[{"data":1,"prerenderedAt":4269},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":95,"navbar-about-highlight":155,"navbar-resource-highlight":211,"use-case-page":256,"blog/cyber-criminal-ecosystem-analysis":1276},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8,59,76],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":14,"data":15,"variations":50,"lastUpdated":51,"firstPublished":52,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":54,"meta":55,"rev":58},1742213002749,"efff2a27faf4408e9f908eba4b5542fe","inductive-automation","1c6207a5f24948ab82d4a0b17f251193","published",[],{"testimonial":16,"description":43,"type":19,"link":44,"title":47,"testimonialLink":48,"image":49},{"@type":17,"id":18,"model":19,"value":20},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79","testimonial",{"query":21,"folders":22,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":26,"variations":30,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":35,"rev":42},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":27,"jobTitle":28,"quote":24,"image":29},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,1,"ST0tXQM8slWpFrmioqKHmENB2qe2",{"kind":36,"lastPreviewUrl":37,"breakpoints":38,"hasAutosaves":41},"data","",{"small":39,"medium":40},640,768,true,"3v32gocrrqz","Join the industry's top security minds as they break down the browser attack landscape.",{"url":45,"text":46},"https://pushsecurity.com/webinar/state-of-browser-security","Save Your Spot","State of Browser Attacks 
Series","/customer-stories/inductive-automation","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe94fca10aa7b46ac8052b7ea22de54cd",{},1776257019270,1742221533648,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2",[],{"breakpoints":56,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},320,"motto9r9yg",{"createdDate":60,"id":61,"name":62,"modelId":12,"published":13,"query":63,"data":64,"variations":69,"lastUpdated":70,"firstPublished":71,"testRatio":33,"createdBy":53,"lastUpdatedBy":72,"folders":73,"meta":74,"rev":58},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner",[],{"type":65,"url":66,"text":67,"link":68},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,"jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":36,"lastPreviewUrl":37,"breakpoints":75,"hasAutosaves":41},{"xsmall":57,"small":39,"medium":40},{"createdDate":77,"id":78,"name":79,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":80,"data":81,"variations":89,"lastUpdated":90,"firstPublished":91,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":92,"meta":93,"rev":58},1742208469288,"6763051b201f44a0838c6400c580ca67","Resource highlight",[],{"image":82,"type":83,"description":84,"link":85,"title":88},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9","resource","Learn about the latest techniques being used in the wild.",{"url":86,"text":87},"/resources/browser-attacks-report","Download now","Report: 2026 Browser Attack 
Techniques",{},1776255866789,1742208570400,[],{"kind":36,"lastPreviewUrl":37,"breakpoints":94,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},{"createdDate":96,"id":97,"name":98,"modelId":99,"published":13,"query":100,"data":101,"variations":145,"lastUpdated":146,"firstPublished":147,"testRatio":33,"createdBy":34,"lastUpdatedBy":148,"folders":149,"meta":150,"rev":154},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":102,"text":103,"url":37,"blocks":104,"state":141},"ewrererw","testrfesssssssssss",[105,129],{"@type":106,"@version":107,"id":108,"component":109,"responsiveStyles":119},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":110,"tag":110,"options":111,"isRSC":118},"TopBannerContent",{"text":112,"ctaText":46,"url":45,"mainText":113,"cta":116},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks",{"content":114,"fontSize":115},"\u003Cp>New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks\u003C/p>","text-base",{"content":117,"fontSize":115,"url":45},"\u003Cp>\u003Cstrong style=\"font-weight:700;\">Save Your 
Spot\u003C/strong>\u003C/p>\n",null,{"large":120},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"marginTop":126,"marginBottom":126,"fontSize":127,"fontWeight":128},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"id":130,"@type":106,"tagName":131,"properties":132,"responsiveStyles":136},"builder-pixel-08zrjigffq5t","img",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":137},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},"block","hidden","none",{"deviceSize":142,"location":143},"large",{"path":37,"query":144},{},{},1775137295127,1774968080803,"ax7YYfD0OCeqT1Vxxv1G4FUbqVr1",[],{"breakpoints":151,"hasLinks":6,"kind":152,"lastPreviewUrl":153,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests%2CmergePullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default","2lvuonnywj",[156,180],{"createdDate":157,"id":158,"name":159,"modelId":160,"published":13,"stageModifiedSincePublish":6,"query":161,"data":162,"variations":173,"lastUpdated":174,"firstPublished":175,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":176,
"meta":177,"rev":179},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":163,"type":19,"testimonialLink":48,"testimonial":164},{},{"@type":17,"id":18,"model":19,"value":165},{"query":166,"folders":167,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":168,"variations":169,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":170,"rev":172},[],[],{"author":27,"jobTitle":28,"quote":24,"image":29},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":171,"hasAutosaves":41},{"small":39,"medium":40},"7t755zfvte3",{},1776247404986,1776247404973,[],{"breakpoints":178,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"4moh0qpywtr",{"createdDate":181,"id":182,"name":88,"modelId":160,"published":13,"meta":183,"stageModifiedSincePublish":6,"query":185,"data":186,"variations":207,"lastUpdated":208,"firstPublished":209,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":210,"rev":179},1776255761419,"05a9322735fc427db12e2740e4302300",{"breakpoints":184,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[],{"testimonial":187,"link":206,"type":83,"title":88,"description":84,"image":82},{"@type":17,"id":188,"model":19,"value":189},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":190,"folders":191,"createdDate":192,"id":188,"name":193,"modelId":25,"published":13,"data":194,"variations":200,"lastUpdated":201,"firstPublished":202,"testRatio":33,"createdBy":34,"lastUpdatedBy":53,"meta":203,"rev":205},[],[],1728981467463,"Push does for identity what CrowdStrike did for the 
endpoint",{"video":195,"jobTitle":196,"author":197,"qoute":37,"quote":198,"image":199},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":36,"lastPreviewUrl":37,"breakpoints":204,"hasAutosaves":41},{"small":39,"medium":40},"6s8ic0w0ao6",{"text":87,"url":86},{},1776255810913,1776255810900,[],[212,235],{"createdDate":213,"id":214,"name":88,"modelId":215,"published":13,"meta":216,"stageModifiedSincePublish":6,"query":218,"data":219,"variations":230,"lastUpdated":231,"firstPublished":232,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":233,"rev":234},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":217,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[],{"testimonial":220,"link":229,"type":83,"title":88,"description":84,"image":82},{"@type":17,"id":188,"model":19,"value":221},{"query":222,"folders":223,"createdDate":192,"id":188,"name":193,"modelId":25,"published":13,"data":224,"variations":225,"lastUpdated":201,"firstPublished":202,"testRatio":33,"createdBy":34,"lastUpdatedBy":53,"meta":226,"rev":228},[],[],{"video":195,"jobTitle":196,"author":197,"qoute":37,"quote":198,"image":199},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":227,"hasAutosaves":41},{"small":39,"medium":40},"r77qqueuo3j",{"text":87,"url":86},{},1776256937553,1776256937540,[],"q0jkez80wkg",{"createdDate":236,"id":237,"name":11,"modelId":215,"published":13,"stageModifiedSincePublish":6,"query":238,"data":239,"variations
":250,"lastUpdated":251,"firstPublished":252,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":253,"meta":254,"rev":234},1776256949234,"ce043785b71b4ece98eac811ecf4ba10",[],{"link":240,"type":19,"testimonial":241,"testimonialLink":48},{},{"@type":17,"id":18,"model":19,"value":242},{"query":243,"folders":244,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":245,"variations":246,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":247,"rev":249},[],[],{"author":27,"jobTitle":28,"quote":24,"image":29},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":248,"hasAutosaves":41},{"small":39,"medium":40},"mnaneamy308",{},1776256974140,1776256974130,[],{"breakpoints":255,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[257,441,560,679,797,917,1037,1157],{"createdDate":258,"id":259,"name":260,"modelId":261,"published":13,"stageModifiedSincePublish":6,"query":262,"data":268,"variations":429,"lastUpdated":430,"firstPublished":431,"testRatio":33,"screenshot":432,"createdBy":34,"lastUpdatedBy":433,"folders":434,"meta":435,"rev":440},1744829487099,"387451215c314dd5bd654668cdc1a197","Zero-day phishing","cca4143377554c5a9163cc203a8ed2ba",[263],{"@type":264,"property":265,"operator":266,"value":267},"@builder.io/core:Query","urlPath","is","/uc/zero-day-phishing-protection",{"inputs":269,"customFonts":270,"seoTitle":318,"title":318,"tsCode":37,"seoDescription":319,"fontAwesomeIcon":320,"jsCode":37,"blocks":321,"url":267,"state":426},[],[271],{"family":272,"kind":273,"version":274,"lastModified":275,"files":276,"category":295,"menu":296,"subsets":297,"variants":300},"DM 
Sans","webfonts#webfont","v14","2023-07-13",{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"800italic":285,"900italic":286,"700italic":287,"100italic":288,"italic":289,"regular":290,"200italic":291,"500italic":292,"300italic":293,"600italic":294},"https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAop1hTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwA_JxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAkJxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAfJthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwARZthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAC5thTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8gCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9uCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDG3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19Dks
Vat-7DW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat_XDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9XCm3zRmYJpso5.ttf","sans-serif","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxRT23z.ttf",[298,299],"latin","latin-ext",[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"100","200","300","regular","500","600","800","900","100italic","200italic","300italic","italic","500italic","600italic","700italic","800italic","900italic","Zero-day phishing protection","Detect phishing TTPs directly in the browser and stop credential theft.","faFishingRod",[322,421],{"@type":106,"@version":107,"tagName":323,"id":324,"children":325},"div","builder-76c6b8d1499346c7bc1fd56ae4e93638",[326,343,351,358,370,385,396,407,413],{"@type":106,"@version":107,"layerName":327,"id":328,"component":329,"responsiveStyles":340},"UseCaseHero","builder-5228fe062bef4a40a91e43f1112832fa",{"name":327,"options":330,"isRSC":118},{"title":318,"description":331,"points":332,"video":339},"\u003Cp>Push detects phishing as it happens. Autonomous agents hunt for new phishing techniques, identify kit signatures, and deploy detections within minutes of a new attack being analyzed. 
From cloned login pages to AiTM credential harvesting, Push sees what traditional filters miss and stops threats before they escalate.\u003C/p>",[333,335,337],{"item":334},"Detect phishing that bypasses traditional filters, including AiTM, SSO password theft, and fake login pages",{"item":336},"Stop never-before-seen attacks with AI-native behavioral and on-page analysis inside the browser",{"item":338},"Investigate faster with unified browser, user, and page context","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F40433ceeb4f94b43a82e039a0f4fd411%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=40433ceeb4f94b43a82e039a0f4fd411&alt=media&optimized=true",{"large":341},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},"transparent",{"@type":106,"@version":107,"id":344,"component":345,"responsiveStyles":348},"builder-96634044407e491299e291ed64669e39",{"name":346,"options":347,"isRSC":118},"TrustedBy",{"AllPartners":41,"backgroundTransparent":6},{"large":349},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},"#000",{"@type":106,"@version":107,"id":352,"component":353,"responsiveStyles":356},"builder-2c3768f930534557bb8978e32b6a6a0f",{"name":354,"options":355,"isRSC":118},"Diagonal",{"darkMode":41},{"large":357},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":359,"id":360,"component":361,"responsiveStyles":368},"TextImageBlockVertical","builder-7c3c1c2840424db2ad2ccbfaf382dd64",{"name":359,"tag":359,"options":362,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":365,"description":366,"animatedTitle":37,"image":367,"reverse":6,"descriptionPaddingHorizontal":118},1200,800,"\u003Ch2>Why stop at the inbox?\u003C/h2>","\u003Cp>Phishing attacks have evolved. 
Whether attackers lure users with QR codes, instant messages, or OAuth consent screens, the outcome is the same: it plays out in the browser. Push gives you real-time detection for in-browser threats, stopping phishing and consent-based attacks before they lead to compromise.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7fdcac241f0e4a049166d7076858adeb",{"large":369},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":371,"component":372,"responsiveStyles":380},"builder-41c978b3669749cf947e622b4e79e4d7",{"name":373,"options":374,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":377,"description":378,"reverse":41,"image":379},600,100,"\u003Cp>Detect phishing at the edge\u003C/p>","\u003Cp>Push uses industry-first telemetry to detect phishing based on behavior, not static indicators. Autonomous agents analyze how phishing pages behave and how users interact with them, uncovering fake logins, credential theft, and phishing kits the moment they load in the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F9df3d180c97b4e61af142af2ccd68721",{"large":381},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},"DM Sans, sans-serif","20px","0px",{"@type":106,"@version":107,"id":386,"component":387,"responsiveStyles":393},"builder-d2a7bc941feb43cdb898bc116b203cf9",{"name":373,"options":388,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":390,"description":391,"reverse":6,"image":392},120,"\u003Ch2>Go beyond blocklists and IOCs\u003C/h2>","\u003Cp>Push goes beyond URLs and easy-to-change indicators. 
It reads the full phishing playbook, including script behavior, session hijacks, DOM changes, and user inputs, then connects the dots in real time. This gives your team a complete picture of how the phishing attempt worked, not just an alert.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fabfd58db169b433e96d3f1261797156e",{"large":394},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},"36px",{"@type":106,"@version":107,"layerName":373,"id":397,"component":398,"responsiveStyles":404},"builder-42c32198083f4880acb37c5cb76934da",{"name":373,"options":399,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":401,"description":402,"reverse":41,"image":403},140,"\u003Ch2>Enhance your phishing response\u003C/h2>","\u003Cp>When phishing enters your environment, speed matters. Push gives you instant access to the telemetry that counts, such as session data, user behavior, and page activity, so you can investigate fast, trigger in-browser prompts, or forward alerts to your SIEM or SOAR for response. 
All in real time, right from the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fbb195aec46904056b85e8688629e558e",{"large":405},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},"47px",{"@type":106,"@version":107,"id":408,"component":409,"responsiveStyles":411},"builder-9a95b9cbc4854421a92ef7b90f6c7adb",{"name":354,"options":410,"isRSC":118},{"darkMode":6},{"large":412},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":414,"component":415,"responsiveStyles":419},"builder-0afa17a9f25c4661a90f314d5578aa18",{"name":416,"tag":416,"options":417,"isRSC":118},"LatestResources",{"sectionHeading":37,"customClass":418},"bg-black",{"large":420},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":422,"@type":106,"tagName":131,"properties":423,"responsiveStyles":424},"builder-pixel-21yj6h3p4wh",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":425},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":427},{"path":37,"query":428},{},{},1776275046831,1745499158657,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fff60c30a8442489c8ed7e0af9599d14f","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"lastPreviewUrl":436,"winningTest":118,"breakpoints":437,"kind":438,"hasLinks":6,"originalContentId":439,"hasAutosaves":6},"https://pushsecurity.com/uc/zero-day-phishing-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&
builder.overrides.use-case-page=387451215c314dd5bd654668cdc1a197&builder.overrides.387451215c314dd5bd654668cdc1a197=387451215c314dd5bd654668cdc1a197&builder.overrides.use-case-page:/uc/zero-day-phishing-protection=387451215c314dd5bd654668cdc1a197&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},"page","2daa5670b8504fc7ba4700633e8bd921","atvz4dp24b7",{"createdDate":442,"id":443,"name":444,"modelId":261,"published":13,"stageModifiedSincePublish":6,"query":445,"data":448,"variations":552,"lastUpdated":553,"firstPublished":554,"testRatio":33,"screenshot":555,"createdBy":34,"lastUpdatedBy":433,"folders":556,"meta":557,"rev":440},1756833377777,"54f8256648f54d439303734b1e69221b","Browser extension security",[446],{"@type":264,"property":265,"operator":266,"value":447},"/uc/browser-extension-security",{"seoDescription":449,"jsCode":37,"fontAwesomeIcon":450,"tsCode":37,"title":444,"seoTitle":444,"customFonts":451,"inputs":456,"blocks":457,"url":447,"state":549},"Shine a light on risky browser extensions.","faPuzzlePiece",[452],{"kind":273,"family":272,"version":274,"files":453,"category":295,"lastModified":275,"subsets":454,"variants":455,"menu":296},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"100italic":288,"italic":289,"regular":290,"900italic":286,"800italic":285,"700italic":287,"200italic":291,"300italic":293,"500italic":292,"600italic":294},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],[],[458,544],{"@type":106,"@version":107,"tagName":323,"id":459,"meta":460,"children":461},"builder-71d0648c1d2f4ede8d0d0b5b28b7b94c",{"previousId":324},[462,478,485,492,501,511,521,531,538],{"@type":106,"@version":107,"id":463,"meta":464,"component":465,"responsiveStyles":476},"builder-ff325b4b8fad4edea53f38865947e854",{"previousId":328},{"name":327,"options":466,"isRSC":118},{"title":444,"description":467,"points":468,"video":475},"\u003Cp>Browser extensions introduce new code, new 
permissions, and new potential for risk. Many include AI features, and most go completely unnoticed. Push gives you full visibility into every extension used across your workforce, across major browsers, so you can uncover shadow IT, assess risky permissions, and block unsafe tools before they lead to compromise.\u003C/p>",[469,471,473],{"item":470},"Discover every browser extension in use",{"item":472},"Spot risky or unsanctioned behavior",{"item":474},"Make informed decisions on extension policy","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc538aad95d7f403aa3c3551af72f67c0?alt=media&token=1411fa6d-2eac-4e6c-94bf-ea117da12d67&apiKey=f3a1111ff5be48cdbb123cd9f5795a05",{"large":477},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":479,"meta":480,"component":481,"responsiveStyles":483},"builder-fb89d128c64e47cf9cbb11d90fc24523",{"previousId":344},{"name":346,"options":482,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":484},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":486,"meta":487,"component":488,"responsiveStyles":490},"builder-54388d35126c4d0096eeebaf8c4448cd",{"previousId":352},{"name":354,"options":489,"isRSC":118},{"darkMode":41},{"large":491},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":359,"id":493,"component":494,"responsiveStyles":499},"builder-3c8fa6785dd6466abf52a2470d66d85a",{"name":359,"tag":359,"options":495,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":496,"description":497,"image":498,"reverse":6},"\u003Ch2>Take control of browser extensions\u003C/h2>","\u003Cp>Attackers are increasingly using malicious browser extensions to gain access to data processed and stored in the browser. 
And the problem is, most security teams have no visibility into what extensions are being used. Push changes that. With browser-native telemetry, the Push extension continuously inventories browser extensions across your environment, flags the risky ones, and gives you intelligence to act.&nbsp;\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0a004f16a6874f4c8fdf14344acc9fec",{"large":500},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":502,"meta":503,"component":504,"responsiveStyles":509},"builder-93738f98109a4009affb349afd7bb182",{"previousId":371},{"name":373,"options":505,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":506,"description":507,"reverse":41,"image":508},"\u003Ch2>Discover every extension in use\u003C/h2>","\u003Cp>Push gives you structured, searchable data about every extension in your environment, so you’re not just seeing what’s there, but also understanding how it got there, what it can do, and who it affects. 
It’s the kind of granular insight that’s nearly impossible to get from traditional tools, and it lays the groundwork for better policy decisions and faster investigations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0e5727ca99474f14b1b7916bf6bbb782",{"large":510},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":512,"meta":513,"component":514,"responsiveStyles":519},"builder-83393acb12ee4fdd840839185b51edb4",{"previousId":386},{"name":373,"options":515,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":516,"description":517,"reverse":6,"image":518},"\u003Ch2>Spot risky or malicious extensions\u003C/h2>","\u003Cp>Push highlights extensions with dangerous permissions, broad access, or poor reputations. This includes AI extensions that request access far beyond what their stated purpose requires. You can quickly detect sideloaded, manually installed, or development-mode extensions that bypass normal controls. And because Push shows you who’s using them and where, you can respond precisely and effectively.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa104d58c8da34fbb8901f738fb21453b",{"large":520},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":522,"meta":523,"component":524,"responsiveStyles":529},"builder-da98e3de949646d89c53a0d1c2784664",{"previousId":397},{"name":373,"options":525,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":526,"description":527,"reverse":41,"image":528},"\u003Ch2>Accelerate security reviews\u003C/h2>","\u003Cp>Most teams have extension policies, they just don’t have the data to enforce them. 
Push reveals how each extension entered your environment, whether it was installed manually, sideloaded, or deployed in dev mode. You’ll see which users are running what, and where, so you can surface violations, investigate quickly, and respond with confidence.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F229f355be6f243b180f410d237a75bb3",{"large":530},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":532,"meta":533,"component":534,"responsiveStyles":536},"builder-1a689287d1a1418997d57db578a71105",{"previousId":408},{"name":354,"options":535,"isRSC":118},{"darkMode":6},{"large":537},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":539,"component":540,"responsiveStyles":542},"builder-feb4e75029f84c10b6498ef1f8f79128",{"name":416,"tag":416,"options":541,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":543},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":545,"@type":106,"tagName":131,"properties":546,"responsiveStyles":547},"builder-pixel-0edn39avfcei",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":548},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":550},{"path":37,"query":551},{},{},1776275365038,1757000441666,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8d496cf111644ee5afcc046b72d1ca5a",[],{"kind":438,"winningTest":118,"breakpoints":558,"lastPreviewUrl":559,"hasLinks":6,"originalContentId":259,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/browser-extension-security?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2Cc
reateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=54f8256648f54d439303734b1e69221b&builder.overrides.54f8256648f54d439303734b1e69221b=54f8256648f54d439303734b1e69221b&builder.overrides.use-case-page:/uc/browser-extension-security=54f8256648f54d439303734b1e69221b&builder.options.locale=Default",{"createdDate":561,"id":562,"name":563,"modelId":261,"published":13,"query":564,"data":567,"variations":670,"lastUpdated":671,"firstPublished":672,"testRatio":33,"screenshot":673,"createdBy":34,"lastUpdatedBy":674,"folders":675,"meta":676,"rev":440},1744923509705,"94bebb7bb99d48629ad157e80cf4d81d","Account takeover detection",[565],{"@type":264,"property":265,"operator":266,"value":566},"/uc/account-takeover-detection",{"title":563,"customFonts":568,"jsCode":37,"seoTitle":563,"seoDescription":573,"fontAwesomeIcon":574,"tsCode":37,"blocks":575,"url":566,"state":667},[569],{"kind":273,"category":295,"variants":570,"menu":296,"files":571,"family":272,"subsets":572,"version":274,"lastModified":275},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"300italic":293,"500italic":292,"800italic":285,"700italic":287,"italic":289,"900italic":286,"600italic":294,"200italic":291,"regular":290,"100italic":288},[298,299],"Stop ATO with stolen credential and compromised token 
detection.","faUserSecret",[576,662],{"@type":106,"@version":107,"tagName":323,"id":577,"meta":578,"children":579},"builder-e7913a774cae44c5a23d6081c5c30a52",{"previousId":324},[580,596,603,610,619,629,639,649,656],{"@type":106,"@version":107,"id":581,"meta":582,"component":583,"responsiveStyles":594},"builder-f1f1ab1601bc4c0f8c2a8aafd173675d",{"previousId":328},{"name":327,"options":584,"isRSC":118},{"title":563,"description":585,"points":586,"video":593},"\u003Cp>Attackers don’t need to phish, they just need a password that works. Push monitors for signs of credential-based attacks in real time, directly in the browser, catching account takeover attempts before the damage spreads. From ghost logins to credential stuffing, Push cuts off the paths attackers use to quietly slip in the back door.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[587,589,591],{"item":588},"Identify credential-based ATO as it unfolds",{"item":590},"Surface hijacked sessions and token misuse",{"item":592},"Strengthen authentication where your IdP 
can’t","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb4dd9db24bc9495b8a686b1b4d492016%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=b4dd9db24bc9495b8a686b1b4d492016&alt=media&optimized=true",{"large":595},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":597,"meta":598,"component":599,"responsiveStyles":601},"builder-0bc0d1c78ece4994993c3a6427a4d533",{"previousId":344},{"name":346,"options":600,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":602},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":604,"meta":605,"component":606,"responsiveStyles":608},"builder-e45de8f3768c4f16938dbf78e4e87524",{"previousId":352},{"name":354,"options":607,"isRSC":118},{"darkMode":41},{"large":609},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":611,"component":612,"responsiveStyles":617},"builder-c98e8bfd341146c1b67c02d5698ff093",{"name":359,"tag":359,"options":613,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":614,"description":615,"image":616,"reverse":6},"\u003Ch2>Assume less. See more.\u003C/h2>","\u003Cp>Most account takeovers don’t start with a breach, they start with a login. Whether it’s a reused password, a local account, or an outdated login flow, Push shows you how accounts are actually accessed day to day, not just how policies say they should be. 
That means no more blind spots around ghost logins, bypassed SSO, or stale access paths that quietly persist.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F18630ad2746d4eb7b7fcc0428b11a8f0",{"large":618},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":620,"meta":621,"component":622,"responsiveStyles":627},"builder-55c1fc38ddc04fd1a0d6a8e2fb819e00",{"previousId":371},{"name":373,"options":623,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":624,"description":625,"reverse":41,"image":626},"\u003Ch2>Catch stolen credential use in real time\u003C/h2>","\u003Cp>Push monitors login activity directly in the browser to detect signs of credential-based attacks like leaked password use or suspicious login flows. By analyzing attacker TTPs instead of relying on known indicators, Push spots credential stuffing and account takeover attempts the moment they begin, not after they’ve succeeded.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F52b0123cac2c4dfdb1dc0af6adf9d603",{"large":628},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":630,"meta":631,"component":632,"responsiveStyles":637},"builder-dfb31737b30948c6b95323655d571a50",{"previousId":386},{"name":373,"options":633,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":634,"description":635,"reverse":6,"image":636},"\u003Ch2>Detect session hijacks and stealth access\u003C/h2>","\u003Cp>Attackers don’t always need a login screen, they often sidestep it entirely using stolen session tokens. 
Push detects when valid sessions are reused in unexpected ways, identifying hijacked sessions and stealth access attempts that traditional tools miss. Because we monitor directly in the browser, you see what’s happening inside active sessions in real time.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F94a6859a99e04d309ffe5841f3dbdf5c",{"large":638},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":640,"meta":641,"component":642,"responsiveStyles":647},"builder-f7585b90eb974d03a7dc7eae5b58d227",{"previousId":397},{"name":373,"options":643,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":644,"description":645,"reverse":41,"image":646},"\u003Ch2>Harden accounts before they’re compromised\u003C/h2>","\u003Cp>Push goes beyond alerts. It identifies apps that still allow local logins, even when SSO is configured, so you can remove weak access paths. 
Push also flags users without MFA, reused work credentials, or weak passwords, and prompts users in-browser to fix risky behaviors before they’re exploited.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01c1b638f1b6497093a4f2b8ceddb5bb",{"large":648},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":650,"meta":651,"component":652,"responsiveStyles":654},"builder-ad81d1e3afec49a791214194eae09bdc",{"previousId":408},{"name":354,"options":653,"isRSC":118},{"darkMode":6},{"large":655},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":657,"component":658,"responsiveStyles":660},"builder-8dac1aa4b9d148628d92252bd8eff822",{"name":416,"tag":416,"options":659,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":661},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":663,"@type":106,"tagName":131,"properties":664,"responsiveStyles":665},"builder-pixel-s5u3wmvz7jq",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":666},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":668},{"path":37,"query":669},{},{},1770892814499,1745499162732,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F58b660fa94aa4b30b0faeb9b663ae41a","SfUPqW5tkibIPby49keNFMdHFTr1",[],{"lastPreviewUrl":677,"hasLinks":6,"originalContentId":259,"breakpoints":678,"winningTest":118,"kind":438,"hasAutosaves":41},"https://pushsecurity.com/uc/account-takeover-detection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepo
sitory%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.94bebb7bb99d48629ad157e80cf4d81d=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.use-case-page:/uc/account-takeover-detection=94bebb7bb99d48629ad157e80cf4d81d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":680,"id":681,"name":682,"modelId":261,"published":13,"query":683,"data":686,"variations":789,"lastUpdated":790,"firstPublished":791,"testRatio":33,"screenshot":792,"createdBy":34,"lastUpdatedBy":674,"folders":793,"meta":794,"rev":440},1745009370904,"23eb48fb56d3451cab77cb6ed140ee6d","Attack path hardening",[684],{"@type":264,"property":265,"operator":266,"value":685},"/uc/attack-path-hardening",{"tsCode":37,"seoDescription":687,"jsCode":37,"customFonts":688,"fontAwesomeIcon":693,"seoTitle":682,"title":682,"blocks":694,"url":685,"state":786},"Harden access paths with visibility, detection, and 
guardrails.",[689],{"kind":273,"files":690,"version":274,"lastModified":275,"subsets":691,"menu":296,"category":295,"variants":692,"family":272},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"regular":290,"italic":289,"800italic":285,"500italic":292,"600italic":294,"200italic":291,"900italic":286,"700italic":287,"100italic":288,"300italic":293},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"faRadar",[695,781],{"@type":106,"@version":107,"tagName":323,"id":696,"meta":697,"children":698},"builder-1d8553eddcaa44d7bba9e2f4ca13af2a",{"previousId":577},[699,715,722,729,738,748,758,768,775],{"@type":106,"@version":107,"id":700,"meta":701,"component":702,"responsiveStyles":713},"builder-84fe3d7c85a743cf8cef649aa974f1ef",{"previousId":581},{"name":327,"options":703,"isRSC":118},{"title":682,"description":704,"points":705,"video":712},"\u003Cp>Push continuously monitors your environment for exposed login paths, weak credentials, and missing protections like MFA. 
It detects the gaps attackers exploit and helps you close them before they’re used.\u003C/p>",[706,708,710],{"item":707},"Find weak spots like reused passwords, local logins, and missing MFA",{"item":709},"Monitor how users actually log in across apps, flows, and tools",{"item":711},"Enforce secure access with in-browser guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fdbdcf52892034f1bbddded77f753a343%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=dbdcf52892034f1bbddded77f753a343&alt=media&optimized=true",{"large":714},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":716,"meta":717,"component":718,"responsiveStyles":720},"builder-b3f66f5b08054cc78a06fecfc3ae2337",{"previousId":597},{"name":346,"options":719,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":721},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":723,"meta":724,"component":725,"responsiveStyles":727},"builder-4c73418b84be49ed85e6e13d2625c5a0",{"previousId":604},{"name":354,"options":726,"isRSC":118},{"darkMode":41},{"large":728},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":730,"component":731,"responsiveStyles":736},"builder-dec0246085e1485c803f7152b1922a81",{"name":359,"tag":359,"options":732,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":733,"description":734,"image":735,"reverse":6},"\u003Ch2>Find the gaps that lead to compromise\u003C/h2>","\u003Cp>Misconfigurations don’t show up in your config files, they show up in how users actually access apps. 
Push monitors real login behavior in the browser, surfacing risky patterns like local login access, duplicate accounts, or missing protections that leave doors wide open.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F309a59bba8d247a19476bb369397460e",{"large":737},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":739,"meta":740,"component":741,"responsiveStyles":746},"builder-ebf049a645604a249550996a88f8f3b6",{"previousId":620},{"name":373,"options":742,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":743,"description":744,"reverse":41,"image":745},"\u003Ch2>See real login behavior\u003C/h2>","\u003Cp>Push watches authentication flows as they happen, giving you a live view of how users log in, which methods they choose, and where protections like MFA are missing. Plus, uncover every app and account in use, even shadow IT you didn’t know existed, without relying on stale config files or IdP assumptions. \u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb51f6b0357cc451b87a7a5016d984e5e",{"large":747},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":749,"meta":750,"component":751,"responsiveStyles":756},"builder-431d175c59004669b0b2776b07d71737",{"previousId":630},{"name":373,"options":752,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":753,"description":754,"reverse":6,"image":755},"\u003Ch2>Find and fix posture drift\u003C/h2>","\u003Cp>Security posture isn’t static. Push continuously monitors for issues like missing MFA or legacy login methods. 
When something falls out of policy, you know immediately with custom notifications so you can act before it turns into risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F324e39127dfc41e592b1183dfb39892d",{"large":757},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":759,"meta":760,"component":761,"responsiveStyles":766},"builder-3dffdcbe0a484e2ca4c03f019b6d40ee",{"previousId":640},{"name":373,"options":762,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":763,"description":764,"reverse":41,"image":765},"\u003Ch2>Guide users with in-browser guardrails\u003C/h2>","\u003Cp>Push doesn’t just surface problems, it helps you fix them. When users sign in without MFA, reuse a password, or use insecure credentials, Push prompts them directly in the browser to secure their access. It’s faster, more effective, and actually gets 
results.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fee8b75d13e45488aba55434a8b49ebb0",{"large":767},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":769,"meta":770,"component":771,"responsiveStyles":773},"builder-976bc222cd7647ff905f1e01cfedc453",{"previousId":650},{"name":354,"options":772,"isRSC":118},{"darkMode":6},{"large":774},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":776,"component":777,"responsiveStyles":779},"builder-8c47ec2fd0f74382bb3e6c870555632c",{"name":416,"tag":416,"options":778,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":780},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":782,"@type":106,"tagName":131,"properties":783,"responsiveStyles":784},"builder-pixel-7akm7dayau8",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":785},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":787},{"path":37,"query":788},{},{},1770892844854,1745499166112,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6ca12bf728a045f1a31d40c0beb3bfe5",[],{"kind":438,"lastPreviewUrl":795,"breakpoints":796,"hasLinks":6,"originalContentId":562,"winningTest":118,"hasAutosaves":6},"https://pushsecurity.com/uc/attack-path-hardening?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&buil
der.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.23eb48fb56d3451cab77cb6ed140ee6d=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.use-case-page:/uc/attack-path-hardening=23eb48fb56d3451cab77cb6ed140ee6d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":798,"id":799,"name":800,"modelId":261,"published":13,"query":801,"data":804,"variations":909,"lastUpdated":910,"firstPublished":911,"testRatio":33,"screenshot":912,"createdBy":34,"lastUpdatedBy":674,"folders":913,"meta":914,"rev":440},1761675020232,"ea4f309d2ffe46c5aa97ebf0fda4e2e3","ClickFix Protection",[802],{"@type":264,"property":265,"operator":266,"value":803},"/uc/clickfix-protection",{"seoDescription":805,"fontAwesomeIcon":806,"customFonts":807,"seoTitle":812,"jsCode":37,"tsCode":37,"title":812,"blocks":813,"url":803,"state":906},"Block attacks that trick users into running malicious code.","faLaptopCode",[808],{"files":809,"subsets":810,"menu":296,"version":274,"kind":273,"family":272,"lastModified":275,"variants":811,"category":295},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"200italic":291,"800italic":285,"700italic":287,"600italic":294,"100italic":288,"italic":289,"regular":290,"300italic":293,"500italic":292,"900italic":286},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"ClickFix 
protection",[814,901],{"@type":106,"@version":107,"tagName":323,"id":815,"meta":816,"children":817},"builder-d7eefdde0f2a4b2b9de3dcb2978fd6cb",{"previousId":696},[818,834,841,848,858,868,878,888,895],{"@type":106,"@version":107,"id":819,"meta":820,"component":821,"responsiveStyles":832},"builder-56e2c54bcce040a4af8b92ae03706c12",{"previousId":700},{"name":327,"options":822,"isRSC":118},{"title":812,"description":823,"points":824,"image":831},"\u003Cp>ClickFix attacks are one of the fastest-growing threats, tricking users into copying malicious code from a webpage and running it locally. This technique bypasses traditional EDR, email gateways, and network filters, leading directly to ransomware and data theft. Push stops this attack at the source, in the browser, by detecting and blocking the malicious behavior before the user can ever paste the code.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[825,827,829],{"item":826},"Detect ClickFix, FileFix, and fake CAPTCHA in the browser",{"item":828},"Block malicious copy-and-paste actions before code is executed",{"item":830},"See full telemetry into which users were targeted and what they 
saw","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b74af62889847ebb3927364485b0546",{"large":833},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":835,"meta":836,"component":837,"responsiveStyles":839},"builder-05f9614d4e3e4dc88b3ee8658f54e10e",{"previousId":716},{"name":346,"options":838,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":840},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":842,"meta":843,"component":844,"responsiveStyles":846},"builder-c4fb5179366243c1b6c32d368675cf47",{"previousId":723},{"name":354,"options":845,"isRSC":118},{"darkMode":41},{"large":847},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":849,"meta":850,"component":851,"responsiveStyles":856},"builder-261af50705fd445d8cca4a6ba20d5391",{"previousId":730},{"name":359,"tag":359,"options":852,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":853,"description":854,"reverse":6,"image":855},"\u003Ch2>Stop ClickFix-style attacks before they become a breach\u003C/h2>","\u003Cp>Traditional security tools are blind to malicious copy and paste attacks because the attack exploits a gap between the browser and the endpoint. 
EDR only sees the payload after it runs, and network tools see only part of the picture.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F98b2f7e08dec4eafaf8e24937605b8cf",{"large":857},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":859,"meta":860,"component":861,"responsiveStyles":866},"builder-7d21b8aab8064c40b1e5dd23c4749309",{"previousId":739},{"name":373,"options":862,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":863,"description":864,"reverse":41,"image":865},"\u003Ch2>Discover lures at the source\u003C/h2>","\u003Cp>Push inspects page behavior to identify ClickFix attacks as they happen. By inspecting the page, its structure, and how the user interacts with it, Push can detect and block these in-browser threats in real time. This deep, TTP-based inspection spots the trap even on novel pages that are built to bypass traditional web filters and blocklists.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F665bf47e01544c75bf9ddafd3917927b",{"large":867},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":869,"meta":870,"component":871,"responsiveStyles":876},"builder-fb91943adf6149259ed9e1e6566c9afe",{"previousId":749},{"name":373,"options":872,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":873,"description":874,"reverse":6,"image":875},"\u003Ch2>Block the malicious action\u003C/h2>","\u003Cp>When Push detects a malicious script, it intercepts the user's action and blocks the code from being copied to the clipboard. The user is protected, the attack is stopped, and no malicious code ever reaches the endpoint. 
Unlike broad DLP tools, this action is surgical, targeting only malicious behavior without disrupting normal work.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F5ee68f81f1ac416685cbfe91298cf827",{"large":877},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":879,"meta":880,"component":881,"responsiveStyles":886},"builder-bfac95fada864e5a8259b955b5b5f98b",{"previousId":759},{"name":373,"options":882,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":883,"description":884,"reverse":41,"image":885},"\u003Ch2>Accelerate ClickFix investigations\u003C/h2>","\u003Cp>When an attack happens, knowing what the user saw or did is critical. Push provides rich browser session data for rapid investigation and containment. Security teams get detailed telemetry on which users were targeted, what lure they were served, and when the block occurred. 
This enables defenders to reconstruct what happened and respond quickly, even when other tools miss the activity entirely.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6cdf2a8aeddc4e9a9023cbf974e40239",{"large":887},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":889,"meta":890,"component":891,"responsiveStyles":893},"builder-136892e831684a6987f87d3be67c33d1",{"previousId":769},{"name":354,"options":892,"isRSC":118},{"darkMode":6},{"large":894},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":896,"component":897,"responsiveStyles":899},"builder-dec26b739f2f42beb5a73cfc6c675b60",{"name":416,"tag":416,"options":898,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":900},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":902,"@type":106,"tagName":131,"properties":903,"responsiveStyles":904},"builder-pixel-zzjpxxgrc2l",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":905},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":907},{"path":37,"query":908},{},{},1770892881888,1761847585203,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F375467b8bef34ed1a8a1cc5b8b67d75f",[],{"lastPreviewUrl":915,"originalContentId":681,"winningTest":118,"hasLinks":6,"kind":438,"breakpoints":916,"hasAutosaves":6},"https://pushsecurity.com/uc/clickfix-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.u
ser.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.ea4f309d2ffe46c5aa97ebf0fda4e2e3=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.use-case-page:/uc/clickfix-protection=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":918,"id":919,"name":920,"modelId":261,"published":13,"query":921,"data":924,"variations":1029,"lastUpdated":1030,"firstPublished":1031,"testRatio":33,"screenshot":1032,"createdBy":34,"lastUpdatedBy":674,"folders":1033,"meta":1034,"rev":440},1745009743870,"a9d5556e77f84a37b5bd52310a7110c1","Incident response",[922],{"@type":264,"property":265,"operator":266,"value":923},"/uc/incident-response",{"seoDescription":925,"customFonts":926,"title":920,"jsCode":37,"fontAwesomeIcon":931,"seoTitle":932,"tsCode":37,"blocks":933,"url":923,"state":1026},"Investigate and respond faster with unique browser telemetry.",[927],{"kind":273,"subsets":928,"menu":296,"variants":929,"category":295,"family":272,"version":274,"lastModified":275,"files":930},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"900italic":286,"600italic":294,"200italic":291,"300italic":293,"100italic":288,"700italic":287,"800italic":285,"regular":290,"italic":289,"500italic":292},"faSatelliteDish","Browser-based incident 
response",[934,1021],{"@type":106,"@version":107,"tagName":323,"id":935,"meta":936,"children":937},"builder-653c4aed737b4def88dc4cd2d695660a",{"previousId":696},[938,955,962,969,978,988,998,1008,1015],{"@type":106,"@version":107,"id":939,"meta":940,"component":941,"responsiveStyles":953},"builder-18190bd36518467d9154d27d7e945b9b",{"previousId":700},{"name":327,"options":942,"isRSC":118},{"title":943,"description":944,"points":945,"video":952},"Browser-based incident response","\u003Cp>Push gives you real-time visibility into what actually happened during a breach, right in the browser where the attack played out. From credential theft to session hijacking, Push captures high-fidelity telemetry so you can investigate quickly, contain confidently, and shut it down before it spreads.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[946,948,950],{"item":947},"Reconstruct what happened with real browser session context",{"item":949},"Investigate faster with real-world session context",{"item":951},"Trigger response actions automatically through your SIEM or 
SOAR","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fd00e39d3b6e346c296261d875cf55652%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=d00e39d3b6e346c296261d875cf55652&alt=media&optimized=true",{"large":954},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":956,"meta":957,"component":958,"responsiveStyles":960},"builder-8a0a8ea63f5d48dd8a6726f2d49cf0ca",{"previousId":716},{"name":346,"options":959,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":961},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":963,"meta":964,"component":965,"responsiveStyles":967},"builder-2df65c3f54334df2b26e7cb744886cdc",{"previousId":723},{"name":354,"options":966,"isRSC":118},{"darkMode":41},{"large":968},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":970,"component":971,"responsiveStyles":976},"builder-2c32c869efc2423ab69ef06b150e9f97",{"name":359,"tag":359,"options":972,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":973,"description":974,"image":975,"reverse":6},"\u003Ch2>See attacks unfold, not just their aftermath\u003C/h2>","\u003Cp>Attacks happen in the browser, not in logs. Push captures what traditional tools miss: what users clicked, what loaded, what was entered, and how attackers moved. 
That gives you real-world evidence, not just assumptions, when every second matters.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F36fc719bd1de4a38b916f4d25c81a26d",{"large":977},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":979,"meta":980,"component":981,"responsiveStyles":986},"builder-370e53c6016e432db01e9193a2ce90f6",{"previousId":739},{"name":373,"options":982,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":983,"description":984,"reverse":41,"image":985},"\u003Ch2>Investigate faster with high-fidelity data\u003C/h2>","\u003Cp>Reconstructing an incident shouldn’t feel like guesswork. Push records detailed telemetry from inside the browser: page loads, credential inputs, DOM changes, session activity, user behavior. It’s structured, exportable, and ready to plug into your investigation workflows, so you can move fast without digging through proxy logs or relying on user reports.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa6adda040e684e67a8d68a55c5ce5f6d",{"large":987},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":989,"meta":990,"component":991,"responsiveStyles":996},"builder-a7f3767a8d184bd08fb24520bf210e95",{"previousId":749},{"name":373,"options":992,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":993,"description":994,"reverse":6,"image":995},"\u003Ch2>Contain and respond in real time\u003C/h2>","\u003Cp>When something looks off, Push doesn’t just alert you, it gives you options. Guide users with in-browser prompts. Terminate sessions. Trigger SOAR workflows. Enrich SIEM alerts. 
Push gives you the context and control to stop spread before it starts.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb3dedeed5aba4847a2c2d22e10d0ec12",{"large":997},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":999,"meta":1000,"component":1001,"responsiveStyles":1006},"builder-b92036ee0ece4b32acdbdcc7c377366b",{"previousId":759},{"name":373,"options":1002,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1003,"description":1004,"reverse":41,"image":1005},"\u003Ch2>Prevent the next one\u003C/h2>","\u003Cp>Push helps you respond fast, but it also helps you fix what went wrong. It surfaces misconfigurations and risky behaviors that made the attack possible in the first place, then guides users in-browser to remediate. One tool. Full loop. No loose ends.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc1ecc2d5d3814b62b072fac01827ff96",{"large":1007},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1009,"meta":1010,"component":1011,"responsiveStyles":1013},"builder-5e8ae39655274de89da32ab573a2525a",{"previousId":769},{"name":354,"options":1012,"isRSC":118},{"darkMode":6},{"large":1014},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1016,"component":1017,"responsiveStyles":1019},"builder-dfd6850cfb4741d2b8a0c16c2780f00a",{"name":416,"tag":416,"options":1018,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1020},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1022,"@type":106,"tagName":131,"properties":1023,"responsiveStyles":1024},"builder-pixel-z197gdgcmu",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"lar
ge":1025},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1027},{"path":37,"query":1028},{},{},1770892908052,1745427419274,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb07017bfd318431690a5bb35bda35b99",[],{"kind":438,"breakpoints":1035,"originalContentId":681,"winningTest":118,"lastPreviewUrl":1036,"hasLinks":6,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/incident-response?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.a9d5556e77f84a37b5bd52310a7110c1=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.use-case-page:/uc/incident-response=a9d5556e77f84a37b5bd52310a7110c1&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"createdDate":1038,"id":1039,"name":1040,"modelId":261,"published":13,"query":1041,"data":1044,"variations":1149,"lastUpdated":1150,"firstPublished":1151,"testRatio":33,"screenshot":1152,"createdBy":34,"lastUpdatedBy":674,"folders":1153,"meta":1154,"rev":440},1746122471259,"5f118e24433d46ceb79f5099987156d7","Shadow SaaS",[1042],{"@type":264,"property":265,"operator":266,"value":1043},"/uc/shadow-saas",{"seoTitle":1045,"seoDescription":1046,"customFonts":1047,"fontAwesomeIcon":1052,"title":1053,"jsCode":37,"tsCode":37,"blocks":1054,"url":1043,"state":1146},"Find and secure shadow SaaS","See and 
control shadow SaaS in the browser.",[1048],{"kind":273,"variants":1049,"files":1050,"family":272,"version":274,"subsets":1051,"lastModified":275,"category":295,"menu":296},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"300italic":293,"500italic":292,"regular":290,"900italic":286,"italic":289,"100italic":288,"200italic":291,"600italic":294,"700italic":287,"800italic":285},[298,299],"faShieldCheck","Secure shadow SaaS",[1055,1141],{"@type":106,"@version":107,"tagName":323,"id":1056,"meta":1057,"children":1058},"builder-04da805c4cd34652a2db452fcda52e1d",{"previousId":935},[1059,1075,1082,1089,1098,1108,1118,1128,1135],{"@type":106,"@version":107,"id":1060,"meta":1061,"component":1062,"responsiveStyles":1073},"builder-830d414faeaf41439142f9157e8288c8",{"previousId":939},{"name":327,"options":1063,"isRSC":118},{"title":1045,"description":1064,"points":1065,"video":1072},"\u003Cp>SaaS sprawl is one of today’s fastest-growing security blind spots because most tools monitor around the edges. Push sees it at the source, in the browser, revealing every app users access, flagging risky tools, and helping you shut down exposure before it leads to a breach. No guesswork. No nasty surprises. 
Just real-time visibility and control.\u003C/p>",[1066,1068,1070],{"item":1067},"Discover every SaaS app users access, managed or not",{"item":1069},"Spot accounts with weak security postures like missing MFA, unmanaged access, and no SSO",{"item":1071},"Control usage with in-browser prompts, blocks, and security guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F3e4eece318d04d6586e691d59d0741cf%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=3e4eece318d04d6586e691d59d0741cf&alt=media&optimized=true",{"large":1074},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":1076,"meta":1077,"component":1078,"responsiveStyles":1080},"builder-cd7833f966cb4c7e8adf0d6c979414a6",{"previousId":956},{"name":346,"options":1079,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":1081},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":1083,"meta":1084,"component":1085,"responsiveStyles":1087},"builder-49d720b45430454e8b08c526f267c19f",{"previousId":963},{"name":354,"options":1086,"isRSC":118},{"darkMode":41},{"large":1088},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1090,"component":1091,"responsiveStyles":1096},"builder-3dde0bf6c8544e5e9ab41b18a9d68034",{"name":359,"tag":359,"options":1092,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":1093,"description":1094,"image":1095,"reverse":6},"\u003Ch2>Use your browser to curb SaaS sprawl\u003C/h2>","\u003Cp>Shadow SaaS isn’t hiding in your network, it’s in your browser. From AI tools to unsanctioned file-sharing sites, security risks live in the apps your users sign into every day. 
Push maps your organization's true SaaS footprint in real time, exposing apps and accounts with unmanaged access, poor authentication, or no security oversight.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb6811a214c7949b6bbe0b9a3bca62efd",{"large":1097},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1099,"meta":1100,"component":1101,"responsiveStyles":1106},"builder-e2420451ccdc4f088d0a4904cff45935",{"previousId":979},{"name":373,"options":1102,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":1103,"description":1104,"reverse":41,"image":1105},"\u003Ch2>Discover hidden SaaS usage\u003C/h2>","\u003Cp>Push captures live browser telemetry across every tab and session. Whether a user signs into a sanctioned app with a personal account or tries a new AI plugin, you’ll see it in real time, with no integrations or manual tagging.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe16e301f9af94665b95d98232a863d8a",{"large":1107},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":1109,"meta":1110,"component":1111,"responsiveStyles":1116},"builder-b36de7fce7994beea9e58d94662e7166",{"previousId":989},{"name":373,"options":1112,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":1113,"description":1114,"reverse":6,"image":1115},"\u003Ch2>Spot risky access and unsafe usage\u003C/h2>","\u003Cp>Discovery is just the beginning. Push flags apps with risky traits, no MFA, no SSO, known vulnerabilities, or broad access scopes. 
You’ll know which tools introduce real risk, and which users are exposed so you can act with precision.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6585f3c242da4d70ae3cb7d02f481bef",{"large":1117},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":1119,"meta":1120,"component":1121,"responsiveStyles":1126},"builder-dc366b5134684fe7a508edf8913103ea",{"previousId":999},{"name":373,"options":1122,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1123,"description":1124,"reverse":41,"image":1125},"\u003Ch2>Close gaps before they grow\u003C/h2>","\u003Cp>Push turns insight into action. When risky SaaS use is detected, guide users to enable MFA, block high-risk apps, or apply in-browser guardrails automatically. All without deploying new infrastructure or managing dozens of integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe6d60b6d91414819bc6258a318f00557",{"large":1127},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1129,"meta":1130,"component":1131,"responsiveStyles":1133},"builder-8708f6f0d8da4b3f9e17bf16cda70219",{"previousId":1009},{"name":354,"options":1132,"isRSC":118},{"darkMode":6},{"large":1134},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1136,"component":1137,"responsiveStyles":1139},"builder-8ff4b38d60534cf28cb523ab0f754875",{"name":416,"tag":416,"options":1138,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1140},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1142,"@type":106,"tagName":131,"properties":1143,"responsiveStyles":1144},"builder-pixel-d1ul2kmxbed",{"src":133,"aria-hidden":134,"alt":37,"role":135,"w
idth":124,"height":124},{"large":1145},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1147},{"path":37,"query":1148},{},{},1770892936802,1746714967208,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01bfb2304521412fbd2e1a1180904d40",[],{"originalContentId":919,"winningTest":118,"lastPreviewUrl":1155,"breakpoints":1156,"kind":438,"hasLinks":6,"hasAutosaves":6},"https://pushsecurity.com/uc/shadow-saas?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=5f118e24433d46ceb79f5099987156d7&builder.overrides.5f118e24433d46ceb79f5099987156d7=5f118e24433d46ceb79f5099987156d7&builder.overrides.use-case-page:/uc/shadow-saas=5f118e24433d46ceb79f5099987156d7&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":1158,"id":1159,"name":1160,"modelId":261,"published":13,"query":1161,"data":1164,"variations":1268,"lastUpdated":1269,"firstPublished":1270,"testRatio":33,"screenshot":1271,"createdBy":34,"lastUpdatedBy":674,"folders":1272,"meta":1273,"rev":440},1764707470172,"b62629ce2f3741158d961cd10fe74b31","Shadow AI",[1162],{"@type":264,"property":265,"operator":266,"value":1163},"/uc/shadow-ai",{"fontAwesomeIcon":1165,"seoTitle":1166,"jsCode":37,"customFonts":1167,"title":1172,"tsCode":37,"seoDescription":1173,"blocks":1174,"url":1163,"state":1265},"faBrainCircuit","Secure AI 
native and AI enhanced apps. ",[1168],{"variants":1169,"category":295,"files":1170,"subsets":1171,"family":272,"kind":273,"menu":296,"lastModified":275,"version":274},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"800italic":285,"regular":290,"700italic":287,"200italic":291,"italic":289,"500italic":292,"600italic":294,"300italic":293,"100italic":288,"900italic":286},[298,299],"Secure shadow AI","See and control shadow AI apps in the browser.",[1175,1260],{"@type":106,"@version":107,"tagName":323,"id":1176,"meta":1177,"children":1178},"builder-a6e5717a2c914d5695058e4ee201a05d",{"previousId":1056},[1179,1195,1202,1209,1219,1228,1237,1247,1254],{"@type":106,"@version":107,"id":1180,"meta":1181,"component":1182,"responsiveStyles":1193},"builder-3e0ed678683f4a0eb7aa00253cf263b2",{"previousId":1060},{"name":327,"options":1183,"isRSC":118},{"title":1172,"description":1184,"points":1185,"image":1192},"\u003Cp>Your employees are adopting AI faster than you can track it. From native features in corporate apps to unapproved shadow tools, it’s all happening in the browser. 
Push detects every AI interaction in real time, letting you categorize apps and enforce acceptable use policies in the browser.\u003C/p>",[1186,1188,1190],{"item":1187},"Map every AI tool used across your workforce",{"item":1189},"Review and classify apps by sensitivity, purpose, and policy status",{"item":1191},"Enforce AI usage rules directly in the browser","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F33cf153d920f4e389f3650253577cff7",{"large":1194},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":1196,"meta":1197,"component":1198,"responsiveStyles":1200},"builder-76968f8471d14893b8189d75b08fb426",{"previousId":1076},{"name":346,"options":1199,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":1201},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":1203,"meta":1204,"component":1205,"responsiveStyles":1207},"builder-b55b9d4bc5a649d8839ce7f6c2043d95",{"previousId":1083},{"name":354,"options":1206,"isRSC":118},{"darkMode":41},{"large":1208},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1210,"meta":1211,"component":1212,"responsiveStyles":1217},"builder-c3f38ef4d75d4989a29b5903175ed8a1",{"previousId":1090},{"name":359,"tag":359,"options":1213,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":1214,"description":1215,"image":1216,"reverse":6},"\u003Ch2>Use your browser to govern AI \u003C/h2>","\u003Cp>The AI footprint inside your company is bigger than you think. From text generators to meeting assistants and design copilots, employees test, adopt, and connect new tools constantly. 
Push shows you those tools and which users are accessing them, without relying on network scans or API integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F30b43bda6f1644c19478fb1efa20050c",{"large":1218},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1220,"meta":1221,"component":1222,"responsiveStyles":1226},"builder-90ee9cb9afc44e7f885523715bf51a53",{"previousId":1099},{"name":373,"options":1223,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":1224,"description":1225,"reverse":41,"image":1115},"\u003Ch2>Discover every AI tool users touch\u003C/h2>","\u003Cp>Push captures live telemetry from the browser, identifying every AI-native and AI-enhanced application users access. You’ll know which corporate identities are connected, how data flows, and what new AI apps appear across your environment. \u003C/p>",{"large":1227},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":1229,"meta":1230,"component":1231,"responsiveStyles":1235},"builder-9e44539fa53c4d8e87406036c921fc46",{"previousId":1109},{"name":373,"options":1232,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":1233,"description":1234,"reverse":6,"image":1125},"\u003Ch2>Classify and manage AI risk\u003C/h2>","\u003Cp>For apps you choose to allow, Push lets you apply custom in-browser banners. You can bulk-select categories of AI tools and require users to read and acknowledge your acceptable use policy before they proceed. 
This creates an auditable trail and moves policy from an easy-to-forget document to an active, in-workflow control.\u003C/p>",{"large":1236},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":1238,"meta":1239,"component":1240,"responsiveStyles":1245},"builder-44c1a891926f4bdeaaa37e90721fe6ac",{"previousId":1119},{"name":373,"options":1241,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1242,"description":1243,"reverse":41,"image":1244},"\u003Ch2>Enforce your AI policy in the browser\u003C/h2>","\u003Cp>When an AI tool is deemed non-compliant or too risky, Push blocks it at the source. The block happens directly in the browser, preventing the user from accessing the site or submitting data. This gives you an immediate, powerful lever to stop data exfiltration and enforce a hard line on unacceptable risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa359ac1805af4e15a8a7f84632b9bb55",{"large":1246},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1248,"meta":1249,"component":1250,"responsiveStyles":1252},"builder-dcc906f9cbe54dc68b3c672668e7a38f",{"previousId":1129},{"name":354,"options":1251,"isRSC":118},{"darkMode":6},{"large":1253},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1255,"component":1256,"responsiveStyles":1258},"builder-d2d64780c31b4349bc75805b23a07e38",{"name":416,"tag":416,"options":1257,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1259},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1261,"@type":106,"tagName":131,"properties":1262,"responsiveStyles":1263},"builder-pixel-wxx9tk70r9p",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124
},{"large":1264},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1266},{"path":37,"query":1267},{},{},1770892957225,1764950077593,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe558b8b069884037a8e6904f7ecc029c",[],{"winningTest":118,"breakpoints":1274,"originalContentId":1039,"kind":438,"lastPreviewUrl":1275,"hasLinks":6,"hasAutosaves":41},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/shadow-ai?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=b62629ce2f3741158d961cd10fe74b31&builder.overrides.b62629ce2f3741158d961cd10fe74b31=b62629ce2f3741158d961cd10fe74b31&builder.overrides.use-case-page:/uc/shadow-ai=b62629ce2f3741158d961cd10fe74b31&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"_path":1277,"_dir":1278,"_draft":6,"_partial":6,"_locale":37,"sys":1279,"ogImage":118,"summary":1282,"title":1296,"subtitle":118,"metaTitle":1297,"synopsis":1292,"hashTags":118,"publishedDate":1298,"slug":1299,"tagsCollection":1300,"relatedBlogPostsCollection":1310,"authorsCollection":3623,"content":3627,"_id":4264,"_type":4265,"_source":4266,"_file":4267,"_stem":4268,"_extension":4265},"/blog/cyber-criminal-ecosystem-analysis","blog",{"id":1280,"publishedAt":1281},"2U6QpQ9rkY8x5ES48okHZB","2026-01-12T10:13:52.486Z",{"json":1283},{"data":1284,"content":1285,"nodeType":1295},{},[1286],{"data":1287,"content
":1288,"nodeType":1294},{},[1289],{"data":1290,"marks":1291,"value":1292,"nodeType":1293},{},[],"Attackers are going out of their way to target Google Ad Manager accounts, powering malvertising scams. Here’s what you need to know.","text","paragraph","document","How cyber criminals power malvertising scams with stolen accounts","Analysing the malvertising criminal ecosystem","2026-01-12T00:00:00.000Z","cyber-criminal-ecosystem-analysis",{"items":1301},[1302,1306],{"sys":1303,"name":1305},{"id":1304},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"sys":1307,"name":1309},{"id":1308},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"items":1311},[1312,1960,2931],{"__typename":1313,"sys":1314,"content":1316,"title":1943,"synopsis":1944,"hashTags":118,"publishedDate":1298,"slug":1945,"tagsCollection":1946,"authorsCollection":1952},"BlogPosts",{"id":1315},"2YmiesBvJHGw4wiKEKzLUq",{"json":1317},{"nodeType":1295,"data":1318,"content":1319},{},[1320,1327,1334,1387,1396,1403,1410,1416,1422,1428,1432,1442,1449,1455,1462,1468,1474,1481,1487,1505,1508,1516,1523,1530,1537,1544,1550,1568,1571,1579,1586,1645,1652,1659,1662,1670,1677,1684,1691,1724,1727,1735,1755,1762,1805,1812,1855,1862,1935],{"nodeType":1294,"data":1321,"content":1322},{},[1323],{"nodeType":1293,"value":1324,"marks":1325,"data":1326},"In recent months, we’ve seen a significant increase in the number of attacks targeting ad manager accounts. These attacks ultimately serve up an Attacker-in-the-Middle (AITM) phishing page designed to steal the victim’s Google account. 
",[],{},{"nodeType":1294,"data":1328,"content":1329},{},[1330],{"nodeType":1293,"value":1331,"marks":1332,"data":1333},"Most recently, we reported on:",[],{},{"nodeType":1335,"data":1336,"content":1337},"unordered-list",{},[1338,1364],{"nodeType":1339,"data":1340,"content":1341},"list-item",{},[1342],{"nodeType":1294,"data":1343,"content":1344},{},[1345,1349,1360],{"nodeType":1293,"value":1346,"marks":1347,"data":1348},"A campaign running ",[],{},{"nodeType":1350,"data":1351,"content":1353},"hyperlink",{"uri":1352},"https://pushsecurity.com/blog/analysing-a-malvertising-attack-targeting-business-google-accounts/",[1354],{"nodeType":1293,"value":1355,"marks":1356,"data":1359},"fake malvertising ads for “Google Ads”",[1357],{"type":1358},"underline",{},{"nodeType":1293,"value":1361,"marks":1362,"data":1363}," in Google Search. ",[],{},{"nodeType":1339,"data":1365,"content":1366},{},[1367],{"nodeType":1294,"data":1368,"content":1369},{},[1370,1374,1383],{"nodeType":1293,"value":1371,"marks":1372,"data":1373},"A campaign using sophisticated ",[],{},{"nodeType":1350,"data":1375,"content":1377},{"uri":1376},"https://pushsecurity.com/blog/uncovering-a-calendly-themed-phishing-campaign/",[1378],{"nodeType":1293,"value":1379,"marks":1380,"data":1382},"Calendly-themed phishing lures",[1381],{"type":1358},{},{"nodeType":1293,"value":1384,"marks":1385,"data":1386}," targeting marketing professionals.",[],{},{"nodeType":1388,"data":1389,"content":1395},"embedded-entry-block",{"target":1390},{"sys":1391},{"id":1392,"type":1393,"linkType":1394},"1ThnhFZQIhzV179qclvzFH","Link","Entry",[],{"nodeType":1294,"data":1397,"content":1398},{},[1399],{"nodeType":1293,"value":1400,"marks":1401,"data":1402},"Now, we’ve seen the Google Ads malvertising campaign expand to run additional ads impersonating Ahrefs, an AI marketing platform. 
Crucially, employees with access to Ahrefs are highly likely to also have access to Google Ads, meaning that attackers can reliably target Google accounts via Ahrefs. ",[],{},{"nodeType":1294,"data":1404,"content":1405},{},[1406],{"nodeType":1293,"value":1407,"marks":1408,"data":1409},"You can see a demo of the phishing chain below. ",[],{},{"nodeType":1388,"data":1411,"content":1415},{"target":1412},{"sys":1413},{"id":1414,"type":1393,"linkType":1394},"2XjyySGldgl9uPA7CZRms8",[],{"nodeType":1388,"data":1417,"content":1421},{"target":1418},{"sys":1419},{"id":1420,"type":1393,"linkType":1394},"yB12nGF91iq15GoHWItaX",[],{"nodeType":1388,"data":1423,"content":1427},{"target":1424},{"sys":1425},{"id":1426,"type":1393,"linkType":1394},"2NK29DaTd93kOctyWxV0RT",[],{"nodeType":1429,"data":1430,"content":1431},"hr",{},[],{"nodeType":1433,"data":1434,"content":1435},"heading-1",{},[1436],{"nodeType":1293,"value":1437,"marks":1438,"data":1441},"Attack breakdown",[1439],{"type":1440},"bold",{},{"nodeType":1294,"data":1443,"content":1444},{},[1445],{"nodeType":1293,"value":1446,"marks":1447,"data":1448},"Users searching for “ahrefs” on Google Search were served with a fake ad impersonating Ahrefs, hosted on Squarespace, a legitimate website building and hosting platform. Previously, we’d seen this campaign use hosting sites Odoo and Kartra to similar effect. ",[],{},{"nodeType":1388,"data":1450,"content":1454},{"target":1451},{"sys":1452},{"id":1453,"type":1393,"linkType":1394},"59dhFey5rahm5sA20NudTl",[],{"nodeType":1294,"data":1456,"content":1457},{},[1458],{"nodeType":1293,"value":1459,"marks":1460,"data":1461},"Upon clicking the link, the victim was taken to a clone of the real Ahrefs site. Crucially, you can see that the domain is not the official Ahrefs domain. 
",[],{},{"nodeType":1388,"data":1463,"content":1467},{"target":1464},{"sys":1465},{"id":1466,"type":1393,"linkType":1394},"48fQUiJXC1qACKUUPDliS5",[],{"nodeType":1388,"data":1469,"content":1473},{"target":1470},{"sys":1471},{"id":1472,"type":1393,"linkType":1394},"77iqOW1jDVt5Oxw8qTwnKG",[],{"nodeType":1294,"data":1475,"content":1476},{},[1477],{"nodeType":1293,"value":1478,"marks":1479,"data":1480},"However, the site is not fully interactable beyond the front page. Clicking on any link takes the user to a Google sign-in page. ",[],{},{"nodeType":1388,"data":1482,"content":1486},{"target":1483},{"sys":1484},{"id":1485,"type":1393,"linkType":1394},"7t9BoUyIFN8dlBDksjsYlD",[],{"nodeType":1294,"data":1488,"content":1489},{},[1490,1494,1501],{"nodeType":1293,"value":1491,"marks":1492,"data":1493},"This is in fact an AITM phishing page that is designed to hijack the victim’s Google account. Entering credentials and completing the MFA check will result in the attacker stealing the app session and effectively taking over the account. The phishing kit used matches ",[],{},{"nodeType":1350,"data":1495,"content":1496},{"uri":1352},[1497],{"nodeType":1293,"value":1498,"marks":1499,"data":1500},"the previous malvertising detected impersonating Google Ads",[],{},{"nodeType":1293,"value":1502,"marks":1503,"data":1504},". ",[],{},{"nodeType":1429,"data":1506,"content":1507},{},[],{"nodeType":1433,"data":1509,"content":1510},{},[1511],{"nodeType":1293,"value":1512,"marks":1513,"data":1515},"Why are attackers targeting ad manager accounts?",[1514],{"type":1440},{},{"nodeType":1294,"data":1517,"content":1518},{},[1519],{"nodeType":1293,"value":1520,"marks":1521,"data":1522},"Ad Manager accounts on platforms like Google, Facebook, and LinkedIn have become lucrative targets for cybercriminals. By compromising these accounts, attackers can exploit the digital advertising ecosystem in various ways for financial gain. 
",[],{},{"nodeType":1294,"data":1524,"content":1525},{},[1526],{"nodeType":1293,"value":1527,"marks":1528,"data":1529},"The ad industry’s scale makes it attractive to fraud. Estimates suggest digital ad fraud cost advertisers tens of billions, potentially nearing $100 billion or more, with projections reaching $172 billion by 2028.",[],{},{"nodeType":1294,"data":1531,"content":1532},{},[1533],{"nodeType":1293,"value":1534,"marks":1535,"data":1536},"A hijacked Google Ad Manager account gives attackers access to significant ad spend and account data which can be monetized illicitly. The tactics range from stealthy ad fraud to overt abuse like malicious ads or extortion schemes.",[],{},{"nodeType":1294,"data":1538,"content":1539},{},[1540],{"nodeType":1293,"value":1541,"marks":1542,"data":1543},"Pretty much every enterprise today advertises their services via Google Ads — this makes attacks on these accounts pretty much a universal problem. Agencies managing numerous client accounts are put further at risk. For example, if an attacker can compromise an MCC account (used to manage several ad accounts) they get full access to the customer portfolio. ",[],{},{"nodeType":1388,"data":1545,"content":1549},{"target":1546},{"sys":1547},{"id":1548,"type":1393,"linkType":1394},"1WPbstxHtdjnAKpF1rhCpW",[],{"nodeType":1294,"data":1551,"content":1552},{},[1553,1557,1565],{"nodeType":1293,"value":1554,"marks":1555,"data":1556},"Learn more about why attackers are targeting ad manager accounts ",[],{},{"nodeType":1350,"data":1558,"content":1560},{"uri":1559},"https://pushsecurity.com/blog/cyber-criminal-ecosystem-analysis",[1561],{"nodeType":1293,"value":1562,"marks":1563,"data":1564},"in our blog post",[],{},{"nodeType":1293,"value":1502,"marks":1566,"data":1567},[],{},{"nodeType":1429,"data":1569,"content":1570},{},[],{"nodeType":1433,"data":1572,"content":1573},{},[1574],{"nodeType":1293,"value":1575,"marks":1576,"data":1578},"Why malvertising? 
",[1577],{"type":1440},{},{"nodeType":1294,"data":1580,"content":1581},{},[1582],{"nodeType":1293,"value":1583,"marks":1584,"data":1585},"Malvertising scams happen across lots of different sites, but the most common platform we see targeted is Google Search. This takes advantage of users browsing to find a website and clicking the first link that appears — in this case a fake sponsored link taking you to the attacker’s page. ",[],{},{"nodeType":1294,"data":1587,"content":1588},{},[1589,1593,1602,1606,1615,1619,1628,1632,1641],{"nodeType":1293,"value":1590,"marks":1591,"data":1592},"Malvertising attacks delivered over channels like Google Search are a great way to catch victims unawares while also evading anti-phishing controls, which are typically email-based. Malvertising is an increasingly popular attack vector for the delivery of AITM phishing, malware downloads, and ",[],{},{"nodeType":1350,"data":1594,"content":1596},{"uri":1595},"https://pushsecurity.com/blog/the-most-advanced-clickfix-yet/",[1597],{"nodeType":1293,"value":1598,"marks":1599,"data":1601},"ClickFix",[1600],{"type":1358},{},{"nodeType":1293,"value":1603,"marks":1604,"data":1605}," (4 in 5 ClickFix attacks intercepted by Push were delivered via Google Search). 
This isn’t just targeting ad manager accounts — last year, we reported on campaigns impersonating ",[],{},{"nodeType":1350,"data":1607,"content":1609},{"uri":1608},"https://pushsecurity.com/blog/analysing-a-sophisticated-google-malvertising-attack/",[1610],{"nodeType":1293,"value":1611,"marks":1612,"data":1614},"TradingView",[1613],{"type":1358},{},{"nodeType":1293,"value":1616,"marks":1617,"data":1618},", ",[],{},{"nodeType":1350,"data":1620,"content":1622},{"uri":1621},"https://pushsecurity.com/blog/phishing-with-active-directory-federation-services/",[1623],{"nodeType":1293,"value":1624,"marks":1625,"data":1627},"Microsoft Office 365",[1626],{"type":1358},{},{"nodeType":1293,"value":1629,"marks":1630,"data":1631},", and ",[],{},{"nodeType":1350,"data":1633,"content":1635},{"uri":1634},"https://pushsecurity.com/blog/investigating-a-recent-malvertising-campaign-targeting-onfido-customers/",[1636],{"nodeType":1293,"value":1637,"marks":1638,"data":1640},"Onfido",[1639],{"type":1358},{},{"nodeType":1293,"value":1642,"marks":1643,"data":1644},", to name a few. ",[],{},{"nodeType":1294,"data":1646,"content":1647},{},[1648],{"nodeType":1293,"value":1649,"marks":1650,"data":1651},"There’s a tendency to see malvertising as a more random attack, but Google Ads can be tuned to searches coming from specific geographic locations, tailored to specific email domain matches, or specific device types (e.g. desktop, mobile, etc.). If you know where your target organization is located, you can tailor the ad to that location. Even more precise ad targeting can be achieved on social media platforms. 
",[],{},{"nodeType":1294,"data":1653,"content":1654},{},[1655],{"nodeType":1293,"value":1656,"marks":1657,"data":1658},"Because these attacks completely circumvent the traditional phishing detection surface (email) and often happen entirely over the internet (meaning no endpoint security controls can come into play) the only way to reliably detect and stop these attacks is to intercept them where they happen — in the user’s web browser. ",[],{},{"nodeType":1429,"data":1660,"content":1661},{},[],{"nodeType":1433,"data":1663,"content":1664},{},[1665],{"nodeType":1293,"value":1666,"marks":1667,"data":1669},"How Push stopped the attack",[1668],{"type":1440},{},{"nodeType":1294,"data":1671,"content":1672},{},[1673],{"nodeType":1293,"value":1674,"marks":1675,"data":1676},"Regardless of the delivery channel, all roads lead to a web page accessed in the victim’s browser, where Push is waiting to detect and block the attack. Even if the page has never been previously flagged as suspicious or malicious, Push analyses the page in real time and blocks it — protecting against the latest zero-day threats.  ",[],{},{"nodeType":1294,"data":1678,"content":1679},{},[1680],{"nodeType":1293,"value":1681,"marks":1682,"data":1683},"By seeing what your users see, and getting an unfiltered, real-time view of the page as it loads, Push is able to pinpoint malicious content, code, and behaviors and shut the attack down before it happens. Whether it's entering credentials onto a phishing page, approving a malicious OAuth grant, installing a risky browser extension, or insecurely accessing an app with a weak password and no MFA, Push detects the action and shuts it down.",[],{},{"nodeType":1294,"data":1685,"content":1686},{},[1687],{"nodeType":1293,"value":1688,"marks":1689,"data":1690},"Push blocks browser-based attacks like AiTM phishing, credential stuffing, malicious browser extensions, malicious OAuth grants, ClickFix, and session hijacking. 
You don’t need to wait until it all goes wrong either — you can use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, and more to harden your identity attack surface.",[],{},{"nodeType":1294,"data":1692,"content":1693},{},[1694,1698,1707,1711,1720],{"nodeType":1293,"value":1695,"marks":1696,"data":1697},"To learn more about Push, ",[],{},{"nodeType":1350,"data":1699,"content":1701},{"uri":1700},"https://pushsecurity.com/resources/product-brochure",[1702],{"nodeType":1293,"value":1703,"marks":1704,"data":1706},"check out our latest product overview",[1705],{"type":1358},{},{"nodeType":1293,"value":1708,"marks":1709,"data":1710}," or ",[],{},{"nodeType":1350,"data":1712,"content":1714},{"uri":1713},"https://pushsecurity.com/demo",[1715],{"nodeType":1293,"value":1716,"marks":1717,"data":1719},"book some time with one of our team for a live demo",[1718],{"type":1358},{},{"nodeType":1293,"value":1721,"marks":1722,"data":1723},".",[],{},{"nodeType":1429,"data":1725,"content":1726},{},[],{"nodeType":1433,"data":1728,"content":1729},{},[1730],{"nodeType":1293,"value":1731,"marks":1732,"data":1734},"IoCs",[1733],{"type":1440},{},{"nodeType":1294,"data":1736,"content":1737},{},[1738,1742,1751],{"nodeType":1293,"value":1739,"marks":1740,"data":1741},"Short-lived IoCs are of limited value when tackling modern phishing attacks due to the rate at which attackers are able to ",[],{},{"nodeType":1350,"data":1743,"content":1745},{"uri":1744},"https://phishing-techniques.pushsecurity.com/techniques/domain-rotation-redirection/",[1746],{"nodeType":1293,"value":1747,"marks":1748,"data":1750},"quickly spin up and rotate the sites used",[1749],{"type":1358},{},{"nodeType":1293,"value":1752,"marks":1753,"data":1754}," in the attack chain, often dynamically serving different URLs to site visitors. 
",[],{},{"nodeType":1294,"data":1756,"content":1757},{},[1758],{"nodeType":1293,"value":1759,"marks":1760,"data":1761},"That said, the domains observed in this chain were:",[],{},{"nodeType":1335,"data":1763,"content":1764},{},[1765,1775,1785,1795],{"nodeType":1339,"data":1766,"content":1767},{},[1768],{"nodeType":1294,"data":1769,"content":1770},{},[1771],{"nodeType":1293,"value":1772,"marks":1773,"data":1774},"comandd-ok[.]com",[],{},{"nodeType":1339,"data":1776,"content":1777},{},[1778],{"nodeType":1294,"data":1779,"content":1780},{},[1781],{"nodeType":1293,"value":1782,"marks":1783,"data":1784},"ahrefs-ac.squarespace[.]com",[],{},{"nodeType":1339,"data":1786,"content":1787},{},[1788],{"nodeType":1294,"data":1789,"content":1790},{},[1791],{"nodeType":1293,"value":1792,"marks":1793,"data":1794},"ahrefs-seo-app.squarespace[.]com",[],{},{"nodeType":1339,"data":1796,"content":1797},{},[1798],{"nodeType":1294,"data":1799,"content":1800},{},[1801],{"nodeType":1293,"value":1802,"marks":1803,"data":1804},"slgn-ahrefs-app-com.squarespace[.]com",[],{},{"nodeType":1294,"data":1806,"content":1807},{},[1808],{"nodeType":1293,"value":1809,"marks":1810,"data":1811},"[Update 24th February] We also observed the following new 
domains:",[],{},{"nodeType":1335,"data":1813,"content":1814},{},[1815,1825,1835,1845],{"nodeType":1339,"data":1816,"content":1817},{},[1818],{"nodeType":1294,"data":1819,"content":1820},{},[1821],{"nodeType":1293,"value":1822,"marks":1823,"data":1824},"www-ahrefs-seo-ads[.]surge.sh",[],{},{"nodeType":1339,"data":1826,"content":1827},{},[1828],{"nodeType":1294,"data":1829,"content":1830},{},[1831],{"nodeType":1293,"value":1832,"marks":1833,"data":1834},"web-semrush-seo-wold[.]surge[.]sh",[],{},{"nodeType":1339,"data":1836,"content":1837},{},[1838],{"nodeType":1294,"data":1839,"content":1840},{},[1841],{"nodeType":1293,"value":1842,"marks":1843,"data":1844},"contabelforeehc[.]com",[],{},{"nodeType":1339,"data":1846,"content":1847},{},[1848],{"nodeType":1294,"data":1849,"content":1850},{},[1851],{"nodeType":1293,"value":1852,"marks":1853,"data":1854},"contabelfore[.]com",[],{},{"nodeType":1294,"data":1856,"content":1857},{},[1858],{"nodeType":1293,"value":1859,"marks":1860,"data":1861},"In addition, the following domains were previously associated with the attacks we detected in 
December:",[],{},{"nodeType":1335,"data":1863,"content":1864},{},[1865,1875,1885,1895,1905,1915,1925],{"nodeType":1339,"data":1866,"content":1867},{},[1868],{"nodeType":1294,"data":1869,"content":1870},{},[1871],{"nodeType":1293,"value":1872,"marks":1873,"data":1874},"ads-adsword1.odoo[.]com",[],{},{"nodeType":1339,"data":1876,"content":1877},{},[1878],{"nodeType":1294,"data":1879,"content":1880},{},[1881],{"nodeType":1293,"value":1882,"marks":1883,"data":1884},"sing-operador2[.]click/accounts/v3/login",[],{},{"nodeType":1339,"data":1886,"content":1887},{},[1888],{"nodeType":1294,"data":1889,"content":1890},{},[1891],{"nodeType":1293,"value":1892,"marks":1893,"data":1894},"adsgooglie.odoo[.]com/",[],{},{"nodeType":1339,"data":1896,"content":1897},{},[1898],{"nodeType":1294,"data":1899,"content":1900},{},[1901],{"nodeType":1293,"value":1902,"marks":1903,"data":1904},"word4only[.]online/",[],{},{"nodeType":1339,"data":1906,"content":1907},{},[1908],{"nodeType":1294,"data":1909,"content":1910},{},[1911],{"nodeType":1293,"value":1912,"marks":1913,"data":1914},"adsloginacess.kartra[.]com/page/oeN7",[],{},{"nodeType":1339,"data":1916,"content":1917},{},[1918],{"nodeType":1294,"data":1919,"content":1920},{},[1921],{"nodeType":1293,"value":1922,"marks":1923,"data":1924},"ads-o.odoo[.]com",[],{},{"nodeType":1339,"data":1926,"content":1927},{},[1928],{"nodeType":1294,"data":1929,"content":1930},{},[1931],{"nodeType":1293,"value":1932,"marks":1933,"data":1934},"operador8-ads[.]lat/accounts/v3/login/",[],{},{"nodeType":1294,"data":1936,"content":1937},{},[1938],{"nodeType":1293,"value":1939,"marks":1940,"data":1942},"Push customers do not need to take any further action.",[1941],{"type":1440},{},"Google Search malvertising campaign continues, now impersonating Ahrefs","New samples linked to a Push-tracked malvertising campaign detected, targeting Google accounts via an Ahrefs lure. 
","google-search-malvertising-campaign-continues-now-impersonating-ahrefs",{"items":1947},[1948,1950],{"sys":1949,"name":1309},{"id":1308},{"sys":1951,"name":1305},{"id":1304},{"items":1953},[1954],{"fullName":1955,"firstName":1956,"jobTitle":1957,"profilePicture":1958},"Dan Green","Dan","Threat Research",{"url":1959},"https://images.ctfassets.net/y1cdw1ablpvd/7jik1VhFgA3kgzXBXTm2Vw/fcd8c171da644903d0827eafcfbcaad0/Dan_Headshot_2025.png",{"__typename":1313,"sys":1961,"content":1963,"title":2917,"synopsis":2918,"hashTags":118,"publishedDate":2919,"slug":2920,"tagsCollection":2921,"authorsCollection":2927},{"id":1962},"2sFCww9xnI8okIxhtOaiY1",{"json":1964},{"nodeType":1295,"data":1965,"content":1966},{},[1967,1974,1981,1988,1991,1999,2006,2013,2019,2026,2032,2052,2059,2071,2074,2082,2089,2105,2112,2124,2130,2133,2141,2150,2156,2165,2185,2194,2201,2210,2229,2238,2245,2254,2287,2296,2303,2312,2330,2336,2345,2352,2361,2404,2407,2415,2424,2444,2453,2460,2469,2502,2508,2517,2524,2530,2533,2541,2550,2557,2617,2623,2626,2634,2643,2650,2656,2659,2667,2674,2681,2751,2758,2821,2828,2831,2839,2846,2853,2859,2862,2870,2877,2884,2891],{"nodeType":1294,"data":1968,"content":1969},{},[1970],{"nodeType":1293,"value":1971,"marks":1972,"data":1973},"The biggest cybersecurity story this year (so far) has been the emergence of “Scattered Lapsus$ Hunters” and their record-breaking worldwide hacking spree. ",[],{},{"nodeType":1294,"data":1975,"content":1976},{},[1977],{"nodeType":1293,"value":1978,"marks":1979,"data":1980},"Scattered Lapsus$ Hunters is part of “The Com”, the name for the broad community of English-speaking cybercriminals with international criminal connections — including with nation-state sponsored groups. They are also known to collaborate with a range of cybercrime “as-a-Service” organizations for phishing, initial access, ransomware, and more. 
",[],{},{"nodeType":1294,"data":1982,"content":1983},{},[1984],{"nodeType":1293,"value":1985,"marks":1986,"data":1987},"It’s difficult to pin down exactly who the individuals are that make up this criminal collective. But what is known is their MO — making money through extortion by means of account takeover, mass data theft, and ransomware deployment. ",[],{},{"nodeType":1429,"data":1989,"content":1990},{},[],{"nodeType":1433,"data":1992,"content":1993},{},[1994],{"nodeType":1293,"value":1995,"marks":1996,"data":1998},"How did we get here? ",[1997],{"type":1440},{},{"nodeType":1294,"data":2000,"content":2001},{},[2002],{"nodeType":1293,"value":2003,"marks":2004,"data":2005},"Earlier this year, the threat group known to most analysts as Scattered Spider (also tracked as 0ktapus, Octo Tempest, Scatter Swine, Muddled Libra, and UNC3944) re-emerged after a series of arrests in late 2024. ",[],{},{"nodeType":1294,"data":2007,"content":2008},{},[2009],{"nodeType":1293,"value":2010,"marks":2011,"data":2012},"This group has been active in peaks and troughs over the years, but are mainly known for high-profile ransomware attacks on Caesars and MGM Resorts in 2024. ",[],{},{"nodeType":1388,"data":2014,"content":2018},{"target":2015},{"sys":2016},{"id":2017,"type":1393,"linkType":1394},"1Vt269d7n6IGMzOrJs1FDx",[],{"nodeType":1294,"data":2020,"content":2021},{},[2022],{"nodeType":1293,"value":2023,"marks":2024,"data":2025},"Scattered Spider hit the headlines again in April 2025 with attacks on UK retailers Marks & Spencer and Co-op, which resulted in significant, prolonged disruption, and a serious downstream impact on the retail supply chain. ",[],{},{"nodeType":1388,"data":2027,"content":2031},{"target":2028},{"sys":2029},{"id":2030,"type":1393,"linkType":1394},"3kvcGV2zZZUPnM8IK04Y1O",[],{"nodeType":1294,"data":2033,"content":2034},{},[2035,2039,2048],{"nodeType":1293,"value":2036,"marks":2037,"data":2038},"It didn’t stop there, though. 
What followed was a wide-scale campaign targeting Salesforce customers, with the attackers claiming to have stolen ",[],{},{"nodeType":1350,"data":2040,"content":2042},{"uri":2041},"https://www.bleepingcomputer.com/news/security/shinyhunters-claims-15-billion-salesforce-records-stolen-in-drift-hacks/",[2043],{"nodeType":1293,"value":2044,"marks":2045,"data":2047},"over 1.5 billion records from 1000+ companies",[2046],{"type":1358},{},{"nodeType":1293,"value":2049,"marks":2050,"data":2051}," across multiple verticals, including heavyweights like Google, Cloudflare, Workday, Adidas, FedEx, Disney, LVMH, and many more.",[],{},{"nodeType":1294,"data":2053,"content":2054},{},[2055],{"nodeType":1293,"value":2056,"marks":2057,"data":2058},"Around this time, the attackers began to refer to themselves as part of a wider collective, assuming the moniker “Scattered Lapsus$ Hunters” (a mash-up of names given by analysts and self-adopted by attackers — Scattered Spider, ShinyHunters, and Lapsus$).",[],{},{"nodeType":1294,"data":2060,"content":2061},{},[2062,2066],{"nodeType":1293,"value":2063,"marks":2064,"data":2065},"The most significant breach this year to-date impacted Jaguar Land Rover. A ransomware attack resulted in months of disruption that directly impacted the UK’s GDP, with the government underwriting a $1.5B loan to alleviate the supply chain impact. ",[],{},{"nodeType":1293,"value":2067,"marks":2068,"data":2070},"In fact, this was the most economically consequential cyber attack yet recorded in a G7 economy. 
",[2069],{"type":1440},{},{"nodeType":1429,"data":2072,"content":2073},{},[],{"nodeType":1433,"data":2075,"content":2076},{},[2077],{"nodeType":1293,"value":2078,"marks":2079,"data":2081},"2025 wasn’t a one-off",[2080],{"type":1440},{},{"nodeType":1294,"data":2083,"content":2084},{},[2085],{"nodeType":1293,"value":2086,"marks":2087,"data":2088},"The developments through 2025 have presented a stronger picture than ever before that cybercriminal operations are heavily interlinked. Groups overlap considerably, and individuals freely move between different cells. ",[],{},{"nodeType":1294,"data":2090,"content":2091},{},[2092,2096,2101],{"nodeType":1293,"value":2093,"marks":2094,"data":2095},"When we scratch beneath the surface, this is evident in the tactics, techniques and procedures (TTPs) used by these attackers — even stretching as far back as 2021 with the initial rise of Lapsus$. This is not an accident. ",[],{},{"nodeType":1293,"value":2097,"marks":2098,"data":2100},"The TTPs used show a conscious move by attackers to move away from environments that are well-protected by traditional security tools. ",[2099],{"type":1440},{},{"nodeType":1293,"value":2102,"marks":2103,"data":2104},"This means avoiding targeting endpoints with malware, and not relying on software-based exploits. Instead, these attackers look to take over apps and services directly over the internet. ",[],{},{"nodeType":1294,"data":2106,"content":2107},{},[2108],{"nodeType":1293,"value":2109,"marks":2110,"data":2111},"Most of the time, this is as simple as logging in to a SaaS app, or an enterprise SSO account (e.g. Microsoft, Okta, or Google) and dumping the data. For attackers that want to take it further, they can abuse the sprawl of interconnected apps that make up modern business IT, seeking out specific data or exploitable functionality. 
Or, they can leverage internet-accessible management portals to chart a path back to your on-premise assets, giving them everything they need to pivot toward more conventional methods such as ransomware deployment. ",[],{},{"nodeType":1294,"data":2113,"content":2114},{},[2115,2119],{"nodeType":1293,"value":2116,"marks":2117,"data":2118},"When we look at historical breaches, the pattern is clear. ",[],{},{"nodeType":1293,"value":2120,"marks":2121,"data":2123},"Not one of the attacks attributed to Scattered Lapsus$ Hunters, or its predecessors, started with an endpoint or network attack — they all began with account takeover. ",[2122],{"type":1440},{},{"nodeType":1388,"data":2125,"content":2129},{"target":2126},{"sys":2127},{"id":2128,"type":1393,"linkType":1394},"6poP5VM2ARrEvwKEG42HgK",[],{"nodeType":1429,"data":2131,"content":2132},{},[],{"nodeType":1433,"data":2134,"content":2135},{},[2136],{"nodeType":1293,"value":2137,"marks":2138,"data":2140},"TTP breakdown: Analysing the top “Scattered Lapsus$ Hunters” breaches since 2021",[2139],{"type":1440},{},{"nodeType":2142,"data":2143,"content":2144},"heading-2",{},[2145],{"nodeType":1293,"value":2146,"marks":2147,"data":2149},"Phishing and stolen credentials",[2148],{"type":1440},{},{"nodeType":1388,"data":2151,"content":2155},{"target":2152},{"sys":2153},{"id":2154,"type":1393,"linkType":1394},"4SNOanDIdGZsvRRnMYQVSo",[],{"nodeType":1294,"data":2157,"content":2158},{},[2159],{"nodeType":1293,"value":2160,"marks":2161,"data":2164},"EA Games (2021)",[2162,2163],{"type":1440},{"type":1358},{},{"nodeType":1294,"data":2166,"content":2167},{},[2168,2172,2181],{"nodeType":1293,"value":2169,"marks":2170,"data":2171},"Attackers used stolen session cookies to log into EA’s Slack instance, purchased on a criminal forum. 
Combined with ",[],{},{"nodeType":1350,"data":2173,"content":2175},{"uri":2174},"https://pushsecurity.com/blog/phishing-slack-persistence/",[2176],{"nodeType":1293,"value":2177,"marks":2178,"data":2180},"social engineering via Slack",[2179],{"type":1358},{},{"nodeType":1293,"value":2182,"marks":2183,"data":2184},", this was used to steal 750GB of data, including video game source code. ",[],{},{"nodeType":1294,"data":2186,"content":2187},{},[2188],{"nodeType":1293,"value":2189,"marks":2190,"data":2193},"Nvidia (2022)",[2191,2192],{"type":1440},{"type":1358},{},{"nodeType":1294,"data":2195,"content":2196},{},[2197],{"nodeType":1293,"value":2198,"marks":2199,"data":2200},"Attackers used stolen credentials to steal 1TB of data from Nvidia’s internal shares, including a significant amount of sensitive information about the designs of Nvidia graphics cards, source code, and the usernames and passwords of more than 71,000 Nvidia employees.",[],{},{"nodeType":1294,"data":2202,"content":2203},{},[2204],{"nodeType":1293,"value":2205,"marks":2206,"data":2209},"Microsoft (2022)",[2207,2208],{"type":1440},{"type":1358},{},{"nodeType":1294,"data":2211,"content":2212},{},[2213,2217,2225],{"nodeType":1293,"value":2214,"marks":2215,"data":2216},"Attackers used stolen credentials combined with SIM swapping and ",[],{},{"nodeType":1350,"data":2218,"content":2220},{"uri":2219},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/mfa_fatigue/description.md",[2221],{"nodeType":1293,"value":2222,"marks":2223,"data":2224},"MFA fatigue",[],{},{"nodeType":1293,"value":2226,"marks":2227,"data":2228}," attacks to steal Azure DevOps source code, then leaked a 9GB archive of Microsoft source code — including ~90% of Bing and 45% of Cortana code. 
",[],{},{"nodeType":1294,"data":2230,"content":2231},{},[2232],{"nodeType":1293,"value":2233,"marks":2234,"data":2237},"T-Mobile (2022)",[2235,2236],{"type":1440},{"type":1358},{},{"nodeType":1294,"data":2239,"content":2240},{},[2241],{"nodeType":1293,"value":2242,"marks":2243,"data":2244},"Attackers used stolen credentials to establish initial access, coupled with social engineering T-Mobile staff into approving the attacker’s device for VPN access. This resulted in source code being stolen from over 30,000 repositories. ",[],{},{"nodeType":1294,"data":2246,"content":2247},{},[2248],{"nodeType":1293,"value":2249,"marks":2250,"data":2253},"Snowflake (165 customers) (2024)",[2251,2252],{"type":1440},{"type":1358},{},{"nodeType":1294,"data":2255,"content":2256},{},[2257,2261,2270,2274,2283],{"nodeType":1293,"value":2258,"marks":2259,"data":2260},"Attackers targeted ",[],{},{"nodeType":1350,"data":2262,"content":2264},{"uri":2263},"https://pushsecurity.com/blog/snowflake-retro/",[2265],{"nodeType":1293,"value":2266,"marks":2267,"data":2269},"165 Snowflake customers",[2268],{"type":1358},{},{"nodeType":1293,"value":2271,"marks":2272,"data":2273}," using stolen credentials from credential breaches dating back as far as 2020. Due to widespread MFA gaps and the presence of ",[],{},{"nodeType":1350,"data":2275,"content":2277},{"uri":2276},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/ghost_logins/description.md",[2278],{"nodeType":1293,"value":2279,"marks":2280,"data":2282},"ghost logins",[2281],{"type":1358},{},{"nodeType":1293,"value":2284,"marks":2285,"data":2286},", attackers were able to simply log in to individual customer tenants, dump the data, and use it to extort the companies. In total, 9 public victims were named following the breach, with over 1B breached customer records. 
",[],{},{"nodeType":1294,"data":2288,"content":2289},{},[2290],{"nodeType":1293,"value":2291,"marks":2292,"data":2295},"PowerSchool (2024)",[2293,2294],{"type":1440},{"type":1358},{},{"nodeType":1294,"data":2297,"content":2298},{},[2299],{"nodeType":1293,"value":2300,"marks":2301,"data":2302},"Attackers gained access to a community-focused customer support portal, PowerSource, using compromised credentials and stole data using an \"export data manager\" customer support tool, stealing the data of 62.4 million students and 9.5 million teachers. PowerSchool paid an undisclosed ransom fee, but hackers returned later to extort schools and individuals separately anyway.",[],{},{"nodeType":1294,"data":2304,"content":2305},{},[2306],{"nodeType":1293,"value":2307,"marks":2308,"data":2311},"Red Hat (2025)",[2309,2310],{"type":1440},{"type":1358},{},{"nodeType":1294,"data":2313,"content":2314},{},[2315,2319,2326],{"nodeType":1293,"value":2316,"marks":2317,"data":2318},"Attackers breached Red Hat’s GitLab instance via a compromised account — the result of ",[],{},{"nodeType":1350,"data":2320,"content":2321},{"uri":2276},[2322],{"nodeType":1293,"value":2279,"marks":2323,"data":2325},[2324],{"type":1358},{},{"nodeType":1293,"value":2327,"marks":2328,"data":2329}," providing a backdoor to access an otherwise secure, SSO-connected account. Stolen data included approximately 800 Customer Engagement Reports (CERs), authentication tokens, full database URIs, and other private information in Red Hat code and CERs, which they claimed to use to gain access to downstream customer infrastructure. 
",[],{},{"nodeType":1388,"data":2331,"content":2335},{"target":2332},{"sys":2333},{"id":2334,"type":1393,"linkType":1394},"G1V7d5Dvevmr9p0YXElPX",[],{"nodeType":1294,"data":2337,"content":2338},{},[2339],{"nodeType":1293,"value":2340,"marks":2341,"data":2344},"Discord (2025)",[2342,2343],{"type":1440},{"type":1358},{},{"nodeType":1294,"data":2346,"content":2347},{},[2348],{"nodeType":1293,"value":2349,"marks":2350,"data":2351},"Attackers compromised a Zendesk customer support account, stealing 1.6TB of data. The hackers say this consisted of roughly 8.4 million tickets affecting 5.5 million unique users, and that about 580,000 users contained payment information.",[],{},{"nodeType":1294,"data":2353,"content":2354},{},[2355],{"nodeType":1293,"value":2356,"marks":2357,"data":2360},"SoundCloud, MatchGroup, Crunchbase, Betterment... (2026)",[2358,2359],{"type":1440},{"type":1358},{},{"nodeType":1294,"data":2362,"content":2363},{},[2364,2368,2376,2380,2388,2392,2400],{"nodeType":1293,"value":2365,"marks":2366,"data":2367},"Scattered Lapsus$ Hunters have already claimed several public victims in 2026, with over 60 million breached records. 
",[],{},{"nodeType":1350,"data":2369,"content":2371},{"uri":2370},"https://www.bleepingcomputer.com/news/security/shinyhunters-claim-to-be-behind-sso-account-data-theft-attacks/",[2372],{"nodeType":1293,"value":2373,"marks":2374,"data":2375},"SoundCloud, Betterment, Crunchbase",[],{},{"nodeType":1293,"value":2377,"marks":2378,"data":2379}," and ",[],{},{"nodeType":1350,"data":2381,"content":2383},{"uri":2382},"https://www.bleepingcomputer.com/news/security/match-group-breach-exposes-data-from-hinge-tinder-okcupid-and-match/",[2384],{"nodeType":1293,"value":2385,"marks":2386,"data":2387},"MatchGroup",[],{},{"nodeType":1293,"value":2389,"marks":2390,"data":2391}," have all reported breaches this month, powered by a brand ",[],{},{"nodeType":1350,"data":2393,"content":2395},{"uri":2394},"https://pushsecurity.com/blog/unpacking-the-latest-slh-campaign/",[2396],{"nodeType":1293,"value":2397,"marks":2398,"data":2399},"new real-time-operated AiTM phishing kit",[],{},{"nodeType":1293,"value":2401,"marks":2402,"data":2403}," targeting Okta, Entra, and Google SSO accounts. This is a developing situation, with more victims expected to be announced publicly soon.",[],{},{"nodeType":1429,"data":2405,"content":2406},{},[],{"nodeType":2142,"data":2408,"content":2409},{},[2410],{"nodeType":1293,"value":2411,"marks":2412,"data":2414},"Vishing and help desk scams",[2413],{"type":1440},{},{"nodeType":1294,"data":2416,"content":2417},{},[2418],{"nodeType":1293,"value":2419,"marks":2420,"data":2423},"MGM Resorts & Caesars (2023)",[2421,2422],{"type":1440},{"type":1358},{},{"nodeType":1294,"data":2425,"content":2426},{},[2427,2431,2440],{"nodeType":1293,"value":2428,"marks":2429,"data":2430},"MGM Resorts and Caesars were hit with twin breaches in 2023. 
Attackers socially engineered help desk personnel to take over accounts with Super Administrator privileges within MGM Resorts’ Okta tenant, which they then used to register a second, attacker-controlled IdP via ",[],{},{"nodeType":1350,"data":2432,"content":2434},{"uri":2433},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/inbound_federation/description.md",[2435],{"nodeType":1293,"value":2436,"marks":2437,"data":2439},"inbound federation",[2438],{"type":1358},{},{"nodeType":1293,"value":2441,"marks":2442,"data":2443}," — granting comprehensive access that was used to deploy ransomware. ",[],{},{"nodeType":1294,"data":2445,"content":2446},{},[2447],{"nodeType":1293,"value":2448,"marks":2449,"data":2452},"Transport for London (2024)",[2450,2451],{"type":1440},{"type":1358},{},{"nodeType":1294,"data":2454,"content":2455},{},[2456],{"nodeType":1293,"value":2457,"marks":2458,"data":2459},"Attackers socially engineered the Transport for London help desk to gain privileged access to the IT environment, resulting in prolonged disruption to key online services underpinning London’s public transport network, theft of 5,000 users’ bank details, and all 30,000 staff members having to reset their online credentials in person.",[],{},{"nodeType":1294,"data":2461,"content":2462},{},[2463],{"nodeType":1293,"value":2464,"marks":2465,"data":2468},"Marks & Spencer (2025)",[2466,2467],{"type":1440},{"type":1358},{},{"nodeType":1294,"data":2470,"content":2471},{},[2472,2476,2485,2489,2498],{"nodeType":1293,"value":2473,"marks":2474,"data":2475},"Attackers compromised a Microsoft Entra account belonging to a privileged user via a ",[],{},{"nodeType":1350,"data":2477,"content":2479},{"uri":2478},"https://pushsecurity.com/blog/scattered-spider-defending-against-help-desk-scams/",[2480],{"nodeType":1293,"value":2481,"marks":2482,"data":2484},"help desk scam",[2483],{"type":1358},{},{"nodeType":1293,"value":2486,"marks":2487,"data":2488},", which enabled them to steal 
sensitive data from cloud environments, as well as pivot to deploy ransomware via the ",[],{},{"nodeType":1350,"data":2490,"content":2492},{"uri":2491},"https://cloud.google.com/blog/topics/threat-intelligence/vsphere-active-directory-integration-risks",[2493],{"nodeType":1293,"value":2494,"marks":2495,"data":2497},"VMware admin console",[2496],{"type":1358},{},{"nodeType":1293,"value":2499,"marks":2500,"data":2501},". This enabled ransomware to be deployed at the hypervisor layer, evading host-based protections like EDR. ",[],{},{"nodeType":1388,"data":2503,"content":2507},{"target":2504},{"sys":2505},{"id":2506,"type":1393,"linkType":1394},"7hBdHG74NaA3bQfOMpYA9o",[],{"nodeType":1294,"data":2509,"content":2510},{},[2511],{"nodeType":1293,"value":2512,"marks":2513,"data":2516},"Jaguar Land Rover (2025)",[2514,2515],{"type":1440},{"type":1358},{},{"nodeType":1294,"data":2518,"content":2519},{},[2520],{"nodeType":1293,"value":2521,"marks":2522,"data":2523},"Attackers compromised highly privileged admin accounts via a help desk scam, which they leveraged to access and deploy ransomware to all aspects of Jaguar’s business, from CAD and engineering software, to payments tracking, to customer car delivery, using similar techniques to the Marks & Spencer breach. 
",[],{},{"nodeType":1388,"data":2525,"content":2529},{"target":2526},{"sys":2527},{"id":2528,"type":1393,"linkType":1394},"6s1X2fo4K9EeVLBmHm4YXb",[],{"nodeType":1429,"data":2531,"content":2532},{},[],{"nodeType":2142,"data":2534,"content":2535},{},[2536],{"nodeType":1293,"value":2537,"marks":2538,"data":2540},"Malicious OAuth integrations",[2539],{"type":1440},{},{"nodeType":1294,"data":2542,"content":2543},{},[2544],{"nodeType":1293,"value":2545,"marks":2546,"data":2549},"Salesforce & Salesloft (1000+ customers) (2025)",[2547,2548],{"type":1440},{"type":1358},{},{"nodeType":1294,"data":2551,"content":2552},{},[2553],{"nodeType":1293,"value":2554,"marks":2555,"data":2556},"A vast campaign against Salesforce customers resulted in the compromise of 1000+ Salesforce tenants (according to the attacker) with more than 1.5 billion records stolen. This campaign consisted of three phases:",[],{},{"nodeType":1335,"data":2558,"content":2559},{},[2560,2575,2590],{"nodeType":1339,"data":2561,"content":2562},{},[2563],{"nodeType":1294,"data":2564,"content":2565},{},[2566,2571],{"nodeType":1293,"value":2567,"marks":2568,"data":2570},"Phase 1:",[2569],{"type":1440},{},{"nodeType":1293,"value":2572,"marks":2573,"data":2574}," The attacker conducted a large-scale vishing campaign against Salesforce customers, calling up users and socially engineering them into connecting a malicious version of the “Data Loader” app into their tenant. This was in fact an attacker-controlled app that enabled data to be mass-exfiltrated via API. ",[],{},{"nodeType":1339,"data":2576,"content":2577},{},[2578],{"nodeType":1294,"data":2579,"content":2580},{},[2581,2586],{"nodeType":1293,"value":2582,"marks":2583,"data":2585},"Phase 2: ",[2584],{"type":1440},{},{"nodeType":1293,"value":2587,"marks":2588,"data":2589},"The attacker conducted a supply-chain compromise against customers of Salesloft. 
Users of Salesloft’s “Drift” integration were impacted by attackers stealing access tokens from Salesloft’s AWS environment. This integration allowed the attacker to steal data from customers that had deployed Drift to connected environments — namely, Salesforce, and Google Workspace. ",[],{},{"nodeType":1339,"data":2591,"content":2592},{},[2593],{"nodeType":1294,"data":2594,"content":2595},{},[2596,2601,2605,2613],{"nodeType":1293,"value":2597,"marks":2598,"data":2600},"Phase 3:",[2599],{"type":1440},{},{"nodeType":1293,"value":2602,"marks":2603,"data":2604}," The attacker then conducted a separate supply-chain compromise involving Gainsight (allegedly using OAuth tokens stolen in the Salesloft attack) which enabled them to ",[],{},{"nodeType":1350,"data":2606,"content":2608},{"uri":2607},"https://www.bleepingcomputer.com/news/security/salesforce-investigates-customer-data-theft-via-gainsight-breach/",[2609],{"nodeType":1293,"value":2610,"marks":2611,"data":2612},"breach a further 285 Salesforce instances",[],{},{"nodeType":1293,"value":2614,"marks":2615,"data":2616}," using stolen OAuth tokens from Gainsight's integrations. 
",[],{},{"nodeType":1388,"data":2618,"content":2622},{"target":2619},{"sys":2620},{"id":2621,"type":1393,"linkType":1394},"3TwjpVKQ42SwQRhvGFbZdn",[],{"nodeType":1429,"data":2624,"content":2625},{},[],{"nodeType":2142,"data":2627,"content":2628},{},[2629],{"nodeType":1293,"value":2630,"marks":2631,"data":2633},"Malicious browser extensions",[2632],{"type":1440},{},{"nodeType":1294,"data":2635,"content":2636},{},[2637],{"nodeType":1293,"value":2638,"marks":2639,"data":2642},"CyberHaven (2024)",[2640,2641],{"type":1440},{"type":1358},{},{"nodeType":1294,"data":2644,"content":2645},{},[2646],{"nodeType":1293,"value":2647,"marks":2648,"data":2649},"Hackers phished a CyberHaven extension developer and uploaded a malicious version of the CyberHaven extension to the Chrome Web Store, leading to customer data breaches where installed in user browsers, impacting CyberHaven’s estimated ~400 business customers. This was part of a broader campaign that targeted 35 Chrome extensions, collectively impacting over 2.5 million users.",[],{},{"nodeType":1388,"data":2651,"content":2655},{"target":2652},{"sys":2653},{"id":2654,"type":1393,"linkType":1394},"4ErDI0xi0Vj2Zrk8Qsb2NB",[],{"nodeType":1429,"data":2657,"content":2658},{},[],{"nodeType":1433,"data":2660,"content":2661},{},[2662],{"nodeType":1293,"value":2663,"marks":2664,"data":2666},"The bigger picture",[2665],{"type":1440},{},{"nodeType":1294,"data":2668,"content":2669},{},[2670],{"nodeType":1293,"value":2671,"marks":2672,"data":2673},"Scattered Lapsus$ Hunters are dominating the headlines right now, but they aren’t the only attackers using these modern techniques and consciously evading established security controls. 
",[],{},{"nodeType":1294,"data":2675,"content":2676},{},[2677],{"nodeType":1293,"value":2678,"marks":2679,"data":2680},"Threat reports agree that attackers are steering away from traditional exploit and malware-driven breaches towards identities:",[],{},{"nodeType":1335,"data":2682,"content":2683},{},[2684,2707,2729],{"nodeType":1339,"data":2685,"content":2686},{},[2687],{"nodeType":1294,"data":2688,"content":2689},{},[2690,2694,2703],{"nodeType":1293,"value":2691,"marks":2692,"data":2693},"Identity-based attacks surged 32% in the last year, while 97% of identity attacks are password-based, driven by credential leaks and infostealer malware. (",[],{},{"nodeType":1350,"data":2695,"content":2697},{"uri":2696},"https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/msc/documents/presentations/CSR/Microsoft-Digital-Defense-Report-2025.pdf#page=1",[2698],{"nodeType":1293,"value":2699,"marks":2700,"data":2702},"Microsoft",[2701],{"type":1358},{},{"nodeType":1293,"value":2704,"marks":2705,"data":2706},")",[],{},{"nodeType":1339,"data":2708,"content":2709},{},[2710],{"nodeType":1294,"data":2711,"content":2712},{},[2713,2717,2726],{"nodeType":1293,"value":2714,"marks":2715,"data":2716},"79% of detections were malware-free in the last year, up from 40% in 2019. (",[],{},{"nodeType":1350,"data":2718,"content":2720},{"uri":2719},"https://www.crowdstrike.com/en-gb/global-threat-report/",[2721],{"nodeType":1293,"value":2722,"marks":2723,"data":2725},"CrowdStrike",[2724],{"type":1358},{},{"nodeType":1293,"value":2704,"marks":2727,"data":2728},[],{},{"nodeType":1339,"data":2730,"content":2731},{},[2732],{"nodeType":1294,"data":2733,"content":2734},{},[2735,2739,2748],{"nodeType":1293,"value":2736,"marks":2737,"data":2738},"Credential abuse and phishing combined accounted for 38% of breaches, making identity the primary breach vector observed. 
(",[],{},{"nodeType":1350,"data":2740,"content":2742},{"uri":2741},"https://www.verizon.com/business/resources/reports/dbir/",[2743],{"nodeType":1293,"value":2744,"marks":2745,"data":2747},"Verizon",[2746],{"type":1358},{},{"nodeType":1293,"value":2704,"marks":2749,"data":2750},[],{},{"nodeType":1294,"data":2752,"content":2753},{},[2754],{"nodeType":1293,"value":2755,"marks":2756,"data":2757},"And other public breaches from this year alone demonstrate similar TTPs from outside of the Scattered Lapsus$ Hunters orbit:",[],{},{"nodeType":1335,"data":2759,"content":2760},{},[2761,2776,2791,2806],{"nodeType":1339,"data":2762,"content":2763},{},[2764],{"nodeType":1294,"data":2765,"content":2766},{},[2767,2772],{"nodeType":1293,"value":2768,"marks":2769,"data":2771},"Nikkei",[2770],{"type":1440},{},{"nodeType":1293,"value":2773,"marks":2774,"data":2775},": Japanese publishing giant Nikkei’s Slack messaging platform was compromised using stolen credentials, leaking the names, email addresses, and chat histories for 17,368 individuals registered on Slack.",[],{},{"nodeType":1339,"data":2777,"content":2778},{},[2779],{"nodeType":1294,"data":2780,"content":2781},{},[2782,2787],{"nodeType":1293,"value":2783,"marks":2784,"data":2786},"Evertec",[2785],{"type":1440},{},{"nodeType":1293,"value":2788,"marks":2789,"data":2790},": Hackers tried to steal $130 million from Evertec’s Brazilian subsidiary Sinqia S.A. after gaining unauthorized access to its environment on the central bank’s real-time payment system (Pix) using stolen credentials.",[],{},{"nodeType":1339,"data":2792,"content":2793},{},[2794],{"nodeType":1294,"data":2795,"content":2796},{},[2797,2802],{"nodeType":1293,"value":2798,"marks":2799,"data":2801},"Hy-Vee:",[2800],{"type":1440},{},{"nodeType":1293,"value":2803,"marks":2804,"data":2805}," Was hit with a data breach after hackers logged in with stolen credentials, exposing 53GB of sensitive 
data.",[],{},{"nodeType":1339,"data":2807,"content":2808},{},[2809],{"nodeType":1294,"data":2810,"content":2811},{},[2812,2817],{"nodeType":1293,"value":2813,"marks":2814,"data":2816},"Scania: ",[2815],{"type":1440},{},{"nodeType":1293,"value":2818,"marks":2819,"data":2820},"Automotive giant Scania confirmed it suffered a cybersecurity incident where threat actors used compromised credentials to breach its Financial Services systems and steal insurance claim documents.",[],{},{"nodeType":1294,"data":2822,"content":2823},{},[2824],{"nodeType":1293,"value":2825,"marks":2826,"data":2827},"Scattered Lapsus$ Hunters may be grabbing the headlines — but this is a huge movement in a vast and flexible community of attackers. And criminals around the world are learning from their success. ",[],{},{"nodeType":1429,"data":2829,"content":2830},{},[],{"nodeType":1433,"data":2832,"content":2833},{},[2834],{"nodeType":1293,"value":2835,"marks":2836,"data":2838},"Lessons learned",[2837],{"type":1440},{},{"nodeType":1294,"data":2840,"content":2841},{},[2842],{"nodeType":1293,"value":2843,"marks":2844,"data":2845},"The common thread with all of these attacks is that they are evading established security controls by targeting applications directly, over the internet, via account takeover.",[],{},{"nodeType":1294,"data":2847,"content":2848},{},[2849],{"nodeType":1293,"value":2850,"marks":2851,"data":2852},"Clearly, the success of these attacks shows the limitations of multiple control layers. Endpoint and network layer controls have no visibility of this attack surface. Identity-focused controls are being undermined by ghost logins and shadow IT. And cloud security controls are limited in their ability to encompass all apps, and to detect and stop malicious actions in real time (which often blend in seamlessly with normal user activity). 
",[],{},{"nodeType":1388,"data":2854,"content":2858},{"target":2855},{"sys":2856},{"id":2857,"type":1393,"linkType":1394},"4Dg3fZEGf7ShyQJ8jlNDME",[],{"nodeType":1429,"data":2860,"content":2861},{},[],{"nodeType":1433,"data":2863,"content":2864},{},[2865],{"nodeType":1293,"value":2866,"marks":2867,"data":2869},"How Push can help",[2868],{"type":1440},{},{"nodeType":1294,"data":2871,"content":2872},{},[2873],{"nodeType":1293,"value":2874,"marks":2875,"data":2876},"Stopping attacks that are designed to evade established controls is in our DNA — it’s the reason Push was founded. ",[],{},{"nodeType":1294,"data":2878,"content":2879},{},[2880],{"nodeType":1293,"value":2881,"marks":2882,"data":2883},"The browser is the gateway to the apps and identities that attackers are now targeting, with many attacks taking place inside the user’s browser — whether that’s entering credentials onto a phishing page, approving a malicious OAuth grant, installing a risky browser extension, or insecurely accessing an app with a weak password and no MFA. ",[],{},{"nodeType":1294,"data":2885,"content":2886},{},[2887],{"nodeType":1293,"value":2888,"marks":2889,"data":2890},"Push’s browser-based security platform provides comprehensive detection and response capabilities against attacks like AiTM phishing, credential stuffing, malicious browser extensions, malicious OAuth grants, ClickFix, and session hijacking. 
You don’t need to wait until it all goes wrong either — you can use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, and more to harden your attack surface.",[],{},{"nodeType":1294,"data":2892,"content":2893},{},[2894,2897,2904,2907,2914],{"nodeType":1293,"value":1695,"marks":2895,"data":2896},[],{},{"nodeType":1350,"data":2898,"content":2899},{"uri":1700},[2900],{"nodeType":1293,"value":1703,"marks":2901,"data":2903},[2902],{"type":1358},{},{"nodeType":1293,"value":1708,"marks":2905,"data":2906},[],{},{"nodeType":1350,"data":2908,"content":2909},{"uri":1713},[2910],{"nodeType":1293,"value":1716,"marks":2911,"data":2913},[2912],{"type":1358},{},{"nodeType":1293,"value":1721,"marks":2915,"data":2916},[],{},"\"Scattered Lapsus$ Hunters\" — how modern attackers exploit the gaps in your security stack ","How Scattered Lapsus$ Hunters breaches demonstrate the evolution of attacker TTPs, shaping the future of cyber 
attacks.","2025-11-13T00:00:00.000Z","scattered-lapsus-hunters",{"items":2922},[2923,2925],{"sys":2924,"name":1305},{"id":1304},{"sys":2926,"name":1309},{"id":1308},{"items":2928},[2929],{"fullName":1955,"firstName":1956,"jobTitle":1957,"profilePicture":2930},{"url":1959},{"__typename":1313,"sys":2932,"content":2934,"title":3609,"synopsis":3610,"hashTags":118,"publishedDate":3611,"slug":3612,"tagsCollection":3613,"authorsCollection":3619},{"id":2933},"5CqV6e5wfHsfEVczkWSerZ",{"json":2935},{"nodeType":1295,"data":2936,"content":2937},{},[2938,2944,2951,2958,2961,2969,2976,2983,2990,3084,3090,3096,3102,3109,3116,3136,3139,3147,3154,3161,3168,3213,3220,3266,3272,3279,3286,3289,3297,3304,3311,3318,3392,3398,3404,3436,3442,3462,3468,3475,3482,3488,3491,3499,3506,3539,3546,3549,3557,3564,3571,3597,3603],{"nodeType":1388,"data":2939,"content":2943},{"target":2940},{"sys":2941},{"id":2942,"type":1393,"linkType":1394},"1axcGwWxeKxDMk8jOWhYT6",[],{"nodeType":1294,"data":2945,"content":2946},{},[2947],{"nodeType":1293,"value":2948,"marks":2949,"data":2950},"2025 saw a huge amount of attacker innovation when it comes to phishing attacks, as attackers continue to double down on identity-based techniques. The continual evolution of phishing means it remains one of the most effective methods available to attackers today — in fact, it’s arguably more effective than ever. ",[],{},{"nodeType":1294,"data":2952,"content":2953},{},[2954],{"nodeType":1293,"value":2955,"marks":2956,"data":2957},"Let’s take a closer look at the key trends that defined phishing attacks in 2025, and what these changes mean for security teams heading into 2026. 
",[],{},{"nodeType":1429,"data":2959,"content":2960},{},[],{"nodeType":1433,"data":2962,"content":2963},{},[2964],{"nodeType":1293,"value":2965,"marks":2966,"data":2968},"#1: Phishing goes omni-channel",[2967],{"type":1440},{},{"nodeType":1294,"data":2970,"content":2971},{},[2972],{"nodeType":1293,"value":2973,"marks":2974,"data":2975},"We’ve been talking about the rise of non-email phishing for some time now, but 2025 was the year phishing truly went omni-channel. ",[],{},{"nodeType":1294,"data":2977,"content":2978},{},[2979],{"nodeType":1293,"value":2980,"marks":2981,"data":2982},"Although most of the industry’s data on phishing still comes from email security vendors and tools, the picture is starting to change. Roughly 1 in 3 phishing attacks detected by Push Security were delivered outside of email. ",[],{},{"nodeType":1294,"data":2984,"content":2985},{},[2986],{"nodeType":1293,"value":2987,"marks":2988,"data":2989},"There are many examples of phishing campaigns operated outside of email, with LinkedIn DMs and Google Search being the top channels we identified. 
Notable campaigns include:",[],{},{"nodeType":1335,"data":2991,"content":2992},{},[2993,3015,3037],{"nodeType":1339,"data":2994,"content":2995},{},[2996],{"nodeType":1294,"data":2997,"content":2998},{},[2999,3002,3011],{"nodeType":1293,"value":37,"marks":3000,"data":3001},[],{},{"nodeType":1350,"data":3003,"content":3005},{"uri":3004},"https://pushsecurity.com/blog/how-push-stopped-a-high-risk-linkedin-spear-phishing-attack",[3006],{"nodeType":1293,"value":3007,"marks":3008,"data":3010},"A targeted campaign against tech company execs",[3009],{"type":1358},{},{"nodeType":1293,"value":3012,"marks":3013,"data":3014}," delivered via compromised accounts on LinkedIn from other employees of the same organization, framed as an investment opportunity.",[],{},{"nodeType":1339,"data":3016,"content":3017},{},[3018],{"nodeType":1294,"data":3019,"content":3020},{},[3021,3024,3033],{"nodeType":1293,"value":37,"marks":3022,"data":3023},[],{},{"nodeType":1350,"data":3025,"content":3027},{"uri":3026},"https://pushsecurity.com/blog/new-phishing-campaign-identified-targeting-linkedin-users",[3028],{"nodeType":1293,"value":3029,"marks":3030,"data":3032},"A campaign posing as a South American investment fund",[3031],{"type":1358},{},{"nodeType":1293,"value":3034,"marks":3035,"data":3036}," offering the opportunity to join the fund. 
",[],{},{"nodeType":1339,"data":3038,"content":3039},{},[3040],{"nodeType":1294,"data":3041,"content":3042},{},[3043,3047,3056,3060,3068,3072,3080],{"nodeType":1293,"value":3044,"marks":3045,"data":3046},"Several malvertising campaigns capturing users searching for key search terms such as “",[],{},{"nodeType":1350,"data":3048,"content":3050},{"uri":3049},"https://pushsecurity.com/blog/analysing-a-malvertising-attack-targeting-business-google-accounts",[3051],{"nodeType":1293,"value":3052,"marks":3053,"data":3055},"Google Ads",[3054],{"type":1358},{},{"nodeType":1293,"value":3057,"marks":3058,"data":3059},"”, “",[],{},{"nodeType":1350,"data":3061,"content":3063},{"uri":3062},"https://pushsecurity.com/blog/analysing-a-sophisticated-google-malvertising-attack",[3064],{"nodeType":1293,"value":1611,"marks":3065,"data":3067},[3066],{"type":1358},{},{"nodeType":1293,"value":3069,"marks":3070,"data":3071},"” and “",[],{},{"nodeType":1350,"data":3073,"content":3075},{"uri":3074},"https://pushsecurity.com/blog/investigating-a-recent-malvertising-campaign-targeting-onfido-customers",[3076],{"nodeType":1293,"value":1637,"marks":3077,"data":3079},[3078],{"type":1358},{},{"nodeType":1293,"value":3081,"marks":3082,"data":3083},"”. ",[],{},{"nodeType":1388,"data":3085,"content":3089},{"target":3086},{"sys":3087},{"id":3088,"type":1393,"linkType":1394},"3LjyZooaJQ83eJt8DRX9bP",[],{"nodeType":1388,"data":3091,"content":3095},{"target":3092},{"sys":3093},{"id":3094,"type":1393,"linkType":1394},"644LdQYjRHerpKU5pCGv1n",[],{"nodeType":1388,"data":3097,"content":3101},{"target":3098},{"sys":3099},{"id":3100,"type":1393,"linkType":1394},"3anCGk5A4AOVH1t9dr1xKp",[],{"nodeType":1294,"data":3103,"content":3104},{},[3105],{"nodeType":1293,"value":3106,"marks":3107,"data":3108},"Phishing via non-email channels has a number of advantages. With email being the best protected phishing vector, it sidesteps these controls entirely. 
There’s no need to build up your sender reputation, find ways to trick content analysis engines, or hope your message doesn’t end up in the spam folder.",[],{},{"nodeType":1294,"data":3110,"content":3111},{},[3112],{"nodeType":1293,"value":3113,"marks":3114,"data":3115},"In comparison, non-email vectors have practically no screening, your security team has no visibility, and users are less likely to anticipate possible phishing. It’s arguable that a company Exec is more likely to engage with a LinkedIn DM from a reputable account than a cold email. And social media apps do nothing to analyse messages for phishing links. (And because of the limitations of URL-based checks when it comes to today’s multi-stage phishing attacks, this would be extremely difficult even if they tried). ",[],{},{"nodeType":1294,"data":3117,"content":3118},{},[3119,3123,3132],{"nodeType":1293,"value":3120,"marks":3121,"data":3122},"Search engines also present a huge opportunity for attackers, whether they’re compromising existing, high reputation sites, spinning up malicious ads, or simply vibe coding their own SEO-optimised websites. This is an effective way to launch “watering hole” style attacks, casting a wide net to harvest credentials and account access that can be re-sold to other criminals for a fee, or leveraged by partners in the cybercriminal ecosystem as part of major cyber breaches (such as the recent attacks by the “",[],{},{"nodeType":1350,"data":3124,"content":3126},{"uri":3125},"https://pushsecurity.com/blog/scattered-lapsus-hunters",[3127],{"nodeType":1293,"value":3128,"marks":3129,"data":3131},"Scattered Lapsus$ Hunters",[3130],{"type":1358},{},{"nodeType":1293,"value":3133,"marks":3134,"data":3135},"” criminal collective, all of which began with identity-based initial access). 
",[],{},{"nodeType":1429,"data":3137,"content":3138},{},[],{"nodeType":1433,"data":3140,"content":3141},{},[3142],{"nodeType":1293,"value":3143,"marks":3144,"data":3146},"#2: Criminal PhaaS kits dominate",[3145],{"type":1440},{},{"nodeType":1294,"data":3148,"content":3149},{},[3150],{"nodeType":1293,"value":3151,"marks":3152,"data":3153},"The vast majority of phishing attacks today use a reverse proxy. This means they are capable of bypassing most forms of MFA because a session is created and stolen in real time as part of the attack. There is no downside to this approach compared to the basic credential phishing that was the norm more than a decade ago.",[],{},{"nodeType":1294,"data":3155,"content":3156},{},[3157],{"nodeType":1293,"value":3158,"marks":3159,"data":3160},"These Attacker-in-the-Middle attacks are powered by criminal Phishing-as-a-Service (PhaaS) kits such as Tycoon, NakedPages, Sneaky2FA, Flowerstorm, Salty2FA, along with various Evilginx variations (nominally a tool for red teamers, but widely used by attackers). ",[],{},{"nodeType":1294,"data":3162,"content":3163},{},[3164],{"nodeType":1293,"value":3165,"marks":3166,"data":3167},"PhaaS kits are incredibly important to cybercrime because they make sophisticated and continuously evolving capabilities available to the criminal marketplace, lowering the barrier to entry for criminals running advanced phishing campaigns. This is not unique to phishing: Ransomware-as-a-Service, Credential Stuffing-as-a-Service, and many more for-hire tools and services exist for criminals to use for a fee. 
",[],{},{"nodeType":1294,"data":3169,"content":3170},{},[3171,3175,3184,3187,3196,3200,3209],{"nodeType":1293,"value":3172,"marks":3173,"data":3174},"This competitive environment has fuelled attacker innovation, resulting in an environment in which MFA-bypass is table stakes, phishing-resistant authentication is being circumvented through ",[],{},{"nodeType":1350,"data":3176,"content":3178},{"uri":3177},"https://pushsecurity.com/blog/mfa-downgrade-attacks",[3179],{"nodeType":1293,"value":3180,"marks":3181,"data":3183},"downgrade attacks",[3182],{"type":1358},{},{"nodeType":1293,"value":1629,"marks":3185,"data":3186},[],{},{"nodeType":1350,"data":3188,"content":3190},{"uri":3189},"https://phishing-techniques.pushsecurity.com/",[3191],{"nodeType":1293,"value":3192,"marks":3193,"data":3195},"detection evasion techniques",[3194],{"type":1358},{},{"nodeType":1293,"value":3197,"marks":3198,"data":3199}," are being used to circumvent security tools — from email scanners, to web-crawling security tools, to web proxies analyzing network traffic. It also means that when new capabilities emerge — such as ",[],{},{"nodeType":1350,"data":3201,"content":3203},{"uri":3202},"https://pushsecurity.com/blog/analyzing-the-latest-sneaky2fa-phishing-page",[3204],{"nodeType":1293,"value":3205,"marks":3206,"data":3208},"Browser-in-the-Browser",[3207],{"type":1358},{},{"nodeType":1293,"value":3210,"marks":3211,"data":3212}," — these are quickly integrated into a range of phishing kits. ",[],{},{"nodeType":1294,"data":3214,"content":3215},{},[3216],{"nodeType":1293,"value":3217,"marks":3218,"data":3219},"Some of the most prevalent detection evasion methods we’ve seen this year are:",[],{},{"nodeType":1335,"data":3221,"content":3222},{},[3223,3233,3243],{"nodeType":1339,"data":3224,"content":3225},{},[3226],{"nodeType":1294,"data":3227,"content":3228},{},[3229],{"nodeType":1293,"value":3230,"marks":3231,"data":3232},"Widespread use of bot protection. 
Every phishing page today comes with either a custom CAPTCHA or Cloudflare Turnstile (legitimate and fake versions) designed to block web-crawling security bots from being able to analyse phishing pages. ",[],{},{"nodeType":1339,"data":3234,"content":3235},{},[3236],{"nodeType":1294,"data":3237,"content":3238},{},[3239],{"nodeType":1293,"value":3240,"marks":3241,"data":3242},"Extensive redirect chains between the initial link seeded out to the victim, and the actual malicious page hosting phishing content, designed to bury phishing sites among several legitimate pages. ",[],{},{"nodeType":1339,"data":3244,"content":3245},{},[3246],{"nodeType":1294,"data":3247,"content":3248},{},[3249,3253,3262],{"nodeType":1293,"value":3250,"marks":3251,"data":3252},"Multi-stage page loading performed client-side via JavaScript. This means that pages are ",[],{},{"nodeType":1350,"data":3254,"content":3256},{"uri":3255},"https://phishing-techniques.pushsecurity.com/techniques/conditional-loading/",[3257],{"nodeType":1293,"value":3258,"marks":3259,"data":3261},"conditionally loaded",[3260],{"type":1358},{},{"nodeType":1293,"value":3263,"marks":3264,"data":3265},", and if conditions aren’t met, malicious content isn’t served — so the page looks clean. This also means that most of the malicious activity is happening locally, without creating web requests that can be analysed by network traffic analysis tools (e.g. web proxies). ",[],{},{"nodeType":1388,"data":3267,"content":3271},{"target":3268},{"sys":3269},{"id":3270,"type":1393,"linkType":1394},"5LLgjhCexTYd5OlHuptv3n",[],{"nodeType":1294,"data":3273,"content":3274},{},[3275],{"nodeType":1293,"value":3276,"marks":3277,"data":3278},"This contributes to an environment where phishing is going undetected for extended periods of time. Even when a page is flagged, it’s trivial for attackers to dynamically serve up different phishing pages from the same benign chain of URLs used in the attack. 
",[],{},{"nodeType":1294,"data":3280,"content":3281},{},[3282],{"nodeType":1293,"value":3283,"marks":3284,"data":3285},"This is all to say that the old-school approach to URL blocking bad sites is becoming much harder and leaves you two steps behind attackers at all times.",[],{},{"nodeType":1429,"data":3287,"content":3288},{},[],{"nodeType":1433,"data":3290,"content":3291},{},[3292],{"nodeType":1293,"value":3293,"marks":3294,"data":3296},"#3: Attackers find ways around phishing-resistant authentication (and other security controls)",[3295],{"type":1440},{},{"nodeType":1294,"data":3298,"content":3299},{},[3300],{"nodeType":1293,"value":3301,"marks":3302,"data":3303},"We already mentioned that MFA downgrade has been an area of focus for security researchers and attackers. But phishing-resistant authentication methods (i.e. passkeys) remain effective so long as the phishing-resistant factor is the only possible login factor, and there are no backup methods enabled for the account. (Though because of the logistical issues of having just one factor, this is fairly uncommon.) ",[],{},{"nodeType":1294,"data":3305,"content":3306},{},[3307],{"nodeType":1293,"value":3308,"marks":3309,"data":3310},"Equally, access control policies can be applied on larger enterprise apps and cloud platforms to reduce the risk of unauthorized access (although these can be tricky to implement and maintain without error).",[],{},{"nodeType":1294,"data":3312,"content":3313},{},[3314],{"nodeType":1293,"value":3315,"marks":3316,"data":3317},"In any case, attackers are considering all eventualities and looking for alternative ways into accounts that are less well protected. 
This mainly involves attackers circumventing the standard authentication process, through techniques such as:",[],{},{"nodeType":1335,"data":3319,"content":3320},{},[3321,3349,3377],{"nodeType":1339,"data":3322,"content":3323},{},[3324],{"nodeType":1294,"data":3325,"content":3326},{},[3327,3330,3340,3345],{"nodeType":1293,"value":37,"marks":3328,"data":3329},[],{},{"nodeType":1350,"data":3331,"content":3333},{"uri":3332},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/consent_phishing/description.md",[3334],{"nodeType":1293,"value":3335,"marks":3336,"data":3339},"Consent phishing",[3337,3338],{"type":1358},{"type":1440},{},{"nodeType":1293,"value":3341,"marks":3342,"data":3344},":",[3343],{"type":1440},{},{"nodeType":1293,"value":3346,"marks":3347,"data":3348}," Tricking victims into connecting malicious OAuth apps into their app tenant.",[],{},{"nodeType":1339,"data":3350,"content":3351},{},[3352],{"nodeType":1294,"data":3353,"content":3354},{},[3355,3358,3368,3373],{"nodeType":1293,"value":37,"marks":3356,"data":3357},[],{},{"nodeType":1350,"data":3359,"content":3361},{"uri":3360},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/device_code_phishing/description.md",[3362],{"nodeType":1293,"value":3363,"marks":3364,"data":3367},"Device code phishing",[3365,3366],{"type":1358},{"type":1440},{},{"nodeType":1293,"value":3369,"marks":3370,"data":3372},": ",[3371],{"type":1440},{},{"nodeType":1293,"value":3374,"marks":3375,"data":3376},"The same as consent phishing, but authorizing through the device code flow designed for device logins that cannot support OAuth, by providing a substitute passcode. 
",[],{},{"nodeType":1339,"data":3378,"content":3379},{},[3380],{"nodeType":1294,"data":3381,"content":3382},{},[3383,3388],{"nodeType":1293,"value":3384,"marks":3385,"data":3387},"Malicious browser extensions: ",[3386],{"type":1440},{},{"nodeType":1293,"value":3389,"marks":3390,"data":3391},"Tricking victims into installing a malicious extension (or hijacking an existing one) to steal credentials and cookies from the browser. ",[],{},{"nodeType":1388,"data":3393,"content":3397},{"target":3394},{"sys":3395},{"id":3396,"type":1393,"linkType":1394},"75lMjdJtq9APebTaF2hQ1b",[],{"nodeType":1388,"data":3399,"content":3403},{"target":3400},{"sys":3401},{"id":3402,"type":1393,"linkType":1394},"4KWwlg8PsuyAud8i5tpWfH",[],{"nodeType":1294,"data":3405,"content":3406},{},[3407,3411,3419,3423,3432],{"nodeType":1293,"value":3408,"marks":3409,"data":3410},"Another technique that attackers are using to steal credentials and sessions is ",[],{},{"nodeType":1350,"data":3412,"content":3414},{"uri":3413},"https://pushsecurity.com/blog/the-most-advanced-clickfix-yet",[3415],{"nodeType":1293,"value":1598,"marks":3416,"data":3418},[3417],{"type":1358},{},{"nodeType":1293,"value":3420,"marks":3421,"data":3422},". ClickFix was the ",[],{},{"nodeType":1350,"data":3424,"content":3426},{"uri":3425},"https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/msc/documents/presentations/CSR/Microsoft-Digital-Defense-Report-2025.pdf#page=36",[3427],{"nodeType":1293,"value":3428,"marks":3429,"data":3431},"top initial access vector detected by Microsoft last year",[3430],{"type":1358},{},{"nodeType":1293,"value":3433,"marks":3434,"data":3435},", involved in 47% of attacks. While not a traditional phishing attack, this sees attackers socially engineer users into running malicious code on their machine, typically deploying remote access tools and infostealer malware. Infostealers are then used to harvest credentials and cookies for initial access to various apps and services. 
",[],{},{"nodeType":1388,"data":3437,"content":3441},{"target":3438},{"sys":3439},{"id":3440,"type":1393,"linkType":1394},"4cC9GbPoKFmYUJgbkbeOLs",[],{"nodeType":1294,"data":3443,"content":3444},{},[3445,3449,3458],{"nodeType":1293,"value":3446,"marks":3447,"data":3448},"Push Security researchers have also discovered a brand new technique dubbed ",[],{},{"nodeType":1350,"data":3450,"content":3452},{"uri":3451},"https://pushsecurity.com/blog/consentfix",[3453],{"nodeType":1293,"value":3454,"marks":3455,"data":3457},"ConsentFix",[3456],{"type":1358},{},{"nodeType":1293,"value":3459,"marks":3460,"data":3461}," — a browser-native version of ClickFix that results in an OAuth connection being established to the target app, simply by copying and pasting a legitimate URL containing OAuth key material. ",[],{},{"nodeType":1388,"data":3463,"content":3467},{"target":3464},{"sys":3465},{"id":3466,"type":1393,"linkType":1394},"4bdqleePd53oK5v5uEUFbr",[],{"nodeType":1294,"data":3469,"content":3470},{},[3471],{"nodeType":1293,"value":3472,"marks":3473,"data":3474},"This is even more dangerous than ClickFix as it is entirely browser-native — removing the endpoint detection surface (and strong security controls like EDR) from the equation entirely. And in the particular case spotted by Push, the attackers targeted Azure CLI — a first-party Microsoft app that has special permissions and can’t be restricted like third-party apps. ",[],{},{"nodeType":1294,"data":3476,"content":3477},{},[3478],{"nodeType":1293,"value":3479,"marks":3480,"data":3481},"Really, there are lots of different techniques attackers can use to take over accounts on key business applications — it’s outdated to think of phishing as being locked in to passwords, MFA, and the standard authentication flow. 
",[],{},{"nodeType":1388,"data":3483,"content":3487},{"target":3484},{"sys":3485},{"id":3486,"type":1393,"linkType":1394},"74S97KkuFzI48UwXw3msTq",[],{"nodeType":1429,"data":3489,"content":3490},{},[],{"nodeType":1433,"data":3492,"content":3493},{},[3494],{"nodeType":1293,"value":3495,"marks":3496,"data":3498},"Guidance for security teams in 2026",[3497],{"type":1440},{},{"nodeType":1294,"data":3500,"content":3501},{},[3502],{"nodeType":1293,"value":3503,"marks":3504,"data":3505},"To tackle phishing in 2026, security teams need to change their threat model for phishing, and acknowledge that:",[],{},{"nodeType":1335,"data":3507,"content":3508},{},[3509,3519,3529],{"nodeType":1339,"data":3510,"content":3511},{},[3512],{"nodeType":1294,"data":3513,"content":3514},{},[3515],{"nodeType":1293,"value":3516,"marks":3517,"data":3518},"It’s not enough to protect email as your main anti-phishing surface",[],{},{"nodeType":1339,"data":3520,"content":3521},{},[3522],{"nodeType":1294,"data":3523,"content":3524},{},[3525],{"nodeType":1293,"value":3526,"marks":3527,"data":3528},"Network and traffic monitoring tools aren’t keeping up with modern phishing pages",[],{},{"nodeType":1339,"data":3530,"content":3531},{},[3532],{"nodeType":1294,"data":3533,"content":3534},{},[3535],{"nodeType":1293,"value":3536,"marks":3537,"data":3538},"Phishing-resistant authentication, even if perfectly implemented, doesn’t make you immune",[],{},{"nodeType":1294,"data":3540,"content":3541},{},[3542],{"nodeType":1293,"value":3543,"marks":3544,"data":3545},"Detection and response is key. 
But most organizations have significant visibility gaps.",[],{},{"nodeType":1429,"data":3547,"content":3548},{},[],{"nodeType":1433,"data":3550,"content":3551},{},[3552],{"nodeType":1293,"value":3553,"marks":3554,"data":3556},"Solving the detection gap in the browser",[3555],{"type":1440},{},{"nodeType":1294,"data":3558,"content":3559},{},[3560],{"nodeType":1293,"value":3561,"marks":3562,"data":3563},"One thing that these attacks have in common is that they all take place in the web browser, targeting users as they go about their work on the internet. That makes it the perfect place to detect and respond to these attacks. But right now, the browser is a blind-spot for most security teams.",[],{},{"nodeType":1294,"data":3565,"content":3566},{},[3567],{"nodeType":1293,"value":3568,"marks":3569,"data":3570},"Push Security’s browser-based security platform provides comprehensive detection and response capabilities against the leading cause of breaches. Push blocks browser-based attacks like AiTM phishing, credential stuffing, malicious browser extensions, ClickFix, and session hijacking. 
You don’t need to wait until it all goes wrong — you can also use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, and more to harden your identity attack surface.",[],{},{"nodeType":1294,"data":3572,"content":3573},{},[3574,3577,3584,3587,3594],{"nodeType":1293,"value":1695,"marks":3575,"data":3576},[],{},{"nodeType":1350,"data":3578,"content":3579},{"uri":1700},[3580],{"nodeType":1293,"value":1703,"marks":3581,"data":3583},[3582],{"type":1358},{},{"nodeType":1293,"value":1708,"marks":3585,"data":3586},[],{},{"nodeType":1350,"data":3588,"content":3589},{"uri":1713},[3590],{"nodeType":1293,"value":1716,"marks":3591,"data":3593},[3592],{"type":1358},{},{"nodeType":1293,"value":1721,"marks":3595,"data":3596},[],{},{"nodeType":1388,"data":3598,"content":3602},{"target":3599},{"sys":3600},{"id":3601,"type":1393,"linkType":1394},"6QzB0BlVC5mstXwXHvy2c3",[],{"nodeType":1294,"data":3604,"content":3605},{},[3606],{"nodeType":1293,"value":37,"marks":3607,"data":3608},[],{},"2025’s top phishing trends — and what they mean for your 2026 security strategy","Analysing the key trends that defined phishing attacks in 2025, and what these changes mean for security teams heading into 2026. 
","2025-12-15T00:00:00.000Z","2025-top-phishing-trends",{"items":3614},[3615,3617],{"sys":3616,"name":1309},{"id":1308},{"sys":3618,"name":1305},{"id":1304},{"items":3620},[3621],{"fullName":1955,"firstName":1956,"jobTitle":1957,"profilePicture":3622},{"url":1959},{"items":3624},[3625],{"fullName":1955,"firstName":1956,"jobTitle":1957,"profilePicture":3626},{"url":1959},{"json":3628,"links":4102},{"nodeType":1295,"data":3629,"content":3630},{},[3631,3638,3644,3706,3709,3716,3722,3728,3735,3742,3745,3753,3769,3775,3782,3849,3856,3862,3869,3875,3878,3886,3893,3900,3907,3914,3920,3923,3931,3938,3945,3952,3981,3988,3994,3997,4005,4012,4019,4026,4029,4037,4044,4051,4057,4063,4090,4096],{"nodeType":1294,"data":3632,"content":3633},{},[3634],{"nodeType":1293,"value":3635,"marks":3636,"data":3637},"In recent months, we’ve seen a significant increase in the number of attacks targeting ad manager accounts. These attacks range from phishing campaigns against marketing professionals to malicious sites impersonating legitimate marketing tools — ultimately serving up an Attacker-in-the-Middle (AITM) phishing page designed to steal the victim’s Google account. 
",[],{},{"nodeType":1294,"data":3639,"content":3640},{},[3641],{"nodeType":1293,"value":1331,"marks":3642,"data":3643},[],{},{"nodeType":1335,"data":3645,"content":3646},{},[3647,3666,3685],{"nodeType":1339,"data":3648,"content":3649},{},[3650],{"nodeType":1294,"data":3651,"content":3652},{},[3653,3656,3663],{"nodeType":1293,"value":1346,"marks":3654,"data":3655},[],{},{"nodeType":1350,"data":3657,"content":3658},{"uri":1352},[3659],{"nodeType":1293,"value":1355,"marks":3660,"data":3662},[3661],{"type":1358},{},{"nodeType":1293,"value":1361,"marks":3664,"data":3665},[],{},{"nodeType":1339,"data":3667,"content":3668},{},[3669],{"nodeType":1294,"data":3670,"content":3671},{},[3672,3675,3682],{"nodeType":1293,"value":1371,"marks":3673,"data":3674},[],{},{"nodeType":1350,"data":3676,"content":3677},{"uri":1376},[3678],{"nodeType":1293,"value":1379,"marks":3679,"data":3681},[3680],{"type":1358},{},{"nodeType":1293,"value":1384,"marks":3683,"data":3684},[],{},{"nodeType":1339,"data":3686,"content":3687},{},[3688],{"nodeType":1294,"data":3689,"content":3690},{},[3691,3695,3703],{"nodeType":1293,"value":3692,"marks":3693,"data":3694},"A continuation of the Google Ads malvertising campaign, ",[],{},{"nodeType":1350,"data":3696,"content":3698},{"uri":3697},"https://pushsecurity.com/blog/google-search-malvertising-campaign-continues-now-impersonating-ahrefs",[3699],{"nodeType":1293,"value":3700,"marks":3701,"data":3702},"this time impersonating 
Ahrefs",[],{},{"nodeType":1293,"value":1502,"marks":3704,"data":3705},[],{},{"nodeType":1429,"data":3707,"content":3708},{},[],{"nodeType":1433,"data":3710,"content":3711},{},[3712],{"nodeType":1293,"value":1512,"marks":3713,"data":3715},[3714],{"type":1440},{},{"nodeType":1294,"data":3717,"content":3718},{},[3719],{"nodeType":1293,"value":1520,"marks":3720,"data":3721},[],{},{"nodeType":1294,"data":3723,"content":3724},{},[3725],{"nodeType":1293,"value":1527,"marks":3726,"data":3727},[],{},{"nodeType":1294,"data":3729,"content":3730},{},[3731],{"nodeType":1293,"value":3732,"marks":3733,"data":3734},"A hijacked Google Ad Manager account gives attackers access to significant ad spend and account data which can be monetized. The tactics range from stealthy ad fraud to overt abuse like malicious ads or extortion schemes.",[],{},{"nodeType":1294,"data":3736,"content":3737},{},[3738],{"nodeType":1293,"value":3739,"marks":3740,"data":3741},"Here’s how attackers can profit from a compromised ad manager account — and how it impacts your business. ",[],{},{"nodeType":1429,"data":3743,"content":3744},{},[],{"nodeType":2142,"data":3746,"content":3747},{},[3748],{"nodeType":1293,"value":3749,"marks":3750,"data":3752},"Malvertising",[3751],{"type":1440},{},{"nodeType":1294,"data":3754,"content":3755},{},[3756,3760,3765],{"nodeType":1293,"value":3757,"marks":3758,"data":3759},"Arguably the most dangerous use of a compromised ad manager account is to conduct ",[],{},{"nodeType":1293,"value":3761,"marks":3762,"data":3764},"malvertising",[3763],{"type":1440},{},{"nodeType":1293,"value":3766,"marks":3767,"data":3768}," – inserting malicious ads or redirects in place of legitimate advertisements. 
",[],{},{"nodeType":1294,"data":3770,"content":3771},{},[3772],{"nodeType":1293,"value":1583,"marks":3773,"data":3774},[],{},{"nodeType":1294,"data":3776,"content":3777},{},[3778],{"nodeType":1293,"value":3779,"marks":3780,"data":3781},"The goal here is usually to compromise more devices and accounts, via:",[],{},{"nodeType":1335,"data":3783,"content":3784},{},[3785,3795,3805,3839],{"nodeType":1339,"data":3786,"content":3787},{},[3788],{"nodeType":1294,"data":3789,"content":3790},{},[3791],{"nodeType":1293,"value":3792,"marks":3793,"data":3794},"AITM phishing sites looking to hijack sessions on valuable accounts — usually enterprise SSO accounts such as Google or Microsoft, but also many high-value SaaS services, as well as logins for banking and cryptocurrency sites. ",[],{},{"nodeType":1339,"data":3796,"content":3797},{},[3798],{"nodeType":1294,"data":3799,"content":3800},{},[3801],{"nodeType":1293,"value":3802,"marks":3803,"data":3804},"Deploying infostealer malware, harvesting credentials and user sessions from the compromised device to enable broad access to apps via compromised accounts. 
",[],{},{"nodeType":1339,"data":3806,"content":3807},{},[3808],{"nodeType":1294,"data":3809,"content":3810},{},[3811,3815,3822,3826,3835],{"nodeType":1293,"value":3812,"marks":3813,"data":3814},"Running ",[],{},{"nodeType":1350,"data":3816,"content":3817},{"uri":1595},[3818],{"nodeType":1293,"value":1598,"marks":3819,"data":3821},[3820],{"type":1358},{},{"nodeType":1293,"value":3823,"marks":3824,"data":3825},"-style social engineering scams prompting users to perform a malicious action (typically running code on their device, although a new browser-native version of this attack in the form of ",[],{},{"nodeType":1350,"data":3827,"content":3829},{"uri":3828},"https://pushsecurity.com/blog/consentfix/",[3830],{"nodeType":1293,"value":3831,"marks":3832,"data":3834},"ConsentFix ",[3833],{"type":1358},{},{"nodeType":1293,"value":3836,"marks":3837,"data":3838},"was recently discovered by Push researchers).",[],{},{"nodeType":1339,"data":3840,"content":3841},{},[3842],{"nodeType":1294,"data":3843,"content":3844},{},[3845],{"nodeType":1293,"value":3846,"marks":3847,"data":3848},"Infecting machines with malicious software to siphon compute power for cryptomining or to add the device to a botnet used in DDoS attacks. ",[],{},{"nodeType":1294,"data":3850,"content":3851},{},[3852],{"nodeType":1293,"value":3853,"marks":3854,"data":3855},"Harvested data can be used by the attacker directly to conduct cyber attacks, but is more commonly sold on to other criminals further up the supply chain. So, attackers are using compromised ad accounts to take over more accounts used to manage ads, to take over even more accounts… You can see how this can quickly snowball into something hugely profitable for attackers. 
",[],{},{"nodeType":1388,"data":3857,"content":3861},{"target":3858},{"sys":3859},{"id":3860,"type":1393,"linkType":1394},"1Ji0oUqCZvgmQIT2VWNgjQ",[],{"nodeType":1294,"data":3863,"content":3864},{},[3865],{"nodeType":1293,"value":3866,"marks":3867,"data":3868},"Malvertising scams don’t just target ad manager accounts either. They can be found targeting all manner of sites. But all malvertising scams are underpinned by ad spending — so it makes sense that attackers are looking to harvest account access and make use of the pre-allocated marketing spend of their victims. ",[],{},{"nodeType":1388,"data":3870,"content":3874},{"target":3871},{"sys":3872},{"id":3873,"type":1393,"linkType":1394},"7qpSbkJxLeo7zD400cvQyv",[],{"nodeType":1429,"data":3876,"content":3877},{},[],{"nodeType":2142,"data":3879,"content":3880},{},[3881],{"nodeType":1293,"value":3882,"marks":3883,"data":3885},"Ad fraud",[3884],{"type":1440},{},{"nodeType":1294,"data":3887,"content":3888},{},[3889],{"nodeType":1293,"value":3890,"marks":3891,"data":3892},"One of the most common motives for hacking ad accounts is ad fraud – generating fake ad impressions or clicks to illicitly collect advertising revenue. By hijacking a Google Ad Manager account, criminals can direct the account’s ad spend to their own fraudulent web pages.",[],{},{"nodeType":1294,"data":3894,"content":3895},{},[3896],{"nodeType":1293,"value":3897,"marks":3898,"data":3899},"When a Google Ads/Ad Manager account is compromised, attackers can create new campaigns or modify existing ones. 
By directing traffic to websites the criminals control (often low quality sites made specifically for advertising) the victim’s ad budget can be funnelled into the attackers’ pockets as ad revenue.",[],{},{"nodeType":1294,"data":3901,"content":3902},{},[3903],{"nodeType":1293,"value":3904,"marks":3905,"data":3906},"The hijacked ad accounts provide a means to introduce fraudulent traffic into legitimate ad ecosystems, often escaping immediate detection thanks to the account’s established trust or high spending thresholds. For example, a compromised account with a large budget can run thousands of ads pointing to fraudulent sites before being flagged. ",[],{},{"nodeType":1294,"data":3908,"content":3909},{},[3910],{"nodeType":1293,"value":3911,"marks":3912,"data":3913},"This is often abused as a channel for money laundering. An attacker can inject dirty money into the ad ecosystem (for example, using a compromised advertiser account’s billing) and then receive clean money out the other end (as payments to a publisher or ad partner account they control). ",[],{},{"nodeType":1388,"data":3915,"content":3919},{"target":3916},{"sys":3917},{"id":3918,"type":1393,"linkType":1394},"21ryRzAB91llJXOVlkdiv5",[],{"nodeType":1429,"data":3921,"content":3922},{},[],{"nodeType":2142,"data":3924,"content":3925},{},[3926],{"nodeType":1293,"value":3927,"marks":3928,"data":3930},"Selling or sharing access with other criminal groups ",[3929],{"type":1440},{},{"nodeType":1294,"data":3932,"content":3933},{},[3934],{"nodeType":1293,"value":3935,"marks":3936,"data":3937},"Stolen advertising accounts themselves have become a commodity in the underground economy. Instead of (or in addition to) exploiting the account personally, a hacker might sell access to the compromised Ad Manager account on criminal forums. 
",[],{},{"nodeType":1294,"data":3939,"content":3940},{},[3941],{"nodeType":1293,"value":3942,"marks":3943,"data":3944},"There is strong demand for reputable ad accounts because they come with advantages: high spending limits, established credit card billing, a history of compliance (making them less likely to be flagged by Google’s fraud detection), and existing relationships with ad networks or clients. In other words, a hijacked account is a ready-made vehicle for anyone looking to run malicious ad campaigns without going through the usual vetting.",[],{},{"nodeType":1294,"data":3946,"content":3947},{},[3948],{"nodeType":1293,"value":3949,"marks":3950,"data":3951},"Access to a Google Ads account (especially one with a good track record or high credit threshold) can fetch a significant price in criminal markets. Compromised Google ad accounts have shown up for sale on hacker forums and darknet markets, often advertised with details like the account’s age, billing history, or spend limit. For example, a hacker on one forum might sell or rent a “2-year-old Google Ads account with $50k monthly spend history” for a price commensurate with its potential yield.",[],{},{"nodeType":1294,"data":3953,"content":3954},{},[3955,3959,3968,3972,3977],{"nodeType":1293,"value":3956,"marks":3957,"data":3958},"The previously mentioned ",[],{},{"nodeType":1350,"data":3960,"content":3962},{"uri":3961},"https://cloud.google.com/blog/topics/threat-intelligence/vietnamese-actors-fake-job-posting-campaigns",[3963],{"nodeType":1293,"value":3964,"marks":3965,"data":3967},"Vietnamese threat group",[3966],{"type":1358},{},{"nodeType":1293,"value":3969,"marks":3970,"data":3971}," would ",[],{},{"nodeType":1293,"value":3973,"marks":3974,"data":3976},"“either sell ads to other actors, or sell the accounts themselves to other actors to monetize”",[3975],{"type":1440},{},{"nodeType":1293,"value":3978,"marks":3979,"data":3980},". 
This means an attacker could use a compromised account as a platform to sell fraudulent ad placements (e.g. “pay us and we’ll run your ads via this legitimate account for X days”). If not, they just sell the whole account login to the highest bidder.",[],{},{"nodeType":1294,"data":3982,"content":3983},{},[3984],{"nodeType":1293,"value":3985,"marks":3986,"data":3987},"It’s worth noting that a Google Ad Manager account is also an enterprise SSO account that can be used to access broader Google Workspace services, and any SaaS apps accessible via SSO. ",[],{},{"nodeType":1388,"data":3989,"content":3993},{"target":3990},{"sys":3991},{"id":3992,"type":1393,"linkType":1394},"1RrDk0VMWNGwPPEc8wIZWM",[],{"nodeType":1429,"data":3995,"content":3996},{},[],{"nodeType":2142,"data":3998,"content":3999},{},[4000],{"nodeType":1293,"value":4001,"marks":4002,"data":4004},"Data theft and extortion",[4003],{"type":1440},{},{"nodeType":1294,"data":4006,"content":4007},{},[4008],{"nodeType":1293,"value":4009,"marks":4010,"data":4011},"Most ad accounts contain valuable data – like audience lists, conversion data, or payment info. Attackers could exfiltrate this data and extort the victim by threatening to leak it or sell it (though this borders on a data breach scenario, it’s another way to extort via an ad account hack, especially for large advertising agencies handling many clients’ data).",[],{},{"nodeType":1294,"data":4013,"content":4014},{},[4015],{"nodeType":1293,"value":4016,"marks":4017,"data":4018},"An attacker might also threaten to manipulate the account in ways that hurt the victim financially. For instance, they could create fake campaigns that burn through the budget on useless traffic (driving up costs with nothing to show, or even causing overcharges). They could also threaten to click-bomb the victim’s ads (if it’s an advertiser account) so that Google’s systems detect invalid activity and suspend the account. 
",[],{},{"nodeType":1294,"data":4020,"content":4021},{},[4022],{"nodeType":1293,"value":4023,"marks":4024,"data":4025},"For the victim, the cost of reputational damage or lost advertising time can far exceed the ransom demand, which is why some might contemplate paying. A large brand could lose consumer confidence or partner relationships if their ads serve malware for even a short time. Agencies managing several client ad accounts could face client complaints and legal liability if an attack spreads offensive ads via their accounts – such agencies have noted the “serious financial threats” and client dissatisfaction resulting from ad account breaches.",[],{},{"nodeType":1429,"data":4027,"content":4028},{},[],{"nodeType":1433,"data":4030,"content":4031},{},[4032],{"nodeType":1293,"value":4033,"marks":4034,"data":4036},"Conclusion",[4035],{"type":1440},{},{"nodeType":1294,"data":4038,"content":4039},{},[4040],{"nodeType":1293,"value":4041,"marks":4042,"data":4043},"Pretty much every enterprise today advertises their services via Google Ads — this makes attacks on these accounts a near-universal problem. Agencies managing numerous client accounts are put further at risk. For example, if an attacker can compromise an MCC account (used to manage several ad accounts) they get full access to the agency’s customer portfolio. ",[],{},{"nodeType":1294,"data":4045,"content":4046},{},[4047],{"nodeType":1293,"value":4048,"marks":4049,"data":4050},"Organisations need to be on guard against both attacks on accounts used to manage ads, and malvertising in general — which is an incredibly prevalent threat and one of the top delivery vectors for phishing attacks today. Malvertising attacks delivered over channels like Google Search are an effective way for attackers to catch victims unawares while also evading anti-phishing controls, which are typically email-based. 
",[],{},{"nodeType":1294,"data":4052,"content":4053},{},[4054],{"nodeType":1293,"value":1649,"marks":4055,"data":4056},[],{},{"nodeType":1388,"data":4058,"content":4062},{"target":4059},{"sys":4060},{"id":4061,"type":1393,"linkType":1394},"3VJGhlTaAAOyJckK2yUfZd",[],{"nodeType":1294,"data":4064,"content":4065},{},[4066,4070,4077,4080,4087],{"nodeType":1293,"value":4067,"marks":4068,"data":4069},"To learn more about how Push tackles browser-based threats, ",[],{},{"nodeType":1350,"data":4071,"content":4072},{"uri":1700},[4073],{"nodeType":1293,"value":1703,"marks":4074,"data":4076},[4075],{"type":1358},{},{"nodeType":1293,"value":1708,"marks":4078,"data":4079},[],{},{"nodeType":1350,"data":4081,"content":4082},{"uri":1713},[4083],{"nodeType":1293,"value":1716,"marks":4084,"data":4086},[4085],{"type":1358},{},{"nodeType":1293,"value":1721,"marks":4088,"data":4089},[],{},{"nodeType":1388,"data":4091,"content":4095},{"target":4092},{"sys":4093},{"id":4094,"type":1393,"linkType":1394},"4D7zpYAc1tTEAmn2hpkWPe",[],{"nodeType":1294,"data":4097,"content":4098},{},[4099],{"nodeType":1293,"value":37,"marks":4100,"data":4101},[],{},{"entries":4103},{"hyperlink":4104,"inline":4105,"block":4106},[],[],[4107,4116,4131,4209,4243,4256],{"sys":4108,"__typename":4109,"title":4110,"caption":4111,"layoutMode":118,"file":4112},{"id":3860},"Image","Propagation of malvertising","It’s easy to see how malicious ads can propagate and turn into more malicious ads, leading to more campaigns impersonating more brands, more account compromises, and so on. 
",{"url":4113,"width":4114,"height":4115},"https://images.ctfassets.net/y1cdw1ablpvd/3iUNORa8hHXi68kZAsFxi8/1a742458ae768bc14a1ba1f6cf26de41/image1.png",1999,1125,{"sys":4117,"__typename":4118,"content":4119,"name":4130,"title":118},{"id":3873},"InsightTextBlockComponent",{"json":4120},{"nodeType":1295,"data":4121,"content":4122},{},[4123],{"nodeType":1294,"data":4124,"content":4125},{},[4126],{"nodeType":1293,"value":4127,"marks":4128,"data":4129},"Large enterprises spend vast amounts on Google Ads, often starting at $20,000+ per month, with major brands sometimes spending $40 to $50 million annually, depending heavily on their competitive industry. So, there’s a lot to play with for an attacker — and it might be some time before a discrepancy is noticed by the victim. ",[],{},"Malvertising insight box 4",{"sys":4132,"__typename":4118,"content":4133,"name":4208,"title":118},{"id":3918},{"json":4134},{"nodeType":1295,"data":4135,"content":4136},{},[4137,4165],{"nodeType":1294,"data":4138,"content":4139},{},[4140,4144,4152,4156,4161],{"nodeType":1293,"value":4141,"marks":4142,"data":4143},"In late 2025, agencies noticed a surge of Google Ads account takeovers where hackers ran unauthorized campaigns until budgets were exhausted. ",[],{},{"nodeType":1350,"data":4145,"content":4146},{"uri":3961},[4147],{"nodeType":1293,"value":4148,"marks":4149,"data":4151},"Google’s Threat Analysis Group found a cluster of Vietnamese actors",[4150],{"type":1358},{},{"nodeType":1293,"value":4153,"marks":4154,"data":4155}," who hijacked marketing accounts to ",[],{},{"nodeType":1293,"value":4157,"marks":4158,"data":4160},"“either sell ads to other actors, or sell the accounts themselves”",[4159],{"type":1440},{},{"nodeType":1293,"value":4162,"marks":4163,"data":4164}," for profit. 
",[],{},{"nodeType":1294,"data":4166,"content":4167},{},[4168,4172,4181,4185,4194,4198,4205],{"nodeType":1293,"value":4169,"marks":4170,"data":4171},"Similarly, in a series of attacks, companies managing ads ",[],{},{"nodeType":1350,"data":4173,"content":4175},{"uri":4174},"https://www.adexchanger.com/online-advertising/people-managing-google-ad-campaigns-are-getting-their-accounts-seized-by-scammers/",[4176],{"nodeType":1293,"value":4177,"marks":4178,"data":4180},"reported that their accounts had been hacked as early as January 2025",[4179],{"type":1358},{},{"nodeType":1293,"value":4182,"marks":4183,"data":4184},". Malwarebytes linked these attacks to ",[],{},{"nodeType":1350,"data":4186,"content":4188},{"uri":4187},"https://www.malwarebytes.com/blog/news/2025/01/the-great-google-ads-heist-criminals-ransack-advertiser-accounts-via-fake-google-ads",[4189],{"nodeType":1293,"value":4190,"marks":4191,"data":4193},"South American scam operations",[4192],{"type":1358},{},{"nodeType":1293,"value":4195,"marks":4196,"data":4197}," — likely the same group behind ",[],{},{"nodeType":1350,"data":4199,"content":4200},{"uri":3697},[4201],{"nodeType":1293,"value":4202,"marks":4203,"data":4204},"the attacks we recently identified",[],{},{"nodeType":1293,"value":1502,"marks":4206,"data":4207},[],{},"Malvertising insight box 1",{"sys":4210,"__typename":4118,"content":4211,"name":4242,"title":118},{"id":3992},{"json":4212},{"data":4213,"content":4214,"nodeType":1295},{},[4215],{"data":4216,"content":4217,"nodeType":1294},{},[4218,4222,4227,4237],{"data":4219,"marks":4220,"value":4221,"nodeType":1293},{},[],"Even if the victim isn’t predominantly a Google shop, a Google account using the same email as a different identity provider account (e.g. Microsoft) can still be used to access downstream apps via SSO. 
This is because most apps use the email itself as the identifier, while 3 in 5 allow you to access an account using a new login method without doing any further verification checks. ",{"data":4223,"marks":4224,"value":4226,"nodeType":1293},{},[4225],{"type":1440},"Read our ",{"data":4228,"content":4230,"nodeType":1350},{"uri":4229},"https://pushsecurity.com/blog/cross-idp-impersonation/",[4231],{"data":4232,"marks":4233,"value":4236,"nodeType":1293},{},[4234,4235],{"type":1358},{"type":1440},"blog post on cross-IdP impersonation",{"data":4238,"marks":4239,"value":4241,"nodeType":1293},{},[4240],{"type":1440}," for more information. ","Malvertising insight box 2",{"sys":4244,"__typename":4118,"content":4245,"name":4255,"title":118},{"id":4061},{"json":4246},{"nodeType":1295,"data":4247,"content":4248},{},[4249],{"nodeType":1294,"data":4250,"content":4251},{},[4252],{"nodeType":1293,"value":1656,"marks":4253,"data":4254},[],{},"Malvertising insight box 3",{"sys":4257,"__typename":4258,"type":4259,"ctaText":4260,"buttonLabel":4261,"buttonColour":4262,"buttonUrl":4263},{"id":4094},"CtaWidget","Custom","Want to see how security controls match up with modern browser-based attacks? Register for our upcoming webinar for an interactive walkthrough.","Register Now","sunny orange","https://pushsecurity.com/webinar/investigating-browser-threats","content:blog:cyber-criminal-ecosystem-analysis.json","json","content","blog/cyber-criminal-ecosystem-analysis.json","blog/cyber-criminal-ecosystem-analysis",1776359982066]