294},{"@type":106,"@version":107,"layerName":272,"id":1018,"meta":1019,"component":1020,"responsiveStyles":1025},"builder-dc366b5134684fe7a508edf8913103ea",{"previousId":898},{"name":272,"options":1021,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":299,"title":1022,"description":1023,"reverse":41,"image":1024},"\u003Ch2>Close gaps before they grow\u003C/h2>","\u003Cp>Push turns insight into action. When risky SaaS use is detected, guide users to enable MFA, block high-risk apps, or apply in-browser guardrails automatically. All without deploying new infrastructure or managing dozens of integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe6d60b6d91414819bc6258a318f00557",{"large":1026},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":305},{"@type":106,"@version":107,"id":1028,"meta":1029,"component":1030,"responsiveStyles":1032},"builder-8708f6f0d8da4b3f9e17bf16cda70219",{"previousId":908},{"name":253,"options":1031,"isRSC":118},{"darkMode":6},{"large":1033},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1035,"component":1036,"responsiveStyles":1038},"builder-8ff4b38d60534cf28cb523ab0f754875",{"name":315,"tag":315,"options":1037,"isRSC":118},{"sectionHeading":37,"customClass":317},{"large":1039},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1041,"@type":106,"tagName":131,"properties":1042,"responsiveStyles":1043},"builder-pixel-225hg4jfk9t",{"src":133,"aria-hidden":134,"alt":37,"role":135,"wi
dth":124,"height":124},{"large":1044},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1046},{"path":37,"query":1047},{},{},1770892936802,1746714967208,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01bfb2304521412fbd2e1a1180904d40",[],{"originalContentId":818,"winningTest":118,"lastPreviewUrl":1054,"breakpoints":1055,"kind":337,"hasLinks":6,"hasAutosaves":6},"https://pushsecurity.com/uc/shadow-saas?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=5f118e24433d46ceb79f5099987156d7&builder.overrides.5f118e24433d46ceb79f5099987156d7=5f118e24433d46ceb79f5099987156d7&builder.overrides.use-case-page:/uc/shadow-saas=5f118e24433d46ceb79f5099987156d7&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":1057,"id":1058,"name":1059,"modelId":160,"published":13,"query":1060,"data":1063,"variations":1167,"lastUpdated":1168,"firstPublished":1169,"testRatio":33,"screenshot":1170,"createdBy":34,"lastUpdatedBy":573,"folders":1171,"meta":1172,"rev":339},1764707470172,"b62629ce2f3741158d961cd10fe74b31","Shadow AI",[1061],{"@type":163,"property":164,"operator":165,"value":1062},"/uc/shadow-ai",{"fontAwesomeIcon":1064,"seoTitle":1065,"jsCode":37,"customFonts":1066,"title":1071,"tsCode":37,"seoDescription":1072,"blocks":1073,"url":1062,"state":1164},"faBrainCircuit","Secure AI 
native and AI enhanced apps. ",[1067],{"variants":1068,"category":194,"files":1069,"subsets":1070,"family":171,"kind":172,"menu":195,"lastModified":174,"version":173},[200,201,202,203,204,205,128,206,207,208,209,210,211,212,213,214,215,216],{"100":176,"200":177,"300":178,"500":179,"600":180,"700":181,"800":182,"900":183,"800italic":184,"regular":189,"700italic":186,"200italic":190,"italic":188,"500italic":191,"600italic":193,"300italic":192,"100italic":187,"900italic":185},[197,198],"Secure shadow AI","See and control shadow AI apps in the browser.",[1074,1159],{"@type":106,"@version":107,"tagName":222,"id":1075,"meta":1076,"children":1077},"builder-a6e5717a2c914d5695058e4ee201a05d",{"previousId":955},[1078,1094,1101,1108,1118,1127,1136,1146,1153],{"@type":106,"@version":107,"id":1079,"meta":1080,"component":1081,"responsiveStyles":1092},"builder-3e0ed678683f4a0eb7aa00253cf263b2",{"previousId":959},{"name":226,"options":1082,"isRSC":118},{"title":1071,"description":1083,"points":1084,"image":1091},"\u003Cp>Your employees are adopting AI faster than you can track it. From native features in corporate apps to unapproved shadow tools, it’s all happening in the browser. 
Push detects every AI interaction in real time, letting you categorize apps and enforce acceptable use policies in the browser.\u003C/p>",[1085,1087,1089],{"item":1086},"Map every AI tool used across your workforce",{"item":1088},"Review and classify apps by sensitivity, purpose, and policy status",{"item":1090},"Enforce AI usage rules directly in the browser","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F33cf153d920f4e389f3650253577cff7",{"large":1093},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":241},{"@type":106,"@version":107,"id":1095,"meta":1096,"component":1097,"responsiveStyles":1099},"builder-76968f8471d14893b8189d75b08fb426",{"previousId":975},{"name":245,"options":1098,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":1100},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":249},{"@type":106,"@version":107,"id":1102,"meta":1103,"component":1104,"responsiveStyles":1106},"builder-b55b9d4bc5a649d8839ce7f6c2043d95",{"previousId":982},{"name":253,"options":1105,"isRSC":118},{"darkMode":41},{"large":1107},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1109,"meta":1110,"component":1111,"responsiveStyles":1116},"builder-c3f38ef4d75d4989a29b5903175ed8a1",{"previousId":989},{"name":258,"tag":258,"options":1112,"isRSC":118},{"darkMode":6,"maxWidth":262,"maxTextWidth":263,"title":1113,"description":1114,"image":1115,"reverse":6},"\u003Ch2>Use your browser to govern AI \u003C/h2>","\u003Cp>The AI footprint inside your company is bigger than you think. From text generators to meeting assistants and design copilots, employees test, adopt, and connect new tools constantly. 
Push shows you those tools and which users are accessing them, without relying on network scans or API integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F30b43bda6f1644c19478fb1efa20050c",{"large":1117},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1119,"meta":1120,"component":1121,"responsiveStyles":1125},"builder-90ee9cb9afc44e7f885523715bf51a53",{"previousId":998},{"name":272,"options":1122,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":275,"title":1123,"description":1124,"reverse":41,"image":1014},"\u003Ch2>Discover every AI tool users touch\u003C/h2>","\u003Cp>Push captures live telemetry from the browser, identifying every AI-native and AI-enhanced application users access. You’ll know which corporate identities are connected, how data flows, and what new AI apps appear across your environment. \u003C/p>",{"large":1126},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":281,"paddingTop":283,"marginTop":283},{"@type":106,"@version":107,"id":1128,"meta":1129,"component":1130,"responsiveStyles":1134},"builder-9e44539fa53c4d8e87406036c921fc46",{"previousId":1008},{"name":272,"options":1131,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":288,"title":1132,"description":1133,"reverse":6,"image":1024},"\u003Ch2>Classify and manage AI risk\u003C/h2>","\u003Cp>For apps you choose to allow, Push lets you apply custom in-browser banners. You can bulk-select categories of AI tools and require users to read and acknowledge your acceptable use policy before they proceed. 
This creates an auditable trail and moves policy from an easy to forget document to an active, in-workflow control.\u003C/p>",{"large":1135},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":294},{"@type":106,"@version":107,"layerName":272,"id":1137,"meta":1138,"component":1139,"responsiveStyles":1144},"builder-44c1a891926f4bdeaaa37e90721fe6ac",{"previousId":1018},{"name":272,"options":1140,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":299,"title":1141,"description":1142,"reverse":41,"image":1143},"\u003Ch2>Enforce your AI policy in the browser\u003C/h2>","\u003Cp>When an AI tool is deemed non-compliant or too risky, Push blocks it at the source. The block happens directly in the browser, preventing the user from accessing the site or submitting data. This gives you an immediate, powerful lever to stop data exfiltration and enforce a hard line on unacceptable risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa359ac1805af4e15a8a7f84632b9bb55",{"large":1145},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":305},{"@type":106,"@version":107,"id":1147,"meta":1148,"component":1149,"responsiveStyles":1151},"builder-dcc906f9cbe54dc68b3c672668e7a38f",{"previousId":1028},{"name":253,"options":1150,"isRSC":118},{"darkMode":6},{"large":1152},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1154,"component":1155,"responsiveStyles":1157},"builder-d2d64780c31b4349bc75805b23a07e38",{"name":315,"tag":315,"options":1156,"isRSC":118},{"sectionHeading":37,"customClass":317},{"large":1158},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1160,"@type":106,"tagName":131,"properties":1161,"responsiveStyles":1162},"builder-pixel-gvb5hb3oa9q",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124
},{"large":1163},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1165},{"path":37,"query":1166},{},{},1770892957225,1764950077593,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe558b8b069884037a8e6904f7ecc029c",[],{"winningTest":118,"breakpoints":1173,"originalContentId":938,"kind":337,"lastPreviewUrl":1174,"hasLinks":6,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/shadow-ai?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=b62629ce2f3741158d961cd10fe74b31&builder.overrides.b62629ce2f3741158d961cd10fe74b31=b62629ce2f3741158d961cd10fe74b31&builder.overrides.use-case-page:/uc/shadow-ai=b62629ce2f3741158d961cd10fe74b31&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"_path":1176,"_dir":1177,"_draft":6,"_partial":6,"_locale":37,"sys":1178,"ogImage":118,"summary":1181,"title":1195,"subtitle":118,"metaTitle":1196,"synopsis":1197,"hashTags":118,"publishedDate":1198,"slug":1199,"tagsCollection":1200,"relatedBlogPostsCollection":1210,"authorsCollection":3010,"content":3014,"_id":4035,"_type":4036,"_source":4037,"_file":4038,"_stem":4039,"_extension":4036},"/blog/consentfix","blog",{"id":1179,"publishedAt":1180},"71EaaK7lfl6bQBbkAU0qjv","2026-02-04T09:53:45.482Z",{"json":1182},{"data":1183,"content":1184,"nodeType":1194},{},[1185],{"data":1186,"content":1187,"nodeType":1193},{
},[1188],{"data":1189,"marks":1190,"value":1191,"nodeType":1192},{},[],"We recently intercepted a phishing campaign using a new kind of attack technique that we’re calling “ConsentFix” — combining OAuth consent phishing with a ClickFix-style user prompt that leads to account compromise. Here's what you need to know.","text","paragraph","document","ConsentFix: Analysing a browser-native ClickFix-style attack that hijacks OAuth consent grants","ConsentFix: Browser-native ClickFix hijacks OAuth grants","Analysing \"ConsentFix\", a new browser-native attack technique we've detected in the wild, combining OAuth consent phishing with a ClickFix-style user prompt. ","2025-12-11T00:00:00.000Z","consentfix",{"items":1201},[1202,1206],{"sys":1203,"name":1205},{"id":1204},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"sys":1207,"name":1209},{"id":1208},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"items":1211},[1212,1844,2414],{"__typename":1213,"sys":1214,"content":1216,"title":1826,"synopsis":1827,"hashTags":118,"publishedDate":1828,"slug":1829,"tagsCollection":1830,"authorsCollection":1836},"BlogPosts",{"id":1215},"6Zosy4SU0LpjlaSWX75peb",{"json":1217},{"data":1218,"content":1219,"nodeType":1194},{},[1220,1227,1234,1241,1250,1257,1261,1271,1278,1285,1292,1298,1305,1311,1318,1324,1331,1337,1372,1379,1385,1392,1398,1405,1411,1418,1463,1466,1474,1481,1488,1495,1501,1504,1512,1519,1539,1545,1551,1557,1564,1570,1576,1596,1599,1607,1627,1633,1640,1660,1669,1676,1683,1690,1710,1718,1725,1731,1734,1742,1749,1756,1759,1767,1774,1781,1814,1820],{"data":1221,"content":1222,"nodeType":1193},{},[1223],{"data":1224,"marks":1225,"value":1226,"nodeType":1192},{},[],"We recently investigated a sophisticated phishing campaign targeting Google Workspace and Facebook Business accounts with Calendly-themed phishing lures, based around a fake job opportunity. 
",{"data":1228,"content":1229,"nodeType":1193},{},[1230],{"data":1231,"marks":1232,"value":1233,"nodeType":1192},{},[],"We were first alerted to the campaign when a Push customer was hit with a highly targeted email-based attack, where the attacker used an Attacker-in-the-Middle (AiTM) phishing toolkit to target the customer’s Google Workspace account. ",{"data":1235,"content":1236,"nodeType":1193},{},[1237],{"data":1238,"marks":1239,"value":1240,"nodeType":1192},{},[],"In this case, Google was the customer’s primary enterprise IdP account, used to access native Google suite apps as well as SSO to downstream apps — effectively, the front door to their business IT stack. Despite this, the attacker’s MO was specifically the takeover of accounts used for the management of digital ads. ",{"data":1242,"content":1248,"nodeType":1249},{"target":1243},{"sys":1244},{"id":1245,"type":1246,"linkType":1247},"5oivBCf1Fqvnq0GNCSko8f","Link","Entry",[],"embedded-entry-block",{"data":1251,"content":1252,"nodeType":1193},{},[1253],{"data":1254,"marks":1255,"value":1256,"nodeType":1192},{},[],"In this blog post, we break down the various TTPs used by the attacker across the campaign, and consider why ad management platforms are being specifically targeted.  ",{"data":1258,"content":1259,"nodeType":1260},{},[],"hr",{"data":1262,"content":1263,"nodeType":1270},{},[1264],{"data":1265,"marks":1266,"value":1269,"nodeType":1192},{},[1267],{"type":1268},"bold","Variant 1: Targeting Google Workspace with a sophisticated email phish ","heading-1",{"data":1272,"content":1273,"nodeType":1193},{},[1274],{"data":1275,"marks":1276,"value":1277,"nodeType":1192},{},[],"The first phishing variant we analyzed began with a multi-stage phishing email lure, framed as a job opportunity for LVMH (Louis Vuitton Moët Hennessy), which oversees more than 75 brands across sectors like fashion, cosmetics, watches, and spirits. 
The specific delivery address is impersonating “Inside LVMH”, the talent acquisition and training arm of LVMH.  ",{"data":1279,"content":1280,"nodeType":1193},{},[1281],{"data":1282,"marks":1283,"value":1284,"nodeType":1192},{},[],"This lure is notable for multiple reasons. It is highly targeted, well-written, populated with information from the victim, and comes from what appears to be a legitimate employee of LVMH. Even if the victim was initially suspicious, searching for the recruiter’s name would appear to confirm their identity.  ",{"data":1286,"content":1287,"nodeType":1193},{},[1288],{"data":1289,"marks":1290,"value":1291,"nodeType":1192},{},[],"It is possible, even likely, that this interaction was conducted using AI, drawing on information scraped from the internet — but in any case, the outcome achieved is highly convincing. ",{"data":1293,"content":1297,"nodeType":1249},{"target":1294},{"sys":1295},{"id":1296,"type":1246,"linkType":1247},"46BYpquURERbkhWc6C2Lpc",[],{"data":1299,"content":1300,"nodeType":1193},{},[1301],{"data":1302,"marks":1303,"value":1304,"nodeType":1192},{},[],"Only after the victim had responded to an initial email was the phishing link delivered under the guise of a Calendly link to book time for a call. 
",{"data":1306,"content":1310,"nodeType":1249},{"target":1307},{"sys":1308},{"id":1309,"type":1246,"linkType":1247},"37GBkfXGEdWvdQbMq65sad",[],{"data":1312,"content":1313,"nodeType":1193},{},[1314],{"data":1315,"marks":1316,"value":1317,"nodeType":1192},{},[],"Clicking the link takes the victim to an authentic-looking page impersonating a Calendly landing page.",{"data":1319,"content":1323,"nodeType":1249},{"target":1320},{"sys":1321},{"id":1322,"type":1246,"linkType":1247},"1DwOPzK7mxsoJlEBp8cMpr",[],{"data":1325,"content":1326,"nodeType":1193},{},[1327],{"data":1328,"marks":1329,"value":1330,"nodeType":1192},{},[],"After completing the CAPTCHA check and selecting \"Continue with Google” the victim is redirected to an AiTM phishing page designed to capture Google Workspace credentials, with specific branding impersonating Calendly — making this visually distinct from most common Google-themed phishing pages. ",{"data":1332,"content":1336,"nodeType":1249},{"target":1333},{"sys":1334},{"id":1335,"type":1246,"linkType":1247},"u1SY1uUX23sxfBYLpyaKb",[],{"data":1338,"content":1339,"nodeType":1193},{},[1340,1344,1355,1359,1368],{"data":1341,"marks":1342,"value":1343,"nodeType":1192},{},[],"This page uses ",{"data":1345,"content":1347,"nodeType":1354},{"uri":1346},"https://phishing-techniques.pushsecurity.com/techniques/conditional-loading/",[1348],{"data":1349,"marks":1350,"value":1353,"nodeType":1192},{},[1351],{"type":1352},"underline","specific targeting parameters","hyperlink",{"data":1356,"marks":1357,"value":1358,"nodeType":1192},{},[]," to ensure that only the intended recipient is able to access the page’s malicious functionality — a well-known ",{"data":1360,"content":1362,"nodeType":1354},{"uri":1361},"https://phishing-techniques.pushsecurity.com/",[1363],{"data":1364,"marks":1365,"value":1367,"nodeType":1192},{},[1366],{"type":1352},"detection evasion technique",{"data":1369,"marks":1370,"value":1371,"nodeType":1192},{},[]," to prevent security analysts from 
being able to fully analyse the page (as malicious elements are not rendered until this check is completed). ",{"data":1373,"content":1374,"nodeType":1193},{},[1375],{"data":1376,"marks":1377,"value":1378,"nodeType":1192},{},[],"As you can see in the example below, attempts to use an email address from any domain other than the intended victim’s are blocked.   ",{"data":1380,"content":1384,"nodeType":1249},{"target":1381},{"sys":1382},{"id":1383,"type":1246,"linkType":1247},"5m8LvVYjXz0zrITgTWqxio",[],{"data":1386,"content":1387,"nodeType":1193},{},[1388],{"data":1389,"marks":1390,"value":1391,"nodeType":1192},{},[],"The password entry field loads only when an email address from an allowed domain is entered. ",{"data":1393,"content":1397,"nodeType":1249},{"target":1394},{"sys":1395},{"id":1396,"type":1246,"linkType":1247},"6KFRJSsgk2pB6x67kWdpws",[],{"data":1399,"content":1400,"nodeType":1193},{},[1401],{"data":1402,"marks":1403,"value":1404,"nodeType":1192},{},[],"We identified a number of pages that appear to be part of the same campaign. All these pages share the same visual style and Calendly-themed lure targeting Google Workspace accounts, and appear to match real employees of the respective companies being impersonated. 
",{"data":1406,"content":1410,"nodeType":1249},{"target":1407},{"sys":1408},{"id":1409,"type":1246,"linkType":1247},"zMkN1U5QlvIEcfOGmhBBf",[],{"data":1412,"content":1413,"nodeType":1193},{},[1414],{"data":1415,"marks":1416,"value":1417,"nodeType":1192},{},[],"The different pages include:",{"data":1419,"content":1420,"nodeType":1462},{},[1421,1432,1442,1452],{"data":1422,"content":1423,"nodeType":1431},{},[1424],{"data":1425,"content":1426,"nodeType":1193},{},[1427],{"data":1428,"marks":1429,"value":1430,"nodeType":1192},{},[],"A different visual match for the LVMH page.","list-item",{"data":1433,"content":1434,"nodeType":1431},{},[1435],{"data":1436,"content":1437,"nodeType":1193},{},[1438],{"data":1439,"marks":1440,"value":1441,"nodeType":1192},{},[],"A Lego recruitment themed page.",{"data":1443,"content":1444,"nodeType":1431},{},[1445],{"data":1446,"content":1447,"nodeType":1193},{},[1448],{"data":1449,"marks":1450,"value":1451,"nodeType":1192},{},[],"A Mastercard HR themed page.",{"data":1453,"content":1454,"nodeType":1431},{},[1455],{"data":1456,"content":1457,"nodeType":1193},{},[1458],{"data":1459,"marks":1460,"value":1461,"nodeType":1192},{},[],"An Uber recruitment themed page.","unordered-list",{"data":1464,"content":1465,"nodeType":1260},{},[],{"data":1467,"content":1468,"nodeType":1270},{},[1469],{"data":1470,"marks":1471,"value":1473,"nodeType":1192},{},[1472],{"type":1268},"Variant 2: Targeting Facebook Business accounts",{"data":1475,"content":1476,"nodeType":1193},{},[1477],{"data":1478,"marks":1479,"value":1480,"nodeType":1192},{},[],"Upon further investigation, we found links to a second phishing page style that appears to be part of a longer campaign targeting Facebook accounts, dating back more than two years. 
",{"data":1482,"content":1483,"nodeType":1193},{},[1484],{"data":1485,"marks":1486,"value":1487,"nodeType":1192},{},[],"In total, we identified 31 unique URLs associated with the same campaign, many of which were recycled over time to impersonate different brands. ",{"data":1489,"content":1490,"nodeType":1193},{},[1491],{"data":1492,"marks":1493,"value":1494,"nodeType":1192},{},[],"Since most of these pages appeared to be older (and no longer live) they could not be analysed further, beyond giving an indication of how the phishing campaign has evolved over time. ",{"data":1496,"content":1500,"nodeType":1249},{"target":1497},{"sys":1498},{"id":1499,"type":1246,"linkType":1247},"5PFRI9XtNVdkpYiRoIYpF",[],{"data":1502,"content":1503,"nodeType":1260},{},[],{"data":1505,"content":1506,"nodeType":1270},{},[1507],{"data":1508,"marks":1509,"value":1511,"nodeType":1192},{},[1510],{"type":1268},"Variant 3: Targeting both Google and Facebook accounts",{"data":1513,"content":1514,"nodeType":1193},{},[1515],{"data":1516,"marks":1517,"value":1518,"nodeType":1192},{},[],"We also discovered a third, more recent variant targeting both Google and Facebook accounts with Calendly-styled pages.",{"data":1520,"content":1521,"nodeType":1193},{},[1522,1526,1535],{"data":1523,"marks":1524,"value":1525,"nodeType":1192},{},[],"This variant looks to leverage a Browser-in-the-Browser style pop-up window similar to the ",{"data":1527,"content":1529,"nodeType":1354},{"uri":1528},"https://pushsecurity.com/blog/analyzing-the-latest-sneaky2fa-phishing-page/",[1530],{"data":1531,"marks":1532,"value":1534,"nodeType":1192},{},[1533],{"type":1352},"Sneaky2FA attacks we reported on recently",{"data":1536,"marks":1537,"value":1538,"nodeType":1192},{},[],". BITB allows the attacker to mask the phishing page URL by presenting a fake URL set by the attacker, inside a pop-up login window. 
",{"data":1540,"content":1544,"nodeType":1249},{"target":1541},{"sys":1542},{"id":1543,"type":1246,"linkType":1247},"7w4cmyqPvhxAFrokaK9CE1",[],{"data":1546,"content":1550,"nodeType":1249},{"target":1547},{"sys":1548},{"id":1549,"type":1246,"linkType":1247},"6FUSNecz0BXLxJxoJTsALD",[],{"data":1552,"content":1556,"nodeType":1249},{"target":1553},{"sys":1554},{"id":1555,"type":1246,"linkType":1247},"2zwFDrgsLuxi4Xv2q0nPFK",[],{"data":1558,"content":1559,"nodeType":1193},{},[1560],{"data":1561,"marks":1562,"value":1563,"nodeType":1192},{},[],"The attacker also implemented additional anti-analysis functionality, beyond the specific domain targeting we observed in the first page variant — the result of which meant the page IP blocked us from interacting with it further. ",{"data":1565,"content":1569,"nodeType":1249},{"target":1566},{"sys":1567},{"id":1568,"type":1246,"linkType":1247},"3ZPdxi5cGZcn5hF1ISIUa7",[],{"data":1571,"content":1575,"nodeType":1249},{"target":1572},{"sys":1573},{"id":1574,"type":1246,"linkType":1247},"3J5pmgNL9LevE1FdX4oksf",[],{"data":1577,"content":1578,"nodeType":1193},{},[1579,1583,1592],{"data":1580,"marks":1581,"value":1582,"nodeType":1192},{},[],"Often ",{"data":1584,"content":1586,"nodeType":1354},{"uri":1585},"https://phishing-techniques.pushsecurity.com/techniques/anti-sandbox/",[1587],{"data":1588,"marks":1589,"value":1591,"nodeType":1192},{},[1590],{"type":1352},"accessing dev tools",{"data":1593,"marks":1594,"value":1595,"nodeType":1192},{},[]," on a page is enough to trigger this, specifically targeting security analysts and web-crawling security bots/tools. 
",{"data":1597,"content":1598,"nodeType":1260},{},[],{"data":1600,"content":1601,"nodeType":1270},{},[1602],{"data":1603,"marks":1604,"value":1606,"nodeType":1192},{},[1605],{"type":1268},"Why are attackers targeting business ad management accounts?",{"data":1608,"content":1609,"nodeType":1193},{},[1610,1614,1623],{"data":1611,"marks":1612,"value":1613,"nodeType":1192},{},[],"The campaign shows signs of being a long-running, targeted initiative focused on compromising accounts responsible for managing digital ads on behalf of businesses. The attackers have demonstrated that they are continuing to iterate on their TTPs, introducing new page styles with increased sophistication, and new ",{"data":1615,"content":1617,"nodeType":1354},{"uri":1616},"https://phishing-techniques.pushsecurity.com/#techniques-table",[1618],{"data":1619,"marks":1620,"value":1622,"nodeType":1192},{},[1621],{"type":1352},"detection evasion techniques",{"data":1624,"marks":1625,"value":1626,"nodeType":1192},{},[]," to defeat security analysis tools.  ",{"data":1628,"content":1632,"nodeType":1249},{"target":1629},{"sys":1630},{"id":1631,"type":1246,"linkType":1247},"m5GsTsDb55T70MU2m72B1",[],{"data":1634,"content":1635,"nodeType":1193},{},[1636],{"data":1637,"marks":1638,"value":1639,"nodeType":1192},{},[],"We also discovered that Google recently issued a security warning specifically for agency organizations managing ads for a number of businesses, urging them to create security alerts whenever a new account is added to a Manager Account (MCC) used to view and manage multiple Google Ads accounts from a single view. 
",{"data":1641,"content":1642,"nodeType":1193},{},[1643,1647,1656],{"data":1644,"marks":1645,"value":1646,"nodeType":1192},{},[],"With malvertising on the rise as an increasingly popular attack vector for the delivery of AITM phishing, malware downloads, and ",{"data":1648,"content":1650,"nodeType":1354},{"uri":1649},"https://pushsecurity.com/blog/the-most-advanced-clickfix-yet/",[1651],{"data":1652,"marks":1653,"value":1655,"nodeType":1192},{},[1654],{"type":1352},"ClickFix",{"data":1657,"marks":1658,"value":1659,"nodeType":1192},{},[]," (4 in 5 ClickFix attacks intercepted by Push were delivered via Google Search), it makes sense that attackers are looking to increase their web of accounts from which to launch malicious ads. ",{"data":1661,"content":1662,"nodeType":1668},{},[1663],{"data":1664,"marks":1665,"value":1667,"nodeType":1192},{},[1666],{"type":1268},"Why are attackers turning to malvertising?","heading-2",{"data":1670,"content":1671,"nodeType":1193},{},[1672],{"data":1673,"marks":1674,"value":1675,"nodeType":1192},{},[],"Malvertising attacks delivered over search engines (e.g. Google Search) and social media apps (Facebook, LinkedIn, etc.) are a great way to catch victims unawares while also evading typically email-based anti-phishing controls. ",{"data":1677,"content":1678,"nodeType":1193},{},[1679],{"data":1680,"marks":1681,"value":1682,"nodeType":1192},{},[],"The flipside of this is that malvertising attacks are less likely to be targeted than phishing delivered directly to the victim via a direct message (i.e. email, social media DM, instant messenger app, SMS, etc.). ",{"data":1684,"content":1685,"nodeType":1193},{},[1686],{"data":1687,"marks":1688,"value":1689,"nodeType":1192},{},[],"However, that isn’t to say that malvertising attacks can’t be targeted. For example, Google Ads can be targeted to searches coming from specific geographic locations, tailored to specific email domain matches, or specific device types (e.g. desktop, mobile, etc.). 
If you know where your target organization is located, you can tailor the ad to that location. Even more precise ad targeting can be achieved on social media platforms. ",{"data":1691,"content":1692,"nodeType":1193},{},[1693,1697,1706],{"data":1694,"marks":1695,"value":1696,"nodeType":1192},{},[],"Malvertising is an effective way to launch “watering hole” style attacks, casting a wide net to harvest credentials and account access that can be re-sold to other criminals for a fee, or leveraged by partners in the cybercriminal ecosystem as part of major cyber breaches (such as the recent attacks by the “",{"data":1698,"content":1700,"nodeType":1354},{"uri":1699},"https://pushsecurity.com/blog/scattered-lapsus-hunters/",[1701],{"data":1702,"marks":1703,"value":1705,"nodeType":1192},{},[1704],{"type":1352},"Scattered Lapsus$ Hunters",{"data":1707,"marks":1708,"value":1709,"nodeType":1192},{},[],"” criminal collective, all of which began with identity-based initial access). For this reason, credentials and access are an increasingly profitable commodity for cyber criminals. ",{"data":1711,"content":1712,"nodeType":1668},{},[1713],{"data":1714,"marks":1715,"value":1717,"nodeType":1192},{},[1716],{"type":1268},"Additional considerations",{"data":1719,"content":1720,"nodeType":1193},{},[1721],{"data":1722,"marks":1723,"value":1724,"nodeType":1192},{},[],"As previously mentioned, compromising a Google Workspace account (particularly where it is the primary enterprise cloud platform used by the organization) provides comprehensive access to business apps, data, and functionality that can be exploited by attackers — effectively, it’s the access point to modern business IT. There’s a good chance that attackers establishing a foothold in this way would look to leverage this access further, or at least sell on that access to a criminal group looking to take the attack further. 
",{"data":1726,"content":1730,"nodeType":1249},{"target":1727},{"sys":1728},{"id":1729,"type":1246,"linkType":1247},"7jnQqRk0JuqEtrQ3HXy3f8",[],{"data":1732,"content":1733,"nodeType":1260},{},[],{"data":1735,"content":1736,"nodeType":1270},{},[1737],{"data":1738,"marks":1739,"value":1741,"nodeType":1192},{},[1740],{"type":1268},"IoCs",{"data":1743,"content":1744,"nodeType":1193},{},[1745],{"data":1746,"marks":1747,"value":1748,"nodeType":1192},{},[],"We have opted not to provide the domains associated with that campaign to preserve the privacy of the individuals being impersonated by the attacker. In many cases, their full name was included in the URL for the phishing page, while their name and profile picture (most likely scraped from LinkedIn) are also visible on the landing page. ",{"data":1750,"content":1751,"nodeType":1193},{},[1752],{"data":1753,"marks":1754,"value":1755,"nodeType":1192},{},[],"However, with the rate at which these domains were spun up and subsequently taken down (by the attacker or the site hosting the links) IoC-based detections for campaigns such as this are of limited value. ",{"data":1757,"content":1758,"nodeType":1260},{},[],{"data":1760,"content":1761,"nodeType":1270},{},[1762],{"data":1763,"marks":1764,"value":1766,"nodeType":1192},{},[1765],{"type":1268},"Learn more about Push",{"data":1768,"content":1769,"nodeType":1193},{},[1770],{"data":1771,"marks":1772,"value":1773,"nodeType":1192},{},[],"Push researchers are continuously analysing and developing new detections based on the latest phishing kits and TTPs which enables us to stay two steps ahead of attackers.",{"data":1775,"content":1776,"nodeType":1193},{},[1777],{"data":1778,"marks":1779,"value":1780,"nodeType":1192},{},[],"Push’s browser-based security platform provides comprehensive detection and response capabilities against attacks like AiTM phishing, credential stuffing, malicious browser extensions, malicious OAuth grants, ClickFix, and session hijacking. 
You don’t need to wait until it all goes wrong either — you can use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, and more to harden your attack surface.",{"data":1782,"content":1783,"nodeType":1193},{},[1784,1788,1797,1801,1810],{"data":1785,"marks":1786,"value":1787,"nodeType":1192},{},[],"To learn more about Push, ",{"data":1789,"content":1791,"nodeType":1354},{"uri":1790},"https://pushsecurity.com/resources/product-brochure",[1792],{"data":1793,"marks":1794,"value":1796,"nodeType":1192},{},[1795],{"type":1352},"check out our latest product overview",{"data":1798,"marks":1799,"value":1800,"nodeType":1192},{},[]," or ",{"data":1802,"content":1804,"nodeType":1354},{"uri":1803},"https://pushsecurity.com/demo",[1805],{"data":1806,"marks":1807,"value":1809,"nodeType":1192},{},[1808],{"type":1352},"book some time with one of our team for a live demo",{"data":1811,"marks":1812,"value":1813,"nodeType":1192},{},[],".",{"data":1815,"content":1819,"nodeType":1249},{"target":1816},{"sys":1817},{"id":1818,"type":1246,"linkType":1247},"6QzB0BlVC5mstXwXHvy2c3",[],{"data":1821,"content":1822,"nodeType":1193},{},[1823],{"data":1824,"marks":1825,"value":37,"nodeType":1192},{},[],"Uncovering a Calendly-themed phishing campaign targeting business ad manager accounts","Investigating a phishing campaign targeting Google Ads Manager MCC accounts to propagate malvertising lures. 
","2025-12-02T00:00:00.000Z","uncovering-a-calendly-themed-phishing-campaign",{"items":1831},[1832,1834],{"sys":1833,"name":1205},{"id":1204},{"sys":1835,"name":1209},{"id":1208},{"items":1837},[1838],{"fullName":1839,"firstName":1840,"jobTitle":1841,"profilePicture":1842},"Luke Jennings","Luke","Vice President, R&D",{"url":1843},"https://images.ctfassets.net/y1cdw1ablpvd/4Hosb4zKi1dA0PUyDLMe1h/27e09d894861f2196ba794037986fb08/T016S22KZ96-U02NVQM7ZD4-57761d542d83-512.jpeg",{"__typename":1213,"sys":1845,"content":1847,"title":2396,"synopsis":2397,"hashTags":118,"publishedDate":2398,"slug":2399,"tagsCollection":2400,"authorsCollection":2406},{"id":1846},"6QLonRmBzbj9h88Y7jD0LU",{"json":1848},{"nodeType":1194,"data":1849,"content":1850},{},[1851,1858,1865,1896,1903,1910,1917,1920,1928,1948,1955,1961,1968,1974,1981,1987,1994,2000,2007,2013,2020,2027,2033,2036,2044,2064,2071,2078,2084,2102,2110,2130,2138,2156,2163,2169,2201,2209,2242,2250,2270,2275,2278,2286,2306,2312,2315,2323,2330,2337,2340,2348,2354,2361,2385,2390],{"nodeType":1193,"data":1852,"content":1853},{},[1854],{"nodeType":1192,"value":1855,"marks":1856,"data":1857},"PhaaS kits make up the vast majority of phishing sites intercepted by Push and dominate the phishing landscape, with kits like Tycoon, NakedPages, Flowerstorm, Salty2FA, and various Evilginx variations proving very popular among attackers targeting Push customers.",[],{},{"nodeType":1193,"data":1859,"content":1860},{},[1861],{"nodeType":1192,"value":1862,"marks":1863,"data":1864},"PhaaS kits are incredibly important to cybercrime because they make sophisticated and continuously evolving capabilities available to the criminal marketplace, lowering the barrier to entry for criminals running advanced phishing campaigns. This is not unique to phishing: Ransomware-as-a-Service, Credential Stuffing-as-a-Service, and many more for-hire tools and services exist for criminals to use for a fee. 
",[],{},{"nodeType":1193,"data":1866,"content":1867},{},[1868,1872,1881,1885,1892],{"nodeType":1192,"value":1869,"marks":1870,"data":1871},"This competitive environment has fuelled attacker innovation, resulting in an environment in which MFA-bypass is table stakes, phishing-resistant authentication is being circumvented through ",[],{},{"nodeType":1354,"data":1873,"content":1875},{"uri":1874},"https://pushsecurity.com/blog/mfa-downgrade-attacks/",[1876],{"nodeType":1192,"value":1877,"marks":1878,"data":1880},"downgrade attacks",[1879],{"type":1352},{},{"nodeType":1192,"value":1882,"marks":1883,"data":1884},", and ",[],{},{"nodeType":1354,"data":1886,"content":1887},{"uri":1361},[1888],{"nodeType":1192,"value":1622,"marks":1889,"data":1891},[1890],{"type":1352},{},{"nodeType":1192,"value":1893,"marks":1894,"data":1895}," are being used to circumvent security tools — from email scanners, to web-crawling security tools, to web proxies analyzing network traffic.",[],{},{"nodeType":1193,"data":1897,"content":1898},{},[1899],{"nodeType":1192,"value":1900,"marks":1901,"data":1902},"Recently, we’ve noticed an increase in detections relating to Sneaky2FA, which operates through a fully-featured bot on Telegram. Customers reportedly receive access to a licensed, obfuscated version of the source code and deploy it independently.",[],{},{"nodeType":1193,"data":1904,"content":1905},{},[1906],{"nodeType":1192,"value":1907,"marks":1908,"data":1909},"This makes Sneaky2FA something that can be reliably profiled and tracked due to these codebase similarities — which is what we’re actively doing at Push. ",[],{},{"nodeType":1193,"data":1911,"content":1912},{},[1913],{"nodeType":1192,"value":1914,"marks":1915,"data":1916},"Why is this relevant? Well, the latest Sneaky2FA phish we identified was pretty interesting. 
",[],{},{"nodeType":1260,"data":1918,"content":1919},{},[],{"nodeType":1270,"data":1921,"content":1922},{},[1923],{"nodeType":1192,"value":1924,"marks":1925,"data":1927},"Sneaky2FA adds BITB to its phishing toolkit",[1926],{"type":1268},{},{"nodeType":1193,"data":1929,"content":1930},{},[1931,1935,1944],{"nodeType":1192,"value":1932,"marks":1933,"data":1934},"We recently detected a Sneaky2FA server that is a bit different from the typical reverse-proxy ",[],{},{"nodeType":1354,"data":1936,"content":1938},{"uri":1937},"https://pushsecurity.com/blog/phishing-2-0-how-phishing-toolkits-are-evolving-with-aitm/",[1939],{"nodeType":1192,"value":1940,"marks":1941,"data":1943},"Attacker-in-the-Middle",[1942],{"type":1352},{},{"nodeType":1192,"value":1945,"marks":1946,"data":1947}," site, featuring an embedded browser window that contained the actual phishing page. ",[],{},{"nodeType":1193,"data":1949,"content":1950},{},[1951],{"nodeType":1192,"value":1952,"marks":1953,"data":1954},"You can see how the page loaded below in the video below.",[],{},{"nodeType":1249,"data":1956,"content":1960},{"target":1957},{"sys":1958},{"id":1959,"type":1246,"linkType":1247},"6L6Ban2xptI1uNA8OPJQzq",[],{"nodeType":1193,"data":1962,"content":1963},{},[1964],{"nodeType":1192,"value":1965,"marks":1966,"data":1967},"When the URL previewdoc[.]us is first accessed, a Cloudflare Turnstile check must be completed before the page loads. ",[],{},{"nodeType":1249,"data":1969,"content":1973},{"target":1970},{"sys":1971},{"id":1972,"type":1246,"linkType":1247},"QscI1SZ6dOpgMkrJPtqLD",[],{"nodeType":1193,"data":1975,"content":1976},{},[1977],{"nodeType":1192,"value":1978,"marks":1979,"data":1980},"The page then redirects to a subdomain of previewdoc[.]us, which prompts the user to “Sign in with Microsoft” in order to view a document, styled to look like Adobe Acrobat Reader. 
",[],{},{"nodeType":1249,"data":1982,"content":1986},{"target":1983},{"sys":1984},{"id":1985,"type":1246,"linkType":1247},"7pkfAQquHrA6aUnCtj74iu",[],{"nodeType":1193,"data":1988,"content":1989},{},[1990],{"nodeType":1192,"value":1991,"marks":1992,"data":1993},"Upon clicking ‘Sign in with Microsoft” a reverse-proxy phishing page resembling a Microsoft login form is loaded in an embedded browser, with a custom background image designed to resemble a document library. ",[],{},{"nodeType":1249,"data":1995,"content":1999},{"target":1996},{"sys":1997},{"id":1998,"type":1246,"linkType":1247},"782tw14AqgJ9mqneVaOdHc",[],{"nodeType":1193,"data":2001,"content":2002},{},[2003],{"nodeType":1192,"value":2004,"marks":2005,"data":2006},"Interestingly, the pop-up window adjusts to the visitor’s OS and browser — you can see some different examples below.",[],{},{"nodeType":1249,"data":2008,"content":2012},{"target":2009},{"sys":2010},{"id":2011,"type":1246,"linkType":1247},"6lN9agEyeQ63LDHM1kaSqX",[],{"nodeType":1193,"data":2014,"content":2015},{},[2016],{"nodeType":1192,"value":2017,"marks":2018,"data":2019},"Completing authentication will result in the user’s Microsoft credentials and active session being stolen by the attacker, facilitating account takeover. 
",[],{},{"nodeType":1193,"data":2021,"content":2022},{},[2023],{"nodeType":1192,"value":2024,"marks":2025,"data":2026},"You can see the sequence of pages loaded and Push detection events in the timeline below.",[],{},{"nodeType":1249,"data":2028,"content":2032},{"target":2029},{"sys":2030},{"id":2031,"type":1246,"linkType":1247},"1oPpha39PMiJGUaZSptx1f",[],{"nodeType":1260,"data":2034,"content":2035},{},[],{"nodeType":1270,"data":2037,"content":2038},{},[2039],{"nodeType":1192,"value":2040,"marks":2041,"data":2043},"Why Browser-in-the-Browser?",[2042],{"type":1268},{},{"nodeType":1193,"data":2045,"content":2046},{},[2047,2051,2060],{"nodeType":1192,"value":2048,"marks":2049,"data":2050},"BITB was first coined as a technique in 2022 by ",[],{},{"nodeType":1354,"data":2052,"content":2054},{"uri":2053},"https://mrd0x.com/browser-in-the-browser-phishing-attack/",[2055],{"nodeType":1192,"value":2056,"marks":2057,"data":2059},"mr.d0x",[2058],{"type":1352},{},{"nodeType":1192,"value":2061,"marks":2062,"data":2063},", but standard AITM phishing pages are far more frequently encountered in the wild, particularly when it comes to enterprise business targets.",[],{},{"nodeType":1193,"data":2065,"content":2066},{},[2067],{"nodeType":1192,"value":2068,"marks":2069,"data":2070},"BITB is principally designed to mask suspicious phishing URLs by simulating a pretty normal function of in-browser authentication — a pop-up login form. BITB phishing pages replicate the design of a pop-up window with an iframe pointing to a malicious server. ",[],{},{"nodeType":1193,"data":2072,"content":2073},{},[2074],{"nodeType":1192,"value":2075,"marks":2076,"data":2077},"The pop-up browser window shows a legitimate Microsoft login URL — this is in fact a fake URL that is designed to fool the user. 
",[],{},{"nodeType":1249,"data":2079,"content":2083},{"target":2080},{"sys":2081},{"id":2082,"type":1246,"linkType":1247},"7kI5PHTr9XYQJ0xVJUnUDu",[],{"nodeType":1193,"data":2085,"content":2086},{},[2087,2091,2098],{"nodeType":1192,"value":2088,"marks":2089,"data":2090},"This BITB example shares many of the advantages of typical reverse-proxy based phishing pages, as well as the ",[],{},{"nodeType":1354,"data":2092,"content":2093},{"uri":1361},[2094],{"nodeType":1192,"value":1622,"marks":2095,"data":2097},[2096],{"type":1352},{},{"nodeType":1192,"value":2099,"marks":2100,"data":2101}," that are commonly used by attackers (and baked into PhaaS kits off-the-shelf). This includes:",[],{},{"nodeType":1668,"data":2103,"content":2104},{},[2105],{"nodeType":1192,"value":2106,"marks":2107,"data":2109},"Bot protection to defeat web scraping tools",[2108],{"type":1268},{},{"nodeType":1193,"data":2111,"content":2112},{},[2113,2117,2126],{"nodeType":1192,"value":2114,"marks":2115,"data":2116},"Attackers are using common ",[],{},{"nodeType":1354,"data":2118,"content":2120},{"uri":2119},"https://phishing-techniques.pushsecurity.com/techniques/bot-protection/",[2121],{"nodeType":1192,"value":2122,"marks":2123,"data":2125},"bot protection",[2124],{"type":1352},{},{"nodeType":1192,"value":2127,"marks":2128,"data":2129}," technologies like CAPTCHA and Cloudflare Turnstile to prevent security bots from accessing their web pages to be able to analyse them (and therefore block pages from being automatically flagged). This requires anyone visiting the page to pass a bot check/challenge before the page can be loaded, meaning the full page cannot be analysed by automated tools. 
",[],{},{"nodeType":1668,"data":2131,"content":2132},{},[2133],{"nodeType":1192,"value":2134,"marks":2135,"data":2137},"Stop unwanted visitors with conditional loading",[2136],{"type":1268},{},{"nodeType":1193,"data":2139,"content":2140},{},[2141,2144,2152],{"nodeType":1192,"value":37,"marks":2142,"data":2143},[],{},{"nodeType":1354,"data":2145,"content":2146},{"uri":1346},[2147],{"nodeType":1192,"value":2148,"marks":2149,"data":2151},"Conditional loading",[2150],{"type":1352},{},{"nodeType":1192,"value":2153,"marks":2154,"data":2155}," techniques are used to prevent unwanted visitors from accessing the phishing page — reducing the chance that it is detected and flagged and extending the longevity of the phish. This often includes known security vendor IPs, VPN/proxy services, but is often used to target specific organizations (or even specific users within an organization). ",[],{},{"nodeType":1193,"data":2157,"content":2158},{},[2159],{"nodeType":1192,"value":2160,"marks":2161,"data":2162},"In this case, where the correct parameters are not supplied or the phishing site detects an unwanted variable, it will redirect to a benign wikibooks page. 
",[],{},{"nodeType":1249,"data":2164,"content":2168},{"target":2165},{"sys":2166},{"id":2167,"type":1246,"linkType":1247},"fN2XugiDIef8haTDapViT",[],{"nodeType":1193,"data":2170,"content":2171},{},[2172,2176,2184,2188,2197],{"nodeType":1192,"value":2173,"marks":2174,"data":2175},"Sneaky2FA has also been commonly observed using ",[],{},{"nodeType":1354,"data":2177,"content":2178},{"uri":1585},[2179],{"nodeType":1192,"value":2180,"marks":2181,"data":2183},"anti-analysis",[2182],{"type":1352},{},{"nodeType":1192,"value":2185,"marks":2186,"data":2187}," techniques to detect or ",[],{},{"nodeType":1354,"data":2189,"content":2191},{"uri":2190},"https://blog.sekoia.io/sneaky-2fa-exposing-a-new-aitm-phishing-as-a-service/#:~:text=Sneaky%202FA%20pages%20use%20anti,we%20identified%20as%20Sneaky%202FA",[2192],{"nodeType":1192,"value":2193,"marks":2194,"data":2196},"disable browser developer tools",[2195],{"type":1352},{},{"nodeType":1192,"value":2198,"marks":2199,"data":2200}," to block attempts to analyse the page for malicious content. 
",[],{},{"nodeType":1668,"data":2202,"content":2203},{},[2204],{"nodeType":1192,"value":2205,"marks":2206,"data":2208},"Page and code obfuscation",[2207],{"type":1268},{},{"nodeType":1193,"data":2210,"content":2211},{},[2212,2216,2225,2229,2238],{"nodeType":1192,"value":2213,"marks":2214,"data":2215},"The HTML and JavaScript of Sneaky2FA pages are ",[],{},{"nodeType":1354,"data":2217,"content":2219},{"uri":2218},"https://phishing-techniques.pushsecurity.com/techniques/page-obfuscation/",[2220],{"nodeType":1192,"value":2221,"marks":2222,"data":2224},"heavily obfuscated",[2223],{"type":1352},{},{"nodeType":1192,"value":2226,"marks":2227,"data":2228}," to evade static detection and pattern-matching, ",[],{},{"nodeType":1354,"data":2230,"content":2232},{"uri":2231},"https://blog.sekoia.io/sneaky-2fa-exposing-a-new-aitm-phishing-as-a-service/#:~:text=,%E2%80%9CNo%20account%3F%E2%80%9D%20and%20%E2%80%9CSign%20in%E2%80%9D",[2233],{"nodeType":1192,"value":2234,"marks":2235,"data":2237},"such as",[2236],{"type":1352},{},{"nodeType":1192,"value":2239,"marks":2240,"data":2241}," breaking up UI text with invisible tags, embedding background and interface elements as encoded images instead of text, and other changes that are invisible to the user, but make it hard for scanning tools to fingerprint the page. 
",[],{},{"nodeType":1668,"data":2243,"content":2244},{},[2245],{"nodeType":1192,"value":2246,"marks":2247,"data":2249},"Domain rotation and URL masking",[2248],{"type":1268},{},{"nodeType":1193,"data":2251,"content":2252},{},[2253,2257,2266],{"nodeType":1192,"value":2254,"marks":2255,"data":2256},"In addition to masking the phishing site URL presented to the user via the BITB window, Sneaky2FA has been seen using ",[],{},{"nodeType":1354,"data":2258,"content":2260},{"uri":2259},"https://www.centripetal.ai/threat-research/typhoon-versus-sneaky",[2261],{"nodeType":1192,"value":2262,"marks":2263,"data":2265},"stealthy hosting and domain tactics",[2264],{"type":1352},{},{"nodeType":1192,"value":2267,"marks":2268,"data":2269},". Each campaign uses a fresh, long, randomized URL (typically a 150-character path) on a benign-looking domain (often an old or compromised site). These domains are usually short-lived: many are taken down after just a few days or weeks. Analysts have observed that Sneaky2FA domains often lie dormant or serve harmless content until right before an attack, then quickly vanish after use. This “burn-and-replace” approach makes traditional defenses (which rely on domain reputation or pattern-matching) much weaker.",[],{},{"nodeType":1249,"data":2271,"content":2274},{"target":2272},{"sys":2273},{"id":1818,"type":1246,"linkType":1247},[],{"nodeType":1260,"data":2276,"content":2277},{},[],{"nodeType":1270,"data":2279,"content":2280},{},[2281],{"nodeType":1192,"value":2282,"marks":2283,"data":2285},"Are attackers moving to BITB? ",[2284],{"type":1268},{},{"nodeType":1193,"data":2287,"content":2288},{},[2289,2293,2302],{"nodeType":1192,"value":2290,"marks":2291,"data":2292},"There is evidence that Sneaky2FAs shift to BITB might not be an isolated change. 
RaccoonO365 is another PhaaS service that has been seen utilizing BITB functionality after ",[],{},{"nodeType":1354,"data":2294,"content":2296},{"uri":2295},"https://www.cloudflare.com/en-gb/threat-intelligence/research/report/cloudflare-participates-in-global-operation-to-disrupt-raccoono365/",[2297],{"nodeType":1192,"value":2298,"marks":2299,"data":2301},"announcing a “BITB mini-panel”",[2300],{"type":1352},{},{"nodeType":1192,"value":2303,"marks":2304,"data":2305}," would be added as part of a service revamp. ",[],{},{"nodeType":1249,"data":2307,"content":2311},{"target":2308},{"sys":2309},{"id":2310,"type":1246,"linkType":1247},"2sJUR9TVbZMU1v10Tq94Pz",[],{"nodeType":1260,"data":2313,"content":2314},{},[],{"nodeType":1270,"data":2316,"content":2317},{},[2318],{"nodeType":1192,"value":2319,"marks":2320,"data":2322},"Conclusion",[2321],{"type":1268},{},{"nodeType":1193,"data":2324,"content":2325},{},[2326],{"nodeType":1192,"value":2327,"marks":2328,"data":2329},"Attackers are continuously innovating their phishing techniques, particularly in the context of an increasingly professionalized PhaaS ecosystem. With identity-based attacks continuing to be the leading cause of breaches, attackers are incentivized to refine and enhance their phishing infrastructure. ",[],{},{"nodeType":1193,"data":2331,"content":2332},{},[2333],{"nodeType":1192,"value":2334,"marks":2335,"data":2336},"The addition of BITB, with the frequent iteration and improvement of detection evasion techniques, means that traditional security controls such as email gateways, web filters, and signature-based defenses will continue to be reliably bypassed. 
",[],{},{"nodeType":1260,"data":2338,"content":2339},{},[],{"nodeType":1270,"data":2341,"content":2342},{},[2343],{"nodeType":1192,"value":2344,"marks":2345,"data":2347},"How Push can help",[2346],{"type":1268},{},{"nodeType":1193,"data":2349,"content":2350},{},[2351],{"nodeType":1192,"value":1773,"marks":2352,"data":2353},[],{},{"nodeType":1193,"data":2355,"content":2356},{},[2357],{"nodeType":1192,"value":2358,"marks":2359,"data":2360},"Despite the various detection evasion techniques, and the use of BITB methods, Push still detected this toolkit running on the page, enabling any attack to be detected and blocked before the user could be phished. Because we can inspect the live page, we detect malicious content loaded in the browser in real time. ",[],{},{"nodeType":1193,"data":2362,"content":2363},{},[2364,2367,2373,2376,2382],{"nodeType":1192,"value":1787,"marks":2365,"data":2366},[],{},{"nodeType":1354,"data":2368,"content":2369},{"uri":1790},[2370],{"nodeType":1192,"value":1796,"marks":2371,"data":2372},[],{},{"nodeType":1192,"value":1800,"marks":2374,"data":2375},[],{},{"nodeType":1354,"data":2377,"content":2378},{"uri":1803},[2379],{"nodeType":1192,"value":1809,"marks":2380,"data":2381},[],{},{"nodeType":1192,"value":1813,"marks":2383,"data":2384},[],{},{"nodeType":1249,"data":2386,"content":2389},{"target":2387},{"sys":2388},{"id":1818,"type":1246,"linkType":1247},[],{"nodeType":1193,"data":2391,"content":2392},{},[2393],{"nodeType":1192,"value":37,"marks":2394,"data":2395},[],{},"Analyzing the latest Sneaky2FA Browser-in-the-Browser phishing page","Analyzing a BITB phishing page linked to the Sneaky2FA Phishing-as-a-Service operation. 
","2025-11-18T00:00:00.000Z","analyzing-the-latest-sneaky2fa-phishing-page",{"items":2401},[2402,2404],{"sys":2403,"name":1205},{"id":1204},{"sys":2405,"name":1209},{"id":1208},{"items":2407},[2408],{"fullName":2409,"firstName":2410,"jobTitle":2411,"profilePicture":2412},"Dan Green","Dan","Threat Research",{"url":2413},"https://images.ctfassets.net/y1cdw1ablpvd/7jik1VhFgA3kgzXBXTm2Vw/fcd8c171da644903d0827eafcfbcaad0/Dan_Headshot_2025.png",{"__typename":1213,"sys":2415,"content":2417,"title":2996,"synopsis":2997,"hashTags":118,"publishedDate":2998,"slug":2999,"tagsCollection":3000,"authorsCollection":3006},{"id":2416},"7rVNBW6rYXnXMpI0JEwzgR",{"json":2418},{"nodeType":1194,"data":2419,"content":2420},{},[2421,2428,2435,2447,2453,2460,2463,2471,2478,2484,2500,2507,2530,2537,2543,2546,2554,2587,2593,2613,2619,2638,2645,2651,2654,2662,2669,2689,2696,2716,2723,2729,2732,2740,2747,2780,2787,2794,2840,2859,2870,2877,2880,2888,2908,2915,2922,2928,2931,2939,2959,2985,2990],{"nodeType":1193,"data":2422,"content":2423},{},[2424],{"nodeType":1192,"value":2425,"marks":2426,"data":2427},"ClickFix attacks have skyrocketed in the last year. This social engineering attack has established itself as a key part of the modern attacker’s toolkit, tricking victims into running malicious code on their device.",[],{},{"nodeType":1193,"data":2429,"content":2430},{},[2431],{"nodeType":1192,"value":2432,"marks":2433,"data":2434},"As we showcased in our last webinar and at our threat briefing in London earlier this month, ClickFix is evolving fast, in terms of the web pages themselves, the delivery mechanisms by which they are sent to victims, and the nature of the payload and its execution.",[],{},{"nodeType":1193,"data":2436,"content":2437},{},[2438,2442],{"nodeType":1192,"value":2439,"marks":2440,"data":2441},"One particular example stood out to us in our research. 
",[],{},{"nodeType":1192,"value":2443,"marks":2444,"data":2446},"So, is this the most advanced ClickFix you’ve seen?",[2445],{"type":1268},{},{"nodeType":1249,"data":2448,"content":2452},{"target":2449},{"sys":2450},{"id":2451,"type":1246,"linkType":1247},"ID7VKJNOZk729P5zBOBjZ",[],{"nodeType":1193,"data":2454,"content":2455},{},[2456],{"nodeType":1192,"value":2457,"marks":2458,"data":2459},"Let’s break it down further.",[],{},{"nodeType":1260,"data":2461,"content":2462},{},[],{"nodeType":1270,"data":2464,"content":2465},{},[2466],{"nodeType":1192,"value":2467,"marks":2468,"data":2470},"How ClickFix pages are evolving",[2469],{"type":1268},{},{"nodeType":1193,"data":2472,"content":2473},{},[2474],{"nodeType":1192,"value":2475,"marks":2476,"data":2477},"The CloudFlare-based lure is a great example of how ClickFix pages themselves are evolving — and becoming increasingly convincing to users. ",[],{},{"nodeType":1249,"data":2479,"content":2483},{"target":2480},{"sys":2481},{"id":2482,"type":1246,"linkType":1247},"4wJOgtofImjbsekyXMc5Ec",[],{"nodeType":1193,"data":2485,"content":2486},{},[2487,2491,2496],{"nodeType":1192,"value":2488,"marks":2489,"data":2490},"This is an incredibly slick example — ",[],{},{"nodeType":1192,"value":2492,"marks":2493,"data":2495},"it almost looks like Cloudflare shipped a new kind of bot check service. ",[2494],{"type":1268},{},{"nodeType":1192,"value":2497,"marks":2498,"data":2499},"The embedded video, countdown timer, and counter for “users verified in the last hour” all serve to increase the sense of authenticity, and put extra pressure on the victim to complete the check. 
",[],{},{"nodeType":1193,"data":2501,"content":2502},{},[2503],{"nodeType":1192,"value":2504,"marks":2505,"data":2506},"There are a couple of extra things happening under the hood here, too:",[],{},{"nodeType":1462,"data":2508,"content":2509},{},[2510,2520],{"nodeType":1431,"data":2511,"content":2512},{},[2513],{"nodeType":1193,"data":2514,"content":2515},{},[2516],{"nodeType":1192,"value":2517,"marks":2518,"data":2519},"The page is adapting to the device that you’re visiting from, serving up instructions specific to the user’s Mac (increasingly common as ClickFix expands to support different Operating Systems).",[],{},{"nodeType":1431,"data":2521,"content":2522},{},[2523],{"nodeType":1193,"data":2524,"content":2525},{},[2526],{"nodeType":1192,"value":2527,"marks":2528,"data":2529},"The page is automatically copying the malicious code to the user’s clipboard via JavaScript (which we see in 9/10 cases).",[],{},{"nodeType":1193,"data":2531,"content":2532},{},[2533],{"nodeType":1192,"value":2534,"marks":2535,"data":2536},"For the past decade or more, user awareness has focused on stopping users from clicking links in suspicious emails, downloading risky files, and entering their username and password into random websites. It hasn’t focused on opening up a program and running a command — so it’s no surprise that this kind of highly convincing page is so effective at duping victims into following the instructions. 
",[],{},{"nodeType":1249,"data":2538,"content":2542},{"target":2539},{"sys":2540},{"id":2541,"type":1246,"linkType":1247},"LiVIyGxdAaUXUfvKjD6ON",[],{"nodeType":1260,"data":2544,"content":2545},{},[],{"nodeType":1270,"data":2547,"content":2548},{},[2549],{"nodeType":1192,"value":2550,"marks":2551,"data":2553},"How ClickFix delivery methods are evolving",[2552],{"type":1268},{},{"nodeType":1193,"data":2555,"content":2556},{},[2557,2561,2570,2574,2583],{"nodeType":1192,"value":2558,"marks":2559,"data":2560},"There’s also the fact that this page wasn’t accessed via email. The top delivery vector for ClickFix attacks that we’ve observed is, in fact, Google Search — in the form of ",[],{},{"nodeType":1354,"data":2562,"content":2564},{"uri":2563},"https://phishing-techniques.pushsecurity.com/techniques/malvertising/",[2565],{"nodeType":1192,"value":2566,"marks":2567,"data":2569},"poisoned search results and malicious advertising (malvertising)",[2568],{"type":1352},{},{"nodeType":1192,"value":2571,"marks":2572,"data":2573},". Attackers are either taking over legitimate sites (there’s a ",[],{},{"nodeType":1354,"data":2575,"content":2577},{"uri":2576},"https://www.bleepingcomputer.com/news/security/hackers-launch-mass-attacks-exploiting-outdated-wordpress-plugins/",[2578],{"nodeType":1192,"value":2579,"marks":2580,"data":2582},"steady supply of website hosting and CMS vulnerabilities",[2581],{"type":1352},{},{"nodeType":1192,"value":2584,"marks":2585,"data":2586}," to take advantage of) or simply vibe-coding their own sites and optimizing them for various search terms. 
",[],{},{"nodeType":1249,"data":2588,"content":2592},{"target":2589},{"sys":2590},{"id":2591,"type":1246,"linkType":1247},"6N9EmH6AaN6Hr4xk6ozATR",[],{"nodeType":1193,"data":2594,"content":2595},{},[2596,2600,2609],{"nodeType":1192,"value":2597,"marks":2598,"data":2599},"And because most anti-phishing controls are implemented via email, by using ",[],{},{"nodeType":1354,"data":2601,"content":2603},{"uri":2602},"https://pushsecurity.com/blog/why-attackers-are-moving-beyond-email-based-phishing?utm_source=thehackernews&utm_medium=sponsored-content&utm_term=article",[2604],{"nodeType":1192,"value":2605,"marks":2606,"data":2608},"non-email delivery vectors, an entire layer of detection opportunity is cut out",[2607],{"type":1352},{},{"nodeType":1192,"value":2610,"marks":2611,"data":2612},". ",[],{},{"nodeType":1249,"data":2614,"content":2618},{"target":2615},{"sys":2616},{"id":2617,"type":1246,"linkType":1247},"1CWsZlLFX9TS53J1uamOG8",[],{"nodeType":1193,"data":2620,"content":2621},{},[2622,2626,2634],{"nodeType":1192,"value":2623,"marks":2624,"data":2625},"But even when they are sent via email, ClickFix pages, like other modern phishing sites, are using a range of ",[],{},{"nodeType":1354,"data":2627,"content":2629},{"uri":2628},"https://pushsecurity.com/blog/phishing-detection-evasion-launch?utm_source=thehackernews&utm_medium=sponsored-content&utm_term=article",[2630],{"nodeType":1192,"value":1622,"marks":2631,"data":2633},[2632],{"type":1352},{},{"nodeType":1192,"value":2635,"marks":2636,"data":2637}," that prevent them being flagged by security tools — from email scanners, to web-crawling security tools, to web proxies analyzing network traffic. Detection evasion mainly involves camouflaging and rotating domains to stay ahead of known-bad detections (i.e. blocklists), using bot protection to prevent analysis, and heavily obfuscating page content to stop detection signatures firing. 
",[],{},{"nodeType":1193,"data":2639,"content":2640},{},[2641],{"nodeType":1192,"value":2642,"marks":2643,"data":2644},"Finally, because the code is copied inside the browser sandbox, typical security tools are unable to observe and flag this action as potentially malicious. This means that the last — and only — opportunity for organizations to stop ClickFix is on the endpoint, after the user has attempted to run the malicious code.",[],{},{"nodeType":1249,"data":2646,"content":2650},{"target":2647},{"sys":2648},{"id":2649,"type":1246,"linkType":1247},"3HiqpIBWWMr5FMi3IBzXcc",[],{"nodeType":1260,"data":2652,"content":2653},{},[],{"nodeType":1270,"data":2655,"content":2656},{},[2657],{"nodeType":1192,"value":2658,"marks":2659,"data":2661},"How ClickFix payloads are evolving",[2660],{"type":1268},{},{"nodeType":1193,"data":2663,"content":2664},{},[2665],{"nodeType":1192,"value":2666,"marks":2667,"data":2668},"It’s not just the ClickFix page and delivery mechanisms that are evolving — the services where code is being run, and the type of payload, are also increasingly varied. 
",[],{},{"nodeType":1193,"data":2670,"content":2671},{},[2672,2676,2685],{"nodeType":1192,"value":2673,"marks":2674,"data":2675},"While the main payloads observed by Push are mshta and PowerShell, ",[],{},{"nodeType":1354,"data":2677,"content":2679},{"uri":2678},"https://mhaggis.github.io/ClickGrab/techniques.html",[2680],{"nodeType":1192,"value":2681,"marks":2682,"data":2684},"attackers are abusing a wide range of LOLBINS",[2683],{"type":1352},{},{"nodeType":1192,"value":2686,"marks":2687,"data":2688}," targeting different services across Operating Systems.",[],{},{"nodeType":1193,"data":2690,"content":2691},{},[2692],{"nodeType":1192,"value":2693,"marks":2694,"data":2695},"While it is possible to disable the Win+R dialog box and limit the applications that can be run from the File Explorer address bar, it is not possible to similarly restrict users from interacting with other legitimate services to run malicious commands. ",[],{},{"nodeType":1193,"data":2697,"content":2698},{},[2699,2703,2712],{"nodeType":1192,"value":2700,"marks":2701,"data":2702},"Another recent example termed ",[],{},{"nodeType":1354,"data":2704,"content":2706},{"uri":2705},"https://expel.com/blog/cache-smuggling-when-a-picture-isnt-a-thousand-words/",[2707],{"nodeType":1192,"value":2708,"marks":2709,"data":2711},"cache smuggling",[2710],{"type":1352},{},{"nodeType":1192,"value":2713,"marks":2714,"data":2715}," was also identified by security researchers. This technique combines a ClickFix approach with JavaScript that caches a malicious file posing as a JPG. This means that the ClickFix command executes locally — effectively getting an entire zip file onto the local system without the PowerShell command needing to make any web requests.",[],{},{"nodeType":1193,"data":2717,"content":2718},{},[2719],{"nodeType":1192,"value":2720,"marks":2721,"data":2722},"Finally, it’s worth considering the future of ClickFix. 
The current attack path straddles browser and endpoint — what if it could take place entirely in the browser and evade EDR altogether? ",[],{},{"nodeType":1249,"data":2724,"content":2728},{"target":2725},{"sys":2726},{"id":2727,"type":1246,"linkType":1247},"2rUDKawJnrmZVtxfNcSNha",[],{"nodeType":1260,"data":2730,"content":2731},{},[],{"nodeType":1270,"data":2733,"content":2734},{},[2735],{"nodeType":1192,"value":2736,"marks":2737,"data":2739},"What’s the impact of ClickFix evolution?",[2738],{"type":1268},{},{"nodeType":1193,"data":2741,"content":2742},{},[2743],{"nodeType":1192,"value":2744,"marks":2745,"data":2746},"To summarize:",[],{},{"nodeType":1462,"data":2748,"content":2749},{},[2750,2760,2770],{"nodeType":1431,"data":2751,"content":2752},{},[2753],{"nodeType":1193,"data":2754,"content":2755},{},[2756],{"nodeType":1192,"value":2757,"marks":2758,"data":2759},"ClickFix pages are becoming increasingly sophisticated, making it more likely that victims will fall for the social engineering.",[],{},{"nodeType":1431,"data":2761,"content":2762},{},[2763],{"nodeType":1193,"data":2764,"content":2765},{},[2766],{"nodeType":1192,"value":2767,"marks":2768,"data":2769},"ClickFix delivery is evading traditional monitoring controls at the email layer to reach victims. ",[],{},{"nodeType":1431,"data":2771,"content":2772},{},[2773],{"nodeType":1193,"data":2774,"content":2775},{},[2776],{"nodeType":1192,"value":2777,"marks":2778,"data":2779},"ClickFix payloads are becoming more varied and are finding new ways to evade security controls. ",[],{},{"nodeType":1193,"data":2781,"content":2782},{},[2783],{"nodeType":1192,"value":2784,"marks":2785,"data":2786},"This means that EDR-based interception of malware execution is the last — and only — real line of defense for most organizations, kicking in after the initial script has been run (typically acting as a stager for the real malware). 
",[],{},{"nodeType":1193,"data":2788,"content":2789},{},[2790],{"nodeType":1192,"value":2791,"marks":2792,"data":2793},"Malware execution can and should be intercepted by EDR, but it’s not foolproof. ",[],{},{"nodeType":1462,"data":2795,"content":2796},{},[2797,2820,2830],{"nodeType":1431,"data":2798,"content":2799},{},[2800],{"nodeType":1193,"data":2801,"content":2802},{},[2803,2807,2816],{"nodeType":1192,"value":2804,"marks":2805,"data":2806},"Attackers are constantly ",[],{},{"nodeType":1354,"data":2808,"content":2810},{"uri":2809},"https://www.infostealers.com/article/logins-zip-leverages-chromium-zero-day-stealthy-infostealer-builder-promises-99-credential-theft-in-under-12-seconds/",[2811],{"nodeType":1192,"value":2812,"marks":2813,"data":2815},"developing new tools and capabilities",[2814],{"type":1352},{},{"nodeType":1192,"value":2817,"marks":2818,"data":2819}," to bypass EDR in the cat-and-mouse game between attackers and defenders.",[],{},{"nodeType":1431,"data":2821,"content":2822},{},[2823],{"nodeType":1193,"data":2824,"content":2825},{},[2826],{"nodeType":1192,"value":2827,"marks":2828,"data":2829},"Because ClickFix attacks are user-initiated, context might be missing, which can lead to the alert being misclassified. This can determine the priority level of the alert that is raised, and whether or not it is automatically blocked.",[],{},{"nodeType":1431,"data":2831,"content":2832},{},[2833],{"nodeType":1193,"data":2834,"content":2835},{},[2836],{"nodeType":1192,"value":2837,"marks":2838,"data":2839},"If you’re an organization that allows employees and contractors to use unmanaged BYOD devices, there’s a strong chance that there are gaps in your EDR coverage.",[],{},{"nodeType":1193,"data":2841,"content":2842},{},[2843,2847,2855],{"nodeType":1192,"value":2844,"marks":2845,"data":2846},"This is why attackers are doubling down. 
According to the ",[],{},{"nodeType":1354,"data":2848,"content":2850},{"uri":2849},"https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/msc/documents/presentations/CSR/Microsoft-Digital-Defense-Report-2025.pdf#page=1",[2851],{"nodeType":1192,"value":2852,"marks":2853,"data":2854},"2025 Microsoft Digital Defense report",[],{},{"nodeType":1192,"value":2856,"marks":2857,"data":2858},", ClickFix was the most common initial access method in the last year, accounting for 47% of attacks. That's a pretty significant stat.",[],{},{"nodeType":2860,"data":2861,"content":2862},"blockquote",{},[2863],{"nodeType":1193,"data":2864,"content":2865},{},[2866],{"nodeType":1192,"value":2867,"marks":2868,"data":2869},"47% of attacks started with ClickFix in the last year, according to Microsoft.",[],{},{"nodeType":1193,"data":2871,"content":2872},{},[2873],{"nodeType":1192,"value":2874,"marks":2875,"data":2876},"Ultimately, organizations are leaving themselves relying on a single line of defense — if the attack isn’t detected and blocked by EDR, it isn’t spotted at all. ",[],{},{"nodeType":1260,"data":2878,"content":2879},{},[],{"nodeType":1270,"data":2881,"content":2882},{},[2883],{"nodeType":1192,"value":2884,"marks":2885,"data":2887},"Don’t gamble on a single point of failure ",[2886],{"type":1268},{},{"nodeType":1193,"data":2889,"content":2890},{},[2891,2895,2904],{"nodeType":1192,"value":2892,"marks":2893,"data":2894},"Push Security’s latest feature, ",[],{},{"nodeType":1354,"data":2896,"content":2898},{"uri":2897},"https://pushsecurity.com/blog/introducing-malicious-copy-paste-detection?utm_source=thehackernews&utm_medium=sponsored-content&utm_term=article",[2899],{"nodeType":1192,"value":2900,"marks":2901,"data":2903},"malicious copy and paste detection",[2902],{"type":1352},{},{"nodeType":1192,"value":2905,"marks":2906,"data":2907},", tackles ClickFix-style attacks at the earliest opportunity through browser-based detection and blocking. 
This is a universally effective control that works regardless of the lure delivery channel, page style and structure, or the specifics of the malware type and execution.",[],{},{"nodeType":1193,"data":2909,"content":2910},{},[2911],{"nodeType":1192,"value":2912,"marks":2913,"data":2914},"Unlike heavy-handed DLP solutions that block copy-paste altogether, Push protects your employees without disrupting their user experience or hampering productivity.",[],{},{"nodeType":1193,"data":2916,"content":2917},{},[2918],{"nodeType":1192,"value":2919,"marks":2920,"data":2921},"By adding a new layer of protection in the browser, security teams can reduce the strain on their EDR and reduce the risk of host-based controls being bypassed through misconfiguration or attacker innovation. ",[],{},{"nodeType":1249,"data":2923,"content":2927},{"target":2924},{"sys":2925},{"id":2926,"type":1246,"linkType":1247},"sALkMt8UbTZ2f34hKvGLj",[],{"nodeType":1260,"data":2929,"content":2930},{},[],{"nodeType":1270,"data":2932,"content":2933},{},[2934],{"nodeType":1192,"value":2935,"marks":2936,"data":2938},"Learn more",[2937],{"type":1268},{},{"nodeType":1193,"data":2940,"content":2941},{},[2942,2946,2955],{"nodeType":1192,"value":2943,"marks":2944,"data":2945},"If you want to learn more about ClickFix attacks and how they’re evolving, ",[],{},{"nodeType":1354,"data":2947,"content":2949},{"uri":2948},"https://pushsecurity.com/resources/clickfix",[2950],{"nodeType":1192,"value":2951,"marks":2952,"data":2954},"check out our latest webinar (now available on-demand!)",[2953],{"type":1352},{},{"nodeType":1192,"value":2956,"marks":2957,"data":2958}," where we dive into real-world ClickFix examples and demonstrate how ClickFix sites work under the hood. 
",[],{},{"nodeType":1193,"data":2960,"content":2961},{},[2962,2965,2972,2975,2982],{"nodeType":1192,"value":1787,"marks":2963,"data":2964},[],{},{"nodeType":1354,"data":2966,"content":2967},{"uri":1790},[2968],{"nodeType":1192,"value":1796,"marks":2969,"data":2971},[2970],{"type":1352},{},{"nodeType":1192,"value":1800,"marks":2973,"data":2974},[],{},{"nodeType":1354,"data":2976,"content":2977},{"uri":1803},[2978],{"nodeType":1192,"value":1809,"marks":2979,"data":2981},[2980],{"type":1352},{},{"nodeType":1192,"value":1813,"marks":2983,"data":2984},[],{},{"nodeType":1249,"data":2986,"content":2989},{"target":2987},{"sys":2988},{"id":2541,"type":1246,"linkType":1247},[],{"nodeType":1193,"data":2991,"content":2992},{},[2993],{"nodeType":1192,"value":37,"marks":2994,"data":2995},[],{},"The most advanced ClickFix yet?","Breaking down the most sophisticated ClickFix page we’ve seen in the wild — and what it tells us about the future of malicious copy-and-paste attacks. ","2025-11-06T00:00:00.000Z","the-most-advanced-clickfix-yet",{"items":3001},[3002,3004],{"sys":3003,"name":1209},{"id":1208},{"sys":3005,"name":1205},{"id":1204},{"items":3007},[3008],{"fullName":2409,"firstName":2410,"jobTitle":2411,"profilePicture":3009},{"url":2413},{"items":3011},[3012],{"fullName":1839,"firstName":1840,"jobTitle":1841,"profilePicture":3013},{"url":1843},{"json":3015,"links":3859},{"nodeType":1194,"data":3016,"content":3017},{},[3018,3026,3033,3040,3047,3059,3066,3072,3078,3081,3089,3096,3103,3109,3128,3135,3141,3148,3154,3161,3204,3210,3216,3223,3230,3233,3241,3261,3268,3274,3292,3297,3316,3323,3326,3334,3341,3387,3399,3402,3410,3427,3434,3450,3457,3464,3470,3477,3480,3488,3495,3548,3555,3558,3566,3572,3579,3586,3592,3599,3632,3639,3646,3652,3659,3665,3672,3692,3699,3732,3739,3772,3775,3783,3790,3796,3815,3822,3848,3853],{"nodeType":1270,"data":3019,"content":3020},{},[3021],{"nodeType":1192,"value":3022,"marks":3023,"data":3025},"Introducing “ConsentFix” — a new kind of phishing 
attack",[3024],{"type":1268},{},{"nodeType":1193,"data":3027,"content":3028},{},[3029],{"nodeType":1192,"value":3030,"marks":3031,"data":3032},"The Push browser agent recently detected and blocked a new attack technique seen targeting several Push customers. ",[],{},{"nodeType":1193,"data":3034,"content":3035},{},[3036],{"nodeType":1192,"value":3037,"marks":3038,"data":3039},"This is a new kind of browser-based attack technique that takes over user accounts with a simple copy and paste. If you’re already logged into the app in your browser, you don’t even need to supply creds, or pass an MFA check — meaning it effectively circumvents phishing-resistant auth like passkeys too.",[],{},{"nodeType":1193,"data":3041,"content":3042},{},[3043],{"nodeType":1192,"value":3044,"marks":3045,"data":3046},"This is so different from the AiTM phish kits we usually come up against that we felt it deserved a new name. ",[],{},{"nodeType":1193,"data":3048,"content":3049},{},[3050,3055],{"nodeType":1192,"value":3051,"marks":3052,"data":3054},"Enter: ConsentFix. ",[3053],{"type":1268},{},{"nodeType":1192,"value":3056,"marks":3057,"data":3058},"This attack shares a lot of similarities with ClickFix/FileFix, AiTM phishing, and OAuth Consent Phishing. You can think of this as a browser-native ClickFix attack that phishes an OAuth token on a target app by getting the victim to copy and paste a URL containing OAuth key material into a phishing page. ",[],{},{"nodeType":1193,"data":3060,"content":3061},{},[3062],{"nodeType":1192,"value":3063,"marks":3064,"data":3065},"The campaign we detected looks to be specifically targeting Microsoft accounts by abusing the Azure CLI OAuth app. Essentially, the attacker tricks the victim into logging into Azure CLI, by generating an OAuth authorization code — visible in a localhost URL — and then pasting that URL (including the code) into an attacker-controlled page. 
This then creates an OAuth connection between the victim’s Microsoft account and the attacker’s Azure CLI instance. ",[],{},{"nodeType":1249,"data":3067,"content":3071},{"target":3068},{"sys":3069},{"id":3070,"type":1246,"linkType":1247},"5GTnqWIbmraz8HZeHMybrP",[],{"nodeType":1249,"data":3073,"content":3077},{"target":3074},{"sys":3075},{"id":3076,"type":1246,"linkType":1247},"1lcjX5q3b1bsuhyOXKvJpW",[],{"nodeType":1260,"data":3079,"content":3080},{},[],{"nodeType":1270,"data":3082,"content":3083},{},[3084],{"nodeType":1192,"value":3085,"marks":3086,"data":3088},"How ConsentFix works",[3087],{"type":1268},{},{"nodeType":1193,"data":3090,"content":3091},{},[3092],{"nodeType":1192,"value":3093,"marks":3094,"data":3095},"In all of the examples we saw, the victim accessed a malicious or compromised webpage via Google Search. The vast majority of the sites we’ve seen associated with the campaign are legitimate, compromised websites with high domain reputation that are easily findable via search engines.",[],{},{"nodeType":1193,"data":3097,"content":3098},{},[3099],{"nodeType":1192,"value":3100,"marks":3101,"data":3102},"The attacker had injected a fake Cloudflare Turnstile into the compromised websites, requiring an email address to be supplied in order to proceed. 
",[],{},{"nodeType":1249,"data":3104,"content":3108},{"target":3105},{"sys":3106},{"id":3107,"type":1246,"linkType":1247},"39jEjeLqOYIkGc4o9w3MuX",[],{"nodeType":1193,"data":3110,"content":3111},{},[3112,3116,3124],{"nodeType":1192,"value":3113,"marks":3114,"data":3115},"This acted as a form of ",[],{},{"nodeType":1354,"data":3117,"content":3118},{"uri":1346},[3119],{"nodeType":1192,"value":3120,"marks":3121,"data":3123},"conditional loading",[3122],{"type":1352},{},{"nodeType":1192,"value":3125,"marks":3126,"data":3127}," that would only continue if a valid email address and domain was supplied, designed to prevent the page from being analysed by security bots, analysts, and low-value accounts that run the risk of exposing the campaign before the intended recipient(s) can be phished. ",[],{},{"nodeType":1193,"data":3129,"content":3130},{},[3131],{"nodeType":1192,"value":3132,"marks":3133,"data":3134},"If a domain not on the target list was provided, the victim was passed back to the original website and the attack did not progress to the next stage. Further, once the check has concluded for a given IP address, the phishing page will no longer activate, even if a different email is provided.  
",[],{},{"nodeType":1249,"data":3136,"content":3140},{"target":3137},{"sys":3138},{"id":3139,"type":1246,"linkType":1247},"7ttmGnTzi9j87tBXfyFcOA",[],{"nodeType":1193,"data":3142,"content":3143},{},[3144],{"nodeType":1192,"value":3145,"marks":3146,"data":3147},"After entering an approved email address, the next stage was loaded, prompting the victim to complete a set of instructions on the page to continue.",[],{},{"nodeType":1249,"data":3149,"content":3153},{"target":3150},{"sys":3151},{"id":3152,"type":1246,"linkType":1247},"2oHYNoMgAz6MdgLlcWjbaB",[],{"nodeType":1193,"data":3155,"content":3156},{},[3157],{"nodeType":1192,"value":3158,"marks":3159,"data":3160},"To complete the attack, the victim must:",[],{},{"nodeType":1462,"data":3162,"content":3163},{},[3164,3174,3184,3194],{"nodeType":1431,"data":3165,"content":3166},{},[3167],{"nodeType":1193,"data":3168,"content":3169},{},[3170],{"nodeType":1192,"value":3171,"marks":3172,"data":3173},"Click the “Sign In” button. This opens a new tab that loads a legitimate Microsoft URL associated with the user account/email used to access the page.",[],{},{"nodeType":1431,"data":3175,"content":3176},{},[3177],{"nodeType":1193,"data":3178,"content":3179},{},[3180],{"nodeType":1192,"value":3181,"marks":3182,"data":3183},"If the user is already logged into Microsoft in their browser, they simply need to select their MS account from the dropdown. Otherwise, they will be required to login via the legitimate Microsoft login URL (no phishing takes place at this stage). ",[],{},{"nodeType":1431,"data":3185,"content":3186},{},[3187],{"nodeType":1193,"data":3188,"content":3189},{},[3190],{"nodeType":1192,"value":3191,"marks":3192,"data":3193},"Once logged into legit Microsoft or the account is selected from the dropdown, the user is redirected to localhost, which generates a URL containing a code associated with the user’s Microsoft account. 
",[],{},{"nodeType":1431,"data":3195,"content":3196},{},[3197],{"nodeType":1193,"data":3198,"content":3199},{},[3200],{"nodeType":1192,"value":3201,"marks":3202,"data":3203},"To complete the phish, the victim copies the URL and pastes it onto the original page. ",[],{},{"nodeType":1249,"data":3205,"content":3209},{"target":3206},{"sys":3207},{"id":3208,"type":1246,"linkType":1247},"7zendMbmCViGwtEpUQvq6y",[],{"nodeType":1249,"data":3211,"content":3215},{"target":3212},{"sys":3213},{"id":3214,"type":1246,"linkType":1247},"1eZOs7hXi9FzCE92QEP6xh",[],{"nodeType":1193,"data":3217,"content":3218},{},[3219],{"nodeType":1192,"value":3220,"marks":3221,"data":3222},"Once the steps are completed, the victim has granted the attacker access to their Microsoft account via Azure CLI. ",[],{},{"nodeType":1193,"data":3224,"content":3225},{},[3226],{"nodeType":1192,"value":3227,"marks":3228,"data":3229},"At this point, the attacker has effective control of the victim’s Microsoft account, but without ever needing to phish a password, or pass an MFA check. In fact, if the user was already logged in to their Microsoft account (i.e. they had an active session) no login is required at all. ",[],{},{"nodeType":1260,"data":3231,"content":3232},{},[],{"nodeType":1270,"data":3234,"content":3235},{},[3236],{"nodeType":1192,"value":3237,"marks":3238,"data":3240},"The next evolution of ClickFix?",[3239],{"type":1268},{},{"nodeType":1193,"data":3242,"content":3243},{},[3244,3248,3257],{"nodeType":1192,"value":3245,"marks":3246,"data":3247},"When we presented ",[],{},{"nodeType":1354,"data":3249,"content":3251},{"uri":3250},"https://pushsecurity.com/webinar/clickfix",[3252],{"nodeType":1192,"value":3253,"marks":3254,"data":3256},"our last webinar on ClickFix",[3255],{"type":1352},{},{"nodeType":1192,"value":3258,"marks":3259,"data":3260},", we predicted that the next evolution of the attack would happen entirely within the browser context. 
This is because any attack that touches the endpoint (a traditionally much better protected surface) is way more likely to be detected. And with many ClickFix attacks being used to deliver infostealer malware, these attacks are really trying to get back into the browser anyway — to steal credentials and sessions stored there. ",[],{},{"nodeType":1193,"data":3262,"content":3263},{},[3264],{"nodeType":1192,"value":3265,"marks":3266,"data":3267},"Let’s take a closer look at the page — if you follow Push research, you might be getting déjà vu. ",[],{},{"nodeType":1249,"data":3269,"content":3273},{"target":3270},{"sys":3271},{"id":3272,"type":1246,"linkType":1247},"1vMZCJ92IxFdR1EzzCOOvb",[],{"nodeType":1193,"data":3275,"content":3276},{},[3277,3281,3289],{"nodeType":1192,"value":3278,"marks":3279,"data":3280},"We’ve seen this kind of embedded video player before (albeit a slicker looking one) that we blogged about as ",[],{},{"nodeType":1354,"data":3282,"content":3283},{"uri":1649},[3284],{"nodeType":1192,"value":3285,"marks":3286,"data":3288},"the most advanced ClickFix we’d seen",[3287],{"type":1352},{},{"nodeType":1192,"value":1813,"marks":3290,"data":3291},[],{},{"nodeType":1249,"data":3293,"content":3296},{"target":3294},{"sys":3295},{"id":2451,"type":1246,"linkType":1247},[],{"nodeType":1193,"data":3298,"content":3299},{},[3300,3304,3312],{"nodeType":1192,"value":3301,"marks":3302,"data":3303},"Another similarity with ClickFix campaigns we’ve investigated is the use of Google Search as a delivery vector. 4 in 5 ClickFix attacks intercepted by Push came via Google Search, with attackers using ",[],{},{"nodeType":1354,"data":3305,"content":3306},{"uri":2563},[3307],{"nodeType":1192,"value":3308,"marks":3309,"data":3311},"malvertising",[3310],{"type":1352},{},{"nodeType":1192,"value":3313,"marks":3314,"data":3315}," and either compromised or custom vibe-coded websites to intercept users as they browse the internet. 
",[],{},{"nodeType":1193,"data":3317,"content":3318},{},[3319],{"nodeType":1192,"value":3320,"marks":3321,"data":3322},"So it seems highly likely that this is a kind of browser-native evolution of ClickFix that shares many elements with typical ClickFix attacks, and is probably used by the same groups of attackers.",[],{},{"nodeType":1260,"data":3324,"content":3325},{},[],{"nodeType":1270,"data":3327,"content":3328},{},[3329],{"nodeType":1192,"value":3330,"marks":3331,"data":3333},"OAuth shenanigans via Azure CLI",[3332],{"type":1268},{},{"nodeType":1193,"data":3335,"content":3336},{},[3337],{"nodeType":1192,"value":3338,"marks":3339,"data":3340},"The clever use of Azure CLI and OAuth consent abuse is another clever iteration on previous techniques. ",[],{},{"nodeType":1193,"data":3342,"content":3343},{},[3344,3348,3357,3361,3370,3374,3383],{"nodeType":1192,"value":3345,"marks":3346,"data":3347},"We’ve previously seen ",[],{},{"nodeType":1354,"data":3349,"content":3351},{"uri":3350},"https://phishing-techniques.pushsecurity.com/techniques/consent-phishing/",[3352],{"nodeType":1192,"value":3353,"marks":3354,"data":3356},"consent phishing",[3355],{"type":1352},{},{"nodeType":1192,"value":3358,"marks":3359,"data":3360}," and ",[],{},{"nodeType":1354,"data":3362,"content":3364},{"uri":3363},"https://phishing-techniques.pushsecurity.com/techniques/device-code-phishing/",[3365],{"nodeType":1192,"value":3366,"marks":3367,"data":3369},"device code phishing",[3368],{"type":1352},{},{"nodeType":1192,"value":3371,"marks":3372,"data":3373}," attacks where attackers have tricked victims into connecting malicious external apps into their tenant via OAuth, but this is becoming increasingly difficult in core enterprise cloud environments like Azure due to 
",[],{},{"nodeType":1354,"data":3375,"content":3377},{"uri":3376},"https://learn.microsoft.com/en-us/microsoft-365/admin/misc/user-consent?view=o365-worldwide",[3378],{"nodeType":1192,"value":3379,"marks":3380,"data":3382},"stricter default configs",[3381],{"type":1352},{},{"nodeType":1192,"value":3384,"marks":3385,"data":3386},". However, since Azure CLI is a first-party Microsoft app, it is implicitly trusted in Entra ID, and is excluded from these restrictions. ",[],{},{"nodeType":1193,"data":3388,"content":3389},{},[3390,3394],{"nodeType":1192,"value":3391,"marks":3392,"data":3393},"First-party apps like Azure CLI are trusted by default in all tenants, allowed to request permissions without admin approval, and cannot be deleted or blocked. They can also be granted special permissions, such as tenant-wide service permissions (without needing admin approval), use of legacy or undocumented graph scopes, internal scopes for Microsoft client operations, and permissions for Office/Entra admin functions. ",[],{},{"nodeType":1192,"value":3395,"marks":3396,"data":3398},"This makes Azure CLI a prime target for attackers, and significantly more exploitable than when connecting a third-party app. ",[3397],{"type":1268},{},{"nodeType":1260,"data":3400,"content":3401},{},[],{"nodeType":1270,"data":3403,"content":3404},{},[3405],{"nodeType":1192,"value":3406,"marks":3407,"data":3409},"Advanced detection evasion techniques",[3408],{"type":1268},{},{"nodeType":1193,"data":3411,"content":3412},{},[3413,3417,3423],{"nodeType":1192,"value":3414,"marks":3415,"data":3416},"This campaign features some of the most advanced ",[],{},{"nodeType":1354,"data":3418,"content":3419},{"uri":1361},[3420],{"nodeType":1192,"value":1622,"marks":3421,"data":3422},[],{},{"nodeType":1192,"value":3424,"marks":3425,"data":3426}," we've seen in the wild. 
",[],{},{"nodeType":1193,"data":3428,"content":3429},{},[3430],{"nodeType":1192,"value":3431,"marks":3432,"data":3433},"As well as the use of Google Search to deliver the lure, and bot protection to prevent security tools from analysing the page, there were multiple layers of anti-analysis techniques to navigate.",[],{},{"nodeType":1193,"data":3435,"content":3436},{},[3437,3441,3446],{"nodeType":1192,"value":3438,"marks":3439,"data":3440},"We already mentioned the use of selective targeting based on email addresses and domain names. But all sites involved in the campaign also have synchronized IP blocking — meaning if you visit one site and are served one of the associated phishing pages, the phish will never be served again, ",[],{},{"nodeType":1192,"value":3442,"marks":3443,"data":3445},"across any of the sites linked to the campaign",[3444],{"type":1268},{},{"nodeType":1192,"value":3447,"marks":3448,"data":3449},". When you visit any of the sites again, the phish won't trigger, and it can be browsed as normal. ",[],{},{"nodeType":1193,"data":3451,"content":3452},{},[3453],{"nodeType":1192,"value":3454,"marks":3455,"data":3456},"On the backend, there are multiple checks based on your IP and identifiers unique to your session. Unless all of the conditions are met, certain JavaScript packages won't be served — preventing full inspection of the page to detect malicious elements. 
",[],{},{"nodeType":1193,"data":3458,"content":3459},{},[3460],{"nodeType":1192,"value":3461,"marks":3462,"data":3463},"If the conditions aren't met, the page may not load the Cloudflare Turnstile check at all, or will redirect you back to the site to continue browsing as normal.",[],{},{"nodeType":1249,"data":3465,"content":3469},{"target":3466},{"sys":3467},{"id":3468,"type":1246,"linkType":1247},"5v0zDoscA6pYLBfkXrNtIH",[],{"nodeType":1193,"data":3471,"content":3472},{},[3473],{"nodeType":1192,"value":3474,"marks":3475,"data":3476},"All of these make it incredibly hard to detect and block these attacks ahead of time when relying on URL-based checks and traffic analysis.",[],{},{"nodeType":1260,"data":3478,"content":3479},{},[],{"nodeType":1270,"data":3481,"content":3482},{},[3483],{"nodeType":1192,"value":3484,"marks":3485,"data":3487},"Key takeaways",[3486],{"type":1268},{},{"nodeType":1193,"data":3489,"content":3490},{},[3491],{"nodeType":1192,"value":3492,"marks":3493,"data":3494},"ConsentFix is a dangerous evolution of ClickFix and consent phishing that is incredibly hard for traditional security tools to detect and block, as:",[],{},{"nodeType":1462,"data":3496,"content":3497},{},[3498,3508,3518,3528,3538],{"nodeType":1431,"data":3499,"content":3500},{},[3501],{"nodeType":1193,"data":3502,"content":3503},{},[3504],{"nodeType":1192,"value":3505,"marks":3506,"data":3507},"The attack happens entirely inside the browser context, removing one of the key detection opportunities for ClickFix (because it doesn’t touch the endpoint).",[],{},{"nodeType":1431,"data":3509,"content":3510},{},[3511],{"nodeType":1193,"data":3512,"content":3513},{},[3514],{"nodeType":1192,"value":3515,"marks":3516,"data":3517},"Delivering the lure via a Google Search watering hole attack completely circumvents email-based anti-phishing 
controls.",[],{},{"nodeType":1431,"data":3519,"content":3520},{},[3521],{"nodeType":1193,"data":3522,"content":3523},{},[3524],{"nodeType":1192,"value":3525,"marks":3526,"data":3527},"Targeting a first-party app like Azure CLI means that many of the mitigating controls available for third-party app integrations do not apply — making this attack way harder to prevent.",[],{},{"nodeType":1431,"data":3529,"content":3530},{},[3531],{"nodeType":1193,"data":3532,"content":3533},{},[3534],{"nodeType":1192,"value":3535,"marks":3536,"data":3537},"Because there’s no login required, phishing-resistant authentication controls like passkeys have no impact on this attack. ",[],{},{"nodeType":1431,"data":3539,"content":3540},{},[3541],{"nodeType":1193,"data":3542,"content":3543},{},[3544],{"nodeType":1192,"value":3545,"marks":3546,"data":3547},"The use of advanced detection evasion techniques makes this attack difficult to investigate, meaning these attacks are going undetected. ",[],{},{"nodeType":1193,"data":3549,"content":3550},{},[3551],{"nodeType":1192,"value":3552,"marks":3553,"data":3554},"We’re sure to see more examples of ConsentFix in future. We’ll be monitoring to see how attackers adapt in terms of integrating these capabilities with common as-a-Service offerings to make them more widespread, and whether the scope extends further beyond Microsoft / Azure CLI targets in the future to target other enterprise cloud ecosystems. 
",[],{},{"nodeType":1260,"data":3556,"content":3557},{},[],{"nodeType":1270,"data":3559,"content":3560},{},[3561],{"nodeType":1192,"value":3562,"marks":3563,"data":3565},"Recommendations",[3564],{"type":1268},{},{"nodeType":1249,"data":3567,"content":3571},{"target":3568},{"sys":3569},{"id":3570,"type":1246,"linkType":1247},"3aBCwdB2aNnLRxRN5RrshC",[],{"nodeType":1193,"data":3573,"content":3574},{},[3575],{"nodeType":1192,"value":3576,"marks":3577,"data":3578},"On the backend, exploitation of this attack will lead to login events being observed for the Microsoft Azure CLI app. Legitimate use of this app will most likely be limited to system administrators and possibly developers. Therefore, logins outside of these groups will be inherently more suspicious.",[],{},{"nodeType":1193,"data":3580,"content":3581},{},[3582],{"nodeType":1192,"value":3583,"marks":3584,"data":3585},"Additionally, it’s possible that aspects of the logins themselves will be different between legitimate Azure CLI use and exploitation of this attack. For example, see the following logs from a lab environment. The login events with an application of “Microsoft Azure CLI” and a resource of “Azure Resource Manager” were legitimate use of the Azure CLI using the PowerShell CLI framework. Conversely, the login event with the Resource of “Windows Azure Active Directory” was produced by logging in using the method used by the phishing kit.",[],{},{"nodeType":1249,"data":3587,"content":3591},{"target":3588},{"sys":3589},{"id":3590,"type":1246,"linkType":1247},"6ie0nkk6XbgwidfwmiGwL4",[],{"nodeType":1193,"data":3593,"content":3594},{},[3595],{"nodeType":1192,"value":3596,"marks":3597,"data":3598},"There is no guarantee this can be used to differentiate between legitimate and malicious examples, but it’s another data point to consider. 
If searching logs, you may wish to use the respective GUIDs for the Microsoft Azure CLI application and the Windows Azure Active Directory resource:",[],{},{"nodeType":1462,"data":3600,"content":3601},{},[3602,3617],{"nodeType":1431,"data":3603,"content":3604},{},[3605],{"nodeType":1193,"data":3606,"content":3607},{},[3608,3613],{"nodeType":1192,"value":3609,"marks":3610,"data":3612},"Application ID",[3611],{"type":1268},{},{"nodeType":1192,"value":3614,"marks":3615,"data":3616}," = 04b07795-8ddb-461a-bbee-02f9e1bf7b46",[],{},{"nodeType":1431,"data":3618,"content":3619},{},[3620],{"nodeType":1193,"data":3621,"content":3622},{},[3623,3628],{"nodeType":1192,"value":3624,"marks":3625,"data":3627},"Resource ID",[3626],{"type":1268},{},{"nodeType":1192,"value":3629,"marks":3630,"data":3631}," = 00000002-0000-0000-c000-000000000000",[],{},{"nodeType":1193,"data":3633,"content":3634},{},[3635],{"nodeType":1192,"value":3636,"marks":3637,"data":3638},"For interactive logins, like above, you cannot rely on looking for logins from suspicious IP addresses or locations. The login itself occurs from the victim’s browser directly to Microsoft, and so the IP addresses associated with these events will be the legitimate IP used by the target user, not by the threat actor. ",[],{},{"nodeType":1193,"data":3640,"content":3641},{},[3642],{"nodeType":1192,"value":3643,"marks":3644,"data":3645},"However, for non-interactive logins and other audit logs for actions taken, you may be able to uncover unusual IP addresses that differ from the original interactive login. 
For example, here are some non-interactive logins that were observed immediately after compromise that came from different IP addresses in both the US and Indonesia.",[],{},{"nodeType":1249,"data":3647,"content":3651},{"target":3648},{"sys":3649},{"id":3650,"type":1246,"linkType":1247},"TD3YeWqgGIWIWM8FRHU4o",[],{"nodeType":1193,"data":3653,"content":3654},{},[3655],{"nodeType":1192,"value":3656,"marks":3657,"data":3658},"Interestingly, they differ in which resources they accessed, with one accessing the Windows Azure Active Directory resource ID like the interactive login, but two others accessing the Microsoft Intune Checkin resource ID. ",[],{},{"nodeType":1249,"data":3660,"content":3664},{"target":3661},{"sys":3662},{"id":3663,"type":1246,"linkType":1247},"57PqDQiAiwzqkspVpROQXb",[],{"nodeType":1668,"data":3666,"content":3667},{},[3668],{"nodeType":1192,"value":1741,"marks":3669,"data":3671},[3670],{"type":1268},{},{"nodeType":1193,"data":3673,"content":3674},{},[3675,3679,3688],{"nodeType":1192,"value":3676,"marks":3677,"data":3678},"Short-lived IoCs are of limited value when tackling modern phishing attacks due to the rate at which attackers are able to ",[],{},{"nodeType":1354,"data":3680,"content":3682},{"uri":3681},"https://phishing-techniques.pushsecurity.com/techniques/domain-rotation-redirection/",[3683],{"nodeType":1192,"value":3684,"marks":3685,"data":3687},"quickly spin up and rotate the sites used",[3686],{"type":1352},{},{"nodeType":1192,"value":3689,"marks":3690,"data":3691}," in the attack chain, often dynamically serving different URLs to site visitors. 
",[],{},{"nodeType":1193,"data":3693,"content":3694},{},[3695],{"nodeType":1192,"value":3696,"marks":3697,"data":3698},"That said, the domains used to deliver the final phishing payload were:",[],{},{"nodeType":1462,"data":3700,"content":3701},{},[3702,3712,3722],{"nodeType":1431,"data":3703,"content":3704},{},[3705],{"nodeType":1193,"data":3706,"content":3707},{},[3708],{"nodeType":1192,"value":3709,"marks":3710,"data":3711},"hxxps://trustpointassurance.com/",[],{},{"nodeType":1431,"data":3713,"content":3714},{},[3715],{"nodeType":1193,"data":3716,"content":3717},{},[3718],{"nodeType":1192,"value":3719,"marks":3720,"data":3721},"hxxps://fastwaycheck.com/",[],{},{"nodeType":1431,"data":3723,"content":3724},{},[3725],{"nodeType":1193,"data":3726,"content":3727},{},[3728],{"nodeType":1192,"value":3729,"marks":3730,"data":3731},"hxxps://previewcentral.com",[],{},{"nodeType":1193,"data":3733,"content":3734},{},[3735],{"nodeType":1192,"value":3736,"marks":3737,"data":3738},"In addition, we recommend hunting for connections from the following IPs in Azure logs:",[],{},{"nodeType":1462,"data":3740,"content":3741},{},[3742,3752,3762],{"nodeType":1431,"data":3743,"content":3744},{},[3745],{"nodeType":1193,"data":3746,"content":3747},{},[3748],{"nodeType":1192,"value":3749,"marks":3750,"data":3751},"12.75.216.90",[],{},{"nodeType":1431,"data":3753,"content":3754},{},[3755],{"nodeType":1193,"data":3756,"content":3757},{},[3758],{"nodeType":1192,"value":3759,"marks":3760,"data":3761},"182.3.36.223",[],{},{"nodeType":1431,"data":3763,"content":3764},{},[3765],{"nodeType":1193,"data":3766,"content":3767},{},[3768],{"nodeType":1192,"value":3769,"marks":3770,"data":3771},"12.75.116.137",[],{},{"nodeType":1260,"data":3773,"content":3774},{},[],{"nodeType":1270,"data":3776,"content":3777},{},[3778],{"nodeType":1192,"value":3779,"marks":3780,"data":3782},"How Push stopped the 
attack",[3781],{"type":1268},{},{"nodeType":1193,"data":3784,"content":3785},{},[3786],{"nodeType":1192,"value":3787,"marks":3788,"data":3789},"Even though this was a brand new technique, Push intercepted this attack and shut it down before customers could interact with it. ",[],{},{"nodeType":1249,"data":3791,"content":3795},{"target":3792},{"sys":3793},{"id":3794,"type":1246,"linkType":1247},"5YzpiQH974EYA5iPPZMXkV",[],{"nodeType":1193,"data":3797,"content":3798},{},[3799,3803,3811],{"nodeType":1192,"value":3800,"marks":3801,"data":3802},"Push doesn’t detect the redirect tricks or rely on outdated domain TI feeds. The reason we detect these attacks (which make it through all the other layers of phishing protection) is that Push sees what your users see. It doesn’t matter what ",[],{},{"nodeType":1354,"data":3804,"content":3805},{"uri":1361},[3806],{"nodeType":1192,"value":3807,"marks":3808,"data":3810},"delivery channel or camouflage methods are used",[3809],{"type":1352},{},{"nodeType":1192,"value":3812,"marks":3813,"data":3814},", Push shuts the attack down in real time, as the user loads the malicious page in their web browser.",[],{},{"nodeType":1193,"data":3816,"content":3817},{},[3818],{"nodeType":1192,"value":3819,"marks":3820,"data":3821},"This isn’t all we do: Push’s browser-based security platform provides comprehensive detection and response capabilities against the leading cause of breaches. Push blocks browser-based attacks like AiTM phishing, credential stuffing, malicious browser extensions, ClickFix, and session hijacking. 
You don’t need to wait until it all goes wrong — you can also use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, and more to harden your identity attack surface.",[],{},{"nodeType":1193,"data":3823,"content":3824},{},[3825,3828,3835,3838,3845],{"nodeType":1192,"value":1787,"marks":3826,"data":3827},[],{},{"nodeType":1354,"data":3829,"content":3830},{"uri":1790},[3831],{"nodeType":1192,"value":1796,"marks":3832,"data":3834},[3833],{"type":1352},{},{"nodeType":1192,"value":1800,"marks":3836,"data":3837},[],{},{"nodeType":1354,"data":3839,"content":3840},{"uri":1803},[3841],{"nodeType":1192,"value":1809,"marks":3842,"data":3844},[3843],{"type":1352},{},{"nodeType":1192,"value":1813,"marks":3846,"data":3847},[],{},{"nodeType":1249,"data":3849,"content":3852},{"target":3850},{"sys":3851},{"id":1818,"type":1246,"linkType":1247},[],{"nodeType":1193,"data":3854,"content":3855},{},[3856],{"nodeType":1192,"value":37,"marks":3857,"data":3858},[],{},{"entries":3860},{"hyperlink":3861,"inline":3862,"block":3863},[],[],[3864,3891,3900,3907,3914,3921,3927,3933,3939,3943,3948,3974,3981,3988,4020,4027],{"sys":3865,"__typename":3866,"content":3867,"name":3890,"title":118},{"id":3070},"InsightTextBlockComponent",{"json":3868},{"nodeType":1194,"data":3869,"content":3870},{},[3871],{"nodeType":1193,"data":3872,"content":3873},{},[3874,3877,3886],{"nodeType":1192,"value":37,"marks":3875,"data":3876},[],{},{"nodeType":1354,"data":3878,"content":3880},{"uri":3879},"https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow",[3881],{"nodeType":1192,"value":3882,"marks":3883,"data":3885},"Authorization code flow",[3884],{"type":1352},{},{"nodeType":1192,"value":3887,"marks":3888,"data":3889}," is an OAuth 2.0 protocol for web applications to get a user's permission to access protected resources. 
When the authorization code flow is used to connect an app, the app combines the code with an OAuth secret that it holds and exchanges them for a token (the valuable part). However, some apps can’t protect a secret — for example, apps that run on your mobile device or desktop. In this case, the code alone is enough to generate an OAuth token, without the secret — which is what is being exploited here.",[],{},"ConsentFix Insight Box 1",{"sys":3892,"__typename":3893,"title":3894,"caption":3895,"layoutMode":118,"file":3896},{"id":3076},"Image","Authorization code flow in Microsoft apps.","Authorization code flow for Microsoft apps.",{"url":3897,"width":3898,"height":3899},"https://images.ctfassets.net/y1cdw1ablpvd/39SjQQIFV5aDh4Xq90X1BX/59ff8127bd758e34620738e2cecc0341/image2.png",1656,1064,{"sys":3901,"__typename":3893,"title":3902,"caption":3902,"layoutMode":118,"file":3903},{"id":3107},"Fake Cloudflare Turnstile page requesting a valid email address.",{"url":3904,"width":3905,"height":3906},"https://images.ctfassets.net/y1cdw1ablpvd/7bkcFEo59SUYRyBOAHfj6G/f8a49793c6190bea9007753ad1a93159/image_683.png",1446,546,{"sys":3908,"__typename":3893,"title":3909,"caption":3909,"layoutMode":118,"file":3910},{"id":3139},"If a personal email address is used, a business address is prompted.",{"url":3911,"width":3912,"height":3913},"https://images.ctfassets.net/y1cdw1ablpvd/7CNNGeywhNK5XJaGs1wC08/3a948187b0cadb8f1989db04d233ce49/image5.png",1999,958,{"sys":3915,"__typename":3893,"title":3916,"caption":3916,"layoutMode":118,"file":3917},{"id":3152},"The victim is prompted to complete a further verification check.",{"url":3918,"width":3919,"height":3920},"https://images.ctfassets.net/y1cdw1ablpvd/m8UjkvISMPYalhzlpFrHq/b31f330ce1d49e242f0b4185b154d3e2/image_694__1_.png",1225,1135,{"sys":3922,"__typename":3893,"title":3923,"caption":3923,"layoutMode":118,"file":3924},{"id":3208},"Response on the malicious page, showing the response URL and redirect. 
The client_id is specific to the Azure CLI app.",{"url":3925,"width":3912,"height":3926},"https://images.ctfassets.net/y1cdw1ablpvd/24oliBnRyryM1MGM06rqUh/4e6dd173756c8f472601b9665155d27b/image1.png",1051,{"sys":3928,"__typename":3893,"title":3929,"caption":3930,"layoutMode":118,"file":3931},{"id":3214},"ConsentFix attack breakdown.","ConsentFix attack breakdown: The victim is tricked into copy-and-pasting a URL containing OAuth key material into a phishing page.",{"url":3932,"width":3912,"height":40},"https://images.ctfassets.net/y1cdw1ablpvd/7x6SiBWarYH3w4nPfjtf7r/4c1dd037b9ad47ccbba0a87256ecd909/2.png",{"sys":3934,"__typename":3935,"title":3936,"arcadeDemoUrl":3937,"playText":3938},{"id":3272},"ArcadeDemo","ConsentFix Demo","https://demo.arcade.software/jVg07nEAWrkdzyRc4S83?embed","2 mins",{"sys":3940,"__typename":3935,"title":2996,"arcadeDemoUrl":3941,"playText":3942},{"id":2451},"https://demo.arcade.software/yQIHbuD990Dk5CjI1cvS?embed","1 mins",{"sys":3944,"__typename":3935,"title":3945,"arcadeDemoUrl":3946,"playText":3947},{"id":3468},"ConsentFix Denied Access","https://demo.arcade.software/3zw2WIpCdCI2FhnEbLH7?embed","1 min",{"sys":3949,"__typename":3866,"content":3950,"name":3973,"title":118},{"id":3570},{"json":3951},{"nodeType":1194,"data":3952,"content":3953},{},[3954],{"nodeType":1193,"data":3955,"content":3956},{},[3957,3961,3969],{"nodeType":1192,"value":3958,"marks":3959,"data":3960},"Since releasing this research, the security community has jumped on ConsentFix, discovering several additional vulnerable Microsoft apps, and sharing a variety of Microsoft-specific mitigation and detection guidance. You can find this information aggregated ",[],{},{"nodeType":1354,"data":3962,"content":3964},{"uri":3963},"https://pushsecurity.com/blog/consentfix-debrief/",[3965],{"nodeType":1192,"value":3966,"marks":3967,"data":3968},"in our follow-up blog post here",[],{},{"nodeType":1192,"value":3970,"marks":3971,"data":3972},". 
",[],{},"ConsentFix Insight Box 4",{"sys":3975,"__typename":3893,"title":3976,"caption":3976,"layoutMode":118,"file":3977},{"id":3590},"Microsoft log examples.",{"url":3978,"width":3979,"height":3980},"https://images.ctfassets.net/y1cdw1ablpvd/66hEuuZyciE7RPKR7tpZz4/c75ef643729ddd93cf5850dbe7a81617/image8.png",1794,240,{"sys":3982,"__typename":3893,"title":3983,"caption":3983,"layoutMode":118,"file":3984},{"id":3650},"Non-interactive logins observed from IP addresses in the US and Indonesia. ",{"url":3985,"width":3986,"height":3987},"https://images.ctfassets.net/y1cdw1ablpvd/76x7GAQzcmzaM30BvyBDNS/33b84a9d8c7a4ac088f080df705841dd/image9.png",1838,316,{"sys":3989,"__typename":3866,"content":3990,"name":4019,"title":118},{"id":3663},{"json":3991},{"nodeType":1194,"data":3992,"content":3993},{},[3994],{"nodeType":1193,"data":3995,"content":3996},{},[3997,4002,4006,4015],{"nodeType":1192,"value":3998,"marks":3999,"data":4001},"Note: ",[4000],{"type":1268},{},{"nodeType":1192,"value":4003,"marks":4004,"data":4005},"The attacker is intentionally leveraging legacy scopes to evade detection. 
You should ensure that ",[],{},{"nodeType":1354,"data":4007,"content":4009},{"uri":4008},"https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/aadgraphactivitylogs",[4010],{"nodeType":1192,"value":4011,"marks":4012,"data":4014},"AADGraphActivityLogs",[4013],{"type":1352},{},{"nodeType":1192,"value":4016,"marks":4017,"data":4018}," is enabled and monitored to be able to search for unusual activity such as AD enumeration.",[],{},"ConsentFix Insight Box 3",{"sys":4021,"__typename":3893,"title":4022,"caption":4022,"layoutMode":118,"file":4023},{"id":3794},"Detection timeline showing the page being detected and blocked by Push.",{"url":4024,"width":4025,"height":4026},"https://images.ctfassets.net/y1cdw1ablpvd/4H7j3s8F1FuyrGBvgSFs5a/882bf3ec5e477031fda0fde3223832f9/Group_594__1_.png",2328,1116,{"sys":4028,"__typename":4029,"type":4030,"ctaText":4031,"buttonLabel":4032,"buttonColour":4033,"buttonUrl":4034},{"id":1818},"CtaWidget","Custom","Learn how phishing evolved in 2025, showcasing the most sophisticated attacks and key trends uncovered by Push researchers","Register Now","sunny orange","https://pushsecurity.com/webinar/phishing-2025-review","content:blog:consentfix.json","json","content","blog/consentfix.json","blog/consentfix",1776343350067]