[{"data":1,"prerenderedAt":3435},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":95,"navbar-about-highlight":155,"navbar-resource-highlight":211,"use-case-page":256,"blog/how-attackers-compromise-azure-organizations-through-saas-apps":1276},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8,59,76],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":14,"data":15,"variations":50,"lastUpdated":51,"firstPublished":52,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":54,"meta":55,"rev":58},1742213002749,"efff2a27faf4408e9f908eba4b5542fe","inductive-automation","1c6207a5f24948ab82d4a0b17f251193","published",[],{"testimonial":16,"description":43,"type":19,"link":44,"title":47,"testimonialLink":48,"image":49},{"@type":17,"id":18,"model":19,"value":20},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79","testimonial",{"query":21,"folders":22,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":26,"variations":30,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":35,"rev":42},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":27,"jobTitle":28,"quote":24,"image":29},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,1,"ST0tXQM8slWpFrmioqKHmENB2qe2",{"kind":36,"lastPreviewUrl":37,"breakpoints":38,"hasAutosaves":41},"data","",{"small":39,"medium":40},640,768,true,"3v32gocrrqz","Join the industry's top security minds as they break down the browser attack landscape.",{"url":45,"text":46},"https://pushsecurity.com/webinar/state-of-browser-security","Save Your Spot","State of Browser Attacks Series","/customer-stories/inductive-automation","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe94fca10aa7b46ac8052b7ea22de54cd",{},1776257019270,1742221533648,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2",[],{"breakpoints":56,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},320,"motto9r9yg",{"createdDate":60,"id":61,"name":62,"modelId":12,"published":13,"query":63,"data":64,"variations":69,"lastUpdated":70,"firstPublished":71,"testRatio":33,"createdBy":53,"lastUpdatedBy":72,"folders":73,"meta":74,"rev":58},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner",[],{"type":65,"url":66,"text":67,"link":68},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,"jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":36,"lastPreviewUrl":37,"breakpoints":75,"hasAutosaves":41},{"xsmall":57,"small":39,"medium":40},{"createdDate":77,"id":78,"name":79,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":80,"data":81,"variations":89,"lastUpdated":90,"firstPublished":91,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":92,"meta":93,"rev":58},1742208469288,"6763051b201f44a0838c6400c580ca67","Resource highlight",[],{"image":82,"type":83,"description":84,"link":85,"title":88},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9","resource","Learn about the latest techniques being used in the wild.",{"url":86,"text":87},"/resources/browser-attacks-report","Download now","Report: 2026 Browser Attack Techniques",{},1776255866789,1742208570400,[],{"kind":36,"lastPreviewUrl":37,"breakpoints":94,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},{"createdDate":96,"id":97,"name":98,"modelId":99,"published":13,"query":100,"data":101,"variations":145,"lastUpdated":146,"firstPublished":147,"testRatio":33,"createdBy":34,"lastUpdatedBy":148,"folders":149,"meta":150,"rev":154},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":102,"text":103,"url":37,"blocks":104,"state":141},"ewrererw","testrfesssssssssss",[105,129],{"@type":106,"@version":107,"id":108,"component":109,"responsiveStyles":119},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":110,"tag":110,"options":111,"isRSC":118},"TopBannerContent",{"text":112,"ctaText":46,"url":45,"mainText":113,"cta":116},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks",{"content":114,"fontSize":115},"\u003Cp>New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks\u003C/p>","text-base",{"content":117,"fontSize":115,"url":45},"\u003Cp>\u003Cstrong style=\"font-weight:700;\">Save Your Spot\u003C/strong>\u003C/p>\n",null,{"large":120},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"marginTop":126,"marginBottom":126,"fontSize":127,"fontWeight":128},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"id":130,"@type":106,"tagName":131,"properties":132,"responsiveStyles":136},"builder-pixel-08zrjigffq5t","img",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":137},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},"block","hidden","none",{"deviceSize":142,"location":143},"large",{"path":37,"query":144},{},{},1775137295127,1774968080803,"ax7YYfD0OCeqT1Vxxv1G4FUbqVr1",[],{"breakpoints":151,"hasLinks":6,"kind":152,"lastPreviewUrl":153,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests%2CmergePullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default","2lvuonnywj",[156,180],{"createdDate":157,"id":158,"name":159,"modelId":160,"published":13,"stageModifiedSincePublish":6,"query":161,"data":162,"variations":173,"lastUpdated":174,"firstPublished":175,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":176,"meta":177,"rev":179},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":163,"type":19,"testimonialLink":48,"testimonial":164},{},{"@type":17,"id":18,"model":19,"value":165},{"query":166,"folders":167,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":168,"variations":169,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":170,"rev":172},[],[],{"author":27,"jobTitle":28,"quote":24,"image":29},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":171,"hasAutosaves":41},{"small":39,"medium":40},"7t755zfvte3",{},1776247404986,1776247404973,[],{"breakpoints":178,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"4moh0qpywtr",{"createdDate":181,"id":182,"name":88,"modelId":160,"published":13,"meta":183,"stageModifiedSincePublish":6,"query":185,"data":186,"variations":207,"lastUpdated":208,"firstPublished":209,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":210,"rev":179},1776255761419,"05a9322735fc427db12e2740e4302300",{"breakpoints":184,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[],{"testimonial":187,"link":206,"type":83,"title":88,"description":84,"image":82},{"@type":17,"id":188,"model":19,"value":189},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":190,"folders":191,"createdDate":192,"id":188,"name":193,"modelId":25,"published":13,"data":194,"variations":200,"lastUpdated":201,"firstPublished":202,"testRatio":33,"createdBy":34,"lastUpdatedBy":53,"meta":203,"rev":205},[],[],1728981467463,"Push does for identity what CrowdStrike did for the endpoint",{"video":195,"jobTitle":196,"author":197,"qoute":37,"quote":198,"image":199},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":36,"lastPreviewUrl":37,"breakpoints":204,"hasAutosaves":41},{"small":39,"medium":40},"6s8ic0w0ao6",{"text":87,"url":86},{},1776255810913,1776255810900,[],[212,235],{"createdDate":213,"id":214,"name":88,"modelId":215,"published":13,"meta":216,"stageModifiedSincePublish":6,"query":218,"data":219,"variations":230,"lastUpdated":231,"firstPublished":232,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":233,"rev":234},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":217,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[],{"testimonial":220,"link":229,"type":83,"title":88,"description":84,"image":82},{"@type":17,"id":188,"model":19,"value":221},{"query":222,"folders":223,"createdDate":192,"id":188,"name":193,"modelId":25,"published":13,"data":224,"variations":225,"lastUpdated":201,"firstPublished":202,"testRatio":33,"createdBy":34,"lastUpdatedBy":53,"meta":226,"rev":228},[],[],{"video":195,"jobTitle":196,"author":197,"qoute":37,"quote":198,"image":199},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":227,"hasAutosaves":41},{"small":39,"medium":40},"r77qqueuo3j",{"text":87,"url":86},{},1776256937553,1776256937540,[],"q0jkez80wkg",{"createdDate":236,"id":237,"name":11,"modelId":215,"published":13,"stageModifiedSincePublish":6,"query":238,"data":239,"variations":250,"lastUpdated":251,"firstPublished":252,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":253,"meta":254,"rev":234},1776256949234,"ce043785b71b4ece98eac811ecf4ba10",[],{"link":240,"type":19,"testimonial":241,"testimonialLink":48},{},{"@type":17,"id":18,"model":19,"value":242},{"query":243,"folders":244,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":245,"variations":246,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":247,"rev":249},[],[],{"author":27,"jobTitle":28,"quote":24,"image":29},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":248,"hasAutosaves":41},{"small":39,"medium":40},"mnaneamy308",{},1776256974140,1776256974130,[],{"breakpoints":255,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[257,441,560,679,797,917,1037,1157],{"createdDate":258,"id":259,"name":260,"modelId":261,"published":13,"stageModifiedSincePublish":6,"query":262,"data":268,"variations":429,"lastUpdated":430,"firstPublished":431,"testRatio":33,"screenshot":432,"createdBy":34,"lastUpdatedBy":433,"folders":434,"meta":435,"rev":440},1744829487099,"387451215c314dd5bd654668cdc1a197","Zero-day phishing","cca4143377554c5a9163cc203a8ed2ba",[263],{"@type":264,"property":265,"operator":266,"value":267},"@builder.io/core:Query","urlPath","is","/uc/zero-day-phishing-protection",{"inputs":269,"customFonts":270,"seoTitle":318,"title":318,"tsCode":37,"seoDescription":319,"fontAwesomeIcon":320,"jsCode":37,"blocks":321,"url":267,"state":426},[],[271],{"family":272,"kind":273,"version":274,"lastModified":275,"files":276,"category":295,"menu":296,"subsets":297,"variants":300},"DM Sans","webfonts#webfont","v14","2023-07-13",{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"800italic":285,"900italic":286,"700italic":287,"100italic":288,"italic":289,"regular":290,"200italic":291,"500italic":292,"300italic":293,"600italic":294},"https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAop1hTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwA_JxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAkJxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAfJthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwARZthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAC5thTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8gCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9uCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDG3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-7DW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat_XDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9XCm3zRmYJpso5.ttf","sans-serif","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxRT23z.ttf",[298,299],"latin","latin-ext",[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"100","200","300","regular","500","600","800","900","100italic","200italic","300italic","italic","500italic","600italic","700italic","800italic","900italic","Zero-day phishing protection","Detect phishing TTPs directly in the browser and stop credential theft.","faFishingRod",[322,421],{"@type":106,"@version":107,"tagName":323,"id":324,"children":325},"div","builder-76c6b8d1499346c7bc1fd56ae4e93638",[326,343,351,358,370,385,396,407,413],{"@type":106,"@version":107,"layerName":327,"id":328,"component":329,"responsiveStyles":340},"UseCaseHero","builder-5228fe062bef4a40a91e43f1112832fa",{"name":327,"options":330,"isRSC":118},{"title":318,"description":331,"points":332,"video":339},"\u003Cp>Push detects phishing as it happens. Autonomous agents hunt for new phishing techniques, identify kit signatures, and deploy detections within minutes of a new attack being analyzed. From cloned login pages to AiTM credential harvesting, Push sees what traditional filters miss and stops threats before they escalate.\u003C/p>",[333,335,337],{"item":334},"Detect phishing that bypasses traditional filters, including AiTM, SSO password theft, and fake login pages",{"item":336},"Stop never-before-seen attacks with AI-native behavioral and on-page analysis inside the browser",{"item":338},"Investigate faster with unified browser, user, and page context","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F40433ceeb4f94b43a82e039a0f4fd411%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=40433ceeb4f94b43a82e039a0f4fd411&alt=media&optimized=true",{"large":341},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},"transparent",{"@type":106,"@version":107,"id":344,"component":345,"responsiveStyles":348},"builder-96634044407e491299e291ed64669e39",{"name":346,"options":347,"isRSC":118},"TrustedBy",{"AllPartners":41,"backgroundTransparent":6},{"large":349},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},"#000",{"@type":106,"@version":107,"id":352,"component":353,"responsiveStyles":356},"builder-2c3768f930534557bb8978e32b6a6a0f",{"name":354,"options":355,"isRSC":118},"Diagonal",{"darkMode":41},{"large":357},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":359,"id":360,"component":361,"responsiveStyles":368},"TextImageBlockVertical","builder-7c3c1c2840424db2ad2ccbfaf382dd64",{"name":359,"tag":359,"options":362,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":365,"description":366,"animatedTitle":37,"image":367,"reverse":6,"descriptionPaddingHorizontal":118},1200,800,"\u003Ch2>Why stop at the inbox?\u003C/h2>","\u003Cp>Phishing attacks have evolved. Whether attackers lure users with QR codes, instant messages, or OAuth consent screens, the outcome is the same: it plays out in the browser. Push gives you real-time detection for in-browser threats, stopping phishing and consent-based attacks before they lead to compromise\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7fdcac241f0e4a049166d7076858adeb",{"large":369},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":371,"component":372,"responsiveStyles":380},"builder-41c978b3669749cf947e622b4e79e4d7",{"name":373,"options":374,"isRSC":118},"TextImageBlockHorizontal",{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":377,"description":378,"reverse":41,"image":379},600,100,"\u003Cp>Detect phishing at the edge\u003C/p>","\u003Cp>Push uses industry-first telemetry to detect phishing based on behavior, not static indicators. Autonomous agents analyze how phishing pages behave and how users interact with them, uncovering fake logins, credential theft, and phishing kits the moment they load in the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F9df3d180c97b4e61af142af2ccd68721",{"large":381},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},"DM Sans, sans-serif","20px","0px",{"@type":106,"@version":107,"id":386,"component":387,"responsiveStyles":393},"builder-d2a7bc941feb43cdb898bc116b203cf9",{"name":373,"options":388,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":390,"description":391,"reverse":6,"image":392},120,"\u003Ch2>Go beyond blocklists and IOCs\u003C/h2>","\u003Cp>Push goes beyond URLs and easy-to-change indicators. It reads the full phishing playbook like script behavior, session hijacks, DOM changes, user inputs, then connects the dots in real time. This gives your team a complete picture of how the phishing attempt worked, not just an alert.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fabfd58db169b433e96d3f1261797156e",{"large":394},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},"36px",{"@type":106,"@version":107,"layerName":373,"id":397,"component":398,"responsiveStyles":404},"builder-42c32198083f4880acb37c5cb76934da",{"name":373,"options":399,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":401,"description":402,"reverse":41,"image":403},140,"\u003Ch2>Enhance your phishing response\u003C/h2>","\u003Cp>When phishing enters your environment, speed matters. Push gives you instant access to the telemetry that counts like session data, user behavior, and page activity, so you can investigate fast, trigger in-browser prompts, or forward alerts to your SIEM or SOAR for response. All in real time, right from the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fbb195aec46904056b85e8688629e558e",{"large":405},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},"47px",{"@type":106,"@version":107,"id":408,"component":409,"responsiveStyles":411},"builder-9a95b9cbc4854421a92ef7b90f6c7adb",{"name":354,"options":410,"isRSC":118},{"darkMode":6},{"large":412},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":414,"component":415,"responsiveStyles":419},"builder-0afa17a9f25c4661a90f314d5578aa18",{"name":416,"tag":416,"options":417,"isRSC":118},"LatestResources",{"sectionHeading":37,"customClass":418},"bg-black",{"large":420},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":422,"@type":106,"tagName":131,"properties":423,"responsiveStyles":424},"builder-pixel-21yj6h3p4wh",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":425},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":427},{"path":37,"query":428},{},{},1776275046831,1745499158657,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fff60c30a8442489c8ed7e0af9599d14f","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"lastPreviewUrl":436,"winningTest":118,"breakpoints":437,"kind":438,"hasLinks":6,"originalContentId":439,"hasAutosaves":6},"https://pushsecurity.com/uc/zero-day-phishing-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=387451215c314dd5bd654668cdc1a197&builder.overrides.387451215c314dd5bd654668cdc1a197=387451215c314dd5bd654668cdc1a197&builder.overrides.use-case-page:/uc/zero-day-phishing-protection=387451215c314dd5bd654668cdc1a197&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},"page","2daa5670b8504fc7ba4700633e8bd921","atvz4dp24b7",{"createdDate":442,"id":443,"name":444,"modelId":261,"published":13,"stageModifiedSincePublish":6,"query":445,"data":448,"variations":552,"lastUpdated":553,"firstPublished":554,"testRatio":33,"screenshot":555,"createdBy":34,"lastUpdatedBy":433,"folders":556,"meta":557,"rev":440},1756833377777,"54f8256648f54d439303734b1e69221b","Browser extension security",[446],{"@type":264,"property":265,"operator":266,"value":447},"/uc/browser-extension-security",{"seoDescription":449,"jsCode":37,"fontAwesomeIcon":450,"tsCode":37,"title":444,"seoTitle":444,"customFonts":451,"inputs":456,"blocks":457,"url":447,"state":549},"Shine a light on risky browser extensions.","faPuzzlePiece",[452],{"kind":273,"family":272,"version":274,"files":453,"category":295,"lastModified":275,"subsets":454,"variants":455,"menu":296},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"100italic":288,"italic":289,"regular":290,"900italic":286,"800italic":285,"700italic":287,"200italic":291,"300italic":293,"500italic":292,"600italic":294},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],[],[458,544],{"@type":106,"@version":107,"tagName":323,"id":459,"meta":460,"children":461},"builder-71d0648c1d2f4ede8d0d0b5b28b7b94c",{"previousId":324},[462,478,485,492,501,511,521,531,538],{"@type":106,"@version":107,"id":463,"meta":464,"component":465,"responsiveStyles":476},"builder-ff325b4b8fad4edea53f38865947e854",{"previousId":328},{"name":327,"options":466,"isRSC":118},{"title":444,"description":467,"points":468,"video":475},"\u003Cp>Browser extensions introduce new code, new permissions, and new potential for risk. Many include AI features, and most go completely unnoticed. Push gives you full visibility into every extension used across your workforce, across major browsers, so you can uncover shadow IT, assess risky permissions, and block unsafe tools before they lead to compromise.\u003C/p>",[469,471,473],{"item":470},"Discover every browser extension in use",{"item":472},"Spot risky or unsanctioned behavior",{"item":474},"Make informed decisions on extension policy","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc538aad95d7f403aa3c3551af72f67c0?alt=media&token=1411fa6d-2eac-4e6c-94bf-ea117da12d67&apiKey=f3a1111ff5be48cdbb123cd9f5795a05",{"large":477},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":479,"meta":480,"component":481,"responsiveStyles":483},"builder-fb89d128c64e47cf9cbb11d90fc24523",{"previousId":344},{"name":346,"options":482,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":484},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":486,"meta":487,"component":488,"responsiveStyles":490},"builder-54388d35126c4d0096eeebaf8c4448cd",{"previousId":352},{"name":354,"options":489,"isRSC":118},{"darkMode":41},{"large":491},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":359,"id":493,"component":494,"responsiveStyles":499},"builder-3c8fa6785dd6466abf52a2470d66d85a",{"name":359,"tag":359,"options":495,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":496,"description":497,"image":498,"reverse":6},"\u003Ch2>Take control of browser extensions\u003C/h2>","\u003Cp>Attackers are increasingly using malicious browser extensions to gain access to data processed and stored in the browser. And the problem is, most security teams have no visibility into what extensions are being used. Push changes that. With browser-native telemetry, the Push extension continuously inventories browser extensions across your environment, flags the risky ones, and gives you intelligence to act. \u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0a004f16a6874f4c8fdf14344acc9fec",{"large":500},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":502,"meta":503,"component":504,"responsiveStyles":509},"builder-93738f98109a4009affb349afd7bb182",{"previousId":371},{"name":373,"options":505,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":506,"description":507,"reverse":41,"image":508},"\u003Ch2>Discover every extension in use\u003C/h2>","\u003Cp>Push gives you structured, searchable data about every extension in your environment, so you’re not just seeing what’s there, but also understanding how it got there, what it can do, and who it affects. It’s the kind of granular insight that’s nearly impossible to get from traditional tools, and it lays the groundwork for better policy decisions and faster investigations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0e5727ca99474f14b1b7916bf6bbb782",{"large":510},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":512,"meta":513,"component":514,"responsiveStyles":519},"builder-83393acb12ee4fdd840839185b51edb4",{"previousId":386},{"name":373,"options":515,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":516,"description":517,"reverse":6,"image":518},"\u003Ch2>Spot risky or malicious extensions\u003C/h2>","\u003Cp>Push highlights extensions with dangerous permissions, broad access, or poor reputations. This includes AI extensions that request access far beyond what their stated purpose requires. You can quickly detect sideloaded, manually installed, or development-mode extensions that bypass normal controls. And because Push shows you who’s using them and where, you can respond precisely and effectively.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa104d58c8da34fbb8901f738fb21453b",{"large":520},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":522,"meta":523,"component":524,"responsiveStyles":529},"builder-da98e3de949646d89c53a0d1c2784664",{"previousId":397},{"name":373,"options":525,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":526,"description":527,"reverse":41,"image":528},"\u003Ch2>Accelerate security reviews\u003C/h2>","\u003Cp>Most teams have extension policies, they just don’t have the data to enforce them. Push reveals how each extension entered your environment, whether it was installed manually, sideloaded, or deployed in dev mode. You’ll see which users are running what, and where, so you can surface violations, investigate quickly, and respond with confidence.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F229f355be6f243b180f410d237a75bb3",{"large":530},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":532,"meta":533,"component":534,"responsiveStyles":536},"builder-1a689287d1a1418997d57db578a71105",{"previousId":408},{"name":354,"options":535,"isRSC":118},{"darkMode":6},{"large":537},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":539,"component":540,"responsiveStyles":542},"builder-feb4e75029f84c10b6498ef1f8f79128",{"name":416,"tag":416,"options":541,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":543},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":545,"@type":106,"tagName":131,"properties":546,"responsiveStyles":547},"builder-pixel-0edn39avfcei",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":548},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":550},{"path":37,"query":551},{},{},1776275365038,1757000441666,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8d496cf111644ee5afcc046b72d1ca5a",[],{"kind":438,"winningTest":118,"breakpoints":558,"lastPreviewUrl":559,"hasLinks":6,"originalContentId":259,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/browser-extension-security?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=54f8256648f54d439303734b1e69221b&builder.overrides.54f8256648f54d439303734b1e69221b=54f8256648f54d439303734b1e69221b&builder.overrides.use-case-page:/uc/browser-extension-security=54f8256648f54d439303734b1e69221b&builder.options.locale=Default",{"createdDate":561,"id":562,"name":563,"modelId":261,"published":13,"query":564,"data":567,"variations":670,"lastUpdated":671,"firstPublished":672,"testRatio":33,"screenshot":673,"createdBy":34,"lastUpdatedBy":674,"folders":675,"meta":676,"rev":440},1744923509705,"94bebb7bb99d48629ad157e80cf4d81d","Account takeover detection",[565],{"@type":264,"property":265,"operator":266,"value":566},"/uc/account-takeover-detection",{"title":563,"customFonts":568,"jsCode":37,"seoTitle":563,"seoDescription":573,"fontAwesomeIcon":574,"tsCode":37,"blocks":575,"url":566,"state":667},[569],{"kind":273,"category":295,"variants":570,"menu":296,"files":571,"family":272,"subsets":572,"version":274,"lastModified":275},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"300italic":293,"500italic":292,"800italic":285,"700italic":287,"italic":289,"900italic":286,"600italic":294,"200italic":291,"regular":290,"100italic":288},[298,299],"Stop ATO with stolen credential and compromised token detection.","faUserSecret",[576,662],{"@type":106,"@version":107,"tagName":323,"id":577,"meta":578,"children":579},"builder-e7913a774cae44c5a23d6081c5c30a52",{"previousId":324},[580,596,603,610,619,629,639,649,656],{"@type":106,"@version":107,"id":581,"meta":582,"component":583,"responsiveStyles":594},"builder-f1f1ab1601bc4c0f8c2a8aafd173675d",{"previousId":328},{"name":327,"options":584,"isRSC":118},{"title":563,"description":585,"points":586,"video":593},"\u003Cp>Attackers don’t need to phish, they just need a password that works. Push monitors for signs of credential-based attacks in real time, directly in the browser, catching account takeover attempts before the damage spreads. From ghost logins to credential stuffing, Push cuts off the paths attackers use to quietly slip in the back door.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[587,589,591],{"item":588},"Identify credential-based ATO as it unfolds",{"item":590},"Surface hijacked sessions and token misuse",{"item":592},"Strengthen authentication where your IdP can’t","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb4dd9db24bc9495b8a686b1b4d492016%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=b4dd9db24bc9495b8a686b1b4d492016&alt=media&optimized=true",{"large":595},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":597,"meta":598,"component":599,"responsiveStyles":601},"builder-0bc0d1c78ece4994993c3a6427a4d533",{"previousId":344},{"name":346,"options":600,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":602},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":604,"meta":605,"component":606,"responsiveStyles":608},"builder-e45de8f3768c4f16938dbf78e4e87524",{"previousId":352},{"name":354,"options":607,"isRSC":118},{"darkMode":41},{"large":609},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":611,"component":612,"responsiveStyles":617},"builder-c98e8bfd341146c1b67c02d5698ff093",{"name":359,"tag":359,"options":613,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":614,"description":615,"image":616,"reverse":6},"\u003Ch2>Assume less. See more.\u003C/h2>","\u003Cp>Most account takeovers don’t start with a breach, they start with a login. Whether it’s a reused password, a local account, or an outdated login flow, Push shows you how accounts are actually accessed day to day, not just how policies say they should be. That means no more blind spots around ghost logins, bypassed SSO, or stale access paths that quietly persist.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F18630ad2746d4eb7b7fcc0428b11a8f0",{"large":618},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":620,"meta":621,"component":622,"responsiveStyles":627},"builder-55c1fc38ddc04fd1a0d6a8e2fb819e00",{"previousId":371},{"name":373,"options":623,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":624,"description":625,"reverse":41,"image":626},"\u003Ch2>Catch stolen credential use in real time\u003C/h2>","\u003Cp>Push monitors login activity directly in the browser to detect signs of credential-based attacks like leaked password use or suspicious login flows. By analyzing attacker TTPs instead of relying on known indicators, Push spots credential stuffing and account takeover attempts the moment they begin, not after they’ve succeeded.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F52b0123cac2c4dfdb1dc0af6adf9d603",{"large":628},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":630,"meta":631,"component":632,"responsiveStyles":637},"builder-dfb31737b30948c6b95323655d571a50",{"previousId":386},{"name":373,"options":633,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":634,"description":635,"reverse":6,"image":636},"\u003Ch2>Detect session hijacks and stealth access\u003C/h2>","\u003Cp>Attackers don’t always need a login screen, they often sidestep it entirely using stolen session tokens. Push detects when valid sessions are reused in unexpected ways, identifying hijacked sessions and stealth access attempts that traditional tools miss. Because we monitor directly in the browser, you see what’s happening inside active sessions in real time.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F94a6859a99e04d309ffe5841f3dbdf5c",{"large":638},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":640,"meta":641,"component":642,"responsiveStyles":647},"builder-f7585b90eb974d03a7dc7eae5b58d227",{"previousId":397},{"name":373,"options":643,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":644,"description":645,"reverse":41,"image":646},"\u003Ch2>Harden accounts before they’re compromised\u003C/h2>","\u003Cp>Push goes beyond alerts. It identifies apps that still allow local logins, even when SSO is configured, so you can remove weak access paths. Push also flags users without MFA, reused work credentials, or weak passwords, and prompts users in-browser to fix risky behaviors before they’re exploited.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01c1b638f1b6497093a4f2b8ceddb5bb",{"large":648},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":650,"meta":651,"component":652,"responsiveStyles":654},"builder-ad81d1e3afec49a791214194eae09bdc",{"previousId":408},{"name":354,"options":653,"isRSC":118},{"darkMode":6},{"large":655},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":657,"component":658,"responsiveStyles":660},"builder-8dac1aa4b9d148628d92252bd8eff822",{"name":416,"tag":416,"options":659,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":661},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":663,"@type":106,"tagName":131,"properties":664,"responsiveStyles":665},"builder-pixel-s5u3wmvz7jq",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":666},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":668},{"path":37,"query":669},{},{},1770892814499,1745499162732,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F58b660fa94aa4b30b0faeb9b663ae41a","SfUPqW5tkibIPby49keNFMdHFTr1",[],{"lastPreviewUrl":677,"hasLinks":6,"originalContentId":259,"breakpoints":678,"winningTest":118,"kind":438,"hasAutosaves":41},"https://pushsecurity.com/uc/account-takeover-detection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.94bebb7bb99d48629ad157e80cf4d81d=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.use-case-page:/uc/account-takeover-detection=94bebb7bb99d48629ad157e80cf4d81d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":680,"id":681,"name":682,"modelId":261,"published":13,"query":683,"data":686,"variations":789,"lastUpdated":790,"firstPublished":791,"testRatio":33,"screenshot":792,"createdBy":34,"lastUpdatedBy":674,"folders":793,"meta":794,"rev":440},1745009370904,"23eb48fb56d3451cab77cb6ed140ee6d","Attack path hardening",[684],{"@type":264,"property":265,"operator":266,"value":685},"/uc/attack-path-hardening",{"tsCode":37,"seoDescription":687,"jsCode":37,"customFonts":688,"fontAwesomeIcon":693,"seoTitle":682,"title":682,"blocks":694,"url":685,"state":786},"Harden access paths with visibility,  detection, and guardrails.",[689],{"kind":273,"files":690,"version":274,"lastModified":275,"subsets":691,"menu":296,"category":295,"variants":692,"family":272},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"regular":290,"italic":289,"800italic":285,"500italic":292,"600italic":294,"200italic":291,"900italic":286,"700italic":287,"100italic":288,"300italic":293},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"faRadar",[695,781],{"@type":106,"@version":107,"tagName":323,"id":696,"meta":697,"children":698},"builder-1d8553eddcaa44d7bba9e2f4ca13af2a",{"previousId":577},[699,715,722,729,738,748,758,768,775],{"@type":106,"@version":107,"id":700,"meta":701,"component":702,"responsiveStyles":713},"builder-84fe3d7c85a743cf8cef649aa974f1ef",{"previousId":581},{"name":327,"options":703,"isRSC":118},{"title":682,"description":704,"points":705,"video":712},"\u003Cp>Push continuously monitors your environment for exposed login paths, weak credentials, and missing protections like MFA. It detects the gaps attackers exploit and helps you close them before they’re used.\u003C/p>",[706,708,710],{"item":707},"Find weak spots like reused passwords, local logins, and missing MFA",{"item":709},"Monitor how users actually log in across apps, flows, and tools",{"item":711},"Enforce secure access with in-browser guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fdbdcf52892034f1bbddded77f753a343%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=dbdcf52892034f1bbddded77f753a343&alt=media&optimized=true",{"large":714},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":716,"meta":717,"component":718,"responsiveStyles":720},"builder-b3f66f5b08054cc78a06fecfc3ae2337",{"previousId":597},{"name":346,"options":719,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":721},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":723,"meta":724,"component":725,"responsiveStyles":727},"builder-4c73418b84be49ed85e6e13d2625c5a0",{"previousId":604},{"name":354,"options":726,"isRSC":118},{"darkMode":41},{"large":728},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":730,"component":731,"responsiveStyles":736},"builder-dec0246085e1485c803f7152b1922a81",{"name":359,"tag":359,"options":732,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":733,"description":734,"image":735,"reverse":6},"\u003Ch2>Find the gaps that lead to compromise\u003C/h2>","\u003Cp>Misconfigurations don’t show up in your config files, they show up in how users actually access apps. Push monitors real login behavior in the browser, surfacing risky patterns like local login access, duplicate accounts, or missing protections that leave doors wide open.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F309a59bba8d247a19476bb369397460e",{"large":737},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":739,"meta":740,"component":741,"responsiveStyles":746},"builder-ebf049a645604a249550996a88f8f3b6",{"previousId":620},{"name":373,"options":742,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":743,"description":744,"reverse":41,"image":745},"\u003Ch2>See real login behavior\u003C/h2>","\u003Cp>Push watches authentication flows as they happen, giving you a live view of how users log in, which methods they choose, and where protections like MFA are missing. Plus, uncover every app and account in use, even shadow IT you didn’t know existed, without relying on stale config files or IdP assumptions. \u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb51f6b0357cc451b87a7a5016d984e5e",{"large":747},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":749,"meta":750,"component":751,"responsiveStyles":756},"builder-431d175c59004669b0b2776b07d71737",{"previousId":630},{"name":373,"options":752,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":753,"description":754,"reverse":6,"image":755},"\u003Ch2>Find and fix posture drift\u003C/h2>","\u003Cp>Security posture isn’t static. Push continuously monitors for issues like missing MFA or legacy login methods. When something falls out of policy, you know immediately with custom notifications so you can act before it turns into risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F324e39127dfc41e592b1183dfb39892d",{"large":757},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":759,"meta":760,"component":761,"responsiveStyles":766},"builder-3dffdcbe0a484e2ca4c03f019b6d40ee",{"previousId":640},{"name":373,"options":762,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":763,"description":764,"reverse":41,"image":765},"\u003Ch2>Guide users with in-browser guardrails\u003C/h2>","\u003Cp>Push doesn’t just surface problems, it helps you fix them. When users sign in without MFA, reuse a password, or use insecure credentials, Push prompts them directly in the browser to secure their access. It’s faster, more effective, and actually gets results.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fee8b75d13e45488aba55434a8b49ebb0",{"large":767},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":769,"meta":770,"component":771,"responsiveStyles":773},"builder-976bc222cd7647ff905f1e01cfedc453",{"previousId":650},{"name":354,"options":772,"isRSC":118},{"darkMode":6},{"large":774},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":776,"component":777,"responsiveStyles":779},"builder-8c47ec2fd0f74382bb3e6c870555632c",{"name":416,"tag":416,"options":778,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":780},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":782,"@type":106,"tagName":131,"properties":783,"responsiveStyles":784},"builder-pixel-7akm7dayau8",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":785},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":787},{"path":37,"query":788},{},{},1770892844854,1745499166112,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6ca12bf728a045f1a31d40c0beb3bfe5",[],{"kind":438,"lastPreviewUrl":795,"breakpoints":796,"hasLinks":6,"originalContentId":562,"winningTest":118,"hasAutosaves":6},"https://pushsecurity.com/uc/attack-path-hardening?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.23eb48fb56d3451cab77cb6ed140ee6d=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.use-case-page:/uc/attack-path-hardening=23eb48fb56d3451cab77cb6ed140ee6d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":798,"id":799,"name":800,"modelId":261,"published":13,"query":801,"data":804,"variations":909,"lastUpdated":910,"firstPublished":911,"testRatio":33,"screenshot":912,"createdBy":34,"lastUpdatedBy":674,"folders":913,"meta":914,"rev":440},1761675020232,"ea4f309d2ffe46c5aa97ebf0fda4e2e3","ClickFix Protection",[802],{"@type":264,"property":265,"operator":266,"value":803},"/uc/clickfix-protection",{"seoDescription":805,"fontAwesomeIcon":806,"customFonts":807,"seoTitle":812,"jsCode":37,"tsCode":37,"title":812,"blocks":813,"url":803,"state":906},"Block attacks that trick users into running malicious code.","faLaptopCode",[808],{"files":809,"subsets":810,"menu":296,"version":274,"kind":273,"family":272,"lastModified":275,"variants":811,"category":295},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"200italic":291,"800italic":285,"700italic":287,"600italic":294,"100italic":288,"italic":289,"regular":290,"300italic":293,"500italic":292,"900italic":286},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"ClickFix protection",[814,901],{"@type":106,"@version":107,"tagName":323,"id":815,"meta":816,"children":817},"builder-d7eefdde0f2a4b2b9de3dcb2978fd6cb",{"previousId":696},[818,834,841,848,858,868,878,888,895],{"@type":106,"@version":107,"id":819,"meta":820,"component":821,"responsiveStyles":832},"builder-56e2c54bcce040a4af8b92ae03706c12",{"previousId":700},{"name":327,"options":822,"isRSC":118},{"title":812,"description":823,"points":824,"image":831},"\u003Cp>ClickFix attacks are one of the fastest-growing threats, tricking users into copying malicious code from a webpage and running it locally. This technique bypasses traditional EDR, email gateways, and network filters, leading directly to ransomware and data theft. Push stops this attack at the source, in the browser, by detecting and blocking the malicious behavior before the user can ever paste the code.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[825,827,829],{"item":826},"Detect ClickFix, FileFix, and fake CAPTCHA in the browser",{"item":828},"Block malicious copy-and-paste actions before code is executed",{"item":830},"See full telemetry into which users were targeted and what they saw","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b74af62889847ebb3927364485b0546",{"large":833},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":835,"meta":836,"component":837,"responsiveStyles":839},"builder-05f9614d4e3e4dc88b3ee8658f54e10e",{"previousId":716},{"name":346,"options":838,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":840},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":842,"meta":843,"component":844,"responsiveStyles":846},"builder-c4fb5179366243c1b6c32d368675cf47",{"previousId":723},{"name":354,"options":845,"isRSC":118},{"darkMode":41},{"large":847},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":849,"meta":850,"component":851,"responsiveStyles":856},"builder-261af50705fd445d8cca4a6ba20d5391",{"previousId":730},{"name":359,"tag":359,"options":852,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":853,"description":854,"reverse":6,"image":855},"\u003Ch2>Stop ClickFix-style attacks before they become a breach\u003C/h2>","\u003Cp>Traditional security tools are blind to malicious copy and paste attacks because the attack exploits a gap between the browser and the endpoint. EDR only sees the payload after it runs, and network tools see only part of the picture.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F98b2f7e08dec4eafaf8e24937605b8cf",{"large":857},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":859,"meta":860,"component":861,"responsiveStyles":866},"builder-7d21b8aab8064c40b1e5dd23c4749309",{"previousId":739},{"name":373,"options":862,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":863,"description":864,"reverse":41,"image":865},"\u003Ch2>Discover lures at the source\u003C/h2>","\u003Cp>Push inspects page behavior to identify ClickFix attacks as they happen. By inspecting the page, its structure, and how the user interacts with it, Push can detect and block these in-browser threats in real time. This deep, TTP-based inspection spots the trap even on novel pages that are built to bypass traditional web filters and blocklists.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F665bf47e01544c75bf9ddafd3917927b",{"large":867},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":869,"meta":870,"component":871,"responsiveStyles":876},"builder-fb91943adf6149259ed9e1e6566c9afe",{"previousId":749},{"name":373,"options":872,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":873,"description":874,"reverse":6,"image":875},"\u003Ch2>Block the malicious action\u003C/h2>","\u003Cp>When Push detects a malicious script, it intercepts the user's action and blocks the code from being copied to the clipboard. The user is protected, the attack is stopped, and no malicious code ever reaches the endpoint. Unlike broad DLP tools, this action is surgical, targeting only malicious behavior without disrupting normal work.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F5ee68f81f1ac416685cbfe91298cf827",{"large":877},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":879,"meta":880,"component":881,"responsiveStyles":886},"builder-bfac95fada864e5a8259b955b5b5f98b",{"previousId":759},{"name":373,"options":882,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":883,"description":884,"reverse":41,"image":885},"\u003Ch2>Accelerate ClickFix investigations\u003C/h2>","\u003Cp>When an attack happens, knowing what the user saw or did is critical. Push provides rich browser session data for rapid investigation and containment. Security teams get detailed telemetry on which users were targeted, what lure they were served, and when the block occurred. This enables defenders to reconstruct what happened and respond quickly, even when other tools miss the activity entirely.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6cdf2a8aeddc4e9a9023cbf974e40239",{"large":887},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":889,"meta":890,"component":891,"responsiveStyles":893},"builder-136892e831684a6987f87d3be67c33d1",{"previousId":769},{"name":354,"options":892,"isRSC":118},{"darkMode":6},{"large":894},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":896,"component":897,"responsiveStyles":899},"builder-dec26b739f2f42beb5a73cfc6c675b60",{"name":416,"tag":416,"options":898,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":900},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":902,"@type":106,"tagName":131,"properties":903,"responsiveStyles":904},"builder-pixel-zzjpxxgrc2l",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":905},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":907},{"path":37,"query":908},{},{},1770892881888,1761847585203,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F375467b8bef34ed1a8a1cc5b8b67d75f",[],{"lastPreviewUrl":915,"originalContentId":681,"winningTest":118,"hasLinks":6,"kind":438,"breakpoints":916,"hasAutosaves":6},"https://pushsecurity.com/uc/clickfix-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.ea4f309d2ffe46c5aa97ebf0fda4e2e3=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.use-case-page:/uc/clickfix-protection=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":918,"id":919,"name":920,"modelId":261,"published":13,"query":921,"data":924,"variations":1029,"lastUpdated":1030,"firstPublished":1031,"testRatio":33,"screenshot":1032,"createdBy":34,"lastUpdatedBy":674,"folders":1033,"meta":1034,"rev":440},1745009743870,"a9d5556e77f84a37b5bd52310a7110c1","Incident response",[922],{"@type":264,"property":265,"operator":266,"value":923},"/uc/incident-response",{"seoDescription":925,"customFonts":926,"title":920,"jsCode":37,"fontAwesomeIcon":931,"seoTitle":932,"tsCode":37,"blocks":933,"url":923,"state":1026},"Investigate and respond faster with unique browser telemetry.",[927],{"kind":273,"subsets":928,"menu":296,"variants":929,"category":295,"family":272,"version":274,"lastModified":275,"files":930},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"900italic":286,"600italic":294,"200italic":291,"300italic":293,"100italic":288,"700italic":287,"800italic":285,"regular":290,"italic":289,"500italic":292},"faSatelliteDish","Browser based incident response",[934,1021],{"@type":106,"@version":107,"tagName":323,"id":935,"meta":936,"children":937},"builder-653c4aed737b4def88dc4cd2d695660a",{"previousId":696},[938,955,962,969,978,988,998,1008,1015],{"@type":106,"@version":107,"id":939,"meta":940,"component":941,"responsiveStyles":953},"builder-18190bd36518467d9154d27d7e945b9b",{"previousId":700},{"name":327,"options":942,"isRSC":118},{"title":943,"description":944,"points":945,"video":952},"Browser-based incident response","\u003Cp>Push gives you real-time visibility into what actually happened during a breach, right in the browser where the attack played out. From credential theft to session hijacking, Push captures high-fidelity telemetry so you can investigate quickly, contain confidently, and shut it down before it spreads.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[946,948,950],{"item":947},"Reconstruct what happened with real browser session context",{"item":949},"Investigate faster with real-world session context",{"item":951},"Trigger response actions automatically through your SIEM or SOAR","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fd00e39d3b6e346c296261d875cf55652%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=d00e39d3b6e346c296261d875cf55652&alt=media&optimized=true",{"large":954},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":956,"meta":957,"component":958,"responsiveStyles":960},"builder-8a0a8ea63f5d48dd8a6726f2d49cf0ca",{"previousId":716},{"name":346,"options":959,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":961},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":963,"meta":964,"component":965,"responsiveStyles":967},"builder-2df65c3f54334df2b26e7cb744886cdc",{"previousId":723},{"name":354,"options":966,"isRSC":118},{"darkMode":41},{"large":968},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":970,"component":971,"responsiveStyles":976},"builder-2c32c869efc2423ab69ef06b150e9f97",{"name":359,"tag":359,"options":972,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":973,"description":974,"image":975,"reverse":6},"\u003Ch2>See attacks unfold, not just their aftermath\u003C/h2>","\u003Cp>Attacks happen in the browser, not in logs. Push captures what traditional tools miss: what users clicked, what loaded, what was entered, and how attackers moved. That gives you real-world evidence, not just assumptions, when every second matters.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F36fc719bd1de4a38b916f4d25c81a26d",{"large":977},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":979,"meta":980,"component":981,"responsiveStyles":986},"builder-370e53c6016e432db01e9193a2ce90f6",{"previousId":739},{"name":373,"options":982,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":983,"description":984,"reverse":41,"image":985},"\u003Ch2>Investigate faster with high-fidelity data\u003C/h2>","\u003Cp>Reconstructing an incident shouldn’t feel like guesswork. Push records detailed telemetry from inside the browser: page loads, credential inputs, DOM changes, session activity, user behavior. It’s structured, exportable, and ready to plug into your investigation workflows, so you can move fast without digging through proxy logs or relying on user reports.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa6adda040e684e67a8d68a55c5ce5f6d",{"large":987},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":989,"meta":990,"component":991,"responsiveStyles":996},"builder-a7f3767a8d184bd08fb24520bf210e95",{"previousId":749},{"name":373,"options":992,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":993,"description":994,"reverse":6,"image":995},"\u003Ch2>Contain and respond in real time\u003C/h2>","\u003Cp>When something looks off, Push doesn’t just alert you, it gives you options. Guide users with in-browser prompts. Terminate sessions. Trigger SOAR workflows. Enrich SIEM alerts. Push gives you the context and control to stop spread before it starts.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb3dedeed5aba4847a2c2d22e10d0ec12",{"large":997},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":999,"meta":1000,"component":1001,"responsiveStyles":1006},"builder-b92036ee0ece4b32acdbdcc7c377366b",{"previousId":759},{"name":373,"options":1002,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1003,"description":1004,"reverse":41,"image":1005},"\u003Ch2>Prevent the next one\u003C/h2>","\u003Cp>Push helps you respond fast, but it also helps you fix what went wrong. It surfaces misconfigurations and risky behaviors that made the attack possible in the first place, then guides users in-browser to remediate. One tool. Full loop. No loose ends.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc1ecc2d5d3814b62b072fac01827ff96",{"large":1007},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1009,"meta":1010,"component":1011,"responsiveStyles":1013},"builder-5e8ae39655274de89da32ab573a2525a",{"previousId":769},{"name":354,"options":1012,"isRSC":118},{"darkMode":6},{"large":1014},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1016,"component":1017,"responsiveStyles":1019},"builder-dfd6850cfb4741d2b8a0c16c2780f00a",{"name":416,"tag":416,"options":1018,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1020},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1022,"@type":106,"tagName":131,"properties":1023,"responsiveStyles":1024},"builder-pixel-z197gdgcmu",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":1025},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1027},{"path":37,"query":1028},{},{},1770892908052,1745427419274,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb07017bfd318431690a5bb35bda35b99",[],{"kind":438,"breakpoints":1035,"originalContentId":681,"winningTest":118,"lastPreviewUrl":1036,"hasLinks":6,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/incident-response?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.a9d5556e77f84a37b5bd52310a7110c1=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.use-case-page:/uc/incident-response=a9d5556e77f84a37b5bd52310a7110c1&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"createdDate":1038,"id":1039,"name":1040,"modelId":261,"published":13,"query":1041,"data":1044,"variations":1149,"lastUpdated":1150,"firstPublished":1151,"testRatio":33,"screenshot":1152,"createdBy":34,"lastUpdatedBy":674,"folders":1153,"meta":1154,"rev":440},1746122471259,"5f118e24433d46ceb79f5099987156d7","Shadow SaaS",[1042],{"@type":264,"property":265,"operator":266,"value":1043},"/uc/shadow-saas",{"seoTitle":1045,"seoDescription":1046,"customFonts":1047,"fontAwesomeIcon":1052,"title":1053,"jsCode":37,"tsCode":37,"blocks":1054,"url":1043,"state":1146},"Find and secure shadow SaaS","See and control shadow SaaS in the browser.",[1048],{"kind":273,"variants":1049,"files":1050,"family":272,"version":274,"subsets":1051,"lastModified":275,"category":295,"menu":296},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"300italic":293,"500italic":292,"regular":290,"900italic":286,"italic":289,"100italic":288,"200italic":291,"600italic":294,"700italic":287,"800italic":285},[298,299],"faShieldCheck","Secure shadow SaaS",[1055,1141],{"@type":106,"@version":107,"tagName":323,"id":1056,"meta":1057,"children":1058},"builder-04da805c4cd34652a2db452fcda52e1d",{"previousId":935},[1059,1075,1082,1089,1098,1108,1118,1128,1135],{"@type":106,"@version":107,"id":1060,"meta":1061,"component":1062,"responsiveStyles":1073},"builder-830d414faeaf41439142f9157e8288c8",{"previousId":939},{"name":327,"options":1063,"isRSC":118},{"title":1045,"description":1064,"points":1065,"video":1072},"\u003Cp>SaaS sprawl is one of today’s fastest-growing security blind spots because most tools monitor around the edges. Push sees it at the source, in the browser, revealing every app users access, flagging risky tools, and helping you shut down exposure before it leads to a breach. No guesswork. No nasty surprises. Just real-time visibility and control.\u003C/p>",[1066,1068,1070],{"item":1067},"Discover every SaaS app users access, managed or not",{"item":1069},"Spot accounts with weak security postures like missing MFA, unmanaged access, and no SSO",{"item":1071},"Control usage with in-browser prompts, blocks, and security guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F3e4eece318d04d6586e691d59d0741cf%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=3e4eece318d04d6586e691d59d0741cf&alt=media&optimized=true",{"large":1074},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":1076,"meta":1077,"component":1078,"responsiveStyles":1080},"builder-cd7833f966cb4c7e8adf0d6c979414a6",{"previousId":956},{"name":346,"options":1079,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":1081},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":1083,"meta":1084,"component":1085,"responsiveStyles":1087},"builder-49d720b45430454e8b08c526f267c19f",{"previousId":963},{"name":354,"options":1086,"isRSC":118},{"darkMode":41},{"large":1088},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1090,"component":1091,"responsiveStyles":1096},"builder-3dde0bf6c8544e5e9ab41b18a9d68034",{"name":359,"tag":359,"options":1092,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":1093,"description":1094,"image":1095,"reverse":6},"\u003Ch2>Use your browser to curb Saas Sprawl\u003C/h2>","\u003Cp>Shadow SaaS isn’t hiding in your network, it’s in your browser. From AI tools to unsanctioned file-sharing sites, security risks live in the apps your users sign into every day. Push maps your organization's true SaaS footprint in real time, exposing apps and accounts with unmanaged access, poor authentication, or no security oversight.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb6811a214c7949b6bbe0b9a3bca62efd",{"large":1097},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1099,"meta":1100,"component":1101,"responsiveStyles":1106},"builder-e2420451ccdc4f088d0a4904cff45935",{"previousId":979},{"name":373,"options":1102,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":1103,"description":1104,"reverse":41,"image":1105},"\u003Ch2>Discover hidden SaaS usage\u003C/h2>","\u003Cp>Push captures live browser telemetry across every tab and session. Whether a user signs into a sanctioned app with a personal account or tries a new AI plugin, you’ll see it in real time, with no integrations or manual tagging.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe16e301f9af94665b95d98232a863d8a",{"large":1107},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":1109,"meta":1110,"component":1111,"responsiveStyles":1116},"builder-b36de7fce7994beea9e58d94662e7166",{"previousId":989},{"name":373,"options":1112,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":1113,"description":1114,"reverse":6,"image":1115},"\u003Ch2>Spot risky access and unsafe usage\u003C/h2>","\u003Cp>Discovery is just the beginning. Push flags apps with risky traits, no MFA, no SSO, known vulnerabilities, or broad access scopes. You’ll know which tools introduce real risk, and which users are exposed so you can act with precision.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6585f3c242da4d70ae3cb7d02f481bef",{"large":1117},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":1119,"meta":1120,"component":1121,"responsiveStyles":1126},"builder-dc366b5134684fe7a508edf8913103ea",{"previousId":999},{"name":373,"options":1122,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1123,"description":1124,"reverse":41,"image":1125},"\u003Ch2>Close gaps before they grow\u003C/h2>","\u003Cp>Push turns insight into action. When risky SaaS use is detected, guide users to enable MFA, block high-risk apps, or apply in-browser guardrails automatically. All without deploying new infrastructure or managing dozens of integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe6d60b6d91414819bc6258a318f00557",{"large":1127},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1129,"meta":1130,"component":1131,"responsiveStyles":1133},"builder-8708f6f0d8da4b3f9e17bf16cda70219",{"previousId":1009},{"name":354,"options":1132,"isRSC":118},{"darkMode":6},{"large":1134},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1136,"component":1137,"responsiveStyles":1139},"builder-8ff4b38d60534cf28cb523ab0f754875",{"name":416,"tag":416,"options":1138,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1140},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1142,"@type":106,"tagName":131,"properties":1143,"responsiveStyles":1144},"builder-pixel-d1ul2kmxbed",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":1145},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1147},{"path":37,"query":1148},{},{},1770892936802,1746714967208,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01bfb2304521412fbd2e1a1180904d40",[],{"originalContentId":919,"winningTest":118,"lastPreviewUrl":1155,"breakpoints":1156,"kind":438,"hasLinks":6,"hasAutosaves":6},"https://pushsecurity.com/uc/shadow-saas?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=5f118e24433d46ceb79f5099987156d7&builder.overrides.5f118e24433d46ceb79f5099987156d7=5f118e24433d46ceb79f5099987156d7&builder.overrides.use-case-page:/uc/shadow-saas=5f118e24433d46ceb79f5099987156d7&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":1158,"id":1159,"name":1160,"modelId":261,"published":13,"query":1161,"data":1164,"variations":1268,"lastUpdated":1269,"firstPublished":1270,"testRatio":33,"screenshot":1271,"createdBy":34,"lastUpdatedBy":674,"folders":1272,"meta":1273,"rev":440},1764707470172,"b62629ce2f3741158d961cd10fe74b31","Shadow AI",[1162],{"@type":264,"property":265,"operator":266,"value":1163},"/uc/shadow-ai",{"fontAwesomeIcon":1165,"seoTitle":1166,"jsCode":37,"customFonts":1167,"title":1172,"tsCode":37,"seoDescription":1173,"blocks":1174,"url":1163,"state":1265},"faBrainCircuit","Secure AI native and AI enhanced apps. ",[1168],{"variants":1169,"category":295,"files":1170,"subsets":1171,"family":272,"kind":273,"menu":296,"lastModified":275,"version":274},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"800italic":285,"regular":290,"700italic":287,"200italic":291,"italic":289,"500italic":292,"600italic":294,"300italic":293,"100italic":288,"900italic":286},[298,299],"Secure shadow AI","See and control shadow AI apps in the browser.",[1175,1260],{"@type":106,"@version":107,"tagName":323,"id":1176,"meta":1177,"children":1178},"builder-a6e5717a2c914d5695058e4ee201a05d",{"previousId":1056},[1179,1195,1202,1209,1219,1228,1237,1247,1254],{"@type":106,"@version":107,"id":1180,"meta":1181,"component":1182,"responsiveStyles":1193},"builder-3e0ed678683f4a0eb7aa00253cf263b2",{"previousId":1060},{"name":327,"options":1183,"isRSC":118},{"title":1172,"description":1184,"points":1185,"image":1192},"\u003Cp>Your employees are adopting AI faster than you can track it. From native features in corporate apps to unapproved shadow tools, it’s all happening in the browser. Push detects every AI interaction in real time, letting you categorize apps and enforce acceptable use policies in the browser.\u003C/p>",[1186,1188,1190],{"item":1187},"Map every AI tool used across your workforce",{"item":1189},"Review and classify apps by sensitivity, purpose, and policy status",{"item":1191},"Enforce AI usage rules directly in the browser","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F33cf153d920f4e389f3650253577cff7",{"large":1194},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":1196,"meta":1197,"component":1198,"responsiveStyles":1200},"builder-76968f8471d14893b8189d75b08fb426",{"previousId":1076},{"name":346,"options":1199,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":1201},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":1203,"meta":1204,"component":1205,"responsiveStyles":1207},"builder-b55b9d4bc5a649d8839ce7f6c2043d95",{"previousId":1083},{"name":354,"options":1206,"isRSC":118},{"darkMode":41},{"large":1208},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1210,"meta":1211,"component":1212,"responsiveStyles":1217},"builder-c3f38ef4d75d4989a29b5903175ed8a1",{"previousId":1090},{"name":359,"tag":359,"options":1213,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":1214,"description":1215,"image":1216,"reverse":6},"\u003Ch2>Use your browser to govern AI \u003C/h2>","\u003Cp>The AI footprint inside your company is bigger than you think. From text generators to meeting assistants and design copilots, employees test, adopt, and connect new tools constantly. Push shows you those tools and which users are accessing them, without relying on network scans or API integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F30b43bda6f1644c19478fb1efa20050c",{"large":1218},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1220,"meta":1221,"component":1222,"responsiveStyles":1226},"builder-90ee9cb9afc44e7f885523715bf51a53",{"previousId":1099},{"name":373,"options":1223,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":1224,"description":1225,"reverse":41,"image":1115},"\u003Ch2>Discover every AI tool users touch\u003C/h2>","\u003Cp>Push captures live telemetry from the browser, identifying every AI-native and AI-enhanced application users access. You’ll know which corporate identities are connected, how data flows, and what new AI apps appear across your environment. \u003C/p>",{"large":1227},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":1229,"meta":1230,"component":1231,"responsiveStyles":1235},"builder-9e44539fa53c4d8e87406036c921fc46",{"previousId":1109},{"name":373,"options":1232,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":1233,"description":1234,"reverse":6,"image":1125},"\u003Ch2>Classify and manage AI risk\u003C/h2>","\u003Cp>For apps you choose to allow, Push lets you apply custom in-browser banners. You can bulk-select categories of AI tools and require users to read and acknowledge your acceptable use policy before they proceed. This creates an auditable trail and moves policy from an easy to forget document to an active, in-workflow control.\u003C/p>",{"large":1236},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":1238,"meta":1239,"component":1240,"responsiveStyles":1245},"builder-44c1a891926f4bdeaaa37e90721fe6ac",{"previousId":1119},{"name":373,"options":1241,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1242,"description":1243,"reverse":41,"image":1244},"\u003Ch2>Enforce your AI policy in the browser\u003C/h2>","\u003Cp>When an AI tool is deemed non-compliant or too risky, Push blocks it at the source. The block happens directly in the browser, preventing the user from accessing the site or submitting data. This gives you an immediate, powerful lever to stop data exfiltration and enforce a hard line on unacceptable risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa359ac1805af4e15a8a7f84632b9bb55",{"large":1246},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1248,"meta":1249,"component":1250,"responsiveStyles":1252},"builder-dcc906f9cbe54dc68b3c672668e7a38f",{"previousId":1129},{"name":354,"options":1251,"isRSC":118},{"darkMode":6},{"large":1253},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1255,"component":1256,"responsiveStyles":1258},"builder-d2d64780c31b4349bc75805b23a07e38",{"name":416,"tag":416,"options":1257,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1259},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1261,"@type":106,"tagName":131,"properties":1262,"responsiveStyles":1263},"builder-pixel-wxx9tk70r9p",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":1264},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1266},{"path":37,"query":1267},{},{},1770892957225,1764950077593,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe558b8b069884037a8e6904f7ecc029c",[],{"winningTest":118,"breakpoints":1274,"originalContentId":1039,"kind":438,"lastPreviewUrl":1275,"hasLinks":6,"hasAutosaves":41},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/shadow-ai?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=b62629ce2f3741158d961cd10fe74b31&builder.overrides.b62629ce2f3741158d961cd10fe74b31=b62629ce2f3741158d961cd10fe74b31&builder.overrides.use-case-page:/uc/shadow-ai=b62629ce2f3741158d961cd10fe74b31&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"_path":1277,"_dir":1278,"_draft":6,"_partial":6,"_locale":37,"sys":1279,"ogImage":118,"summary":1282,"title":1296,"subtitle":118,"metaTitle":1297,"synopsis":1298,"hashTags":118,"publishedDate":1299,"slug":1300,"tagsCollection":1301,"relatedBlogPostsCollection":1311,"authorsCollection":2020,"content":2024,"_id":3430,"_type":3431,"_source":3432,"_file":3433,"_stem":3434,"_extension":3431},"/blog/how-attackers-compromise-azure-organizations-through-saas-apps","blog",{"id":1280,"publishedAt":1281},"3JXKiUMGU8JBpndhLRYOCJ","2023-08-31T12:26:21.402Z",{"json":1283},{"data":1284,"content":1285,"nodeType":1295},{},[1286],{"data":1287,"content":1288,"nodeType":1294},{},[1289],{"data":1290,"marks":1291,"value":1292,"nodeType":1293},{},[],"Common ways an app or integration could lead to compromise in Microsoft Azure: consent phishing, unverified apps, hijackable URLs & implicit grant flow. ","text","paragraph","document","How attackers compromise Azure organizations through SaaS apps ","Microsoft Azure attacks: Use SaaS apps to compromise an org ","This article covers common ways an app could lead to compromise in Microsoft Azure, and what to look out for when determining risk to your organization.","2023-01-03T00:00:00.000Z","how-attackers-compromise-azure-organizations-through-saas-apps",{"items":1302},[1303,1307],{"sys":1304,"name":1306},{"id":1305},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"sys":1308,"name":1310},{"id":1309},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"items":1312},[1313,1525],{"__typename":1314,"sys":1315,"content":1317,"title":1507,"synopsis":1508,"hashTags":118,"publishedDate":1509,"slug":1510,"tagsCollection":1511,"authorsCollection":1517},"BlogPosts",{"id":1316},"1bV8YTSQHvveCTnRc4H8su",{"json":1318},{"nodeType":1295,"data":1319,"content":1320},{},[1321,1328,1335,1344,1361,1367,1374,1381,1413,1419,1438,1457,1476],{"nodeType":1294,"data":1322,"content":1323},{},[1324],{"nodeType":1293,"value":1325,"marks":1326,"data":1327},"With more platforms adding support for Multi-factor Authentication (MFA) and users increasingly adopting it to secure their accounts, attackers are adapting and moving to new methods of compromising user accounts. In this post we’ll take a look at consent phishing and how it is being used to bypass MFA and also skirt key attributes of phishing that are taught in traditional user awareness campaigns, such as links to untrusted domains.",[],{},{"nodeType":1294,"data":1329,"content":1330},{},[1331],{"nodeType":1293,"value":1332,"marks":1333,"data":1334},"Imagine yourself sitting down at your desk first thing on a Monday morning, cup of coffee steaming next to your keyboard as you click through your backlog of emails. You open the below email and you see that Karl has shared a financial report with you. ",[],{},{"nodeType":1336,"data":1337,"content":1343},"embedded-entry-block",{"target":1338},{"sys":1339},{"id":1340,"type":1341,"linkType":1342},"7zysXleQdpE6isqi9OU56l","Link","Entry",[],{"nodeType":1294,"data":1345,"content":1346},{},[1347,1351,1357],{"nodeType":1293,"value":1348,"marks":1349,"data":1350},"Maybe you’ve been waiting for the latest financials or you suspect this was sent erroneously but you’re curious and want to take a peek. When you click the link you are presented with a prompt that with your Monday brain looks just like the “Yes give me access” prompt you’ve clicked through a thousand times. I mean, it's a ",[],{},{"nodeType":1293,"value":1352,"marks":1353,"data":1356},"microsoftonline.com",[1354],{"type":1355},"bold",{},{"nodeType":1293,"value":1358,"marks":1359,"data":1360}," domain, it's https and there’s a green tick in the corner so everything looks fine. ",[],{},{"nodeType":1336,"data":1362,"content":1366},{"target":1363},{"sys":1364},{"id":1365,"type":1341,"linkType":1342},"6nPueTKEjLphqlytbQ0gcx",[],{"nodeType":1294,"data":1368,"content":1369},{},[1370],{"nodeType":1293,"value":1371,"marks":1372,"data":1373},"If you’d looked closely you may have noticed that this was in fact asking you to approve access rather than granting you access. But with your muscle memory in full control you click “Accept” before even glancing at the screen. You wait for the spreadsheet to open but are presented with a generic “File does not exist” error page. Oh well, apparently Karl realised his mistake and deleted the file or revoked your access. Onto the next email.",[],{},{"nodeType":1294,"data":1375,"content":1376},{},[1377],{"nodeType":1293,"value":1378,"marks":1379,"data":1380},"And just like that you’ve been consent phished. You’ve just granted the attackers permanent access to your account, which they retain even if you change your password or have MFA enabled. Chances are the attacker’s tools will immediately start downloading every piece of data you just granted them access to, which they can then explore at their leisure. ",[],{},{"nodeType":1294,"data":1382,"content":1383},{},[1384,1388,1397,1401,1409],{"nodeType":1293,"value":1385,"marks":1386,"data":1387},"To spot this you need to audit the apps you’ve approved, something you are doing regularly, right? Seriously though, this isn’t something many people check. These integrations are designed to be as seamless as possible and not to get in your way. But if this has piqued your interest you can check what access you have personally granted on ",[],{},{"nodeType":1389,"data":1390,"content":1392},"hyperlink",{"uri":1391},"https://myaccount.google.com/permissions",[1393],{"nodeType":1293,"value":1394,"marks":1395,"data":1396},"Google Workspace",[],{},{"nodeType":1293,"value":1398,"marks":1399,"data":1400}," and ",[],{},{"nodeType":1389,"data":1402,"content":1404},{"uri":1403},"https://myapps.microsoft.com/",[1405],{"nodeType":1293,"value":1406,"marks":1407,"data":1408},"Microsoft 365",[],{},{"nodeType":1293,"value":1410,"marks":1411,"data":1412},".",[],{},{"nodeType":1336,"data":1414,"content":1418},{"target":1415},{"sys":1416},{"id":1417,"type":1341,"linkType":1342},"BPIX02LWblUNnkQw1TFWD",[],{"nodeType":1294,"data":1420,"content":1421},{},[1422,1426,1434],{"nodeType":1293,"value":1423,"marks":1424,"data":1425},"If you’d been paying attention when you clicked “Accept” you might have noticed that you were granting some pretty serious permissions here. These permissions allow the attackers to read and write any files you have access to - they could download all these files and then delete them. The attackers also got permission to send emails as you. They could send emails to your colleagues from you and phish them too, this isn’t impersonation where the email just “looks” like it came from you, the email DID come from you. Lastly the attackers asked for permission to manipulate your Outlook settings, with this they could set up a ",[],{},{"nodeType":1389,"data":1427,"content":1429},{"uri":1428},"/features/detect-malicious-mail-rules/",[1430],{"nodeType":1293,"value":1431,"marks":1432,"data":1433},"mail forwarding rule",[],{},{"nodeType":1293,"value":1435,"marks":1436,"data":1437}," so that they get copies of all your emails forwarded to them directly without even having to log in. And all of this happens until you delete the underlying OAuth app.",[],{},{"nodeType":1294,"data":1439,"content":1440},{},[1441,1445,1453],{"nodeType":1293,"value":1442,"marks":1443,"data":1444},"In a ",[],{},{"nodeType":1389,"data":1446,"content":1448},{"uri":1447},"https://www.microsoft.com/security/blog/2020/07/08/protecting-remote-workforce-application-attacks-consent-phishing/",[1449],{"nodeType":1293,"value":1450,"marks":1451,"data":1452},"blog post",[],{},{"nodeType":1293,"value":1454,"marks":1455,"data":1456}," Microsoft warns that these attacks are on the rise. One notable example of this comes from the SANS Institute. They reported in August of 2020 that they had fallen victim to one of these attacks. As part of the investigation they produced a report with details on how the attackers managed to convince an employee to install a malicious Microsoft 365 add-in to gain access. ",[],{},{"nodeType":1294,"data":1458,"content":1459},{},[1460,1464,1472],{"nodeType":1293,"value":1461,"marks":1462,"data":1463},"So what can you do about this threat today? The only fool proof method of preventing this kind of attack is to prevent users from granting access to third party apps. This is terrible for users though, and you’ll be missing out on all the productivity benefits these apps can bring. A more balanced approach is to let users find and request apps, but have administrators approve the apps. More and more platforms (including Microsoft 365 and Slack) are offering built-in “admin consent” workflows to make getting a second pair of eyes on new apps even easier. You can also make it even easier for users  by pre-approving widely used apps from trusted publishers and users won’t even notice there is new protection in place 99% of the time. We are also actively working on this problem and if you would like to join our ",[],{},{"nodeType":1389,"data":1465,"content":1467},{"uri":1466},"/features/secure-oauth-permissions-and-applications/",[1468],{"nodeType":1293,"value":1469,"marks":1470,"data":1471},"early access program",[],{},{"nodeType":1293,"value":1473,"marks":1474,"data":1475}," please get in touch.",[],{},{"nodeType":1294,"data":1477,"content":1478},{},[1479,1483,1491,1495,1503],{"nodeType":1293,"value":1480,"marks":1481,"data":1482},"Consent phishing is still an emerging technique and we believe that it has not reached peak usage by attackers yet. We are actively researching this attack technique as it continues to evolve. Follow us on Twitter ",[],{},{"nodeType":1389,"data":1484,"content":1486},{"uri":1485},"https://twitter.com/PushSecurity",[1487],{"nodeType":1293,"value":1488,"marks":1489,"data":1490},"@pushsecurity",[],{},{"nodeType":1293,"value":1492,"marks":1493,"data":1494},", ",[],{},{"nodeType":1389,"data":1496,"content":1498},{"uri":1497},"https://www.linkedin.com/company/push-security",[1499],{"nodeType":1293,"value":1500,"marks":1501,"data":1502},"LinkedIn",[],{},{"nodeType":1293,"value":1504,"marks":1505,"data":1506}," or subscribe to our mailing list below to get the latest updates and tips for managing this for your users.",[],{},"Consent phishing: the emerging phishing technique that can bypass 2FA","Consent phishing is an emerging technique attackers are using to compromise user accounts, even if they have Multi-factor Authentication (MFA or 2FA) enabled.","2021-07-06T00:00:00.000+01:00","consent-phishing-the-emerging-phishing-technique-that-can-bypass-2fa",{"items":1512},[1513,1515],{"sys":1514,"name":1306},{"id":1305},{"sys":1516,"name":1310},{"id":1309},{"items":1518},[1519],{"fullName":1520,"firstName":1521,"jobTitle":1522,"profilePicture":1523},"Alex Triaca","Alex","Chief Architect",{"url":1524},"https://images.ctfassets.net/y1cdw1ablpvd/LmC3LyTH5V9NthbqKuqA2/8291887e41c15613bf98f6fd55773817/117-0-2.jpg",{"__typename":1314,"sys":1526,"content":1528,"title":2000,"synopsis":2001,"hashTags":118,"publishedDate":2002,"slug":2003,"tagsCollection":2004,"authorsCollection":2012},{"id":1527},"14NiRrBrLFVkR8h05RCD7F",{"json":1529},{"data":1530,"content":1531,"nodeType":1295},{},[1532,1540,1548,1572,1580,1601,1608,1614,1621,1629,1636,1643,1650,1657,1664,1671,1678,1684,1691,1698,1705,1712,1732,1738,1745,1751,1758,1764,1771,1778,1785,1830,1837,1857,1864,1954,1974,1981,1988,1994],{"data":1533,"content":1534,"nodeType":1294},{},[1535],{"data":1536,"marks":1537,"value":1539,"nodeType":1293},{},[1538],{"type":312},"You get a call from your CFO: “Jenkins! ACME just called to find out why we haven’t paid invoices for the last 3 months? Didn’t you make payment last week?”",{"data":1541,"content":1542,"nodeType":1294},{},[1543],{"data":1544,"marks":1545,"value":1547,"nodeType":1293},{},[1546],{"type":312},"You think back a bit. “Yip! I received another invoice a few days ago and made payment yesterday. I also paid the contractor doing renovations on your house. By the way, congrats on the new kitchen.”",{"data":1549,"content":1550,"nodeType":1294},{},[1551,1555,1568],{"data":1552,"marks":1553,"value":1554,"nodeType":1293},{},[],"Many companies have had similar incidents occur over the last couple of years - it’s a classic ",{"data":1556,"content":1560,"nodeType":1567},{"target":1557},{"sys":1558},{"id":1559,"type":1341,"linkType":1342},"pj2eLZXa4PyrY1DD4NCHt",[1561],{"data":1562,"marks":1563,"value":1566,"nodeType":1293},{},[1564],{"type":1565},"underline","Business Email Compromise","entry-hyperlink",{"data":1569,"marks":1570,"value":1571,"nodeType":1293},{},[]," (BEC) scenario. An attacker managed to gain access to Jenkins in accounting’s email and intercepted email from legitimate creditors, replacing their banking details with the attacker's own, and even forging invoices from non-existent suppliers. Forged emails are then sent from the CEO or CFO to approve the payments.",{"data":1573,"content":1574,"nodeType":1294},{},[1575],{"data":1576,"marks":1577,"value":1579,"nodeType":1293},{},[1578],{"type":312},"But how did they manage to gain access to the account? Our security team enforced multi-factor authentication (MFA) a few weeks ago. We’re supposed to be secure!?",{"data":1581,"content":1582,"nodeType":1294},{},[1583,1587,1597],{"data":1584,"marks":1585,"value":1586,"nodeType":1293},{},[],"As detailed in our ",{"data":1588,"content":1591,"nodeType":1567},{"target":1589},{"sys":1590},{"id":1316,"type":1341,"linkType":1342},[1592],{"data":1593,"marks":1594,"value":1596,"nodeType":1293},{},[1595],{"type":1565},"blog post about consent phishing",{"data":1598,"marks":1599,"value":1600,"nodeType":1293},{},[],", this attack method will bypass MFA, since the paired malicious third-party integration app (sometimes called OAuth) generates an authentication token. MFA checks are only applied when logging in with your username and password, so in this case, the attacker was able to get a valid access token into Jenkins’ account. ",{"data":1602,"content":1603,"nodeType":1294},{},[1604],{"data":1605,"marks":1606,"value":1607,"nodeType":1293},{},[],"While this isn’t necessarily the same level of access provided with a username/password combo, it might be, based on the scopes Jenkins granted the third-party integration app access to when they clicked ‘Accept’. ",{"data":1609,"content":1613,"nodeType":1336},{"target":1610},{"sys":1611},{"id":1612,"type":1341,"linkType":1342},"5BIHqq49jJOHsEHLgc8Tb9",[],{"data":1615,"content":1616,"nodeType":1294},{},[1617],{"data":1618,"marks":1619,"value":1620,"nodeType":1293},{},[],"The list of third-party integration scopes can include anything from relatively benign things like retrieving your name, surname, and email address, to more dangerous or excessive permissions such as full access to your mailbox, the ability to configure mail rules to forward or delete email, and full access to your OneDrive or Sharepoint files. Worse case scenario: if you belong to groups with password reset capabilities, the attacker may be able to perform full account takeovers.",{"data":1622,"content":1623,"nodeType":1628},{},[1624],{"data":1625,"marks":1626,"value":1627,"nodeType":1293},{},[],"How do you detect and respond to such incidents?","heading-2",{"data":1630,"content":1631,"nodeType":1294},{},[1632],{"data":1633,"marks":1634,"value":1635,"nodeType":1293},{},[],"The main issue is detection. In my experience as an incident responder working with Fortune 500 companies at MWR Infosecurity, I found that BEC attacks are usually detected when associated parties start asking questions about non-payment (or unrecognized payments), which can take weeks or months from the day of compromise. By this point your cloud provider’s logs are likely to have rolled over and you’re unlikely to find much useful information to populate your incident timeline.",{"data":1637,"content":1638,"nodeType":1294},{},[1639],{"data":1640,"marks":1641,"value":1642,"nodeType":1293},{},[],"Shameless plug alert: Push’s ChatOps functionality can greatly assist here as it detects such malicious rules when created, and sends a message to the owner of the account (Jenkins) asking if they created the rule. Sometimes a user will have a legitimate use for creating mail rules to forward messages to another account, and this allows them to acknowledge the rule and mark it as safe. In case they didn’t create it, they can flag it as such and this will cause an alert to be sent to their security team. This is practically instant detection and invaluable when preventing fraudulent payments. And getting input from the account owner cuts way down on alert fatigue for your team.",{"data":1644,"content":1645,"nodeType":1628},{},[1646],{"data":1647,"marks":1648,"value":1649,"nodeType":1293},{},[],"\nMitigate the attack \n",{"data":1651,"content":1652,"nodeType":1294},{},[1653],{"data":1654,"marks":1655,"value":1656,"nodeType":1293},{},[],"Once you’ve detected the incident, your next step is to remediate. Typically, this would require someone on the  security team to find the offending rule in your cloud provider’s control panel to disable it, which can take some time, depending on the team’s availability and other factors. ",{"data":1658,"content":1659,"nodeType":1294},{},[1660],{"data":1661,"marks":1662,"value":1663,"nodeType":1293},{},[],"Detecting the creation of malicious mail rules would require you to configure policies and alerts in your cloud provider’s control panel, and requires someone from the security team to monitor for notifications. If your IT person is also responsible for security in your organization, it’s unlikely that they would spend an appropriate amount of time looking at alerts and, in many cases, would need to follow up with employees to confirm if they had indeed created the rules. If you’re a larger organization, your dedicated security person will likely have higher priority tasks, too.",{"data":1665,"content":1666,"nodeType":1294},{},[1667],{"data":1668,"marks":1669,"value":1670,"nodeType":1293},{},[],"Discovering a breach is usually related to someone noticing unrecognized payments, vendors querying a lack of payments, or phishing emails being sent to fellow employees or contacts outside of your organization. If an attacker is careful to avoid causing too much interruption, then it’s likely that you won’t discover the breach until all the damage has been done. Usually by this point, performing an investigation will reveal very little due to important investigation artifacts disappearing due to logs rolling over.",{"data":1672,"content":1673,"nodeType":1294},{},[1674],{"data":1675,"marks":1676,"value":1677,"nodeType":1293},{},[],"If you’re using Push, we would automatically detect the mail rule, talk to the employee whose email the mail rule was created within, and if they didn’t set the mail rule up themselves, we would assume it was created by an attacker and alert your security team. Push’s ChatOps will disable the offending rule and mark it as suspicious.",{"data":1679,"content":1683,"nodeType":1336},{"target":1680},{"sys":1681},{"id":1682,"type":1341,"linkType":1342},"6rV4EiwTgmBsmYEaUvv55b",[],{"data":1685,"content":1686,"nodeType":1294},{},[1687],{"data":1688,"marks":1689,"value":1690,"nodeType":1293},{},[],"If this were a typical credential compromise scenario, the account’s password would be reset and everyone would go about their lives. However, since no credentials were compromised in our example, you’d go onto the next step to…",{"data":1692,"content":1693,"nodeType":1628},{},[1694],{"data":1695,"marks":1696,"value":1697,"nodeType":1293},{},[],"Remove the app’s permissions and revoke the tokens",{"data":1699,"content":1700,"nodeType":1294},{},[1701],{"data":1702,"marks":1703,"value":1704,"nodeType":1293},{},[],"As I mentioned earlier, third-party integration apps generate tokens, which can be valid for an hour to sometimes 24 hours or more, depending on the integrating app, how it is being used, and if it makes use of refresh tokens.",{"data":1706,"content":1707,"nodeType":1294},{},[1708],{"data":1709,"marks":1710,"value":1711,"nodeType":1293},{},[],"Invalidating third-party integration access permissions requires accessing your cloud provider’s control panel. In this example, you need to revoke access for a malicious app in a Microsoft 365 tenant. Microsoft’s guidance on this is very useful, but unfortunately not as simple as just pressing a button.",{"data":1713,"content":1714,"nodeType":1294},{},[1715,1719,1728],{"data":1716,"marks":1717,"value":1718,"nodeType":1293},{},[],"To view Microsoft’s recommendations for dealing with a malicious app, you’d need to navigate to the ",{"data":1720,"content":1722,"nodeType":1389},{"uri":1721},"https://portal.azure.com/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppAppsPreview/menuId~/null",[1723],{"data":1724,"marks":1725,"value":1727,"nodeType":1293},{},[1726],{"type":1565},"Enterprise applications",{"data":1729,"marks":1730,"value":1731,"nodeType":1293},{},[]," section in Azure, and locate the app by searching for its name or Application ID, which can be found in the Push app’s OAuth integrations page. In the app menu, click on ‘Permissions,’ then ‘Review permissions.’ ",{"data":1733,"content":1737,"nodeType":1336},{"target":1734},{"sys":1735},{"id":1736,"type":1341,"linkType":1342},"5Z6T2anRIJ1he2phTbcFot",[],{"data":1739,"content":1740,"nodeType":1294},{},[1741],{"data":1742,"marks":1743,"value":1744,"nodeType":1293},{},[],"On the slide-out menu, select “This application is malicious and I’m compromised.”",{"data":1746,"content":1750,"nodeType":1336},{"target":1747},{"sys":1748},{"id":1749,"type":1341,"linkType":1342},"2lGnKdKTjXAVYBiOtYrbEl",[],{"data":1752,"content":1753,"nodeType":1294},{},[1754],{"data":1755,"marks":1756,"value":1757,"nodeType":1293},{},[],"This will provide you with pre-generated PowerShell scripts to 1) Remove all users assigned to the application, 2) Revoke all permissions granted to the application, and 3) Revoke refresh tokens for all users.",{"data":1759,"content":1763,"nodeType":1336},{"target":1760},{"sys":1761},{"id":1762,"type":1341,"linkType":1342},"3qdGQ12PdZFLEyIpmMkwPi",[],{"data":1765,"content":1766,"nodeType":1628},{},[1767],{"data":1768,"marks":1769,"value":1770,"nodeType":1293},{},[],"How to prevent similar attacks",{"data":1772,"content":1773,"nodeType":1294},{},[1774],{"data":1775,"marks":1776,"value":1777,"nodeType":1293},{},[],"A very important step following a compromise is to review what happened, how it happened, and what could be done to prevent the incident from occurring again. The interesting part about this incident is that it wasn’t due to a weak password, or even the lack of MFA that led to compromise. It came down to social engineering: instructing an employee to click a link by an account masquerading as their CFO.",{"data":1779,"content":1780,"nodeType":1294},{},[1781],{"data":1782,"marks":1783,"value":1784,"nodeType":1293},{},[],"For the purposes of this hypothetical incident, we’ll establish that the following occurred:",{"data":1786,"content":1787,"nodeType":1829},{},[1788,1799,1809,1819],{"data":1789,"content":1790,"nodeType":1798},{},[1791],{"data":1792,"content":1793,"nodeType":1294},{},[1794],{"data":1795,"marks":1796,"value":1797,"nodeType":1293},{},[],"Andrew Jenkins was targeted in a phishing attack","list-item",{"data":1800,"content":1801,"nodeType":1798},{},[1802],{"data":1803,"content":1804,"nodeType":1294},{},[1805],{"data":1806,"marks":1807,"value":1808,"nodeType":1293},{},[],"Andrew authenticated via Microsoft 365, which is a legitimate and expected authentication mechanism and occurs almost daily",{"data":1810,"content":1811,"nodeType":1798},{},[1812],{"data":1813,"content":1814,"nodeType":1294},{},[1815],{"data":1816,"marks":1817,"value":1818,"nodeType":1293},{},[],"No attachments were downloaded, thus in this isolated incident there was no code execution on Andrew’s host, meaning that Anti-Virus or Endpoint Detection & Response (EDR) would not have prevented it",{"data":1820,"content":1821,"nodeType":1798},{},[1822],{"data":1823,"content":1824,"nodeType":1294},{},[1825],{"data":1826,"marks":1827,"value":1828,"nodeType":1293},{},[],"The attacker gained full access to Andrew’s mailbox","unordered-list",{"data":1831,"content":1832,"nodeType":1294},{},[1833],{"data":1834,"marks":1835,"value":1836,"nodeType":1293},{},[],"The malicious app was disabled by Microsoft after some time, so a full investigation into its capabilities was not possible. We don’t know whether another phishing page was presented after the integration took place, thus to be on the safe side we need to assume this happened and led to credential compromise.",{"data":1838,"content":1839,"nodeType":1294},{},[1840,1844,1853],{"data":1841,"marks":1842,"value":1843,"nodeType":1293},{},[],"The app was unverified, which has historically been true in most of these scenarios. Publishers need to associate a Microsoft Partner Network (MPN) ID with the app, which follows a ",{"data":1845,"content":1847,"nodeType":1389},{"uri":1846},"https://docs.microsoft.com/en-us/partner-center/verification-responses",[1848],{"data":1849,"marks":1850,"value":1852,"nodeType":1293},{},[1851],{"type":1565},"verification process",{"data":1854,"marks":1855,"value":1856,"nodeType":1293},{},[],", in order to have it appear as a verified app. This Microsoft 365 tenant was configured to allow unverified integrations due to an oversight following an app migration project.",{"data":1858,"content":1859,"nodeType":1294},{},[1860],{"data":1861,"marks":1862,"value":1863,"nodeType":1293},{},[],"This leads us to the following to help prevent similar attacks from occurring in future, and to make sure there is no opportunity for the attacker to leverage any existing foothold:",{"data":1865,"content":1866,"nodeType":1829},{},[1867,1877,1887,1897,1918,1934,1944],{"data":1868,"content":1869,"nodeType":1798},{},[1870],{"data":1871,"content":1872,"nodeType":1294},{},[1873],{"data":1874,"marks":1875,"value":1876,"nodeType":1293},{},[],"Disable the integration and remove the malicious app’s permissions",{"data":1878,"content":1879,"nodeType":1798},{},[1880],{"data":1881,"content":1882,"nodeType":1294},{},[1883],{"data":1884,"marks":1885,"value":1886,"nodeType":1293},{},[],"Reset Andrew Jenkins’ credentials",{"data":1888,"content":1889,"nodeType":1798},{},[1890],{"data":1891,"content":1892,"nodeType":1294},{},[1893],{"data":1894,"marks":1895,"value":1896,"nodeType":1293},{},[],"Be aware of and review newly created mail rules",{"data":1898,"content":1899,"nodeType":1798},{},[1900],{"data":1901,"content":1902,"nodeType":1294},{},[1903,1906,1915],{"data":1904,"marks":1905,"value":37,"nodeType":1293},{},[],{"data":1907,"content":1909,"nodeType":1389},{"uri":1908},"https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent?tabs=azure-portal",[1910],{"data":1911,"marks":1912,"value":1914,"nodeType":1293},{},[1913],{"type":1565},"Confirm that the Microsoft 365 tenant is set to disallow integrations from unverified apps",{"data":1916,"marks":1917,"value":37,"nodeType":1293},{},[],{"data":1919,"content":1920,"nodeType":1798},{},[1921],{"data":1922,"content":1923,"nodeType":1829},{},[1924],{"data":1925,"content":1926,"nodeType":1798},{},[1927],{"data":1928,"content":1929,"nodeType":1294},{},[1930],{"data":1931,"marks":1932,"value":1933,"nodeType":1293},{},[],"Note: as of November 9th, 2020, integrations with unverified apps are disabled by default.",{"data":1935,"content":1936,"nodeType":1798},{},[1937],{"data":1938,"content":1939,"nodeType":1294},{},[1940],{"data":1941,"marks":1942,"value":1943,"nodeType":1293},{},[],"Communicate with employees and other affected parties to be weary of these types of attacks",{"data":1945,"content":1946,"nodeType":1798},{},[1947],{"data":1948,"content":1949,"nodeType":1294},{},[1950],{"data":1951,"marks":1952,"value":1953,"nodeType":1293},{},[],"Perform regular audits against your Microsoft 365 tenants to highlight any discrepancies and integrations with unusual or unnecessary permissions.",{"data":1955,"content":1956,"nodeType":1294},{},[1957,1961,1970],{"data":1958,"marks":1959,"value":1960,"nodeType":1293},{},[],"Microsoft implementing safe defaults towards limiting integrations from unverified publishers was a step in the right direction. However, there have been ",{"data":1962,"content":1964,"nodeType":1389},{"uri":1963},"https://www.proofpoint.com/us/blog/cloud-security/oivavoii-active-malicious-hybrid-cloud-threats-campaign",[1965],{"data":1966,"marks":1967,"value":1969,"nodeType":1293},{},[1968],{"type":1565},"cases",{"data":1971,"marks":1972,"value":1973,"nodeType":1293},{},[]," where attackers utilized compromised publishers to perform similar attacks. ",{"data":1975,"content":1976,"nodeType":1628},{},[1977],{"data":1978,"marks":1979,"value":1980,"nodeType":1293},{},[],"Conclusion",{"data":1982,"content":1983,"nodeType":1294},{},[1984],{"data":1985,"marks":1986,"value":1987,"nodeType":1293},{},[],"While the process isn’t exactly straightforward, catching early indicators like malicious mail rules helps you prevent an attacker from launching additional attacks like phishing campaigns as they try to gain access to sensitive business data. Removing the mail rule is just the start of the process, you really need to revoke permissions and take the other steps we covered in this post to stop an attack from going any further. We’ll publish some more content on SaaS incident response on our blog, so subscribe to get our guidance straight into your inbox.",{"data":1989,"content":1993,"nodeType":1336},{"target":1990},{"sys":1991},{"id":1992,"type":1341,"linkType":1342},"6oHRbGLus4bstsAc7E0zBD",[],{"data":1995,"content":1996,"nodeType":1294},{},[1997],{"data":1998,"marks":1999,"value":37,"nodeType":1293},{},[],"How to kick off an incident response investigation for a compromised SaaS account","We'll walk through how to quickly detect and mitigate business email compromise (BEC) and then prevent future attacks.","2022-09-20T00:00:00.000Z","how-to-kick-off-an-incident-response-investigation-for-a-compromised-saas",{"items":2005},[2006,2008],{"sys":2007,"name":1310},{"id":1309},{"sys":2009,"name":2011},{"id":2010},"3pjES4THCIfSAwhGdNwBcy","Identity security",{"items":2013},[2014],{"fullName":2015,"firstName":2016,"jobTitle":2017,"profilePicture":2018},"Johann Scheepers","Johann","Senior Security Engineer",{"url":2019},"https://images.ctfassets.net/y1cdw1ablpvd/75IEOH93vR0hbvxuqTu1m3/f6222745ee6892ea07bc18727a5a5ae7/T016S22KZ96-U02LU3SKC2D-e1e755770536-512.png",{"items":2021},[2022],{"fullName":2015,"firstName":2016,"jobTitle":2017,"profilePicture":2023},{"url":2019},{"json":2025,"links":3333},{"nodeType":1295,"data":2026,"content":2027},{},[2028,2035,2041,2049,2056,2077,2084,2090,2097,2104,2111,2146,2152,2159,2280,2287,2294,2550,2557,2564,2570,2603,2610,2617,2623,2630,2636,2643,2650,2656,2663,2670,2676,2683,2690,2696,2703,2719,2725,2732,2764,2771,2791,2798,2805,2812,2818,2856,2876,2930,2937,2944,2964,2983,2990,3023,3029,3036,3043,3050,3057,3064,3071,3089,3095,3102,3121,3128,3135,3141,3148,3155,3161,3168,3214,3221,3227,3234,3240,3247,3254,3287,3293,3300,3307,3314,3321,3327],{"nodeType":1294,"data":2029,"content":2030},{},[2031],{"nodeType":1293,"value":2032,"marks":2033,"data":2034},"With the proliferation of SaaS apps and integrations comes an equal helping of uncertainty surrounding the associated security risks. If you’ve ever found yourself in a position where you’ve had to review a SaaS app integration, whether it’s during the remediation stage of an incident or simply during the process of tending to a user request, then keep on reading. ",[],{},{"nodeType":1294,"data":2036,"content":2037},{},[2038],{"nodeType":1293,"value":1298,"marks":2039,"data":2040},[],{},{"nodeType":2042,"data":2043,"content":2044},"heading-1",{},[2045],{"nodeType":1293,"value":2046,"marks":2047,"data":2048},"Consent phishing",[],{},{"nodeType":1628,"data":2050,"content":2051},{},[2052],{"nodeType":1293,"value":2053,"marks":2054,"data":2055},"The issue:",[],{},{"nodeType":1294,"data":2057,"content":2058},{},[2059,2063,2073],{"nodeType":1293,"value":2060,"marks":2061,"data":2062},"This method of compromising user accounts has been covered a ",[],{},{"nodeType":1567,"data":2064,"content":2067},{"target":2065},{"sys":2066},{"id":1316,"type":1341,"linkType":1342},[2068],{"nodeType":1293,"value":2069,"marks":2070,"data":2072},"few times",[2071],{"type":1565},{},{"nodeType":1293,"value":2074,"marks":2075,"data":2076}," by Push. Without rehashing too much of the content, the main idea behind consent phishing is to get a user to perform an integration while the app masquerades as something official. ",[],{},{"nodeType":1294,"data":2078,"content":2079},{},[2080],{"nodeType":1293,"value":2081,"marks":2082,"data":2083},"As an example, a user is sent an email where the content is either surprisingly legitimate, or sparks sufficient curiosity to make them want to access the data behind the link. They are directed to a Microsoft or Google login page, where the app asks for certain permissions, such as mailbox access. The user, having performed these actions before, thinks nothing of it and clicks ‘allow’. The attacker successfully tricked the user to give them access to their mailbox (or whichever privileges the app was requesting).",[],{},{"nodeType":1336,"data":2085,"content":2089},{"target":2086},{"sys":2087},{"id":2088,"type":1341,"linkType":1342},"2zeeE8NrgX4MnpHdIjszot",[],{"nodeType":1628,"data":2091,"content":2092},{},[2093],{"nodeType":1293,"value":2094,"marks":2095,"data":2096},"The solution:",[],{},{"nodeType":1294,"data":2098,"content":2099},{},[2100],{"nodeType":1293,"value":2101,"marks":2102,"data":2103},"There are two ways to help prevent this type of compromise:",[],{},{"nodeType":1294,"data":2105,"content":2106},{},[2107],{"nodeType":1293,"value":2108,"marks":2109,"data":2110},"The first is to go the “block everything” route by preventing any integrations from being added to your tenants at all. This is quite heavy-handed and a bit like throwing the baby out with the bathwater, as this approach leads to IT/security departments becoming known as the departments of ‘NO’, potentially resulting in users circumventing controls, and the emergence of shadow IT.",[],{},{"nodeType":1294,"data":2112,"content":2113},{},[2114,2118,2127,2131,2142],{"nodeType":1293,"value":2115,"marks":2116,"data":2117},"The second is to be sensible about what to allow and what to prevent during SaaS integrations. For instance, in Microsoft 365 administrators are able to ",[],{},{"nodeType":1389,"data":2119,"content":2121},{"uri":2120},"https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-permission-classifications",[2122],{"nodeType":1293,"value":2123,"marks":2124,"data":2126},"specify low-risk scopes",[2125],{"type":1565},{},{"nodeType":1293,"value":2128,"marks":2129,"data":2130},", such as ones specifically used for performing social logins (which are okay to do ",[],{},{"nodeType":1567,"data":2132,"content":2136},{"target":2133},{"sys":2134},{"id":2135,"type":1341,"linkType":1342},"68syxk4cmD6QOdVRcDqgEZ",[2137],{"nodeType":1293,"value":2138,"marks":2139,"data":2141},"by the way",[2140],{"type":1565},{},{"nodeType":1293,"value":2143,"marks":2144,"data":2145},"). Admins can then allow employees to perform social logins, and integrate apps making use of other low-risk scopes from  verified apps only. Employees can also request access to anything requiring other scopes. This is a great way to enable users to perform their jobs, while preventing them from accidentally exposing themselves or the wider organization to unnecessary risk.",[],{},{"nodeType":1336,"data":2147,"content":2151},{"target":2148},{"sys":2149},{"id":2150,"type":1341,"linkType":1342},"44NsMwlLpX4qnZP94GyTSO",[],{"nodeType":1294,"data":2153,"content":2154},{},[2155],{"nodeType":1293,"value":2156,"marks":2157,"data":2158},"When configuring the above for the first time, Microsoft provides a list of 5 scopes:",[],{},{"nodeType":2160,"data":2161,"content":2162},"table",{},[2163,2188,2211,2234,2257],{"nodeType":2164,"data":2165,"content":2166},"table-row",{},[2167,2178],{"nodeType":2168,"data":2169,"content":2170},"table-cell",{},[2171],{"nodeType":1294,"data":2172,"content":2173},{},[2174],{"nodeType":1293,"value":2175,"marks":2176,"data":2177},"profile",[],{},{"nodeType":2168,"data":2179,"content":2180},{},[2181],{"nodeType":1294,"data":2182,"content":2183},{},[2184],{"nodeType":1293,"value":2185,"marks":2186,"data":2187},"View user's basic profile",[],{},{"nodeType":2164,"data":2189,"content":2190},{},[2191,2201],{"nodeType":2168,"data":2192,"content":2193},{},[2194],{"nodeType":1294,"data":2195,"content":2196},{},[2197],{"nodeType":1293,"value":2198,"marks":2199,"data":2200},"openid",[],{},{"nodeType":2168,"data":2202,"content":2203},{},[2204],{"nodeType":1294,"data":2205,"content":2206},{},[2207],{"nodeType":1293,"value":2208,"marks":2209,"data":2210},"Sign users in",[],{},{"nodeType":2164,"data":2212,"content":2213},{},[2214,2224],{"nodeType":2168,"data":2215,"content":2216},{},[2217],{"nodeType":1294,"data":2218,"content":2219},{},[2220],{"nodeType":1293,"value":2221,"marks":2222,"data":2223},"email",[],{},{"nodeType":2168,"data":2225,"content":2226},{},[2227],{"nodeType":1294,"data":2228,"content":2229},{},[2230],{"nodeType":1293,"value":2231,"marks":2232,"data":2233},"View user's email address",[],{},{"nodeType":2164,"data":2235,"content":2236},{},[2237,2247],{"nodeType":2168,"data":2238,"content":2239},{},[2240],{"nodeType":1294,"data":2241,"content":2242},{},[2243],{"nodeType":1293,"value":2244,"marks":2245,"data":2246},"User.Read",[],{},{"nodeType":2168,"data":2248,"content":2249},{},[2250],{"nodeType":1294,"data":2251,"content":2252},{},[2253],{"nodeType":1293,"value":2254,"marks":2255,"data":2256},"Sign in and read user profile",[],{},{"nodeType":2164,"data":2258,"content":2259},{},[2260,2270],{"nodeType":2168,"data":2261,"content":2262},{},[2263],{"nodeType":1294,"data":2264,"content":2265},{},[2266],{"nodeType":1293,"value":2267,"marks":2268,"data":2269},"Offline_access",[],{},{"nodeType":2168,"data":2271,"content":2272},{},[2273],{"nodeType":1294,"data":2274,"content":2275},{},[2276],{"nodeType":1293,"value":2277,"marks":2278,"data":2279},"Maintain access to data you. have given it access to (refresh tokens)",[],{},{"nodeType":1294,"data":2281,"content":2282},{},[2283],{"nodeType":1293,"value":2284,"marks":2285,"data":2286},"The above scopes are the minimum required to enable social logins to take place, and would cover a good amount of apps that only require basic information for account creation purposes. ",[],{},{"nodeType":1294,"data":2288,"content":2289},{},[2290],{"nodeType":1293,"value":2291,"marks":2292,"data":2293},"If you’d like to go a step further, you should also consider approving the following to allow users to integrate these relatively common scopes from verified apps:",[],{},{"nodeType":2160,"data":2295,"content":2296},{},[2297,2320,2343,2366,2389,2412,2435,2458,2481,2504,2527],{"nodeType":2164,"data":2298,"content":2299},{},[2300,2310],{"nodeType":2168,"data":2301,"content":2302},{},[2303],{"nodeType":1294,"data":2304,"content":2305},{},[2306],{"nodeType":1293,"value":2307,"marks":2308,"data":2309},"Calendars.Read",[],{},{"nodeType":2168,"data":2311,"content":2312},{},[2313],{"nodeType":1294,"data":2314,"content":2315},{},[2316],{"nodeType":1293,"value":2317,"marks":2318,"data":2319},"Read user calendars",[],{},{"nodeType":2164,"data":2321,"content":2322},{},[2323,2333],{"nodeType":2168,"data":2324,"content":2325},{},[2326],{"nodeType":1294,"data":2327,"content":2328},{},[2329],{"nodeType":1293,"value":2330,"marks":2331,"data":2332},"Calendars.ReadWrite",[],{},{"nodeType":2168,"data":2334,"content":2335},{},[2336],{"nodeType":1294,"data":2337,"content":2338},{},[2339],{"nodeType":1293,"value":2340,"marks":2341,"data":2342},"Have full access to user calendars",[],{},{"nodeType":2164,"data":2344,"content":2345},{},[2346,2356],{"nodeType":2168,"data":2347,"content":2348},{},[2349],{"nodeType":1294,"data":2350,"content":2351},{},[2352],{"nodeType":1293,"value":2353,"marks":2354,"data":2355},"Calendars.ReadWrite.Shared",[],{},{"nodeType":2168,"data":2357,"content":2358},{},[2359],{"nodeType":1294,"data":2360,"content":2361},{},[2362],{"nodeType":1293,"value":2363,"marks":2364,"data":2365},"Read and write user and shared calendars",[],{},{"nodeType":2164,"data":2367,"content":2368},{},[2369,2379],{"nodeType":2168,"data":2370,"content":2371},{},[2372],{"nodeType":1294,"data":2373,"content":2374},{},[2375],{"nodeType":1293,"value":2376,"marks":2377,"data":2378},"Contacts.Read",[],{},{"nodeType":2168,"data":2380,"content":2381},{},[2382],{"nodeType":1294,"data":2383,"content":2384},{},[2385],{"nodeType":1293,"value":2386,"marks":2387,"data":2388},"Read user contacts",[],{},{"nodeType":2164,"data":2390,"content":2391},{},[2392,2402],{"nodeType":2168,"data":2393,"content":2394},{},[2395],{"nodeType":1294,"data":2396,"content":2397},{},[2398],{"nodeType":1293,"value":2399,"marks":2400,"data":2401},"Contacts.Read.Shared",[],{},{"nodeType":2168,"data":2403,"content":2404},{},[2405],{"nodeType":1294,"data":2406,"content":2407},{},[2408],{"nodeType":1293,"value":2409,"marks":2410,"data":2411},"Read user and shared contacts",[],{},{"nodeType":2164,"data":2413,"content":2414},{},[2415,2425],{"nodeType":2168,"data":2416,"content":2417},{},[2418],{"nodeType":1294,"data":2419,"content":2420},{},[2421],{"nodeType":1293,"value":2422,"marks":2423,"data":2424},"Contacts.ReadWrite",[],{},{"nodeType":2168,"data":2426,"content":2427},{},[2428],{"nodeType":1294,"data":2429,"content":2430},{},[2431],{"nodeType":1293,"value":2432,"marks":2433,"data":2434},"Have full access to user contacts",[],{},{"nodeType":2164,"data":2436,"content":2437},{},[2438,2448],{"nodeType":2168,"data":2439,"content":2440},{},[2441],{"nodeType":1294,"data":2442,"content":2443},{},[2444],{"nodeType":1293,"value":2445,"marks":2446,"data":2447},"Contacts.ReadWrite.Shared",[],{},{"nodeType":2168,"data":2449,"content":2450},{},[2451],{"nodeType":1294,"data":2452,"content":2453},{},[2454],{"nodeType":1293,"value":2455,"marks":2456,"data":2457},"Read and write user and shared contacts",[],{},{"nodeType":2164,"data":2459,"content":2460},{},[2461,2471],{"nodeType":2168,"data":2462,"content":2463},{},[2464],{"nodeType":1294,"data":2465,"content":2466},{},[2467],{"nodeType":1293,"value":2468,"marks":2469,"data":2470},"People.Read",[],{},{"nodeType":2168,"data":2472,"content":2473},{},[2474],{"nodeType":1294,"data":2475,"content":2476},{},[2477],{"nodeType":1293,"value":2478,"marks":2479,"data":2480},"Read users' relevant people lists",[],{},{"nodeType":2164,"data":2482,"content":2483},{},[2484,2494],{"nodeType":2168,"data":2485,"content":2486},{},[2487],{"nodeType":1294,"data":2488,"content":2489},{},[2490],{"nodeType":1293,"value":2491,"marks":2492,"data":2493},"Files.Read.Selected",[],{},{"nodeType":2168,"data":2495,"content":2496},{},[2497],{"nodeType":1294,"data":2498,"content":2499},{},[2500],{"nodeType":1293,"value":2501,"marks":2502,"data":2503},"Read files that the user selects",[],{},{"nodeType":2164,"data":2505,"content":2506},{},[2507,2517],{"nodeType":2168,"data":2508,"content":2509},{},[2510],{"nodeType":1294,"data":2511,"content":2512},{},[2513],{"nodeType":1293,"value":2514,"marks":2515,"data":2516},"Files.ReadWrite.Selected",[],{},{"nodeType":2168,"data":2518,"content":2519},{},[2520],{"nodeType":1294,"data":2521,"content":2522},{},[2523],{"nodeType":1293,"value":2524,"marks":2525,"data":2526},"Read and write files that the user selects",[],{},{"nodeType":2164,"data":2528,"content":2529},{},[2530,2540],{"nodeType":2168,"data":2531,"content":2532},{},[2533],{"nodeType":1294,"data":2534,"content":2535},{},[2536],{"nodeType":1293,"value":2537,"marks":2538,"data":2539},"User.ReadWrite",[],{},{"nodeType":2168,"data":2541,"content":2542},{},[2543],{"nodeType":1294,"data":2544,"content":2545},{},[2546],{"nodeType":1293,"value":2547,"marks":2548,"data":2549},"Read and write access to user profile",[],{},{"nodeType":1294,"data":2551,"content":2552},{},[2553],{"nodeType":1293,"value":2554,"marks":2555,"data":2556},"We’ve determined these scopes to be relatively low-risk, but this would depend on the risk appetite of your organization. Pre-approving the scopes will go a long way towards enabling your users to make use of SaaS apps without raising unnecessary approval requests from your IT or security team.",[],{},{"nodeType":2042,"data":2558,"content":2559},{},[2560],{"nodeType":1293,"value":2561,"marks":2562,"data":2563},"Unverified apps",[],{},{"nodeType":1628,"data":2565,"content":2566},{},[2567],{"nodeType":1293,"value":2053,"marks":2568,"data":2569},[],{},{"nodeType":1294,"data":2571,"content":2572},{},[2573,2577,2586,2590,2599],{"nodeType":1293,"value":2574,"marks":2575,"data":2576},"First, let’s define what causes an app to be classified as unverified. When you see an app in your tenant that’s marked as unverified, it means that the tenant that publishes the app has not gone through the ",[],{},{"nodeType":1389,"data":2578,"content":2580},{"uri":2579},"https://learn.microsoft.com/en-gb/azure/active-directory/develop/publisher-verification-overview",[2581],{"nodeType":1293,"value":2582,"marks":2583,"data":2585},"Publisher Verification",[2584],{"type":1565},{},{"nodeType":1293,"value":2587,"marks":2588,"data":2589}," process. Going through the verification process requires the publisher to have a Microsoft Partner Network (MPN) account, which typically involves ",[],{},{"nodeType":1389,"data":2591,"content":2593},{"uri":2592},"https://learn.microsoft.com/en-us/partner-center/verification-responses",[2594],{"nodeType":1293,"value":2595,"marks":2596,"data":2598},"verifying",[2597],{"type":1565},{},{"nodeType":1293,"value":2600,"marks":2601,"data":2602}," their business address, email address, and a few additional due diligence tasks. ",[],{},{"nodeType":1294,"data":2604,"content":2605},{},[2606],{"nodeType":1293,"value":2607,"marks":2608,"data":2609},"While I’m sure this is not a 100% infallible process, at the very least it provides you with the confidence that someone at Microsoft had reached out to the company and spoken to someone who claims they are who they say they are. This is opposed to a random person creating a Microsoft Azure tenant and marking their app as being published by Adobe, as an example.",[],{},{"nodeType":1294,"data":2611,"content":2612},{},[2613],{"nodeType":1293,"value":2614,"marks":2615,"data":2616},"At Push, we’ve noticed plenty of unverified apps published by legitimate vendors. This could be related to vendors having multiple tenants, and not having completed the verification process across all yet. As an example, we have a few of Adobe’s apps for Microsoft 365:",[],{},{"nodeType":1336,"data":2618,"content":2622},{"target":2619},{"sys":2620},{"id":2621,"type":1341,"linkType":1342},"4eDWZKrMau1AfU4pXgOW42",[],{"nodeType":1294,"data":2624,"content":2625},{},[2626],{"nodeType":1293,"value":2627,"marks":2628,"data":2629},"In the above image, we have a verified app from Adobe, Inc. We know this due to the ‘Verified Publisher’ attribute that is included when parsing the information provided by Microsoft. We can also see that the only reply url is one associated directly with Adobe – adobe.com. Next, we have an unverified app:",[],{},{"nodeType":1336,"data":2631,"content":2635},{"target":2632},{"sys":2633},{"id":2634,"type":1341,"linkType":1342},"5e5RhdYiMh0Q3CZzmNoRDI",[],{"nodeType":1294,"data":2637,"content":2638},{},[2639],{"nodeType":1293,"value":2640,"marks":2641,"data":2642},"This app does not include the ‘verified publisher’ attribute when reading the information provided by Microsoft. However, the app only has one reply url, and this is again a subdomain of adobe.com.",[],{},{"nodeType":1294,"data":2644,"content":2645},{},[2646],{"nodeType":1293,"value":2647,"marks":2648,"data":2649},"The takeaway here is that not all unverified apps are malicious. More often than not it’s related to the vendor not having gone through the verification process, but this means it unfortunately becomes the security team’s burden to figure out.",[],{},{"nodeType":1628,"data":2651,"content":2652},{},[2653],{"nodeType":1293,"value":2094,"marks":2654,"data":2655},[],{},{"nodeType":1294,"data":2657,"content":2658},{},[2659],{"nodeType":1293,"value":2660,"marks":2661,"data":2662},"At Push, we attempt to review every application we come across to determine if it's legit and whether it belongs to the vendor it claims to originate from. There are multiple ways to do this, but as a general rule of thumb if all the app’s reply urls are associated with the vendor, you are good. You can perform an integration from the app’s website to verify that the particular app ID (seen in the metadata tag above) is the one you are looking at in your environment.",[],{},{"nodeType":2042,"data":2664,"content":2665},{},[2666],{"nodeType":1293,"value":2667,"marks":2668,"data":2669},"Apps with excessive privileges",[],{},{"nodeType":1628,"data":2671,"content":2672},{},[2673],{"nodeType":1293,"value":2053,"marks":2674,"data":2675},[],{},{"nodeType":1294,"data":2677,"content":2678},{},[2679],{"nodeType":1293,"value":2680,"marks":2681,"data":2682},"When you first start doing deep dives on permissions associated with apps in your environment, you find yourself looking at some apps and wonder out loud “we’re granting this vendor access to what?!",[],{},{"nodeType":1294,"data":2684,"content":2685},{},[2686],{"nodeType":1293,"value":2687,"marks":2688,"data":2689},"It’s a totally normal response, but don't worry, we’re here to help. Let’s take diagrams.net as an example:",[],{},{"nodeType":1336,"data":2691,"content":2695},{"target":2692},{"sys":2693},{"id":2694,"type":1341,"linkType":1342},"7DcPUSZ0nDYKmIy4E9xEHs",[],{"nodeType":1294,"data":2697,"content":2698},{},[2699],{"nodeType":1293,"value":2700,"marks":2701,"data":2702},"At first glance this doesn’t seem too bad. For the purposes of this example, let’s say the app was approved by 49 users. That means if diagrams.net got compromised, an attacker would potentially have access to 49 of your user’s OneDrive files. “That’s OK!” you say. “This will only affect a handful of files they’ve been working on locally. Our policy specifies that any company data, specifically data containing PII, be stored in SharePoint.”",[],{},{"nodeType":1294,"data":2704,"content":2705},{},[2706,2710,2715],{"nodeType":1293,"value":2707,"marks":2708,"data":2709},"And then comes the part where you notice the following permission: ",[],{},{"nodeType":1293,"value":2711,"marks":2712,"data":2714},"Sites.Read.All",[2713],{"type":312},{},{"nodeType":1293,"value":2716,"marks":2717,"data":2718},". This permission gives the application the ability to read every file across all SharePoint sites in your organization (that the users have permission to access.) Suddenly the scope of data access is much larger than you hoped.",[],{},{"nodeType":1628,"data":2720,"content":2721},{},[2722],{"nodeType":1293,"value":2094,"marks":2723,"data":2724},[],{},{"nodeType":1294,"data":2726,"content":2727},{},[2728],{"nodeType":1293,"value":2729,"marks":2730,"data":2731},"When faced with the dilemma of granting apps access to resources within your organization, the best course of action is to do a risk assessment.",[],{},{"nodeType":1294,"data":2733,"content":2734},{},[2735,2739,2747,2751,2760],{"nodeType":1293,"value":2736,"marks":2737,"data":2738},"This requires some good ol’ googling and reviewing the security policies of the app’s creator. You ideally also want to know who they use to process your data. Through this process, I found a ",[],{},{"nodeType":1389,"data":2740,"content":2742},{"uri":2741},"https://www.diagrams.net/blog/data-protection",[2743],{"nodeType":1293,"value":1450,"marks":2744,"data":2746},[2745],{"type":1565},{},{"nodeType":1293,"value":2748,"marks":2749,"data":2750}," on diagrams.net detailing their approach to security and user privacy. They do make note that they don’t ",[],{},{"nodeType":1389,"data":2752,"content":2754},{"uri":2753},"https://www.diagrams.net/blog/data-protection#:~:text=Because%20your%20sensitive%20diagram%20data%20doesn%E2%80%99t%20leave%20your%20infrastructure%20and%20is%20never%20stored%20on%20the%20diagrams.net%20servers%2C%20diagrams.net%20is%20a%20tool%20which%20lets%20you%20comply%20with%20data%20protection%20certifications%20(ISO%2027000%2C%2027001%20and%2027002)%20and%20the%20GDPR.",[2755],{"nodeType":1293,"value":2756,"marks":2757,"data":2759},"store any sensitive customer data data on their servers",[2758],{"type":1565},{},{"nodeType":1293,"value":2761,"marks":2762,"data":2763},", and thus let you comply with GDPR, ISO 2700* etc. certifications if you use their services.",[],{},{"nodeType":1294,"data":2765,"content":2766},{},[2767],{"nodeType":1293,"value":2768,"marks":2769,"data":2770},"While this is great from a tick box exercise perspective, this doesn’t address the original concern – how much risk are you taking on by letting their app integrate with your environment? What could an attacker who compromises diagrams.net have access to and how do you lessen the risk while still allowing employees to use the app?",[],{},{"nodeType":1294,"data":2772,"content":2773},{},[2774,2778,2787],{"nodeType":1293,"value":2775,"marks":2776,"data":2777},"Further in the same blog post, they link to a GitHub ",[],{},{"nodeType":1389,"data":2779,"content":2781},{"uri":2780},"https://github.com/jgraph/security-privacy-legal",[2782],{"nodeType":1293,"value":2783,"marks":2784,"data":2786},"repository",[2785],{"type":1565},{},{"nodeType":1293,"value":2788,"marks":2789,"data":2790}," that contains their security and privacy processes, policies, and even some pentest reports. They do a great job of including this information, by the way, so cheers to diagrams.net!",[],{},{"nodeType":1294,"data":2792,"content":2793},{},[2794],{"nodeType":1293,"value":2795,"marks":2796,"data":2797},"At this point you should have a better understanding of the security of the vendor you’re integrating into your organization, and whether it’s okay to accept the risk. Documenting and adding the information you found to your risk register is also a good idea. Likely, you’ll be taking this information to your Information Security Manager for risk acceptance. ",[],{},{"nodeType":1294,"data":2799,"content":2800},{},[2801],{"nodeType":1293,"value":2802,"marks":2803,"data":2804},"We’re working on ways to provide this information to our clients through the Push app dashboard in future, too. Sign up or subscribe to our blog to get product updates when features like this are introduced. ",[],{},{"nodeType":2042,"data":2806,"content":2807},{},[2808],{"nodeType":1293,"value":2809,"marks":2810,"data":2811},"Hijackable urls and implicit grant flow",[],{},{"nodeType":1628,"data":2813,"content":2814},{},[2815],{"nodeType":1293,"value":2053,"marks":2816,"data":2817},[],{},{"nodeType":1294,"data":2819,"content":2820},{},[2821,2826,2836,2841,2851],{"nodeType":1293,"value":2822,"marks":2823,"data":2825},"Developer side note: The implicit grant flow is no longer recommended due to security-related concerns and that it won’t function where ",[2824],{"type":312},{},{"nodeType":1389,"data":2827,"content":2829},{"uri":2828},"https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-third-party-cookies-spas#:~:text=Many%20browsers%20block%20third%2Dparty%20cookies%2C%20cookies%20on%20requests%20to%20domains%20other%20than%20the%20domain%20shown%20in%20the%20browser%27s%20address%20bar.%20This%20block%20breaks%20the%20implicit%20flow%20and%20requires%20new%20authentication%20patterns%20to%20successfully%20sign%20in%20users.",[2830],{"nodeType":1293,"value":2831,"marks":2832,"data":2835},"3rd party cookies are blocked in browsers",[2833,2834],{"type":1565},{"type":312},{},{"nodeType":1293,"value":2837,"marks":2838,"data":2840},". Instead, you should switch to using the ",[2839],{"type":312},{},{"nodeType":1389,"data":2842,"content":2844},{"uri":2843},"https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow",[2845],{"nodeType":1293,"value":2846,"marks":2847,"data":2850},"authorization code flow",[2848,2849],{"type":1565},{"type":312},{},{"nodeType":1293,"value":2852,"marks":2853,"data":2855}," if applicable to your requirements.",[2854],{"type":312},{},{"nodeType":1294,"data":2857,"content":2858},{},[2859,2863,2872],{"nodeType":1293,"value":2860,"marks":2861,"data":2862},"Let’s quickly go over how OAuth2’s implicit grant flow works so you can better understand how to spot potentially risky apps and integrations, and why this can result in a security concern. Microsoft provides a great ",[],{},{"nodeType":1389,"data":2864,"content":2866},{"uri":2865},"https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-implicit-grant-flow",[2867],{"nodeType":1293,"value":2868,"marks":2869,"data":2871},"breakdown",[2870],{"type":1565},{},{"nodeType":1293,"value":2873,"marks":2874,"data":2875}," of the implicit grant flow, however for the purposes of brevity (and simplicity), it does the following:",[],{},{"nodeType":2877,"data":2878,"content":2879},"ordered-list",{},[2880,2890,2900,2910,2920],{"nodeType":1798,"data":2881,"content":2882},{},[2883],{"nodeType":1294,"data":2884,"content":2885},{},[2886],{"nodeType":1293,"value":2887,"marks":2888,"data":2889},"A user goes to a web app and clicks a login link",[],{},{"nodeType":1798,"data":2891,"content":2892},{},[2893],{"nodeType":1294,"data":2894,"content":2895},{},[2896],{"nodeType":1293,"value":2897,"marks":2898,"data":2899},"The web app redirects the user to authenticate and authorize the app. This is performed against your identity provider (in this example, Microsoft)",[],{},{"nodeType":1798,"data":2901,"content":2902},{},[2903],{"nodeType":1294,"data":2904,"content":2905},{},[2906],{"nodeType":1293,"value":2907,"marks":2908,"data":2909},"If this is the first time authorizing the app, the user is presented with a list of scopes (permissions) the app will need access to, and the user clicks “approve”",[],{},{"nodeType":1798,"data":2911,"content":2912},{},[2913],{"nodeType":1294,"data":2914,"content":2915},{},[2916],{"nodeType":1293,"value":2917,"marks":2918,"data":2919},"This responds with a token to one of the hard-coded reply urls associated with the app integration (e.g. https://apps.diagrams.net/microsoft as with the ‘Apps with excessive privileges’ example)",[],{},{"nodeType":1798,"data":2921,"content":2922},{},[2923],{"nodeType":1294,"data":2924,"content":2925},{},[2926],{"nodeType":1293,"value":2927,"marks":2928,"data":2929},"The app uses the token to access the user’s resources with the permissions approved in step 3",[],{},{"nodeType":1294,"data":2931,"content":2932},{},[2933],{"nodeType":1293,"value":2934,"marks":2935,"data":2936},"Based on the flow above, if an attacker gets their hands on the token from step 4, they can perform requests as the user, granting them access to your resources. To get the token, you need to control one of the hardcoded reply url endpoints, and convince a user to authenticate to the app – perhaps via a phishing attack.",[],{},{"nodeType":1294,"data":2938,"content":2939},{},[2940],{"nodeType":1293,"value":2941,"marks":2942,"data":2943},"As an example, some of the apps we’ve reviewed contained reply urls which were subdomains of azurewebsites.net and ngrok.io. These urls don’t appear problematic at first. However, the urls could have been used during the development process, and were forgotten about at the conclusion of the project. During the review process we follow at Push, we found multiple examples of such urls that were no longer in use.",[],{},{"nodeType":1294,"data":2945,"content":2946},{},[2947,2951,2960],{"nodeType":1293,"value":2948,"marks":2949,"data":2950},"This could allow an attacker to register the urls and perform phishing attacks against organizations that use these particular apps, granting the attacker access to previously- approved scopes and resources. The outcome of this attack would be similar to ",[],{},{"nodeType":1389,"data":2952,"content":2954},{"uri":2953},"https://www.oauth.com/oauth2-servers/authorization/security-considerations/#:~:text=Redirect%20URL%20Manipulation",[2955],{"nodeType":1293,"value":2956,"marks":2957,"data":2959},"redirect URL manipulation",[2958],{"type":1565},{},{"nodeType":1293,"value":2961,"marks":2962,"data":2963},", but instead of taking advantage of an open or misconfigured redirect, the attacker is in control of the endpoint where the token ends up.",[],{},{"nodeType":1294,"data":2965,"content":2966},{},[2967,2971,2979],{"nodeType":1293,"value":2968,"marks":2969,"data":2970},"How would you even go about detecting if an app makes use of the implicit grant flow? This requires getting your hands dirty with making authorization requests to your tenant for the specific app ID, and passing the “response_type=token” parameter in the url. This should return an error if the app is not configured with the implicit grant flow. If you’d like to test this yourself, you can follow the “Run in Postman” link at the top of ",[],{},{"nodeType":1389,"data":2972,"content":2973},{"uri":2865},[2974],{"nodeType":1293,"value":2975,"marks":2976,"data":2978},"this article",[2977],{"type":1565},{},{"nodeType":1293,"value":2980,"marks":2981,"data":2982}," to make this process a bit easier.",[],{},{"nodeType":1294,"data":2984,"content":2985},{},[2986],{"nodeType":1293,"value":2987,"marks":2988,"data":2989},"Another example of a hijackable url includes dangling DNS records. Let’s say your app includes a reply url pointing to a legacy server used for development (eg. apptesting-dev.ctrlaltsecure.com). This server was hosted on an EC2 instance in AWS, and has long since been decommissioned. However, the IP address associated with the instance is still pointing to the same address. A determined attacker could potentially gain access to the IP address by spinning up resources until it’s assigned to them.",[],{},{"nodeType":1294,"data":2991,"content":2992},{},[2993,2997,3006,3010,3019],{"nodeType":1293,"value":2994,"marks":2995,"data":2996},"OWASP has ",[],{},{"nodeType":1389,"data":2998,"content":3000},{"uri":2999},"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/10-Test_for_Subdomain_Takeover",[3001],{"nodeType":1293,"value":3002,"marks":3003,"data":3005},"published an article",[3004],{"type":1565},{},{"nodeType":1293,"value":3007,"marks":3008,"data":3009}," and HackerOne ",[],{},{"nodeType":1389,"data":3011,"content":3013},{"uri":3012},"https://www.hackerone.com/application-security/guide-subdomain-takeovers",[3014],{"nodeType":1293,"value":3015,"marks":3016,"data":3018},"posted a guide",[3017],{"type":1565},{},{"nodeType":1293,"value":3020,"marks":3021,"data":3022}," highlighting ways to take over subdomains , and it’s very easy to overlook.",[],{},{"nodeType":1628,"data":3024,"content":3025},{},[3026],{"nodeType":1293,"value":2094,"marks":3027,"data":3028},[],{},{"nodeType":1294,"data":3030,"content":3031},{},[3032],{"nodeType":1293,"value":3033,"marks":3034,"data":3035},"Unfortunately there is no elegant solution to this problem, and it’s not easy to spot as you would need to review each url to see if it’s still in use, in addition to figuring out if the app makes use of the implicit grant flow. Even then, is the active url being used by the developer, or has an attacker already claimed it.",[],{},{"nodeType":1294,"data":3037,"content":3038},{},[3039],{"nodeType":1293,"value":3040,"marks":3041,"data":3042},"The best course of action here is likely to make use of a proxy that prevents users from accessing unclassified urls, or urls with a low reputation. However, you will risk breaking applications and making your developers angry. This also does not solve the dangling DNS issue, as with the EC2 instance problem above.",[],{},{"nodeType":1294,"data":3044,"content":3045},{},[3046],{"nodeType":1293,"value":3047,"marks":3048,"data":3049},"Another option is to contact vendors of apps that you’ve noticed including such urls in their apps and ask them to remove the stale entries from their apps.",[],{},{"nodeType":2042,"data":3051,"content":3052},{},[3053],{"nodeType":1293,"value":3054,"marks":3055,"data":3056},"You think you’ve been compromised. Now what?",[],{},{"nodeType":1294,"data":3058,"content":3059},{},[3060],{"nodeType":1293,"value":3061,"marks":3062,"data":3063},"\nRegardless of the method of compromise, there’s a few steps you can take to review what happened and to prevent further access into your environment.",[],{},{"nodeType":1628,"data":3065,"content":3066},{},[3067],{"nodeType":1293,"value":3068,"marks":3069,"data":3070},"Review app sign-in logs",[],{},{"nodeType":1294,"data":3072,"content":3073},{},[3074,3078,3085],{"nodeType":1293,"value":3075,"marks":3076,"data":3077},"In Azure Active Directory, head to ",[],{},{"nodeType":1389,"data":3079,"content":3080},{"uri":1721},[3081],{"nodeType":1293,"value":1727,"marks":3082,"data":3084},[3083],{"type":1565},{},{"nodeType":1293,"value":3086,"marks":3087,"data":3088}," and click on the app you want to review. In the new window, click on sign-in logs. You will be presented with a list of user sign-ins (interactive and non-interactive), service principal sign-ins, and managed identity sign-ins.",[],{},{"nodeType":1336,"data":3090,"content":3094},{"target":3091},{"sys":3092},{"id":3093,"type":1341,"linkType":1342},"2L7vf2zjZBelGMJSjP2inY",[],{"nodeType":1294,"data":3096,"content":3097},{},[3098],{"nodeType":1293,"value":3099,"marks":3100,"data":3101},"What you typically need to look for is non-interactive user sign-in logs. Non-interactive sign-ins are related to login events performed on behalf of a user where usernames and passwords were not used (read: tokens). You want to review the sign-ins to determine if there were authentication events from IP addresses unrelated to normal employee activity, which can include discrepancies in geographical locations, and out-of-hours activity. Service principal sign-ins would also be of interest, however it would be more difficult to determine odd behavior as you wouldn’t have user sign-ins to compare with.",[],{},{"nodeType":1294,"data":3103,"content":3104},{},[3105,3109,3117],{"nodeType":1293,"value":3106,"marks":3107,"data":3108},"You could also review Azure’s ",[],{},{"nodeType":1389,"data":3110,"content":3112},{"uri":3111},"https://portal.azure.com/#view/Microsoft_AAD_IAM/SecurityMenuBlade/~/RiskySignIns",[3113],{"nodeType":1293,"value":3114,"marks":3115,"data":3116},"risky sign-ins ",[],{},{"nodeType":1293,"value":3118,"marks":3119,"data":3120},"page, as these issues are likely to show up already classified. Just make sure your filters include non-interactive sign-in methods.",[],{},{"nodeType":1628,"data":3122,"content":3123},{},[3124],{"nodeType":1293,"value":3125,"marks":3126,"data":3127},"Review app audit logs",[],{},{"nodeType":1294,"data":3129,"content":3130},{},[3131],{"nodeType":1293,"value":3132,"marks":3133,"data":3134},"In the same window underneath sign-in logs, you’ll find the audit logs section. Audit logs will provide you with crucial information relating to when an app was integrated, by who, and which permissions were delegated.",[],{},{"nodeType":1336,"data":3136,"content":3140},{"target":3137},{"sys":3138},{"id":3139,"type":1341,"linkType":1342},"5HRLoa9zlIWZdZGLN84Yae",[],{"nodeType":1628,"data":3142,"content":3143},{},[3144],{"nodeType":1293,"value":3145,"marks":3146,"data":3147},"Disable the app",[],{},{"nodeType":1294,"data":3149,"content":3150},{},[3151],{"nodeType":1293,"value":3152,"marks":3153,"data":3154},"If you’ve determined that an app was involved in an incident, the first step would be to disable the app to prevent malicious actors from performing any further authentication. Under the application’s properties, change the setting “Enable for users to sign-in?” from “Yes” to “No”, followed by clicking “Save.”",[],{},{"nodeType":1336,"data":3156,"content":3160},{"target":3157},{"sys":3158},{"id":3159,"type":1341,"linkType":1342},"12NnJ8OhD3K27rFRJ48t6a",[],{"nodeType":1628,"data":3162,"content":3163},{},[3164],{"nodeType":1293,"value":3165,"marks":3166,"data":3167},"Revoke all refresh tokens",[],{},{"nodeType":1294,"data":3169,"content":3170},{},[3171,3175,3184,3188,3197,3201,3210],{"nodeType":1293,"value":3172,"marks":3173,"data":3174},"Disabling the app is not enough to prevent attackers from maintaining access to your environment. ",[],{},{"nodeType":1389,"data":3176,"content":3178},{"uri":3177},"https://learn.microsoft.com/en-us/azure/active-directory/develop/refresh-tokens",[3179],{"nodeType":1293,"value":3180,"marks":3181,"data":3183},"Refresh tokens",[3182],{"type":1565},{},{"nodeType":1293,"value":3185,"marks":3186,"data":3187}," provide a way for apps to retrieve new access tokens without bugging users with pesky sign-in screens. Tokens are typically valid for between ",[],{},{"nodeType":1389,"data":3189,"content":3191},{"uri":3190},"https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens#access-token-lifetime:~:text=The%20default%20lifetime%20of%20an%20access%20token%20is%20variable.%20When%20issued%2C%20the%20default%20lifetime%20of%20an%20access%20token%20is%20assigned%20a%20random%20value%20ranging%20between%2060%2D90%20minutes%20(75%20minutes%20on%20average).",[3192],{"nodeType":1293,"value":3193,"marks":3194,"data":3196},"60 to 90 minutes",[3195],{"type":1565},{},{"nodeType":1293,"value":3198,"marks":3199,"data":3200},", and if a refresh token has been issued, the token holder can request new tokens for ",[],{},{"nodeType":1389,"data":3202,"content":3204},{"uri":3203},"https://learn.microsoft.com/en-us/azure/active-directory/develop/refresh-tokens#:~:text=The%20default%20lifetime%20for%20the%20refresh%20tokens%20is%2024%20hours%20for%20single%20page%20apps%20and%2090%20days%20for%20all%20other%20scenarios",[3205],{"nodeType":1293,"value":3206,"marks":3207,"data":3209},"up to 90 days",[3208],{"type":1565},{},{"nodeType":1293,"value":3211,"marks":3212,"data":3213},"! ",[],{},{"nodeType":1294,"data":3215,"content":3216},{},[3217],{"nodeType":1293,"value":3218,"marks":3219,"data":3220},"So, revoking refresh tokens is an important step as part of the mitigation and recovery steps. This step can be performed with some PowerShell – luckily Microsoft provides pre-generated scripts for you to copy and paste. Click on ‘Permissions’ for the app, followed by ‘Review permissions.’ ",[],{},{"nodeType":1336,"data":3222,"content":3226},{"target":3223},{"sys":3224},{"id":3225,"type":1341,"linkType":1342},"7vuFmlmZbzfNhWHPj8ToHm",[],{"nodeType":1294,"data":3228,"content":3229},{},[3230],{"nodeType":1293,"value":3231,"marks":3232,"data":3233},"In the new window, click on ‘This application is malicious and I’m compromised.’ This will present you with the necessary PowerShell scripts to remove users from the app, revoke all permissions granted to the app, and finally to revoke refresh tokens associated with the app.",[],{},{"nodeType":1336,"data":3235,"content":3239},{"target":3236},{"sys":3237},{"id":3238,"type":1341,"linkType":1342},"4NnD6WKRHlnzKE0F4GUDEm",[],{"nodeType":1628,"data":3241,"content":3242},{},[3243],{"nodeType":1293,"value":3244,"marks":3245,"data":3246},"What to do if the initial access token was stolen",[],{},{"nodeType":1294,"data":3248,"content":3249},{},[3250],{"nodeType":1293,"value":3251,"marks":3252,"data":3253},"The initial access token cannot be revoked. In practice, if an attacker has managed to steal an access token it will be valid for the remainder of its lifespan, which is typically one hour. This is true even if the account is disabled, the compromised app deleted, and all refresh tokens revoked. If you’re responding to an incident, you will need to keep an eye on audit logs for an hour or more after performing the above steps to make sure the valid access token wasn’t still being used to perform actions in the environment.",[],{},{"nodeType":1294,"data":3255,"content":3256},{},[3257,3261,3270,3274,3283],{"nodeType":1293,"value":3258,"marks":3259,"data":3260},"Microsoft’s response to this was to develop something called ",[],{},{"nodeType":1389,"data":3262,"content":3264},{"uri":3263},"https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-continuous-access-evaluation",[3265],{"nodeType":1293,"value":3266,"marks":3267,"data":3269},"continuous access evaluation",[3268],{"type":1565},{},{"nodeType":1293,"value":3271,"marks":3272,"data":3273},". However, they admit in the article that it does not address a scenario where an attacker exfiltrated the token outside of a ",[],{},{"nodeType":1389,"data":3275,"content":3277},{"uri":3276},"https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-continuous-access-evaluation#:~:text=Token%20export%20to%20a%20machine%20outside%20of%20a%20trusted%20network%20can%20be%20prevented%20with%20Conditional%20Access%20location%20policies",[3278],{"nodeType":1293,"value":3279,"marks":3280,"data":3282},"trusted network",[3281],{"type":1565},{},{"nodeType":1293,"value":3284,"marks":3285,"data":3286},", in which case conditional access policy enforcement would be required to address the issue. Continuous access evaluation is ideal for handling specific cases of user access into the environment such as employee contract termination, or scenarios where conditional access policies are violated.",[],{},{"nodeType":2042,"data":3288,"content":3289},{},[3290],{"nodeType":1293,"value":1980,"marks":3291,"data":3292},[],{},{"nodeType":1294,"data":3294,"content":3295},{},[3296],{"nodeType":1293,"value":3297,"marks":3298,"data":3299},"This article should have given you a better understanding of the most common issues presented when reviewing SaaS apps integrated into your environment. ",[],{},{"nodeType":1294,"data":3301,"content":3302},{},[3303],{"nodeType":1293,"value":3304,"marks":3305,"data":3306},"Determining whether using an app would result in compromise is not a simple task, especially if you haven’t observed malicious behavior. As such, the best course of action is to consider all angles, which include the business case of users requiring its use, the permission scopes, and whether the vendor’s security practices are in line with your requirements.",[],{},{"nodeType":1294,"data":3308,"content":3309},{},[3310],{"nodeType":1293,"value":3311,"marks":3312,"data":3313},"SaaS is a new(ish) frontier that can be really daunting to defend against attackers, but it's not impossible to reduce risk without simply blocking access to SaaS. And, remember: denying users access to tools will make them find ways around the limitations.",[],{},{"nodeType":1294,"data":3315,"content":3316},{},[3317],{"nodeType":1293,"value":3318,"marks":3319,"data":3320},"We hope this article helps you get a better handle on how to determine if you’ve been compromised, and respond to incidents involving SaaS apps and/or OAuth integrations to your core work platforms.",[],{},{"nodeType":1336,"data":3322,"content":3326},{"target":3323},{"sys":3324},{"id":3325,"type":1341,"linkType":1342},"2y0INxqAi594O7rCAVKhTI",[],{"nodeType":1294,"data":3328,"content":3329},{},[3330],{"nodeType":1293,"value":37,"marks":3331,"data":3332},[],{},{"entries":3334},{"inline":3335,"hyperlink":3336,"block":3343},[],[3337,3339],{"sys":3338,"__typename":1314,"title":1507,"slug":1510},{"id":1316},{"sys":3340,"__typename":1314,"title":3341,"slug":3342},{"id":2135},"Is it safe to allow my employees to connect third-party apps to our M365/Google Workspace tenant?","is-it-safe-to-allow-my-employees-to-connect-third-party-apps-to-our-m365",[3344,3353,3361,3369,3377,3385,3393,3401,3408,3416,3424],{"sys":3345,"__typename":3346,"title":3347,"caption":118,"layoutMode":3348,"file":3349},{"id":2088},"Image","Consent phishing example","Left aligned",{"url":3350,"width":3351,"height":3352},"https://images.ctfassets.net/y1cdw1ablpvd/6HYzFiGjBi8ae4IDlDhtbx/238e9456dfe0aa62b5723f95a944be36/image2.png",500,765,{"sys":3354,"__typename":3346,"title":3355,"caption":3356,"layoutMode":3348,"file":3357},{"id":2150},"User consent for applications","Microsoft 365 permission-configuring page options",{"url":3358,"width":3359,"height":3360},"https://images.ctfassets.net/y1cdw1ablpvd/65HmUDGZM8VCDRIeUUdEPY/3fe867fef120cc2190f8440d11b760f7/image9.png",546,288,{"sys":3362,"__typename":3346,"title":3363,"caption":3364,"layoutMode":3348,"file":3365},{"id":2621},"Adobe app integration details","Push's integration panel with our Adobe app details with verified publisher information",{"url":3366,"width":3367,"height":3368},"https://images.ctfassets.net/y1cdw1ablpvd/6Rg5TnvmAqZDFFyVx5x5I1/34fa8feaeb3775b6a96d6089772540be/image7.png",651,673,{"sys":3370,"__typename":3346,"title":3371,"caption":3372,"layoutMode":3348,"file":3373},{"id":2634},"Acrobat integration details","Push's integration panel with our Adobe app details. This instance shows unverified, but is not malicious",{"url":3374,"width":3375,"height":3376},"https://images.ctfassets.net/y1cdw1ablpvd/3dKH7ObNU1nRkqvOUKuqw0/0ed37374b74952164b589f9b9b60aa29/image6.png",663,732,{"sys":3378,"__typename":3346,"title":3379,"caption":3380,"layoutMode":3348,"file":3381},{"id":2694},"Diagrams.net oauth integration panel","Example of a Microsoft integration that was granted excessive permissions (Sites.Read.All)",{"url":3382,"width":3383,"height":3384},"https://images.ctfassets.net/y1cdw1ablpvd/1dbB6L6VNOL332mmGI4szQ/13a6a7dd456303fc75a404a44407653c/image5.png",652,728,{"sys":3386,"__typename":3346,"title":3387,"caption":3388,"layoutMode":3348,"file":3389},{"id":3093},"Azure active directory","An application's sign-in logs detailing user activity",{"url":3390,"width":3391,"height":3392},"https://images.ctfassets.net/y1cdw1ablpvd/6fHOFS9XjBLpUQBdgjrsoc/61411340965dd7c158e8e5b94671654a/image3.png",1150,545,{"sys":3394,"__typename":3346,"title":3395,"caption":3396,"layoutMode":3348,"file":3397},{"id":3139},"Azure enterprise app audit log page","Azure enterprise applications audit log page detailing the scopes that were delegated to a sign-in event.",{"url":3398,"width":3399,"height":3400},"https://images.ctfassets.net/y1cdw1ablpvd/75u2Mq5FiX2rVW1760QSNf/22cf898dd65e38ce7e6f585486148987/image1.png",748,229,{"sys":3402,"__typename":3346,"title":3403,"caption":3403,"layoutMode":3348,"file":3404},{"id":3159},"Disabling an Azure application integration",{"url":3405,"width":3406,"height":3407},"https://images.ctfassets.net/y1cdw1ablpvd/2qiV0t6oaYhIEHpJTh7VS5/b7b04792ad8c9c575b238ce629c5de9d/image8.png",984,300,{"sys":3409,"__typename":3346,"title":3410,"caption":3411,"layoutMode":3348,"file":3412},{"id":3225},"Azure permission review tab","Navigating to the permission review tab for an integrated application",{"url":3413,"width":3414,"height":3415},"https://images.ctfassets.net/y1cdw1ablpvd/2JtsVllKju7mumigafESsj/174a50115c736a288e2c3182a31c4e9d/image10.png",682,579,{"sys":3417,"__typename":3346,"title":3418,"caption":3419,"layoutMode":3348,"file":3420},{"id":3238},"Revoking access","Auto-generated PowerShell scripts to revoke access to an integrated application.",{"url":3421,"width":3422,"height":3423},"https://images.ctfassets.net/y1cdw1ablpvd/2VNTXdvWQeAmD2TTlz7iDA/2e26e2943f593315c32b82f58f20a665/image4.png",830,671,{"sys":3425,"__typename":3426,"type":1500,"ctaText":3427,"buttonLabel":3428,"buttonColour":3429,"buttonUrl":118},{"id":3325},"CtaWidget","See more original research and technical content from Push","Follow us on LinkedIn","orange","content:blog:how-attackers-compromise-azure-organizations-through-saas-apps.json","json","content","blog/how-attackers-compromise-azure-organizations-through-saas-apps.json","blog/how-attackers-compromise-azure-organizations-through-saas-apps",1776359993655]