[{"data":1,"prerenderedAt":4056},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":95,"navbar-about-highlight":155,"navbar-resource-highlight":211,"use-case-page":256,"blog/ghost-logins-when-forgotten-identities-come-back-to-haunt-you":1276},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8,59,76],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":14,"data":15,"variations":50,"lastUpdated":51,"firstPublished":52,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":54,"meta":55,"rev":58},1742213002749,"efff2a27faf4408e9f908eba4b5542fe","inductive-automation","1c6207a5f24948ab82d4a0b17f251193","published",[],{"testimonial":16,"description":43,"type":19,"link":44,"title":47,"testimonialLink":48,"image":49},{"@type":17,"id":18,"model":19,"value":20},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79","testimonial",{"query":21,"folders":22,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":26,"variations":30,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":35,"rev":42},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":27,"jobTitle":28,"quote":24,"image":29},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,1,"ST0tXQM8slWpFrmioqKHmENB2qe2",{"kind":36,"lastPreviewUrl":37,"breakpoints":38,"hasAutosaves":41},"data","",{"small":39,"medium":40},640,768,true,"3v32gocrrqz","Join the industry's top security minds as they break down the browser attack landscape.",{"url":45,"text":46},"https://pushsecurity.com/webinar/state-of-browser-security","Save Your Spot","State of Browser Attacks Series","/customer-stories/inductive-automation","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe94fca10aa7b46ac8052b7ea22de54cd",{},1776257019270,1742221533648,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2",[],{"breakpoints":56,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},320,"motto9r9yg",{"createdDate":60,"id":61,"name":62,"modelId":12,"published":13,"query":63,"data":64,"variations":69,"lastUpdated":70,"firstPublished":71,"testRatio":33,"createdBy":53,"lastUpdatedBy":72,"folders":73,"meta":74,"rev":58},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner",[],{"type":65,"url":66,"text":67,"link":68},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,"jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":36,"lastPreviewUrl":37,"breakpoints":75,"hasAutosaves":41},{"xsmall":57,"small":39,"medium":40},{"createdDate":77,"id":78,"name":79,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":80,"data":81,"variations":89,"lastUpdated":90,"firstPublished":91,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":92,"meta":93,"rev":58},1742208469288,"6763051b201f44a0838c6400c580ca67","Resource highlight",[],{"image":82,"type":83,"description":84,"link":85,"title":88},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9","resource","Learn about the latest techniques being used in the wild.",{"url":86,"text":87},"/resources/browser-attacks-report","Download now","Report: 2026 Browser Attack Techniques",{},1776255866789,1742208570400,[],{"kind":36,"lastPreviewUrl":37,"breakpoints":94,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},{"createdDate":96,"id":97,"name":98,"modelId":99,"published":13,"query":100,"data":101,"variations":145,"lastUpdated":146,"firstPublished":147,"testRatio":33,"createdBy":34,"lastUpdatedBy":148,"folders":149,"meta":150,"rev":154},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":102,"text":103,"url":37,"blocks":104,"state":141},"ewrererw","testrfesssssssssss",[105,129],{"@type":106,"@version":107,"id":108,"component":109,"responsiveStyles":119},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":110,"tag":110,"options":111,"isRSC":118},"TopBannerContent",{"text":112,"ctaText":46,"url":45,"mainText":113,"cta":116},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks",{"content":114,"fontSize":115},"\u003Cp>New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks\u003C/p>","text-base",{"content":117,"fontSize":115,"url":45},"\u003Cp>\u003Cstrong style=\"font-weight:700;\">Save Your Spot\u003C/strong>\u003C/p>\n",null,{"large":120},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"marginTop":126,"marginBottom":126,"fontSize":127,"fontWeight":128},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"id":130,"@type":106,"tagName":131,"properties":132,"responsiveStyles":136},"builder-pixel-08zrjigffq5t","img",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":137},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},"block","hidden","none",{"deviceSize":142,"location":143},"large",{"path":37,"query":144},{},{},1775137295127,1774968080803,"ax7YYfD0OCeqT1Vxxv1G4FUbqVr1",[],{"breakpoints":151,"hasLinks":6,"kind":152,"lastPreviewUrl":153,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests%2CmergePullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default","2lvuonnywj",[156,180],{"createdDate":157,"id":158,"name":159,"modelId":160,"published":13,"stageModifiedSincePublish":6,"query":161,"data":162,"variations":173,"lastUpdated":174,"firstPublished":175,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":176,"meta":177,"rev":179},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":163,"type":19,"testimonialLink":48,"testimonial":164},{},{"@type":17,"id":18,"model":19,"value":165},{"query":166,"folders":167,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":168,"variations":169,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":170,"rev":172},[],[],{"author":27,"jobTitle":28,"quote":24,"image":29},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":171,"hasAutosaves":41},{"small":39,"medium":40},"7t755zfvte3",{},1776247404986,1776247404973,[],{"breakpoints":178,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"4moh0qpywtr",{"createdDate":181,"id":182,"name":88,"modelId":160,"published":13,"meta":183,"stageModifiedSincePublish":6,"query":185,"data":186,"variations":207,"lastUpdated":208,"firstPublished":209,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":210,"rev":179},1776255761419,"05a9322735fc427db12e2740e4302300",{"breakpoints":184,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[],{"testimonial":187,"link":206,"type":83,"title":88,"description":84,"image":82},{"@type":17,"id":188,"model":19,"value":189},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":190,"folders":191,"createdDate":192,"id":188,"name":193,"modelId":25,"published":13,"data":194,"variations":200,"lastUpdated":201,"firstPublished":202,"testRatio":33,"createdBy":34,"lastUpdatedBy":53,"meta":203,"rev":205},[],[],1728981467463,"Push does for identity what CrowdStrike did for the endpoint",{"video":195,"jobTitle":196,"author":197,"qoute":37,"quote":198,"image":199},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":36,"lastPreviewUrl":37,"breakpoints":204,"hasAutosaves":41},{"small":39,"medium":40},"6s8ic0w0ao6",{"text":87,"url":86},{},1776255810913,1776255810900,[],[212,235],{"createdDate":213,"id":214,"name":88,"modelId":215,"published":13,"meta":216,"stageModifiedSincePublish":6,"query":218,"data":219,"variations":230,"lastUpdated":231,"firstPublished":232,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":233,"rev":234},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":217,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[],{"testimonial":220,"link":229,"type":83,"title":88,"description":84,"image":82},{"@type":17,"id":188,"model":19,"value":221},{"query":222,"folders":223,"createdDate":192,"id":188,"name":193,"modelId":25,"published":13,"data":224,"variations":225,"lastUpdated":201,"firstPublished":202,"testRatio":33,"createdBy":34,"lastUpdatedBy":53,"meta":226,"rev":228},[],[],{"video":195,"jobTitle":196,"author":197,"qoute":37,"quote":198,"image":199},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":227,"hasAutosaves":41},{"small":39,"medium":40},"r77qqueuo3j",{"text":87,"url":86},{},1776256937553,1776256937540,[],"q0jkez80wkg",{"createdDate":236,"id":237,"name":11,"modelId":215,"published":13,"stageModifiedSincePublish":6,"query":238,"data":239,"variations":250,"lastUpdated":251,"firstPublished":252,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":253,"meta":254,"rev":234},1776256949234,"ce043785b71b4ece98eac811ecf4ba10",[],{"link":240,"type":19,"testimonial":241,"testimonialLink":48},{},{"@type":17,"id":18,"model":19,"value":242},{"query":243,"folders":244,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":245,"variations":246,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":247,"rev":249},[],[],{"author":27,"jobTitle":28,"quote":24,"image":29},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":248,"hasAutosaves":41},{"small":39,"medium":40},"mnaneamy308",{},1776256974140,1776256974130,[],{"breakpoints":255,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[257,441,560,679,797,917,1037,1157],{"createdDate":258,"id":259,"name":260,"modelId":261,"published":13,"stageModifiedSincePublish":6,"query":262,"data":268,"variations":429,"lastUpdated":430,"firstPublished":431,"testRatio":33,"screenshot":432,"createdBy":34,"lastUpdatedBy":433,"folders":434,"meta":435,"rev":440},1744829487099,"387451215c314dd5bd654668cdc1a197","Zero-day phishing","cca4143377554c5a9163cc203a8ed2ba",[263],{"@type":264,"property":265,"operator":266,"value":267},"@builder.io/core:Query","urlPath","is","/uc/zero-day-phishing-protection",{"inputs":269,"customFonts":270,"seoTitle":318,"title":318,"tsCode":37,"seoDescription":319,"fontAwesomeIcon":320,"jsCode":37,"blocks":321,"url":267,"state":426},[],[271],{"family":272,"kind":273,"version":274,"lastModified":275,"files":276,"category":295,"menu":296,"subsets":297,"variants":300},"DM Sans","webfonts#webfont","v14","2023-07-13",{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"800italic":285,"900italic":286,"700italic":287,"100italic":288,"italic":289,"regular":290,"200italic":291,"500italic":292,"300italic":293,"600italic":294},"https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAop1hTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwA_JxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAkJxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAfJthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwARZthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAC5thTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8gCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9uCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDG3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-7DW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat_XDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9XCm3zRmYJpso5.ttf","sans-serif","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxRT23z.ttf",[298,299],"latin","latin-ext",[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"100","200","300","regular","500","600","800","900","100italic","200italic","300italic","italic","500italic","600italic","700italic","800italic","900italic","Zero-day phishing protection","Detect phishing TTPs directly in the browser and stop credential theft.","faFishingRod",[322,421],{"@type":106,"@version":107,"tagName":323,"id":324,"children":325},"div","builder-76c6b8d1499346c7bc1fd56ae4e93638",[326,343,351,358,370,385,396,407,413],{"@type":106,"@version":107,"layerName":327,"id":328,"component":329,"responsiveStyles":340},"UseCaseHero","builder-5228fe062bef4a40a91e43f1112832fa",{"name":327,"options":330,"isRSC":118},{"title":318,"description":331,"points":332,"video":339},"\u003Cp>Push detects phishing as it happens. Autonomous agents hunt for new phishing techniques, identify kit signatures, and deploy detections within minutes of a new attack being analyzed. From cloned login pages to AiTM credential harvesting, Push sees what traditional filters miss and stops threats before they escalate.\u003C/p>",[333,335,337],{"item":334},"Detect phishing that bypasses traditional filters, including AiTM, SSO password theft, and fake login pages",{"item":336},"Stop never-before-seen attacks with AI-native behavioral and on-page analysis inside the browser",{"item":338},"Investigate faster with unified browser, user, and page context","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F40433ceeb4f94b43a82e039a0f4fd411%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=40433ceeb4f94b43a82e039a0f4fd411&alt=media&optimized=true",{"large":341},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},"transparent",{"@type":106,"@version":107,"id":344,"component":345,"responsiveStyles":348},"builder-96634044407e491299e291ed64669e39",{"name":346,"options":347,"isRSC":118},"TrustedBy",{"AllPartners":41,"backgroundTransparent":6},{"large":349},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},"#000",{"@type":106,"@version":107,"id":352,"component":353,"responsiveStyles":356},"builder-2c3768f930534557bb8978e32b6a6a0f",{"name":354,"options":355,"isRSC":118},"Diagonal",{"darkMode":41},{"large":357},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":359,"id":360,"component":361,"responsiveStyles":368},"TextImageBlockVertical","builder-7c3c1c2840424db2ad2ccbfaf382dd64",{"name":359,"tag":359,"options":362,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":365,"description":366,"animatedTitle":37,"image":367,"reverse":6,"descriptionPaddingHorizontal":118},1200,800,"\u003Ch2>Why stop at the inbox?\u003C/h2>","\u003Cp>Phishing attacks have evolved. Whether attackers lure users with QR codes, instant messages, or OAuth consent screens, the outcome is the same: it plays out in the browser. Push gives you real-time detection for in-browser threats, stopping phishing and consent-based attacks before they lead to compromise\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7fdcac241f0e4a049166d7076858adeb",{"large":369},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":371,"component":372,"responsiveStyles":380},"builder-41c978b3669749cf947e622b4e79e4d7",{"name":373,"options":374,"isRSC":118},"TextImageBlockHorizontal",{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":377,"description":378,"reverse":41,"image":379},600,100,"\u003Cp>Detect phishing at the edge\u003C/p>","\u003Cp>Push uses industry-first telemetry to detect phishing based on behavior, not static indicators. Autonomous agents analyze how phishing pages behave and how users interact with them, uncovering fake logins, credential theft, and phishing kits the moment they load in the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F9df3d180c97b4e61af142af2ccd68721",{"large":381},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},"DM Sans, sans-serif","20px","0px",{"@type":106,"@version":107,"id":386,"component":387,"responsiveStyles":393},"builder-d2a7bc941feb43cdb898bc116b203cf9",{"name":373,"options":388,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":390,"description":391,"reverse":6,"image":392},120,"\u003Ch2>Go beyond blocklists and IOCs\u003C/h2>","\u003Cp>Push goes beyond URLs and easy-to-change indicators. It reads the full phishing playbook like script behavior, session hijacks, DOM changes, user inputs, then connects the dots in real time. This gives your team a complete picture of how the phishing attempt worked, not just an alert.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fabfd58db169b433e96d3f1261797156e",{"large":394},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},"36px",{"@type":106,"@version":107,"layerName":373,"id":397,"component":398,"responsiveStyles":404},"builder-42c32198083f4880acb37c5cb76934da",{"name":373,"options":399,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":401,"description":402,"reverse":41,"image":403},140,"\u003Ch2>Enhance your phishing response\u003C/h2>","\u003Cp>When phishing enters your environment, speed matters. Push gives you instant access to the telemetry that counts like session data, user behavior, and page activity, so you can investigate fast, trigger in-browser prompts, or forward alerts to your SIEM or SOAR for response. All in real time, right from the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fbb195aec46904056b85e8688629e558e",{"large":405},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},"47px",{"@type":106,"@version":107,"id":408,"component":409,"responsiveStyles":411},"builder-9a95b9cbc4854421a92ef7b90f6c7adb",{"name":354,"options":410,"isRSC":118},{"darkMode":6},{"large":412},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":414,"component":415,"responsiveStyles":419},"builder-0afa17a9f25c4661a90f314d5578aa18",{"name":416,"tag":416,"options":417,"isRSC":118},"LatestResources",{"sectionHeading":37,"customClass":418},"bg-black",{"large":420},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":422,"@type":106,"tagName":131,"properties":423,"responsiveStyles":424},"builder-pixel-21yj6h3p4wh",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":425},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":427},{"path":37,"query":428},{},{},1776275046831,1745499158657,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fff60c30a8442489c8ed7e0af9599d14f","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"lastPreviewUrl":436,"winningTest":118,"breakpoints":437,"kind":438,"hasLinks":6,"originalContentId":439,"hasAutosaves":6},"https://pushsecurity.com/uc/zero-day-phishing-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=387451215c314dd5bd654668cdc1a197&builder.overrides.387451215c314dd5bd654668cdc1a197=387451215c314dd5bd654668cdc1a197&builder.overrides.use-case-page:/uc/zero-day-phishing-protection=387451215c314dd5bd654668cdc1a197&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},"page","2daa5670b8504fc7ba4700633e8bd921","atvz4dp24b7",{"createdDate":442,"id":443,"name":444,"modelId":261,"published":13,"stageModifiedSincePublish":6,"query":445,"data":448,"variations":552,"lastUpdated":553,"firstPublished":554,"testRatio":33,"screenshot":555,"createdBy":34,"lastUpdatedBy":433,"folders":556,"meta":557,"rev":440},1756833377777,"54f8256648f54d439303734b1e69221b","Browser extension security",[446],{"@type":264,"property":265,"operator":266,"value":447},"/uc/browser-extension-security",{"seoDescription":449,"jsCode":37,"fontAwesomeIcon":450,"tsCode":37,"title":444,"seoTitle":444,"customFonts":451,"inputs":456,"blocks":457,"url":447,"state":549},"Shine a light on risky browser extensions.","faPuzzlePiece",[452],{"kind":273,"family":272,"version":274,"files":453,"category":295,"lastModified":275,"subsets":454,"variants":455,"menu":296},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"100italic":288,"italic":289,"regular":290,"900italic":286,"800italic":285,"700italic":287,"200italic":291,"300italic":293,"500italic":292,"600italic":294},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],[],[458,544],{"@type":106,"@version":107,"tagName":323,"id":459,"meta":460,"children":461},"builder-71d0648c1d2f4ede8d0d0b5b28b7b94c",{"previousId":324},[462,478,485,492,501,511,521,531,538],{"@type":106,"@version":107,"id":463,"meta":464,"component":465,"responsiveStyles":476},"builder-ff325b4b8fad4edea53f38865947e854",{"previousId":328},{"name":327,"options":466,"isRSC":118},{"title":444,"description":467,"points":468,"video":475},"\u003Cp>Browser extensions introduce new code, new permissions, and new potential for risk. Many include AI features, and most go completely unnoticed. Push gives you full visibility into every extension used across your workforce, across major browsers, so you can uncover shadow IT, assess risky permissions, and block unsafe tools before they lead to compromise.\u003C/p>",[469,471,473],{"item":470},"Discover every browser extension in use",{"item":472},"Spot risky or unsanctioned behavior",{"item":474},"Make informed decisions on extension policy","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc538aad95d7f403aa3c3551af72f67c0?alt=media&token=1411fa6d-2eac-4e6c-94bf-ea117da12d67&apiKey=f3a1111ff5be48cdbb123cd9f5795a05",{"large":477},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":479,"meta":480,"component":481,"responsiveStyles":483},"builder-fb89d128c64e47cf9cbb11d90fc24523",{"previousId":344},{"name":346,"options":482,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":484},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":486,"meta":487,"component":488,"responsiveStyles":490},"builder-54388d35126c4d0096eeebaf8c4448cd",{"previousId":352},{"name":354,"options":489,"isRSC":118},{"darkMode":41},{"large":491},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":359,"id":493,"component":494,"responsiveStyles":499},"builder-3c8fa6785dd6466abf52a2470d66d85a",{"name":359,"tag":359,"options":495,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":496,"description":497,"image":498,"reverse":6},"\u003Ch2>Take control of browser extensions\u003C/h2>","\u003Cp>Attackers are increasingly using malicious browser extensions to gain access to data processed and stored in the browser. And the problem is, most security teams have no visibility into what extensions are being used. Push changes that. With browser-native telemetry, the Push extension continuously inventories browser extensions across your environment, flags the risky ones, and gives you intelligence to act. \u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0a004f16a6874f4c8fdf14344acc9fec",{"large":500},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":502,"meta":503,"component":504,"responsiveStyles":509},"builder-93738f98109a4009affb349afd7bb182",{"previousId":371},{"name":373,"options":505,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":506,"description":507,"reverse":41,"image":508},"\u003Ch2>Discover every extension in use\u003C/h2>","\u003Cp>Push gives you structured, searchable data about every extension in your environment, so you’re not just seeing what’s there, but also understanding how it got there, what it can do, and who it affects. It’s the kind of granular insight that’s nearly impossible to get from traditional tools, and it lays the groundwork for better policy decisions and faster investigations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0e5727ca99474f14b1b7916bf6bbb782",{"large":510},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":512,"meta":513,"component":514,"responsiveStyles":519},"builder-83393acb12ee4fdd840839185b51edb4",{"previousId":386},{"name":373,"options":515,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":516,"description":517,"reverse":6,"image":518},"\u003Ch2>Spot risky or malicious extensions\u003C/h2>","\u003Cp>Push highlights extensions with dangerous permissions, broad access, or poor reputations. This includes AI extensions that request access far beyond what their stated purpose requires. You can quickly detect sideloaded, manually installed, or development-mode extensions that bypass normal controls. And because Push shows you who’s using them and where, you can respond precisely and effectively.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa104d58c8da34fbb8901f738fb21453b",{"large":520},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":522,"meta":523,"component":524,"responsiveStyles":529},"builder-da98e3de949646d89c53a0d1c2784664",{"previousId":397},{"name":373,"options":525,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":526,"description":527,"reverse":41,"image":528},"\u003Ch2>Accelerate security reviews\u003C/h2>","\u003Cp>Most teams have extension policies, they just don’t have the data to enforce them. Push reveals how each extension entered your environment, whether it was installed manually, sideloaded, or deployed in dev mode. You’ll see which users are running what, and where, so you can surface violations, investigate quickly, and respond with confidence.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F229f355be6f243b180f410d237a75bb3",{"large":530},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":532,"meta":533,"component":534,"responsiveStyles":536},"builder-1a689287d1a1418997d57db578a71105",{"previousId":408},{"name":354,"options":535,"isRSC":118},{"darkMode":6},{"large":537},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":539,"component":540,"responsiveStyles":542},"builder-feb4e75029f84c10b6498ef1f8f79128",{"name":416,"tag":416,"options":541,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":543},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":545,"@type":106,"tagName":131,"properties":546,"responsiveStyles":547},"builder-pixel-0edn39avfcei",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":548},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":550},{"path":37,"query":551},{},{},1776275365038,1757000441666,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8d496cf111644ee5afcc046b72d1ca5a",[],{"kind":438,"winningTest":118,"breakpoints":558,"lastPreviewUrl":559,"hasLinks":6,"originalContentId":259,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/browser-extension-security?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=54f8256648f54d439303734b1e69221b&builder.overrides.54f8256648f54d439303734b1e69221b=54f8256648f54d439303734b1e69221b&builder.overrides.use-case-page:/uc/browser-extension-security=54f8256648f54d439303734b1e69221b&builder.options.locale=Default",{"createdDate":561,"id":562,"name":563,"modelId":261,"published":13,"query":564,"data":567,"variations":670,"lastUpdated":671,"firstPublished":672,"testRatio":33,"screenshot":673,"createdBy":34,"lastUpdatedBy":674,"folders":675,"meta":676,"rev":440},1744923509705,"94bebb7bb99d48629ad157e80cf4d81d","Account takeover detection",[565],{"@type":264,"property":265,"operator":266,"value":566},"/uc/account-takeover-detection",{"title":563,"customFonts":568,"jsCode":37,"seoTitle":563,"seoDescription":573,"fontAwesomeIcon":574,"tsCode":37,"blocks":575,"url":566,"state":667},[569],{"kind":273,"category":295,"variants":570,"menu":296,"files":571,"family":272,"subsets":572,"version":274,"lastModified":275},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"300italic":293,"500italic":292,"800italic":285,"700italic":287,"italic":289,"900italic":286,"600italic":294,"200italic":291,"regular":290,"100italic":288},[298,299],"Stop ATO with stolen credential and compromised token detection.","faUserSecret",[576,662],{"@type":106,"@version":107,"tagName":323,"id":577,"meta":578,"children":579},"builder-e7913a774cae44c5a23d6081c5c30a52",{"previousId":324},[580,596,603,610,619,629,639,649,656],{"@type":106,"@version":107,"id":581,"meta":582,"component":583,"responsiveStyles":594},"builder-f1f1ab1601bc4c0f8c2a8aafd173675d",{"previousId":328},{"name":327,"options":584,"isRSC":118},{"title":563,"description":585,"points":586,"video":593},"\u003Cp>Attackers don’t need to phish, they just need a password that works. Push monitors for signs of credential-based attacks in real time, directly in the browser, catching account takeover attempts before the damage spreads. From ghost logins to credential stuffing, Push cuts off the paths attackers use to quietly slip in the back door.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[587,589,591],{"item":588},"Identify credential-based ATO as it unfolds",{"item":590},"Surface hijacked sessions and token misuse",{"item":592},"Strengthen authentication where your IdP can’t","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb4dd9db24bc9495b8a686b1b4d492016%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=b4dd9db24bc9495b8a686b1b4d492016&alt=media&optimized=true",{"large":595},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":597,"meta":598,"component":599,"responsiveStyles":601},"builder-0bc0d1c78ece4994993c3a6427a4d533",{"previousId":344},{"name":346,"options":600,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":602},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":604,"meta":605,"component":606,"responsiveStyles":608},"builder-e45de8f3768c4f16938dbf78e4e87524",{"previousId":352},{"name":354,"options":607,"isRSC":118},{"darkMode":41},{"large":609},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":611,"component":612,"responsiveStyles":617},"builder-c98e8bfd341146c1b67c02d5698ff093",{"name":359,"tag":359,"options":613,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":614,"description":615,"image":616,"reverse":6},"\u003Ch2>Assume less. See more.\u003C/h2>","\u003Cp>Most account takeovers don’t start with a breach, they start with a login. Whether it’s a reused password, a local account, or an outdated login flow, Push shows you how accounts are actually accessed day to day, not just how policies say they should be. That means no more blind spots around ghost logins, bypassed SSO, or stale access paths that quietly persist.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F18630ad2746d4eb7b7fcc0428b11a8f0",{"large":618},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":620,"meta":621,"component":622,"responsiveStyles":627},"builder-55c1fc38ddc04fd1a0d6a8e2fb819e00",{"previousId":371},{"name":373,"options":623,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":624,"description":625,"reverse":41,"image":626},"\u003Ch2>Catch stolen credential use in real time\u003C/h2>","\u003Cp>Push monitors login activity directly in the browser to detect signs of credential-based attacks like leaked password use or suspicious login flows. By analyzing attacker TTPs instead of relying on known indicators, Push spots credential stuffing and account takeover attempts the moment they begin, not after they’ve succeeded.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F52b0123cac2c4dfdb1dc0af6adf9d603",{"large":628},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":630,"meta":631,"component":632,"responsiveStyles":637},"builder-dfb31737b30948c6b95323655d571a50",{"previousId":386},{"name":373,"options":633,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":634,"description":635,"reverse":6,"image":636},"\u003Ch2>Detect session hijacks and stealth access\u003C/h2>","\u003Cp>Attackers don’t always need a login screen, they often sidestep it entirely using stolen session tokens. Push detects when valid sessions are reused in unexpected ways, identifying hijacked sessions and stealth access attempts that traditional tools miss. Because we monitor directly in the browser, you see what’s happening inside active sessions in real time.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F94a6859a99e04d309ffe5841f3dbdf5c",{"large":638},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":640,"meta":641,"component":642,"responsiveStyles":647},"builder-f7585b90eb974d03a7dc7eae5b58d227",{"previousId":397},{"name":373,"options":643,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":644,"description":645,"reverse":41,"image":646},"\u003Ch2>Harden accounts before they’re compromised\u003C/h2>","\u003Cp>Push goes beyond alerts. It identifies apps that still allow local logins, even when SSO is configured, so you can remove weak access paths. Push also flags users without MFA, reused work credentials, or weak passwords, and prompts users in-browser to fix risky behaviors before they’re exploited.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01c1b638f1b6497093a4f2b8ceddb5bb",{"large":648},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":650,"meta":651,"component":652,"responsiveStyles":654},"builder-ad81d1e3afec49a791214194eae09bdc",{"previousId":408},{"name":354,"options":653,"isRSC":118},{"darkMode":6},{"large":655},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":657,"component":658,"responsiveStyles":660},"builder-8dac1aa4b9d148628d92252bd8eff822",{"name":416,"tag":416,"options":659,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":661},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":663,"@type":106,"tagName":131,"properties":664,"responsiveStyles":665},"builder-pixel-s5u3wmvz7jq",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":666},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":668},{"path":37,"query":669},{},{},1770892814499,1745499162732,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F58b660fa94aa4b30b0faeb9b663ae41a","SfUPqW5tkibIPby49keNFMdHFTr1",[],{"lastPreviewUrl":677,"hasLinks":6,"originalContentId":259,"breakpoints":678,"winningTest":118,"kind":438,"hasAutosaves":41},"https://pushsecurity.com/uc/account-takeover-detection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.94bebb7bb99d48629ad157e80cf4d81d=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.use-case-page:/uc/account-takeover-detection=94bebb7bb99d48629ad157e80cf4d81d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":680,"id":681,"name":682,"modelId":261,"published":13,"query":683,"data":686,"variations":789,"lastUpdated":790,"firstPublished":791,"testRatio":33,"screenshot":792,"createdBy":34,"lastUpdatedBy":674,"folders":793,"meta":794,"rev":440},1745009370904,"23eb48fb56d3451cab77cb6ed140ee6d","Attack path hardening",[684],{"@type":264,"property":265,"operator":266,"value":685},"/uc/attack-path-hardening",{"tsCode":37,"seoDescription":687,"jsCode":37,"customFonts":688,"fontAwesomeIcon":693,"seoTitle":682,"title":682,"blocks":694,"url":685,"state":786},"Harden access paths with visibility,  detection, and guardrails.",[689],{"kind":273,"files":690,"version":274,"lastModified":275,"subsets":691,"menu":296,"category":295,"variants":692,"family":272},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"regular":290,"italic":289,"800italic":285,"500italic":292,"600italic":294,"200italic":291,"900italic":286,"700italic":287,"100italic":288,"300italic":293},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"faRadar",[695,781],{"@type":106,"@version":107,"tagName":323,"id":696,"meta":697,"children":698},"builder-1d8553eddcaa44d7bba9e2f4ca13af2a",{"previousId":577},[699,715,722,729,738,748,758,768,775],{"@type":106,"@version":107,"id":700,"meta":701,"component":702,"responsiveStyles":713},"builder-84fe3d7c85a743cf8cef649aa974f1ef",{"previousId":581},{"name":327,"options":703,"isRSC":118},{"title":682,"description":704,"points":705,"video":712},"\u003Cp>Push continuously monitors your environment for exposed login paths, weak credentials, and missing protections like MFA. It detects the gaps attackers exploit and helps you close them before they’re used.\u003C/p>",[706,708,710],{"item":707},"Find weak spots like reused passwords, local logins, and missing MFA",{"item":709},"Monitor how users actually log in across apps, flows, and tools",{"item":711},"Enforce secure access with in-browser guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fdbdcf52892034f1bbddded77f753a343%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=dbdcf52892034f1bbddded77f753a343&alt=media&optimized=true",{"large":714},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":716,"meta":717,"component":718,"responsiveStyles":720},"builder-b3f66f5b08054cc78a06fecfc3ae2337",{"previousId":597},{"name":346,"options":719,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":721},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":723,"meta":724,"component":725,"responsiveStyles":727},"builder-4c73418b84be49ed85e6e13d2625c5a0",{"previousId":604},{"name":354,"options":726,"isRSC":118},{"darkMode":41},{"large":728},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":730,"component":731,"responsiveStyles":736},"builder-dec0246085e1485c803f7152b1922a81",{"name":359,"tag":359,"options":732,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":733,"description":734,"image":735,"reverse":6},"\u003Ch2>Find the gaps that lead to compromise\u003C/h2>","\u003Cp>Misconfigurations don’t show up in your config files, they show up in how users actually access apps. Push monitors real login behavior in the browser, surfacing risky patterns like local login access, duplicate accounts, or missing protections that leave doors wide open.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F309a59bba8d247a19476bb369397460e",{"large":737},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":739,"meta":740,"component":741,"responsiveStyles":746},"builder-ebf049a645604a249550996a88f8f3b6",{"previousId":620},{"name":373,"options":742,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":743,"description":744,"reverse":41,"image":745},"\u003Ch2>See real login behavior\u003C/h2>","\u003Cp>Push watches authentication flows as they happen, giving you a live view of how users log in, which methods they choose, and where protections like MFA are missing. Plus, uncover every app and account in use, even shadow IT you didn’t know existed, without relying on stale config files or IdP assumptions. \u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb51f6b0357cc451b87a7a5016d984e5e",{"large":747},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":749,"meta":750,"component":751,"responsiveStyles":756},"builder-431d175c59004669b0b2776b07d71737",{"previousId":630},{"name":373,"options":752,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":753,"description":754,"reverse":6,"image":755},"\u003Ch2>Find and fix posture drift\u003C/h2>","\u003Cp>Security posture isn’t static. Push continuously monitors for issues like missing MFA or legacy login methods. When something falls out of policy, you know immediately with custom notifications so you can act before it turns into risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F324e39127dfc41e592b1183dfb39892d",{"large":757},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":759,"meta":760,"component":761,"responsiveStyles":766},"builder-3dffdcbe0a484e2ca4c03f019b6d40ee",{"previousId":640},{"name":373,"options":762,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":763,"description":764,"reverse":41,"image":765},"\u003Ch2>Guide users with in-browser guardrails\u003C/h2>","\u003Cp>Push doesn’t just surface problems, it helps you fix them. When users sign in without MFA, reuse a password, or use insecure credentials, Push prompts them directly in the browser to secure their access. It’s faster, more effective, and actually gets results.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fee8b75d13e45488aba55434a8b49ebb0",{"large":767},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":769,"meta":770,"component":771,"responsiveStyles":773},"builder-976bc222cd7647ff905f1e01cfedc453",{"previousId":650},{"name":354,"options":772,"isRSC":118},{"darkMode":6},{"large":774},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":776,"component":777,"responsiveStyles":779},"builder-8c47ec2fd0f74382bb3e6c870555632c",{"name":416,"tag":416,"options":778,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":780},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":782,"@type":106,"tagName":131,"properties":783,"responsiveStyles":784},"builder-pixel-7akm7dayau8",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":785},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":787},{"path":37,"query":788},{},{},1770892844854,1745499166112,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6ca12bf728a045f1a31d40c0beb3bfe5",[],{"kind":438,"lastPreviewUrl":795,"breakpoints":796,"hasLinks":6,"originalContentId":562,"winningTest":118,"hasAutosaves":6},"https://pushsecurity.com/uc/attack-path-hardening?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.23eb48fb56d3451cab77cb6ed140ee6d=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.use-case-page:/uc/attack-path-hardening=23eb48fb56d3451cab77cb6ed140ee6d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":798,"id":799,"name":800,"modelId":261,"published":13,"query":801,"data":804,"variations":909,"lastUpdated":910,"firstPublished":911,"testRatio":33,"screenshot":912,"createdBy":34,"lastUpdatedBy":674,"folders":913,"meta":914,"rev":440},1761675020232,"ea4f309d2ffe46c5aa97ebf0fda4e2e3","ClickFix Protection",[802],{"@type":264,"property":265,"operator":266,"value":803},"/uc/clickfix-protection",{"seoDescription":805,"fontAwesomeIcon":806,"customFonts":807,"seoTitle":812,"jsCode":37,"tsCode":37,"title":812,"blocks":813,"url":803,"state":906},"Block attacks that trick users into running malicious code.","faLaptopCode",[808],{"files":809,"subsets":810,"menu":296,"version":274,"kind":273,"family":272,"lastModified":275,"variants":811,"category":295},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"200italic":291,"800italic":285,"700italic":287,"600italic":294,"100italic":288,"italic":289,"regular":290,"300italic":293,"500italic":292,"900italic":286},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"ClickFix protection",[814,901],{"@type":106,"@version":107,"tagName":323,"id":815,"meta":816,"children":817},"builder-d7eefdde0f2a4b2b9de3dcb2978fd6cb",{"previousId":696},[818,834,841,848,858,868,878,888,895],{"@type":106,"@version":107,"id":819,"meta":820,"component":821,"responsiveStyles":832},"builder-56e2c54bcce040a4af8b92ae03706c12",{"previousId":700},{"name":327,"options":822,"isRSC":118},{"title":812,"description":823,"points":824,"image":831},"\u003Cp>ClickFix attacks are one of the fastest-growing threats, tricking users into copying malicious code from a webpage and running it locally. This technique bypasses traditional EDR, email gateways, and network filters, leading directly to ransomware and data theft. Push stops this attack at the source, in the browser, by detecting and blocking the malicious behavior before the user can ever paste the code.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[825,827,829],{"item":826},"Detect ClickFix, FileFix, and fake CAPTCHA in the browser",{"item":828},"Block malicious copy-and-paste actions before code is executed",{"item":830},"See full telemetry into which users were targeted and what they saw","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b74af62889847ebb3927364485b0546",{"large":833},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":835,"meta":836,"component":837,"responsiveStyles":839},"builder-05f9614d4e3e4dc88b3ee8658f54e10e",{"previousId":716},{"name":346,"options":838,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":840},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":842,"meta":843,"component":844,"responsiveStyles":846},"builder-c4fb5179366243c1b6c32d368675cf47",{"previousId":723},{"name":354,"options":845,"isRSC":118},{"darkMode":41},{"large":847},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":849,"meta":850,"component":851,"responsiveStyles":856},"builder-261af50705fd445d8cca4a6ba20d5391",{"previousId":730},{"name":359,"tag":359,"options":852,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":853,"description":854,"reverse":6,"image":855},"\u003Ch2>Stop ClickFix-style attacks before they become a breach\u003C/h2>","\u003Cp>Traditional security tools are blind to malicious copy and paste attacks because the attack exploits a gap between the browser and the endpoint. EDR only sees the payload after it runs, and network tools see only part of the picture.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F98b2f7e08dec4eafaf8e24937605b8cf",{"large":857},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":859,"meta":860,"component":861,"responsiveStyles":866},"builder-7d21b8aab8064c40b1e5dd23c4749309",{"previousId":739},{"name":373,"options":862,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":863,"description":864,"reverse":41,"image":865},"\u003Ch2>Discover lures at the source\u003C/h2>","\u003Cp>Push inspects page behavior to identify ClickFix attacks as they happen. By inspecting the page, its structure, and how the user interacts with it, Push can detect and block these in-browser threats in real time. This deep, TTP-based inspection spots the trap even on novel pages that are built to bypass traditional web filters and blocklists.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F665bf47e01544c75bf9ddafd3917927b",{"large":867},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":869,"meta":870,"component":871,"responsiveStyles":876},"builder-fb91943adf6149259ed9e1e6566c9afe",{"previousId":749},{"name":373,"options":872,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":873,"description":874,"reverse":6,"image":875},"\u003Ch2>Block the malicious action\u003C/h2>","\u003Cp>When Push detects a malicious script, it intercepts the user's action and blocks the code from being copied to the clipboard. The user is protected, the attack is stopped, and no malicious code ever reaches the endpoint. Unlike broad DLP tools, this action is surgical, targeting only malicious behavior without disrupting normal work.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F5ee68f81f1ac416685cbfe91298cf827",{"large":877},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":879,"meta":880,"component":881,"responsiveStyles":886},"builder-bfac95fada864e5a8259b955b5b5f98b",{"previousId":759},{"name":373,"options":882,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":883,"description":884,"reverse":41,"image":885},"\u003Ch2>Accelerate ClickFix investigations\u003C/h2>","\u003Cp>When an attack happens, knowing what the user saw or did is critical. Push provides rich browser session data for rapid investigation and containment. Security teams get detailed telemetry on which users were targeted, what lure they were served, and when the block occurred. This enables defenders to reconstruct what happened and respond quickly, even when other tools miss the activity entirely.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6cdf2a8aeddc4e9a9023cbf974e40239",{"large":887},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":889,"meta":890,"component":891,"responsiveStyles":893},"builder-136892e831684a6987f87d3be67c33d1",{"previousId":769},{"name":354,"options":892,"isRSC":118},{"darkMode":6},{"large":894},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":896,"component":897,"responsiveStyles":899},"builder-dec26b739f2f42beb5a73cfc6c675b60",{"name":416,"tag":416,"options":898,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":900},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":902,"@type":106,"tagName":131,"properties":903,"responsiveStyles":904},"builder-pixel-zzjpxxgrc2l",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":905},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":907},{"path":37,"query":908},{},{},1770892881888,1761847585203,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F375467b8bef34ed1a8a1cc5b8b67d75f",[],{"lastPreviewUrl":915,"originalContentId":681,"winningTest":118,"hasLinks":6,"kind":438,"breakpoints":916,"hasAutosaves":6},"https://pushsecurity.com/uc/clickfix-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.ea4f309d2ffe46c5aa97ebf0fda4e2e3=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.use-case-page:/uc/clickfix-protection=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":918,"id":919,"name":920,"modelId":261,"published":13,"query":921,"data":924,"variations":1029,"lastUpdated":1030,"firstPublished":1031,"testRatio":33,"screenshot":1032,"createdBy":34,"lastUpdatedBy":674,"folders":1033,"meta":1034,"rev":440},1745009743870,"a9d5556e77f84a37b5bd52310a7110c1","Incident response",[922],{"@type":264,"property":265,"operator":266,"value":923},"/uc/incident-response",{"seoDescription":925,"customFonts":926,"title":920,"jsCode":37,"fontAwesomeIcon":931,"seoTitle":932,"tsCode":37,"blocks":933,"url":923,"state":1026},"Investigate and respond faster with unique browser telemetry.",[927],{"kind":273,"subsets":928,"menu":296,"variants":929,"category":295,"family":272,"version":274,"lastModified":275,"files":930},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"900italic":286,"600italic":294,"200italic":291,"300italic":293,"100italic":288,"700italic":287,"800italic":285,"regular":290,"italic":289,"500italic":292},"faSatelliteDish","Browser based incident response",[934,1021],{"@type":106,"@version":107,"tagName":323,"id":935,"meta":936,"children":937},"builder-653c4aed737b4def88dc4cd2d695660a",{"previousId":696},[938,955,962,969,978,988,998,1008,1015],{"@type":106,"@version":107,"id":939,"meta":940,"component":941,"responsiveStyles":953},"builder-18190bd36518467d9154d27d7e945b9b",{"previousId":700},{"name":327,"options":942,"isRSC":118},{"title":943,"description":944,"points":945,"video":952},"Browser-based incident response","\u003Cp>Push gives you real-time visibility into what actually happened during a breach, right in the browser where the attack played out. From credential theft to session hijacking, Push captures high-fidelity telemetry so you can investigate quickly, contain confidently, and shut it down before it spreads.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[946,948,950],{"item":947},"Reconstruct what happened with real browser session context",{"item":949},"Investigate faster with real-world session context",{"item":951},"Trigger response actions automatically through your SIEM or SOAR","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fd00e39d3b6e346c296261d875cf55652%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=d00e39d3b6e346c296261d875cf55652&alt=media&optimized=true",{"large":954},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":956,"meta":957,"component":958,"responsiveStyles":960},"builder-8a0a8ea63f5d48dd8a6726f2d49cf0ca",{"previousId":716},{"name":346,"options":959,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":961},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":963,"meta":964,"component":965,"responsiveStyles":967},"builder-2df65c3f54334df2b26e7cb744886cdc",{"previousId":723},{"name":354,"options":966,"isRSC":118},{"darkMode":41},{"large":968},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":970,"component":971,"responsiveStyles":976},"builder-2c32c869efc2423ab69ef06b150e9f97",{"name":359,"tag":359,"options":972,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":973,"description":974,"image":975,"reverse":6},"\u003Ch2>See attacks unfold, not just their aftermath\u003C/h2>","\u003Cp>Attacks happen in the browser, not in logs. Push captures what traditional tools miss: what users clicked, what loaded, what was entered, and how attackers moved. That gives you real-world evidence, not just assumptions, when every second matters.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F36fc719bd1de4a38b916f4d25c81a26d",{"large":977},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":979,"meta":980,"component":981,"responsiveStyles":986},"builder-370e53c6016e432db01e9193a2ce90f6",{"previousId":739},{"name":373,"options":982,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":983,"description":984,"reverse":41,"image":985},"\u003Ch2>Investigate faster with high-fidelity data\u003C/h2>","\u003Cp>Reconstructing an incident shouldn’t feel like guesswork. Push records detailed telemetry from inside the browser: page loads, credential inputs, DOM changes, session activity, user behavior. It’s structured, exportable, and ready to plug into your investigation workflows, so you can move fast without digging through proxy logs or relying on user reports.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa6adda040e684e67a8d68a55c5ce5f6d",{"large":987},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":989,"meta":990,"component":991,"responsiveStyles":996},"builder-a7f3767a8d184bd08fb24520bf210e95",{"previousId":749},{"name":373,"options":992,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":993,"description":994,"reverse":6,"image":995},"\u003Ch2>Contain and respond in real time\u003C/h2>","\u003Cp>When something looks off, Push doesn’t just alert you, it gives you options. Guide users with in-browser prompts. Terminate sessions. Trigger SOAR workflows. Enrich SIEM alerts. Push gives you the context and control to stop spread before it starts.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb3dedeed5aba4847a2c2d22e10d0ec12",{"large":997},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":999,"meta":1000,"component":1001,"responsiveStyles":1006},"builder-b92036ee0ece4b32acdbdcc7c377366b",{"previousId":759},{"name":373,"options":1002,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1003,"description":1004,"reverse":41,"image":1005},"\u003Ch2>Prevent the next one\u003C/h2>","\u003Cp>Push helps you respond fast, but it also helps you fix what went wrong. It surfaces misconfigurations and risky behaviors that made the attack possible in the first place, then guides users in-browser to remediate. One tool. Full loop. No loose ends.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc1ecc2d5d3814b62b072fac01827ff96",{"large":1007},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1009,"meta":1010,"component":1011,"responsiveStyles":1013},"builder-5e8ae39655274de89da32ab573a2525a",{"previousId":769},{"name":354,"options":1012,"isRSC":118},{"darkMode":6},{"large":1014},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1016,"component":1017,"responsiveStyles":1019},"builder-dfd6850cfb4741d2b8a0c16c2780f00a",{"name":416,"tag":416,"options":1018,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1020},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1022,"@type":106,"tagName":131,"properties":1023,"responsiveStyles":1024},"builder-pixel-z197gdgcmu",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":1025},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1027},{"path":37,"query":1028},{},{},1770892908052,1745427419274,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb07017bfd318431690a5bb35bda35b99",[],{"kind":438,"breakpoints":1035,"originalContentId":681,"winningTest":118,"lastPreviewUrl":1036,"hasLinks":6,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/incident-response?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.a9d5556e77f84a37b5bd52310a7110c1=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.use-case-page:/uc/incident-response=a9d5556e77f84a37b5bd52310a7110c1&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"createdDate":1038,"id":1039,"name":1040,"modelId":261,"published":13,"query":1041,"data":1044,"variations":1149,"lastUpdated":1150,"firstPublished":1151,"testRatio":33,"screenshot":1152,"createdBy":34,"lastUpdatedBy":674,"folders":1153,"meta":1154,"rev":440},1746122471259,"5f118e24433d46ceb79f5099987156d7","Shadow SaaS",[1042],{"@type":264,"property":265,"operator":266,"value":1043},"/uc/shadow-saas",{"seoTitle":1045,"seoDescription":1046,"customFonts":1047,"fontAwesomeIcon":1052,"title":1053,"jsCode":37,"tsCode":37,"blocks":1054,"url":1043,"state":1146},"Find and secure shadow SaaS","See and control shadow SaaS in the browser.",[1048],{"kind":273,"variants":1049,"files":1050,"family":272,"version":274,"subsets":1051,"lastModified":275,"category":295,"menu":296},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"300italic":293,"500italic":292,"regular":290,"900italic":286,"italic":289,"100italic":288,"200italic":291,"600italic":294,"700italic":287,"800italic":285},[298,299],"faShieldCheck","Secure shadow SaaS",[1055,1141],{"@type":106,"@version":107,"tagName":323,"id":1056,"meta":1057,"children":1058},"builder-04da805c4cd34652a2db452fcda52e1d",{"previousId":935},[1059,1075,1082,1089,1098,1108,1118,1128,1135],{"@type":106,"@version":107,"id":1060,"meta":1061,"component":1062,"responsiveStyles":1073},"builder-830d414faeaf41439142f9157e8288c8",{"previousId":939},{"name":327,"options":1063,"isRSC":118},{"title":1045,"description":1064,"points":1065,"video":1072},"\u003Cp>SaaS sprawl is one of today’s fastest-growing security blind spots because most tools monitor around the edges. Push sees it at the source, in the browser, revealing every app users access, flagging risky tools, and helping you shut down exposure before it leads to a breach. No guesswork. No nasty surprises. Just real-time visibility and control.\u003C/p>",[1066,1068,1070],{"item":1067},"Discover every SaaS app users access, managed or not",{"item":1069},"Spot accounts with weak security postures like missing MFA, unmanaged access, and no SSO",{"item":1071},"Control usage with in-browser prompts, blocks, and security guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F3e4eece318d04d6586e691d59d0741cf%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=3e4eece318d04d6586e691d59d0741cf&alt=media&optimized=true",{"large":1074},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":1076,"meta":1077,"component":1078,"responsiveStyles":1080},"builder-cd7833f966cb4c7e8adf0d6c979414a6",{"previousId":956},{"name":346,"options":1079,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":1081},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":1083,"meta":1084,"component":1085,"responsiveStyles":1087},"builder-49d720b45430454e8b08c526f267c19f",{"previousId":963},{"name":354,"options":1086,"isRSC":118},{"darkMode":41},{"large":1088},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1090,"component":1091,"responsiveStyles":1096},"builder-3dde0bf6c8544e5e9ab41b18a9d68034",{"name":359,"tag":359,"options":1092,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":1093,"description":1094,"image":1095,"reverse":6},"\u003Ch2>Use your browser to curb Saas Sprawl\u003C/h2>","\u003Cp>Shadow SaaS isn’t hiding in your network, it’s in your browser. From AI tools to unsanctioned file-sharing sites, security risks live in the apps your users sign into every day. Push maps your organization's true SaaS footprint in real time, exposing apps and accounts with unmanaged access, poor authentication, or no security oversight.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb6811a214c7949b6bbe0b9a3bca62efd",{"large":1097},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1099,"meta":1100,"component":1101,"responsiveStyles":1106},"builder-e2420451ccdc4f088d0a4904cff45935",{"previousId":979},{"name":373,"options":1102,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":1103,"description":1104,"reverse":41,"image":1105},"\u003Ch2>Discover hidden SaaS usage\u003C/h2>","\u003Cp>Push captures live browser telemetry across every tab and session. Whether a user signs into a sanctioned app with a personal account or tries a new AI plugin, you’ll see it in real time, with no integrations or manual tagging.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe16e301f9af94665b95d98232a863d8a",{"large":1107},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":1109,"meta":1110,"component":1111,"responsiveStyles":1116},"builder-b36de7fce7994beea9e58d94662e7166",{"previousId":989},{"name":373,"options":1112,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":1113,"description":1114,"reverse":6,"image":1115},"\u003Ch2>Spot risky access and unsafe usage\u003C/h2>","\u003Cp>Discovery is just the beginning. Push flags apps with risky traits, no MFA, no SSO, known vulnerabilities, or broad access scopes. You’ll know which tools introduce real risk, and which users are exposed so you can act with precision.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6585f3c242da4d70ae3cb7d02f481bef",{"large":1117},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":1119,"meta":1120,"component":1121,"responsiveStyles":1126},"builder-dc366b5134684fe7a508edf8913103ea",{"previousId":999},{"name":373,"options":1122,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1123,"description":1124,"reverse":41,"image":1125},"\u003Ch2>Close gaps before they grow\u003C/h2>","\u003Cp>Push turns insight into action. When risky SaaS use is detected, guide users to enable MFA, block high-risk apps, or apply in-browser guardrails automatically. All without deploying new infrastructure or managing dozens of integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe6d60b6d91414819bc6258a318f00557",{"large":1127},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1129,"meta":1130,"component":1131,"responsiveStyles":1133},"builder-8708f6f0d8da4b3f9e17bf16cda70219",{"previousId":1009},{"name":354,"options":1132,"isRSC":118},{"darkMode":6},{"large":1134},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1136,"component":1137,"responsiveStyles":1139},"builder-8ff4b38d60534cf28cb523ab0f754875",{"name":416,"tag":416,"options":1138,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1140},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1142,"@type":106,"tagName":131,"properties":1143,"responsiveStyles":1144},"builder-pixel-d1ul2kmxbed",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":1145},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1147},{"path":37,"query":1148},{},{},1770892936802,1746714967208,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01bfb2304521412fbd2e1a1180904d40",[],{"originalContentId":919,"winningTest":118,"lastPreviewUrl":1155,"breakpoints":1156,"kind":438,"hasLinks":6,"hasAutosaves":6},"https://pushsecurity.com/uc/shadow-saas?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=5f118e24433d46ceb79f5099987156d7&builder.overrides.5f118e24433d46ceb79f5099987156d7=5f118e24433d46ceb79f5099987156d7&builder.overrides.use-case-page:/uc/shadow-saas=5f118e24433d46ceb79f5099987156d7&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":1158,"id":1159,"name":1160,"modelId":261,"published":13,"query":1161,"data":1164,"variations":1268,"lastUpdated":1269,"firstPublished":1270,"testRatio":33,"screenshot":1271,"createdBy":34,"lastUpdatedBy":674,"folders":1272,"meta":1273,"rev":440},1764707470172,"b62629ce2f3741158d961cd10fe74b31","Shadow AI",[1162],{"@type":264,"property":265,"operator":266,"value":1163},"/uc/shadow-ai",{"fontAwesomeIcon":1165,"seoTitle":1166,"jsCode":37,"customFonts":1167,"title":1172,"tsCode":37,"seoDescription":1173,"blocks":1174,"url":1163,"state":1265},"faBrainCircuit","Secure AI native and AI enhanced apps. ",[1168],{"variants":1169,"category":295,"files":1170,"subsets":1171,"family":272,"kind":273,"menu":296,"lastModified":275,"version":274},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"800italic":285,"regular":290,"700italic":287,"200italic":291,"italic":289,"500italic":292,"600italic":294,"300italic":293,"100italic":288,"900italic":286},[298,299],"Secure shadow AI","See and control shadow AI apps in the browser.",[1175,1260],{"@type":106,"@version":107,"tagName":323,"id":1176,"meta":1177,"children":1178},"builder-a6e5717a2c914d5695058e4ee201a05d",{"previousId":1056},[1179,1195,1202,1209,1219,1228,1237,1247,1254],{"@type":106,"@version":107,"id":1180,"meta":1181,"component":1182,"responsiveStyles":1193},"builder-3e0ed678683f4a0eb7aa00253cf263b2",{"previousId":1060},{"name":327,"options":1183,"isRSC":118},{"title":1172,"description":1184,"points":1185,"image":1192},"\u003Cp>Your employees are adopting AI faster than you can track it. From native features in corporate apps to unapproved shadow tools, it’s all happening in the browser. Push detects every AI interaction in real time, letting you categorize apps and enforce acceptable use policies in the browser.\u003C/p>",[1186,1188,1190],{"item":1187},"Map every AI tool used across your workforce",{"item":1189},"Review and classify apps by sensitivity, purpose, and policy status",{"item":1191},"Enforce AI usage rules directly in the browser","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F33cf153d920f4e389f3650253577cff7",{"large":1194},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":1196,"meta":1197,"component":1198,"responsiveStyles":1200},"builder-76968f8471d14893b8189d75b08fb426",{"previousId":1076},{"name":346,"options":1199,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":1201},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":1203,"meta":1204,"component":1205,"responsiveStyles":1207},"builder-b55b9d4bc5a649d8839ce7f6c2043d95",{"previousId":1083},{"name":354,"options":1206,"isRSC":118},{"darkMode":41},{"large":1208},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1210,"meta":1211,"component":1212,"responsiveStyles":1217},"builder-c3f38ef4d75d4989a29b5903175ed8a1",{"previousId":1090},{"name":359,"tag":359,"options":1213,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":1214,"description":1215,"image":1216,"reverse":6},"\u003Ch2>Use your browser to govern AI \u003C/h2>","\u003Cp>The AI footprint inside your company is bigger than you think. From text generators to meeting assistants and design copilots, employees test, adopt, and connect new tools constantly. Push shows you those tools and which users are accessing them, without relying on network scans or API integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F30b43bda6f1644c19478fb1efa20050c",{"large":1218},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1220,"meta":1221,"component":1222,"responsiveStyles":1226},"builder-90ee9cb9afc44e7f885523715bf51a53",{"previousId":1099},{"name":373,"options":1223,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":1224,"description":1225,"reverse":41,"image":1115},"\u003Ch2>Discover every AI tool users touch\u003C/h2>","\u003Cp>Push captures live telemetry from the browser, identifying every AI-native and AI-enhanced application users access. You’ll know which corporate identities are connected, how data flows, and what new AI apps appear across your environment. \u003C/p>",{"large":1227},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":1229,"meta":1230,"component":1231,"responsiveStyles":1235},"builder-9e44539fa53c4d8e87406036c921fc46",{"previousId":1109},{"name":373,"options":1232,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":1233,"description":1234,"reverse":6,"image":1125},"\u003Ch2>Classify and manage AI risk\u003C/h2>","\u003Cp>For apps you choose to allow, Push lets you apply custom in-browser banners. You can bulk-select categories of AI tools and require users to read and acknowledge your acceptable use policy before they proceed. This creates an auditable trail and moves policy from an easy to forget document to an active, in-workflow control.\u003C/p>",{"large":1236},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":1238,"meta":1239,"component":1240,"responsiveStyles":1245},"builder-44c1a891926f4bdeaaa37e90721fe6ac",{"previousId":1119},{"name":373,"options":1241,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1242,"description":1243,"reverse":41,"image":1244},"\u003Ch2>Enforce your AI policy in the browser\u003C/h2>","\u003Cp>When an AI tool is deemed non-compliant or too risky, Push blocks it at the source. The block happens directly in the browser, preventing the user from accessing the site or submitting data. This gives you an immediate, powerful lever to stop data exfiltration and enforce a hard line on unacceptable risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa359ac1805af4e15a8a7f84632b9bb55",{"large":1246},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1248,"meta":1249,"component":1250,"responsiveStyles":1252},"builder-dcc906f9cbe54dc68b3c672668e7a38f",{"previousId":1129},{"name":354,"options":1251,"isRSC":118},{"darkMode":6},{"large":1253},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1255,"component":1256,"responsiveStyles":1258},"builder-d2d64780c31b4349bc75805b23a07e38",{"name":416,"tag":416,"options":1257,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1259},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1261,"@type":106,"tagName":131,"properties":1262,"responsiveStyles":1263},"builder-pixel-wxx9tk70r9p",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":1264},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1266},{"path":37,"query":1267},{},{},1770892957225,1764950077593,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe558b8b069884037a8e6904f7ecc029c",[],{"winningTest":118,"breakpoints":1274,"originalContentId":1039,"kind":438,"lastPreviewUrl":1275,"hasLinks":6,"hasAutosaves":41},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/shadow-ai?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=b62629ce2f3741158d961cd10fe74b31&builder.overrides.b62629ce2f3741158d961cd10fe74b31=b62629ce2f3741158d961cd10fe74b31&builder.overrides.use-case-page:/uc/shadow-ai=b62629ce2f3741158d961cd10fe74b31&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"_path":1277,"_dir":1278,"_draft":6,"_partial":6,"_locale":37,"sys":1279,"ogImage":118,"summary":1282,"title":1296,"subtitle":118,"metaTitle":1297,"synopsis":1298,"hashTags":118,"publishedDate":1299,"slug":1300,"tagsCollection":1301,"relatedBlogPostsCollection":1311,"authorsCollection":3186,"content":3194,"_id":4051,"_type":4052,"_source":4053,"_file":4054,"_stem":4055,"_extension":4052},"/blog/ghost-logins-when-forgotten-identities-come-back-to-haunt-you","blog",{"id":1280,"publishedAt":1281},"174u87EYeKMKHzYYxBLlHO","2026-02-12T12:33:05.820Z",{"json":1283},{"data":1284,"content":1285,"nodeType":1295},{},[1286],{"data":1287,"content":1288,"nodeType":1294},{},[1289],{"data":1290,"marks":1291,"value":1292,"nodeType":1293},{},[],"How ghost logins – where an application user account can have multiple simultaneous logins using different sign-in methods – can be leveraged by attackers throughout the different stages of a cyber attack. ","text","paragraph","document","Ghost logins: When forgotten identities come back to haunt you","What are ghost logins and how can they be exploited?","How ghost logins can be used by cyber attackers for account takeover and persistence.","2024-07-10T00:00:00.000Z","ghost-logins-when-forgotten-identities-come-back-to-haunt-you",{"items":1302},[1303,1307],{"sys":1304,"name":1306},{"id":1305},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"sys":1308,"name":1310},{"id":1309},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"items":1312},[1313,2144,2549],{"__typename":1314,"sys":1315,"content":1317,"title":2124,"synopsis":2125,"hashTags":118,"publishedDate":2126,"slug":2127,"tagsCollection":2128,"authorsCollection":2136},"BlogPosts",{"id":1316},"20FcoPvHu7zXkTQyv9MmK0",{"json":1318},{"nodeType":1295,"data":1319,"content":1320},{},[1321,1330,1337,1391,1398,1405,1422,1429,1436,1524,1531,1537,1545,1552,1567,1574,1582,1606,1631,1637,1657,1664,1671,1702,1709,1716,1722,1740,1747,1754,1761,1768,1774,1792,1799,1806,1813,1820,1826,1845,1852,1859,1865,1884,1891,1898,1905,1953,1960,2031,2046,2052,2059,2066,2073,2080,2098,2105],{"nodeType":1322,"data":1323,"content":1329},"embedded-entry-block",{"target":1324},{"sys":1325},{"id":1326,"type":1327,"linkType":1328},"7rud2H1hcTAOhxh9zHzxP6","Link","Entry",[],{"nodeType":1294,"data":1331,"content":1332},{},[1333],{"nodeType":1293,"value":1334,"marks":1335,"data":1336},"If someone asked you where you work, you probably wouldn’t answer, “My browser.” But that would be the truth.",[],{},{"nodeType":1294,"data":1338,"content":1339},{},[1340,1344,1353,1357,1365,1368,1376,1379,1387],{"nodeType":1293,"value":1341,"marks":1342,"data":1343},"(Threat actors already know where you work, of course, and they’ve been capitalizing on the massive shift to cloud-based workforces. Just look at any of the ",[],{},{"nodeType":1345,"data":1346,"content":1348},"hyperlink",{"uri":1347},"https://www.crowdstrike.com/global-threat-report/",[1349],{"nodeType":1293,"value":1350,"marks":1351,"data":1352},"latest",[],{},{"nodeType":1293,"value":1354,"marks":1355,"data":1356}," ",[],{},{"nodeType":1345,"data":1358,"content":1360},{"uri":1359},"https://redcanary.com/threat-detection-report/techniques/cloud-accounts/",[1361],{"nodeType":1293,"value":1362,"marks":1363,"data":1364},"threat",[],{},{"nodeType":1293,"value":1354,"marks":1366,"data":1367},[],{},{"nodeType":1345,"data":1369,"content":1371},{"uri":1370},"https://www.verizon.com/business/resources/reports/dbir/",[1372],{"nodeType":1293,"value":1373,"marks":1374,"data":1375},"research",[],{},{"nodeType":1293,"value":1354,"marks":1377,"data":1378},[],{},{"nodeType":1345,"data":1380,"content":1382},{"uri":1381},"https://www.lab539.com/blog/6-months-tracking-aitm-campaigns",[1383],{"nodeType":1293,"value":1384,"marks":1385,"data":1386},"reports",[],{},{"nodeType":1293,"value":1388,"marks":1389,"data":1390}," on identity-based attacks to see how good a job they’ve been doing.)",[],{},{"nodeType":1294,"data":1392,"content":1393},{},[1394],{"nodeType":1293,"value":1395,"marks":1396,"data":1397},"To get visibility of your infrastructure in order to build a strong detection and response program, the equation used to look something like:",[],{},{"nodeType":1294,"data":1399,"content":1400},{},[1401],{"nodeType":1293,"value":1402,"marks":1403,"data":1404},"Network traffic + Logs + Endpoints = Profit!",[],{},{"nodeType":1294,"data":1406,"content":1407},{},[1408,1412,1418],{"nodeType":1293,"value":1409,"marks":1410,"data":1411},"But now there’s a missing piece, as identity infrastructure sprawls across IdPs, core apps, shadow SaaS and third-party integrations: ",[],{},{"nodeType":1293,"value":1413,"marks":1414,"data":1417},"Browser telemetry",[1415],{"type":1416},"bold",{},{"nodeType":1293,"value":1419,"marks":1420,"data":1421},".",[],{},{"nodeType":1294,"data":1423,"content":1424},{},[1425],{"nodeType":1293,"value":1426,"marks":1427,"data":1428},"As a browser agent, Push is uniquely positioned to provide telemetry you can’t easily get anywhere else. We believe that this missing piece is the key to stopping identity attacks by providing the context both for first-class detections and security controls, as well as key correlations for events you observe in traditional log sources.",[],{},{"nodeType":1294,"data":1430,"content":1431},{},[1432],{"nodeType":1293,"value":1433,"marks":1434,"data":1435},"Now we have a better way to bring Push’s data to life to solve meaningful security challenges:",[],{},{"nodeType":1437,"data":1438,"content":1439},"unordered-list",{},[1440,1472],{"nodeType":1441,"data":1442,"content":1443},"list-item",{},[1444],{"nodeType":1294,"data":1445,"content":1446},{},[1447,1452,1456,1468],{"nodeType":1293,"value":1448,"marks":1449,"data":1451},"Plug-and-play security controls",[1450],{"type":1416},{},{"nodeType":1293,"value":1453,"marks":1454,"data":1455},", accessible from the new ",[],{},{"nodeType":1457,"data":1458,"content":1462},"entry-hyperlink",{"target":1459},{"sys":1460},{"id":1461,"type":1327,"linkType":1328},"BtDLgVZRWQ3Ov4WgDQX1W",[1463],{"nodeType":1293,"value":1464,"marks":1465,"data":1467},"Controls",[1466],{"type":1416},{},{"nodeType":1293,"value":1469,"marks":1470,"data":1471}," page in the Push platform",[],{},{"nodeType":1441,"data":1473,"content":1474},{},[1475],{"nodeType":1294,"data":1476,"content":1477},{},[1478,1483,1487,1495,1499,1507,1511,1520],{"nodeType":1293,"value":1479,"marks":1480,"data":1482},"Choose-your-own-adventure tooling",[1481],{"type":1416},{},{"nodeType":1293,"value":1484,"marks":1485,"data":1486},", including a ",[],{},{"nodeType":1345,"data":1488,"content":1490},{"uri":1489},"https://pushsecurity.redoc.ly/rest-v1/",[1491],{"nodeType":1293,"value":1492,"marks":1493,"data":1494},"REST API",[],{},{"nodeType":1293,"value":1496,"marks":1497,"data":1498},", ",[],{},{"nodeType":1345,"data":1500,"content":1502},{"uri":1501},"https://pushsecurity.redoc.ly/webhooks-v1/",[1503],{"nodeType":1293,"value":1504,"marks":1505,"data":1506},"webhooks",[],{},{"nodeType":1293,"value":1508,"marks":1509,"data":1510},", and a new ",[],{},{"nodeType":1345,"data":1512,"content":1514},{"uri":1513},"/help/audience/administrators/docs/connect-to-siem-or-soar/#using-the-events-page",[1515],{"nodeType":1293,"value":1516,"marks":1517,"data":1519},"Events",[1518],{"type":1416},{},{"nodeType":1293,"value":1521,"marks":1522,"data":1523}," page to help you visualize and build custom detections and automations.",[],{},{"nodeType":1294,"data":1525,"content":1526},{},[1527],{"nodeType":1293,"value":1528,"marks":1529,"data":1530},"Let’s take a closer look.",[],{},{"nodeType":1322,"data":1532,"content":1536},{"target":1533},{"sys":1534},{"id":1535,"type":1327,"linkType":1328},"6iKFd9Qys2SSuNqKVQB7ka",[],{"nodeType":1538,"data":1539,"content":1540},"heading-1",{},[1541],{"nodeType":1293,"value":1542,"marks":1543,"data":1544},"Plug-and-play controls",[],{},{"nodeType":1294,"data":1546,"content":1547},{},[1548],{"nodeType":1293,"value":1549,"marks":1550,"data":1551},"Security visibility without security control is a recipe for a stress headache, so we’re big believers in providing meaningful interventions that are easy to use.",[],{},{"nodeType":1294,"data":1553,"content":1554},{},[1555,1559,1563],{"nodeType":1293,"value":1556,"marks":1557,"data":1558},"With the new ",[],{},{"nodeType":1293,"value":1464,"marks":1560,"data":1562},[1561],{"type":1416},{},{"nodeType":1293,"value":1564,"marks":1565,"data":1566}," page in the Push admin console, you can now find these preconfigured detections and interventions in one place. They cover use cases that any organization can benefit from, and take a unique browser-based approach to solving some thorny issues.",[],{},{"nodeType":1294,"data":1568,"content":1569},{},[1570],{"nodeType":1293,"value":1571,"marks":1572,"data":1573},"These controls include:",[],{},{"nodeType":1575,"data":1576,"content":1577},"heading-2",{},[1578],{"nodeType":1293,"value":1579,"marks":1580,"data":1581},"Phishing tool detection",[],{},{"nodeType":1294,"data":1583,"content":1584},{},[1585,1589,1594,1598,1603],{"nodeType":1293,"value":1586,"marks":1587,"data":1588},"Detect and block when employees visit webpages that use advanced phishing tools such as Evilginx or EvilNoVNC, among others. These adversary-in-the-middle (AitM) toolkits can mimic legitimate login screens, such as an Okta login page, to steal ",[],{},{"nodeType":1293,"value":1590,"marks":1591,"data":1593},"credentials",[1592],{"type":1416},{},{"nodeType":1293,"value":1595,"marks":1596,"data":1597}," and ",[],{},{"nodeType":1293,"value":1599,"marks":1600,"data":1602},"MFA codes",[1601],{"type":1416},{},{"nodeType":1293,"value":1419,"marks":1604,"data":1605},[],{},{"nodeType":1294,"data":1607,"content":1608},{},[1609,1613,1618,1622,1627],{"nodeType":1293,"value":1610,"marks":1611,"data":1612},"Push emits a webhook event when the browser agent detects attributes of these malware. You can also set Push to ",[],{},{"nodeType":1293,"value":1614,"marks":1615,"data":1617},"Warn",[1616],{"type":1416},{},{"nodeType":1293,"value":1619,"marks":1620,"data":1621}," or ",[],{},{"nodeType":1293,"value":1623,"marks":1624,"data":1626},"Block",[1625],{"type":1416},{},{"nodeType":1293,"value":1628,"marks":1629,"data":1630}," mode to display a customizable message to end-users when they encounter a phishing site.",[],{},{"nodeType":1322,"data":1632,"content":1636},{"target":1633},{"sys":1634},{"id":1635,"type":1327,"linkType":1328},"2ylIkR0JXHkFStGuCFRjlN",[],{"nodeType":1294,"data":1638,"content":1639},{},[1640,1644,1654],{"nodeType":1293,"value":1641,"marks":1642,"data":1643},"More about ",[],{},{"nodeType":1457,"data":1645,"content":1649},{"target":1646},{"sys":1647},{"id":1648,"type":1327,"linkType":1328},"7KRnTSnJAbbiho69gNyN0B",[1650],{"nodeType":1293,"value":1651,"marks":1652,"data":1653},"phishing tool detection",[],{},{"nodeType":1293,"value":37,"marks":1655,"data":1656},[],{},{"nodeType":1575,"data":1658,"content":1659},{},[1660],{"nodeType":1293,"value":1661,"marks":1662,"data":1663},"SSO password protection",[],{},{"nodeType":1294,"data":1665,"content":1666},{},[1667],{"nodeType":1293,"value":1668,"marks":1669,"data":1670},"Prevent employees from reusing their corporate SSO password on any page that doesn’t belong to the identity provider, including phishing sites. This means that even if that employee was the first person to get phished using a new attacker site, Push still detects it and blocks it.",[],{},{"nodeType":1294,"data":1672,"content":1673},{},[1674,1678,1682,1685,1689,1693,1698],{"nodeType":1293,"value":1675,"marks":1676,"data":1677},"Customize the message that end-users see in ",[],{},{"nodeType":1293,"value":1614,"marks":1679,"data":1681},[1680],{"type":1416},{},{"nodeType":1293,"value":1619,"marks":1683,"data":1684},[],{},{"nodeType":1293,"value":1623,"marks":1686,"data":1688},[1687],{"type":1416},{},{"nodeType":1293,"value":1690,"marks":1691,"data":1692}," mode, or start out in ",[],{},{"nodeType":1293,"value":1694,"marks":1695,"data":1697},"Monitor",[1696],{"type":1416},{},{"nodeType":1293,"value":1699,"marks":1700,"data":1701}," mode to catch any false positives before you enforce the control.",[],{},{"nodeType":1294,"data":1703,"content":1704},{},[1705],{"nodeType":1293,"value":1706,"marks":1707,"data":1708},"This feature supports the following identity providers: Okta, Microsoft 365, Google Workspace, JumpCloud, Duo, and Ping Identity.",[],{},{"nodeType":1294,"data":1710,"content":1711},{},[1712],{"nodeType":1293,"value":1713,"marks":1714,"data":1715},"Push will also emit a webhook event when an SSO password is used, and if an employee clicks through the warning screen.",[],{},{"nodeType":1322,"data":1717,"content":1721},{"target":1718},{"sys":1719},{"id":1720,"type":1327,"linkType":1328},"25c8M2gWYFST7yYxGEji2s",[],{"nodeType":1294,"data":1723,"content":1724},{},[1725,1728,1737],{"nodeType":1293,"value":1641,"marks":1726,"data":1727},[],{},{"nodeType":1457,"data":1729,"content":1733},{"target":1730},{"sys":1731},{"id":1732,"type":1327,"linkType":1328},"6FYHbkcRUrtznPo7RarRsz",[1734],{"nodeType":1293,"value":1661,"marks":1735,"data":1736},[],{},{"nodeType":1293,"value":37,"marks":1738,"data":1739},[],{},{"nodeType":1575,"data":1741,"content":1742},{},[1743],{"nodeType":1293,"value":1744,"marks":1745,"data":1746},"URL blocking",[],{},{"nodeType":1294,"data":1748,"content":1749},{},[1750],{"nodeType":1293,"value":1751,"marks":1752,"data":1753},"When you find malicious sites you want to block, such as when responding to a phishing incident, add them to a blocklist and prevent other employees from accessing those sites. ",[],{},{"nodeType":1294,"data":1755,"content":1756},{},[1757],{"nodeType":1293,"value":1758,"marks":1759,"data":1760},"URL blocking can be used in tandem with Push’s anti-phishing controls, so that as you discover malicious sites, you can block them from a central blocklist. This offers a kind of herd immunity where you can block other users from visiting a malicious site as soon as you have a single incident.",[],{},{"nodeType":1294,"data":1762,"content":1763},{},[1764],{"nodeType":1293,"value":1765,"marks":1766,"data":1767},"You can programmatically manage the blocklist using the Push REST API or sync to other threat intelligence sources you consume.",[],{},{"nodeType":1322,"data":1769,"content":1773},{"target":1770},{"sys":1771},{"id":1772,"type":1327,"linkType":1328},"3m00cFiUDAnddsOBOpkeiZ",[],{"nodeType":1294,"data":1775,"content":1776},{},[1777,1780,1789],{"nodeType":1293,"value":1641,"marks":1778,"data":1779},[],{},{"nodeType":1457,"data":1781,"content":1785},{"target":1782},{"sys":1783},{"id":1784,"type":1327,"linkType":1328},"P0coHgQAdRL0YTu4Rwd4z",[1786],{"nodeType":1293,"value":1744,"marks":1787,"data":1788},[],{},{"nodeType":1293,"value":37,"marks":1790,"data":1791},[],{},{"nodeType":1575,"data":1793,"content":1794},{},[1795],{"nodeType":1293,"value":1796,"marks":1797,"data":1798},"Session token theft detection",[],{},{"nodeType":1294,"data":1800,"content":1801},{},[1802],{"nodeType":1293,"value":1803,"marks":1804,"data":1805},"Inject a unique marker provided by the Push browser agent into the User Agent string of sessions that occur in browsers enrolled in Push. ",[],{},{"nodeType":1294,"data":1807,"content":1808},{},[1809],{"nodeType":1293,"value":1810,"marks":1811,"data":1812},"By analyzing logs from your IdP, you can identify activity from the same session that both has the Push marker and that lacks the marker. This can only ever happen when a session is extracted from a browser and maliciously imported into a different browser.",[],{},{"nodeType":1294,"data":1814,"content":1815},{},[1816],{"nodeType":1293,"value":1817,"marks":1818,"data":1819},"This is a high-fidelity signal that a session token has been stolen and is being used.",[],{},{"nodeType":1322,"data":1821,"content":1825},{"target":1822},{"sys":1823},{"id":1824,"type":1327,"linkType":1328},"43rk3TCqN269Vr2YWT4llP",[],{"nodeType":1294,"data":1827,"content":1828},{},[1829,1832,1842],{"nodeType":1293,"value":1641,"marks":1830,"data":1831},[],{},{"nodeType":1457,"data":1833,"content":1837},{"target":1834},{"sys":1835},{"id":1836,"type":1327,"linkType":1328},"1UMZdjyNQt4Y7NBb2wuK4L",[1838],{"nodeType":1293,"value":1839,"marks":1840,"data":1841},"session token theft detection",[],{},{"nodeType":1293,"value":37,"marks":1843,"data":1844},[],{},{"nodeType":1575,"data":1846,"content":1847},{},[1848],{"nodeType":1293,"value":1849,"marks":1850,"data":1851},"App banners",[],{},{"nodeType":1294,"data":1853,"content":1854},{},[1855],{"nodeType":1293,"value":1856,"marks":1857,"data":1858},"Add guardrails to employees’ use of SaaS apps with in-browser app banner messages you customize with your own text. You can require users to acknowledge having read a message before they can access an app, or even require them to submit a reason for using an app before they can log in.",[],{},{"nodeType":1322,"data":1860,"content":1864},{"target":1861},{"sys":1862},{"id":1863,"type":1327,"linkType":1328},"5nEKTBz6mauHI5mg8jB4ea",[],{"nodeType":1294,"data":1866,"content":1867},{},[1868,1871,1881],{"nodeType":1293,"value":1641,"marks":1869,"data":1870},[],{},{"nodeType":1457,"data":1872,"content":1876},{"target":1873},{"sys":1874},{"id":1875,"type":1327,"linkType":1328},"2ZpKnuljaUH0jzVaae4SMN",[1877],{"nodeType":1293,"value":1878,"marks":1879,"data":1880},"app banners",[],{},{"nodeType":1293,"value":37,"marks":1882,"data":1883},[],{},{"nodeType":1538,"data":1885,"content":1886},{},[1887],{"nodeType":1293,"value":1888,"marks":1889,"data":1890},"Choose your own adventure",[],{},{"nodeType":1294,"data":1892,"content":1893},{},[1894],{"nodeType":1293,"value":1895,"marks":1896,"data":1897},"Want to do something creative? We've got you covered. Push provides a wealth of raw telemetry via the Push REST API and webhook events. Use this data to build both proactive and reactive security operations workflows, or add missing context to other sources, such as your IdP, application, or endpoint logs.",[],{},{"nodeType":1294,"data":1899,"content":1900},{},[1901],{"nodeType":1293,"value":1902,"marks":1903,"data":1904},"You can use this browser telemetry to:",[],{},{"nodeType":1437,"data":1906,"content":1907},{},[1908,1923,1938],{"nodeType":1441,"data":1909,"content":1910},{},[1911],{"nodeType":1294,"data":1912,"content":1913},{},[1914,1919],{"nodeType":1293,"value":1915,"marks":1916,"data":1918},"Harden identities and reduce account compromise",[1917],{"type":1416},{},{"nodeType":1293,"value":1920,"marks":1921,"data":1922},", such as alerting you when passwords are identified in public data breaches or when employees are using an unapproved app or when an SSO app is accessed via local account.",[],{},{"nodeType":1441,"data":1924,"content":1925},{},[1926],{"nodeType":1294,"data":1927,"content":1928},{},[1929,1934],{"nodeType":1293,"value":1930,"marks":1931,"data":1933},"Monitor for suspicious activity or high-risk changes",[1932],{"type":1416},{},{"nodeType":1293,"value":1935,"marks":1936,"data":1937},", such as checking for MFA method changes, or flagging when employees reuse corporate SSO passwords or visit sites running phishing malware.",[],{},{"nodeType":1441,"data":1939,"content":1940},{},[1941],{"nodeType":1294,"data":1942,"content":1943},{},[1944,1949],{"nodeType":1293,"value":1945,"marks":1946,"data":1948},"Investigate indicators of compromise",[1947],{"type":1416},{},{"nodeType":1293,"value":1950,"marks":1951,"data":1952},", such as correlating login events with platform logs, searching for recent signups to risky apps, or identifying post-compromise lateral movement opportunities.",[],{},{"nodeType":1294,"data":1954,"content":1955},{},[1956],{"nodeType":1293,"value":1957,"marks":1958,"data":1959},"In the “make my life easier” category, you can also use Push telemetry to:",[],{},{"nodeType":1437,"data":1961,"content":1962},{},[1963,1982,2001,2016],{"nodeType":1441,"data":1964,"content":1965},{},[1966],{"nodeType":1294,"data":1967,"content":1968},{},[1969,1973,1978],{"nodeType":1293,"value":1970,"marks":1971,"data":1972},"Automate a workflow ",[],{},{"nodeType":1293,"value":1974,"marks":1975,"data":1977},"showing you all the accounts and apps used by an offboarded employee",[1976],{"type":1416},{},{"nodeType":1293,"value":1979,"marks":1980,"data":1981},", and their account login methods.",[],{},{"nodeType":1441,"data":1983,"content":1984},{},[1985],{"nodeType":1294,"data":1986,"content":1987},{},[1988,1992,1997],{"nodeType":1293,"value":1989,"marks":1990,"data":1991},"Automate a workflow to",[],{},{"nodeType":1293,"value":1993,"marks":1994,"data":1996}," revoke licenses on SaaS after a period of inactivity",[1995],{"type":1416},{},{"nodeType":1293,"value":1998,"marks":1999,"data":2000},", saving money.",[],{},{"nodeType":1441,"data":2002,"content":2003},{},[2004],{"nodeType":1294,"data":2005,"content":2006},{},[2007,2012],{"nodeType":1293,"value":2008,"marks":2009,"data":2011},"Build an approved apps list in your company wiki",[2010],{"type":1416},{},{"nodeType":1293,"value":2013,"marks":2014,"data":2015},", synced from Push’s source of truth.",[],{},{"nodeType":1441,"data":2017,"content":2018},{},[2019],{"nodeType":1294,"data":2020,"content":2021},{},[2022,2027],{"nodeType":1293,"value":2023,"marks":2024,"data":2026},"Force-reset an IdP password if Push finds a compromised password",[2025],{"type":1416},{},{"nodeType":1293,"value":2028,"marks":2029,"data":2030}," on an employee account.",[],{},{"nodeType":1294,"data":2032,"content":2033},{},[2034,2038,2042],{"nodeType":1293,"value":2035,"marks":2036,"data":2037},"To help you visualize and plan how you will use this telemetry, Push also provides an ",[],{},{"nodeType":1293,"value":1516,"marks":2039,"data":2041},[2040],{"type":1416},{},{"nodeType":1293,"value":2043,"marks":2044,"data":2045}," page in the admin console with a rolling 7-day snapshot of all the events in your environment.",[],{},{"nodeType":1322,"data":2047,"content":2051},{"target":2048},{"sys":2049},{"id":2050,"type":1327,"linkType":1328},"2a3bJ5sN8dJ0c1kQtZiag7",[],{"nodeType":1294,"data":2053,"content":2054},{},[2055],{"nodeType":1293,"value":2056,"marks":2057,"data":2058},"The Events page can help you see real-world examples, understand the attributes of each event, and gauge event volume before you ingest data into a SIEM or other platform.",[],{},{"nodeType":1538,"data":2060,"content":2061},{},[2062],{"nodeType":1293,"value":2063,"marks":2064,"data":2065},"What if you don’t have a SIEM?",[],{},{"nodeType":1294,"data":2067,"content":2068},{},[2069],{"nodeType":1293,"value":2070,"marks":2071,"data":2072},"While you’d need a SIEM for writing detections and performing log correlations, you can still get a lot of value out of Push telemetry if you don’t have one.",[],{},{"nodeType":1294,"data":2074,"content":2075},{},[2076],{"nodeType":1293,"value":2077,"marks":2078,"data":2079},"Use Push’s webhook events to send alerts directly to your Slack, Teams, or other chat platform, or build workflows that hook into your ticketing system or SOAR platform.",[],{},{"nodeType":1294,"data":2081,"content":2082},{},[2083,2087,2094],{"nodeType":1293,"value":2084,"marks":2085,"data":2086},"Review our ",[],{},{"nodeType":1345,"data":2088,"content":2089},{"uri":1501},[2090],{"nodeType":1293,"value":2091,"marks":2092,"data":2093},"webhooks documentation",[],{},{"nodeType":1293,"value":2095,"marks":2096,"data":2097}," for a list of events.",[],{},{"nodeType":1538,"data":2099,"content":2100},{},[2101],{"nodeType":1293,"value":2102,"marks":2103,"data":2104},"Find out more",[],{},{"nodeType":1294,"data":2106,"content":2107},{},[2108,2112,2120],{"nodeType":1293,"value":2109,"marks":2110,"data":2111},"If you want to see Push in action, ",[],{},{"nodeType":1345,"data":2113,"content":2115},{"uri":2114},"/demo/",[2116],{"nodeType":1293,"value":2117,"marks":2118,"data":2119},"book a demo",[],{},{"nodeType":1293,"value":2121,"marks":2122,"data":2123},". We’ll be happy to show you these features, along with how we discover all the apps your employees are using — even the ones not behind SSO.",[],{},"Introducing set-and-forget controls that stop real-world identity attacks","Enable detections and interventions in the browser using Push’s new security controls.","2024-07-02T00:00:00.000Z","introducing-set-and-forget-controls-that-stop-real-world-identity-attacks",{"items":2129},[2130,2134],{"sys":2131,"name":2133},{"id":2132},"5jk0kqjSdSK2L0YiistQjY","Release notes",{"sys":2135,"name":1310},{"id":1309},{"items":2137},[2138],{"fullName":2139,"firstName":2140,"jobTitle":2141,"profilePicture":2142},"Kelly Davenport","Kelly","Product Team",{"url":2143},"https://images.ctfassets.net/y1cdw1ablpvd/1hi8bEuVfn5sF57LivAq6d/9a3b82426c697d765e2e450e33a18424/kelly_profile_pic.jpeg",{"__typename":1314,"sys":2145,"content":2147,"title":2530,"synopsis":2531,"hashTags":118,"publishedDate":2532,"slug":2533,"tagsCollection":2534,"authorsCollection":2542},{"id":2146},"4pXsh0RffPhT783P6CNlOA",{"json":2148},{"nodeType":1295,"data":2149,"content":2150},{},[2151,2158,2165,2171,2178,2185,2192,2199,2206,2213,2276,2282,2289,2296,2312,2319,2326,2333,2340,2347,2354,2365,2372,2378,2385,2392,2399,2406,2413,2419,2426,2447,2454,2461,2468,2511],{"nodeType":1294,"data":2152,"content":2153},{},[2154],{"nodeType":1293,"value":2155,"marks":2156,"data":2157},"When the media reports that a popular third-party service provider has suffered a breach and stolen credentials are being sold online, it’s inevitable for your security team to get asked, “Are we affected by this?”",[],{},{"nodeType":1294,"data":2159,"content":2160},{},[2161],{"nodeType":1293,"value":2162,"marks":2163,"data":2164},"Push helps its customers to answer this question in seconds and with absolute certainty. Here’s how.",[],{},{"nodeType":1322,"data":2166,"content":2170},{"target":2167},{"sys":2168},{"id":2169,"type":1327,"linkType":1328},"56lMG3VskDDU1dUHzgQxFK",[],{"nodeType":1538,"data":2172,"content":2173},{},[2174],{"nodeType":1293,"value":2175,"marks":2176,"data":2177},"Step 1: Are we using the breached service?",[],{},{"nodeType":1294,"data":2179,"content":2180},{},[2181],{"nodeType":1293,"value":2182,"marks":2183,"data":2184},"If this service is IT-managed in your organization, then you can probably answer this relatively quickly – at least for the tenant that is IT-managed. If it’s not, then you're going to need to check. ",[],{},{"nodeType":1294,"data":2186,"content":2187},{},[2188],{"nodeType":1293,"value":2189,"marks":2190,"data":2191},"That’s because end-users increasingly create SaaS accounts and tenants themselves without going through IT. When a third-party data breach hits the headlines, security teams are often surprised to find out that they have people in their organizations using that service.",[],{},{"nodeType":1294,"data":2193,"content":2194},{},[2195],{"nodeType":1293,"value":2196,"marks":2197,"data":2198},"Push uses a browser agent to track every login to every application made by your employees. It offers ground truth for answering questions like: Are we using the service? Who in the business is using it, and how are they accessing it?",[],{},{"nodeType":1294,"data":2200,"content":2201},{},[2202],{"nodeType":1293,"value":2203,"marks":2204,"data":2205},"Push can also highlight issues like missing MFA and if an employee is re-using the same password across multiple services — vital information if user credentials for the breached service have been leaked.",[],{},{"nodeType":1294,"data":2207,"content":2208},{},[2209],{"nodeType":1293,"value":2210,"marks":2211,"data":2212},"There are other data sources that can be used, but they all have their drawbacks:    ",[],{},{"nodeType":1437,"data":2214,"content":2215},{},[2216,2231,2246,2261],{"nodeType":1441,"data":2217,"content":2218},{},[2219],{"nodeType":1294,"data":2220,"content":2221},{},[2222,2227],{"nodeType":1293,"value":2223,"marks":2224,"data":2226},"Network or SWG",[2225],{"type":1416},{},{"nodeType":1293,"value":2228,"marks":2229,"data":2230}," can show you whose endpoints accessed an app website, but not if they've ever logged into the app.",[],{},{"nodeType":1441,"data":2232,"content":2233},{},[2234],{"nodeType":1294,"data":2235,"content":2236},{},[2237,2242],{"nodeType":1293,"value":2238,"marks":2239,"data":2241},"IdP",[2240],{"type":1416},{},{"nodeType":1293,"value":2243,"marks":2244,"data":2245}," can show you that you're using an app if it’s accessed using SSO, but if that’s the case then you already know about it. It won’t show you non-SSO apps, tenants, or accounts that are more likely to be compromised using stolen credentials.",[],{},{"nodeType":1441,"data":2247,"content":2248},{},[2249],{"nodeType":1294,"data":2250,"content":2251},{},[2252,2257],{"nodeType":1293,"value":2253,"marks":2254,"data":2256},"Email",[2255],{"type":1416},{},{"nodeType":1293,"value":2258,"marks":2259,"data":2260}," can be used to quickly tell you if employees have received email from an app – indicating an account might exist – but won’t tell you if they signed up using personal email, when they last logged in or if they are using the same password for everything.",[],{},{"nodeType":1441,"data":2262,"content":2263},{},[2264],{"nodeType":1294,"data":2265,"content":2266},{},[2267,2272],{"nodeType":1293,"value":2268,"marks":2269,"data":2271},"Finance / contract records",[2270],{"type":1416},{},{"nodeType":1293,"value":2273,"marks":2274,"data":2275}," take time to search through and will only cover the services you pay for (many SaaS products offer a free tier). Obviously these records won’t tell you anything about vulnerable accounts.  \n",[],{},{"nodeType":1322,"data":2277,"content":2281},{"target":2278},{"sys":2279},{"id":2280,"type":1327,"linkType":1328},"3pLEarsM0oltdxGlkHATbB",[],{"nodeType":1538,"data":2283,"content":2284},{},[2285],{"nodeType":1293,"value":2286,"marks":2287,"data":2288},"Step 2: Are any of our accounts currently vulnerable to account takeover through stolen creds?",[],{},{"nodeType":1294,"data":2290,"content":2291},{},[2292],{"nodeType":1293,"value":2293,"marks":2294,"data":2295},"If credentials are being sold on the dark web for a service your employees use, then you need to quickly determine whether any workforce accounts can be accessed using just the stolen credentials. In other words, are any of these accounts using a leaked password and/or missing MFA?",[],{},{"nodeType":1294,"data":2297,"content":2298},{},[2299,2303,2308],{"nodeType":1293,"value":2300,"marks":2301,"data":2302},"At this point, you might reach for your IdP and make sure that MFA is enforced for all logins to the affected app. But that’s only going to cover apps and tenants already using SSO. To make things more complicated, most apps still allow username and password logins in addition to SSO logins. You need to see accounts with SSO logins ",[],{},{"nodeType":1293,"value":2304,"marks":2305,"data":2307},"and",[2306],{"type":312},{},{"nodeType":1293,"value":2309,"marks":2310,"data":2311}," local logins. ",[],{},{"nodeType":1294,"data":2313,"content":2314},{},[2315],{"nodeType":1293,"value":2316,"marks":2317,"data":2318},"The data that Push collects in the browser provides rich web app context. That means Push shows you how your employees are authenticating on every app, whether it’s password, OIDC, or SAML. ",[],{},{"nodeType":1294,"data":2320,"content":2321},{},[2322],{"nodeType":1293,"value":2323,"marks":2324,"data":2325},"When you search for a breached third-party service in Push, you’ll see which employees are using usernames and passwords but missing MFA on their accounts. You can then prioritize these accounts for password resets and enabling MFA to stop any stolen credentials from being used to access those accounts. ",[],{},{"nodeType":1294,"data":2327,"content":2328},{},[2329],{"nodeType":1293,"value":2330,"marks":2331,"data":2332},"As well as highlighting accounts missing MFA, Push fingerprints every password using a shortened salted hash and checks in the browser whether it has been leaked and/or is easily guessable. Armed with this information, you can quickly get these vulnerabilities fixed to reduce the likelihood of an account takeover.",[],{},{"nodeType":1538,"data":2334,"content":2335},{},[2336],{"nodeType":1293,"value":2337,"marks":2338,"data":2339},"Step 3: Are the stolen credentials being used anywhere else? ",[],{},{"nodeType":1294,"data":2341,"content":2342},{},[2343],{"nodeType":1293,"value":2344,"marks":2345,"data":2346},"The next consideration is whether the stolen credentials can be used by an attacker in a credential-stuffing attack to compromise accounts on other applications. ",[],{},{"nodeType":1294,"data":2348,"content":2349},{},[2350],{"nodeType":1293,"value":2351,"marks":2352,"data":2353},"This is an important, and often overlooked, ring of the third-party data breach blast radius. ",[],{},{"nodeType":2355,"data":2356,"content":2357},"blockquote",{},[2358],{"nodeType":1294,"data":2359,"content":2360},{},[2361],{"nodeType":1293,"value":2362,"marks":2363,"data":2364},"Here at Push, we see that on average 1 in 3 users in every business reuse passwords across multiple accounts.",[],{},{"nodeType":1294,"data":2366,"content":2367},{},[2368],{"nodeType":1293,"value":2369,"marks":2370,"data":2371},"The password checks performed by Push also identify password reuse between applications. So if there’s a chance that a password has been stolen as part of the third-party data breach, you can make sure it’s changed across all applications. ",[],{},{"nodeType":1322,"data":2373,"content":2377},{"target":2374},{"sys":2375},{"id":2376,"type":1327,"linkType":1328},"X9axqTO6dWEe1Jy49hAyG",[],{"nodeType":1538,"data":2379,"content":2380},{},[2381],{"nodeType":1293,"value":2382,"marks":2383,"data":2384},"Take action before breaches hit the headlines",[],{},{"nodeType":1294,"data":2386,"content":2387},{},[2388],{"nodeType":1293,"value":2389,"marks":2390,"data":2391},"The workflow described above takes seconds to perform in Push. It enables you to quickly investigate a third-party data breach to determine if you could have been impacted, and if so, to take targeted action to mitigate the risks. ",[],{},{"nodeType":1294,"data":2393,"content":2394},{},[2395],{"nodeType":1293,"value":2396,"marks":2397,"data":2398},"That said, no one enjoys scrambling to respond to these kinds of incidents. If you use Push, you can actually get out ahead of these issues so you’re not stuck having to react.",[],{},{"nodeType":1294,"data":2400,"content":2401},{},[2402],{"nodeType":1293,"value":2403,"marks":2404,"data":2405},"Push integrates stolen account threat intelligence and alerts you when employees are currently using the same password that’s being sold on the dark web. This allows you to take action at the earliest possible opportunity and harden vulnerable accounts before any data breach is reported in the media. ",[],{},{"nodeType":1294,"data":2407,"content":2408},{},[2409],{"nodeType":1293,"value":2410,"marks":2411,"data":2412},"What this means for you is that next time you’re asked, “Does this affect us?” you can say you dealt with any issues way before it landed in the headlines. ",[],{},{"nodeType":1322,"data":2414,"content":2418},{"target":2415},{"sys":2416},{"id":2417,"type":1327,"linkType":1328},"2vFMyWtMlxzTqqtvCPmlGW",[],{"nodeType":1575,"data":2420,"content":2421},{},[2422],{"nodeType":1293,"value":2423,"marks":2424,"data":2425},"Do we need to log in to another security tool to do this?",[],{},{"nodeType":1294,"data":2427,"content":2428},{},[2429,2433,2443],{"nodeType":1293,"value":2430,"marks":2431,"data":2432},"No. Using the ",[],{},{"nodeType":1345,"data":2434,"content":2436},{"uri":2435},"https://pushsecurity.com/help/audience/administrators/docs/getting-started/#api-and-webhooks",[2437],{"nodeType":1293,"value":2438,"marks":2439,"data":2442},"Push API",[2440],{"type":2441},"underline",{},{"nodeType":1293,"value":2444,"marks":2445,"data":2446},", you can quickly gather relevant data to support the response to a third-party data breach in your SIEM or XDR solution.",[],{},{"nodeType":1575,"data":2448,"content":2449},{},[2450],{"nodeType":1293,"value":2451,"marks":2452,"data":2453},"Why not eliminate the risk of password-based attacks altogether? ",[],{},{"nodeType":1294,"data":2455,"content":2456},{},[2457],{"nodeType":1293,"value":2458,"marks":2459,"data":2460},"Push gives you the ability to react quickly and decisively to a third-party data breach. But it also enables you to take proactive steps to eliminate the risk of password-based attacks altogether so stolen credentials from third-party data breaches no longer pose a threat to your business. ",[],{},{"nodeType":1294,"data":2462,"content":2463},{},[2464],{"nodeType":1293,"value":2465,"marks":2466,"data":2467},"Push does this by:",[],{},{"nodeType":1437,"data":2469,"content":2470},{},[2471,2481,2491,2501],{"nodeType":1441,"data":2472,"content":2473},{},[2474],{"nodeType":1294,"data":2475,"content":2476},{},[2477],{"nodeType":1293,"value":2478,"marks":2479,"data":2480},"Stopping your employees from creating accounts with leaked, weak and reused passwords.",[],{},{"nodeType":1441,"data":2482,"content":2483},{},[2484],{"nodeType":1294,"data":2485,"content":2486},{},[2487],{"nodeType":1293,"value":2488,"marks":2489,"data":2490},"Pinning passwords to individual apps. ",[],{},{"nodeType":1441,"data":2492,"content":2493},{},[2494],{"nodeType":1294,"data":2495,"content":2496},{},[2497],{"nodeType":1293,"value":2498,"marks":2499,"data":2500},"Helping you to get all apps and accounts behind SSO.",[],{},{"nodeType":1441,"data":2502,"content":2503},{},[2504],{"nodeType":1294,"data":2505,"content":2506},{},[2507],{"nodeType":1293,"value":2508,"marks":2509,"data":2510},"Blocking phishing attacks against your employees so their credentials aren’t stolen.",[],{},{"nodeType":1294,"data":2512,"content":2513},{},[2514,2518,2526],{"nodeType":1293,"value":2515,"marks":2516,"data":2517},"If you want to find out more about how Push can help you mitigate the risks of employee credentials being stolen in the third-party data breach, then ",[],{},{"nodeType":1345,"data":2519,"content":2521},{"uri":2520},"https://pushsecurity.com/demo/",[2522],{"nodeType":1293,"value":2117,"marks":2523,"data":2525},[2524],{"type":2441},{},{"nodeType":1293,"value":2527,"marks":2528,"data":2529}," and we’ll be happy to show you. ",[],{},"Investigating and responding to a third-party data breach using Push","How to use Push to investigate and respond to a third-party data breach, which results in credentials being stolen and sold on criminal marketplaces.  ","2024-06-13T00:00:00.000Z","investigating-and-responding-to-a-third-party-data-breach-using-push",{"items":2535},[2536,2538],{"sys":2537,"name":1310},{"id":1309},{"sys":2539,"name":2541},{"id":2540},"3pjES4THCIfSAwhGdNwBcy","Identity security",{"items":2543},[2544],{"fullName":2545,"firstName":2546,"jobTitle":2141,"profilePicture":2547},"Alex Henshall","Alex",{"url":2548},"https://images.ctfassets.net/y1cdw1ablpvd/2rz3Pre3b1MexPIQ4hzPUe/0ef8a092b7e7df00fbce3f7d1ccb96d1/Alex_Henshall.jpeg",{"__typename":1314,"sys":2550,"content":2552,"title":3168,"synopsis":3169,"hashTags":118,"publishedDate":3170,"slug":3171,"tagsCollection":3172,"authorsCollection":3178},{"id":2551},"6ckZjBZzRgvEVpSScGWeZQ",{"json":2553},{"data":2554,"content":2555,"nodeType":1295},{},[2556,2576,2583,2590,2609,2616,2634,2641,2648,2681,2688,2695,2702,2709,2742,2747,2753,2772,2779,2786,2793,2826,2833,2840,2847,2864,2870,2876,2882,2889,2910,2917,2924,2931,2938,3001,3008,3051,3058,3064,3071,3087,3093,3100,3107,3140,3147,3154,3161],{"data":2557,"content":2558,"nodeType":1294},{},[2559,2563,2572],{"data":2560,"marks":2561,"value":2562,"nodeType":1293},{},[],"We have spoken previously about ",{"data":2564,"content":2566,"nodeType":1345},{"uri":2565},"https://pushsecurity.com/blog/samljacking-a-poisoned-tenant/",[2567],{"data":2568,"marks":2569,"value":2571,"nodeType":1293},{},[2570],{"type":2441},"SAMLjacking and poisoned tenants",{"data":2573,"marks":2574,"value":2575,"nodeType":1293},{},[],", particularly with regard to clever phishing attacks aimed at gaining initial access to some cloud identities. Today, we’ll look at how Okta’s AD synchronization is pretty much SAMLjacking on steroids. We’ll also consider how it can be used as a stealthy watering-hole style lateral movement attack too.",{"data":2577,"content":2578,"nodeType":1294},{},[2579],{"data":2580,"marks":2581,"value":2582,"nodeType":1293},{},[],"To be clear, this isn't a vulnerability in Okta that circumvents a security boundary and needs to be patched. This is offensive use of a product feature, the SaaS version of living off the land (LOTL). Let's call it living off the cloud (LOTC).",{"data":2584,"content":2585,"nodeType":1538},{},[2586],{"data":2587,"marks":2588,"value":2589,"nodeType":1293},{},[],"What is SAMLjacking?",{"data":2591,"content":2592,"nodeType":1294},{},[2593,2596,2605],{"data":2594,"marks":2595,"value":37,"nodeType":1293},{},[],{"data":2597,"content":2599,"nodeType":1345},{"uri":2598},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/samljacking/description.md",[2600],{"data":2601,"marks":2602,"value":2604,"nodeType":1293},{},[2603],{"type":2441},"SAMLjacking",{"data":2606,"marks":2607,"value":2608,"nodeType":1293},{},[]," is where an attacker makes use of SAML SSO configuration settings for a SaaS tenant they control in order to redirect users to a malicious link during the authentication process. This can be highly effective for phishing, as the original URL will be a legitimate SaaS URL and users will provide their credentials because they’re expecting that as part of the login process. ",{"data":2610,"content":2611,"nodeType":1538},{},[2612],{"data":2613,"marks":2614,"value":2615,"nodeType":1293},{},[],"What is a poisoned tenant?",{"data":2617,"content":2618,"nodeType":1294},{},[2619,2622,2630],{"data":2620,"marks":2621,"value":37,"nodeType":1293},{},[],{"data":2623,"content":2625,"nodeType":1345},{"uri":2624},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/poisoned_tenants/description.md",[2626],{"data":2627,"marks":2628,"value":2629,"nodeType":1293},{},[],"Poisoned tenants",{"data":2631,"marks":2632,"value":2633,"nodeType":1293},{},[]," involve an adversary registering a tenant for a SaaS app they control and tricking target users to join it, often using built-in invite functionality. The end goal is to have some target users actively using a tenant you (as the adversary) control.",{"data":2635,"content":2636,"nodeType":1538},{},[2637],{"data":2638,"marks":2639,"value":2640,"nodeType":1293},{},[],"What is Oktajacking?",{"data":2642,"content":2643,"nodeType":1294},{},[2644],{"data":2645,"marks":2646,"value":2647,"nodeType":1293},{},[],"This is a name I’ve been using to refer to using Okta to do the credential capture/keylogging for you, without needing to have your own malicious domain hosting your malicious SAML server. This is even more effective than regular SAMLjacking as the user will only ever see legitimate SaaS domains, with the subdomain being the attacker-chosen part (e.g. https://attacker-tenant.okta.com).",{"data":2649,"content":2650,"nodeType":1294},{},[2651,2655,2664,2668,2677],{"data":2652,"marks":2653,"value":2654,"nodeType":1293},{},[],"However, the awesome research that underpins this technique was conducted by Adam Chester (",{"data":2656,"content":2658,"nodeType":1345},{"uri":2657},"https://twitter.com/_xpn_",[2659],{"data":2660,"marks":2661,"value":2663,"nodeType":1293},{},[2662],{"type":2441},"@_xpn_",{"data":2665,"marks":2666,"value":2667,"nodeType":1293},{},[],") and is covered in his excellent article, ",{"data":2669,"content":2671,"nodeType":1345},{"uri":2670},"https://blog.xpnsec.com/okta-for-redteamers/",[2672],{"data":2673,"marks":2674,"value":2676,"nodeType":1293},{},[2675],{"type":2441},"Okta for Red Teamers",{"data":2678,"marks":2679,"value":2680,"nodeType":1293},{},[],". If you haven’t already read that, you absolutely should. ",{"data":2682,"content":2683,"nodeType":1294},{},[2684],{"data":2685,"marks":2686,"value":2687,"nodeType":1293},{},[],"Adam identified that if you compromise a Windows domain that’s linked to Okta and/or compromise an Okta admin account for an Okta instance linked to a Windows domain, you can use the Okta AD agent to capture credentials during logins. There’s lots more, but that’s the key part we’ll build upon for this article. ",{"data":2689,"content":2690,"nodeType":1294},{},[2691],{"data":2692,"marks":2693,"value":2694,"nodeType":1293},{},[],"This attack works because Okta forwards credentials from logins for accounts tied to AD to its own AD agent that runs on the target network. Then, Okta allows the agent to report back to them about whether the login should be successful or not. This enables an attacker who has compromised an AD agent, or is able to emulate one, to both monitor login credentials for Okta users and provide skeleton key-like functionality to authenticate to Okta as any user they like. ",{"data":2696,"content":2697,"nodeType":1294},{},[2698],{"data":2699,"marks":2700,"value":2701,"nodeType":1293},{},[],"The context of this in Adam’s article was primarily a traditional Windows domain compromise scenario where an attacker could use this method as a form of incredibly powerful domain-level persistence or to move laterally to other accounts. This is applicable in late-stage kill chain phases, where the attacker has already achieved a total organization-level compromise. ",{"data":2703,"content":2704,"nodeType":1294},{},[2705],{"data":2706,"marks":2707,"value":2708,"nodeType":1293},{},[],"So, how can this technique be leveraged earlier in the kill chain? We’ll consider the following two scenarios for this article:",{"data":2710,"content":2711,"nodeType":1437},{},[2712,2727],{"data":2713,"content":2714,"nodeType":1441},{},[2715],{"data":2716,"content":2717,"nodeType":1294},{},[2718,2723],{"data":2719,"marks":2720,"value":2722,"nodeType":1293},{},[2721],{"type":1416},"Oktajacking for initial access",{"data":2724,"marks":2725,"value":2726,"nodeType":1293},{},[]," - directly phishing credentials via a valid Okta tenant we create",{"data":2728,"content":2729,"nodeType":1441},{},[2730],{"data":2731,"content":2732,"nodeType":1294},{},[2733,2738],{"data":2734,"marks":2735,"value":2737,"nodeType":1293},{},[2736],{"type":1416},"Oktajacking for lateral movement ",{"data":2739,"marks":2740,"value":2741,"nodeType":1293},{},[],"- capturing credentials via a watering hole attack when having admin-level compromised a SaaS application in use by the target organization",{"data":2743,"content":2746,"nodeType":1322},{"target":2744},{"sys":2745},{"id":1535,"type":1327,"linkType":1328},[],{"data":2748,"content":2749,"nodeType":1538},{},[2750],{"data":2751,"marks":2752,"value":2722,"nodeType":1293},{},[],{"data":2754,"content":2755,"nodeType":1294},{},[2756,2760,2769],{"data":2757,"marks":2758,"value":2759,"nodeType":1293},{},[],"The most common way someone might attack Okta-protected organizations would be to conduct traditional phishing attacks hosted on an attacker-controlled domain that emulate an Okta login page. A great article to check out on this would be Nick Vangilder’s article, ",{"data":2761,"content":2763,"nodeType":1345},{"uri":2762},"https://medium.com/nickvangilder/okta-for-red-teamers-perimeter-edition-c60cb8d53f23",[2764],{"data":2765,"marks":2766,"value":2768,"nodeType":1293},{},[2767],{"type":2441},"Okta for Red Teamers - Perimeter Edition. ",{"data":2770,"marks":2771,"value":37,"nodeType":1293},{},[],{"data":2773,"content":2774,"nodeType":1294},{},[2775],{"data":2776,"marks":2777,"value":2778,"nodeType":1293},{},[],"However, as with most phishing attacks this involves the use of a malicious domain to host the phishing server. Okta AD synchronization allows us to use legitimate Okta domains to do the phishing for us. This attack can catch out even the most security conscious users.",{"data":2780,"content":2781,"nodeType":1294},{},[2782],{"data":2783,"marks":2784,"value":2785,"nodeType":1293},{},[],"To do this, we set up an attacker-controlled Okta tenant as a poisoned tenant and configure it for AD integration, using Adam Chester’s python script to harvest credentials. This enables actual Okta-owned domains to be used in phishing attacks to target users. A careful attacker would likely use a tenant name similar to the target organization’s real Okta tenant name. This is incredibly powerful and is likely to be effective against even the most security conscious users. ",{"data":2787,"content":2788,"nodeType":1294},{},[2789],{"data":2790,"marks":2791,"value":2792,"nodeType":1293},{},[],"A few prerequisites and tweaks are required in order to make this attack successful:",{"data":2794,"content":2795,"nodeType":1437},{},[2796,2806,2816],{"data":2797,"content":2798,"nodeType":1441},{},[2799],{"data":2800,"content":2801,"nodeType":1294},{},[2802],{"data":2803,"marks":2804,"value":2805,"nodeType":1293},{},[],"Import and activate accounts from AD that match the emails of users you want to target - this will ensure these emails are mapped to AD for authentication and cause Okta to send the credentials to the monitoring script.",{"data":2807,"content":2808,"nodeType":1441},{},[2809],{"data":2810,"content":2811,"nodeType":1294},{},[2812],{"data":2813,"marks":2814,"value":2815,"nodeType":1293},{},[],"Make a small modification to the python script to accept any password as valid, rather than a specific skeleton key. ",{"data":2817,"content":2818,"nodeType":1441},{},[2819],{"data":2820,"content":2821,"nodeType":1294},{},[2822],{"data":2823,"marks":2824,"value":2825,"nodeType":1293},{},[],"Modify the default authentication policy for Okta to allow single-factor password authentication for the target users - this will prevent them being prompted to use Okta Verify as part of the login process.",{"data":2827,"content":2828,"nodeType":1294},{},[2829],{"data":2830,"marks":2831,"value":2832,"nodeType":1293},{},[],"The goal for the last two actions above is to allow target users to authenticate legitimately and then redirect them elsewhere, while capturing their credentials. This is better achieved by having their first password accepted rather than them continually failing to authenticate, which may eventually raise alarm bells. ",{"data":2834,"content":2835,"nodeType":1294},{},[2836],{"data":2837,"marks":2838,"value":2839,"nodeType":1293},{},[],"In this case, we’ll use Okta’s bug bounty system as a test for our poisoned tenant, but in practice an attacker could set up a legitimate Okta tenant, pay for it and name it whatever they like. ",{"data":2841,"content":2842,"nodeType":1294},{},[2843],{"data":2844,"marks":2845,"value":2846,"nodeType":1293},{},[],"The end result is a legitimate Okta domain and login page that will capture credentials for the attacker, which can then be used in highly convincing phishing attacks. In this example, the following URL will capture credentials for us:",{"data":2848,"content":2849,"nodeType":1294},{},[2850,2853,2861],{"data":2851,"marks":2852,"value":37,"nodeType":1293},{},[],{"data":2854,"content":2856,"nodeType":1345},{"uri":2855},"https://bugcrowd-oie-lukejennings-1.oktapreview.com/",[2857],{"data":2858,"marks":2859,"value":2855,"nodeType":1293},{},[2860],{"type":2441},{"data":2862,"marks":2863,"value":37,"nodeType":1293},{},[],{"data":2865,"content":2869,"nodeType":1322},{"target":2866},{"sys":2867},{"id":2868,"type":1327,"linkType":1328},"2KBgFSFnmIdKqfpp8sPGb1",[],{"data":2871,"content":2875,"nodeType":1322},{"target":2872},{"sys":2873},{"id":2874,"type":1327,"linkType":1328},"5ef3me94SCAdM5vYXodqbF",[],{"data":2877,"content":2881,"nodeType":1322},{"target":2878},{"sys":2879},{"id":2880,"type":1327,"linkType":1328},"3OFjwQRQTJynaPme8WY9cp",[],{"data":2883,"content":2884,"nodeType":1538},{},[2885],{"data":2886,"marks":2887,"value":2888,"nodeType":1293},{},[],"Oktajacking for lateral movement",{"data":2890,"content":2891,"nodeType":1294},{},[2892,2896,2906],{"data":2893,"marks":2894,"value":2895,"nodeType":1293},{},[],"In both the previous section and our article on ",{"data":2897,"content":2901,"nodeType":1457},{"target":2898},{"sys":2899},{"id":2900,"type":1327,"linkType":1328},"3F96pyn4qqkbVctSOH69vm",[2902],{"data":2903,"marks":2904,"value":2604,"nodeType":1293},{},[2905],{"type":2441},{"data":2907,"marks":2908,"value":2909,"nodeType":1293},{},[],", we focused on conducting highly convincing phishing attacks by sending URLs for legitimate SaaS domains that capture credentials. ",{"data":2911,"content":2912,"nodeType":1294},{},[2913],{"data":2914,"marks":2915,"value":2916,"nodeType":1293},{},[],"But what if we achieve an admin-level compromise of a SaaS app used by a target organization that authenticates via Okta already? How can we leverage that access to perform lateral movement?",{"data":2918,"content":2919,"nodeType":1294},{},[2920],{"data":2921,"marks":2922,"value":2923,"nodeType":1293},{},[],"We can change the SAML configuration in the compromised SaaS application to point to a different Okta instance that we control and then conduct the same credential capture attack we saw in the previous section. ",{"data":2925,"content":2926,"nodeType":1294},{},[2927],{"data":2928,"marks":2929,"value":2930,"nodeType":1293},{},[],"In other words, we can then authenticate to the target SaaS application as any user we like and also capture Okta credentials for all legitimate users also using that application without needing to send any phishing links. ",{"data":2932,"content":2933,"nodeType":1294},{},[2934],{"data":2935,"marks":2936,"value":2937,"nodeType":1293},{},[],"We’re going to use Datadog as a demo example for this - just because we need something real to target. To be crystal clear, this will work for basically any app that supports SAML. This is not a bug in SAML, or in Okta, or Datadog - it's the consequence of having privileged administrative access to an app, and the ability to change SSO configuration.\n\nTo set up the attack, we need to first:",{"data":2939,"content":2940,"nodeType":1437},{},[2941,2951,2961,2971,2981,2991],{"data":2942,"content":2943,"nodeType":1441},{},[2944],{"data":2945,"content":2946,"nodeType":1294},{},[2947],{"data":2948,"marks":2949,"value":2950,"nodeType":1293},{},[],"Compromise the organization’s Datadog tenant at admin-level",{"data":2952,"content":2953,"nodeType":1441},{},[2954],{"data":2955,"content":2956,"nodeType":1294},{},[2957],{"data":2958,"marks":2959,"value":2960,"nodeType":1293},{},[],"Create a malicious Okta tenant and connect it to an active directory instance with the same email domain as the target organization",{"data":2962,"content":2963,"nodeType":1441},{},[2964],{"data":2965,"content":2966,"nodeType":1294},{},[2967],{"data":2968,"marks":2969,"value":2970,"nodeType":1293},{},[],"Create AD accounts for all users that will be targeted so they can be imported into Okta as AD account - in practice, it would be best to copy the list of users from Datadog and replicate this in AD and Okta",{"data":2972,"content":2973,"nodeType":1441},{},[2974],{"data":2975,"content":2976,"nodeType":1294},{},[2977],{"data":2978,"marks":2979,"value":2980,"nodeType":1293},{},[],"Run Adam Chester’s python script to harvest credentials for Okta AD authentication and modify it to accept any password ",{"data":2982,"content":2983,"nodeType":1441},{},[2984],{"data":2985,"content":2986,"nodeType":1294},{},[2987],{"data":2988,"marks":2989,"value":2990,"nodeType":1293},{},[],"Modify the Datadog SAML configuration to point to the malicious Okta tenant, instead of the original legitimate Okta tenant",{"data":2992,"content":2993,"nodeType":1441},{},[2994],{"data":2995,"content":2996,"nodeType":1294},{},[2997],{"data":2998,"marks":2999,"value":3000,"nodeType":1293},{},[],"Sit back, relax, and watch the credentials coming in",{"data":3002,"content":3003,"nodeType":1294},{},[3004],{"data":3005,"marks":3006,"value":3007,"nodeType":1293},{},[],"Now we’ll explain what happens from the perspective of other users of the target organization’s Datadog tenant that has been compromised:",{"data":3009,"content":3010,"nodeType":1437},{},[3011,3021,3031,3041],{"data":3012,"content":3013,"nodeType":1441},{},[3014],{"data":3015,"content":3016,"nodeType":1294},{},[3017],{"data":3018,"marks":3019,"value":3020,"nodeType":1293},{},[],"Their Datadog session expires and they’re redirected back to the SAML login provider for re-authentication - in this case, to our malicious Okta tenant we have substituted for the real Okta tenant",{"data":3022,"content":3023,"nodeType":1441},{},[3024],{"data":3025,"content":3026,"nodeType":1294},{},[3027],{"data":3028,"marks":3029,"value":3030,"nodeType":1293},{},[],"The user enters their credentials into the login page for our malicious Okta tenant. Our instance of Adam Chester’s AD synchronization script harvests the user’s login credentials.",{"data":3032,"content":3033,"nodeType":1441},{},[3034],{"data":3035,"content":3036,"nodeType":1294},{},[3037],{"data":3038,"marks":3039,"value":3040,"nodeType":1293},{},[],"The user is already accustomed to using Okta to access Datadog, the Okta login page they are directed to is on a legitimate Okta domain and they haven’t clicked any links in emails/IM messages so there is no reason for suspicion.",{"data":3042,"content":3043,"nodeType":1441},{},[3044],{"data":3045,"content":3046,"nodeType":1294},{},[3047],{"data":3048,"marks":3049,"value":3050,"nodeType":1293},{},[],"The modification we made to accept any credentials means the script returns true to Okta and causes Okta to accept the authentication attempt. This causes the user to be logged into the legitimate Datadog tenant again, where they can carry on their work, unaware they have just had their Okta credentials stolen.",{"data":3052,"content":3053,"nodeType":1294},{},[3054],{"data":3055,"marks":3056,"value":3057,"nodeType":1293},{},[],"The following video shows what a login attempt to Datadog looks like after the SAML configuration has been modified to point to our malicious Okta tenant. You can see how all the URLs observed are legitimate Datadog and Okta domains, any password will be accepted and harvested and the target user will be logged into the legitimate Datadog tenant successfully at the end.",{"data":3059,"content":3063,"nodeType":1322},{"target":3060},{"sys":3061},{"id":3062,"type":1327,"linkType":1328},"dHVOdvHLdVzOEGai6qtSl",[],{"data":3065,"content":3066,"nodeType":1294},{},[3067],{"data":3068,"marks":3069,"value":3070,"nodeType":1293},{},[],"This type of attack sits somewhere in the middle of the kill chain between the initial access phishing we covered in the previous section and the full active directory/Okta domain compromise Adam Chester covered in his article. In this instance, we are looking at leveraging a more limited admin-level compromise of a single SaaS application to extend our access much further. ",{"data":3072,"content":3073,"nodeType":1294},{},[3074,3078,3083],{"data":3075,"marks":3076,"value":3077,"nodeType":1293},{},[],"When an organization relies on SaaS apps, it’s likely there may be some apps that are not considered particularly security critical and also may have “admins” that are actually just members of non-technical teams in the business. An admin-level compromise of ",{"data":3079,"marks":3080,"value":3082,"nodeType":1293},{},[3081],{"type":312},"any",{"data":3084,"marks":3085,"value":3086,"nodeType":1293},{},[]," SaaS application used by the organization can be used to conduct highly stealthy Okta credential capturing for all users. With those credentials, an attacker can expand their access and move laterally to other accounts and applications. ",{"data":3088,"content":3092,"nodeType":1322},{"target":3089},{"sys":3090},{"id":3091,"type":1327,"linkType":1328},"2y0INxqAi594O7rCAVKhTI",[],{"data":3094,"content":3095,"nodeType":1538},{},[3096],{"data":3097,"marks":3098,"value":3099,"nodeType":1293},{},[],"Impact",{"data":3101,"content":3102,"nodeType":1294},{},[3103],{"data":3104,"marks":3105,"value":3106,"nodeType":1293},{},[],"Let’s take a step back and consider the key points of impact here:",{"data":3108,"content":3109,"nodeType":1437},{},[3110,3120,3130],{"data":3111,"content":3112,"nodeType":1441},{},[3113],{"data":3114,"content":3115,"nodeType":1294},{},[3116],{"data":3117,"marks":3118,"value":3119,"nodeType":1293},{},[],"Attackers can send phishing links pointing to legitimate Okta domains and use those to capture credentials due to the way Okta AD synchronization works - this bypasses common user security training around checking domains are legitimate",{"data":3121,"content":3122,"nodeType":1441},{},[3123],{"data":3124,"content":3125,"nodeType":1294},{},[3126],{"data":3127,"marks":3128,"value":3129,"nodeType":1293},{},[],"If an attacker compromises a legitimate SaaS tenant in use by an organization protected by Okta, they can modify the SAML configuration to point to their own malicious Okta tenant and thus capture credentials using the same method",{"data":3131,"content":3132,"nodeType":1441},{},[3133],{"data":3134,"content":3135,"nodeType":1294},{},[3136],{"data":3137,"marks":3138,"value":3139,"nodeType":1293},{},[],"It would be extremely unlikely legitimate users would notice as it is part of the normal authentication flow, all domains observed would be legitimate SaaS and Okta domains, and they would be logged in successfully to the real SaaS tenant after entering their password",{"data":3141,"content":3142,"nodeType":1538},{},[3143],{"data":3144,"marks":3145,"value":3146,"nodeType":1293},{},[],"Conclusion",{"data":3148,"content":3149,"nodeType":1294},{},[3150],{"data":3151,"marks":3152,"value":3153,"nodeType":1293},{},[],"Okta is an identity management service that can help manage and protect access to a large number of applications used by an organization. However, due to the manner in which Okta AD synchronization works, it’s possible to use phishing links pointing to legitimate Okta domains to capture users credentials.",{"data":3155,"content":3156,"nodeType":1294},{},[3157],{"data":3158,"marks":3159,"value":3160,"nodeType":1293},{},[],"Additionally, admin access to any application in use with Okta needs to be carefully considered even if the application itself is not particularly sensitive. This is because a compromise of that application, or of a user account with admin access to it, can be used to modify the existing Okta SAML configuration to point to a malicious Okta tenant and conduct an extremely stealthy credential harvesting attack of all users of the application. ",{"data":3162,"content":3163,"nodeType":1294},{},[3164],{"data":3165,"marks":3166,"value":3167,"nodeType":1293},{},[],"Defenders should carefully monitor user access to Okta URLs that do not match their own legitimate tenant as it could be a sign of credential capturing attacks.","Oktajacking","In this article, we'll show you how to use Okta to do keylogging for you, without needing to have your own malicious domain hosting your malicious SAML server. ","2023-12-06T00:00:00.000Z","oktajacking",{"items":3173},[3174,3176],{"sys":3175,"name":1306},{"id":1305},{"sys":3177,"name":2541},{"id":2540},{"items":3179},[3180],{"fullName":3181,"firstName":3182,"jobTitle":3183,"profilePicture":3184},"Luke Jennings","Luke","Vice President, R&D",{"url":3185},"https://images.ctfassets.net/y1cdw1ablpvd/4Hosb4zKi1dA0PUyDLMe1h/27e09d894861f2196ba794037986fb08/T016S22KZ96-U02NVQM7ZD4-57761d542d83-512.jpeg",{"items":3187},[3188],{"fullName":3189,"firstName":3190,"jobTitle":3191,"profilePicture":3192},"Dan Green","Dan","Threat Research",{"url":3193},"https://images.ctfassets.net/y1cdw1ablpvd/7jik1VhFgA3kgzXBXTm2Vw/fcd8c171da644903d0827eafcfbcaad0/Dan_Headshot_2025.png",{"json":3195,"links":4030},{"nodeType":1295,"data":3196,"content":3197},{},[3198,3205,3212,3219,3251,3258,3265,3284,3291,3298,3316,3323,3330,3337,3343,3350,3393,3400,3407,3414,3437,3444,3451,3458,3506,3513,3520,3527,3534,3546,3553,3561,3568,3601,3608,3615,3622,3629,3699,3707,3714,3721,3755,3762,3770,3777,3784,3796,3812,3842,3862,3869,3888,3895,3902,3920,3927,3934,3941,3974,3981,4000,4018,4024],{"nodeType":1294,"data":3199,"content":3200},{},[3201],{"nodeType":1293,"value":3202,"marks":3203,"data":3204},"Identity attacks like phishing, credential stuffing, and session hijacking are now the leading cause of cyber security breaches, as attackers shift their attention to the sprawl of third-party applications and services that has become the backbone of business IT. ",[],{},{"nodeType":1294,"data":3206,"content":3207},{},[3208],{"nodeType":1293,"value":3209,"marks":3210,"data":3211},"The attacker’s goal in these attacks is account takeover: logging into a user account to access your company app tenant. From there, the attacker can usually achieve all of their objectives from inside the compromised app, usually involving dumping sensitive data with which to hold the company to ransom, or selling the data on underground criminal marketplaces. ",[],{},{"nodeType":1294,"data":3213,"content":3214},{},[3215],{"nodeType":1293,"value":3216,"marks":3217,"data":3218},"These attack techniques have been commonplace for over a decade — but the shift in attack context away from attacking endpoints (user devices and servers) to cloud services is seeing something of an identity attack renaissance. ",[],{},{"nodeType":1294,"data":3220,"content":3221},{},[3222,3225,3234,3238,3247],{"nodeType":1293,"value":37,"marks":3223,"data":3224},[],{},{"nodeType":1345,"data":3226,"content":3228},{"uri":3227},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/ghost_logins/description.md",[3229],{"nodeType":1293,"value":3230,"marks":3231,"data":3233},"Ghost logins",[3232],{"type":2441},{},{"nodeType":1293,"value":3235,"marks":3236,"data":3237}," are one of the leading factors in successful ",[],{},{"nodeType":1345,"data":3239,"content":3241},{"uri":3240},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/credential_stuffing/description.md",[3242],{"nodeType":1293,"value":3243,"marks":3244,"data":3246},"credential stuffing",[3245],{"type":2441},{},{"nodeType":1293,"value":3248,"marks":3249,"data":3250}," attacks driving account takeover.",[],{},{"nodeType":1538,"data":3252,"content":3253},{},[3254],{"nodeType":1293,"value":3255,"marks":3256,"data":3257},"Ghost logins 101",[],{},{"nodeType":1294,"data":3259,"content":3260},{},[3261],{"nodeType":1293,"value":3262,"marks":3263,"data":3264},"Simply put, ghost logins are often-forgotten alternative login methods that are tricky for security teams to manage and secure — because they don’t know about them. Because of this, they’re likely to possess weak configurations that make them susceptible to account takeover attacks. ",[],{},{"nodeType":1294,"data":3266,"content":3267},{},[3268,3272,3280],{"nodeType":1293,"value":3269,"marks":3270,"data":3271},"We found that ",[],{},{"nodeType":1345,"data":3273,"content":3275},{"uri":3274},"https://pushsecurity.com/blog/how-many-vulnerable-identities-do-you-have/",[3276],{"nodeType":1293,"value":3277,"marks":3278,"data":3279},"ghost logins are present in ~10% of the accounts per organization",[],{},{"nodeType":1293,"value":3281,"marks":3282,"data":3283},". ",[],{},{"nodeType":1575,"data":3285,"content":3286},{},[3287],{"nodeType":1293,"value":3288,"marks":3289,"data":3290},"Why do ghost logins exist?",[],{},{"nodeType":1294,"data":3292,"content":3293},{},[3294],{"nodeType":1293,"value":3295,"marks":3296,"data":3297},"Identity management used to be something that was centrally contained and managed using an enterprise identity service like Active Directory. Most users probably only had one or two identities that you really cared about: the one they used to log into their company laptop and domain, and maybe also to log into a VPN. ",[],{},{"nodeType":1294,"data":3299,"content":3300},{},[3301,3305,3312],{"nodeType":1293,"value":3302,"marks":3303,"data":3304},"Now, there are ",[],{},{"nodeType":1345,"data":3306,"content":3307},{"uri":3274},[3308],{"nodeType":1293,"value":3309,"marks":3310,"data":3311},"200+ business apps in use per company, creating 1000s of sprawled identities",[],{},{"nodeType":1293,"value":3313,"marks":3314,"data":3315}," across an ecosystem of business apps and services accessed over the internet.",[],{},{"nodeType":1294,"data":3317,"content":3318},{},[3319],{"nodeType":1293,"value":3320,"marks":3321,"data":3322},"Most businesses have tried to solve this problem with single sign on (SSO). The logic being that if you can use a single set of credentials (and therefore, a single identity) to access all of your business apps, and then secure those credentials with MFA, then this problem goes away. However…",[],{},{"nodeType":1575,"data":3324,"content":3325},{},[3326],{"nodeType":1293,"value":3327,"marks":3328,"data":3329},"SSO expectations versus reality",[],{},{"nodeType":1294,"data":3331,"content":3332},{},[3333],{"nodeType":1293,"value":3334,"marks":3335,"data":3336},"Unfortunately, the reality of SSO implementation is flawed. Most apps accept multiple login methods that can be configured — and used — simultaneously (yes, most apps don’t have proper session controls).  ",[],{},{"nodeType":1322,"data":3338,"content":3342},{"target":3339},{"sys":3340},{"id":3341,"type":1327,"linkType":1328},"3sOz3HkiyJpY9nFtGCWEOV",[],{"nodeType":1294,"data":3344,"content":3345},{},[3346],{"nodeType":1293,"value":3347,"marks":3348,"data":3349},"This is made worse by the fact that:",[],{},{"nodeType":1437,"data":3351,"content":3352},{},[3353,3363,3373,3383],{"nodeType":1441,"data":3354,"content":3355},{},[3356],{"nodeType":1294,"data":3357,"content":3358},{},[3359],{"nodeType":1293,"value":3360,"marks":3361,"data":3362},"Most apps can't be locked down to restrict which login methods are accepted.",[],{},{"nodeType":1441,"data":3364,"content":3365},{},[3366],{"nodeType":1294,"data":3367,"content":3368},{},[3369],{"nodeType":1293,"value":3370,"marks":3371,"data":3372},"Users often self-adopt apps, and default to a username and password (and typically miss out MFA). ",[],{},{"nodeType":1441,"data":3374,"content":3375},{},[3376],{"nodeType":1294,"data":3377,"content":3378},{},[3379],{"nodeType":1293,"value":3380,"marks":3381,"data":3382},"SSO isn’t always possible if you aren’t using a supported IdP — and only one in three apps support SAML, the preferred enterprise-grade protocol.",[],{},{"nodeType":1441,"data":3384,"content":3385},{},[3386],{"nodeType":1294,"data":3387,"content":3388},{},[3389],{"nodeType":1293,"value":3390,"marks":3391,"data":3392},"Even where SSO is possible, configuring an app for SSO doesn't automatically delete any legacy local logins.",[],{},{"nodeType":1294,"data":3394,"content":3395},{},[3396],{"nodeType":1293,"value":3397,"marks":3398,"data":3399},"Inevitably, this means that there are many situations in which users will create local accounts — typically with a username and password, and without MFA. This is how ghost logins are born.",[],{},{"nodeType":1575,"data":3401,"content":3402},{},[3403],{"nodeType":1293,"value":3404,"marks":3405,"data":3406},"How are ghost logins created? ",[],{},{"nodeType":1294,"data":3408,"content":3409},{},[3410],{"nodeType":1293,"value":3411,"marks":3412,"data":3413},"Ghost logins can be created in the following ways:",[],{},{"nodeType":1437,"data":3415,"content":3416},{},[3417,3427],{"nodeType":1441,"data":3418,"content":3419},{},[3420],{"nodeType":1294,"data":3421,"content":3422},{},[3423],{"nodeType":1293,"value":3424,"marks":3425,"data":3426},"A user self-adopts an app, setting up an account with a local username and password. The app is later adopted companywide and brought under SSO. This creates an additional SSO login method, likely as the default, but the local login will continue to exist unless explicitly disabled or deleted. ",[],{},{"nodeType":1441,"data":3428,"content":3429},{},[3430],{"nodeType":1294,"data":3431,"content":3432},{},[3433],{"nodeType":1293,"value":3434,"marks":3435,"data":3436},"Secondary/backup login methods can often be added later in the app settings after logging in. This includes things like setting up a secondary email to send a login link to, or setting up API access to remove the need to authenticate altogether. ",[],{},{"nodeType":1294,"data":3438,"content":3439},{},[3440],{"nodeType":1293,"value":3441,"marks":3442,"data":3443},"So, ghost logins are very easily introduced through the normal course of app adoption and use by employees. ",[],{},{"nodeType":1575,"data":3445,"content":3446},{},[3447],{"nodeType":1293,"value":3448,"marks":3449,"data":3450},"Why do ghost logins pose a risk? ",[],{},{"nodeType":1294,"data":3452,"content":3453},{},[3454],{"nodeType":1293,"value":3455,"marks":3456,"data":3457},"Ghost logins pose a risk for a number of reasons, as they: ",[],{},{"nodeType":1437,"data":3459,"content":3460},{},[3461,3476,3491],{"nodeType":1441,"data":3462,"content":3463},{},[3464],{"nodeType":1294,"data":3465,"content":3466},{},[3467,3472],{"nodeType":1293,"value":3468,"marks":3469,"data":3471},"Typically have less secure configurations ",[3470],{"type":1416},{},{"nodeType":1293,"value":3473,"marks":3474,"data":3475},"than your preferred login method – and may be missing key controls like MFA.  ",[],{},{"nodeType":1441,"data":3477,"content":3478},{},[3479],{"nodeType":1294,"data":3480,"content":3481},{},[3482,3487],{"nodeType":1293,"value":3483,"marks":3484,"data":3486},"Are effectively shadow logins",[3485],{"type":1416},{},{"nodeType":1293,"value":3488,"marks":3489,"data":3490}," – IT/security don’t know about them, and if using an IdP as your primary identity security interface, they won’t necessarily be visible without taking a deeper look at individual apps. ",[],{},{"nodeType":1441,"data":3492,"content":3493},{},[3494],{"nodeType":1294,"data":3495,"content":3496},{},[3497,3502],{"nodeType":1293,"value":3498,"marks":3499,"data":3501},"Can be used simultaneously with SSO",[3500],{"type":1416},{},{"nodeType":1293,"value":3503,"marks":3504,"data":3505}," – so you can have an unrestricted number of concurrent sessions with SSO and non SSO logins active at the same time, without the user being kicked out of the previous session.",[],{},{"nodeType":1294,"data":3507,"content":3508},{},[3509],{"nodeType":1293,"value":3510,"marks":3511,"data":3512},"Ghost logins provide opportunities for attackers to bypass security controls for initial access and persistence in an application (which we’ll come onto in more detail later). They also provide an opportunity for malicious insiders, e.g. a disgruntled employee, to access systems even after SSO access is revoked. If the security team relies on IdP logs to audit app logins, these accounts can go undetected.",[],{},{"nodeType":1294,"data":3514,"content":3515},{},[3516],{"nodeType":1293,"value":3517,"marks":3518,"data":3519},"To be able to identify them, you’d need to log into the app admin dashboard. But depending on how the app was adopted, you (as a security admin) may not even be an app-level admin — it’s not unusual for individual teams to administer their own apps. And even if you do have access, it’s not always easy (or possible) to gather this level of information about user account configuration. ",[],{},{"nodeType":1294,"data":3521,"content":3522},{},[3523],{"nodeType":1293,"value":3524,"marks":3525,"data":3526},"It’s very easy to see how these vulnerable login methods can be overlooked by security teams – let’s look at how they can be identified and exploited by attackers. ",[],{},{"nodeType":1538,"data":3528,"content":3529},{},[3530],{"nodeType":1293,"value":3531,"marks":3532,"data":3533},"How can ghost logins be exploited by attackers?",[],{},{"nodeType":1294,"data":3535,"content":3536},{},[3537,3542],{"nodeType":1293,"value":3538,"marks":3539,"data":3541},"Let’s take an example scenario:",[3540],{"type":1416},{},{"nodeType":1293,"value":3543,"marks":3544,"data":3545}," You’re using an IdP solution like Okta or Microsoft/Entra with SAML SSO as the default login method for your core business apps. Via your IdP you require MFA when authenticating to your IdP apps page, and also potentially when signing into an individual connected app. ",[],{},{"nodeType":1294,"data":3547,"content":3548},{},[3549],{"nodeType":1293,"value":3550,"marks":3551,"data":3552},"However, you only recently introduced your IdP solution, and your users previously accessed this app with a local username and password. Although you asked your users to configure MFA in the app itself, not all of them did. And when you deployed your IdP solution, you didn’t manually unset all the local password-based logins for the apps you connected to it. ",[],{},{"nodeType":1294,"data":3554,"content":3555},{},[3556],{"nodeType":1293,"value":3557,"marks":3558,"data":3560},"Unknown to you, there are now hundreds of local accounts for core business apps which lack MFA. ",[3559],{"type":1416},{},{"nodeType":1294,"data":3562,"content":3563},{},[3564],{"nodeType":1293,"value":3565,"marks":3566,"data":3567},"There are two main scenarios in which ghost logins can be utilized by an attacker:",[],{},{"nodeType":1437,"data":3569,"content":3570},{},[3571,3586],{"nodeType":1441,"data":3572,"content":3573},{},[3574],{"nodeType":1294,"data":3575,"content":3576},{},[3577,3582],{"nodeType":1293,"value":3578,"marks":3579,"data":3581},"To bypass robustly configured login methods",[3580],{"type":1416},{},{"nodeType":1293,"value":3583,"marks":3584,"data":3585}," such as SSO to compromise an app identity during the initial access phase of an attack. ",[],{},{"nodeType":1441,"data":3587,"content":3588},{},[3589],{"nodeType":1294,"data":3590,"content":3591},{},[3592,3597],{"nodeType":1293,"value":3593,"marks":3594,"data":3596},"To create additional login methods for an already compromised account to ensure persistent access",[3595],{"type":1416},{},{"nodeType":1293,"value":3598,"marks":3599,"data":3600}," – even if the original compromised login method is revoked or disabled. This could be either the result of compromising an identity belonging to a specific app, or having previously compromised an IdP account (e.g. Okta).",[],{},{"nodeType":1294,"data":3602,"content":3603},{},[3604],{"nodeType":1293,"value":3605,"marks":3606,"data":3607},"Let's look at these use cases in more detail. ",[],{},{"nodeType":1575,"data":3609,"content":3610},{},[3611],{"nodeType":1293,"value":3612,"marks":3613,"data":3614},"Ghost logins for initial access",[],{},{"nodeType":1294,"data":3616,"content":3617},{},[3618],{"nodeType":1293,"value":3619,"marks":3620,"data":3621},"Arguably the most dangerous use case for ghost logins is to conduct credential attacks against accounts using a username and password. Logins with a weak or guessable password, or a reused password that has appeared in a public data breach dump, are primed for account takeover. ",[],{},{"nodeType":1294,"data":3623,"content":3624},{},[3625],{"nodeType":1293,"value":3626,"marks":3627,"data":3628},"The cyber crime ecosystem is leaning toward the theft, sale, and use of stolen credentials (not just emails and passwords, but session tokens too). ",[],{},{"nodeType":1437,"data":3630,"content":3631},{},[3632,3655,3677],{"nodeType":1441,"data":3633,"content":3634},{},[3635],{"nodeType":1294,"data":3636,"content":3637},{},[3638,3642,3651],{"nodeType":1293,"value":3639,"marks":3640,"data":3641},"There are 600 million identity attacks per day, with 99% involving passwords (",[],{},{"nodeType":1345,"data":3643,"content":3645},{"uri":3644},"https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/final/en-us/microsoft-brand/documents/Microsoft%20Digital%20Defense%20Report%202024%20%281%29.pdf",[3646],{"nodeType":1293,"value":3647,"marks":3648,"data":3650},"Microsoft",[3649],{"type":2441},{},{"nodeType":1293,"value":3652,"marks":3653,"data":3654},").",[],{},{"nodeType":1441,"data":3656,"content":3657},{},[3658],{"nodeType":1294,"data":3659,"content":3660},{},[3661,3665,3674],{"nodeType":1293,"value":3662,"marks":3663,"data":3664},"Over 1000 credentials are posted online per day, per marketplace with an average sale price of $10, and 65% posted less than one day after being collected (",[],{},{"nodeType":1345,"data":3666,"content":3668},{"uri":3667},"https://www.verizon.com/business/en-gb/resources/reports/dbir/",[3669],{"nodeType":1293,"value":3670,"marks":3671,"data":3673},"Verizon",[3672],{"type":2441},{},{"nodeType":1293,"value":3652,"marks":3675,"data":3676},[],{},{"nodeType":1441,"data":3678,"content":3679},{},[3680],{"nodeType":1294,"data":3681,"content":3682},{},[3683,3687,3696],{"nodeType":1293,"value":3684,"marks":3685,"data":3686},"One million new stealer logs are distributed every month, with an estimated 3-5% containing credentials and session cookies to corporate IT environments (",[],{},{"nodeType":1345,"data":3688,"content":3690},{"uri":3689},"https://www.bleepingcomputer.com/news/security/single-sign-on-and-the-cybercrime-ecosystem/",[3691],{"nodeType":1293,"value":3692,"marks":3693,"data":3695},"Flare",[3694],{"type":2441},{},{"nodeType":1293,"value":3652,"marks":3697,"data":3698},[],{},{"nodeType":1294,"data":3700,"content":3701},{},[3702],{"nodeType":1293,"value":3703,"marks":3704,"data":3706},"So, it’s easier than ever for attackers to gather breached credentials and weaponize them at scale. ",[3705],{"type":1416},{},{"nodeType":1294,"data":3708,"content":3709},{},[3710],{"nodeType":1293,"value":3711,"marks":3712,"data":3713},"Realistically, any username and password combination for addresses belonging to a specific organization/domain can be attempted on any app. Breached credential data will often provide a strong indicator of other apps also in use for that organization. And for apps with a custom tenant URL (that cannot be easily guessed) data dumps often helpfully include the URLs for those login pages, too.  ",[],{},{"nodeType":1294,"data":3715,"content":3716},{},[3717],{"nodeType":1293,"value":3718,"marks":3719,"data":3720},"The risk posed by the massive amounts of leaked credentials available is heightened because: ",[],{},{"nodeType":1437,"data":3722,"content":3723},{},[3724,3745],{"nodeType":1441,"data":3725,"content":3726},{},[3727],{"nodeType":1294,"data":3728,"content":3729},{},[3730,3734,3741],{"nodeType":1293,"value":3731,"marks":3732,"data":3733},"Many employees reuse passwords, with ",[],{},{"nodeType":1345,"data":3735,"content":3736},{"uri":3274},[3737],{"nodeType":1293,"value":3738,"marks":3739,"data":3740},"~9% of all accounts using a breached, weak, or reused password",[],{},{"nodeType":1293,"value":3742,"marks":3743,"data":3744},". This isn’t just for low-risk apps either, and includes the reuse of highly sensitive IdP creds. ",[],{},{"nodeType":1441,"data":3746,"content":3747},{},[3748],{"nodeType":1294,"data":3749,"content":3750},{},[3751],{"nodeType":1293,"value":3752,"marks":3753,"data":3754},"Organizations don’t typically rotate or enforce changes to SaaS app passwords in the same way they might for company account/device login connected to Active Directory.  ",[],{},{"nodeType":1294,"data":3756,"content":3757},{},[3758],{"nodeType":1293,"value":3759,"marks":3760,"data":3761},"Ghost logins aren’t limited to just username and password either. For example, a breached social account such as Facebook or Google can result in a broader compromise if those accounts have been connected to any corporate apps.   ",[],{},{"nodeType":1294,"data":3763,"content":3764},{},[3765],{"nodeType":1293,"value":3766,"marks":3767,"data":3769},"So, exploiting ghost logins can be a highly effective method for attackers to gain initial access to a user account from which to launch further attacks.  ",[3768],{"type":1416},{},{"nodeType":1575,"data":3771,"content":3772},{},[3773],{"nodeType":1293,"value":3774,"marks":3775,"data":3776},"Ghost logins for persistence and defense evasion",[],{},{"nodeType":1294,"data":3778,"content":3779},{},[3780],{"nodeType":1293,"value":3781,"marks":3782,"data":3783},"Now, we’ll take a look at how attackers can leverage ghost logins as part of the later stages of an attack, having already established an initial foothold via account compromise. ",[],{},{"nodeType":1294,"data":3785,"content":3786},{},[3787,3791],{"nodeType":1293,"value":3788,"marks":3789,"data":3790},"If an organization has a reasonable level of security monitoring in-place (depending on log availability from the particular app vendor), or a victim receives a notification about an unusual login (e.g. from a new device or unusual IP) then access to an account can be short-lived. ",[],{},{"nodeType":1293,"value":3792,"marks":3793,"data":3795},"However, ghost logins can provide attackers with the tools to maintain persistent access to a compromised account, even if the initial compromised login method is disabled or revoked. ",[3794],{"type":1416},{},{"nodeType":1294,"data":3797,"content":3798},{},[3799,3803,3808],{"nodeType":1293,"value":3800,"marks":3801,"data":3802},"For example, if a social login is used to access an account, an adversary may be able to configure a separate username/password login, or even (though much less commonly) connect a second social account that the adversary controls. This allows the adversary to maintain persistent access to the user account ",[],{},{"nodeType":1293,"value":3804,"marks":3805,"data":3807},"even in the event of password changes or MFA changes",[3806],{"type":1416},{},{"nodeType":1293,"value":3809,"marks":3810,"data":3811},". The attack will go unnoticed if the victim organization relies on SSO logs for auditing access to SaaS applications because the attack bypasses SSO, as the login remains local to the SaaS app or, in the case of an OIDC SSO login, the adversary’s own social account.",[],{},{"nodeType":1294,"data":3813,"content":3814},{},[3815,3819,3826,3830,3838],{"nodeType":1293,"value":3816,"marks":3817,"data":3818},"Another quirk is that it’s common for ordinary users to become app-level admins when an app is self-adopted by an individual or team. If an attacker is able to gain control of such an account, it can then be used to target other users without needing to deliver phishing links by hijacking SAML-based authentication. In this scenario, users attempting to sign in using SAML SSO are directed it to an attacker-controlled tenant in a watering hole attack (also known as ",[],{},{"nodeType":1345,"data":3820,"content":3821},{"uri":2598},[3822],{"nodeType":1293,"value":2604,"marks":3823,"data":3825},[3824],{"type":2441},{},{"nodeType":1293,"value":3827,"marks":3828,"data":3829},", which you can ",[],{},{"nodeType":1345,"data":3831,"content":3832},{"uri":2565},[3833],{"nodeType":1293,"value":3834,"marks":3835,"data":3837},"read more about in another blog post",[3836],{"type":2441},{},{"nodeType":1293,"value":3839,"marks":3840,"data":3841},"). ",[],{},{"nodeType":1294,"data":3843,"content":3844},{},[3845,3849,3858],{"nodeType":1293,"value":3846,"marks":3847,"data":3848},"If you're curious as to how an attacker might be able to compromise an IdP account such as Okta, ",[],{},{"nodeType":1345,"data":3850,"content":3852},{"uri":3851},"https://pushsecurity.com/blog/phishing-2-0-how-phishing-toolkits-are-evolving-with-aitm/",[3853],{"nodeType":1293,"value":3854,"marks":3855,"data":3857},"you should check out our blog post on AitM and BitM phishing techniques",[3856],{"type":2441},{},{"nodeType":1293,"value":3859,"marks":3860,"data":3861},".  ",[],{},{"nodeType":1538,"data":3863,"content":3864},{},[3865],{"nodeType":1293,"value":3866,"marks":3867,"data":3868},"Case study: Snowflake",[],{},{"nodeType":1294,"data":3870,"content":3871},{},[3872,3876,3884],{"nodeType":1293,"value":3873,"marks":3874,"data":3875},"The ",[],{},{"nodeType":1345,"data":3877,"content":3879},{"uri":3878},"https://pushsecurity.com/blog/identity-attacks-in-the-wild/#id-snowflake-june-2024",[3880],{"nodeType":1293,"value":3881,"marks":3882,"data":3883},"recent attacks on 165 Snowflake customers",[],{},{"nodeType":1293,"value":3885,"marks":3886,"data":3887},", resulting in hundreds of millions of breached customer records, were the product of a credential stuffing campaign using stolen credentials from infostealer infections dating back to 2020. ",[],{},{"nodeType":1294,"data":3889,"content":3890},{},[3891],{"nodeType":1293,"value":3892,"marks":3893,"data":3894},"The industry response to Snowflake was typical: check whether Snowflake has been set up for SSO, and if so, job done — we’re protected by MFA.",[],{},{"nodeType":1294,"data":3896,"content":3897},{},[3898],{"nodeType":1293,"value":3899,"marks":3900,"data":3901},"The reality was that MFA was not — and could not — be centrally enforced for username and password accounts. Even if MFA was applied at the IdP level for SSO logins, it was not enforced for local username and password logins. It needed to be opted-into by the user. ",[],{},{"nodeType":1294,"data":3903,"content":3904},{},[3905,3909,3917],{"nodeType":1293,"value":3906,"marks":3907,"data":3908},"This meant the most logical thing to do was to disable local accounts. But because Snowflake is essentially a cloud-hosted SQL database, there was no easy-to-use GUI to access local account config data. Once you’d managed to get an admin account with the right permissions, you needed to run various commands to find and unset the accounts. ",[],{},{"nodeType":1345,"data":3910,"content":3912},{"uri":3911},"https://pushsecurity.com/resources/video/demonstrating-ghost-logins-in-snowflake-and-how-to-remediate-them/",[3913],{"nodeType":1293,"value":3914,"marks":3915,"data":3916},"But if you didn’t have the exact type of admin account, misleading results would be returned — and even after you had fixed the vulnerability it took hours to update the database. ",[],{},{"nodeType":1293,"value":37,"marks":3918,"data":3919},[],{},{"nodeType":1294,"data":3921,"content":3922},{},[3923],{"nodeType":1293,"value":3924,"marks":3925,"data":3926},"This meant that organizations were exposed to these attacks for a prolonged period, and were left uncertain as to whether they had addressed the vulnerabilities or not. ",[],{},{"nodeType":1538,"data":3928,"content":3929},{},[3930],{"nodeType":1293,"value":3931,"marks":3932,"data":3933},"Using Push to find and fix ghost logins across your app inventory",[],{},{"nodeType":1294,"data":3935,"content":3936},{},[3937],{"nodeType":1293,"value":3938,"marks":3939,"data":3940},"Finding and fixing ghost logins is a challenge for most organizations. Since you can’t rely on the view provided by your IdP, you need to:",[],{},{"nodeType":1437,"data":3942,"content":3943},{},[3944,3954,3964],{"nodeType":1441,"data":3945,"content":3946},{},[3947],{"nodeType":1294,"data":3948,"content":3949},{},[3950],{"nodeType":1293,"value":3951,"marks":3952,"data":3953},"Discover the apps in use across your organization",[],{},{"nodeType":1441,"data":3955,"content":3956},{},[3957],{"nodeType":1294,"data":3958,"content":3959},{},[3960],{"nodeType":1293,"value":3961,"marks":3962,"data":3963},"Get admin rights, audit each app, and unset any local credentials (enforcing MFA at the app-level too if you can, for good measure)",[],{},{"nodeType":1441,"data":3965,"content":3966},{},[3967],{"nodeType":1294,"data":3968,"content":3969},{},[3970],{"nodeType":1293,"value":3971,"marks":3972,"data":3973},"Configure the app to prevent local accounts being created (again, if possible)",[],{},{"nodeType":1294,"data":3975,"content":3976},{},[3977],{"nodeType":1293,"value":3978,"marks":3979,"data":3980},"Not only is this a sisyphean task with continually moving goalposts, but depending on which apps you use, and how they’ve been designed, it may not be possible to remediate every instance of ghost logins. For that reason, it’s important to also invest in your identity threat detection and response capabilities — for when, not if, an account takeover attempt occurs. ",[],{},{"nodeType":1294,"data":3982,"content":3983},{},[3984,3988,3997],{"nodeType":1293,"value":3985,"marks":3986,"data":3987},"Push helps organizations to defend against ghost logins and other identity threats with a defense-in-depth approach: Using a browser-based agent to generate visibility of all logins (not just via IdP logs) while also detecting, intercepting, and shutting down account takeover attempts via phishing, credential stuffing, and session hijacking. ",[],{},{"nodeType":1345,"data":3989,"content":3991},{"uri":3990},"https://pushsecurity.com/",[3992],{"nodeType":1293,"value":3993,"marks":3994,"data":3996},"Learn more here.",[3995],{"type":2441},{},{"nodeType":1293,"value":37,"marks":3998,"data":3999},[],{},{"nodeType":1294,"data":4001,"content":4002},{},[4003,4007,4015],{"nodeType":1293,"value":4004,"marks":4005,"data":4006},"And if you'd like to learn more about ghost logins and other identity attack techniques, ",[],{},{"nodeType":1345,"data":4008,"content":4010},{"uri":4009},"https://github.com/pushsecurity/saas-attacks?tab=readme-ov-file",[4011],{"nodeType":1293,"value":4012,"marks":4013,"data":4014},"check out the SaaS attack matrix on GitHub",[],{},{"nodeType":1293,"value":3281,"marks":4016,"data":4017},[],{},{"nodeType":1322,"data":4019,"content":4023},{"target":4020},{"sys":4021},{"id":4022,"type":1327,"linkType":1328},"1VMpMgZvx9hgps2OoxCTmF",[],{"nodeType":1294,"data":4025,"content":4026},{},[4027],{"nodeType":1293,"value":37,"marks":4028,"data":4029},[],{},{"entries":4031},{"hyperlink":4032,"inline":4033,"block":4034},[],[],[4035,4044],{"sys":4036,"__typename":4037,"title":4038,"caption":4039,"layoutMode":118,"file":4040},{"id":3341},"Image","Table: Possible login methods (app-depending)","Possible login methods (app-depending)",{"url":4041,"width":4042,"height":4043},"https://images.ctfassets.net/y1cdw1ablpvd/3Yp7zlOF1rje7MdlCGi9Jg/4e42024b09d9aa114b2740514b3e19bd/Screenshot_2024-10-30_at_13.23.48.png",3158,1394,{"sys":4045,"__typename":4046,"type":4047,"ctaText":4048,"buttonLabel":4049,"buttonColour":4050,"buttonUrl":118},{"id":4022},"CtaWidget","Demo","Book a demo to see how Push helps you to find and fix identity vulnerabilities like ghost logins","Book a demo","sunny orange","content:blog:ghost-logins-when-forgotten-identities-come-back-to-haunt-you.json","json","content","blog/ghost-logins-when-forgotten-identities-come-back-to-haunt-you.json","blog/ghost-logins-when-forgotten-identities-come-back-to-haunt-you",1776359988483]