[{"data":1,"prerenderedAt":3529},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":95,"navbar-about-highlight":155,"navbar-resource-highlight":211,"use-case-page":256,"blog/google-search-malvertising-campaign-continues-now-impersonating-ahrefs":1276},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8,59,76],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":14,"data":15,"variations":50,"lastUpdated":51,"firstPublished":52,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":54,"meta":55,"rev":58},1742213002749,"efff2a27faf4408e9f908eba4b5542fe","inductive-automation","1c6207a5f24948ab82d4a0b17f251193","published",[],{"testimonial":16,"description":43,"type":19,"link":44,"title":47,"testimonialLink":48,"image":49},{"@type":17,"id":18,"model":19,"value":20},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79","testimonial",{"query":21,"folders":22,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":26,"variations":30,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":35,"rev":42},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":27,"jobTitle":28,"quote":24,"image":29},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,1,"ST0tXQM8slWpFrmioqKHmENB2qe2",{"kind":36,"lastPreviewUrl":37,"breakpoints":38,"hasAutosaves":41},"data","",{"small":39,"medium":40},640,768,true,"3v32gocrrqz","Join the industry's top security minds as they break down the browser attack landscape.",{"url":45,"text":46},"https://pushsecurity.com/webinar/state-of-browser-security","Save Your Spot","State of Browser Attacks Series","/customer-stories/inductive-automation","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe94fca10aa7b46ac8052b7ea22de54cd",{},1776257019270,1742221533648,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2",[],{"breakpoints":56,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},320,"motto9r9yg",{"createdDate":60,"id":61,"name":62,"modelId":12,"published":13,"query":63,"data":64,"variations":69,"lastUpdated":70,"firstPublished":71,"testRatio":33,"createdBy":53,"lastUpdatedBy":72,"folders":73,"meta":74,"rev":58},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner",[],{"type":65,"url":66,"text":67,"link":68},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,"jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":36,"lastPreviewUrl":37,"breakpoints":75,"hasAutosaves":41},{"xsmall":57,"small":39,"medium":40},{"createdDate":77,"id":78,"name":79,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":80,"data":81,"variations":89,"lastUpdated":90,"firstPublished":91,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":92,"meta":93,"rev":58},1742208469288,"6763051b201f44a0838c6400c580ca67","Resource highlight",[],{"image":82,"type":83,"description":84,"link":85,"title":88},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9","resource","Learn about the latest techniques being used in the wild.",{"url":86,"text":87},"/resources/browser-attacks-report","Download now","Report: 2026 Browser Attack Techniques",{},1776255866789,1742208570400,[],{"kind":36,"lastPreviewUrl":37,"breakpoints":94,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},{"createdDate":96,"id":97,"name":98,"modelId":99,"published":13,"query":100,"data":101,"variations":145,"lastUpdated":146,"firstPublished":147,"testRatio":33,"createdBy":34,"lastUpdatedBy":148,"folders":149,"meta":150,"rev":154},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":102,"text":103,"url":37,"blocks":104,"state":141},"ewrererw","testrfesssssssssss",[105,129],{"@type":106,"@version":107,"id":108,"component":109,"responsiveStyles":119},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":110,"tag":110,"options":111,"isRSC":118},"TopBannerContent",{"text":112,"ctaText":46,"url":45,"mainText":113,"cta":116},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks",{"content":114,"fontSize":115},"\u003Cp>New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks\u003C/p>","text-base",{"content":117,"fontSize":115,"url":45},"\u003Cp>\u003Cstrong style=\"font-weight:700;\">Save Your Spot\u003C/strong>\u003C/p>\n",null,{"large":120},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"marginTop":126,"marginBottom":126,"fontSize":127,"fontWeight":128},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"id":130,"@type":106,"tagName":131,"properties":132,"responsiveStyles":136},"builder-pixel-08zrjigffq5t","img",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":137},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},"block","hidden","none",{"deviceSize":142,"location":143},"large",{"path":37,"query":144},{},{},1775137295127,1774968080803,"ax7YYfD0OCeqT1Vxxv1G4FUbqVr1",[],{"breakpoints":151,"hasLinks":6,"kind":152,"lastPreviewUrl":153,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests%2CmergePullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default","2lvuonnywj",[156,180],{"createdDate":157,"id":158,"name":159,"modelId":160,"published":13,"stageModifiedSincePublish":6,"query":161,"data":162,"variations":173,"lastUpdated":174,"firstPublished":175,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":176,"meta":177,"rev":179},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":163,"type":19,"testimonialLink":48,"testimonial":164},{},{"@type":17,"id":18,"model":19,"value":165},{"query":166,"folders":167,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":168,"variations":169,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":170,"rev":172},[],[],{"author":27,"jobTitle":28,"quote":24,"image":29},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":171,"hasAutosaves":41},{"small":39,"medium":40},"7t755zfvte3",{},1776247404986,1776247404973,[],{"breakpoints":178,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"4moh0qpywtr",{"createdDate":181,"id":182,"name":88,"modelId":160,"published":13,"meta":183,"stageModifiedSincePublish":6,"query":185,"data":186,"variations":207,"lastUpdated":208,"firstPublished":209,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":210,"rev":179},1776255761419,"05a9322735fc427db12e2740e4302300",{"breakpoints":184,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[],{"testimonial":187,"link":206,"type":83,"title":88,"description":84,"image":82},{"@type":17,"id":188,"model":19,"value":189},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":190,"folders":191,"createdDate":192,"id":188,"name":193,"modelId":25,"published":13,"data":194,"variations":200,"lastUpdated":201,"firstPublished":202,"testRatio":33,"createdBy":34,"lastUpdatedBy":53,"meta":203,"rev":205},[],[],1728981467463,"Push does for identity what CrowdStrike did for the endpoint",{"video":195,"jobTitle":196,"author":197,"qoute":37,"quote":198,"image":199},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":36,"lastPreviewUrl":37,"breakpoints":204,"hasAutosaves":41},{"small":39,"medium":40},"6s8ic0w0ao6",{"text":87,"url":86},{},1776255810913,1776255810900,[],[212,235],{"createdDate":213,"id":214,"name":88,"modelId":215,"published":13,"meta":216,"stageModifiedSincePublish":6,"query":218,"data":219,"variations":230,"lastUpdated":231,"firstPublished":232,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":233,"rev":234},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":217,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[],{"testimonial":220,"link":229,"type":83,"title":88,"description":84,"image":82},{"@type":17,"id":188,"model":19,"value":221},{"query":222,"folders":223,"createdDate":192,"id":188,"name":193,"modelId":25,"published":13,"data":224,"variations":225,"lastUpdated":201,"firstPublished":202,"testRatio":33,"createdBy":34,"lastUpdatedBy":53,"meta":226,"rev":228},[],[],{"video":195,"jobTitle":196,"author":197,"qoute":37,"quote":198,"image":199},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":227,"hasAutosaves":41},{"small":39,"medium":40},"r77qqueuo3j",{"text":87,"url":86},{},1776256937553,1776256937540,[],"q0jkez80wkg",{"createdDate":236,"id":237,"name":11,"modelId":215,"published":13,"stageModifiedSincePublish":6,"query":238,"data":239,"variations":250,"lastUpdated":251,"firstPublished":252,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":253,"meta":254,"rev":234},1776256949234,"ce043785b71b4ece98eac811ecf4ba10",[],{"link":240,"type":19,"testimonial":241,"testimonialLink":48},{},{"@type":17,"id":18,"model":19,"value":242},{"query":243,"folders":244,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":245,"variations":246,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":247,"rev":249},[],[],{"author":27,"jobTitle":28,"quote":24,"image":29},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":248,"hasAutosaves":41},{"small":39,"medium":40},"mnaneamy308",{},1776256974140,1776256974130,[],{"breakpoints":255,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[257,441,560,679,797,917,1037,1157],{"createdDate":258,"id":259,"name":260,"modelId":261,"published":13,"stageModifiedSincePublish":6,"query":262,"data":268,"variations":429,"lastUpdated":430,"firstPublished":431,"testRatio":33,"screenshot":432,"createdBy":34,"lastUpdatedBy":433,"folders":434,"meta":435,"rev":440},1744829487099,"387451215c314dd5bd654668cdc1a197","Zero-day phishing","cca4143377554c5a9163cc203a8ed2ba",[263],{"@type":264,"property":265,"operator":266,"value":267},"@builder.io/core:Query","urlPath","is","/uc/zero-day-phishing-protection",{"inputs":269,"customFonts":270,"seoTitle":318,"title":318,"tsCode":37,"seoDescription":319,"fontAwesomeIcon":320,"jsCode":37,"blocks":321,"url":267,"state":426},[],[271],{"family":272,"kind":273,"version":274,"lastModified":275,"files":276,"category":295,"menu":296,"subsets":297,"variants":300},"DM Sans","webfonts#webfont","v14","2023-07-13",{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"800italic":285,"900italic":286,"700italic":287,"100italic":288,"italic":289,"regular":290,"200italic":291,"500italic":292,"300italic":293,"600italic":294},"https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAop1hTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwA_JxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAkJxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAfJthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwARZthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAC5thTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8gCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9uCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDG3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-7DW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat_XDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9XCm3zRmYJpso5.ttf","sans-serif","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxRT23z.ttf",[298,299],"latin","latin-ext",[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"100","200","300","regular","500","600","800","900","100italic","200italic","300italic","italic","500italic","600italic","700italic","800italic","900italic","Zero-day phishing protection","Detect phishing TTPs directly in the browser and stop credential theft.","faFishingRod",[322,421],{"@type":106,"@version":107,"tagName":323,"id":324,"children":325},"div","builder-76c6b8d1499346c7bc1fd56ae4e93638",[326,343,351,358,370,385,396,407,413],{"@type":106,"@version":107,"layerName":327,"id":328,"component":329,"responsiveStyles":340},"UseCaseHero","builder-5228fe062bef4a40a91e43f1112832fa",{"name":327,"options":330,"isRSC":118},{"title":318,"description":331,"points":332,"video":339},"\u003Cp>Push detects phishing as it happens. Autonomous agents hunt for new phishing techniques, identify kit signatures, and deploy detections within minutes of a new attack being analyzed. From cloned login pages to AiTM credential harvesting, Push sees what traditional filters miss and stops threats before they escalate.\u003C/p>",[333,335,337],{"item":334},"Detect phishing that bypasses traditional filters, including AiTM, SSO password theft, and fake login pages",{"item":336},"Stop never-before-seen attacks with AI-native behavioral and on-page analysis inside the browser",{"item":338},"Investigate faster with unified browser, user, and page context","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F40433ceeb4f94b43a82e039a0f4fd411%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=40433ceeb4f94b43a82e039a0f4fd411&alt=media&optimized=true",{"large":341},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},"transparent",{"@type":106,"@version":107,"id":344,"component":345,"responsiveStyles":348},"builder-96634044407e491299e291ed64669e39",{"name":346,"options":347,"isRSC":118},"TrustedBy",{"AllPartners":41,"backgroundTransparent":6},{"large":349},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},"#000",{"@type":106,"@version":107,"id":352,"component":353,"responsiveStyles":356},"builder-2c3768f930534557bb8978e32b6a6a0f",{"name":354,"options":355,"isRSC":118},"Diagonal",{"darkMode":41},{"large":357},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":359,"id":360,"component":361,"responsiveStyles":368},"TextImageBlockVertical","builder-7c3c1c2840424db2ad2ccbfaf382dd64",{"name":359,"tag":359,"options":362,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":365,"description":366,"animatedTitle":37,"image":367,"reverse":6,"descriptionPaddingHorizontal":118},1200,800,"\u003Ch2>Why stop at the inbox?\u003C/h2>","\u003Cp>Phishing attacks have evolved. Whether attackers lure users with QR codes, instant messages, or OAuth consent screens, the outcome is the same: it plays out in the browser. Push gives you real-time detection for in-browser threats, stopping phishing and consent-based attacks before they lead to compromise\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7fdcac241f0e4a049166d7076858adeb",{"large":369},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":371,"component":372,"responsiveStyles":380},"builder-41c978b3669749cf947e622b4e79e4d7",{"name":373,"options":374,"isRSC":118},"TextImageBlockHorizontal",{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":377,"description":378,"reverse":41,"image":379},600,100,"\u003Cp>Detect phishing at the edge\u003C/p>","\u003Cp>Push uses industry-first telemetry to detect phishing based on behavior, not static indicators. Autonomous agents analyze how phishing pages behave and how users interact with them, uncovering fake logins, credential theft, and phishing kits the moment they load in the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F9df3d180c97b4e61af142af2ccd68721",{"large":381},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},"DM Sans, sans-serif","20px","0px",{"@type":106,"@version":107,"id":386,"component":387,"responsiveStyles":393},"builder-d2a7bc941feb43cdb898bc116b203cf9",{"name":373,"options":388,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":390,"description":391,"reverse":6,"image":392},120,"\u003Ch2>Go beyond blocklists and IOCs\u003C/h2>","\u003Cp>Push goes beyond URLs and easy-to-change indicators. It reads the full phishing playbook like script behavior, session hijacks, DOM changes, user inputs, then connects the dots in real time. This gives your team a complete picture of how the phishing attempt worked, not just an alert.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fabfd58db169b433e96d3f1261797156e",{"large":394},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},"36px",{"@type":106,"@version":107,"layerName":373,"id":397,"component":398,"responsiveStyles":404},"builder-42c32198083f4880acb37c5cb76934da",{"name":373,"options":399,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":401,"description":402,"reverse":41,"image":403},140,"\u003Ch2>Enhance your phishing response\u003C/h2>","\u003Cp>When phishing enters your environment, speed matters. Push gives you instant access to the telemetry that counts like session data, user behavior, and page activity, so you can investigate fast, trigger in-browser prompts, or forward alerts to your SIEM or SOAR for response. All in real time, right from the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fbb195aec46904056b85e8688629e558e",{"large":405},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},"47px",{"@type":106,"@version":107,"id":408,"component":409,"responsiveStyles":411},"builder-9a95b9cbc4854421a92ef7b90f6c7adb",{"name":354,"options":410,"isRSC":118},{"darkMode":6},{"large":412},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":414,"component":415,"responsiveStyles":419},"builder-0afa17a9f25c4661a90f314d5578aa18",{"name":416,"tag":416,"options":417,"isRSC":118},"LatestResources",{"sectionHeading":37,"customClass":418},"bg-black",{"large":420},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":422,"@type":106,"tagName":131,"properties":423,"responsiveStyles":424},"builder-pixel-21yj6h3p4wh",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":425},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":427},{"path":37,"query":428},{},{},1776275046831,1745499158657,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fff60c30a8442489c8ed7e0af9599d14f","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"lastPreviewUrl":436,"winningTest":118,"breakpoints":437,"kind":438,"hasLinks":6,"originalContentId":439,"hasAutosaves":6},"https://pushsecurity.com/uc/zero-day-phishing-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=387451215c314dd5bd654668cdc1a197&builder.overrides.387451215c314dd5bd654668cdc1a197=387451215c314dd5bd654668cdc1a197&builder.overrides.use-case-page:/uc/zero-day-phishing-protection=387451215c314dd5bd654668cdc1a197&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},"page","2daa5670b8504fc7ba4700633e8bd921","atvz4dp24b7",{"createdDate":442,"id":443,"name":444,"modelId":261,"published":13,"stageModifiedSincePublish":6,"query":445,"data":448,"variations":552,"lastUpdated":553,"firstPublished":554,"testRatio":33,"screenshot":555,"createdBy":34,"lastUpdatedBy":433,"folders":556,"meta":557,"rev":440},1756833377777,"54f8256648f54d439303734b1e69221b","Browser extension security",[446],{"@type":264,"property":265,"operator":266,"value":447},"/uc/browser-extension-security",{"seoDescription":449,"jsCode":37,"fontAwesomeIcon":450,"tsCode":37,"title":444,"seoTitle":444,"customFonts":451,"inputs":456,"blocks":457,"url":447,"state":549},"Shine a light on risky browser extensions.","faPuzzlePiece",[452],{"kind":273,"family":272,"version":274,"files":453,"category":295,"lastModified":275,"subsets":454,"variants":455,"menu":296},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"100italic":288,"italic":289,"regular":290,"900italic":286,"800italic":285,"700italic":287,"200italic":291,"300italic":293,"500italic":292,"600italic":294},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],[],[458,544],{"@type":106,"@version":107,"tagName":323,"id":459,"meta":460,"children":461},"builder-71d0648c1d2f4ede8d0d0b5b28b7b94c",{"previousId":324},[462,478,485,492,501,511,521,531,538],{"@type":106,"@version":107,"id":463,"meta":464,"component":465,"responsiveStyles":476},"builder-ff325b4b8fad4edea53f38865947e854",{"previousId":328},{"name":327,"options":466,"isRSC":118},{"title":444,"description":467,"points":468,"video":475},"\u003Cp>Browser extensions introduce new code, new permissions, and new potential for risk. Many include AI features, and most go completely unnoticed. Push gives you full visibility into every extension used across your workforce, across major browsers, so you can uncover shadow IT, assess risky permissions, and block unsafe tools before they lead to compromise.\u003C/p>",[469,471,473],{"item":470},"Discover every browser extension in use",{"item":472},"Spot risky or unsanctioned behavior",{"item":474},"Make informed decisions on extension policy","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc538aad95d7f403aa3c3551af72f67c0?alt=media&token=1411fa6d-2eac-4e6c-94bf-ea117da12d67&apiKey=f3a1111ff5be48cdbb123cd9f5795a05",{"large":477},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":479,"meta":480,"component":481,"responsiveStyles":483},"builder-fb89d128c64e47cf9cbb11d90fc24523",{"previousId":344},{"name":346,"options":482,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":484},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":486,"meta":487,"component":488,"responsiveStyles":490},"builder-54388d35126c4d0096eeebaf8c4448cd",{"previousId":352},{"name":354,"options":489,"isRSC":118},{"darkMode":41},{"large":491},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":359,"id":493,"component":494,"responsiveStyles":499},"builder-3c8fa6785dd6466abf52a2470d66d85a",{"name":359,"tag":359,"options":495,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":496,"description":497,"image":498,"reverse":6},"\u003Ch2>Take control of browser extensions\u003C/h2>","\u003Cp>Attackers are increasingly using malicious browser extensions to gain access to data processed and stored in the browser. And the problem is, most security teams have no visibility into what extensions are being used. Push changes that. With browser-native telemetry, the Push extension continuously inventories browser extensions across your environment, flags the risky ones, and gives you intelligence to act. \u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0a004f16a6874f4c8fdf14344acc9fec",{"large":500},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":502,"meta":503,"component":504,"responsiveStyles":509},"builder-93738f98109a4009affb349afd7bb182",{"previousId":371},{"name":373,"options":505,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":506,"description":507,"reverse":41,"image":508},"\u003Ch2>Discover every extension in use\u003C/h2>","\u003Cp>Push gives you structured, searchable data about every extension in your environment, so you’re not just seeing what’s there, but also understanding how it got there, what it can do, and who it affects. It’s the kind of granular insight that’s nearly impossible to get from traditional tools, and it lays the groundwork for better policy decisions and faster investigations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0e5727ca99474f14b1b7916bf6bbb782",{"large":510},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":512,"meta":513,"component":514,"responsiveStyles":519},"builder-83393acb12ee4fdd840839185b51edb4",{"previousId":386},{"name":373,"options":515,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":516,"description":517,"reverse":6,"image":518},"\u003Ch2>Spot risky or malicious extensions\u003C/h2>","\u003Cp>Push highlights extensions with dangerous permissions, broad access, or poor reputations. This includes AI extensions that request access far beyond what their stated purpose requires. You can quickly detect sideloaded, manually installed, or development-mode extensions that bypass normal controls. And because Push shows you who’s using them and where, you can respond precisely and effectively.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa104d58c8da34fbb8901f738fb21453b",{"large":520},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":522,"meta":523,"component":524,"responsiveStyles":529},"builder-da98e3de949646d89c53a0d1c2784664",{"previousId":397},{"name":373,"options":525,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":526,"description":527,"reverse":41,"image":528},"\u003Ch2>Accelerate security reviews\u003C/h2>","\u003Cp>Most teams have extension policies, they just don’t have the data to enforce them. Push reveals how each extension entered your environment, whether it was installed manually, sideloaded, or deployed in dev mode. You’ll see which users are running what, and where, so you can surface violations, investigate quickly, and respond with confidence.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F229f355be6f243b180f410d237a75bb3",{"large":530},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":532,"meta":533,"component":534,"responsiveStyles":536},"builder-1a689287d1a1418997d57db578a71105",{"previousId":408},{"name":354,"options":535,"isRSC":118},{"darkMode":6},{"large":537},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":539,"component":540,"responsiveStyles":542},"builder-feb4e75029f84c10b6498ef1f8f79128",{"name":416,"tag":416,"options":541,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":543},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":545,"@type":106,"tagName":131,"properties":546,"responsiveStyles":547},"builder-pixel-0edn39avfcei",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":548},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":550},{"path":37,"query":551},{},{},1776275365038,1757000441666,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8d496cf111644ee5afcc046b72d1ca5a",[],{"kind":438,"winningTest":118,"breakpoints":558,"lastPreviewUrl":559,"hasLinks":6,"originalContentId":259,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/browser-extension-security?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=54f8256648f54d439303734b1e69221b&builder.overrides.54f8256648f54d439303734b1e69221b=54f8256648f54d439303734b1e69221b&builder.overrides.use-case-page:/uc/browser-extension-security=54f8256648f54d439303734b1e69221b&builder.options.locale=Default",{"createdDate":561,"id":562,"name":563,"modelId":261,"published":13,"query":564,"data":567,"variations":670,"lastUpdated":671,"firstPublished":672,"testRatio":33,"screenshot":673,"createdBy":34,"lastUpdatedBy":674,"folders":675,"meta":676,"rev":440},1744923509705,"94bebb7bb99d48629ad157e80cf4d81d","Account takeover detection",[565],{"@type":264,"property":265,"operator":266,"value":566},"/uc/account-takeover-detection",{"title":563,"customFonts":568,"jsCode":37,"seoTitle":563,"seoDescription":573,"fontAwesomeIcon":574,"tsCode":37,"blocks":575,"url":566,"state":667},[569],{"kind":273,"category":295,"variants":570,"menu":296,"files":571,"family":272,"subsets":572,"version":274,"lastModified":275},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"300italic":293,"500italic":292,"800italic":285,"700italic":287,"italic":289,"900italic":286,"600italic":294,"200italic":291,"regular":290,"100italic":288},[298,299],"Stop ATO with stolen credential and compromised token detection.","faUserSecret",[576,662],{"@type":106,"@version":107,"tagName":323,"id":577,"meta":578,"children":579},"builder-e7913a774cae44c5a23d6081c5c30a52",{"previousId":324},[580,596,603,610,619,629,639,649,656],{"@type":106,"@version":107,"id":581,"meta":582,"component":583,"responsiveStyles":594},"builder-f1f1ab1601bc4c0f8c2a8aafd173675d",{"previousId":328},{"name":327,"options":584,"isRSC":118},{"title":563,"description":585,"points":586,"video":593},"\u003Cp>Attackers don’t need to phish, they just need a password that works. Push monitors for signs of credential-based attacks in real time, directly in the browser, catching account takeover attempts before the damage spreads. From ghost logins to credential stuffing, Push cuts off the paths attackers use to quietly slip in the back door.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[587,589,591],{"item":588},"Identify credential-based ATO as it unfolds",{"item":590},"Surface hijacked sessions and token misuse",{"item":592},"Strengthen authentication where your IdP can’t","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb4dd9db24bc9495b8a686b1b4d492016%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=b4dd9db24bc9495b8a686b1b4d492016&alt=media&optimized=true",{"large":595},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":597,"meta":598,"component":599,"responsiveStyles":601},"builder-0bc0d1c78ece4994993c3a6427a4d533",{"previousId":344},{"name":346,"options":600,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":602},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":604,"meta":605,"component":606,"responsiveStyles":608},"builder-e45de8f3768c4f16938dbf78e4e87524",{"previousId":352},{"name":354,"options":607,"isRSC":118},{"darkMode":41},{"large":609},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":611,"component":612,"responsiveStyles":617},"builder-c98e8bfd341146c1b67c02d5698ff093",{"name":359,"tag":359,"options":613,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":614,"description":615,"image":616,"reverse":6},"\u003Ch2>Assume less. See more.\u003C/h2>","\u003Cp>Most account takeovers don’t start with a breach, they start with a login. Whether it’s a reused password, a local account, or an outdated login flow, Push shows you how accounts are actually accessed day to day, not just how policies say they should be. That means no more blind spots around ghost logins, bypassed SSO, or stale access paths that quietly persist.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F18630ad2746d4eb7b7fcc0428b11a8f0",{"large":618},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":620,"meta":621,"component":622,"responsiveStyles":627},"builder-55c1fc38ddc04fd1a0d6a8e2fb819e00",{"previousId":371},{"name":373,"options":623,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":624,"description":625,"reverse":41,"image":626},"\u003Ch2>Catch stolen credential use in real time\u003C/h2>","\u003Cp>Push monitors login activity directly in the browser to detect signs of credential-based attacks like leaked password use or suspicious login flows. By analyzing attacker TTPs instead of relying on known indicators, Push spots credential stuffing and account takeover attempts the moment they begin, not after they’ve succeeded.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F52b0123cac2c4dfdb1dc0af6adf9d603",{"large":628},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":630,"meta":631,"component":632,"responsiveStyles":637},"builder-dfb31737b30948c6b95323655d571a50",{"previousId":386},{"name":373,"options":633,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":634,"description":635,"reverse":6,"image":636},"\u003Ch2>Detect session hijacks and stealth access\u003C/h2>","\u003Cp>Attackers don’t always need a login screen, they often sidestep it entirely using stolen session tokens. Push detects when valid sessions are reused in unexpected ways, identifying hijacked sessions and stealth access attempts that traditional tools miss. Because we monitor directly in the browser, you see what’s happening inside active sessions in real time.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F94a6859a99e04d309ffe5841f3dbdf5c",{"large":638},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":640,"meta":641,"component":642,"responsiveStyles":647},"builder-f7585b90eb974d03a7dc7eae5b58d227",{"previousId":397},{"name":373,"options":643,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":644,"description":645,"reverse":41,"image":646},"\u003Ch2>Harden accounts before they’re compromised\u003C/h2>","\u003Cp>Push goes beyond alerts. It identifies apps that still allow local logins, even when SSO is configured, so you can remove weak access paths. Push also flags users without MFA, reused work credentials, or weak passwords, and prompts users in-browser to fix risky behaviors before they’re exploited.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01c1b638f1b6497093a4f2b8ceddb5bb",{"large":648},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":650,"meta":651,"component":652,"responsiveStyles":654},"builder-ad81d1e3afec49a791214194eae09bdc",{"previousId":408},{"name":354,"options":653,"isRSC":118},{"darkMode":6},{"large":655},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":657,"component":658,"responsiveStyles":660},"builder-8dac1aa4b9d148628d92252bd8eff822",{"name":416,"tag":416,"options":659,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":661},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":663,"@type":106,"tagName":131,"properties":664,"responsiveStyles":665},"builder-pixel-s5u3wmvz7jq",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":666},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":668},{"path":37,"query":669},{},{},1770892814499,1745499162732,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F58b660fa94aa4b30b0faeb9b663ae41a","SfUPqW5tkibIPby49keNFMdHFTr1",[],{"lastPreviewUrl":677,"hasLinks":6,"originalContentId":259,"breakpoints":678,"winningTest":118,"kind":438,"hasAutosaves":41},"https://pushsecurity.com/uc/account-takeover-detection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.94bebb7bb99d48629ad157e80cf4d81d=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.use-case-page:/uc/account-takeover-detection=94bebb7bb99d48629ad157e80cf4d81d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":680,"id":681,"name":682,"modelId":261,"published":13,"query":683,"data":686,"variations":789,"lastUpdated":790,"firstPublished":791,"testRatio":33,"screenshot":792,"createdBy":34,"lastUpdatedBy":674,"folders":793,"meta":794,"rev":440},1745009370904,"23eb48fb56d3451cab77cb6ed140ee6d","Attack path hardening",[684],{"@type":264,"property":265,"operator":266,"value":685},"/uc/attack-path-hardening",{"tsCode":37,"seoDescription":687,"jsCode":37,"customFonts":688,"fontAwesomeIcon":693,"seoTitle":682,"title":682,"blocks":694,"url":685,"state":786},"Harden access paths with visibility,  detection, and guardrails.",[689],{"kind":273,"files":690,"version":274,"lastModified":275,"subsets":691,"menu":296,"category":295,"variants":692,"family":272},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"regular":290,"italic":289,"800italic":285,"500italic":292,"600italic":294,"200italic":291,"900italic":286,"700italic":287,"100italic":288,"300italic":293},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"faRadar",[695,781],{"@type":106,"@version":107,"tagName":323,"id":696,"meta":697,"children":698},"builder-1d8553eddcaa44d7bba9e2f4ca13af2a",{"previousId":577},[699,715,722,729,738,748,758,768,775],{"@type":106,"@version":107,"id":700,"meta":701,"component":702,"responsiveStyles":713},"builder-84fe3d7c85a743cf8cef649aa974f1ef",{"previousId":581},{"name":327,"options":703,"isRSC":118},{"title":682,"description":704,"points":705,"video":712},"\u003Cp>Push continuously monitors your environment for exposed login paths, weak credentials, and missing protections like MFA. It detects the gaps attackers exploit and helps you close them before they’re used.\u003C/p>",[706,708,710],{"item":707},"Find weak spots like reused passwords, local logins, and missing MFA",{"item":709},"Monitor how users actually log in across apps, flows, and tools",{"item":711},"Enforce secure access with in-browser guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fdbdcf52892034f1bbddded77f753a343%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=dbdcf52892034f1bbddded77f753a343&alt=media&optimized=true",{"large":714},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":716,"meta":717,"component":718,"responsiveStyles":720},"builder-b3f66f5b08054cc78a06fecfc3ae2337",{"previousId":597},{"name":346,"options":719,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":721},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":723,"meta":724,"component":725,"responsiveStyles":727},"builder-4c73418b84be49ed85e6e13d2625c5a0",{"previousId":604},{"name":354,"options":726,"isRSC":118},{"darkMode":41},{"large":728},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":730,"component":731,"responsiveStyles":736},"builder-dec0246085e1485c803f7152b1922a81",{"name":359,"tag":359,"options":732,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":733,"description":734,"image":735,"reverse":6},"\u003Ch2>Find the gaps that lead to compromise\u003C/h2>","\u003Cp>Misconfigurations don’t show up in your config files, they show up in how users actually access apps. Push monitors real login behavior in the browser, surfacing risky patterns like local login access, duplicate accounts, or missing protections that leave doors wide open.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F309a59bba8d247a19476bb369397460e",{"large":737},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":739,"meta":740,"component":741,"responsiveStyles":746},"builder-ebf049a645604a249550996a88f8f3b6",{"previousId":620},{"name":373,"options":742,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":743,"description":744,"reverse":41,"image":745},"\u003Ch2>See real login behavior\u003C/h2>","\u003Cp>Push watches authentication flows as they happen, giving you a live view of how users log in, which methods they choose, and where protections like MFA are missing. Plus, uncover every app and account in use, even shadow IT you didn’t know existed, without relying on stale config files or IdP assumptions. \u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb51f6b0357cc451b87a7a5016d984e5e",{"large":747},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":749,"meta":750,"component":751,"responsiveStyles":756},"builder-431d175c59004669b0b2776b07d71737",{"previousId":630},{"name":373,"options":752,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":753,"description":754,"reverse":6,"image":755},"\u003Ch2>Find and fix posture drift\u003C/h2>","\u003Cp>Security posture isn’t static. Push continuously monitors for issues like missing MFA or legacy login methods. When something falls out of policy, you know immediately with custom notifications so you can act before it turns into risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F324e39127dfc41e592b1183dfb39892d",{"large":757},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":759,"meta":760,"component":761,"responsiveStyles":766},"builder-3dffdcbe0a484e2ca4c03f019b6d40ee",{"previousId":640},{"name":373,"options":762,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":763,"description":764,"reverse":41,"image":765},"\u003Ch2>Guide users with in-browser guardrails\u003C/h2>","\u003Cp>Push doesn’t just surface problems, it helps you fix them. When users sign in without MFA, reuse a password, or use insecure credentials, Push prompts them directly in the browser to secure their access. It’s faster, more effective, and actually gets results.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fee8b75d13e45488aba55434a8b49ebb0",{"large":767},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":769,"meta":770,"component":771,"responsiveStyles":773},"builder-976bc222cd7647ff905f1e01cfedc453",{"previousId":650},{"name":354,"options":772,"isRSC":118},{"darkMode":6},{"large":774},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":776,"component":777,"responsiveStyles":779},"builder-8c47ec2fd0f74382bb3e6c870555632c",{"name":416,"tag":416,"options":778,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":780},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":782,"@type":106,"tagName":131,"properties":783,"responsiveStyles":784},"builder-pixel-7akm7dayau8",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":785},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":787},{"path":37,"query":788},{},{},1770892844854,1745499166112,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6ca12bf728a045f1a31d40c0beb3bfe5",[],{"kind":438,"lastPreviewUrl":795,"breakpoints":796,"hasLinks":6,"originalContentId":562,"winningTest":118,"hasAutosaves":6},"https://pushsecurity.com/uc/attack-path-hardening?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.23eb48fb56d3451cab77cb6ed140ee6d=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.use-case-page:/uc/attack-path-hardening=23eb48fb56d3451cab77cb6ed140ee6d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":798,"id":799,"name":800,"modelId":261,"published":13,"query":801,"data":804,"variations":909,"lastUpdated":910,"firstPublished":911,"testRatio":33,"screenshot":912,"createdBy":34,"lastUpdatedBy":674,"folders":913,"meta":914,"rev":440},1761675020232,"ea4f309d2ffe46c5aa97ebf0fda4e2e3","ClickFix Protection",[802],{"@type":264,"property":265,"operator":266,"value":803},"/uc/clickfix-protection",{"seoDescription":805,"fontAwesomeIcon":806,"customFonts":807,"seoTitle":812,"jsCode":37,"tsCode":37,"title":812,"blocks":813,"url":803,"state":906},"Block attacks that trick users into running malicious code.","faLaptopCode",[808],{"files":809,"subsets":810,"menu":296,"version":274,"kind":273,"family":272,"lastModified":275,"variants":811,"category":295},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"200italic":291,"800italic":285,"700italic":287,"600italic":294,"100italic":288,"italic":289,"regular":290,"300italic":293,"500italic":292,"900italic":286},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"ClickFix protection",[814,901],{"@type":106,"@version":107,"tagName":323,"id":815,"meta":816,"children":817},"builder-d7eefdde0f2a4b2b9de3dcb2978fd6cb",{"previousId":696},[818,834,841,848,858,868,878,888,895],{"@type":106,"@version":107,"id":819,"meta":820,"component":821,"responsiveStyles":832},"builder-56e2c54bcce040a4af8b92ae03706c12",{"previousId":700},{"name":327,"options":822,"isRSC":118},{"title":812,"description":823,"points":824,"image":831},"\u003Cp>ClickFix attacks are one of the fastest-growing threats, tricking users into copying malicious code from a webpage and running it locally. This technique bypasses traditional EDR, email gateways, and network filters, leading directly to ransomware and data theft. Push stops this attack at the source, in the browser, by detecting and blocking the malicious behavior before the user can ever paste the code.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[825,827,829],{"item":826},"Detect ClickFix, FileFix, and fake CAPTCHA in the browser",{"item":828},"Block malicious copy-and-paste actions before code is executed",{"item":830},"See full telemetry into which users were targeted and what they saw","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b74af62889847ebb3927364485b0546",{"large":833},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":835,"meta":836,"component":837,"responsiveStyles":839},"builder-05f9614d4e3e4dc88b3ee8658f54e10e",{"previousId":716},{"name":346,"options":838,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":840},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":842,"meta":843,"component":844,"responsiveStyles":846},"builder-c4fb5179366243c1b6c32d368675cf47",{"previousId":723},{"name":354,"options":845,"isRSC":118},{"darkMode":41},{"large":847},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":849,"meta":850,"component":851,"responsiveStyles":856},"builder-261af50705fd445d8cca4a6ba20d5391",{"previousId":730},{"name":359,"tag":359,"options":852,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":853,"description":854,"reverse":6,"image":855},"\u003Ch2>Stop ClickFix-style attacks before they become a breach\u003C/h2>","\u003Cp>Traditional security tools are blind to malicious copy and paste attacks because the attack exploits a gap between the browser and the endpoint. EDR only sees the payload after it runs, and network tools see only part of the picture.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F98b2f7e08dec4eafaf8e24937605b8cf",{"large":857},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":859,"meta":860,"component":861,"responsiveStyles":866},"builder-7d21b8aab8064c40b1e5dd23c4749309",{"previousId":739},{"name":373,"options":862,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":863,"description":864,"reverse":41,"image":865},"\u003Ch2>Discover lures at the source\u003C/h2>","\u003Cp>Push inspects page behavior to identify ClickFix attacks as they happen. By inspecting the page, its structure, and how the user interacts with it, Push can detect and block these in-browser threats in real time. This deep, TTP-based inspection spots the trap even on novel pages that are built to bypass traditional web filters and blocklists.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F665bf47e01544c75bf9ddafd3917927b",{"large":867},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":869,"meta":870,"component":871,"responsiveStyles":876},"builder-fb91943adf6149259ed9e1e6566c9afe",{"previousId":749},{"name":373,"options":872,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":873,"description":874,"reverse":6,"image":875},"\u003Ch2>Block the malicious action\u003C/h2>","\u003Cp>When Push detects a malicious script, it intercepts the user's action and blocks the code from being copied to the clipboard. The user is protected, the attack is stopped, and no malicious code ever reaches the endpoint. Unlike broad DLP tools, this action is surgical, targeting only malicious behavior without disrupting normal work.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F5ee68f81f1ac416685cbfe91298cf827",{"large":877},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":879,"meta":880,"component":881,"responsiveStyles":886},"builder-bfac95fada864e5a8259b955b5b5f98b",{"previousId":759},{"name":373,"options":882,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":883,"description":884,"reverse":41,"image":885},"\u003Ch2>Accelerate ClickFix investigations\u003C/h2>","\u003Cp>When an attack happens, knowing what the user saw or did is critical. Push provides rich browser session data for rapid investigation and containment. Security teams get detailed telemetry on which users were targeted, what lure they were served, and when the block occurred. This enables defenders to reconstruct what happened and respond quickly, even when other tools miss the activity entirely.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6cdf2a8aeddc4e9a9023cbf974e40239",{"large":887},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":889,"meta":890,"component":891,"responsiveStyles":893},"builder-136892e831684a6987f87d3be67c33d1",{"previousId":769},{"name":354,"options":892,"isRSC":118},{"darkMode":6},{"large":894},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":896,"component":897,"responsiveStyles":899},"builder-dec26b739f2f42beb5a73cfc6c675b60",{"name":416,"tag":416,"options":898,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":900},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":902,"@type":106,"tagName":131,"properties":903,"responsiveStyles":904},"builder-pixel-zzjpxxgrc2l",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":905},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":907},{"path":37,"query":908},{},{},1770892881888,1761847585203,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F375467b8bef34ed1a8a1cc5b8b67d75f",[],{"lastPreviewUrl":915,"originalContentId":681,"winningTest":118,"hasLinks":6,"kind":438,"breakpoints":916,"hasAutosaves":6},"https://pushsecurity.com/uc/clickfix-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.ea4f309d2ffe46c5aa97ebf0fda4e2e3=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.use-case-page:/uc/clickfix-protection=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":918,"id":919,"name":920,"modelId":261,"published":13,"query":921,"data":924,"variations":1029,"lastUpdated":1030,"firstPublished":1031,"testRatio":33,"screenshot":1032,"createdBy":34,"lastUpdatedBy":674,"folders":1033,"meta":1034,"rev":440},1745009743870,"a9d5556e77f84a37b5bd52310a7110c1","Incident response",[922],{"@type":264,"property":265,"operator":266,"value":923},"/uc/incident-response",{"seoDescription":925,"customFonts":926,"title":920,"jsCode":37,"fontAwesomeIcon":931,"seoTitle":932,"tsCode":37,"blocks":933,"url":923,"state":1026},"Investigate and respond faster with unique browser telemetry.",[927],{"kind":273,"subsets":928,"menu":296,"variants":929,"category":295,"family":272,"version":274,"lastModified":275,"files":930},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"900italic":286,"600italic":294,"200italic":291,"300italic":293,"100italic":288,"700italic":287,"800italic":285,"regular":290,"italic":289,"500italic":292},"faSatelliteDish","Browser based incident response",[934,1021],{"@type":106,"@version":107,"tagName":323,"id":935,"meta":936,"children":937},"builder-653c4aed737b4def88dc4cd2d695660a",{"previousId":696},[938,955,962,969,978,988,998,1008,1015],{"@type":106,"@version":107,"id":939,"meta":940,"component":941,"responsiveStyles":953},"builder-18190bd36518467d9154d27d7e945b9b",{"previousId":700},{"name":327,"options":942,"isRSC":118},{"title":943,"description":944,"points":945,"video":952},"Browser-based incident response","\u003Cp>Push gives you real-time visibility into what actually happened during a breach, right in the browser where the attack played out. From credential theft to session hijacking, Push captures high-fidelity telemetry so you can investigate quickly, contain confidently, and shut it down before it spreads.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[946,948,950],{"item":947},"Reconstruct what happened with real browser session context",{"item":949},"Investigate faster with real-world session context",{"item":951},"Trigger response actions automatically through your SIEM or SOAR","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fd00e39d3b6e346c296261d875cf55652%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=d00e39d3b6e346c296261d875cf55652&alt=media&optimized=true",{"large":954},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":956,"meta":957,"component":958,"responsiveStyles":960},"builder-8a0a8ea63f5d48dd8a6726f2d49cf0ca",{"previousId":716},{"name":346,"options":959,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":961},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":963,"meta":964,"component":965,"responsiveStyles":967},"builder-2df65c3f54334df2b26e7cb744886cdc",{"previousId":723},{"name":354,"options":966,"isRSC":118},{"darkMode":41},{"large":968},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":970,"component":971,"responsiveStyles":976},"builder-2c32c869efc2423ab69ef06b150e9f97",{"name":359,"tag":359,"options":972,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":973,"description":974,"image":975,"reverse":6},"\u003Ch2>See attacks unfold, not just their aftermath\u003C/h2>","\u003Cp>Attacks happen in the browser, not in logs. Push captures what traditional tools miss: what users clicked, what loaded, what was entered, and how attackers moved. That gives you real-world evidence, not just assumptions, when every second matters.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F36fc719bd1de4a38b916f4d25c81a26d",{"large":977},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":979,"meta":980,"component":981,"responsiveStyles":986},"builder-370e53c6016e432db01e9193a2ce90f6",{"previousId":739},{"name":373,"options":982,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":983,"description":984,"reverse":41,"image":985},"\u003Ch2>Investigate faster with high-fidelity data\u003C/h2>","\u003Cp>Reconstructing an incident shouldn’t feel like guesswork. Push records detailed telemetry from inside the browser: page loads, credential inputs, DOM changes, session activity, user behavior. It’s structured, exportable, and ready to plug into your investigation workflows, so you can move fast without digging through proxy logs or relying on user reports.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa6adda040e684e67a8d68a55c5ce5f6d",{"large":987},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":989,"meta":990,"component":991,"responsiveStyles":996},"builder-a7f3767a8d184bd08fb24520bf210e95",{"previousId":749},{"name":373,"options":992,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":993,"description":994,"reverse":6,"image":995},"\u003Ch2>Contain and respond in real time\u003C/h2>","\u003Cp>When something looks off, Push doesn’t just alert you, it gives you options. Guide users with in-browser prompts. Terminate sessions. Trigger SOAR workflows. Enrich SIEM alerts. Push gives you the context and control to stop spread before it starts.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb3dedeed5aba4847a2c2d22e10d0ec12",{"large":997},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":999,"meta":1000,"component":1001,"responsiveStyles":1006},"builder-b92036ee0ece4b32acdbdcc7c377366b",{"previousId":759},{"name":373,"options":1002,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1003,"description":1004,"reverse":41,"image":1005},"\u003Ch2>Prevent the next one\u003C/h2>","\u003Cp>Push helps you respond fast, but it also helps you fix what went wrong. It surfaces misconfigurations and risky behaviors that made the attack possible in the first place, then guides users in-browser to remediate. One tool. Full loop. No loose ends.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc1ecc2d5d3814b62b072fac01827ff96",{"large":1007},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1009,"meta":1010,"component":1011,"responsiveStyles":1013},"builder-5e8ae39655274de89da32ab573a2525a",{"previousId":769},{"name":354,"options":1012,"isRSC":118},{"darkMode":6},{"large":1014},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1016,"component":1017,"responsiveStyles":1019},"builder-dfd6850cfb4741d2b8a0c16c2780f00a",{"name":416,"tag":416,"options":1018,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1020},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1022,"@type":106,"tagName":131,"properties":1023,"responsiveStyles":1024},"builder-pixel-z197gdgcmu",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":1025},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1027},{"path":37,"query":1028},{},{},1770892908052,1745427419274,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb07017bfd318431690a5bb35bda35b99",[],{"kind":438,"breakpoints":1035,"originalContentId":681,"winningTest":118,"lastPreviewUrl":1036,"hasLinks":6,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/incident-response?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.a9d5556e77f84a37b5bd52310a7110c1=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.use-case-page:/uc/incident-response=a9d5556e77f84a37b5bd52310a7110c1&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"createdDate":1038,"id":1039,"name":1040,"modelId":261,"published":13,"query":1041,"data":1044,"variations":1149,"lastUpdated":1150,"firstPublished":1151,"testRatio":33,"screenshot":1152,"createdBy":34,"lastUpdatedBy":674,"folders":1153,"meta":1154,"rev":440},1746122471259,"5f118e24433d46ceb79f5099987156d7","Shadow SaaS",[1042],{"@type":264,"property":265,"operator":266,"value":1043},"/uc/shadow-saas",{"seoTitle":1045,"seoDescription":1046,"customFonts":1047,"fontAwesomeIcon":1052,"title":1053,"jsCode":37,"tsCode":37,"blocks":1054,"url":1043,"state":1146},"Find and secure shadow SaaS","See and control shadow SaaS in the browser.",[1048],{"kind":273,"variants":1049,"files":1050,"family":272,"version":274,"subsets":1051,"lastModified":275,"category":295,"menu":296},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"300italic":293,"500italic":292,"regular":290,"900italic":286,"italic":289,"100italic":288,"200italic":291,"600italic":294,"700italic":287,"800italic":285},[298,299],"faShieldCheck","Secure shadow SaaS",[1055,1141],{"@type":106,"@version":107,"tagName":323,"id":1056,"meta":1057,"children":1058},"builder-04da805c4cd34652a2db452fcda52e1d",{"previousId":935},[1059,1075,1082,1089,1098,1108,1118,1128,1135],{"@type":106,"@version":107,"id":1060,"meta":1061,"component":1062,"responsiveStyles":1073},"builder-830d414faeaf41439142f9157e8288c8",{"previousId":939},{"name":327,"options":1063,"isRSC":118},{"title":1045,"description":1064,"points":1065,"video":1072},"\u003Cp>SaaS sprawl is one of today’s fastest-growing security blind spots because most tools monitor around the edges. Push sees it at the source, in the browser, revealing every app users access, flagging risky tools, and helping you shut down exposure before it leads to a breach. No guesswork. No nasty surprises. Just real-time visibility and control.\u003C/p>",[1066,1068,1070],{"item":1067},"Discover every SaaS app users access, managed or not",{"item":1069},"Spot accounts with weak security postures like missing MFA, unmanaged access, and no SSO",{"item":1071},"Control usage with in-browser prompts, blocks, and security guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F3e4eece318d04d6586e691d59d0741cf%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=3e4eece318d04d6586e691d59d0741cf&alt=media&optimized=true",{"large":1074},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":1076,"meta":1077,"component":1078,"responsiveStyles":1080},"builder-cd7833f966cb4c7e8adf0d6c979414a6",{"previousId":956},{"name":346,"options":1079,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":1081},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":1083,"meta":1084,"component":1085,"responsiveStyles":1087},"builder-49d720b45430454e8b08c526f267c19f",{"previousId":963},{"name":354,"options":1086,"isRSC":118},{"darkMode":41},{"large":1088},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1090,"component":1091,"responsiveStyles":1096},"builder-3dde0bf6c8544e5e9ab41b18a9d68034",{"name":359,"tag":359,"options":1092,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":1093,"description":1094,"image":1095,"reverse":6},"\u003Ch2>Use your browser to curb Saas Sprawl\u003C/h2>","\u003Cp>Shadow SaaS isn’t hiding in your network, it’s in your browser. From AI tools to unsanctioned file-sharing sites, security risks live in the apps your users sign into every day. Push maps your organization's true SaaS footprint in real time, exposing apps and accounts with unmanaged access, poor authentication, or no security oversight.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb6811a214c7949b6bbe0b9a3bca62efd",{"large":1097},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1099,"meta":1100,"component":1101,"responsiveStyles":1106},"builder-e2420451ccdc4f088d0a4904cff45935",{"previousId":979},{"name":373,"options":1102,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":1103,"description":1104,"reverse":41,"image":1105},"\u003Ch2>Discover hidden SaaS usage\u003C/h2>","\u003Cp>Push captures live browser telemetry across every tab and session. Whether a user signs into a sanctioned app with a personal account or tries a new AI plugin, you’ll see it in real time, with no integrations or manual tagging.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe16e301f9af94665b95d98232a863d8a",{"large":1107},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":1109,"meta":1110,"component":1111,"responsiveStyles":1116},"builder-b36de7fce7994beea9e58d94662e7166",{"previousId":989},{"name":373,"options":1112,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":1113,"description":1114,"reverse":6,"image":1115},"\u003Ch2>Spot risky access and unsafe usage\u003C/h2>","\u003Cp>Discovery is just the beginning. Push flags apps with risky traits, no MFA, no SSO, known vulnerabilities, or broad access scopes. You’ll know which tools introduce real risk, and which users are exposed so you can act with precision.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6585f3c242da4d70ae3cb7d02f481bef",{"large":1117},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":1119,"meta":1120,"component":1121,"responsiveStyles":1126},"builder-dc366b5134684fe7a508edf8913103ea",{"previousId":999},{"name":373,"options":1122,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1123,"description":1124,"reverse":41,"image":1125},"\u003Ch2>Close gaps before they grow\u003C/h2>","\u003Cp>Push turns insight into action. When risky SaaS use is detected, guide users to enable MFA, block high-risk apps, or apply in-browser guardrails automatically. All without deploying new infrastructure or managing dozens of integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe6d60b6d91414819bc6258a318f00557",{"large":1127},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1129,"meta":1130,"component":1131,"responsiveStyles":1133},"builder-8708f6f0d8da4b3f9e17bf16cda70219",{"previousId":1009},{"name":354,"options":1132,"isRSC":118},{"darkMode":6},{"large":1134},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1136,"component":1137,"responsiveStyles":1139},"builder-8ff4b38d60534cf28cb523ab0f754875",{"name":416,"tag":416,"options":1138,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1140},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1142,"@type":106,"tagName":131,"properties":1143,"responsiveStyles":1144},"builder-pixel-d1ul2kmxbed",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":1145},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1147},{"path":37,"query":1148},{},{},1770892936802,1746714967208,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01bfb2304521412fbd2e1a1180904d40",[],{"originalContentId":919,"winningTest":118,"lastPreviewUrl":1155,"breakpoints":1156,"kind":438,"hasLinks":6,"hasAutosaves":6},"https://pushsecurity.com/uc/shadow-saas?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=5f118e24433d46ceb79f5099987156d7&builder.overrides.5f118e24433d46ceb79f5099987156d7=5f118e24433d46ceb79f5099987156d7&builder.overrides.use-case-page:/uc/shadow-saas=5f118e24433d46ceb79f5099987156d7&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":1158,"id":1159,"name":1160,"modelId":261,"published":13,"query":1161,"data":1164,"variations":1268,"lastUpdated":1269,"firstPublished":1270,"testRatio":33,"screenshot":1271,"createdBy":34,"lastUpdatedBy":674,"folders":1272,"meta":1273,"rev":440},1764707470172,"b62629ce2f3741158d961cd10fe74b31","Shadow AI",[1162],{"@type":264,"property":265,"operator":266,"value":1163},"/uc/shadow-ai",{"fontAwesomeIcon":1165,"seoTitle":1166,"jsCode":37,"customFonts":1167,"title":1172,"tsCode":37,"seoDescription":1173,"blocks":1174,"url":1163,"state":1265},"faBrainCircuit","Secure AI native and AI enhanced apps. ",[1168],{"variants":1169,"category":295,"files":1170,"subsets":1171,"family":272,"kind":273,"menu":296,"lastModified":275,"version":274},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"800italic":285,"regular":290,"700italic":287,"200italic":291,"italic":289,"500italic":292,"600italic":294,"300italic":293,"100italic":288,"900italic":286},[298,299],"Secure shadow AI","See and control shadow AI apps in the browser.",[1175,1260],{"@type":106,"@version":107,"tagName":323,"id":1176,"meta":1177,"children":1178},"builder-a6e5717a2c914d5695058e4ee201a05d",{"previousId":1056},[1179,1195,1202,1209,1219,1228,1237,1247,1254],{"@type":106,"@version":107,"id":1180,"meta":1181,"component":1182,"responsiveStyles":1193},"builder-3e0ed678683f4a0eb7aa00253cf263b2",{"previousId":1060},{"name":327,"options":1183,"isRSC":118},{"title":1172,"description":1184,"points":1185,"image":1192},"\u003Cp>Your employees are adopting AI faster than you can track it. From native features in corporate apps to unapproved shadow tools, it’s all happening in the browser. Push detects every AI interaction in real time, letting you categorize apps and enforce acceptable use policies in the browser.\u003C/p>",[1186,1188,1190],{"item":1187},"Map every AI tool used across your workforce",{"item":1189},"Review and classify apps by sensitivity, purpose, and policy status",{"item":1191},"Enforce AI usage rules directly in the browser","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F33cf153d920f4e389f3650253577cff7",{"large":1194},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":1196,"meta":1197,"component":1198,"responsiveStyles":1200},"builder-76968f8471d14893b8189d75b08fb426",{"previousId":1076},{"name":346,"options":1199,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":1201},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":1203,"meta":1204,"component":1205,"responsiveStyles":1207},"builder-b55b9d4bc5a649d8839ce7f6c2043d95",{"previousId":1083},{"name":354,"options":1206,"isRSC":118},{"darkMode":41},{"large":1208},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1210,"meta":1211,"component":1212,"responsiveStyles":1217},"builder-c3f38ef4d75d4989a29b5903175ed8a1",{"previousId":1090},{"name":359,"tag":359,"options":1213,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":1214,"description":1215,"image":1216,"reverse":6},"\u003Ch2>Use your browser to govern AI \u003C/h2>","\u003Cp>The AI footprint inside your company is bigger than you think. From text generators to meeting assistants and design copilots, employees test, adopt, and connect new tools constantly. Push shows you those tools and which users are accessing them, without relying on network scans or API integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F30b43bda6f1644c19478fb1efa20050c",{"large":1218},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1220,"meta":1221,"component":1222,"responsiveStyles":1226},"builder-90ee9cb9afc44e7f885523715bf51a53",{"previousId":1099},{"name":373,"options":1223,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":1224,"description":1225,"reverse":41,"image":1115},"\u003Ch2>Discover every AI tool users touch\u003C/h2>","\u003Cp>Push captures live telemetry from the browser, identifying every AI-native and AI-enhanced application users access. You’ll know which corporate identities are connected, how data flows, and what new AI apps appear across your environment. \u003C/p>",{"large":1227},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":1229,"meta":1230,"component":1231,"responsiveStyles":1235},"builder-9e44539fa53c4d8e87406036c921fc46",{"previousId":1109},{"name":373,"options":1232,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":1233,"description":1234,"reverse":6,"image":1125},"\u003Ch2>Classify and manage AI risk\u003C/h2>","\u003Cp>For apps you choose to allow, Push lets you apply custom in-browser banners. You can bulk-select categories of AI tools and require users to read and acknowledge your acceptable use policy before they proceed. This creates an auditable trail and moves policy from an easy to forget document to an active, in-workflow control.\u003C/p>",{"large":1236},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":1238,"meta":1239,"component":1240,"responsiveStyles":1245},"builder-44c1a891926f4bdeaaa37e90721fe6ac",{"previousId":1119},{"name":373,"options":1241,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1242,"description":1243,"reverse":41,"image":1244},"\u003Ch2>Enforce your AI policy in the browser\u003C/h2>","\u003Cp>When an AI tool is deemed non-compliant or too risky, Push blocks it at the source. The block happens directly in the browser, preventing the user from accessing the site or submitting data. This gives you an immediate, powerful lever to stop data exfiltration and enforce a hard line on unacceptable risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa359ac1805af4e15a8a7f84632b9bb55",{"large":1246},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1248,"meta":1249,"component":1250,"responsiveStyles":1252},"builder-dcc906f9cbe54dc68b3c672668e7a38f",{"previousId":1129},{"name":354,"options":1251,"isRSC":118},{"darkMode":6},{"large":1253},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1255,"component":1256,"responsiveStyles":1258},"builder-d2d64780c31b4349bc75805b23a07e38",{"name":416,"tag":416,"options":1257,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1259},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1261,"@type":106,"tagName":131,"properties":1262,"responsiveStyles":1263},"builder-pixel-wxx9tk70r9p",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":1264},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1266},{"path":37,"query":1267},{},{},1770892957225,1764950077593,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe558b8b069884037a8e6904f7ecc029c",[],{"winningTest":118,"breakpoints":1274,"originalContentId":1039,"kind":438,"lastPreviewUrl":1275,"hasLinks":6,"hasAutosaves":41},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/shadow-ai?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=b62629ce2f3741158d961cd10fe74b31&builder.overrides.b62629ce2f3741158d961cd10fe74b31=b62629ce2f3741158d961cd10fe74b31&builder.overrides.use-case-page:/uc/shadow-ai=b62629ce2f3741158d961cd10fe74b31&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"_path":1277,"_dir":1278,"_draft":6,"_partial":6,"_locale":37,"sys":1279,"ogImage":118,"summary":1282,"title":1296,"subtitle":118,"metaTitle":1297,"synopsis":1298,"hashTags":118,"publishedDate":1299,"slug":1300,"tagsCollection":1301,"relatedBlogPostsCollection":1311,"authorsCollection":2784,"content":2788,"_id":3524,"_type":3525,"_source":3526,"_file":3527,"_stem":3528,"_extension":3525},"/blog/google-search-malvertising-campaign-continues-now-impersonating-ahrefs","blog",{"id":1280,"publishedAt":1281},"2YmiesBvJHGw4wiKEKzLUq","2026-02-25T08:00:04.199Z",{"json":1283},{"data":1284,"content":1285,"nodeType":1295},{},[1286],{"data":1287,"content":1288,"nodeType":1294},{},[1289],{"data":1290,"marks":1291,"value":1292,"nodeType":1293},{},[],"In December, we reported on malvertising attacks delivered via Google Search specifically targeting Google Ad Manager accounts. Now, we’ve intercepted more attacks targeting Push customers, this time impersonating Ahrefs. Here’s what you need to know. ","text","paragraph","document","Google Search malvertising campaign continues, now impersonating Ahrefs","Google Search malvertising campaign impersonating Ahrefs","New samples linked to a Push-tracked malvertising campaign detected, targeting Google accounts via an Ahrefs lure. ","2026-01-12T00:00:00.000Z","google-search-malvertising-campaign-continues-now-impersonating-ahrefs",{"items":1302},[1303,1307],{"sys":1304,"name":1306},{"id":1305},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"sys":1308,"name":1310},{"id":1309},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"items":1312},[1313,1794,2185],{"__typename":1314,"sys":1315,"content":1317,"title":1776,"synopsis":1777,"hashTags":118,"publishedDate":1778,"slug":1779,"tagsCollection":1780,"authorsCollection":1786},"BlogPosts",{"id":1316},"2obwh6WiK5IP0hnqsV4CZQ",{"json":1318},{"data":1319,"content":1320,"nodeType":1295},{},[1321,1328,1335,1342,1349,1358,1362,1372,1379,1385,1392,1398,1404,1411,1417,1424,1430,1437,1443,1446,1454,1476,1485,1505,1525,1531,1539,1559,1565,1571,1578,1581,1589,1608,1614,1621,1624,1632,1652,1659,1694,1697,1705,1724,1731,1764,1770],{"data":1322,"content":1323,"nodeType":1294},{},[1324],{"data":1325,"marks":1326,"value":1327,"nodeType":1293},{},[],"We recently detected and blocked a particularly well-crafted malvertising attack targeting one of our customers. ",{"data":1329,"content":1330,"nodeType":1294},{},[1331],{"data":1332,"marks":1333,"value":1334,"nodeType":1293},{},[],"The employee had searched for “tradingview” on Google and been served a malicious ad impersonating the real site, which they had clicked. ",{"data":1336,"content":1337,"nodeType":1294},{},[1338],{"data":1339,"marks":1340,"value":1341,"nodeType":1293},{},[],"As well as being a highly convincing clone of the real site, this attack demonstrated a number of creative detection evasion techniques designed to prevent security tools, analysts, and web scraping bots from flagging it as malicious. ",{"data":1343,"content":1344,"nodeType":1294},{},[1345],{"data":1346,"marks":1347,"value":1348,"nodeType":1293},{},[],"You can see a narrated clickthrough of the end-to-end attack in the video below. ",{"data":1350,"content":1356,"nodeType":1357},{"target":1351},{"sys":1352},{"id":1353,"type":1354,"linkType":1355},"V8NYoNBZBSZXSNBo2AfUZ","Link","Entry",[],"embedded-entry-block",{"data":1359,"content":1360,"nodeType":1361},{},[],"hr",{"data":1363,"content":1364,"nodeType":1371},{},[1365],{"data":1366,"marks":1367,"value":1370,"nodeType":1293},{},[1368],{"type":1369},"bold","Attack breakdown","heading-1",{"data":1373,"content":1374,"nodeType":1294},{},[1375],{"data":1376,"marks":1377,"value":1378,"nodeType":1293},{},[],"When the victim clicked the malicious ad, they were initially directed to tradingview-charts-compare.primevoro[.]com, but then immediately redirected to a second site. In effect, the victim would never see this initial page — it is simply used as a benign site that only forwards the victim on if certain parameters are supplied from the initial Google ad link. ",{"data":1380,"content":1384,"nodeType":1357},{"target":1381},{"sys":1382},{"id":1383,"type":1354,"linkType":1355},"1v5dADDY2y9EAwCZ7ZnWVi",[],{"data":1386,"content":1387,"nodeType":1294},{},[1388],{"data":1389,"marks":1390,"value":1391,"nodeType":1293},{},[],"The first site that the victim would see is visually identical to the real TradingView site, at tradingplatforms[.]app. ",{"data":1393,"content":1397,"nodeType":1357},{"target":1394},{"sys":1395},{"id":1396,"type":1354,"linkType":1355},"iHIbILX30HMnqM4NXx86G",[],{"data":1399,"content":1403,"nodeType":1357},{"target":1400},{"sys":1401},{"id":1402,"type":1354,"linkType":1355},"2nK9Y4ZFejHtbWT2GcVNM1",[],{"data":1405,"content":1406,"nodeType":1294},{},[1407],{"data":1408,"marks":1409,"value":1410,"nodeType":1293},{},[],"Upon clicking the login button, they are taken to another convincingly designed page, where the victim is prompted to sign in with Google. ",{"data":1412,"content":1416,"nodeType":1357},{"target":1413},{"sys":1414},{"id":1415,"type":1354,"linkType":1355},"6il7lhKUz5VIgQW9shl9oc",[],{"data":1418,"content":1419,"nodeType":1294},{},[1420],{"data":1421,"marks":1422,"value":1423,"nodeType":1293},{},[],"Upon clicking the sign in with Google button, the victim is finally taken to the reverse proxy Attacker-in-the-Middle phishing page targeting Google. If the victim logs in, their credentials and live session is stolen by the attacker. ",{"data":1425,"content":1429,"nodeType":1357},{"target":1426},{"sys":1427},{"id":1428,"type":1354,"linkType":1355},"3LSrYN6X2qnBiMBoPi1Qse",[],{"data":1431,"content":1432,"nodeType":1294},{},[1433],{"data":1434,"marks":1435,"value":1436,"nodeType":1293},{},[],"You can see the timeline of URLs accessed in the chain captured in Push’s timeline feature, below. When we investigated, the phishing page had no user reports on urlscan. ",{"data":1438,"content":1442,"nodeType":1357},{"target":1439},{"sys":1440},{"id":1441,"type":1354,"linkType":1355},"5spFXtWBhTtB4LO3cYHv8Z",[],{"data":1444,"content":1445,"nodeType":1361},{},[],{"data":1447,"content":1448,"nodeType":1371},{},[1449],{"data":1450,"marks":1451,"value":1453,"nodeType":1293},{},[1452],{"type":1369},"How did this attack evade standard detections?",{"data":1455,"content":1456,"nodeType":1294},{},[1457,1461,1472],{"data":1458,"marks":1459,"value":1460,"nodeType":1293},{},[],"It’s increasingly common for malicious sites to fly under the radar because of the effective use of ",{"data":1462,"content":1464,"nodeType":1471},{"uri":1463},"https://phishing-techniques.pushsecurity.com/",[1465],{"data":1466,"marks":1467,"value":1470,"nodeType":1293},{},[1468],{"type":1469},"underline","detection evasion techniques","hyperlink",{"data":1473,"marks":1474,"value":1475,"nodeType":1293},{},[],", designed to defeat traditional security tools and web-scraping security bots. ",{"data":1477,"content":1478,"nodeType":1484},{},[1479],{"data":1480,"marks":1481,"value":1483,"nodeType":1293},{},[1482],{"type":1369},"Malvertising completely bypasses email-based controls","heading-2",{"data":1486,"content":1487,"nodeType":1294},{},[1488,1492,1501],{"data":1489,"marks":1490,"value":1491,"nodeType":1293},{},[],"By delivering the lure via ",{"data":1493,"content":1495,"nodeType":1471},{"uri":1494},"https://phishing-techniques.pushsecurity.com/techniques/malvertising/",[1496],{"data":1497,"marks":1498,"value":1500,"nodeType":1293},{},[1499],{"type":1469},"malvertising",{"data":1502,"marks":1503,"value":1504,"nodeType":1293},{},[],", the attacker was able to completely bypass the most common phishing detection surface — email. ",{"data":1506,"content":1507,"nodeType":1294},{},[1508,1512,1521],{"data":1509,"marks":1510,"value":1511,"nodeType":1293},{},[],"Malvertising via channels like Google Search is an effective way to launch “watering hole” style attacks, casting a wide net to harvest credentials and account access that can be re-sold to other criminals for a fee, or leveraged by partners in the cybercriminal ecosystem as part of major cyber breaches (such as the recent attacks by the “",{"data":1513,"content":1515,"nodeType":1471},{"uri":1514},"https://pushsecurity.com/blog/scattered-lapsus-hunters/",[1516],{"data":1517,"marks":1518,"value":1520,"nodeType":1293},{},[1519],{"type":1469},"Scattered Lapsus$ Hunters",{"data":1522,"marks":1523,"value":1524,"nodeType":1293},{},[],"” criminal collective, all of which began with identity-based initial access). For this reason, credentials and account access are an increasingly profitable commodity for cyber criminals. ",{"data":1526,"content":1530,"nodeType":1357},{"target":1527},{"sys":1528},{"id":1529,"type":1354,"linkType":1355},"7cq2IbGHIFH2UhkjIrwxGd",[],{"data":1532,"content":1533,"nodeType":1484},{},[1534],{"data":1535,"marks":1536,"value":1538,"nodeType":1293},{},[1537],{"type":1369},"Conditional loading parameters prevented the site being flagged as known-bad",{"data":1540,"content":1541,"nodeType":1294},{},[1542,1546,1555],{"data":1543,"marks":1544,"value":1545,"nodeType":1293},{},[],"The attacker used clever ",{"data":1547,"content":1549,"nodeType":1471},{"uri":1548},"https://phishing-techniques.pushsecurity.com/techniques/conditional-loading/",[1550],{"data":1551,"marks":1552,"value":1554,"nodeType":1293},{},[1553],{"type":1469},"conditional loading",{"data":1556,"marks":1557,"value":1558,"nodeType":1293},{},[]," techniques to prevent the page being accessed unless the correct steps were followed. This means that security analysts attempting to load one of the pages in isolation would either be served with a benign page, or be blocked from accessing the page in order to analyse it for malicious content.  ",{"data":1560,"content":1564,"nodeType":1357},{"target":1561},{"sys":1562},{"id":1563,"type":1354,"linkType":1355},"2vjZTsrjuILnt5UjNx9Nce",[],{"data":1566,"content":1570,"nodeType":1357},{"target":1567},{"sys":1568},{"id":1569,"type":1354,"linkType":1355},"3pOLIA4beNZ9tU87YLlhT0",[],{"data":1572,"content":1573,"nodeType":1294},{},[1574],{"data":1575,"marks":1576,"value":1577,"nodeType":1293},{},[],"Further, the attacker tightly scoped the initial malvertising lure to prevent unwanted visitors. Google Ads can be targeted to searches coming from specific geographic locations, tailored to specific email domain matches, or specific device types (e.g. desktop, mobile, etc.). If you know where your target organization is located, you can tailor the ad to that location. ",{"data":1579,"content":1580,"nodeType":1361},{},[],{"data":1582,"content":1583,"nodeType":1371},{},[1584],{"data":1585,"marks":1586,"value":1588,"nodeType":1293},{},[1587],{"type":1369},"Further observations",{"data":1590,"content":1591,"nodeType":1294},{},[1592,1595,1604],{"data":1593,"marks":1594,"value":37,"nodeType":1293},{},[],{"data":1596,"content":1598,"nodeType":1471},{"uri":1597},"https://www.bleepingcomputer.com/news/security/google-ads-for-fake-homebrew-logmein-sites-push-infostealers/",[1599],{"data":1600,"marks":1601,"value":1603,"nodeType":1293},{},[1602],{"type":1469},"According to security researchers",{"data":1605,"marks":1606,"value":1607,"nodeType":1293},{},[],", attackers have been recently observed running ClickFix malvertising campaigns over Google Search that also impersonated TradingView. These attacks attempted to deliver malware to Mac users, harvesting sensitive information stored in the browser, cryptocurrency credentials, and exfiltrating to the command and control server.",{"data":1609,"content":1613,"nodeType":1357},{"target":1610},{"sys":1611},{"id":1612,"type":1354,"linkType":1355},"VeLfUptGY8ygKHroPxTby",[],{"data":1615,"content":1616,"nodeType":1294},{},[1617],{"data":1618,"marks":1619,"value":1620,"nodeType":1293},{},[],"Attackers have been known to target investment and cryptocurrency accounts, particularly those aligned with North Korean state-sponsored operations. This is both targeting individual users as well as business accounts used in operating exchanges themselves, such as in the massive Bybit hack earlier this year. ",{"data":1622,"content":1623,"nodeType":1361},{},[],{"data":1625,"content":1626,"nodeType":1371},{},[1627],{"data":1628,"marks":1629,"value":1631,"nodeType":1293},{},[1630],{"type":1369},"IoCs",{"data":1633,"content":1634,"nodeType":1294},{},[1635,1639,1648],{"data":1636,"marks":1637,"value":1638,"nodeType":1293},{},[],"Short-lived IoCs are of limited value when tackling modern phishing attacks due to the rate at which attackers are able to ",{"data":1640,"content":1642,"nodeType":1471},{"uri":1641},"https://phishing-techniques.pushsecurity.com/techniques/domain-rotation-redirection/",[1643],{"data":1644,"marks":1645,"value":1647,"nodeType":1293},{},[1646],{"type":1469},"quickly spin up and rotate the sites used",{"data":1649,"marks":1650,"value":1651,"nodeType":1293},{},[]," in the attack chain, often dynamically serving different URLs to site visitors. ",{"data":1653,"content":1654,"nodeType":1294},{},[1655],{"data":1656,"marks":1657,"value":1658,"nodeType":1293},{},[],"That said, the domains observed in this chain were:",{"data":1660,"content":1661,"nodeType":1693},{},[1662,1673,1683],{"data":1663,"content":1664,"nodeType":1672},{},[1665],{"data":1666,"content":1667,"nodeType":1294},{},[1668],{"data":1669,"marks":1670,"value":1671,"nodeType":1293},{},[],"hxxps://tradingview-charts-compare.primevoro.com","list-item",{"data":1674,"content":1675,"nodeType":1672},{},[1676],{"data":1677,"content":1678,"nodeType":1294},{},[1679],{"data":1680,"marks":1681,"value":1682,"nodeType":1293},{},[],"hxxps://tradingplatforms.app",{"data":1684,"content":1685,"nodeType":1672},{},[1686],{"data":1687,"content":1688,"nodeType":1294},{},[1689],{"data":1690,"marks":1691,"value":1692,"nodeType":1293},{},[],"hxxps://accounts.aeonnailspa.com","unordered-list",{"data":1695,"content":1696,"nodeType":1361},{},[],{"data":1698,"content":1699,"nodeType":1371},{},[1700],{"data":1701,"marks":1702,"value":1704,"nodeType":1293},{},[1703],{"type":1369},"How Push stopped the attack",{"data":1706,"content":1707,"nodeType":1294},{},[1708,1712,1720],{"data":1709,"marks":1710,"value":1711,"nodeType":1293},{},[],"Push doesn’t detect the redirect tricks or rely on outdated domain TI feeds. The reason we detect these attacks (which make it through all the other layers of phishing protection) is that Push sees what your users see. It doesn’t matter what ",{"data":1713,"content":1714,"nodeType":1471},{"uri":1463},[1715],{"data":1716,"marks":1717,"value":1719,"nodeType":1293},{},[1718],{"type":1469},"delivery channel or camouflage methods are used",{"data":1721,"marks":1722,"value":1723,"nodeType":1293},{},[],", Push shuts the attack down in real time, as the user loads the malicious page in their web browser.",{"data":1725,"content":1726,"nodeType":1294},{},[1727],{"data":1728,"marks":1729,"value":1730,"nodeType":1293},{},[],"This isn’t all we do: Push’s browser-based security platform provides comprehensive detection and response capabilities against the leading cause of breaches. Push blocks browser-based attacks like AiTM phishing, credential stuffing, malicious browser extensions, malicious OAuth grants, ClickFix, and session hijacking. You don’t need to wait until it all goes wrong — you can also use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, and more to harden your identity attack surface.",{"data":1732,"content":1733,"nodeType":1294},{},[1734,1738,1747,1751,1760],{"data":1735,"marks":1736,"value":1737,"nodeType":1293},{},[],"To learn more about Push, ",{"data":1739,"content":1741,"nodeType":1471},{"uri":1740},"https://pushsecurity.com/resources/product-brochure",[1742],{"data":1743,"marks":1744,"value":1746,"nodeType":1293},{},[1745],{"type":1469},"check out our latest product overview",{"data":1748,"marks":1749,"value":1750,"nodeType":1293},{},[]," or ",{"data":1752,"content":1754,"nodeType":1471},{"uri":1753},"https://pushsecurity.com/demo",[1755],{"data":1756,"marks":1757,"value":1759,"nodeType":1293},{},[1758],{"type":1469},"book some time with one of our team for a live demo",{"data":1761,"marks":1762,"value":1763,"nodeType":1293},{},[],".",{"data":1765,"content":1769,"nodeType":1357},{"target":1766},{"sys":1767},{"id":1768,"type":1354,"linkType":1355},"6QzB0BlVC5mstXwXHvy2c3",[],{"data":1771,"content":1772,"nodeType":1294},{},[1773],{"data":1774,"marks":1775,"value":37,"nodeType":1293},{},[],"Analysing a sophisticated Google malvertising attack impersonating TradingView","Push recently detected and blocked a malvertising attack impersonating TradingView designed to hijack Google Workspace accounts.","2025-12-08T00:00:00.000Z","analysing-a-sophisticated-google-malvertising-attack",{"items":1781},[1782,1784],{"sys":1783,"name":1310},{"id":1309},{"sys":1785,"name":1306},{"id":1305},{"items":1787},[1788],{"fullName":1789,"firstName":1790,"jobTitle":1791,"profilePicture":1792},"Dan Green","Dan","Threat Research",{"url":1793},"https://images.ctfassets.net/y1cdw1ablpvd/7jik1VhFgA3kgzXBXTm2Vw/fcd8c171da644903d0827eafcfbcaad0/Dan_Headshot_2025.png",{"__typename":1314,"sys":1795,"content":1797,"title":2171,"synopsis":2172,"hashTags":118,"publishedDate":2173,"slug":2174,"tagsCollection":2175,"authorsCollection":2181},{"id":1796},"72lLmy0CXnOp3LWOdcUguX",{"json":1798},{"data":1799,"content":1800,"nodeType":1295},{},[1801,1808,1815,1821,1828,1861,1868,1874,1881,1887,1893,1899,1905,1911,1914,1922,1929,1936,1943,1951,1957,1977,1984,2001,2006,2009,2016,2023,2096,2103,2106,2113,2120,2127,2134,2160,2165],{"data":1802,"content":1803,"nodeType":1371},{},[1804],{"data":1805,"marks":1806,"value":1370,"nodeType":1293},{},[1807],{"type":1369},{"data":1809,"content":1810,"nodeType":1294},{},[1811],{"data":1812,"marks":1813,"value":1814,"nodeType":1293},{},[],"We recently detected and blocked a malvertising attack impacting one of our customer’s employees. The employee had searched for “Google ads” in Google Search to log into their Google Ads Manager account.  ",{"data":1816,"content":1820,"nodeType":1357},{"target":1817},{"sys":1818},{"id":1819,"type":1354,"linkType":1355},"40RyyKZC0R07wLU1OZBmH",[],{"data":1822,"content":1823,"nodeType":1294},{},[1824],{"data":1825,"marks":1826,"value":1827,"nodeType":1293},{},[],"The user:",{"data":1829,"content":1830,"nodeType":1693},{},[1831,1841,1851],{"data":1832,"content":1833,"nodeType":1672},{},[1834],{"data":1835,"content":1836,"nodeType":1294},{},[1837],{"data":1838,"marks":1839,"value":1840,"nodeType":1293},{},[],"Searched for “Google ads” in Google Search",{"data":1842,"content":1843,"nodeType":1672},{},[1844],{"data":1845,"content":1846,"nodeType":1294},{},[1847],{"data":1848,"marks":1849,"value":1850,"nodeType":1293},{},[],"Click the ad for hxxps://ads-adsword1.odoo.com/…",{"data":1852,"content":1853,"nodeType":1672},{},[1854],{"data":1855,"content":1856,"nodeType":1294},{},[1857],{"data":1858,"marks":1859,"value":1860,"nodeType":1293},{},[],"Was redirected to hxxps://sing-operador2.click/accounts/v3/login/ where the phishing form was blocked. ",{"data":1862,"content":1863,"nodeType":1294},{},[1864],{"data":1865,"marks":1866,"value":1867,"nodeType":1293},{},[],"When we came to investigate this detection further, we found that the site had already been taken down.  ",{"data":1869,"content":1873,"nodeType":1357},{"target":1870},{"sys":1871},{"id":1872,"type":1354,"linkType":1355},"6eAIVxgaEDQ9krKZvu8zyI",[],{"data":1875,"content":1876,"nodeType":1294},{},[1877],{"data":1878,"marks":1879,"value":1880,"nodeType":1293},{},[],"However, we were able to replicate the user’s activity to find other examples that show clear signs of being linked to the same campaign — both hosted on Odoo, with one also using Kartra as a redirect.",{"data":1882,"content":1886,"nodeType":1357},{"target":1883},{"sys":1884},{"id":1885,"type":1354,"linkType":1355},"1wGu0slZcKBNIUhuNk5SZN",[],{"data":1888,"content":1892,"nodeType":1357},{"target":1889},{"sys":1890},{"id":1891,"type":1354,"linkType":1355},"5SqaaD4vDzvdkzVX8ypxvB",[],{"data":1894,"content":1898,"nodeType":1357},{"target":1895},{"sys":1896},{"id":1897,"type":1354,"linkType":1355},"7IT185wut2jTtQy1lC9F5t",[],{"data":1900,"content":1904,"nodeType":1357},{"target":1901},{"sys":1902},{"id":1903,"type":1354,"linkType":1355},"78WkGo9ZTio1fYvfP7W68",[],{"data":1906,"content":1910,"nodeType":1357},{"target":1907},{"sys":1908},{"id":1909,"type":1354,"linkType":1355},"5CWMR1gxq3Uao4HGGhRLKE",[],{"data":1912,"content":1913,"nodeType":1361},{},[],{"data":1915,"content":1916,"nodeType":1371},{},[1917],{"data":1918,"marks":1919,"value":1921,"nodeType":1293},{},[1920],{"type":1369},"Why malvertising & Google ads?",{"data":1923,"content":1924,"nodeType":1294},{},[1925],{"data":1926,"marks":1927,"value":1928,"nodeType":1293},{},[],"Malvertising attacks delivered over channels like Google Search are a great way to catch victims unawares while also evading typically email-based anti-phishing controls. ",{"data":1930,"content":1931,"nodeType":1294},{},[1932],{"data":1933,"marks":1934,"value":1935,"nodeType":1293},{},[],"The flipside of this is that malvertising attacks are less likely to be targeted than phishing delivered directly to the victim via a direct message (i.e. email, social media DM, instant messenger app, SMS, etc.). This appears to be true in this case: we were served the ad from a UK location despite the initial ad targeting an EU-based company. ",{"data":1937,"content":1938,"nodeType":1294},{},[1939],{"data":1940,"marks":1941,"value":1942,"nodeType":1293},{},[],"However, that isn’t to say that malvertising attacks can’t be targeted. For example, Google Ads can be targeted to searches coming from specific geographic locations, tailored to specific email domain matches, or specific device types (e.g. desktop, mobile, etc.). If you know where your target organization is located, you can tailor the ad to that location. Even more precise ad targeting can be achieved on social media platforms. ",{"data":1944,"content":1945,"nodeType":1294},{},[1946],{"data":1947,"marks":1948,"value":1950,"nodeType":1293},{},[1949],{"type":1369},"In this case, it appears that the attacker was specifically targeting Google Ad Manager accounts. ",{"data":1952,"content":1956,"nodeType":1357},{"target":1953},{"sys":1954},{"id":1955,"type":1354,"linkType":1355},"5JA7xWPghOBln49SfkvefW",[],{"data":1958,"content":1959,"nodeType":1294},{},[1960,1964,1973],{"data":1961,"marks":1962,"value":1963,"nodeType":1293},{},[],"With malvertising on the rise as an increasingly popular attack vector for the delivery of AITM phishing, malware downloads, and ",{"data":1965,"content":1967,"nodeType":1471},{"uri":1966},"https://pushsecurity.com/blog/the-most-advanced-clickfix-yet/",[1968],{"data":1969,"marks":1970,"value":1972,"nodeType":1293},{},[1971],{"type":1469},"ClickFix",{"data":1974,"marks":1975,"value":1976,"nodeType":1293},{},[]," (4 in 5 ClickFix attacks intercepted by Push were delivered via Google Search), it makes sense that attackers are looking to increase their web of accounts from which to launch malicious ads. ",{"data":1978,"content":1979,"nodeType":1294},{},[1980],{"data":1981,"marks":1982,"value":1983,"nodeType":1293},{},[],"Particularly for organizations that are running large numbers of ads with pre-allocated budget/cards for their ad account, or organizations performing ad management/marketing services on behalf of other organizations, it’s easy to see how attackers can take over these accounts and spin up malicious ads. ",{"data":1985,"content":1986,"nodeType":1294},{},[1987,1991,1998],{"data":1988,"marks":1989,"value":1990,"nodeType":1293},{},[],"Malvertising via Google Search is an effective way to launch “watering hole” style attacks, casting a wide net to harvest credentials and account access that can be re-sold to other criminals for a fee, or leveraged by partners in the cybercriminal ecosystem as part of major cyber breaches (such as the recent attacks by the “",{"data":1992,"content":1993,"nodeType":1471},{"uri":1514},[1994],{"data":1995,"marks":1996,"value":1520,"nodeType":1293},{},[1997],{"type":1469},{"data":1999,"marks":2000,"value":1524,"nodeType":1293},{},[],{"data":2002,"content":2005,"nodeType":1357},{"target":2003},{"sys":2004},{"id":1768,"type":1354,"linkType":1355},[],{"data":2007,"content":2008,"nodeType":1361},{},[],{"data":2010,"content":2011,"nodeType":1371},{},[2012],{"data":2013,"marks":2014,"value":1631,"nodeType":1293},{},[2015],{"type":1369},{"data":2017,"content":2018,"nodeType":1294},{},[2019],{"data":2020,"marks":2021,"value":2022,"nodeType":1293},{},[],"The following domains were involved in the attacks:",{"data":2024,"content":2025,"nodeType":1693},{},[2026,2036,2046,2056,2066,2076,2086],{"data":2027,"content":2028,"nodeType":1672},{},[2029],{"data":2030,"content":2031,"nodeType":1294},{},[2032],{"data":2033,"marks":2034,"value":2035,"nodeType":1293},{},[],"hxxps://ads-adsword1.odoo.com",{"data":2037,"content":2038,"nodeType":1672},{},[2039],{"data":2040,"content":2041,"nodeType":1294},{},[2042],{"data":2043,"marks":2044,"value":2045,"nodeType":1293},{},[],"hxxps://sing-operador2.click/accounts/v3/login",{"data":2047,"content":2048,"nodeType":1672},{},[2049],{"data":2050,"content":2051,"nodeType":1294},{},[2052],{"data":2053,"marks":2054,"value":2055,"nodeType":1293},{},[],"hxxps://adsgooglie.odoo.com/",{"data":2057,"content":2058,"nodeType":1672},{},[2059],{"data":2060,"content":2061,"nodeType":1294},{},[2062],{"data":2063,"marks":2064,"value":2065,"nodeType":1293},{},[],"hxxps://word4only.online/",{"data":2067,"content":2068,"nodeType":1672},{},[2069],{"data":2070,"content":2071,"nodeType":1294},{},[2072],{"data":2073,"marks":2074,"value":2075,"nodeType":1293},{},[],"hxxps://adsloginacess.kartra.com/page/oeN7",{"data":2077,"content":2078,"nodeType":1672},{},[2079],{"data":2080,"content":2081,"nodeType":1294},{},[2082],{"data":2083,"marks":2084,"value":2085,"nodeType":1293},{},[],"hxxps://ads-o.odoo.com",{"data":2087,"content":2088,"nodeType":1672},{},[2089],{"data":2090,"content":2091,"nodeType":1294},{},[2092],{"data":2093,"marks":2094,"value":2095,"nodeType":1293},{},[],"hxxps://operador8-ads.lat/accounts/v3/login/",{"data":2097,"content":2098,"nodeType":1294},{},[2099],{"data":2100,"marks":2101,"value":2102,"nodeType":1293},{},[],"However, with the rate at which these domains were spun up and subsequently taken down (by the attacker or the site hosting the links) IoC-based detections for campaigns such as this are of limited value. ",{"data":2104,"content":2105,"nodeType":1361},{},[],{"data":2107,"content":2108,"nodeType":1371},{},[2109],{"data":2110,"marks":2111,"value":1704,"nodeType":1293},{},[2112],{"type":1369},{"data":2114,"content":2115,"nodeType":1294},{},[2116],{"data":2117,"marks":2118,"value":2119,"nodeType":1293},{},[],"Regardless of the delivery channel, all roads lead to a web page accessed in the victim’s browser — where Push is waiting to detect and block the attack. ",{"data":2121,"content":2122,"nodeType":1294},{},[2123],{"data":2124,"marks":2125,"value":2126,"nodeType":1293},{},[],"By seeing what your users see, and getting an unfiltered, real-time view of the page as it loads, Push is able to pinpoint malicious content, code, and behaviors and shut the attack down before it happens. Whether it's entering credentials onto a phishing page, approving a malicious OAuth grant, installing a risky browser extension, or insecurely accessing an app with a weak password and no MFA, Push detects the action and responds in real-time.",{"data":2128,"content":2129,"nodeType":1294},{},[2130],{"data":2131,"marks":2132,"value":2133,"nodeType":1293},{},[],"Push blocks browser-based attacks like AiTM phishing, credential stuffing, malicious browser extensions, malicious OAuth grants, ClickFix, and session hijacking. You don’t need to wait until it all goes wrong either — you can use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, and more to harden your identity attack surface.",{"data":2135,"content":2136,"nodeType":1294},{},[2137,2140,2147,2150,2157],{"data":2138,"marks":2139,"value":1737,"nodeType":1293},{},[],{"data":2141,"content":2142,"nodeType":1471},{"uri":1740},[2143],{"data":2144,"marks":2145,"value":1746,"nodeType":1293},{},[2146],{"type":1469},{"data":2148,"marks":2149,"value":1750,"nodeType":1293},{},[],{"data":2151,"content":2152,"nodeType":1471},{"uri":1753},[2153],{"data":2154,"marks":2155,"value":1759,"nodeType":1293},{},[2156],{"type":1469},{"data":2158,"marks":2159,"value":1763,"nodeType":1293},{},[],{"data":2161,"content":2164,"nodeType":1357},{"target":2162},{"sys":2163},{"id":1768,"type":1354,"linkType":1355},[],{"data":2166,"content":2167,"nodeType":1294},{},[2168],{"data":2169,"marks":2170,"value":37,"nodeType":1293},{},[],"Analysing a malvertising attack targeting business Google accounts intercepted by Push","Analysing a malvertising attack targeting Google business accounts that was intercepted by Push. ","2025-12-02T00:00:00.000Z","analysing-a-malvertising-attack-targeting-business-google-accounts",{"items":2176},[2177,2179],{"sys":2178,"name":1306},{"id":1305},{"sys":2180,"name":1310},{"id":1309},{"items":2182},[2183],{"fullName":1789,"firstName":1790,"jobTitle":1791,"profilePicture":2184},{"url":1793},{"__typename":1314,"sys":2186,"content":2188,"title":2767,"synopsis":2768,"hashTags":118,"publishedDate":2173,"slug":2769,"tagsCollection":2770,"authorsCollection":2776},{"id":2187},"6Zosy4SU0LpjlaSWX75peb",{"json":2189},{"data":2190,"content":2191,"nodeType":1295},{},[2192,2199,2206,2213,2219,2226,2229,2237,2244,2251,2258,2264,2271,2277,2284,2290,2297,2303,2334,2341,2347,2354,2360,2367,2373,2380,2423,2426,2434,2441,2448,2455,2461,2464,2472,2479,2499,2505,2511,2517,2524,2530,2536,2556,2559,2567,2586,2592,2599,2615,2623,2630,2637,2643,2661,2669,2676,2682,2685,2692,2699,2705,2708,2716,2723,2730,2756,2761],{"data":2193,"content":2194,"nodeType":1294},{},[2195],{"data":2196,"marks":2197,"value":2198,"nodeType":1293},{},[],"We recently investigated a sophisticated phishing campaign targeting Google Workspace and Facebook Business accounts with Calendly-themed phishing lures, based around a fake job opportunity. ",{"data":2200,"content":2201,"nodeType":1294},{},[2202],{"data":2203,"marks":2204,"value":2205,"nodeType":1293},{},[],"We were first alerted to the campaign when a Push customer was hit with a highly targeted email-based attack, where the attacker used an Attacker-in-the-Middle (AiTM) phishing toolkit to target the customer’s Google Workspace account. ",{"data":2207,"content":2208,"nodeType":1294},{},[2209],{"data":2210,"marks":2211,"value":2212,"nodeType":1293},{},[],"In this case, Google was the customer’s primary enterprise IdP account, used to access native Google suite apps as well as SSO to downstream apps — effectively, the front door to their business IT stack. Despite this, the attacker’s MO was specifically the takeover of accounts used for the management of digital ads. ",{"data":2214,"content":2218,"nodeType":1357},{"target":2215},{"sys":2216},{"id":2217,"type":1354,"linkType":1355},"5oivBCf1Fqvnq0GNCSko8f",[],{"data":2220,"content":2221,"nodeType":1294},{},[2222],{"data":2223,"marks":2224,"value":2225,"nodeType":1293},{},[],"In this blog post, we break down the various TTPs used by the attacker across the campaign, and consider why ad management platforms are being specifically targeted.  ",{"data":2227,"content":2228,"nodeType":1361},{},[],{"data":2230,"content":2231,"nodeType":1371},{},[2232],{"data":2233,"marks":2234,"value":2236,"nodeType":1293},{},[2235],{"type":1369},"Variant 1: Targeting Google Workspace with a sophisticated email phish ",{"data":2238,"content":2239,"nodeType":1294},{},[2240],{"data":2241,"marks":2242,"value":2243,"nodeType":1293},{},[],"The first phishing variant we analyzed began with a multi-stage phishing email lure, framed as a job opportunity for LVMH (Louis Vuitton Moët Hennessy), which oversees more than 75 brands across sectors like fashion, cosmetics, watches, and spirits. The specific delivery address is impersonating “Inside LVMH”, the talent acquisition and training arm of LVMH.  ",{"data":2245,"content":2246,"nodeType":1294},{},[2247],{"data":2248,"marks":2249,"value":2250,"nodeType":1293},{},[],"This lure is notable for multiple reasons. It is highly targeted, well-written, populated with information from the victim, and coming from what appears to be a legitimate employee of LVMH. Even if the victim was initially suspicious, searching for the recruiter’s name would appear to confirm their identity.  ",{"data":2252,"content":2253,"nodeType":1294},{},[2254],{"data":2255,"marks":2256,"value":2257,"nodeType":1293},{},[],"It is possible, even likely, that this interaction was operated using AI, using information scraped from the internet — but in any case, the outcome achieved is highly convincing. ",{"data":2259,"content":2263,"nodeType":1357},{"target":2260},{"sys":2261},{"id":2262,"type":1354,"linkType":1355},"46BYpquURERbkhWc6C2Lpc",[],{"data":2265,"content":2266,"nodeType":1294},{},[2267],{"data":2268,"marks":2269,"value":2270,"nodeType":1293},{},[],"Only after the victim has responded to an initial email was the phishing link delivered under the guise of a Calendly link to book time for a call. ",{"data":2272,"content":2276,"nodeType":1357},{"target":2273},{"sys":2274},{"id":2275,"type":1354,"linkType":1355},"37GBkfXGEdWvdQbMq65sad",[],{"data":2278,"content":2279,"nodeType":1294},{},[2280],{"data":2281,"marks":2282,"value":2283,"nodeType":1293},{},[],"Clicking the link takes the victim to an authentic-looking page impersonating a Calendly landing page.",{"data":2285,"content":2289,"nodeType":1357},{"target":2286},{"sys":2287},{"id":2288,"type":1354,"linkType":1355},"1DwOPzK7mxsoJlEBp8cMpr",[],{"data":2291,"content":2292,"nodeType":1294},{},[2293],{"data":2294,"marks":2295,"value":2296,"nodeType":1293},{},[],"After completing the CAPTCHA check and selecting \"Continue with Google” the victim is redirected to an AiTM phishing page designed to capture Google Workspace credentials, with specific branding impersonating Calendly — making this visually distinct from most common Google-themed phishing pages. ",{"data":2298,"content":2302,"nodeType":1357},{"target":2299},{"sys":2300},{"id":2301,"type":1354,"linkType":1355},"u1SY1uUX23sxfBYLpyaKb",[],{"data":2304,"content":2305,"nodeType":1294},{},[2306,2310,2318,2322,2330],{"data":2307,"marks":2308,"value":2309,"nodeType":1293},{},[],"This page uses ",{"data":2311,"content":2312,"nodeType":1471},{"uri":1548},[2313],{"data":2314,"marks":2315,"value":2317,"nodeType":1293},{},[2316],{"type":1469},"specific targeting parameters",{"data":2319,"marks":2320,"value":2321,"nodeType":1293},{},[]," to ensure that only the intended recipient is able to access the page’s malicious functionality — a well-known ",{"data":2323,"content":2324,"nodeType":1471},{"uri":1463},[2325],{"data":2326,"marks":2327,"value":2329,"nodeType":1293},{},[2328],{"type":1469},"detection evasion technique",{"data":2331,"marks":2332,"value":2333,"nodeType":1293},{},[]," to prevent security analysts from being able to fully analyse the page (as malicious elements are not rendered until this check is completed). ",{"data":2335,"content":2336,"nodeType":1294},{},[2337],{"data":2338,"marks":2339,"value":2340,"nodeType":1293},{},[],"As you can see in the example below, attempts to use any email other than the intended victim’s email domain are blocked.   ",{"data":2342,"content":2346,"nodeType":1357},{"target":2343},{"sys":2344},{"id":2345,"type":1354,"linkType":1355},"5m8LvVYjXz0zrITgTWqxio",[],{"data":2348,"content":2349,"nodeType":1294},{},[2350],{"data":2351,"marks":2352,"value":2353,"nodeType":1293},{},[],"Only entering an allowed email domain loads the password entry field. ",{"data":2355,"content":2359,"nodeType":1357},{"target":2356},{"sys":2357},{"id":2358,"type":1354,"linkType":1355},"6KFRJSsgk2pB6x67kWdpws",[],{"data":2361,"content":2362,"nodeType":1294},{},[2363],{"data":2364,"marks":2365,"value":2366,"nodeType":1293},{},[],"We identified a number of pages that appear to be part of the same campaign. All these pages have the same visual style, Calendly-themed lure targeting Google Workspace accounts, and appear to match real employees of the respective companies being impersonated. ",{"data":2368,"content":2372,"nodeType":1357},{"target":2369},{"sys":2370},{"id":2371,"type":1354,"linkType":1355},"zMkN1U5QlvIEcfOGmhBBf",[],{"data":2374,"content":2375,"nodeType":1294},{},[2376],{"data":2377,"marks":2378,"value":2379,"nodeType":1293},{},[],"The different pages include:",{"data":2381,"content":2382,"nodeType":1693},{},[2383,2393,2403,2413],{"data":2384,"content":2385,"nodeType":1672},{},[2386],{"data":2387,"content":2388,"nodeType":1294},{},[2389],{"data":2390,"marks":2391,"value":2392,"nodeType":1293},{},[],"A different visual match for the LVMH page.",{"data":2394,"content":2395,"nodeType":1672},{},[2396],{"data":2397,"content":2398,"nodeType":1294},{},[2399],{"data":2400,"marks":2401,"value":2402,"nodeType":1293},{},[],"A Lego recruitment themed page.",{"data":2404,"content":2405,"nodeType":1672},{},[2406],{"data":2407,"content":2408,"nodeType":1294},{},[2409],{"data":2410,"marks":2411,"value":2412,"nodeType":1293},{},[],"A Mastercard HR themed page.",{"data":2414,"content":2415,"nodeType":1672},{},[2416],{"data":2417,"content":2418,"nodeType":1294},{},[2419],{"data":2420,"marks":2421,"value":2422,"nodeType":1293},{},[],"An Uber recruitment themed page.",{"data":2424,"content":2425,"nodeType":1361},{},[],{"data":2427,"content":2428,"nodeType":1371},{},[2429],{"data":2430,"marks":2431,"value":2433,"nodeType":1293},{},[2432],{"type":1369},"Variant 2: Targeting Facebook Business accounts",{"data":2435,"content":2436,"nodeType":1294},{},[2437],{"data":2438,"marks":2439,"value":2440,"nodeType":1293},{},[],"Upon further investigation, we found links to a second phishing page style that appears to be part of a longer campaign targeting Facebook accounts, dating back more than two years. ",{"data":2442,"content":2443,"nodeType":1294},{},[2444],{"data":2445,"marks":2446,"value":2447,"nodeType":1293},{},[],"In total, we identified 31 unique URLs associated with the same campaign, many of which were recycled over time to impersonate different brands. ",{"data":2449,"content":2450,"nodeType":1294},{},[2451],{"data":2452,"marks":2453,"value":2454,"nodeType":1293},{},[],"Since most of these pages appeared to be older (and no longer live) they could not be analysed further, beyond giving an indication of how the phishing campaign has evolved over time. ",{"data":2456,"content":2460,"nodeType":1357},{"target":2457},{"sys":2458},{"id":2459,"type":1354,"linkType":1355},"5PFRI9XtNVdkpYiRoIYpF",[],{"data":2462,"content":2463,"nodeType":1361},{},[],{"data":2465,"content":2466,"nodeType":1371},{},[2467],{"data":2468,"marks":2469,"value":2471,"nodeType":1293},{},[2470],{"type":1369},"Variant 3: Targeting both Google and Facebook accounts",{"data":2473,"content":2474,"nodeType":1294},{},[2475],{"data":2476,"marks":2477,"value":2478,"nodeType":1293},{},[],"We also discovered a third, more recent variant targeting both Google and Facebook accounts with Calendly-styled pages.",{"data":2480,"content":2481,"nodeType":1294},{},[2482,2486,2495],{"data":2483,"marks":2484,"value":2485,"nodeType":1293},{},[],"This variant looks to leverage a Browser-in-the-Browser style pop-up window similar to the ",{"data":2487,"content":2489,"nodeType":1471},{"uri":2488},"https://pushsecurity.com/blog/analyzing-the-latest-sneaky2fa-phishing-page/",[2490],{"data":2491,"marks":2492,"value":2494,"nodeType":1293},{},[2493],{"type":1469},"Sneaky2FA attacks we reported on recently",{"data":2496,"marks":2497,"value":2498,"nodeType":1293},{},[],". BITB allows the attacker to mask the phishing page URL by presenting a fake URL set by the attacker, inside a pop-up login window. ",{"data":2500,"content":2504,"nodeType":1357},{"target":2501},{"sys":2502},{"id":2503,"type":1354,"linkType":1355},"7w4cmyqPvhxAFrokaK9CE1",[],{"data":2506,"content":2510,"nodeType":1357},{"target":2507},{"sys":2508},{"id":2509,"type":1354,"linkType":1355},"6FUSNecz0BXLxJxoJTsALD",[],{"data":2512,"content":2516,"nodeType":1357},{"target":2513},{"sys":2514},{"id":2515,"type":1354,"linkType":1355},"2zwFDrgsLuxi4Xv2q0nPFK",[],{"data":2518,"content":2519,"nodeType":1294},{},[2520],{"data":2521,"marks":2522,"value":2523,"nodeType":1293},{},[],"The attacker also implemented additional anti-analysis functionality, beyond the specific domain targeting we observed in the first page variant — the result of which meant the page IP blocked us from interacting with it further. ",{"data":2525,"content":2529,"nodeType":1357},{"target":2526},{"sys":2527},{"id":2528,"type":1354,"linkType":1355},"3ZPdxi5cGZcn5hF1ISIUa7",[],{"data":2531,"content":2535,"nodeType":1357},{"target":2532},{"sys":2533},{"id":2534,"type":1354,"linkType":1355},"3J5pmgNL9LevE1FdX4oksf",[],{"data":2537,"content":2538,"nodeType":1294},{},[2539,2543,2552],{"data":2540,"marks":2541,"value":2542,"nodeType":1293},{},[],"Often ",{"data":2544,"content":2546,"nodeType":1471},{"uri":2545},"https://phishing-techniques.pushsecurity.com/techniques/anti-sandbox/",[2547],{"data":2548,"marks":2549,"value":2551,"nodeType":1293},{},[2550],{"type":1469},"accessing dev tools",{"data":2553,"marks":2554,"value":2555,"nodeType":1293},{},[]," on a page is enough to trigger this, specifically targeting security analysts and web-crawling security bots/tools. ",{"data":2557,"content":2558,"nodeType":1361},{},[],{"data":2560,"content":2561,"nodeType":1371},{},[2562],{"data":2563,"marks":2564,"value":2566,"nodeType":1293},{},[2565],{"type":1369},"Why are attackers targeting business ad management accounts?",{"data":2568,"content":2569,"nodeType":1294},{},[2570,2574,2582],{"data":2571,"marks":2572,"value":2573,"nodeType":1293},{},[],"The campaign shows signs of being a long-running, targeted initiative focused on compromising accounts responsible for managing digital ads on behalf of businesses. The attackers have demonstrated that they are continuing to iterate on their TTPs, introducing new page styles with increased sophistication, and new ",{"data":2575,"content":2577,"nodeType":1471},{"uri":2576},"https://phishing-techniques.pushsecurity.com/#techniques-table",[2578],{"data":2579,"marks":2580,"value":1470,"nodeType":1293},{},[2581],{"type":1469},{"data":2583,"marks":2584,"value":2585,"nodeType":1293},{},[]," to defeat security analysis tools.  ",{"data":2587,"content":2591,"nodeType":1357},{"target":2588},{"sys":2589},{"id":2590,"type":1354,"linkType":1355},"m5GsTsDb55T70MU2m72B1",[],{"data":2593,"content":2594,"nodeType":1294},{},[2595],{"data":2596,"marks":2597,"value":2598,"nodeType":1293},{},[],"We also discovered that Google recently issued a security warning specifically for agency organizations managing ads for a number of businesses, urging them to create security alerts whenever a new account is added to a Manager Account (MCC) used to view and manage multiple Google Ads accounts from a single view. ",{"data":2600,"content":2601,"nodeType":1294},{},[2602,2605,2612],{"data":2603,"marks":2604,"value":1963,"nodeType":1293},{},[],{"data":2606,"content":2607,"nodeType":1471},{"uri":1966},[2608],{"data":2609,"marks":2610,"value":1972,"nodeType":1293},{},[2611],{"type":1469},{"data":2613,"marks":2614,"value":1976,"nodeType":1293},{},[],{"data":2616,"content":2617,"nodeType":1484},{},[2618],{"data":2619,"marks":2620,"value":2622,"nodeType":1293},{},[2621],{"type":1369},"Why are attackers turning to malvertising?",{"data":2624,"content":2625,"nodeType":1294},{},[2626],{"data":2627,"marks":2628,"value":2629,"nodeType":1293},{},[],"Malvertising attacks delivered over search engines (e.g. Google Search) and social media apps (Facebook, LinkedIn, etc.) are a great way to catch victims unawares while also evading typically email-based anti-phishing controls. ",{"data":2631,"content":2632,"nodeType":1294},{},[2633],{"data":2634,"marks":2635,"value":2636,"nodeType":1293},{},[],"The flipside of this is that malvertising attacks are less likely to be targeted than phishing delivered directly to the victim via a direct message (i.e. email, social media DM, instant messenger app, SMS, etc.). ",{"data":2638,"content":2639,"nodeType":1294},{},[2640],{"data":2641,"marks":2642,"value":1942,"nodeType":1293},{},[],{"data":2644,"content":2645,"nodeType":1294},{},[2646,2650,2657],{"data":2647,"marks":2648,"value":2649,"nodeType":1293},{},[],"Malvertising is an effective way to launch “watering hole” style attacks, casting a wide net to harvest credentials and account access that can be re-sold to other criminals for a fee, or leveraged by partners in the cybercriminal ecosystem as part of major cyber breaches (such as the recent attacks by the “",{"data":2651,"content":2652,"nodeType":1471},{"uri":1514},[2653],{"data":2654,"marks":2655,"value":1520,"nodeType":1293},{},[2656],{"type":1469},{"data":2658,"marks":2659,"value":2660,"nodeType":1293},{},[],"” criminal collective, all of which began with identity-based initial access). For this reason, credentials and access are an increasingly profitable commodity for cyber criminals. ",{"data":2662,"content":2663,"nodeType":1484},{},[2664],{"data":2665,"marks":2666,"value":2668,"nodeType":1293},{},[2667],{"type":1369},"Additional considerations",{"data":2670,"content":2671,"nodeType":1294},{},[2672],{"data":2673,"marks":2674,"value":2675,"nodeType":1293},{},[],"As previously mentioned, compromising a Google Workspace account (particularly where it is the primary enterprise cloud platform used by the organization) provides comprehensive access to business apps, data, and functionality that can be exploited by attackers — effectively, it’s the access point to modern business IT. There’s a good chance that attackers establishing a foothold in this way would look to leverage this access further, or at least sell on that access to a criminal group looking to take the attack further. ",{"data":2677,"content":2681,"nodeType":1357},{"target":2678},{"sys":2679},{"id":2680,"type":1354,"linkType":1355},"7jnQqRk0JuqEtrQ3HXy3f8",[],{"data":2683,"content":2684,"nodeType":1361},{},[],{"data":2686,"content":2687,"nodeType":1371},{},[2688],{"data":2689,"marks":2690,"value":1631,"nodeType":1293},{},[2691],{"type":1369},{"data":2693,"content":2694,"nodeType":1294},{},[2695],{"data":2696,"marks":2697,"value":2698,"nodeType":1293},{},[],"We have opted not to provide the domains associated with that campaign to preserve the privacy of the individuals being impersonated by the attacker. In many cases, their full name was included in the URL for the phishing page, while their name and profile picture (most likely scraped from LinkedIn) are also visible on the landing page. ",{"data":2700,"content":2701,"nodeType":1294},{},[2702],{"data":2703,"marks":2704,"value":2102,"nodeType":1293},{},[],{"data":2706,"content":2707,"nodeType":1361},{},[],{"data":2709,"content":2710,"nodeType":1371},{},[2711],{"data":2712,"marks":2713,"value":2715,"nodeType":1293},{},[2714],{"type":1369},"Learn more about Push",{"data":2717,"content":2718,"nodeType":1294},{},[2719],{"data":2720,"marks":2721,"value":2722,"nodeType":1293},{},[],"Push researchers are continuously analysing and developing new detections based on the latest phishing kits and TTPs which enables us to stay two steps ahead of attackers.",{"data":2724,"content":2725,"nodeType":1294},{},[2726],{"data":2727,"marks":2728,"value":2729,"nodeType":1293},{},[],"Push’s browser-based security platform provides comprehensive detection and response capabilities against attacks like AiTM phishing, credential stuffing, malicious browser extensions, malicious OAuth grants, ClickFix, and session hijacking. You don’t need to wait until it all goes wrong either — you can use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, and more to harden your attack surface.",{"data":2731,"content":2732,"nodeType":1294},{},[2733,2736,2743,2746,2753],{"data":2734,"marks":2735,"value":1737,"nodeType":1293},{},[],{"data":2737,"content":2738,"nodeType":1471},{"uri":1740},[2739],{"data":2740,"marks":2741,"value":1746,"nodeType":1293},{},[2742],{"type":1469},{"data":2744,"marks":2745,"value":1750,"nodeType":1293},{},[],{"data":2747,"content":2748,"nodeType":1471},{"uri":1753},[2749],{"data":2750,"marks":2751,"value":1759,"nodeType":1293},{},[2752],{"type":1469},{"data":2754,"marks":2755,"value":1763,"nodeType":1293},{},[],{"data":2757,"content":2760,"nodeType":1357},{"target":2758},{"sys":2759},{"id":1768,"type":1354,"linkType":1355},[],{"data":2762,"content":2763,"nodeType":1294},{},[2764],{"data":2765,"marks":2766,"value":37,"nodeType":1293},{},[],"Uncovering a Calendly-themed phishing campaign targeting business ad manager accounts","Investigating a phishing campaign targeting Google Ads Manager MCC accounts to propagate malvertising lures. ","uncovering-a-calendly-themed-phishing-campaign",{"items":2771},[2772,2774],{"sys":2773,"name":1310},{"id":1309},{"sys":2775,"name":1306},{"id":1305},{"items":2777},[2778],{"fullName":2779,"firstName":2780,"jobTitle":2781,"profilePicture":2782},"Luke Jennings","Luke","Vice President, R&D",{"url":2783},"https://images.ctfassets.net/y1cdw1ablpvd/4Hosb4zKi1dA0PUyDLMe1h/27e09d894861f2196ba794037986fb08/T016S22KZ96-U02NVQM7ZD4-57761d542d83-512.jpeg",{"items":2785},[2786],{"fullName":1789,"firstName":1790,"jobTitle":1791,"profilePicture":2787},{"url":1793},{"json":2789,"links":3387},{"nodeType":1295,"data":2790,"content":2791},{},[2792,2799,2806,2855,2861,2868,2875,2881,2887,2893,2896,2903,2910,2916,2923,2929,2935,2942,2948,2966,2969,2977,2984,2991,2998,3005,3011,3029,3032,3040,3047,3104,3111,3118,3121,3128,3135,3142,3148,3174,3177,3184,3200,3206,3249,3256,3299,3306,3379],{"nodeType":1294,"data":2793,"content":2794},{},[2795],{"nodeType":1293,"value":2796,"marks":2797,"data":2798},"In recent months, we’ve seen a significant increase in the number of attacks targeting ad manager accounts. These attacks ultimately serve up an Attacker-in-the-Middle (AITM) phishing page designed to steal the victim’s Google account. ",[],{},{"nodeType":1294,"data":2800,"content":2801},{},[2802],{"nodeType":1293,"value":2803,"marks":2804,"data":2805},"Most recently, we reported on:",[],{},{"nodeType":1693,"data":2807,"content":2808},{},[2809,2832],{"nodeType":1672,"data":2810,"content":2811},{},[2812],{"nodeType":1294,"data":2813,"content":2814},{},[2815,2819,2828],{"nodeType":1293,"value":2816,"marks":2817,"data":2818},"A campaign running ",[],{},{"nodeType":1471,"data":2820,"content":2822},{"uri":2821},"https://pushsecurity.com/blog/analysing-a-malvertising-attack-targeting-business-google-accounts/",[2823],{"nodeType":1293,"value":2824,"marks":2825,"data":2827},"fake malvertising ads for “Google Ads”",[2826],{"type":1469},{},{"nodeType":1293,"value":2829,"marks":2830,"data":2831}," in Google Search. ",[],{},{"nodeType":1672,"data":2833,"content":2834},{},[2835],{"nodeType":1294,"data":2836,"content":2837},{},[2838,2842,2851],{"nodeType":1293,"value":2839,"marks":2840,"data":2841},"A campaign using sophisticated ",[],{},{"nodeType":1471,"data":2843,"content":2845},{"uri":2844},"https://pushsecurity.com/blog/uncovering-a-calendly-themed-phishing-campaign/",[2846],{"nodeType":1293,"value":2847,"marks":2848,"data":2850},"Calendly-themed phishing lures",[2849],{"type":1469},{},{"nodeType":1293,"value":2852,"marks":2853,"data":2854}," targeting marketing professionals.",[],{},{"nodeType":1357,"data":2856,"content":2860},{"target":2857},{"sys":2858},{"id":2859,"type":1354,"linkType":1355},"1ThnhFZQIhzV179qclvzFH",[],{"nodeType":1294,"data":2862,"content":2863},{},[2864],{"nodeType":1293,"value":2865,"marks":2866,"data":2867},"Now, we’ve seen the Google Ads malvertising campaign expand to run additional ads impersonating Ahrefs, an AI marketing platform. Crucially, employees with access to Ahrefs are highly likely to also have access to Google Ads, meaning that attackers can reliably target Google accounts via Ahrefs. ",[],{},{"nodeType":1294,"data":2869,"content":2870},{},[2871],{"nodeType":1293,"value":2872,"marks":2873,"data":2874},"You can see a demo of the phishing chain below. ",[],{},{"nodeType":1357,"data":2876,"content":2880},{"target":2877},{"sys":2878},{"id":2879,"type":1354,"linkType":1355},"2XjyySGldgl9uPA7CZRms8",[],{"nodeType":1357,"data":2882,"content":2886},{"target":2883},{"sys":2884},{"id":2885,"type":1354,"linkType":1355},"yB12nGF91iq15GoHWItaX",[],{"nodeType":1357,"data":2888,"content":2892},{"target":2889},{"sys":2890},{"id":2891,"type":1354,"linkType":1355},"2NK29DaTd93kOctyWxV0RT",[],{"nodeType":1361,"data":2894,"content":2895},{},[],{"nodeType":1371,"data":2897,"content":2898},{},[2899],{"nodeType":1293,"value":1370,"marks":2900,"data":2902},[2901],{"type":1369},{},{"nodeType":1294,"data":2904,"content":2905},{},[2906],{"nodeType":1293,"value":2907,"marks":2908,"data":2909},"Users searching for “ahrefs” on Google Search were served with a fake ad impersonating Ahrefs, hosted on Squarespace, a legitimate website building and hosting platform. Previously, we’d seen this campaign use hosting sites Odoo and Kartra to similar effect. ",[],{},{"nodeType":1357,"data":2911,"content":2915},{"target":2912},{"sys":2913},{"id":2914,"type":1354,"linkType":1355},"59dhFey5rahm5sA20NudTl",[],{"nodeType":1294,"data":2917,"content":2918},{},[2919],{"nodeType":1293,"value":2920,"marks":2921,"data":2922},"Upon clicking the link, the victim was taken to a clone of the real Ahrefs site. Crucially, you can see that the domain is not the official Ahrefs domain. ",[],{},{"nodeType":1357,"data":2924,"content":2928},{"target":2925},{"sys":2926},{"id":2927,"type":1354,"linkType":1355},"48fQUiJXC1qACKUUPDliS5",[],{"nodeType":1357,"data":2930,"content":2934},{"target":2931},{"sys":2932},{"id":2933,"type":1354,"linkType":1355},"77iqOW1jDVt5Oxw8qTwnKG",[],{"nodeType":1294,"data":2936,"content":2937},{},[2938],{"nodeType":1293,"value":2939,"marks":2940,"data":2941},"However, the site is not fully interactable beyond the front page. Clicking on any link takes the user to a Google sign-in page. ",[],{},{"nodeType":1357,"data":2943,"content":2947},{"target":2944},{"sys":2945},{"id":2946,"type":1354,"linkType":1355},"7t9BoUyIFN8dlBDksjsYlD",[],{"nodeType":1294,"data":2949,"content":2950},{},[2951,2955,2962],{"nodeType":1293,"value":2952,"marks":2953,"data":2954},"This is in fact an AITM phishing page that is designed to hijack the victim’s Google account. Entering credentials and completing the MFA check will result in the attacker stealing the app session and effectively taking over the account. The phishing kit used matches ",[],{},{"nodeType":1471,"data":2956,"content":2957},{"uri":2821},[2958],{"nodeType":1293,"value":2959,"marks":2960,"data":2961},"the previous malvertising detected impersonating Google Ads",[],{},{"nodeType":1293,"value":2963,"marks":2964,"data":2965},". ",[],{},{"nodeType":1361,"data":2967,"content":2968},{},[],{"nodeType":1371,"data":2970,"content":2971},{},[2972],{"nodeType":1293,"value":2973,"marks":2974,"data":2976},"Why are attackers targeting ad manager accounts?",[2975],{"type":1369},{},{"nodeType":1294,"data":2978,"content":2979},{},[2980],{"nodeType":1293,"value":2981,"marks":2982,"data":2983},"Ad Manager accounts on platforms like Google, Facebook, and LinkedIn have become lucrative targets for cybercriminals. By compromising these accounts, attackers can exploit the digital advertising ecosystem in various ways for financial gain. ",[],{},{"nodeType":1294,"data":2985,"content":2986},{},[2987],{"nodeType":1293,"value":2988,"marks":2989,"data":2990},"The ad industry’s scale makes it attractive to fraud. Estimates suggest digital ad fraud cost advertisers tens of billions, potentially nearing $100 billion or more, with projections reaching $172 billion by 2028.",[],{},{"nodeType":1294,"data":2992,"content":2993},{},[2994],{"nodeType":1293,"value":2995,"marks":2996,"data":2997},"A hijacked Google Ad Manager account gives attackers access to significant ad spend and account data which can be monetized illicitly. The tactics range from stealthy ad fraud to overt abuse like malicious ads or extortion schemes.",[],{},{"nodeType":1294,"data":2999,"content":3000},{},[3001],{"nodeType":1293,"value":3002,"marks":3003,"data":3004},"Pretty much every enterprise today advertises their services via Google ads — this makes attacks on these accounts pretty much a unanimous problem. Agencies managing numerous client accounts are put further at risk. For example, if an attacker can compromise an MCC account (used to manage several ad accounts) they get full access to the customer portfolio. ",[],{},{"nodeType":1357,"data":3006,"content":3010},{"target":3007},{"sys":3008},{"id":3009,"type":1354,"linkType":1355},"1WPbstxHtdjnAKpF1rhCpW",[],{"nodeType":1294,"data":3012,"content":3013},{},[3014,3018,3026],{"nodeType":1293,"value":3015,"marks":3016,"data":3017},"Learn more about why attackers are targeting ad manager accounts ",[],{},{"nodeType":1471,"data":3019,"content":3021},{"uri":3020},"https://pushsecurity.com/blog/cyber-criminal-ecosystem-analysis",[3022],{"nodeType":1293,"value":3023,"marks":3024,"data":3025},"in our blog post",[],{},{"nodeType":1293,"value":2963,"marks":3027,"data":3028},[],{},{"nodeType":1361,"data":3030,"content":3031},{},[],{"nodeType":1371,"data":3033,"content":3034},{},[3035],{"nodeType":1293,"value":3036,"marks":3037,"data":3039},"Why malvertising? ",[3038],{"type":1369},{},{"nodeType":1294,"data":3041,"content":3042},{},[3043],{"nodeType":1293,"value":3044,"marks":3045,"data":3046},"Malvertising scams happen across lots of different sites, but the most common platform we see targeted is Google Search. This takes advantage of users browsing to find a website and clicking the first link that appears — in this case a fake sponsored link taking you to the attacker’s page. ",[],{},{"nodeType":1294,"data":3048,"content":3049},{},[3050,3054,3061,3065,3074,3078,3087,3091,3100],{"nodeType":1293,"value":3051,"marks":3052,"data":3053},"Malvertising attacks delivered over channels like Google Search are a great way to catch victims unawares while also evading typically email-based anti-phishing controls. Malvertising is an increasingly popular attack vector for the delivery of AITM phishing, malware downloads, and ",[],{},{"nodeType":1471,"data":3055,"content":3056},{"uri":1966},[3057],{"nodeType":1293,"value":1972,"marks":3058,"data":3060},[3059],{"type":1469},{},{"nodeType":1293,"value":3062,"marks":3063,"data":3064}," (4 in 5 ClickFix attacks intercepted by Push were delivered via Google Search). This isn’t just targeting ad manager accounts — last year, we reported on campaigns impersonating ",[],{},{"nodeType":1471,"data":3066,"content":3068},{"uri":3067},"https://pushsecurity.com/blog/analysing-a-sophisticated-google-malvertising-attack/",[3069],{"nodeType":1293,"value":3070,"marks":3071,"data":3073},"TradingView",[3072],{"type":1469},{},{"nodeType":1293,"value":3075,"marks":3076,"data":3077},", ",[],{},{"nodeType":1471,"data":3079,"content":3081},{"uri":3080},"https://pushsecurity.com/blog/phishing-with-active-directory-federation-services/",[3082],{"nodeType":1293,"value":3083,"marks":3084,"data":3086},"Microsoft Office 365",[3085],{"type":1469},{},{"nodeType":1293,"value":3088,"marks":3089,"data":3090},", and ",[],{},{"nodeType":1471,"data":3092,"content":3094},{"uri":3093},"https://pushsecurity.com/blog/investigating-a-recent-malvertising-campaign-targeting-onfido-customers/",[3095],{"nodeType":1293,"value":3096,"marks":3097,"data":3099},"Onfido",[3098],{"type":1469},{},{"nodeType":1293,"value":3101,"marks":3102,"data":3103},", to name a few. ",[],{},{"nodeType":1294,"data":3105,"content":3106},{},[3107],{"nodeType":1293,"value":3108,"marks":3109,"data":3110},"There’s a tendency to see malvertising as a more random attack, but Google Ads can be tuned to searches coming from specific geographic locations, tailored to specific email domain matches, or specific device types (e.g. desktop, mobile, etc.). If you know where your target organization is located, you can tailor the ad to that location. Even more precise ad targeting can be achieved on social media platforms. ",[],{},{"nodeType":1294,"data":3112,"content":3113},{},[3114],{"nodeType":1293,"value":3115,"marks":3116,"data":3117},"Because these attacks completely circumvent the traditional phishing detection surface (email) and often happen entirely over the internet (meaning no endpoint security controls can come into play) the only way to reliably detect and stop these attacks is to intercept them where they happen — in the user’s web browser. ",[],{},{"nodeType":1361,"data":3119,"content":3120},{},[],{"nodeType":1371,"data":3122,"content":3123},{},[3124],{"nodeType":1293,"value":1704,"marks":3125,"data":3127},[3126],{"type":1369},{},{"nodeType":1294,"data":3129,"content":3130},{},[3131],{"nodeType":1293,"value":3132,"marks":3133,"data":3134},"Regardless of the delivery channel, all roads lead to a web page accessed in the victim’s browser, where Push is waiting to detect and block the attack. Even if the page has never been previously flagged as suspicious or malicious, Push analyses the page in real time and blocks it — protecting against the latest zero-day threats.  ",[],{},{"nodeType":1294,"data":3136,"content":3137},{},[3138],{"nodeType":1293,"value":3139,"marks":3140,"data":3141},"By seeing what your users see, and getting an unfiltered, real-time view of the page as it loads, Push is able to pinpoint malicious content, code, and behaviors and shut the attack down before it happens. Whether it's entering credentials onto a phishing page, approving a malicious OAuth grant, installing a risky browser extension, or insecurely accessing an app with a weak password and no MFA, Push detects the action and shuts it down.",[],{},{"nodeType":1294,"data":3143,"content":3144},{},[3145],{"nodeType":1293,"value":2133,"marks":3146,"data":3147},[],{},{"nodeType":1294,"data":3149,"content":3150},{},[3151,3154,3161,3164,3171],{"nodeType":1293,"value":1737,"marks":3152,"data":3153},[],{},{"nodeType":1471,"data":3155,"content":3156},{"uri":1740},[3157],{"nodeType":1293,"value":1746,"marks":3158,"data":3160},[3159],{"type":1469},{},{"nodeType":1293,"value":1750,"marks":3162,"data":3163},[],{},{"nodeType":1471,"data":3165,"content":3166},{"uri":1753},[3167],{"nodeType":1293,"value":1759,"marks":3168,"data":3170},[3169],{"type":1469},{},{"nodeType":1293,"value":1763,"marks":3172,"data":3173},[],{},{"nodeType":1361,"data":3175,"content":3176},{},[],{"nodeType":1371,"data":3178,"content":3179},{},[3180],{"nodeType":1293,"value":1631,"marks":3181,"data":3183},[3182],{"type":1369},{},{"nodeType":1294,"data":3185,"content":3186},{},[3187,3190,3197],{"nodeType":1293,"value":1638,"marks":3188,"data":3189},[],{},{"nodeType":1471,"data":3191,"content":3192},{"uri":1641},[3193],{"nodeType":1293,"value":1647,"marks":3194,"data":3196},[3195],{"type":1469},{},{"nodeType":1293,"value":1651,"marks":3198,"data":3199},[],{},{"nodeType":1294,"data":3201,"content":3202},{},[3203],{"nodeType":1293,"value":1658,"marks":3204,"data":3205},[],{},{"nodeType":1693,"data":3207,"content":3208},{},[3209,3219,3229,3239],{"nodeType":1672,"data":3210,"content":3211},{},[3212],{"nodeType":1294,"data":3213,"content":3214},{},[3215],{"nodeType":1293,"value":3216,"marks":3217,"data":3218},"comandd-ok[.]com",[],{},{"nodeType":1672,"data":3220,"content":3221},{},[3222],{"nodeType":1294,"data":3223,"content":3224},{},[3225],{"nodeType":1293,"value":3226,"marks":3227,"data":3228},"ahrefs-ac.squarespace[.]com",[],{},{"nodeType":1672,"data":3230,"content":3231},{},[3232],{"nodeType":1294,"data":3233,"content":3234},{},[3235],{"nodeType":1293,"value":3236,"marks":3237,"data":3238},"ahrefs-seo-app.squarespace[.]com",[],{},{"nodeType":1672,"data":3240,"content":3241},{},[3242],{"nodeType":1294,"data":3243,"content":3244},{},[3245],{"nodeType":1293,"value":3246,"marks":3247,"data":3248},"slgn-ahrefs-app-com.squarespace[.]com",[],{},{"nodeType":1294,"data":3250,"content":3251},{},[3252],{"nodeType":1293,"value":3253,"marks":3254,"data":3255},"[Update 24th February] We also observed the following new domains:",[],{},{"nodeType":1693,"data":3257,"content":3258},{},[3259,3269,3279,3289],{"nodeType":1672,"data":3260,"content":3261},{},[3262],{"nodeType":1294,"data":3263,"content":3264},{},[3265],{"nodeType":1293,"value":3266,"marks":3267,"data":3268},"www-ahrefs-seo-ads[.]surge.sh",[],{},{"nodeType":1672,"data":3270,"content":3271},{},[3272],{"nodeType":1294,"data":3273,"content":3274},{},[3275],{"nodeType":1293,"value":3276,"marks":3277,"data":3278},"web-semrush-seo-wold[.]surge[.]sh",[],{},{"nodeType":1672,"data":3280,"content":3281},{},[3282],{"nodeType":1294,"data":3283,"content":3284},{},[3285],{"nodeType":1293,"value":3286,"marks":3287,"data":3288},"contabelforeehc[.]com",[],{},{"nodeType":1672,"data":3290,"content":3291},{},[3292],{"nodeType":1294,"data":3293,"content":3294},{},[3295],{"nodeType":1293,"value":3296,"marks":3297,"data":3298},"contabelfore[.]com",[],{},{"nodeType":1294,"data":3300,"content":3301},{},[3302],{"nodeType":1293,"value":3303,"marks":3304,"data":3305},"In addition, the following domains were previously associated with the attacks we detected in December:",[],{},{"nodeType":1693,"data":3307,"content":3308},{},[3309,3319,3329,3339,3349,3359,3369],{"nodeType":1672,"data":3310,"content":3311},{},[3312],{"nodeType":1294,"data":3313,"content":3314},{},[3315],{"nodeType":1293,"value":3316,"marks":3317,"data":3318},"ads-adsword1.odoo[.]com",[],{},{"nodeType":1672,"data":3320,"content":3321},{},[3322],{"nodeType":1294,"data":3323,"content":3324},{},[3325],{"nodeType":1293,"value":3326,"marks":3327,"data":3328},"sing-operador2[.]click/accounts/v3/login",[],{},{"nodeType":1672,"data":3330,"content":3331},{},[3332],{"nodeType":1294,"data":3333,"content":3334},{},[3335],{"nodeType":1293,"value":3336,"marks":3337,"data":3338},"adsgooglie.odoo[.]com/",[],{},{"nodeType":1672,"data":3340,"content":3341},{},[3342],{"nodeType":1294,"data":3343,"content":3344},{},[3345],{"nodeType":1293,"value":3346,"marks":3347,"data":3348},"word4only[.]online/",[],{},{"nodeType":1672,"data":3350,"content":3351},{},[3352],{"nodeType":1294,"data":3353,"content":3354},{},[3355],{"nodeType":1293,"value":3356,"marks":3357,"data":3358},"adsloginacess.kartra[.]com/page/oeN7",[],{},{"nodeType":1672,"data":3360,"content":3361},{},[3362],{"nodeType":1294,"data":3363,"content":3364},{},[3365],{"nodeType":1293,"value":3366,"marks":3367,"data":3368},"ads-o.odoo[.]com",[],{},{"nodeType":1672,"data":3370,"content":3371},{},[3372],{"nodeType":1294,"data":3373,"content":3374},{},[3375],{"nodeType":1293,"value":3376,"marks":3377,"data":3378},"operador8-ads[.]lat/accounts/v3/login/",[],{},{"nodeType":1294,"data":3380,"content":3381},{},[3382],{"nodeType":1293,"value":3383,"marks":3384,"data":3386},"Push customers do not need to take any further action.",[3385],{"type":1369},{},{"entries":3388},{"hyperlink":3389,"inline":3390,"block":3391},[],[],[3392,3400,3406,3433,3437,3444,3470,3475,3480],{"sys":3393,"__typename":3394,"title":3395,"caption":3395,"layoutMode":118,"file":3396},{"id":2859},"Image","We reported on this campaign running malicious ads for “Google Ads” in December.",{"url":3397,"width":3398,"height":3399},"https://images.ctfassets.net/y1cdw1ablpvd/4thOH70HwzZnhzWcU2zUAP/cf64ff8825037b233d5ab34bdb11d97f/image4.png",1999,1205,{"sys":3401,"__typename":3402,"title":3403,"arcadeDemoUrl":3404,"playText":3405},{"id":2879},"ArcadeDemo","Ahrefs Malvertising Attack Demo","https://demo.arcade.software/9O3tGrFzckBbTlRSnyEK?embed","30 secs",{"sys":3407,"__typename":3408,"content":3409,"name":3432,"title":118},{"id":2885},"InsightTextBlockComponent",{"json":3410},{"nodeType":1295,"data":3411,"content":3412},{},[3413,3425],{"nodeType":1294,"data":3414,"content":3415},{},[3416,3421],{"nodeType":1293,"value":3417,"marks":3418,"data":3420},"Update 24th February: ",[3419],{"type":1369},{},{"nodeType":1293,"value":3422,"marks":3423,"data":3424},"We discovered additional activity relating to this campaign with more Ahrefs malvertising on Google Search, this time pointing to fake domains hosted on surge[.]sh. We also blocked Push customers from interacting with a similar ad impersonating Semrush, also hosted on surge[.]sh. ",[],{},{"nodeType":1294,"data":3426,"content":3427},{},[3428],{"nodeType":1293,"value":3429,"marks":3430,"data":3431},"New IoCs have been added and you can see a video of this new attack below. ",[],{},"Ahrefs malvertising insight box 3",{"sys":3434,"__typename":3402,"title":3435,"arcadeDemoUrl":3436,"playText":3405},{"id":2891},"Ahrefs Malvertising v2","https://demo.arcade.software/3QIKy5x7kmMd0oSrFeOB?embed",{"sys":3438,"__typename":3394,"title":3439,"caption":3440,"layoutMode":118,"file":3441},{"id":2914},"Ahrefs malvertising lure","Ahrefs malvertising link featured on Google Search under \"Sponsored Results\"",{"url":3442,"width":3398,"height":3443},"https://images.ctfassets.net/y1cdw1ablpvd/6pfKxxRmvykxJ2t5xFJmpz/fc8d3d65b22beea965f1a45dae0b249c/image1.png",1126,{"sys":3445,"__typename":3408,"content":3446,"name":3469,"title":118},{"id":2927},{"json":3447},{"data":3448,"content":3449,"nodeType":1295},{},[3450],{"data":3451,"content":3452,"nodeType":1294},{},[3453,3457,3466],{"data":3454,"marks":3455,"value":3456,"nodeType":1293},{},[],"Notably, the site’s language is set to Brazilian Portuguese in the HTML (lang=\"pt-BR\"). Based on this, the campaign is likely linked to the same threat actors ",{"data":3458,"content":3460,"nodeType":1471},{"uri":3459},"https://www.malwarebytes.com/blog/news/2025/01/the-great-google-ads-heist-criminals-ransack-advertiser-accounts-via-fake-google-ads",[3461],{"data":3462,"marks":3463,"value":3465,"nodeType":1293},{},[3464],{"type":1469},"reported by MalwareBytes in January 2025",{"data":3467,"marks":3468,"value":2963,"nodeType":1293},{},[],"Ahrefs malvertising insight box 1",{"sys":3471,"__typename":3394,"title":3472,"caption":3472,"layoutMode":118,"file":3473},{"id":2933},"Fake Ahrefs landing page",{"url":3474,"width":3398,"height":3443},"https://images.ctfassets.net/y1cdw1ablpvd/6vlPpGpLhMOTo5ijMxZav0/bfe816a0f301914d334ec9db9dfa56b1/image2.png",{"sys":3476,"__typename":3394,"title":3477,"caption":3477,"layoutMode":118,"file":3478},{"id":2946},"Cloned Google login page used to perform AITM phishing",{"url":3479,"width":3398,"height":3443},"https://images.ctfassets.net/y1cdw1ablpvd/5uh2f3ONpNQgMssDfdtALK/1edd93a6365e60049a01367b7b7b9448/image4.png",{"sys":3481,"__typename":3408,"content":3482,"name":3523,"title":118},{"id":3009},{"json":3483},{"nodeType":1295,"data":3484,"content":3485},{},[3486,3493,3500],{"nodeType":1294,"data":3487,"content":3488},{},[3489],{"nodeType":1293,"value":3490,"marks":3491,"data":3492},"It’s also worth noting that a Google Ad Manager account is also an enterprise SSO account that can be used to access broader Google Workspace services and any connected apps that are SSO-enabled. ",[],{},{"nodeType":1294,"data":3494,"content":3495},{},[3496],{"nodeType":1293,"value":3497,"marks":3498,"data":3499},"Even if the victim isn’t predominantly a Google house, a Google account using the same email as a different identity provider account (e.g. Microsoft) can still be used to access downstream apps via SSO. This is because most apps use email as an identifier, while 3 in 5 apps also allow you to access an account using a new login method without doing any further verification checks. ",[],{},{"nodeType":1294,"data":3501,"content":3502},{},[3503,3508,3518],{"nodeType":1293,"value":3504,"marks":3505,"data":3507},"Read our ",[3506],{"type":1369},{},{"nodeType":1471,"data":3509,"content":3511},{"uri":3510},"https://pushsecurity.com/blog/cross-idp-impersonation/",[3512],{"nodeType":1293,"value":3513,"marks":3514,"data":3517},"blog post on cross-IdP impersonation",[3515,3516],{"type":1469},{"type":1369},{},{"nodeType":1293,"value":3519,"marks":3520,"data":3522}," for more information. ",[3521],{"type":1369},{},"Ahrefs malvertising insight box 2","content:blog:google-search-malvertising-campaign-continues-now-impersonating-ahrefs.json","json","content","blog/google-search-malvertising-campaign-continues-now-impersonating-ahrefs.json","blog/google-search-malvertising-campaign-continues-now-impersonating-ahrefs",1776359982285]