[{"data":1,"prerenderedAt":4089},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":95,"navbar-about-highlight":155,"navbar-resource-highlight":211,"use-case-page":256,"blog/how-cyber-breaches-are-driving-tighter-mfa-requirements-and-enforcement":1276},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8,59,76],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":14,"data":15,"variations":50,"lastUpdated":51,"firstPublished":52,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":54,"meta":55,"rev":58},1742213002749,"efff2a27faf4408e9f908eba4b5542fe","inductive-automation","1c6207a5f24948ab82d4a0b17f251193","published",[],{"testimonial":16,"description":43,"type":19,"link":44,"title":47,"testimonialLink":48,"image":49},{"@type":17,"id":18,"model":19,"value":20},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79","testimonial",{"query":21,"folders":22,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":26,"variations":30,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":35,"rev":42},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":27,"jobTitle":28,"quote":24,"image":29},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,1,"ST0tXQM8slWpFrmioqKHmENB2qe2",{"kind":36,"lastPreviewUrl":37,"breakpoints":38,"hasAutosaves":41},"data","",{"small":39,"medium":40},640,768,true,"3v32gocrrqz","Join the industry's top security minds as they break down the browser attack landscape.",{"url":45,"text":46},"https://pushsecurity.com/webinar/state-of-browser-security","Save Your Spot","State of Browser Attacks 
Series","/customer-stories/inductive-automation","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe94fca10aa7b46ac8052b7ea22de54cd",{},1776257019270,1742221533648,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2",[],{"breakpoints":56,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},320,"motto9r9yg",{"createdDate":60,"id":61,"name":62,"modelId":12,"published":13,"query":63,"data":64,"variations":69,"lastUpdated":70,"firstPublished":71,"testRatio":33,"createdBy":53,"lastUpdatedBy":72,"folders":73,"meta":74,"rev":58},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner",[],{"type":65,"url":66,"text":67,"link":68},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,"jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":36,"lastPreviewUrl":37,"breakpoints":75,"hasAutosaves":41},{"xsmall":57,"small":39,"medium":40},{"createdDate":77,"id":78,"name":79,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":80,"data":81,"variations":89,"lastUpdated":90,"firstPublished":91,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":92,"meta":93,"rev":58},1742208469288,"6763051b201f44a0838c6400c580ca67","Resource highlight",[],{"image":82,"type":83,"description":84,"link":85,"title":88},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9","resource","Learn about the latest techniques being used in the wild.",{"url":86,"text":87},"/resources/browser-attacks-report","Download now","Report: 2026 Browser Attack 
Techniques",{},1776255866789,1742208570400,[],{"kind":36,"lastPreviewUrl":37,"breakpoints":94,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},{"createdDate":96,"id":97,"name":98,"modelId":99,"published":13,"query":100,"data":101,"variations":145,"lastUpdated":146,"firstPublished":147,"testRatio":33,"createdBy":34,"lastUpdatedBy":148,"folders":149,"meta":150,"rev":154},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":102,"text":103,"url":37,"blocks":104,"state":141},"ewrererw","testrfesssssssssss",[105,129],{"@type":106,"@version":107,"id":108,"component":109,"responsiveStyles":119},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":110,"tag":110,"options":111,"isRSC":118},"TopBannerContent",{"text":112,"ctaText":46,"url":45,"mainText":113,"cta":116},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks",{"content":114,"fontSize":115},"\u003Cp>New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks\u003C/p>","text-base",{"content":117,"fontSize":115,"url":45},"\u003Cp>\u003Cstrong style=\"font-weight:700;\">Save Your 
Spot\u003C/strong>\u003C/p>\n",null,{"large":120},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"marginTop":126,"marginBottom":126,"fontSize":127,"fontWeight":128},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"id":130,"@type":106,"tagName":131,"properties":132,"responsiveStyles":136},"builder-pixel-08zrjigffq5t","img",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":137},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},"block","hidden","none",{"deviceSize":142,"location":143},"large",{"path":37,"query":144},{},{},1775137295127,1774968080803,"ax7YYfD0OCeqT1Vxxv1G4FUbqVr1",[],{"breakpoints":151,"hasLinks":6,"kind":152,"lastPreviewUrl":153,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests%2CmergePullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default","2lvuonnywj",[156,180],{"createdDate":157,"id":158,"name":159,"modelId":160,"published":13,"stageModifiedSincePublish":6,"query":161,"data":162,"variations":173,"lastUpdated":174,"firstPublished":175,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":176,
"meta":177,"rev":179},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":163,"type":19,"testimonialLink":48,"testimonial":164},{},{"@type":17,"id":18,"model":19,"value":165},{"query":166,"folders":167,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":168,"variations":169,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":170,"rev":172},[],[],{"author":27,"jobTitle":28,"quote":24,"image":29},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":171,"hasAutosaves":41},{"small":39,"medium":40},"7t755zfvte3",{},1776247404986,1776247404973,[],{"breakpoints":178,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"4moh0qpywtr",{"createdDate":181,"id":182,"name":88,"modelId":160,"published":13,"meta":183,"stageModifiedSincePublish":6,"query":185,"data":186,"variations":207,"lastUpdated":208,"firstPublished":209,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":210,"rev":179},1776255761419,"05a9322735fc427db12e2740e4302300",{"breakpoints":184,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[],{"testimonial":187,"link":206,"type":83,"title":88,"description":84,"image":82},{"@type":17,"id":188,"model":19,"value":189},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":190,"folders":191,"createdDate":192,"id":188,"name":193,"modelId":25,"published":13,"data":194,"variations":200,"lastUpdated":201,"firstPublished":202,"testRatio":33,"createdBy":34,"lastUpdatedBy":53,"meta":203,"rev":205},[],[],1728981467463,"Push does for identity what CrowdStrike did for the 
endpoint",{"video":195,"jobTitle":196,"author":197,"qoute":37,"quote":198,"image":199},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":36,"lastPreviewUrl":37,"breakpoints":204,"hasAutosaves":41},{"small":39,"medium":40},"6s8ic0w0ao6",{"text":87,"url":86},{},1776255810913,1776255810900,[],[212,235],{"createdDate":213,"id":214,"name":88,"modelId":215,"published":13,"meta":216,"stageModifiedSincePublish":6,"query":218,"data":219,"variations":230,"lastUpdated":231,"firstPublished":232,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":233,"rev":234},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":217,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[],{"testimonial":220,"link":229,"type":83,"title":88,"description":84,"image":82},{"@type":17,"id":188,"model":19,"value":221},{"query":222,"folders":223,"createdDate":192,"id":188,"name":193,"modelId":25,"published":13,"data":224,"variations":225,"lastUpdated":201,"firstPublished":202,"testRatio":33,"createdBy":34,"lastUpdatedBy":53,"meta":226,"rev":228},[],[],{"video":195,"jobTitle":196,"author":197,"qoute":37,"quote":198,"image":199},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":227,"hasAutosaves":41},{"small":39,"medium":40},"r77qqueuo3j",{"text":87,"url":86},{},1776256937553,1776256937540,[],"q0jkez80wkg",{"createdDate":236,"id":237,"name":11,"modelId":215,"published":13,"stageModifiedSincePublish":6,"query":238,"data":239,"variations
":250,"lastUpdated":251,"firstPublished":252,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":253,"meta":254,"rev":234},1776256949234,"ce043785b71b4ece98eac811ecf4ba10",[],{"link":240,"type":19,"testimonial":241,"testimonialLink":48},{},{"@type":17,"id":18,"model":19,"value":242},{"query":243,"folders":244,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":245,"variations":246,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":247,"rev":249},[],[],{"author":27,"jobTitle":28,"quote":24,"image":29},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":248,"hasAutosaves":41},{"small":39,"medium":40},"mnaneamy308",{},1776256974140,1776256974130,[],{"breakpoints":255,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[257,441,560,679,797,917,1037,1157],{"createdDate":258,"id":259,"name":260,"modelId":261,"published":13,"stageModifiedSincePublish":6,"query":262,"data":268,"variations":429,"lastUpdated":430,"firstPublished":431,"testRatio":33,"screenshot":432,"createdBy":34,"lastUpdatedBy":433,"folders":434,"meta":435,"rev":440},1744829487099,"387451215c314dd5bd654668cdc1a197","Zero-day phishing","cca4143377554c5a9163cc203a8ed2ba",[263],{"@type":264,"property":265,"operator":266,"value":267},"@builder.io/core:Query","urlPath","is","/uc/zero-day-phishing-protection",{"inputs":269,"customFonts":270,"seoTitle":318,"title":318,"tsCode":37,"seoDescription":319,"fontAwesomeIcon":320,"jsCode":37,"blocks":321,"url":267,"state":426},[],[271],{"family":272,"kind":273,"version":274,"lastModified":275,"files":276,"category":295,"menu":296,"subsets":297,"variants":300},"DM 
Sans","webfonts#webfont","v14","2023-07-13",{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"800italic":285,"900italic":286,"700italic":287,"100italic":288,"italic":289,"regular":290,"200italic":291,"500italic":292,"300italic":293,"600italic":294},"https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAop1hTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwA_JxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAkJxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAfJthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwARZthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAC5thTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8gCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9uCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDG3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19Dks
Vat-7DW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat_XDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9XCm3zRmYJpso5.ttf","sans-serif","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxRT23z.ttf",[298,299],"latin","latin-ext",[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"100","200","300","regular","500","600","800","900","100italic","200italic","300italic","italic","500italic","600italic","700italic","800italic","900italic","Zero-day phishing protection","Detect phishing TTPs directly in the browser and stop credential theft.","faFishingRod",[322,421],{"@type":106,"@version":107,"tagName":323,"id":324,"children":325},"div","builder-76c6b8d1499346c7bc1fd56ae4e93638",[326,343,351,358,370,385,396,407,413],{"@type":106,"@version":107,"layerName":327,"id":328,"component":329,"responsiveStyles":340},"UseCaseHero","builder-5228fe062bef4a40a91e43f1112832fa",{"name":327,"options":330,"isRSC":118},{"title":318,"description":331,"points":332,"video":339},"\u003Cp>Push detects phishing as it happens. Autonomous agents hunt for new phishing techniques, identify kit signatures, and deploy detections within minutes of a new attack being analyzed. 
From cloned login pages to AiTM credential harvesting, Push sees what traditional filters miss and stops threats before they escalate.\u003C/p>",[333,335,337],{"item":334},"Detect phishing that bypasses traditional filters, including AiTM, SSO password theft, and fake login pages",{"item":336},"Stop never-before-seen attacks with AI-native behavioral and on-page analysis inside the browser",{"item":338},"Investigate faster with unified browser, user, and page context","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F40433ceeb4f94b43a82e039a0f4fd411%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=40433ceeb4f94b43a82e039a0f4fd411&alt=media&optimized=true",{"large":341},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},"transparent",{"@type":106,"@version":107,"id":344,"component":345,"responsiveStyles":348},"builder-96634044407e491299e291ed64669e39",{"name":346,"options":347,"isRSC":118},"TrustedBy",{"AllPartners":41,"backgroundTransparent":6},{"large":349},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},"#000",{"@type":106,"@version":107,"id":352,"component":353,"responsiveStyles":356},"builder-2c3768f930534557bb8978e32b6a6a0f",{"name":354,"options":355,"isRSC":118},"Diagonal",{"darkMode":41},{"large":357},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":359,"id":360,"component":361,"responsiveStyles":368},"TextImageBlockVertical","builder-7c3c1c2840424db2ad2ccbfaf382dd64",{"name":359,"tag":359,"options":362,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":365,"description":366,"animatedTitle":37,"image":367,"reverse":6,"descriptionPaddingHorizontal":118},1200,800,"\u003Ch2>Why stop at the inbox?\u003C/h2>","\u003Cp>Phishing attacks have evolved. 
Whether attackers lure users with QR codes, instant messages, or OAuth consent screens, the outcome is the same: it plays out in the browser. Push gives you real-time detection for in-browser threats, stopping phishing and consent-based attacks before they lead to compromise.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7fdcac241f0e4a049166d7076858adeb",{"large":369},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":371,"component":372,"responsiveStyles":380},"builder-41c978b3669749cf947e622b4e79e4d7",{"name":373,"options":374,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":377,"description":378,"reverse":41,"image":379},600,100,"\u003Cp>Detect phishing at the edge\u003C/p>","\u003Cp>Push uses industry-first telemetry to detect phishing based on behavior, not static indicators. Autonomous agents analyze how phishing pages behave and how users interact with them, uncovering fake logins, credential theft, and phishing kits the moment they load in the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F9df3d180c97b4e61af142af2ccd68721",{"large":381},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},"DM Sans, sans-serif","20px","0px",{"@type":106,"@version":107,"id":386,"component":387,"responsiveStyles":393},"builder-d2a7bc941feb43cdb898bc116b203cf9",{"name":373,"options":388,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":390,"description":391,"reverse":6,"image":392},120,"\u003Ch2>Go beyond blocklists and IOCs\u003C/h2>","\u003Cp>Push goes beyond URLs and easy-to-change indicators. 
It reads the full phishing playbook, including script behavior, session hijacks, DOM changes, and user inputs, then connects the dots in real time. This gives your team a complete picture of how the phishing attempt worked, not just an alert.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fabfd58db169b433e96d3f1261797156e",{"large":394},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},"36px",{"@type":106,"@version":107,"layerName":373,"id":397,"component":398,"responsiveStyles":404},"builder-42c32198083f4880acb37c5cb76934da",{"name":373,"options":399,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":401,"description":402,"reverse":41,"image":403},140,"\u003Ch2>Enhance your phishing response\u003C/h2>","\u003Cp>When phishing enters your environment, speed matters. Push gives you instant access to the telemetry that counts, such as session data, user behavior, and page activity, so you can investigate fast, trigger in-browser prompts, or forward alerts to your SIEM or SOAR for response. 
All in real time, right from the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fbb195aec46904056b85e8688629e558e",{"large":405},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},"47px",{"@type":106,"@version":107,"id":408,"component":409,"responsiveStyles":411},"builder-9a95b9cbc4854421a92ef7b90f6c7adb",{"name":354,"options":410,"isRSC":118},{"darkMode":6},{"large":412},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":414,"component":415,"responsiveStyles":419},"builder-0afa17a9f25c4661a90f314d5578aa18",{"name":416,"tag":416,"options":417,"isRSC":118},"LatestResources",{"sectionHeading":37,"customClass":418},"bg-black",{"large":420},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":422,"@type":106,"tagName":131,"properties":423,"responsiveStyles":424},"builder-pixel-21yj6h3p4wh",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":425},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":427},{"path":37,"query":428},{},{},1776275046831,1745499158657,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fff60c30a8442489c8ed7e0af9599d14f","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"lastPreviewUrl":436,"winningTest":118,"breakpoints":437,"kind":438,"hasLinks":6,"originalContentId":439,"hasAutosaves":6},"https://pushsecurity.com/uc/zero-day-phishing-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&
builder.overrides.use-case-page=387451215c314dd5bd654668cdc1a197&builder.overrides.387451215c314dd5bd654668cdc1a197=387451215c314dd5bd654668cdc1a197&builder.overrides.use-case-page:/uc/zero-day-phishing-protection=387451215c314dd5bd654668cdc1a197&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},"page","2daa5670b8504fc7ba4700633e8bd921","atvz4dp24b7",{"createdDate":442,"id":443,"name":444,"modelId":261,"published":13,"stageModifiedSincePublish":6,"query":445,"data":448,"variations":552,"lastUpdated":553,"firstPublished":554,"testRatio":33,"screenshot":555,"createdBy":34,"lastUpdatedBy":433,"folders":556,"meta":557,"rev":440},1756833377777,"54f8256648f54d439303734b1e69221b","Browser extension security",[446],{"@type":264,"property":265,"operator":266,"value":447},"/uc/browser-extension-security",{"seoDescription":449,"jsCode":37,"fontAwesomeIcon":450,"tsCode":37,"title":444,"seoTitle":444,"customFonts":451,"inputs":456,"blocks":457,"url":447,"state":549},"Shine a light on risky browser extensions.","faPuzzlePiece",[452],{"kind":273,"family":272,"version":274,"files":453,"category":295,"lastModified":275,"subsets":454,"variants":455,"menu":296},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"100italic":288,"italic":289,"regular":290,"900italic":286,"800italic":285,"700italic":287,"200italic":291,"300italic":293,"500italic":292,"600italic":294},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],[],[458,544],{"@type":106,"@version":107,"tagName":323,"id":459,"meta":460,"children":461},"builder-71d0648c1d2f4ede8d0d0b5b28b7b94c",{"previousId":324},[462,478,485,492,501,511,521,531,538],{"@type":106,"@version":107,"id":463,"meta":464,"component":465,"responsiveStyles":476},"builder-ff325b4b8fad4edea53f38865947e854",{"previousId":328},{"name":327,"options":466,"isRSC":118},{"title":444,"description":467,"points":468,"video":475},"\u003Cp>Browser extensions introduce new code, new 
permissions, and new potential for risk. Many include AI features, and most go completely unnoticed. Push gives you full visibility into every extension used across your workforce, across major browsers, so you can uncover shadow IT, assess risky permissions, and block unsafe tools before they lead to compromise.\u003C/p>",[469,471,473],{"item":470},"Discover every browser extension in use",{"item":472},"Spot risky or unsanctioned behavior",{"item":474},"Make informed decisions on extension policy","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc538aad95d7f403aa3c3551af72f67c0?alt=media&token=1411fa6d-2eac-4e6c-94bf-ea117da12d67&apiKey=f3a1111ff5be48cdbb123cd9f5795a05",{"large":477},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":479,"meta":480,"component":481,"responsiveStyles":483},"builder-fb89d128c64e47cf9cbb11d90fc24523",{"previousId":344},{"name":346,"options":482,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":484},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":486,"meta":487,"component":488,"responsiveStyles":490},"builder-54388d35126c4d0096eeebaf8c4448cd",{"previousId":352},{"name":354,"options":489,"isRSC":118},{"darkMode":41},{"large":491},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":359,"id":493,"component":494,"responsiveStyles":499},"builder-3c8fa6785dd6466abf52a2470d66d85a",{"name":359,"tag":359,"options":495,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":496,"description":497,"image":498,"reverse":6},"\u003Ch2>Take control of browser extensions\u003C/h2>","\u003Cp>Attackers are increasingly using malicious browser extensions to gain access to data processed and stored in the browser. 
And the problem is, most security teams have no visibility into what extensions are being used. Push changes that. With browser-native telemetry, the Push extension continuously inventories browser extensions across your environment, flags the risky ones, and gives you intelligence to act.&nbsp;\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0a004f16a6874f4c8fdf14344acc9fec",{"large":500},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":502,"meta":503,"component":504,"responsiveStyles":509},"builder-93738f98109a4009affb349afd7bb182",{"previousId":371},{"name":373,"options":505,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":506,"description":507,"reverse":41,"image":508},"\u003Ch2>Discover every extension in use\u003C/h2>","\u003Cp>Push gives you structured, searchable data about every extension in your environment, so you’re not just seeing what’s there, but also understanding how it got there, what it can do, and who it affects. 
It’s the kind of granular insight that’s nearly impossible to get from traditional tools, and it lays the groundwork for better policy decisions and faster investigations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0e5727ca99474f14b1b7916bf6bbb782",{"large":510},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":512,"meta":513,"component":514,"responsiveStyles":519},"builder-83393acb12ee4fdd840839185b51edb4",{"previousId":386},{"name":373,"options":515,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":516,"description":517,"reverse":6,"image":518},"\u003Ch2>Spot risky or malicious extensions\u003C/h2>","\u003Cp>Push highlights extensions with dangerous permissions, broad access, or poor reputations. This includes AI extensions that request access far beyond what their stated purpose requires. You can quickly detect sideloaded, manually installed, or development-mode extensions that bypass normal controls. And because Push shows you who’s using them and where, you can respond precisely and effectively.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa104d58c8da34fbb8901f738fb21453b",{"large":520},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":522,"meta":523,"component":524,"responsiveStyles":529},"builder-da98e3de949646d89c53a0d1c2784664",{"previousId":397},{"name":373,"options":525,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":526,"description":527,"reverse":41,"image":528},"\u003Ch2>Accelerate security reviews\u003C/h2>","\u003Cp>Most teams have extension policies, they just don’t have the data to enforce them. 
Push reveals how each extension entered your environment, whether it was installed manually, sideloaded, or deployed in dev mode. You’ll see which users are running what, and where, so you can surface violations, investigate quickly, and respond with confidence.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F229f355be6f243b180f410d237a75bb3",{"large":530},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":532,"meta":533,"component":534,"responsiveStyles":536},"builder-1a689287d1a1418997d57db578a71105",{"previousId":408},{"name":354,"options":535,"isRSC":118},{"darkMode":6},{"large":537},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":539,"component":540,"responsiveStyles":542},"builder-feb4e75029f84c10b6498ef1f8f79128",{"name":416,"tag":416,"options":541,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":543},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":545,"@type":106,"tagName":131,"properties":546,"responsiveStyles":547},"builder-pixel-0edn39avfcei",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":548},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":550},{"path":37,"query":551},{},{},1776275365038,1757000441666,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8d496cf111644ee5afcc046b72d1ca5a",[],{"kind":438,"winningTest":118,"breakpoints":558,"lastPreviewUrl":559,"hasLinks":6,"originalContentId":259,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/browser-extension-security?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2Cc
reateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=54f8256648f54d439303734b1e69221b&builder.overrides.54f8256648f54d439303734b1e69221b=54f8256648f54d439303734b1e69221b&builder.overrides.use-case-page:/uc/browser-extension-security=54f8256648f54d439303734b1e69221b&builder.options.locale=Default",{"createdDate":561,"id":562,"name":563,"modelId":261,"published":13,"query":564,"data":567,"variations":670,"lastUpdated":671,"firstPublished":672,"testRatio":33,"screenshot":673,"createdBy":34,"lastUpdatedBy":674,"folders":675,"meta":676,"rev":440},1744923509705,"94bebb7bb99d48629ad157e80cf4d81d","Account takeover detection",[565],{"@type":264,"property":265,"operator":266,"value":566},"/uc/account-takeover-detection",{"title":563,"customFonts":568,"jsCode":37,"seoTitle":563,"seoDescription":573,"fontAwesomeIcon":574,"tsCode":37,"blocks":575,"url":566,"state":667},[569],{"kind":273,"category":295,"variants":570,"menu":296,"files":571,"family":272,"subsets":572,"version":274,"lastModified":275},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"300italic":293,"500italic":292,"800italic":285,"700italic":287,"italic":289,"900italic":286,"600italic":294,"200italic":291,"regular":290,"100italic":288},[298,299],"Stop ATO with stolen credential and compromised token 
detection.","faUserSecret",[576,662],{"@type":106,"@version":107,"tagName":323,"id":577,"meta":578,"children":579},"builder-e7913a774cae44c5a23d6081c5c30a52",{"previousId":324},[580,596,603,610,619,629,639,649,656],{"@type":106,"@version":107,"id":581,"meta":582,"component":583,"responsiveStyles":594},"builder-f1f1ab1601bc4c0f8c2a8aafd173675d",{"previousId":328},{"name":327,"options":584,"isRSC":118},{"title":563,"description":585,"points":586,"video":593},"\u003Cp>Attackers don’t need to phish, they just need a password that works. Push monitors for signs of credential-based attacks in real time, directly in the browser, catching account takeover attempts before the damage spreads. From ghost logins to credential stuffing, Push cuts off the paths attackers use to quietly slip in the back door.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[587,589,591],{"item":588},"Identify credential-based ATO as it unfolds",{"item":590},"Surface hijacked sessions and token misuse",{"item":592},"Strengthen authentication where your IdP 
can’t","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb4dd9db24bc9495b8a686b1b4d492016%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=b4dd9db24bc9495b8a686b1b4d492016&alt=media&optimized=true",{"large":595},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":597,"meta":598,"component":599,"responsiveStyles":601},"builder-0bc0d1c78ece4994993c3a6427a4d533",{"previousId":344},{"name":346,"options":600,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":602},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":604,"meta":605,"component":606,"responsiveStyles":608},"builder-e45de8f3768c4f16938dbf78e4e87524",{"previousId":352},{"name":354,"options":607,"isRSC":118},{"darkMode":41},{"large":609},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":611,"component":612,"responsiveStyles":617},"builder-c98e8bfd341146c1b67c02d5698ff093",{"name":359,"tag":359,"options":613,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":614,"description":615,"image":616,"reverse":6},"\u003Ch2>Assume less. See more.\u003C/h2>","\u003Cp>Most account takeovers don’t start with a breach, they start with a login. Whether it’s a reused password, a local account, or an outdated login flow, Push shows you how accounts are actually accessed day to day, not just how policies say they should be. 
That means no more blind spots around ghost logins, bypassed SSO, or stale access paths that quietly persist.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F18630ad2746d4eb7b7fcc0428b11a8f0",{"large":618},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":620,"meta":621,"component":622,"responsiveStyles":627},"builder-55c1fc38ddc04fd1a0d6a8e2fb819e00",{"previousId":371},{"name":373,"options":623,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":624,"description":625,"reverse":41,"image":626},"\u003Ch2>Catch stolen credential use in real time\u003C/h2>","\u003Cp>Push monitors login activity directly in the browser to detect signs of credential-based attacks like leaked password use or suspicious login flows. By analyzing attacker TTPs instead of relying on known indicators, Push spots credential stuffing and account takeover attempts the moment they begin, not after they’ve succeeded.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F52b0123cac2c4dfdb1dc0af6adf9d603",{"large":628},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":630,"meta":631,"component":632,"responsiveStyles":637},"builder-dfb31737b30948c6b95323655d571a50",{"previousId":386},{"name":373,"options":633,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":634,"description":635,"reverse":6,"image":636},"\u003Ch2>Detect session hijacks and stealth access\u003C/h2>","\u003Cp>Attackers don’t always need a login screen, they often sidestep it entirely using stolen session tokens. 
Push detects when valid sessions are reused in unexpected ways, identifying hijacked sessions and stealth access attempts that traditional tools miss. Because we monitor directly in the browser, you see what’s happening inside active sessions in real time.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F94a6859a99e04d309ffe5841f3dbdf5c",{"large":638},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":640,"meta":641,"component":642,"responsiveStyles":647},"builder-f7585b90eb974d03a7dc7eae5b58d227",{"previousId":397},{"name":373,"options":643,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":644,"description":645,"reverse":41,"image":646},"\u003Ch2>Harden accounts before they’re compromised\u003C/h2>","\u003Cp>Push goes beyond alerts. It identifies apps that still allow local logins, even when SSO is configured, so you can remove weak access paths. 
Push also flags users without MFA, reused work credentials, or weak passwords, and prompts users in-browser to fix risky behaviors before they’re exploited.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01c1b638f1b6497093a4f2b8ceddb5bb",{"large":648},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":650,"meta":651,"component":652,"responsiveStyles":654},"builder-ad81d1e3afec49a791214194eae09bdc",{"previousId":408},{"name":354,"options":653,"isRSC":118},{"darkMode":6},{"large":655},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":657,"component":658,"responsiveStyles":660},"builder-8dac1aa4b9d148628d92252bd8eff822",{"name":416,"tag":416,"options":659,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":661},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":663,"@type":106,"tagName":131,"properties":664,"responsiveStyles":665},"builder-pixel-s5u3wmvz7jq",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":666},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":668},{"path":37,"query":669},{},{},1770892814499,1745499162732,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F58b660fa94aa4b30b0faeb9b663ae41a","SfUPqW5tkibIPby49keNFMdHFTr1",[],{"lastPreviewUrl":677,"hasLinks":6,"originalContentId":259,"breakpoints":678,"winningTest":118,"kind":438,"hasAutosaves":41},"https://pushsecurity.com/uc/account-takeover-detection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepo
sitory%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.94bebb7bb99d48629ad157e80cf4d81d=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.use-case-page:/uc/account-takeover-detection=94bebb7bb99d48629ad157e80cf4d81d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":680,"id":681,"name":682,"modelId":261,"published":13,"query":683,"data":686,"variations":789,"lastUpdated":790,"firstPublished":791,"testRatio":33,"screenshot":792,"createdBy":34,"lastUpdatedBy":674,"folders":793,"meta":794,"rev":440},1745009370904,"23eb48fb56d3451cab77cb6ed140ee6d","Attack path hardening",[684],{"@type":264,"property":265,"operator":266,"value":685},"/uc/attack-path-hardening",{"tsCode":37,"seoDescription":687,"jsCode":37,"customFonts":688,"fontAwesomeIcon":693,"seoTitle":682,"title":682,"blocks":694,"url":685,"state":786},"Harden access paths with visibility, detection, and 
guardrails.",[689],{"kind":273,"files":690,"version":274,"lastModified":275,"subsets":691,"menu":296,"category":295,"variants":692,"family":272},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"regular":290,"italic":289,"800italic":285,"500italic":292,"600italic":294,"200italic":291,"900italic":286,"700italic":287,"100italic":288,"300italic":293},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"faRadar",[695,781],{"@type":106,"@version":107,"tagName":323,"id":696,"meta":697,"children":698},"builder-1d8553eddcaa44d7bba9e2f4ca13af2a",{"previousId":577},[699,715,722,729,738,748,758,768,775],{"@type":106,"@version":107,"id":700,"meta":701,"component":702,"responsiveStyles":713},"builder-84fe3d7c85a743cf8cef649aa974f1ef",{"previousId":581},{"name":327,"options":703,"isRSC":118},{"title":682,"description":704,"points":705,"video":712},"\u003Cp>Push continuously monitors your environment for exposed login paths, weak credentials, and missing protections like MFA. 
It detects the gaps attackers exploit and helps you close them before they’re used.\u003C/p>",[706,708,710],{"item":707},"Find weak spots like reused passwords, local logins, and missing MFA",{"item":709},"Monitor how users actually log in across apps, flows, and tools",{"item":711},"Enforce secure access with in-browser guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fdbdcf52892034f1bbddded77f753a343%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=dbdcf52892034f1bbddded77f753a343&alt=media&optimized=true",{"large":714},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":716,"meta":717,"component":718,"responsiveStyles":720},"builder-b3f66f5b08054cc78a06fecfc3ae2337",{"previousId":597},{"name":346,"options":719,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":721},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":723,"meta":724,"component":725,"responsiveStyles":727},"builder-4c73418b84be49ed85e6e13d2625c5a0",{"previousId":604},{"name":354,"options":726,"isRSC":118},{"darkMode":41},{"large":728},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":730,"component":731,"responsiveStyles":736},"builder-dec0246085e1485c803f7152b1922a81",{"name":359,"tag":359,"options":732,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":733,"description":734,"image":735,"reverse":6},"\u003Ch2>Find the gaps that lead to compromise\u003C/h2>","\u003Cp>Misconfigurations don’t show up in your config files, they show up in how users actually access apps. 
Push monitors real login behavior in the browser, surfacing risky patterns like local login access, duplicate accounts, or missing protections that leave doors wide open.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F309a59bba8d247a19476bb369397460e",{"large":737},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":739,"meta":740,"component":741,"responsiveStyles":746},"builder-ebf049a645604a249550996a88f8f3b6",{"previousId":620},{"name":373,"options":742,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":743,"description":744,"reverse":41,"image":745},"\u003Ch2>See real login behavior\u003C/h2>","\u003Cp>Push watches authentication flows as they happen, giving you a live view of how users log in, which methods they choose, and where protections like MFA are missing. Plus, uncover every app and account in use, even shadow IT you didn’t know existed, without relying on stale config files or IdP assumptions. \u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb51f6b0357cc451b87a7a5016d984e5e",{"large":747},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":749,"meta":750,"component":751,"responsiveStyles":756},"builder-431d175c59004669b0b2776b07d71737",{"previousId":630},{"name":373,"options":752,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":753,"description":754,"reverse":6,"image":755},"\u003Ch2>Find and fix posture drift\u003C/h2>","\u003Cp>Security posture isn’t static. Push continuously monitors for issues like missing MFA or legacy login methods. 
When something falls out of policy, you know immediately with custom notifications so you can act before it turns into risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F324e39127dfc41e592b1183dfb39892d",{"large":757},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":759,"meta":760,"component":761,"responsiveStyles":766},"builder-3dffdcbe0a484e2ca4c03f019b6d40ee",{"previousId":640},{"name":373,"options":762,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":763,"description":764,"reverse":41,"image":765},"\u003Ch2>Guide users with in-browser guardrails\u003C/h2>","\u003Cp>Push doesn’t just surface problems, it helps you fix them. When users sign in without MFA, reuse a password, or use insecure credentials, Push prompts them directly in the browser to secure their access. It’s faster, more effective, and actually gets 
results.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fee8b75d13e45488aba55434a8b49ebb0",{"large":767},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":769,"meta":770,"component":771,"responsiveStyles":773},"builder-976bc222cd7647ff905f1e01cfedc453",{"previousId":650},{"name":354,"options":772,"isRSC":118},{"darkMode":6},{"large":774},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":776,"component":777,"responsiveStyles":779},"builder-8c47ec2fd0f74382bb3e6c870555632c",{"name":416,"tag":416,"options":778,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":780},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":782,"@type":106,"tagName":131,"properties":783,"responsiveStyles":784},"builder-pixel-7akm7dayau8",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":785},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":787},{"path":37,"query":788},{},{},1770892844854,1745499166112,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6ca12bf728a045f1a31d40c0beb3bfe5",[],{"kind":438,"lastPreviewUrl":795,"breakpoints":796,"hasLinks":6,"originalContentId":562,"winningTest":118,"hasAutosaves":6},"https://pushsecurity.com/uc/attack-path-hardening?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&buil
der.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.23eb48fb56d3451cab77cb6ed140ee6d=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.use-case-page:/uc/attack-path-hardening=23eb48fb56d3451cab77cb6ed140ee6d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":798,"id":799,"name":800,"modelId":261,"published":13,"query":801,"data":804,"variations":909,"lastUpdated":910,"firstPublished":911,"testRatio":33,"screenshot":912,"createdBy":34,"lastUpdatedBy":674,"folders":913,"meta":914,"rev":440},1761675020232,"ea4f309d2ffe46c5aa97ebf0fda4e2e3","ClickFix Protection",[802],{"@type":264,"property":265,"operator":266,"value":803},"/uc/clickfix-protection",{"seoDescription":805,"fontAwesomeIcon":806,"customFonts":807,"seoTitle":812,"jsCode":37,"tsCode":37,"title":812,"blocks":813,"url":803,"state":906},"Block attacks that trick users into running malicious code.","faLaptopCode",[808],{"files":809,"subsets":810,"menu":296,"version":274,"kind":273,"family":272,"lastModified":275,"variants":811,"category":295},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"200italic":291,"800italic":285,"700italic":287,"600italic":294,"100italic":288,"italic":289,"regular":290,"300italic":293,"500italic":292,"900italic":286},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"ClickFix 
protection",[814,901],{"@type":106,"@version":107,"tagName":323,"id":815,"meta":816,"children":817},"builder-d7eefdde0f2a4b2b9de3dcb2978fd6cb",{"previousId":696},[818,834,841,848,858,868,878,888,895],{"@type":106,"@version":107,"id":819,"meta":820,"component":821,"responsiveStyles":832},"builder-56e2c54bcce040a4af8b92ae03706c12",{"previousId":700},{"name":327,"options":822,"isRSC":118},{"title":812,"description":823,"points":824,"image":831},"\u003Cp>ClickFix attacks are one of the fastest-growing threats, tricking users into copying malicious code from a webpage and running it locally. This technique bypasses traditional EDR, email gateways, and network filters, leading directly to ransomware and data theft. Push stops this attack at the source, in the browser, by detecting and blocking the malicious behavior before the user can ever paste the code.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[825,827,829],{"item":826},"Detect ClickFix, FileFix, and fake CAPTCHA in the browser",{"item":828},"Block malicious copy-and-paste actions before code is executed",{"item":830},"See full telemetry into which users were targeted and what they 
saw","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b74af62889847ebb3927364485b0546",{"large":833},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":835,"meta":836,"component":837,"responsiveStyles":839},"builder-05f9614d4e3e4dc88b3ee8658f54e10e",{"previousId":716},{"name":346,"options":838,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":840},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":842,"meta":843,"component":844,"responsiveStyles":846},"builder-c4fb5179366243c1b6c32d368675cf47",{"previousId":723},{"name":354,"options":845,"isRSC":118},{"darkMode":41},{"large":847},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":849,"meta":850,"component":851,"responsiveStyles":856},"builder-261af50705fd445d8cca4a6ba20d5391",{"previousId":730},{"name":359,"tag":359,"options":852,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":853,"description":854,"reverse":6,"image":855},"\u003Ch2>Stop ClickFix-style attacks before they become a breach\u003C/h2>","\u003Cp>Traditional security tools are blind to malicious copy and paste attacks because the attack exploits a gap between the browser and the endpoint. 
EDR only sees the payload after it runs, and network tools see only part of the picture.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F98b2f7e08dec4eafaf8e24937605b8cf",{"large":857},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":859,"meta":860,"component":861,"responsiveStyles":866},"builder-7d21b8aab8064c40b1e5dd23c4749309",{"previousId":739},{"name":373,"options":862,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":863,"description":864,"reverse":41,"image":865},"\u003Ch2>Discover lures at the source\u003C/h2>","\u003Cp>Push inspects page behavior to identify ClickFix attacks as they happen. By inspecting the page, its structure, and how the user interacts with it, Push can detect and block these in-browser threats in real time. This deep, TTP-based inspection spots the trap even on novel pages that are built to bypass traditional web filters and blocklists.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F665bf47e01544c75bf9ddafd3917927b",{"large":867},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":869,"meta":870,"component":871,"responsiveStyles":876},"builder-fb91943adf6149259ed9e1e6566c9afe",{"previousId":749},{"name":373,"options":872,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":873,"description":874,"reverse":6,"image":875},"\u003Ch2>Block the malicious action\u003C/h2>","\u003Cp>When Push detects a malicious script, it intercepts the user's action and blocks the code from being copied to the clipboard. The user is protected, the attack is stopped, and no malicious code ever reaches the endpoint. 
Unlike broad DLP tools, this action is surgical, targeting only malicious behavior without disrupting normal work.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F5ee68f81f1ac416685cbfe91298cf827",{"large":877},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":879,"meta":880,"component":881,"responsiveStyles":886},"builder-bfac95fada864e5a8259b955b5b5f98b",{"previousId":759},{"name":373,"options":882,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":883,"description":884,"reverse":41,"image":885},"\u003Ch2>Accelerate ClickFix investigations\u003C/h2>","\u003Cp>When an attack happens, knowing what the user saw or did is critical. Push provides rich browser session data for rapid investigation and containment. Security teams get detailed telemetry on which users were targeted, what lure they were served, and when the block occurred. 
This enables defenders to reconstruct what happened and respond quickly, even when other tools miss the activity entirely.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6cdf2a8aeddc4e9a9023cbf974e40239",{"large":887},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":889,"meta":890,"component":891,"responsiveStyles":893},"builder-136892e831684a6987f87d3be67c33d1",{"previousId":769},{"name":354,"options":892,"isRSC":118},{"darkMode":6},{"large":894},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":896,"component":897,"responsiveStyles":899},"builder-dec26b739f2f42beb5a73cfc6c675b60",{"name":416,"tag":416,"options":898,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":900},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":902,"@type":106,"tagName":131,"properties":903,"responsiveStyles":904},"builder-pixel-zzjpxxgrc2l",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":905},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":907},{"path":37,"query":908},{},{},1770892881888,1761847585203,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F375467b8bef34ed1a8a1cc5b8b67d75f",[],{"lastPreviewUrl":915,"originalContentId":681,"winningTest":118,"hasLinks":6,"kind":438,"breakpoints":916,"hasAutosaves":6},"https://pushsecurity.com/uc/clickfix-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.u
ser.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.ea4f309d2ffe46c5aa97ebf0fda4e2e3=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.use-case-page:/uc/clickfix-protection=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":918,"id":919,"name":920,"modelId":261,"published":13,"query":921,"data":924,"variations":1029,"lastUpdated":1030,"firstPublished":1031,"testRatio":33,"screenshot":1032,"createdBy":34,"lastUpdatedBy":674,"folders":1033,"meta":1034,"rev":440},1745009743870,"a9d5556e77f84a37b5bd52310a7110c1","Incident response",[922],{"@type":264,"property":265,"operator":266,"value":923},"/uc/incident-response",{"seoDescription":925,"customFonts":926,"title":920,"jsCode":37,"fontAwesomeIcon":931,"seoTitle":932,"tsCode":37,"blocks":933,"url":923,"state":1026},"Investigate and respond faster with unique browser telemetry.",[927],{"kind":273,"subsets":928,"menu":296,"variants":929,"category":295,"family":272,"version":274,"lastModified":275,"files":930},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"900italic":286,"600italic":294,"200italic":291,"300italic":293,"100italic":288,"700italic":287,"800italic":285,"regular":290,"italic":289,"500italic":292},"faSatelliteDish","Browser-based incident 
response",[934,1021],{"@type":106,"@version":107,"tagName":323,"id":935,"meta":936,"children":937},"builder-653c4aed737b4def88dc4cd2d695660a",{"previousId":696},[938,955,962,969,978,988,998,1008,1015],{"@type":106,"@version":107,"id":939,"meta":940,"component":941,"responsiveStyles":953},"builder-18190bd36518467d9154d27d7e945b9b",{"previousId":700},{"name":327,"options":942,"isRSC":118},{"title":943,"description":944,"points":945,"video":952},"Browser-based incident response","\u003Cp>Push gives you real-time visibility into what actually happened during a breach, right in the browser where the attack played out. From credential theft to session hijacking, Push captures high-fidelity telemetry so you can investigate quickly, contain confidently, and shut it down before it spreads.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[946,948,950],{"item":947},"Reconstruct what happened with real browser session context",{"item":949},"Investigate faster with real-world session context",{"item":951},"Trigger response actions automatically through your SIEM or 
SOAR","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fd00e39d3b6e346c296261d875cf55652%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=d00e39d3b6e346c296261d875cf55652&alt=media&optimized=true",{"large":954},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":956,"meta":957,"component":958,"responsiveStyles":960},"builder-8a0a8ea63f5d48dd8a6726f2d49cf0ca",{"previousId":716},{"name":346,"options":959,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":961},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":963,"meta":964,"component":965,"responsiveStyles":967},"builder-2df65c3f54334df2b26e7cb744886cdc",{"previousId":723},{"name":354,"options":966,"isRSC":118},{"darkMode":41},{"large":968},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":970,"component":971,"responsiveStyles":976},"builder-2c32c869efc2423ab69ef06b150e9f97",{"name":359,"tag":359,"options":972,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":973,"description":974,"image":975,"reverse":6},"\u003Ch2>See attacks unfold, not just their aftermath\u003C/h2>","\u003Cp>Attacks happen in the browser, not in logs. Push captures what traditional tools miss: what users clicked, what loaded, what was entered, and how attackers moved. 
That gives you real-world evidence, not just assumptions, when every second matters.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F36fc719bd1de4a38b916f4d25c81a26d",{"large":977},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":979,"meta":980,"component":981,"responsiveStyles":986},"builder-370e53c6016e432db01e9193a2ce90f6",{"previousId":739},{"name":373,"options":982,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":983,"description":984,"reverse":41,"image":985},"\u003Ch2>Investigate faster with high-fidelity data\u003C/h2>","\u003Cp>Reconstructing an incident shouldn’t feel like guesswork. Push records detailed telemetry from inside the browser: page loads, credential inputs, DOM changes, session activity, user behavior. It’s structured, exportable, and ready to plug into your investigation workflows, so you can move fast without digging through proxy logs or relying on user reports.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa6adda040e684e67a8d68a55c5ce5f6d",{"large":987},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":989,"meta":990,"component":991,"responsiveStyles":996},"builder-a7f3767a8d184bd08fb24520bf210e95",{"previousId":749},{"name":373,"options":992,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":993,"description":994,"reverse":6,"image":995},"\u003Ch2>Contain and respond in real time\u003C/h2>","\u003Cp>When something looks off, Push doesn’t just alert you, it gives you options. Guide users with in-browser prompts. Terminate sessions. Trigger SOAR workflows. Enrich SIEM alerts. 
Push gives you the context and control to stop spread before it starts.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb3dedeed5aba4847a2c2d22e10d0ec12",{"large":997},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":999,"meta":1000,"component":1001,"responsiveStyles":1006},"builder-b92036ee0ece4b32acdbdcc7c377366b",{"previousId":759},{"name":373,"options":1002,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1003,"description":1004,"reverse":41,"image":1005},"\u003Ch2>Prevent the next one\u003C/h2>","\u003Cp>Push helps you respond fast, but it also helps you fix what went wrong. It surfaces misconfigurations and risky behaviors that made the attack possible in the first place, then guides users in-browser to remediate. One tool. Full loop. No loose ends.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc1ecc2d5d3814b62b072fac01827ff96",{"large":1007},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1009,"meta":1010,"component":1011,"responsiveStyles":1013},"builder-5e8ae39655274de89da32ab573a2525a",{"previousId":769},{"name":354,"options":1012,"isRSC":118},{"darkMode":6},{"large":1014},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1016,"component":1017,"responsiveStyles":1019},"builder-dfd6850cfb4741d2b8a0c16c2780f00a",{"name":416,"tag":416,"options":1018,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1020},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1022,"@type":106,"tagName":131,"properties":1023,"responsiveStyles":1024},"builder-pixel-z197gdgcmu",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"lar
ge":1025},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1027},{"path":37,"query":1028},{},{},1770892908052,1745427419274,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb07017bfd318431690a5bb35bda35b99",[],{"kind":438,"breakpoints":1035,"originalContentId":681,"winningTest":118,"lastPreviewUrl":1036,"hasLinks":6,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/incident-response?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.a9d5556e77f84a37b5bd52310a7110c1=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.use-case-page:/uc/incident-response=a9d5556e77f84a37b5bd52310a7110c1&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"createdDate":1038,"id":1039,"name":1040,"modelId":261,"published":13,"query":1041,"data":1044,"variations":1149,"lastUpdated":1150,"firstPublished":1151,"testRatio":33,"screenshot":1152,"createdBy":34,"lastUpdatedBy":674,"folders":1153,"meta":1154,"rev":440},1746122471259,"5f118e24433d46ceb79f5099987156d7","Shadow SaaS",[1042],{"@type":264,"property":265,"operator":266,"value":1043},"/uc/shadow-saas",{"seoTitle":1045,"seoDescription":1046,"customFonts":1047,"fontAwesomeIcon":1052,"title":1053,"jsCode":37,"tsCode":37,"blocks":1054,"url":1043,"state":1146},"Find and secure shadow SaaS","See and 
control shadow SaaS in the browser.",[1048],{"kind":273,"variants":1049,"files":1050,"family":272,"version":274,"subsets":1051,"lastModified":275,"category":295,"menu":296},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"300italic":293,"500italic":292,"regular":290,"900italic":286,"italic":289,"100italic":288,"200italic":291,"600italic":294,"700italic":287,"800italic":285},[298,299],"faShieldCheck","Secure shadow SaaS",[1055,1141],{"@type":106,"@version":107,"tagName":323,"id":1056,"meta":1057,"children":1058},"builder-04da805c4cd34652a2db452fcda52e1d",{"previousId":935},[1059,1075,1082,1089,1098,1108,1118,1128,1135],{"@type":106,"@version":107,"id":1060,"meta":1061,"component":1062,"responsiveStyles":1073},"builder-830d414faeaf41439142f9157e8288c8",{"previousId":939},{"name":327,"options":1063,"isRSC":118},{"title":1045,"description":1064,"points":1065,"video":1072},"\u003Cp>SaaS sprawl is one of today’s fastest-growing security blind spots because most tools monitor around the edges. Push sees it at the source, in the browser, revealing every app users access, flagging risky tools, and helping you shut down exposure before it leads to a breach. No guesswork. No nasty surprises. 
Just real-time visibility and control.\u003C/p>",[1066,1068,1070],{"item":1067},"Discover every SaaS app users access, managed or not",{"item":1069},"Spot accounts with weak security postures like missing MFA, unmanaged access, and no SSO",{"item":1071},"Control usage with in-browser prompts, blocks, and security guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F3e4eece318d04d6586e691d59d0741cf%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=3e4eece318d04d6586e691d59d0741cf&alt=media&optimized=true",{"large":1074},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":1076,"meta":1077,"component":1078,"responsiveStyles":1080},"builder-cd7833f966cb4c7e8adf0d6c979414a6",{"previousId":956},{"name":346,"options":1079,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":1081},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":1083,"meta":1084,"component":1085,"responsiveStyles":1087},"builder-49d720b45430454e8b08c526f267c19f",{"previousId":963},{"name":354,"options":1086,"isRSC":118},{"darkMode":41},{"large":1088},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1090,"component":1091,"responsiveStyles":1096},"builder-3dde0bf6c8544e5e9ab41b18a9d68034",{"name":359,"tag":359,"options":1092,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":1093,"description":1094,"image":1095,"reverse":6},"\u003Ch2>Use your browser to curb SaaS sprawl\u003C/h2>","\u003Cp>Shadow SaaS isn’t hiding in your network, it’s in your browser. From AI tools to unsanctioned file-sharing sites, security risks live in the apps your users sign into every day. 
Push maps your organization's true SaaS footprint in real time, exposing apps and accounts with unmanaged access, poor authentication, or no security oversight.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb6811a214c7949b6bbe0b9a3bca62efd",{"large":1097},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1099,"meta":1100,"component":1101,"responsiveStyles":1106},"builder-e2420451ccdc4f088d0a4904cff45935",{"previousId":979},{"name":373,"options":1102,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":1103,"description":1104,"reverse":41,"image":1105},"\u003Ch2>Discover hidden SaaS usage\u003C/h2>","\u003Cp>Push captures live browser telemetry across every tab and session. Whether a user signs into a sanctioned app with a personal account or tries a new AI plugin, you’ll see it in real time, with no integrations or manual tagging.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe16e301f9af94665b95d98232a863d8a",{"large":1107},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":1109,"meta":1110,"component":1111,"responsiveStyles":1116},"builder-b36de7fce7994beea9e58d94662e7166",{"previousId":989},{"name":373,"options":1112,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":1113,"description":1114,"reverse":6,"image":1115},"\u003Ch2>Spot risky access and unsafe usage\u003C/h2>","\u003Cp>Discovery is just the beginning. Push flags apps with risky traits, no MFA, no SSO, known vulnerabilities, or broad access scopes. 
You’ll know which tools introduce real risk, and which users are exposed so you can act with precision.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6585f3c242da4d70ae3cb7d02f481bef",{"large":1117},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":1119,"meta":1120,"component":1121,"responsiveStyles":1126},"builder-dc366b5134684fe7a508edf8913103ea",{"previousId":999},{"name":373,"options":1122,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1123,"description":1124,"reverse":41,"image":1125},"\u003Ch2>Close gaps before they grow\u003C/h2>","\u003Cp>Push turns insight into action. When risky SaaS use is detected, guide users to enable MFA, block high-risk apps, or apply in-browser guardrails automatically. All without deploying new infrastructure or managing dozens of integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe6d60b6d91414819bc6258a318f00557",{"large":1127},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1129,"meta":1130,"component":1131,"responsiveStyles":1133},"builder-8708f6f0d8da4b3f9e17bf16cda70219",{"previousId":1009},{"name":354,"options":1132,"isRSC":118},{"darkMode":6},{"large":1134},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1136,"component":1137,"responsiveStyles":1139},"builder-8ff4b38d60534cf28cb523ab0f754875",{"name":416,"tag":416,"options":1138,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1140},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1142,"@type":106,"tagName":131,"properties":1143,"responsiveStyles":1144},"builder-pixel-d1ul2kmxbed",{"src":133,"aria-hidden":134,"alt":37,"role":135,"w
idth":124,"height":124},{"large":1145},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1147},{"path":37,"query":1148},{},{},1770892936802,1746714967208,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01bfb2304521412fbd2e1a1180904d40",[],{"originalContentId":919,"winningTest":118,"lastPreviewUrl":1155,"breakpoints":1156,"kind":438,"hasLinks":6,"hasAutosaves":6},"https://pushsecurity.com/uc/shadow-saas?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=5f118e24433d46ceb79f5099987156d7&builder.overrides.5f118e24433d46ceb79f5099987156d7=5f118e24433d46ceb79f5099987156d7&builder.overrides.use-case-page:/uc/shadow-saas=5f118e24433d46ceb79f5099987156d7&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":1158,"id":1159,"name":1160,"modelId":261,"published":13,"query":1161,"data":1164,"variations":1268,"lastUpdated":1269,"firstPublished":1270,"testRatio":33,"screenshot":1271,"createdBy":34,"lastUpdatedBy":674,"folders":1272,"meta":1273,"rev":440},1764707470172,"b62629ce2f3741158d961cd10fe74b31","Shadow AI",[1162],{"@type":264,"property":265,"operator":266,"value":1163},"/uc/shadow-ai",{"fontAwesomeIcon":1165,"seoTitle":1166,"jsCode":37,"customFonts":1167,"title":1172,"tsCode":37,"seoDescription":1173,"blocks":1174,"url":1163,"state":1265},"faBrainCircuit","Secure AI 
native and AI enhanced apps. ",[1168],{"variants":1169,"category":295,"files":1170,"subsets":1171,"family":272,"kind":273,"menu":296,"lastModified":275,"version":274},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"800italic":285,"regular":290,"700italic":287,"200italic":291,"italic":289,"500italic":292,"600italic":294,"300italic":293,"100italic":288,"900italic":286},[298,299],"Secure shadow AI","See and control shadow AI apps in the browser.",[1175,1260],{"@type":106,"@version":107,"tagName":323,"id":1176,"meta":1177,"children":1178},"builder-a6e5717a2c914d5695058e4ee201a05d",{"previousId":1056},[1179,1195,1202,1209,1219,1228,1237,1247,1254],{"@type":106,"@version":107,"id":1180,"meta":1181,"component":1182,"responsiveStyles":1193},"builder-3e0ed678683f4a0eb7aa00253cf263b2",{"previousId":1060},{"name":327,"options":1183,"isRSC":118},{"title":1172,"description":1184,"points":1185,"image":1192},"\u003Cp>Your employees are adopting AI faster than you can track it. From native features in corporate apps to unapproved shadow tools, it’s all happening in the browser. 
Push detects every AI interaction in real time, letting you categorize apps and enforce acceptable use policies in the browser.\u003C/p>",[1186,1188,1190],{"item":1187},"Map every AI tool used across your workforce",{"item":1189},"Review and classify apps by sensitivity, purpose, and policy status",{"item":1191},"Enforce AI usage rules directly in the browser","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F33cf153d920f4e389f3650253577cff7",{"large":1194},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":1196,"meta":1197,"component":1198,"responsiveStyles":1200},"builder-76968f8471d14893b8189d75b08fb426",{"previousId":1076},{"name":346,"options":1199,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":1201},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":1203,"meta":1204,"component":1205,"responsiveStyles":1207},"builder-b55b9d4bc5a649d8839ce7f6c2043d95",{"previousId":1083},{"name":354,"options":1206,"isRSC":118},{"darkMode":41},{"large":1208},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1210,"meta":1211,"component":1212,"responsiveStyles":1217},"builder-c3f38ef4d75d4989a29b5903175ed8a1",{"previousId":1090},{"name":359,"tag":359,"options":1213,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":1214,"description":1215,"image":1216,"reverse":6},"\u003Ch2>Use your browser to govern AI \u003C/h2>","\u003Cp>The AI footprint inside your company is bigger than you think. From text generators to meeting assistants and design copilots, employees test, adopt, and connect new tools constantly. 
Push shows you those tools and which users are accessing them, without relying on network scans or API integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F30b43bda6f1644c19478fb1efa20050c",{"large":1218},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1220,"meta":1221,"component":1222,"responsiveStyles":1226},"builder-90ee9cb9afc44e7f885523715bf51a53",{"previousId":1099},{"name":373,"options":1223,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":1224,"description":1225,"reverse":41,"image":1115},"\u003Ch2>Discover every AI tool users touch\u003C/h2>","\u003Cp>Push captures live telemetry from the browser, identifying every AI-native and AI-enhanced application users access. You’ll know which corporate identities are connected, how data flows, and what new AI apps appear across your environment. \u003C/p>",{"large":1227},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":1229,"meta":1230,"component":1231,"responsiveStyles":1235},"builder-9e44539fa53c4d8e87406036c921fc46",{"previousId":1109},{"name":373,"options":1232,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":1233,"description":1234,"reverse":6,"image":1125},"\u003Ch2>Classify and manage AI risk\u003C/h2>","\u003Cp>For apps you choose to allow, Push lets you apply custom in-browser banners. You can bulk-select categories of AI tools and require users to read and acknowledge your acceptable use policy before they proceed. 
This creates an auditable trail and moves policy from an easy-to-forget document to an active, in-workflow control.\u003C/p>",{"large":1236},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":1238,"meta":1239,"component":1240,"responsiveStyles":1245},"builder-44c1a891926f4bdeaaa37e90721fe6ac",{"previousId":1119},{"name":373,"options":1241,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1242,"description":1243,"reverse":41,"image":1244},"\u003Ch2>Enforce your AI policy in the browser\u003C/h2>","\u003Cp>When an AI tool is deemed non-compliant or too risky, Push blocks it at the source. The block happens directly in the browser, preventing the user from accessing the site or submitting data. This gives you an immediate, powerful lever to stop data exfiltration and enforce a hard line on unacceptable risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa359ac1805af4e15a8a7f84632b9bb55",{"large":1246},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1248,"meta":1249,"component":1250,"responsiveStyles":1252},"builder-dcc906f9cbe54dc68b3c672668e7a38f",{"previousId":1129},{"name":354,"options":1251,"isRSC":118},{"darkMode":6},{"large":1253},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1255,"component":1256,"responsiveStyles":1258},"builder-d2d64780c31b4349bc75805b23a07e38",{"name":416,"tag":416,"options":1257,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1259},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1261,"@type":106,"tagName":131,"properties":1262,"responsiveStyles":1263},"builder-pixel-wxx9tk70r9p",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124
},{"large":1264},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1266},{"path":37,"query":1267},{},{},1770892957225,1764950077593,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe558b8b069884037a8e6904f7ecc029c",[],{"winningTest":118,"breakpoints":1274,"originalContentId":1039,"kind":438,"lastPreviewUrl":1275,"hasLinks":6,"hasAutosaves":41},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/shadow-ai?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=b62629ce2f3741158d961cd10fe74b31&builder.overrides.b62629ce2f3741158d961cd10fe74b31=b62629ce2f3741158d961cd10fe74b31&builder.overrides.use-case-page:/uc/shadow-ai=b62629ce2f3741158d961cd10fe74b31&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"_path":1277,"_dir":1278,"_draft":6,"_partial":6,"_locale":37,"sys":1279,"ogImage":118,"summary":1282,"title":1296,"subtitle":118,"metaTitle":1297,"synopsis":1298,"hashTags":118,"publishedDate":1299,"slug":1300,"tagsCollection":1301,"relatedBlogPostsCollection":1311,"authorsCollection":3526,"content":3530,"_id":4084,"_type":4085,"_source":4086,"_file":4087,"_stem":4088,"_extension":4085},"/blog/how-cyber-breaches-are-driving-tighter-mfa-requirements-and-enforcement","blog",{"id":1280,"publishedAt":1281},"3YXrPQptEX3P0Hrd550its","2025-09-19T08:25:14.165Z",{"json":1283},{"data":1284,"content":1285,"nodeType"
:1295},{},[1286],{"data":1287,"content":1288,"nodeType":1294},{},[1289],{"data":1290,"marks":1291,"value":1292,"nodeType":1293},{},[],"MFA regulators, insurers, and policy-makers are getting tighter on their MFA requirements, fuelled by public cyber breaches. Here's what security teams need to know about the current regulatory and insurance landscape — and how the evolution of attacks is likely to influence the future of requirements.","text","paragraph","document","How cyber breaches are driving tighter MFA requirements and enforcement","How cyber breaches are driving tighter MFA requirements","MFA regulators, insurers, and policy-makers are getting tighter on their MFA requirements, fuelled by public cyber breaches. ","2025-09-19T00:00:00.000Z","how-cyber-breaches-are-driving-tighter-mfa-requirements-and-enforcement",{"items":1302},[1303,1307],{"sys":1304,"name":1306},{"id":1305},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"sys":1308,"name":1310},{"id":1309},"3pjES4THCIfSAwhGdNwBcy","Identity security",{"items":1312},[1313,2002,2815],{"__typename":1314,"sys":1315,"content":1317,"title":1982,"synopsis":1983,"hashTags":118,"publishedDate":1984,"slug":1985,"tagsCollection":1986,"authorsCollection":1994},"BlogPosts",{"id":1316},"62Zyr35VUmijkpupWk3hoD",{"json":1318},{"data":1319,"content":1320,"nodeType":1295},{},[1321,1337,1344,1348,1358,1365,1372,1394,1403,1410,1417,1424,1431,1434,1442,1449,1455,1462,1471,1478,1485,1491,1511,1517,1524,1531,1538,1544,1547,1555,1575,1582,1615,1622,1629,1635,1642,1649,1656,1659,1667,1686,1692,1699,1706,1712,1719,1726,1729,1737,1744,1764,1809,1816,1823,1830,1833,1841,1848,1855,1862,1865,1873,1880,1911,1931,1938,1941,1949,1956,1963],{"data":1322,"content":1323,"nodeType":1294},{},[1324,1328,1333],{"data":1325,"marks":1326,"value":1327,"nodeType":1293},{},[],"The view that \"the browser is the new endpoint\" and \"the new battleground for cyber attacks\" is becoming increasingly advocated by security leaders. 
But what does this ",{"data":1329,"marks":1330,"value":1332,"nodeType":1293},{},[1331],{"type":312},"actually",{"data":1334,"marks":1335,"value":1336,"nodeType":1293},{},[]," mean for security teams? ",{"data":1338,"content":1339,"nodeType":1294},{},[1340],{"data":1341,"marks":1342,"value":1343,"nodeType":1293},{},[],"In this article, we’re cutting out the jargon to explore what a browser-based attack is, and what’s required for effective detection and response. ",{"data":1345,"content":1346,"nodeType":1347},{},[],"hr",{"data":1349,"content":1350,"nodeType":1357},{},[1351],{"data":1352,"marks":1353,"value":1356,"nodeType":1293},{},[1354],{"type":1355},"bold","What is the goal of a browser-based attack?   ","heading-1",{"data":1359,"content":1360,"nodeType":1294},{},[1361],{"data":1362,"marks":1363,"value":1364,"nodeType":1293},{},[],"First, it’s important to establish what the point of a browser-based attack is.",{"data":1366,"content":1367,"nodeType":1294},{},[1368],{"data":1369,"marks":1370,"value":1371,"nodeType":1293},{},[],"In most scenarios, attackers don’t think of themselves as attacking your web browser. Their end-goal is to compromise your business apps and data. That means going after the third-party apps and services that are now the backbone of business IT — and therefore the top target for attackers. ",{"data":1373,"content":1374,"nodeType":1294},{},[1375,1379,1390],{"data":1376,"marks":1377,"value":1378,"nodeType":1293},{},[],"The most common attack path today sees attackers log into third-party services, dump the data, and monetize it through extortion. 
You need only look at last year’s ",{"data":1380,"content":1382,"nodeType":1389},{"uri":1381},"https://pushsecurity.com/blog/snowflake-retro?utm_source=bleeping-computer&utm_medium=sponsored-content&utm_term=article",[1383],{"data":1384,"marks":1385,"value":1388,"nodeType":1293},{},[1386],{"type":1387},"underline","Snowflake","hyperlink",{"data":1391,"marks":1392,"value":1393,"nodeType":1293},{},[]," customer breaches or the still-ongoing Salesforce attacks to see the impact.",{"data":1395,"content":1401,"nodeType":1402},{"target":1396},{"sys":1397},{"id":1398,"type":1399,"linkType":1400},"5agrVXzEdwALmew2F5SPDp","Link","Entry",[],"embedded-entry-block",{"data":1404,"content":1405,"nodeType":1294},{},[1406],{"data":1407,"marks":1408,"value":1409,"nodeType":1293},{},[],"The most logical way to do this is by targeting users of those apps. And because of the changes to working practices, your users are more accessible than ever to external attackers.",{"data":1411,"content":1412,"nodeType":1294},{},[1413],{"data":1414,"marks":1415,"value":1416,"nodeType":1293},{},[],"Once upon a time, email was the primary communication channel with the wider world, and work happened locally — on your device, and inside your locked-down network environment. This made email and the endpoint the highest priority from a security perspective. But now, with modern work happening across a network of decentralized internet apps, and more varied communication channels outside of email, it’s harder to stop users from interacting with malicious content (at least, without significantly impeding their ability to do their jobs).",{"data":1418,"content":1419,"nodeType":1294},{},[1420],{"data":1421,"marks":1422,"value":1423,"nodeType":1293},{},[],"Given that the browser is the place where business apps are accessed and used, it makes sense that attacks are increasingly playing out there too. 
",{"data":1425,"content":1426,"nodeType":1294},{},[1427],{"data":1428,"marks":1429,"value":1430,"nodeType":1293},{},[],"With that covered off, let’s take a closer look at the most prevalent browser-based attack techniques being used by attackers in the wild today.",{"data":1432,"content":1433,"nodeType":1347},{},[],{"data":1435,"content":1436,"nodeType":1357},{},[1437],{"data":1438,"marks":1439,"value":1441,"nodeType":1293},{},[1440],{"type":1355},"The 6 key browser-based attacks that security teams need to know about",{"data":1443,"content":1444,"nodeType":1294},{},[1445],{"data":1446,"marks":1447,"value":1448,"nodeType":1293},{},[],"Attacks that target users in their web browsers have seen an unprecedented rise in recent years. ",{"data":1450,"content":1454,"nodeType":1402},{"target":1451},{"sys":1452},{"id":1453,"type":1399,"linkType":1400},"4ogNqZdObSIJXavHP44lom",[],{"data":1456,"content":1457,"nodeType":1294},{},[1458],{"data":1459,"marks":1460,"value":1461,"nodeType":1293},{},[],"Here's our breakdown of the top 6 browser-based attacks that should be on every security team's radar right now. ",{"data":1463,"content":1464,"nodeType":1470},{},[1465],{"data":1466,"marks":1467,"value":1469,"nodeType":1293},{},[1468],{"type":1355},"1. Phishing for credentials and sessions","heading-2",{"data":1472,"content":1473,"nodeType":1294},{},[1474],{"data":1475,"marks":1476,"value":1477,"nodeType":1293},{},[],"The most direct way for an attacker to compromise a business application is to phish a user of that app. You might not necessarily think of phishing as a browser-based attack, but that’s exactly what it is today. ",{"data":1479,"content":1480,"nodeType":1294},{},[1481],{"data":1482,"marks":1483,"value":1484,"nodeType":1293},{},[],"Phishing tooling and infrastructure has evolved a lot in the past decade, while the changes to business IT means there are both many more vectors for phishing attack delivery, and apps and identities to target. 
Attackers can deliver links over instant messenger apps, social media, SMS, malicious ads, and using in-app messenger functionality, as well as sending emails directly from SaaS services to bypass email-based checks. Likewise, there are now hundreds of apps per enterprise to target, with varying levels of account security configuration. ",{"data":1486,"content":1490,"nodeType":1402},{"target":1487},{"sys":1488},{"id":1489,"type":1399,"linkType":1400},"3SrKOgpedLMQRpKIZqUQur",[],{"data":1492,"content":1493,"nodeType":1294},{},[1494,1498,1507],{"data":1495,"marks":1496,"value":1497,"nodeType":1293},{},[],"Whereas phishing was once entirely focused on credential theft, modern phishing attacks see the attacker intercept the victim’s session on the target app, using reverse-proxy Attacker-in-the-Middle kits that are the standard choice for attackers today. This means most forms of MFA can be bypassed, with the exception of passkeys (though attackers are finding ways to work around passkeys using ",{"data":1499,"content":1501,"nodeType":1389},{"uri":1500},"https://pushsecurity.com/blog/mfa-downgrade-attacks/?utm_source=bleeping-computer&utm_medium=sponsored-content&utm_term=article",[1502],{"data":1503,"marks":1504,"value":1506,"nodeType":1293},{},[1505],{"type":1387},"downgrade attacks",{"data":1508,"marks":1509,"value":1510,"nodeType":1293},{},[],"). ",{"data":1512,"content":1516,"nodeType":1402},{"target":1513},{"sys":1514},{"id":1515,"type":1399,"linkType":1400},"2sOFEdAwQZjWOGzNAlGavb",[],{"data":1518,"content":1519,"nodeType":1294},{},[1520],{"data":1521,"marks":1522,"value":1523,"nodeType":1293},{},[],"There are other key differences to be aware of too. Today, phishing operates on an industrial scale, using an array of obfuscation and detection evasion techniques. The latest generation of fully customized AitM phishing kits are dynamically obfuscating the code that loads the web page, implementing custom bot protection (e.g. 
CAPTCHA or Cloudflare Turnstile), using runtime anti-analysis features, and using legitimate SaaS and cloud services to host and deliver phishing links to cover their tracks.",{"data":1525,"content":1526,"nodeType":1294},{},[1527],{"data":1528,"marks":1529,"value":1530,"nodeType":1293},{},[],"This means that traditional anti-phishing tools at the email and network layer are struggling to keep up, with many attacks evading email-based detections (or bypassing email altogether). At the same time, proxy-based solutions now see a garbled mess of JavaScript code without the necessary context of what is actually happening in the browser to be able to piece it together effectively. Even if they don’t realize it, this means many organizations are now relying solely on blocking known-bad sites and hosts — a wildly ineffective solution in 2025 with the rate that attackers refresh and rotate their phishing infrastructure. ",{"data":1532,"content":1533,"nodeType":1294},{},[1534],{"data":1535,"marks":1536,"value":1537,"nodeType":1293},{},[],"These changes make phishing more effective than ever, and increasingly difficult to detect and block without being able to observe and analyze web pages that a user interacts with in real time — something only possible with browser-level visibility. ",{"data":1539,"content":1543,"nodeType":1402},{"target":1540},{"sys":1541},{"id":1542,"type":1399,"linkType":1400},"1II2kHyOZcShLsexx1TAgy",[],{"data":1545,"content":1546,"nodeType":1347},{},[],{"data":1548,"content":1549,"nodeType":1470},{},[1550],{"data":1551,"marks":1552,"value":1554,"nodeType":1293},{},[1553],{"type":1355},"2. Malicious copy and paste (aka. 
ClickFix, FileFix, etc.)",{"data":1556,"content":1557,"nodeType":1294},{},[1558,1562,1571],{"data":1559,"marks":1560,"value":1561,"nodeType":1293},{},[],"One of the biggest security trends in the past year has been the emergence of the attack technique known as ",{"data":1563,"content":1565,"nodeType":1389},{"uri":1564},"https://www.microsoft.com/en-us/security/blog/2025/08/21/think-before-you-clickfix-analyzing-the-clickfix-social-engineering-technique/",[1566],{"data":1567,"marks":1568,"value":1570,"nodeType":1293},{},[1569],{"type":1387},"ClickFix",{"data":1572,"marks":1573,"value":1574,"nodeType":1293},{},[],". ",{"data":1576,"content":1577,"nodeType":1294},{},[1578],{"data":1579,"marks":1580,"value":1581,"nodeType":1293},{},[],"Originally known as “Fake CAPTCHA”, these attacks attempt to trick users into running malicious commands on their device — typically by solving some form of verification challenge in the browser. ",{"data":1583,"content":1584,"nodeType":1294},{},[1585,1589,1598,1602,1611],{"data":1586,"marks":1587,"value":1588,"nodeType":1293},{},[],"In reality, by solving the challenge, the victim is actually copying malicious code from the page clipboard and running it on their device. It typically gives the victim instructions that involve clicking prompts and copying, pasting, and running commands directly in the Windows Run dialog box, Terminal, or PowerShell. 
Variants such as ",{"data":1590,"content":1592,"nodeType":1389},{"uri":1591},"https://mrd0x.com/filefix-clickfix-alternative/",[1593],{"data":1594,"marks":1595,"value":1597,"nodeType":1293},{},[1596],{"type":1387},"FileFix",{"data":1599,"marks":1600,"value":1601,"nodeType":1293},{},[]," have also emerged which instead use the File Explorer Address Bar to execute OS commands, while recent examples have seen this attack branch out to ",{"data":1603,"content":1605,"nodeType":1389},{"uri":1604},"https://www.bleepingcomputer.com/news/security/fake-mac-fixes-trick-users-into-installing-new-shamos-infostealer/",[1606],{"data":1607,"marks":1608,"value":1610,"nodeType":1293},{},[1609],{"type":1387},"Mac via the macOS terminal",{"data":1612,"marks":1613,"value":1614,"nodeType":1293},{},[],".",{"data":1616,"content":1617,"nodeType":1294},{},[1618],{"data":1619,"marks":1620,"value":1621,"nodeType":1293},{},[],"Most commonly, these attacks are used to deliver infostealer malware, using stolen session cookies and credentials to access business apps and services. ",{"data":1623,"content":1624,"nodeType":1294},{},[1625],{"data":1626,"marks":1627,"value":1628,"nodeType":1293},{},[],"Like modern credential and session phishing, links to malicious pages are distributed over various delivery channels and using a variety of lures, including impersonating CAPTCHA, Cloudflare Turnstile, simulating an error loading a webpage, and many more. ",{"data":1630,"content":1634,"nodeType":1402},{"target":1631},{"sys":1632},{"id":1633,"type":1399,"linkType":1400},"6O9YiOfhpGFCDsTil9F3On",[],{"data":1636,"content":1637,"nodeType":1294},{},[1638],{"data":1639,"marks":1640,"value":1641,"nodeType":1293},{},[],"The variance in lure, and differences between different versions of the same lure, can make it difficult to fingerprint and detect based on visual elements alone. 
Also, many of the same protections being used to obfuscate and prevent analysis of phishing pages also apply to ClickFix pages, making it equally challenging to detect and block them. ",{"data":1643,"content":1644,"nodeType":1294},{},[1645],{"data":1646,"marks":1647,"value":1648,"nodeType":1293},{},[],"This leaves most of the detection and blocking down to endpoint-layer controls around user-level code execution and malware running on a device. The quantity of ClickFix-related headlines in the news would indicate that endpoint controls are being routinely bypassed, or perhaps evaded altogether by targeting personal or BYOD devices. ",{"data":1650,"content":1651,"nodeType":1294},{},[1652],{"data":1653,"marks":1654,"value":1655,"nodeType":1293},{},[],"There is a significant opportunity to detect these attacks in the browser and stop them at the earliest opportunity, before they reach the endpoint. Every ClickFix attack and variant has a key action in common — malicious code is copied from the page’s clipboard. In some cases, this happens without any user interaction (where the only requirement on the user is to run code that has been silently copied behind the scenes), presenting a strong indicator of malicious behavior that can be observed in the browser. ",{"data":1657,"content":1658,"nodeType":1347},{},[],{"data":1660,"content":1661,"nodeType":1470},{},[1662],{"data":1663,"marks":1664,"value":1666,"nodeType":1293},{},[1665],{"type":1355},"3. Malicious OAuth integrations",{"data":1668,"content":1669,"nodeType":1294},{},[1670,1674,1682],{"data":1671,"marks":1672,"value":1673,"nodeType":1293},{},[],"Malicious OAuth integrations are another way for attackers to compromise an app by tricking a user into authorizing an integration with a malicious, attacker-controlled app, with the level of data access and functionality dictated by the scopes authorized in the request. 
This is also known as ",{"data":1675,"content":1677,"nodeType":1389},{"uri":1676},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/consent_phishing/description.md",[1678],{"data":1679,"marks":1680,"value":1681,"nodeType":1293},{},[],"consent phishing",{"data":1683,"marks":1684,"value":1685,"nodeType":1293},{},[],". ",{"data":1687,"content":1691,"nodeType":1402},{"target":1688},{"sys":1689},{"id":1690,"type":1399,"linkType":1400},"5JaP4WSfFsFSbvaa9BQBOq",[],{"data":1693,"content":1694,"nodeType":1294},{},[1695],{"data":1696,"marks":1697,"value":1698,"nodeType":1293},{},[],"This is an effective way for attackers to bypass hardened authentication and access controls by sidestepping the typical login process to take over an account and compromise business apps. Even phishing-resistant MFA methods like passkeys offer no protection here, because an OAuth grant is approved inside an already-authenticated session and the standard login process does not apply. ",{"data":1700,"content":1701,"nodeType":1294},{},[1702],{"data":1703,"marks":1704,"value":1705,"nodeType":1293},{},[],"A variant of this attack has dominated the headlines recently with the ongoing Salesforce breaches. In this scenario, the attacker tricked the victim into authorizing an attacker-controlled OAuth app via the device code authorization flow in Salesforce, which requires the user to enter an 8-digit code in place of a password or MFA factor.",{"data":1707,"content":1711,"nodeType":1402},{"target":1708},{"sys":1709},{"id":1710,"type":1399,"linkType":1400},"3odEFcUcpKN553gHh2P5yr",[],{"data":1713,"content":1714,"nodeType":1294},{},[1715],{"data":1716,"marks":1717,"value":1718,"nodeType":1293},{},[],"Preventing malicious OAuth grants being authorized requires tight in-app management of user permissions and tenant security settings. This is no mean feat when considering the 100s of apps in use across the modern enterprise, many of which are not centrally managed by IT and security teams (or in some cases, are completely unknown to them). 
Even then, you’re limited by the controls made available by the app vendor. In this case, Salesforce has announced planned changes to OAuth app authorization in order to improve security prompted by these attacks — but many more apps with insecure configs exist for attackers to take advantage of in future. ",{"data":1720,"content":1721,"nodeType":1294},{},[1722],{"data":1723,"marks":1724,"value":1725,"nodeType":1293},{},[],"However, unlike app-specific integrations, browser-based security tools are well positioned to observe OAuth grants across all apps accessed in the browser — even the ones the security team doesn’t manage or know about, or without needing to pay for the app’s special security add-on to get visibility.",{"data":1727,"content":1728,"nodeType":1347},{},[],{"data":1730,"content":1731,"nodeType":1470},{},[1732],{"data":1733,"marks":1734,"value":1736,"nodeType":1293},{},[1735],{"type":1355},"4. Malicious browser extensions",{"data":1738,"content":1739,"nodeType":1294},{},[1740],{"data":1741,"marks":1742,"value":1743,"nodeType":1293},{},[],"Malicious browser extensions are another way for attackers to compromise your business apps by observing and capturing logins as they happen, and/or extracting session cookies and credentials saved in the browser cache and password manager. 
",{"data":1745,"content":1746,"nodeType":1294},{},[1747,1751,1760],{"data":1748,"marks":1749,"value":1750,"nodeType":1293},{},[],"Attackers do this by creating their own malicious extension and tricking your users into installing it, or taking over an existing extension to gain access to browsers where it is already installed (",{"data":1752,"content":1754,"nodeType":1389},{"uri":1753},"https://secureannex.com/blog/buying-browser-extensions/",[1755],{"data":1756,"marks":1757,"value":1759,"nodeType":1293},{},[1758],{"type":1387},"it’s very easy for attackers to buy and add malicious updates to existing extensions",{"data":1761,"marks":1762,"value":1763,"nodeType":1293},{},[],", easily passing extension web store security checks). ",{"data":1765,"content":1766,"nodeType":1294},{},[1767,1771,1780,1784,1793,1797,1806],{"data":1768,"marks":1769,"value":1770,"nodeType":1293},{},[],"The news around extension-based compromises has been on the rise since the ",{"data":1772,"content":1774,"nodeType":1389},{"uri":1773},"https://www.bleepingcomputer.com/news/security/new-details-reveal-how-hackers-hijacked-35-google-chrome-extensions/",[1775],{"data":1776,"marks":1777,"value":1779,"nodeType":1293},{},[1778],{"type":1387},"Cyberhaven extension",{"data":1781,"marks":1782,"value":1783,"nodeType":1293},{},[]," was hacked in December 2024, along with at least 35 other extensions. 
Since then, there has been regular reporting on data-stealing extensions ",{"data":1785,"content":1787,"nodeType":1389},{"uri":1786},"https://www.bleepingcomputer.com/news/security/data-stealing-chrome-extensions-impersonate-fortinet-youtube-vpns/",[1788],{"data":1789,"marks":1790,"value":1792,"nodeType":1293},{},[1791],{"type":1387},"impersonating legitimate brands",{"data":1794,"marks":1795,"value":1796,"nodeType":1293},{},[],", and ",{"data":1798,"content":1800,"nodeType":1389},{"uri":1799},"https://www.bleepingcomputer.com/news/security/chrome-extensions-with-6-million-installs-have-hidden-tracking-code/",[1801],{"data":1802,"marks":1803,"value":1805,"nodeType":1293},{},[1804],{"type":1387},"impacting millions of users",{"data":1807,"marks":1808,"value":1614,"nodeType":1293},{},[],{"data":1810,"content":1811,"nodeType":1294},{},[1812],{"data":1813,"marks":1814,"value":1815,"nodeType":1293},{},[],"Risky browser extension permissions include broad data access, the ability to modify website content, track user activity, capture screenshots, and manage tabs or network requests. Permissions like \"read and change all data on all websites\" or access to cookies and browsing history are particularly dangerous as they can be exploited for session hijacking, data theft, malware injection, or phishing.",{"data":1817,"content":1818,"nodeType":1294},{},[1819],{"data":1820,"marks":1821,"value":1822,"nodeType":1293},{},[],"Generally, your employees should not be randomly installing browser extensions unless pre-approved by your security team. The reality, however, is that many organizations have very little visibility of the extensions their employees are using, and the potential risk they’re exposed to as a result. 
",{"data":1824,"content":1825,"nodeType":1294},{},[1826],{"data":1827,"marks":1828,"value":1829,"nodeType":1293},{},[],"To tackle malicious extensions, security tools operating in the browser can track the browser extensions deployed, highlight risky permissions, compare with known-malicious extensions, identify fraudulent/unofficial versions of a legitimate extension, and highlight other risky properties commonly associated with malicious extensions (e.g. “Developer” extensions). ",{"data":1831,"content":1832,"nodeType":1347},{},[],{"data":1834,"content":1835,"nodeType":1470},{},[1836],{"data":1837,"marks":1838,"value":1840,"nodeType":1293},{},[1839],{"type":1355},"5. Malicious file delivery",{"data":1842,"content":1843,"nodeType":1294},{},[1844],{"data":1845,"marks":1846,"value":1847,"nodeType":1293},{},[],"Malicious files have been a core part of malware delivery and credential theft for many years. Just as non-email channels like malvertising and drive-by attacks are used to deliver phishing and ClickFix lures, malicious files are also distributed through similar means — leaving malicious file detection to basic known-bad checks, sandbox analysis using a proxy (not that useful in the context of sandbox-aware malware) or runtime analysis on the endpoint. ",{"data":1849,"content":1850,"nodeType":1294},{},[1851],{"data":1852,"marks":1853,"value":1854,"nodeType":1293},{},[],"This doesn’t just have to be malicious executables directly dropping malware onto the device. File downloads can also contain additional links taking the user to malicious content. In fact, one of the most common types of downloadable content are HTML Applications (HTAs), commonly used to spawn local phishing pages to stealthily capture credentials. More recently, attackers have been weaponizing SVG files for a similar purpose, running as self-contained phishing pages that render fake login portals entirely client-side. 
",{"data":1856,"content":1857,"nodeType":1294},{},[1858],{"data":1859,"marks":1860,"value":1861,"nodeType":1293},{},[],"Even if malicious content cannot always be flagged from surface-level inspection of a file, recording file downloads in the browser is a useful addition to endpoint-based malware protection, and provides another layer of defense against file downloads that perform client-side attacks, or redirect the user to malicious web-based content. ",{"data":1863,"content":1864,"nodeType":1347},{},[],{"data":1866,"content":1867,"nodeType":1470},{},[1868],{"data":1869,"marks":1870,"value":1872,"nodeType":1293},{},[1871],{"type":1355},"6. Stolen credentials and MFA gaps",{"data":1874,"content":1875,"nodeType":1294},{},[1876],{"data":1877,"marks":1878,"value":1879,"nodeType":1293},{},[],"This last one isn’t so much a browser-based attack, but it is a product of them. When credentials are stolen through phishing or infostealer malware they can be used to take over accounts missing MFA. ",{"data":1881,"content":1882,"nodeType":1294},{},[1883,1887,1894,1898,1907],{"data":1884,"marks":1885,"value":1886,"nodeType":1293},{},[],"This isn’t the most sophisticated attack, but it’s very effective. You need only look at last year’s ",{"data":1888,"content":1889,"nodeType":1389},{"uri":1381},[1890],{"data":1891,"marks":1892,"value":1388,"nodeType":1293},{},[1893],{"type":1387},{"data":1895,"marks":1896,"value":1897,"nodeType":1293},{},[]," account compromises or the ",{"data":1899,"content":1901,"nodeType":1389},{"uri":1900},"https://pushsecurity.com/blog/why-attackers-are-targeting-jira-with-stolen-credentials?utm_source=bleeping-computer&utm_medium=sponsored-content&utm_term=article",[1902],{"data":1903,"marks":1904,"value":1906,"nodeType":1293},{},[1905],{"type":1387},"Jira",{"data":1908,"marks":1909,"value":1910,"nodeType":1293},{},[]," attacks earlier this year to see how attackers harness stolen credentials at scale. 
",{"data":1912,"content":1913,"nodeType":1294},{},[1914,1918,1927],{"data":1915,"marks":1916,"value":1917,"nodeType":1293},{},[],"With the modern enterprise using hundreds of apps, the likelihood that an app hasn’t been configured for mandatory MFA (if possible) is high. And even when an app has been configured for SSO and connected to your primary corporate identity, ",{"data":1919,"content":1921,"nodeType":1389},{"uri":1920},"https://pushsecurity.com/blog/how-many-vulnerable-identities-do-you-have/?utm_source=bleeping-computer&utm_medium=sponsored-content&utm_term=sidebar",[1922],{"data":1923,"marks":1924,"value":1926,"nodeType":1293},{},[1925],{"type":1387},"local “ghost logins” can continue to exist",{"data":1928,"marks":1929,"value":1930,"nodeType":1293},{},[],", accepting passwords with no MFA required. Just having visibility of your primary Identity Provider accounts (e.g. Google, Microsoft, Okta) and SSO-connected apps doesn't give you a full picture of your identity surface.",{"data":1932,"content":1933,"nodeType":1294},{},[1934],{"data":1935,"marks":1936,"value":1937,"nodeType":1293},{},[],"Logins can also be observed in the browser — in fact, it’s as close to a universal source of truth as you’re going to get about how your employees are actually logging in, which apps they’re using, and whether MFA is present, enabling security teams to find and fix vulnerable logins before they can be exploited by attackers. ",{"data":1939,"content":1940,"nodeType":1347},{},[],{"data":1942,"content":1943,"nodeType":1357},{},[1944],{"data":1945,"marks":1946,"value":1948,"nodeType":1293},{},[1947],{"type":1355},"Conclusion",{"data":1950,"content":1951,"nodeType":1294},{},[1952],{"data":1953,"marks":1954,"value":1955,"nodeType":1293},{},[],"Attacks are increasingly happening in the browser. That makes it the perfect place to detect and respond to these attacks. But right now, the browser is a blind-spot for most security teams. 
",{"data":1957,"content":1958,"nodeType":1294},{},[1959],{"data":1960,"marks":1961,"value":1962,"nodeType":1293},{},[],"Push Security’s browser-based security platform provides comprehensive detection and response capabilities against the leading cause of breaches. Push blocks browser-based attacks like AiTM phishing, credential stuffing, password spraying and session hijacking using stolen session tokens. You can also use Push to find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, risky OAuth integrations, and more to harden your identity attack surface.",{"data":1964,"content":1965,"nodeType":1294},{},[1966,1970,1979],{"data":1967,"marks":1968,"value":1969,"nodeType":1293},{},[],"If you want to learn more about how Push helps you to detect and stop attacks in the browser, ",{"data":1971,"content":1973,"nodeType":1389},{"uri":1972},"https://pushsecurity.com/demo?utm_source=bleeping-computer&utm_medium=sponsored-content&utm_term=article",[1974],{"data":1975,"marks":1976,"value":1978,"nodeType":1293},{},[1977],{"type":1387},"book some time with one of our team for a live demo",{"data":1980,"marks":1981,"value":1614,"nodeType":1293},{},[],"6 browser-based attacks every security team should be prepared for","What security teams need to know about the browser-based attack techniques that are the leading cause of breaches.","2025-09-05T00:00:00.000Z","6-browser-based-attacks-every-security-team-should-be-prepared-for",{"items":1987},[1988,1990],{"sys":1989,"name":1306},{"id":1305},{"sys":1991,"name":1993},{"id":1992},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"items":1995},[1996],{"fullName":1997,"firstName":1998,"jobTitle":1999,"profilePicture":2000},"Dan Green","Dan","Threat 
Research",{"url":2001},"https://images.ctfassets.net/y1cdw1ablpvd/7jik1VhFgA3kgzXBXTm2Vw/fcd8c171da644903d0827eafcfbcaad0/Dan_Headshot_2025.png",{"__typename":1314,"sys":2003,"content":2005,"title":2803,"synopsis":2804,"hashTags":118,"publishedDate":2805,"slug":2806,"tagsCollection":2807,"authorsCollection":2811},{"id":2004},"PAPJPr3CIB6J20udYyy1r",{"json":2006},{"data":2007,"content":2008,"nodeType":1295},{},[2009,2015,2035,2042,2049,2055,2058,2066,2073,2092,2104,2111,2118,2125,2220,2223,2231,2314,2320,2323,2331,2339,2346,2353,2361,2380,2387,2395,2402,2409,2417,2424,2431,2451,2457,2460,2468,2476,2483,2588,2595,2603,2610,2617,2623,2631,2638,2645,2652,2660,2667,2674,2681,2688,2694,2697,2705,2712,2745,2752,2771,2791,2797],{"data":2010,"content":2014,"nodeType":1402},{"target":2011},{"sys":2012},{"id":2013,"type":1399,"linkType":1400},"1eBClNW4NOR66F0tl9h6lD",[],{"data":2016,"content":2017,"nodeType":1294},{},[2018,2022,2031],{"data":2019,"marks":2020,"value":2021,"nodeType":1293},{},[],"The attacks on Snowflake customers in 2024 collectively constituted the biggest cyber security event of the year in terms of the number of organizations and individuals affected (at least, if you exclude CrowdStrike causing a worldwide outage in July) — certainly, it was the largest perpetrated by a criminal group against commercial enterprises. It has been touted by some news outlets as ‘",{"data":2023,"content":2025,"nodeType":1389},{"uri":2024},"https://www.wired.com/story/snowflake-breach-advanced-auto-parts-lendingtree/",[2026],{"data":2027,"marks":2028,"value":2030,"nodeType":1293},{},[2029],{"type":1387},"one of the biggest breaches ever",{"data":2032,"marks":2033,"value":2034,"nodeType":1293},{},[],"’.  ",{"data":2036,"content":2037,"nodeType":1294},{},[2038],{"data":2039,"marks":2040,"value":2041,"nodeType":1293},{},[],"Snowflake was a watershed moment that signalled the significant opportunity presented by identity attacks on cloud services. 
It demonstrated how comparatively unsophisticated methods (logging in to user accounts with stolen credentials and dumping the data) can have the same or greater impact as a traditional network or endpoint based cyber attack involving vulnerability exploitation, malware deployment, ransomware, etc. ",{"data":2043,"content":2044,"nodeType":1294},{},[2045],{"data":2046,"marks":2047,"value":2048,"nodeType":1293},{},[],"Here’s everything you need to know about the Snowflake attacks — and what you can do to protect yourself against the next Snowflake in the future.",{"data":2050,"content":2054,"nodeType":1402},{"target":2051},{"sys":2052},{"id":2053,"type":1399,"linkType":1400},"4QoPUiP5q6Mwj1eWUZT15Q",[],{"data":2056,"content":2057,"nodeType":1347},{},[],{"data":2059,"content":2060,"nodeType":1357},{},[2061],{"data":2062,"marks":2063,"value":2065,"nodeType":1293},{},[2064],{"type":1355},"Snowflake: The facts",{"data":2067,"content":2068,"nodeType":1294},{},[2069],{"data":2070,"marks":2071,"value":2072,"nodeType":1293},{},[],"Cyber criminals associated with the threat group known as ShinyHunters claimed responsibility for breaching multiple organizations using Snowflake, a cloud-based data warehousing and analytics platform. 
",{"data":2074,"content":2075,"nodeType":1294},{},[2076,2080,2089],{"data":2077,"marks":2078,"value":2079,"nodeType":1293},{},[],"ShinyHunters associates targeted ~165 organizations that were subjected to account takeover attacks using stolen credentials harvested from historical infostealer infections dating back as far as 2020, ",{"data":2081,"content":2083,"nodeType":1389},{"uri":2082},"https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion",[2084],{"data":2085,"marks":2086,"value":2088,"nodeType":1293},{},[2087],{"type":1387},"according to Mandiant’s investigation",{"data":2090,"marks":2091,"value":1574,"nodeType":1293},{},[],{"data":2093,"content":2094,"nodeType":2103},{},[2095],{"data":2096,"content":2097,"nodeType":1294},{},[2098],{"data":2099,"marks":2100,"value":2102,"nodeType":1293},{},[2101],{"type":1355},">80% of the compromised accounts belonging to Snowflake customers had prior credential exposure. ","blockquote",{"data":2105,"content":2106,"nodeType":1294},{},[2107],{"data":2108,"marks":2109,"value":2110,"nodeType":1293},{},[],"The impacted accounts lacked MFA, meaning successful authentication only required a valid username and password. As the Snowflake credentials found in infostealer malware credential dumps had not been rotated or updated, they remained valid and could be used to authenticate to user accounts on Snowflake tenants belonging to various customers.",{"data":2112,"content":2113,"nodeType":1294},{},[2114],{"data":2115,"marks":2116,"value":2117,"nodeType":1293},{},[],"As a data warehousing platform integrated with a range of connected cloud services, access to a customer’s Snowflake tenant provided attackers with large quantities of sensitive commercial and personal data that could be stolen and monetized by attackers in a variety of ways — such as by ransoming the victim organization, extorting individual end-customers, and selling the data on to other criminal organizations. 
",{"data":2119,"content":2120,"nodeType":1294},{},[2121],{"data":2122,"marks":2123,"value":2124,"nodeType":1293},{},[],"In total, 9 public victims were named following the breach, collectively impacting hundreds of millions of people. ",{"data":2126,"content":2127,"nodeType":2219},{},[2128,2139,2149,2159,2169,2179,2189,2199,2209],{"data":2129,"content":2130,"nodeType":2138},{},[2131],{"data":2132,"content":2133,"nodeType":1294},{},[2134],{"data":2135,"marks":2136,"value":2137,"nodeType":1293},{},[],"Lending Tree: Sensitive data for over 190 million people available online including customer details, partial credit card numbers, insurance quotes and other information, being sold for $2m.","list-item",{"data":2140,"content":2141,"nodeType":2138},{},[2142],{"data":2143,"content":2144,"nodeType":1294},{},[2145],{"data":2146,"marks":2147,"value":2148,"nodeType":1293},{},[],"Truist Bank: Information belonging to 65,000 employees being sold online for $1m",{"data":2150,"content":2151,"nodeType":2138},{},[2152],{"data":2153,"content":2154,"nodeType":1294},{},[2155],{"data":2156,"marks":2157,"value":2158,"nodeType":1293},{},[],"Advance Auto Parts: 3TB of data for sale for $1.5 million. 
Affected 2.3 million people, as well as current and former employees and job applicants.",{"data":2160,"content":2161,"nodeType":2138},{},[2162],{"data":2163,"content":2164,"nodeType":1294},{},[2165],{"data":2166,"marks":2167,"value":2168,"nodeType":1293},{},[],"Pure Storage: Workspace with 11k customer records including company, email, LDAP username and software version numbers.",{"data":2170,"content":2171,"nodeType":2138},{},[2172],{"data":2173,"content":2174,"nodeType":1294},{},[2175],{"data":2176,"marks":2177,"value":2178,"nodeType":1293},{},[],"Los Angeles Unified: Student data, disability information, discipline details, and parent information, being sold online for $150k.",{"data":2180,"content":2181,"nodeType":2138},{},[2182],{"data":2183,"content":2184,"nodeType":1294},{},[2185],{"data":2186,"marks":2187,"value":2188,"nodeType":1293},{},[],"Neiman Marcus: 31m email addresses exposed alongside various personal information.",{"data":2190,"content":2191,"nodeType":2138},{},[2192],{"data":2193,"content":2194,"nodeType":1294},{},[2195],{"data":2196,"marks":2197,"value":2198,"nodeType":1293},{},[],"Santander: 30 million customer details for sale relating to customers of Santander Chile, Spain, and Uruguay.",{"data":2200,"content":2201,"nodeType":2138},{},[2202],{"data":2203,"content":2204,"nodeType":1294},{},[2205],{"data":2206,"marks":2207,"value":2208,"nodeType":1293},{},[],"Ticketmaster: 560 million customer details for sale, disruption to events and ticketing worldwide, and an increase in scam ticket production.",{"data":2210,"content":2211,"nodeType":2138},{},[2212],{"data":2213,"content":2214,"nodeType":1294},{},[2215],{"data":2216,"marks":2217,"value":2218,"nodeType":1293},{},[],"AT&T: Call logs stolen for approximately 109 million customers (nearly all of its mobile customers). AT&T paid an undisclosed ransom fee. 
","unordered-list",{"data":2221,"content":2222,"nodeType":1347},{},[],{"data":2224,"content":2225,"nodeType":1357},{},[2226],{"data":2227,"marks":2228,"value":2230,"nodeType":1293},{},[2229],{"type":1355},"The Snowflake attacks step-by-step",{"data":2232,"content":2233,"nodeType":2219},{},[2234,2244,2254,2264,2274,2284,2294,2304],{"data":2235,"content":2236,"nodeType":2138},{},[2237],{"data":2238,"content":2239,"nodeType":1294},{},[2240],{"data":2241,"marks":2242,"value":2243,"nodeType":1293},{},[],"Snowflake users were infected with infostealer malware that harvested credentials from user devices over an extended period via several infostealer malware variants, including; VIDAR, RISEPRO, REDLINE, RACOON STEALER, LUMMA and METASTEALER.",{"data":2245,"content":2246,"nodeType":2138},{},[2247],{"data":2248,"content":2249,"nodeType":1294},{},[2250],{"data":2251,"marks":2252,"value":2253,"nodeType":1293},{},[],"Credentials appeared on criminal marketplaces e.g. dark web forums and Telegram channels.",{"data":2255,"content":2256,"nodeType":2138},{},[2257],{"data":2258,"content":2259,"nodeType":1294},{},[2260],{"data":2261,"marks":2262,"value":2263,"nodeType":1293},{},[],"ShinyHunters saw the potential in targeting Snowflake users, based on the availability of credentials, number of customer organizations, and the value of the data that can be accessed in Snowflake. ",{"data":2265,"content":2266,"nodeType":2138},{},[2267],{"data":2268,"content":2269,"nodeType":1294},{},[2270],{"data":2271,"marks":2272,"value":2273,"nodeType":1293},{},[],"ShinyHunters embarked on a large-scale campaign targeting Snowflake customer accounts using previously breached credentials. ",{"data":2275,"content":2276,"nodeType":2138},{},[2277],{"data":2278,"content":2279,"nodeType":1294},{},[2280],{"data":2281,"marks":2282,"value":2283,"nodeType":1293},{},[],"ShinyHunters accessed user accounts that lacked MFA, belonging to approximately 165 Snowflake customers. 
",{"data":2285,"content":2286,"nodeType":2138},{},[2287],{"data":2288,"content":2289,"nodeType":1294},{},[2290],{"data":2291,"marks":2292,"value":2293,"nodeType":1293},{},[],"ShinyHunters used SQL-based reconnaissance, staging, and data exfiltration techniques, expedited by custom hacker tooling developed specifically for Snowflake, to conduct attacks at scale.",{"data":2295,"content":2296,"nodeType":2138},{},[2297],{"data":2298,"content":2299,"nodeType":1294},{},[2300],{"data":2301,"marks":2302,"value":2303,"nodeType":1293},{},[],"ShinyHunters acquired massive quantities of Snowflake data based on the information that each customer stored in Snowflake or connected apps. ",{"data":2305,"content":2306,"nodeType":2138},{},[2307],{"data":2308,"content":2309,"nodeType":1294},{},[2310],{"data":2311,"marks":2312,"value":2313,"nodeType":1293},{},[],"ShinyHunters began attempts to extort Snowflake and end-customers using the data acquired.",{"data":2315,"content":2319,"nodeType":1402},{"target":2316},{"sys":2317},{"id":2318,"type":1399,"linkType":1400},"2J92gFLs1wAAGC4nQTaiWu",[],{"data":2321,"content":2322,"nodeType":1347},{},[],{"data":2324,"content":2325,"nodeType":1357},{},[2326],{"data":2327,"marks":2328,"value":2330,"nodeType":1293},{},[2329],{"type":1355},"Why did the Snowflake breaches happen?",{"data":2332,"content":2333,"nodeType":1470},{},[2334],{"data":2335,"marks":2336,"value":2338,"nodeType":1293},{},[2337],{"type":1355},"Stolen credentials remained valid for years",{"data":2340,"content":2341,"nodeType":1294},{},[2342],{"data":2343,"marks":2344,"value":2345,"nodeType":1293},{},[],"The credentials used to access Snowflake accounts from historical infostealer infections had not been changed or rotated despite dating back as far as 2020, and remained valid. 
",{"data":2347,"content":2348,"nodeType":1294},{},[2349],{"data":2350,"marks":2351,"value":2352,"nodeType":1293},{},[],"This highlights the potential risk of breached credentials already in the public domain, particularly in the case of cloud services like Snowflake that may not be subject to the same levels of credential hygiene as other traditional enterprise domain accounts. ",{"data":2354,"content":2355,"nodeType":1470},{},[2356],{"data":2357,"marks":2358,"value":2360,"nodeType":1293},{},[2359],{"type":1355},"Local logins lacked MFA ",{"data":2362,"content":2363,"nodeType":1294},{},[2364,2368,2377],{"data":2365,"marks":2366,"value":2367,"nodeType":1293},{},[],"Even where organizations were primarily encouraging employees to use SSO to access their Snowflake tenant, previously created local logins with a username and password continue to exist even after introducing SSO-based logins. Further, MFA was not globally enforceable at the application level, meaning that MFA was only set when logging into an IdP account for SSO, but not for local logins. We call this problem ",{"data":2369,"content":2371,"nodeType":1389},{"uri":2370},"https://pushsecurity.com/blog/ghost-logins-when-forgotten-identities-come-back-to-haunt-you/",[2372],{"data":2373,"marks":2374,"value":2376,"nodeType":1293},{},[2375],{"type":1387},"ghost logins",{"data":2378,"marks":2379,"value":1574,"nodeType":1293},{},[],{"data":2381,"content":2382,"nodeType":1294},{},[2383],{"data":2384,"marks":2385,"value":2386,"nodeType":1293},{},[],"This meant that attackers were able to take over Snowflake accounts with only a single authentication factor (username & password). 
",{"data":2388,"content":2389,"nodeType":1470},{},[2390],{"data":2391,"marks":2392,"value":2394,"nodeType":1293},{},[2393],{"type":1355},"Snowflake was a high-value target used by many organizations",{"data":2396,"content":2397,"nodeType":1294},{},[2398],{"data":2399,"marks":2400,"value":2401,"nodeType":1293},{},[],"As a data warehousing platform used by a vast number of organizations, Snowflake represented a high-value target based on the data typically stored within it, and the repeatable way in which Snowflake users could be targeted. ",{"data":2403,"content":2404,"nodeType":1294},{},[2405],{"data":2406,"marks":2407,"value":2408,"nodeType":1293},{},[],"The attacker followed a near identical process when targeting Snowflake victims, meaning it could be scripted and executed at scale, with attacks taking a matter of minutes. ",{"data":2410,"content":2411,"nodeType":1470},{},[2412],{"data":2413,"marks":2414,"value":2416,"nodeType":1293},{},[2415],{"type":1355},"Infostealer infections are driving credential availability",{"data":2418,"content":2419,"nodeType":1294},{},[2420],{"data":2421,"marks":2422,"value":2423,"nodeType":1293},{},[],"Infostealers are often seen as a low-priority issue, but are the primary source of stolen credentials used in campaigns like this one. ",{"data":2425,"content":2426,"nodeType":1294},{},[2427],{"data":2428,"marks":2429,"value":2430,"nodeType":1293},{},[],"EDR is a strong protection but is often bypassed by infostealers as attackers continually modify them to bypass security controls. Further, unmanaged devices such as those used by third-party contractors or BYOD employees often lack the robust controls applied to company-managed devices and are naturally more susceptible to infostealer attacks. And since browser profiles can be synced across devices, even personal device compromises can result in the capture of corporate credentials.  
",{"data":2432,"content":2433,"nodeType":1294},{},[2434,2438,2447],{"data":2435,"marks":2436,"value":2437,"nodeType":1293},{},[],"There is some suggestion that targeting key third-party suppliers – ",{"data":2439,"content":2441,"nodeType":1389},{"uri":2440},"https://www.wired.com/story/epam-snowflake-ticketmaster-breach-shinyhunters/",[2442],{"data":2443,"marks":2444,"value":2446,"nodeType":1293},{},[2445],{"type":1387},"such as EPAM Systems, a software engineering firm and Snowflake ‘Elite Tier Partner’",{"data":2448,"marks":2449,"value":2450,"nodeType":1293},{},[]," – provided some of the access to Snowflake customers needed. It’s unclear what came first, but it’s possible (likely, even) that EPAM was identified as a target specifically because of its lucrative customer base and Snowflake credentials — adding another indicator that Snowflake was potentially a premeditated attack inspired by the availability of Snowflake credentials online.",{"data":2452,"content":2456,"nodeType":1402},{"target":2453},{"sys":2454},{"id":2455,"type":1399,"linkType":1400},"4D0gjt5oJLNKJH8GzjP8Je",[],{"data":2458,"content":2459,"nodeType":1347},{},[],{"data":2461,"content":2462,"nodeType":1357},{},[2463],{"data":2464,"marks":2465,"value":2467,"nodeType":1293},{},[2466],{"type":1355},"Key takeaways from the Snowflake attacks",{"data":2469,"content":2470,"nodeType":1470},{},[2471],{"data":2472,"marks":2473,"value":2475,"nodeType":1293},{},[2474],{"type":1355},"Securing your IdP accounts is not enough",{"data":2477,"content":2478,"nodeType":1294},{},[2479],{"data":2480,"marks":2481,"value":2482,"nodeType":1293},{},[],"SSO can help reduce your identity attack surface, but it's not feasible to get every workforce identity behind it.",{"data":2484,"content":2485,"nodeType":2219},{},[2486,2509,2531,2566],{"data":2487,"content":2488,"nodeType":2138},{},[2489],{"data":2490,"content":2491,"nodeType":1294},{},[2492,2496,2505],{"data":2493,"marks":2494,"value":2495,"nodeType":1293},{},[],"Only 1 
in 3 apps support SAML SSO, and those that offer it often charge more for it; the “",{"data":2497,"content":2499,"nodeType":1389},{"uri":2498},"https://ssotax.org/",[2500],{"data":2501,"marks":2502,"value":2504,"nodeType":1293},{},[2503],{"type":1387},"SSO tax",{"data":2506,"marks":2507,"value":2508,"nodeType":1293},{},[],"”.",{"data":2510,"content":2511,"nodeType":2138},{},[2512],{"data":2513,"content":2514,"nodeType":1294},{},[2515,2519,2528],{"data":2516,"marks":2517,"value":2518,"nodeType":1293},{},[],"Many apps are self-adopted by employees, leaving security teams unaware and unable to enforce SSO.  The typical organization has ",{"data":2520,"content":2522,"nodeType":1389},{"uri":2521},"https://pushsecurity.com/blog/how-many-vulnerable-identities-do-you-have/",[2523],{"data":2524,"marks":2525,"value":2527,"nodeType":1293},{},[2526],{"type":1387},"hundreds of apps and thousands of unmanaged identities outside of SSO",{"data":2529,"marks":2530,"value":1614,"nodeType":1293},{},[],{"data":2532,"content":2533,"nodeType":2138},{},[2534],{"data":2535,"content":2536,"nodeType":1294},{},[2537,2541,2549,2553,2562],{"data":2538,"marks":2539,"value":2540,"nodeType":1293},{},[],"Most apps do not prevent users from creating additional \"",{"data":2542,"content":2543,"nodeType":1389},{"uri":2370},[2544],{"data":2545,"marks":2546,"value":2548,"nodeType":1293},{},[2547],{"type":1387},"ghost login",{"data":2550,"marks":2551,"value":2552,"nodeType":1293},{},[],"\" methods outside of SSO (especially by default), accounting for around ",{"data":2554,"content":2556,"nodeType":1389},{"uri":2555},"https://pushsecurity.com/blog/how-many-vulnerable-identities-do-you-have/#id-identity-configurations-and-how-they-can-be-exploited_id-many-accounts-lack-the-most-basic-protections",[2557],{"data":2558,"marks":2559,"value":2561,"nodeType":1293},{},[2560],{"type":1387},"10% of all identities",{"data":2563,"marks":2564,"value":2565,"nodeType":1293},{},[]," observed by Push. 
",{"data":2567,"content":2568,"nodeType":2138},{},[2569],{"data":2570,"content":2571,"nodeType":1294},{},[2572,2576,2584],{"data":2573,"marks":2574,"value":2575,"nodeType":1293},{},[],"In total, we identified that ",{"data":2577,"content":2578,"nodeType":1389},{"uri":2521},[2579],{"data":2580,"marks":2581,"value":2583,"nodeType":1293},{},[2582],{"type":1387},"37% (2 in 5) accounts have a password login set with no MFA",{"data":2585,"marks":2586,"value":2587,"nodeType":1293},{},[],", while 9% have no MFA AND a weak, breached, or reused password.",{"data":2589,"content":2590,"nodeType":1294},{},[2591],{"data":2592,"marks":2593,"value":2594,"nodeType":1293},{},[],"So, relying on locked-down IdP accounts and maximising the use of SSO is an important pillar of an effective identity security strategy, but there will always be gaps. Unless you recognize this, you may be blindsided by attackers finding them before you do. ",{"data":2596,"content":2597,"nodeType":1470},{},[2598],{"data":2599,"marks":2600,"value":2602,"nodeType":1293},{},[2601],{"type":1355},"The threat of infostealers and stolen credentials needs to be taken seriously",{"data":2604,"content":2605,"nodeType":1294},{},[2606],{"data":2607,"marks":2608,"value":2609,"nodeType":1293},{},[],"Breached credentials appearing online is not always seen as a top priority for security teams, particularly when there’s so much noise from all of the outdated or simply erroneous findings (anyone that’s ever subscribed to a credential TI feed knows the pain of this). ",{"data":2611,"content":2612,"nodeType":1294},{},[2613],{"data":2614,"marks":2615,"value":2616,"nodeType":1293},{},[],"But Snowflake serves as a stark reminder that despite all the false positives, stolen credentials are sometimes valid — and when weaponized at-scale they can be a powerful tool for attackers. 
",{"data":2618,"content":2622,"nodeType":1402},{"target":2619},{"sys":2620},{"id":2621,"type":1399,"linkType":1400},"4EODpwKsqNivpvP2yMtZCd",[],{"data":2624,"content":2625,"nodeType":1470},{},[2626],{"data":2627,"marks":2628,"value":2630,"nodeType":1293},{},[2629],{"type":1355},"Don’t rely on third-parties to protect your identities for you",{"data":2632,"content":2633,"nodeType":1294},{},[2634],{"data":2635,"marks":2636,"value":2637,"nodeType":1293},{},[],"Snowflake came under fire following the attacks for not enabling MFA by default, or giving security teams sufficient tools to deal with the incident. ",{"data":2639,"content":2640,"nodeType":1294},{},[2641],{"data":2642,"marks":2643,"value":2644,"nodeType":1293},{},[],"This is perhaps justifiable, but is hardly the exception. Very few apps enforce MFA by default or provide a global MFA enforcement mechanism. Most don’t even provide audit logs (and when they do, the scope of logging is pretty limited). And we regularly encounter apps that don’t give you any information about account configuration as an admin — like which accounts have MFA, or the login methods that they’re using (e.g. SSO via SAML, SSO via OIDC, password, which IdPs are being used…) which is essential information to be able to secure your identity attack surface. ",{"data":2646,"content":2647,"nodeType":1294},{},[2648],{"data":2649,"marks":2650,"value":2651,"nodeType":1293},{},[],"Yes, it would be great if app vendors put security first and made controls available by default, for all customers (not just the premium ones). But in the absence of an industrywide shift toward security-first product development, it’s important that organizations don’t just point the finger at service providers — and take matters into their own hands when it comes to securing their user identities. 
",{"data":2653,"content":2654,"nodeType":1470},{},[2655],{"data":2656,"marks":2657,"value":2659,"nodeType":1293},{},[2658],{"type":1355},"This isn’t a specific Snowflake problem — it could have been any application",{"data":2661,"content":2662,"nodeType":1294},{},[2663],{"data":2664,"marks":2665,"value":2666,"nodeType":1293},{},[],"While Snowflake was admittedly a high-value target because of the data it collected, apps with sensitive data (or with integrations connecting them to data collected in adjacent apps) are not in short supply. ",{"data":2668,"content":2669,"nodeType":1294},{},[2670],{"data":2671,"marks":2672,"value":2673,"nodeType":1293},{},[],"If we accept that many other apps are similarly desirable targets, then we should also consider that it’s unlikely that Snowflake is the only app that has valid credentials sitting around on the internet, waiting to be weaponized by criminals. Equally, it’s not the only app that doesn’t require mandatory MFA for user accounts, as we discussed above. The next Snowflake is likely to lurk in the same breached datasets, possibly even using the same credentials.",{"data":2675,"content":2676,"nodeType":1294},{},[2677],{"data":2678,"marks":2679,"value":2680,"nodeType":1293},{},[],"There’s been a clear increase in the number of infostealer and stolen credential related breaches and news stories since Snowflake as attackers wise up to the potential opportunity and start seeing the dollar signs. It would be naive to think that this was a one off event — the next Snowflake is probably not too far away. 
",{"data":2682,"content":2683,"nodeType":1294},{},[2684],{"data":2685,"marks":2686,"value":2687,"nodeType":1293},{},[],"For a deep-dive analysis of the impact of Snowflake, check out our on-demand webinar from earlier this year.",{"data":2689,"content":2693,"nodeType":1402},{"target":2690},{"sys":2691},{"id":2692,"type":1399,"linkType":1400},"7LkU5DqE9HJ1PQu9BTg6Mw",[],{"data":2695,"content":2696,"nodeType":1347},{},[],{"data":2698,"content":2699,"nodeType":1357},{},[2700],{"data":2701,"marks":2702,"value":2704,"nodeType":1293},{},[2703],{"type":1355},"How to protect yourself from the next Snowflake using Push",{"data":2706,"content":2707,"nodeType":1294},{},[2708],{"data":2709,"marks":2710,"value":2711,"nodeType":1293},{},[],"Organizations looking to reduce their exposure to account takeover using stolen credentials should look to:",{"data":2713,"content":2714,"nodeType":2219},{},[2715,2725,2735],{"data":2716,"content":2717,"nodeType":2138},{},[2718],{"data":2719,"content":2720,"nodeType":1294},{},[2721],{"data":2722,"marks":2723,"value":2724,"nodeType":1293},{},[],"Identify the apps being used across the business and locate vulnerable workforce identities using weak, breached, or reused credentials, and missing MFA. Where SSO is the preferred login method, local username & password logins should ideally be removed. ",{"data":2726,"content":2727,"nodeType":2138},{},[2728],{"data":2729,"content":2730,"nodeType":1294},{},[2731],{"data":2732,"marks":2733,"value":2734,"nodeType":1293},{},[],"Where credentials appear in third-party data breaches, verify where they are still valid and ensure that the credentials are changed. ",{"data":2736,"content":2737,"nodeType":2138},{},[2738],{"data":2739,"content":2740,"nodeType":1294},{},[2741],{"data":2742,"marks":2743,"value":2744,"nodeType":1293},{},[],"Detect unauthorized access to workforce identities where sessions are initiated or resumed from unusual or unexpected locations. 
It should be noted that while this is a fairly common feature for larger enterprise cloud platforms with configurable access control policies, this is not typically possible for most SaaS applications.  ",{"data":2746,"content":2747,"nodeType":1294},{},[2748],{"data":2749,"marks":2750,"value":2751,"nodeType":1293},{},[],"All of these use cases can be achieved using Push. The Push browser extension detects all logins performed in employee browsers, capturing granular information about the login method and MFA types used, and enriching this data by integrating with your preferred IdP.",{"data":2753,"content":2754,"nodeType":1294},{},[2755,2759,2767],{"data":2756,"marks":2757,"value":2758,"nodeType":1293},{},[],"Push’s ",{"data":2760,"content":2762,"nodeType":1389},{"uri":2761},"https://pushsecurity.com/blog/verified-stolen-credential-detection",[2763],{"data":2764,"marks":2765,"value":2766,"nodeType":1293},{},[],"verified stolen credential detection feature",{"data":2768,"marks":2769,"value":2770,"nodeType":1293},{},[]," compares a k-anonymized hash of user passwords observed with stolen credential TI feeds to cut through the noise and identify where stolen credentials appearing online represent a genuine vulnerability.   ",{"data":2772,"content":2773,"nodeType":1294},{},[2774,2778,2787],{"data":2775,"marks":2776,"value":2777,"nodeType":1293},{},[],"On top of this, all logins made in browsers protected by the Push extension, across every app, are verified by ",{"data":2779,"content":2781,"nodeType":1389},{"uri":2780},"https://pushsecurity.com/blog/introducing-session-token-theft-detection-why-browser-is-best/",[2782],{"data":2783,"marks":2784,"value":2786,"nodeType":1293},{},[2785],{"type":1387},"adding a unique marker to the user agent string of the session",{"data":2788,"marks":2789,"value":2790,"nodeType":1293},{},[],", which will then appear in your IdP logs. 
This means that any session occurring outside of the Push-protected estate can be flagged to your security team via SIEM alert — including where an attacker uses stolen credentials to log into an app from a browser without the Push extension running. ",{"data":2792,"content":2796,"nodeType":1402},{"target":2793},{"sys":2794},{"id":2795,"type":1399,"linkType":1400},"3tqVk7Vr7pYLOEVukIJM2g",[],{"data":2798,"content":2799,"nodeType":1294},{},[2800],{"data":2801,"marks":2802,"value":37,"nodeType":1293},{},[],"Snowflake: Looking back on 2024’s landmark security event","165 Snowflake customers were targeted by criminals using stolen credentials from infostealer infections, impacting hundreds of millions of people. ","2024-11-29T00:00:00.000Z","snowflake-retro",{"items":2808},[2809],{"sys":2810,"name":1306},{"id":1305},{"items":2812},[2813],{"fullName":1997,"firstName":1998,"jobTitle":1999,"profilePicture":2814},{"url":2001},{"__typename":1314,"sys":2816,"content":2818,"title":3512,"synopsis":3513,"hashTags":118,"publishedDate":3514,"slug":3515,"tagsCollection":3516,"authorsCollection":3522},{"id":2817},"gANCbeL9AnxmbGAE5HhyG",{"json":2819},{"nodeType":1295,"data":2820,"content":2821},{},[2822,2838,2844,2850,2856,2859,2867,2874,2967,2973,2980,2987,2990,2998,3006,3013,3066,3074,3092,3122,3129,3137,3144,3150,3169,3185,3191,3198,3224,3231,3238,3271,3278,3285,3305,3308,3316,3323,3330,3337,3345,3365,3371,3379,3398,3416,3422,3430,3437,3455,3462,3468,3471,3479,3486,3493],{"nodeType":1294,"data":2823,"content":2824},{},[2825,2829,2834],{"nodeType":1293,"value":2826,"marks":2827,"data":2828},"Since late 2024, attackers have been targeting organizations using Jira, the project management tool, taking over user accounts using compromised credentials. 
This has resulted in ",[],{},{"nodeType":1293,"value":2830,"marks":2831,"data":2833},"six public breaches in five months",[2832],{"type":1355},{},{"nodeType":1293,"value":2835,"marks":2836,"data":2837}," where criminals made off with sensitive data and documentation, profiting by extorting the victims and selling the data on criminal forums. ",[],{},{"nodeType":1402,"data":2839,"content":2843},{"target":2840},{"sys":2841},{"id":2842,"type":1399,"linkType":1400},"3QJBi8NiId1CccFmJrp8pu",[],{"nodeType":1294,"data":2845,"content":2846},{},[2847],{"nodeType":1293,"value":37,"marks":2848,"data":2849},[],{},{"nodeType":1402,"data":2851,"content":2855},{"target":2852},{"sys":2853},{"id":2854,"type":1399,"linkType":1400},"79uXXgsAuOK9dKwYQFb0d1",[],{"nodeType":1347,"data":2857,"content":2858},{},[],{"nodeType":1357,"data":2860,"content":2861},{},[2862],{"nodeType":1293,"value":2863,"marks":2864,"data":2866},"What happened?",[2865],{"type":1355},{},{"nodeType":1294,"data":2868,"content":2869},{},[2870],{"nodeType":1293,"value":2871,"marks":2872,"data":2873},"Six attacks where stolen credentials were used to compromise the victim’s Jira tenant have been reported since November 2024, all attributed to operators belonging to the HELLCAT threat group. ",[],{},{"nodeType":2219,"data":2875,"content":2876},{},[2877,2892,2907,2922,2937,2952],{"nodeType":2138,"data":2878,"content":2879},{},[2880],{"nodeType":1294,"data":2881,"content":2882},{},[2883,2888],{"nodeType":1293,"value":2884,"marks":2885,"data":2887},"Affinitiv (March 2025): ",[2886],{"type":1355},{},{"nodeType":1293,"value":2889,"marks":2890,"data":2891},"Attackers stole a database containing over 470k unique emails and 780k records from marketing data analytics provider Affinitiv. 
",[],{},{"nodeType":2138,"data":2893,"content":2894},{},[2895],{"nodeType":1294,"data":2896,"content":2897},{},[2898,2903],{"nodeType":1293,"value":2899,"marks":2900,"data":2902},"Ascom (March 2025):",[2901],{"type":1355},{},{"nodeType":1293,"value":2904,"marks":2905,"data":2906}," Attackers stole 44GB of data including source code for multiple products, details about various projects, invoices, confidential documents, and issues from the ticketing system from global telecommunications provider Ascom.",[],{},{"nodeType":2138,"data":2908,"content":2909},{},[2910],{"nodeType":1294,"data":2911,"content":2912},{},[2913,2918],{"nodeType":1293,"value":2914,"marks":2915,"data":2917},"Jaguar Land Rover (March 2025):",[2916],{"type":1355},{},{"nodeType":1293,"value":2919,"marks":2920,"data":2921}," Attackers leaked ~700 internal documents totalling several GBs of data, including proprietary documents, source code, and employee and partner data, from vehicle manufacturer Jaguar Land Rover. The breach was linked to credentials stolen by infostealers in 2021. A second threat actor is now alleged to have re-compromized Jaguar using the same credentials and achieved a much bigger breach of ~350GB. ",[],{},{"nodeType":2138,"data":2923,"content":2924},{},[2925],{"nodeType":1294,"data":2926,"content":2927},{},[2928,2933],{"nodeType":1293,"value":2929,"marks":2930,"data":2932},"Orange (February 2025):",[2931],{"type":1355},{},{"nodeType":1293,"value":2934,"marks":2935,"data":2936}," Attackers stole almost 12,000 files totaling close to 6.5GB, which includes 380k unique email addresses, source code, invoices, contracts, customer and employee information, from telecommunications provider Orange. 
The attacker allegedly had access to the systems for over a month before exfiltrating company data.",[],{},{"nodeType":2138,"data":2938,"content":2939},{},[2940],{"nodeType":1294,"data":2941,"content":2942},{},[2943,2948],{"nodeType":1293,"value":2944,"marks":2945,"data":2947},"Telefonica (January 2025): ",[2946],{"type":1355},{},{"nodeType":1293,"value":2949,"marks":2950,"data":2951},"Attackers stole 2.3GB of documents, tickets, and various data from telecommunications provider Telefonica. ",[],{},{"nodeType":2138,"data":2953,"content":2954},{},[2955],{"nodeType":1294,"data":2956,"content":2957},{},[2958,2963],{"nodeType":1293,"value":2959,"marks":2960,"data":2962},"Schneider Electric (November 2024): ",[2961],{"type":1355},{},{"nodeType":1293,"value":2964,"marks":2965,"data":2966},"Attackers stole 40GB of data including 75k unique email addresses, from manufacturing provider Schneider Electric, demanding a ransom payment of $125k. ",[],{},{"nodeType":1402,"data":2968,"content":2972},{"target":2969},{"sys":2970},{"id":2971,"type":1399,"linkType":1400},"1Hm5x8QlQnJsUPgFyCkeFO",[],{"nodeType":1294,"data":2974,"content":2975},{},[2976],{"nodeType":1293,"value":2977,"marks":2978,"data":2979},"So, hundreds of gigabytes of data and thousands of breached records — all from logging in with a single set of stolen credentials for each victim. There are clear signs that these attacks are ramping up in frequency and impact too, with three of the breaches occurring in March alone. ",[],{},{"nodeType":1294,"data":2981,"content":2982},{},[2983],{"nodeType":1293,"value":2984,"marks":2985,"data":2986},"These attacks all follow the same pattern, revolving around initial access to Jira accounts using compromised credentials. Once inside, the attacker has been reported to use integrated Atlassian tools like MiniOrange to scrape customer and employee data. 
After dumping the data, they attempt to extort a ransom payment for the deletion of the data, and when that fails, sell it on criminal marketplaces such as dark web forums and Telegram channels. HELLCAT is also responsible for a Ransomware-as-a-Service (RaaS) offering using a custom ransomware strain. ",[],{},{"nodeType":1347,"data":2988,"content":2989},{},[],{"nodeType":1357,"data":2991,"content":2992},{},[2993],{"nodeType":1293,"value":2994,"marks":2995,"data":2997},"Why are attackers targeting Jira?",[2996],{"type":1355},{},{"nodeType":1470,"data":2999,"content":3000},{},[3001],{"nodeType":1293,"value":3002,"marks":3003,"data":3005},"It’s a goldmine for attackers",[3004],{"type":1355},{},{"nodeType":1294,"data":3007,"content":3008},{},[3009],{"nodeType":1293,"value":3010,"marks":3011,"data":3012},"Apps like Jira are a goldmine for cyber attackers. For organizations using it, Jira is a central technology that underpins core business workflows. It’s used for pretty much all aspects of project management across functions, meaning it:",[],{},{"nodeType":2219,"data":3014,"content":3015},{},[3016,3026,3036,3046,3056],{"nodeType":2138,"data":3017,"content":3018},{},[3019],{"nodeType":1294,"data":3020,"content":3021},{},[3022],{"nodeType":1293,"value":3023,"marks":3024,"data":3025},"Stores huge amounts of sensitive data, from strategic business initiatives to sensitive customer data. ",[],{},{"nodeType":2138,"data":3027,"content":3028},{},[3029],{"nodeType":1294,"data":3030,"content":3031},{},[3032],{"nodeType":1293,"value":3033,"marks":3034,"data":3035},"Contains detailed information on IT infrastructure and architecture. It often acts as an issue tracker for vulnerabilities, and frequently contains credentials and secrets accidentally pasted into tickets, enabling lateral movement and further exploitation. 
",[],{},{"nodeType":2138,"data":3037,"content":3038},{},[3039],{"nodeType":1294,"data":3040,"content":3041},{},[3042],{"nodeType":1293,"value":3043,"marks":3044,"data":3045},"Has deep integrations with other Cloud and DevOps technologies like GitHub repos (also a frequent target for attackers), Bitbucket, Jenkins, CircleCI, AWS, Azure, etc. ",[],{},{"nodeType":2138,"data":3047,"content":3048},{},[3049],{"nodeType":1294,"data":3050,"content":3051},{},[3052],{"nodeType":1293,"value":3053,"marks":3054,"data":3055},"Can be exploited using native functionality by, for example, creating automated workflows containing malicious scripts or deployments, or inserting malicious links into tickets to phish users in-app. ",[],{},{"nodeType":2138,"data":3057,"content":3058},{},[3059],{"nodeType":1294,"data":3060,"content":3061},{},[3062],{"nodeType":1293,"value":3063,"marks":3064,"data":3065},"Also provides access to the broader Atlassian suite through a compromised Jira account, e.g. Confluence, Bitbucket, Trello, Opsgenie, etc. ",[],{},{"nodeType":1470,"data":3067,"content":3068},{},[3069],{"nodeType":1293,"value":3070,"marks":3071,"data":3073},"Compromised credentials are waiting to be exploited",[3072],{"type":1355},{},{"nodeType":1294,"data":3075,"content":3076},{},[3077,3080,3088],{"nodeType":1293,"value":37,"marks":3078,"data":3079},[],{},{"nodeType":1389,"data":3081,"content":3083},{"uri":3082},"https://www.verizon.com/business/resources/reports/dbir/",[3084],{"nodeType":1293,"value":3085,"marks":3086,"data":3087},"Stolen credentials were the #1 attacker action in 2023/24",[],{},{"nodeType":1293,"value":3089,"marks":3090,"data":3091},", and the breach vector for 80% of web app attacks. Not surprising when you consider the fact that billions of leaked credentials are in circulation online, and attackers can pick up the latest drop for as little as $10 on criminal forums. 
",[],{},{"nodeType":1294,"data":3093,"content":3094},{},[3095,3099,3107,3111,3118],{"nodeType":1293,"value":3096,"marks":3097,"data":3098},"The criminal marketplace for stolen credentials is booming, fuelled by an unprecedented rise in infostealer activity as attackers look to replicate the success of ",[],{},{"nodeType":1389,"data":3100,"content":3102},{"uri":3101},"https://pushsecurity.com/resources/2024-identity-attacks",[3103],{"nodeType":1293,"value":3104,"marks":3105,"data":3106},"high profile breaches in 2024",[],{},{"nodeType":1293,"value":3108,"marks":3109,"data":3110}," such as the attacks on ",[],{},{"nodeType":1389,"data":3112,"content":3114},{"uri":3113},"https://pushsecurity.com/blog/snowflake-retro/",[3115],{"nodeType":1293,"value":1388,"marks":3116,"data":3117},[],{},{"nodeType":1293,"value":3119,"marks":3120,"data":3121}," customers — where 165 customer tenants and hundreds of millions of breached records were compromised using credentials dating found in infostealer credential dumps dating as far back as 2020.",[],{},{"nodeType":1294,"data":3123,"content":3124},{},[3125],{"nodeType":1293,"value":3126,"marks":3127,"data":3128},"Like Snowflake, attackers have clearly noticed that compromised credentials are a reliable way to access Jira accounts. And the more these attacks succeed, the stronger the signal for other attackers to look for insecure identities. ",[],{},{"nodeType":1470,"data":3130,"content":3131},{},[3132],{"nodeType":1293,"value":3133,"marks":3134,"data":3136},"But wait: This isn’t just a Jira problem",[3135],{"type":1355},{},{"nodeType":1294,"data":3138,"content":3139},{},[3140],{"nodeType":1293,"value":3141,"marks":3142,"data":3143},"If an organization isn’t relying on Jira, they’re probably using a product with similar functionality such as ServiceNow, Asana, Zendesk, Notion, Oracle, etc. These alternatives are an equally viable target for attackers. 
",[],{},{"nodeType":1402,"data":3145,"content":3149},{"target":3146},{"sys":3147},{"id":3148,"type":1399,"linkType":1400},"4hgYhQiAykupZ6n7Js2zJA",[],{"nodeType":1294,"data":3151,"content":3152},{},[3153,3157,3165],{"nodeType":1293,"value":3154,"marks":3155,"data":3156},"Jira and many apps like it, fall into a category where it’s a core business app, but isn’t as well-secured (or can’t be configured as securely) as full enterprise cloud platforms — increasing the likelihood that accounts are using weak, breached, or reused credentials, and have gaps in MFA coverage. Again, there are clear similarities with the attacks on Snowflake customers last year. And more recently, breaches like ",[],{},{"nodeType":1389,"data":3158,"content":3160},{"uri":3159},"https://www.bleepingcomputer.com/news/security/oracle-denies-data-breach-after-hacker-claims-theft-of-6-million-data-records/",[3161],{"nodeType":1293,"value":3162,"marks":3163,"data":3164},"the theft of 6 million Oracle records",[],{},{"nodeType":1293,"value":3166,"marks":3167,"data":3168}," (including  passwords) provide plenty of fuel for attackers looking to take advantage of unsecured accounts. ",[],{},{"nodeType":1294,"data":3170,"content":3171},{},[3172,3176,3181],{"nodeType":1293,"value":3173,"marks":3174,"data":3175},"Using Push data, we compared the posture of accounts that ",[],{},{"nodeType":1293,"value":3177,"marks":3178,"data":3180},"use a password to log in",[3179],{"type":1355},{},{"nodeType":1293,"value":3182,"marks":3183,"data":3184}," when organizations first begin using our platform.",[],{},{"nodeType":1402,"data":3186,"content":3190},{"target":3187},{"sys":3188},{"id":3189,"type":1399,"linkType":1400},"4xOUAqait2RG4IH00vh2RM",[],{"nodeType":1294,"data":3192,"content":3193},{},[3194],{"nodeType":1293,"value":3195,"marks":3196,"data":3197},"Clearly, this isn’t just a Jira problem — and it won’t be long before attackers take advantage. 
",[],{},{"nodeType":1294,"data":3199,"content":3200},{},[3201,3204,3212,3216,3221],{"nodeType":1293,"value":37,"marks":3202,"data":3203},[],{},{"nodeType":1389,"data":3205,"content":3206},{"uri":2521},[3207],{"nodeType":1293,"value":3208,"marks":3209,"data":3211},"These stats are in the ballpark of our average findings from across all apps",[3210],{"type":1387},{},{"nodeType":1293,"value":3213,"marks":3214,"data":3215}," — with 2 in 5 identities using a password to log in AND missing MFA, rising to 4 in 5 when a password is the sole login method. Considering the fact that organizations are using hundreds of apps (220+ on average), ",[],{},{"nodeType":1293,"value":3217,"marks":3218,"data":3220},"there are many, many more apps that can be targeted in a similar way to Jira",[3219],{"type":1355},{},{"nodeType":1293,"value":1574,"marks":3222,"data":3223},[],{},{"nodeType":1357,"data":3225,"content":3226},{},[3227],{"nodeType":1293,"value":3228,"marks":3229,"data":3230},"Preventing account takeover with stolen credentials",[],{},{"nodeType":1294,"data":3232,"content":3233},{},[3234],{"nodeType":1293,"value":3235,"marks":3236,"data":3237},"To ensure that your workforce identities can’t be compromised using stolen credentials, you need to:",[],{},{"nodeType":2219,"data":3239,"content":3240},{},[3241,3251,3261],{"nodeType":2138,"data":3242,"content":3243},{},[3244],{"nodeType":1294,"data":3245,"content":3246},{},[3247],{"nodeType":1293,"value":3248,"marks":3249,"data":3250},"Ensure MFA is configured for all user accounts. ",[],{},{"nodeType":2138,"data":3252,"content":3253},{},[3254],{"nodeType":1294,"data":3255,"content":3256},{},[3257],{"nodeType":1293,"value":3258,"marks":3259,"data":3260},"Ensure employees are not using weak, breached, or stolen passwords. 
",[],{},{"nodeType":2138,"data":3262,"content":3263},{},[3264],{"nodeType":1294,"data":3265,"content":3266},{},[3267],{"nodeType":1293,"value":3268,"marks":3269,"data":3270},"Where possible, ensure users are using SSO to log in via your preferred identity provider (IdP).",[],{},{"nodeType":1294,"data":3272,"content":3273},{},[3274],{"nodeType":1293,"value":3275,"marks":3276,"data":3277},"This is a tricky problem to solve in Jira itself. Jira doesn’t provide the capabilities to enforce these controls — to get access to some of the required functionality, like being able to require MFA for all users within your tenant, enforce SSO logins, or see if a user has MFA enabled, you need Atlassian Access — a separate tier of identity management product for Atlassian. Even then, you can’t do things like centrally administer password resets. ",[],{},{"nodeType":1294,"data":3279,"content":3280},{},[3281],{"nodeType":1293,"value":3282,"marks":3283,"data":3284},"And as we’ve pointed out — this isn’t just a Jira problem. Very few apps provide this level of identity visibility and control (even at the premium tier) — so what about when the next app hits the headlines? ",[],{},{"nodeType":1294,"data":3286,"content":3287},{},[3288,3292,3301],{"nodeType":1293,"value":3289,"marks":3290,"data":3291},"You could ingest a compromised credential TI feed to get some visibility of what’s out there, but then you’re relying on asking every user with a breached password to change it (not really reliable or enforceable!). When we ",[],{},{"nodeType":1389,"data":3293,"content":3295},{"uri":3294},"https://pushsecurity.com/blog/verified-stolen-credential-detection/",[3296],{"nodeType":1293,"value":3297,"marks":3298,"data":3300},"recently reviewed a range of TI feeds against our identity data set",[3299],{"type":1387},{},{"nodeType":1293,"value":3302,"marks":3303,"data":3304},", we found that less than 1% of the data was valid — like looking for a needle in a haystack. 
",[],{},{"nodeType":1347,"data":3306,"content":3307},{},[],{"nodeType":1357,"data":3309,"content":3310},{},[3311],{"nodeType":1293,"value":3312,"marks":3313,"data":3315},"Prevent account takeover with Push",[3314],{"type":1355},{},{"nodeType":1294,"data":3317,"content":3318},{},[3319],{"nodeType":1293,"value":3320,"marks":3321,"data":3322},"Thankfully, there’s a better way. Push provides layered controls to harden your workforce identities against credential attacks, as well as other methods of account takeover like MFA-bypass phishing and session hijacking. Our lightweight, browser-based solution can be deployed in minutes across your entire user base. ",[],{},{"nodeType":1294,"data":3324,"content":3325},{},[3326],{"nodeType":1293,"value":3327,"marks":3328,"data":3329},"So when a core business app like Jira comes under fire, you can quickly take action to prevent account takeover.  ",[],{},{"nodeType":1294,"data":3331,"content":3332},{},[3333],{"nodeType":1293,"value":3334,"marks":3335,"data":3336},"Here’s how Push users can protect themselves against the threat of stolen credentials:",[],{},{"nodeType":1470,"data":3338,"content":3339},{},[3340],{"nodeType":1293,"value":3341,"marks":3342,"data":3344},"Step 1: Deploy MFA across all accounts",[3343],{"type":1355},{},{"nodeType":1294,"data":3346,"content":3347},{},[3348,3352,3361],{"nodeType":1293,"value":3349,"marks":3350,"data":3351},"Whenever an application comes under heavy scrutiny from attackers, it’s a good idea to deploy MFA across all accounts as a first response action. ",[],{},{"nodeType":1389,"data":3353,"content":3355},{"uri":3354},"https://pushsecurity.com/blog/enforce-mfa-on-third-party-apps/",[3356],{"nodeType":1293,"value":3357,"marks":3358,"data":3360},"Push enables you to quickly find and close MFA gaps",[3359],{"type":1387},{},{"nodeType":1293,"value":3362,"marks":3363,"data":3364}," by prompting the user to configure MFA when they log in to the app. 
",[],{},{"nodeType":1402,"data":3366,"content":3370},{"target":3367},{"sys":3368},{"id":3369,"type":1399,"linkType":1400},"4OVJU6FRSVU9j1WB9NGyJ4",[],{"nodeType":1470,"data":3372,"content":3373},{},[3374],{"nodeType":1293,"value":3375,"marks":3376,"data":3378},"Step 2: Detect when accounts are using stolen credentials and trigger a password change",[3377],{"type":1355},{},{"nodeType":1294,"data":3380,"content":3381},{},[3382,3386,3394],{"nodeType":1293,"value":3383,"marks":3384,"data":3385},"Push integrates with commercial TI feeds to see ",[],{},{"nodeType":1389,"data":3387,"content":3388},{"uri":3294},[3389],{"nodeType":1293,"value":3390,"marks":3391,"data":3393},"when your employees are actually using a breached password to log in to one of their accounts",[3392],{"type":1387},{},{"nodeType":1293,"value":3395,"marks":3396,"data":3397},", eliminating manual triage. You can also bring your own TI feed to maximize its value. ",[],{},{"nodeType":1294,"data":3399,"content":3400},{},[3401,3405,3413],{"nodeType":1293,"value":3402,"marks":3403,"data":3404},"When a stolen credential (or any other password vulnerability) is found, the next time they log into the app they will be prompted to change it via the ",[],{},{"nodeType":1389,"data":3406,"content":3408},{"uri":3407},"https://pushsecurity.com/blog/introducing-strong-password-enforcement/",[3409],{"nodeType":1293,"value":3410,"marks":3411,"data":3412},"strong password enforcement feature",[],{},{"nodeType":1293,"value":1574,"marks":3414,"data":3415},[],{},{"nodeType":1402,"data":3417,"content":3421},{"target":3418},{"sys":3419},{"id":3420,"type":1399,"linkType":1400},"shpVOAMlk7OE1mWrE9h8S",[],{"nodeType":1470,"data":3423,"content":3424},{},[3425],{"nodeType":1293,"value":3426,"marks":3427,"data":3429},"Step 3: Ensure employees are using SSO (and remediate ghost logins)",[3428],{"type":1355},{},{"nodeType":1294,"data":3431,"content":3432},{},[3433],{"nodeType":1293,"value":3434,"marks":3435,"data":3436},"Once you’ve 
secured your accounts against the risk of immediate account takeover, you can harden them further by ensuring that accounts are using your preferred SSO method and IdP. ",[],{},{"nodeType":1294,"data":3438,"content":3439},{},[3440,3444,3451],{"nodeType":1293,"value":3441,"marks":3442,"data":3443},"[Insight box: It’s not enough to have users adopt SSO, however. Local username and password accounts can continue to exist and be used alongside SSO unless the app is specifically configured (and can be configured) to disable them. These local accounts are a form of ",[],{},{"nodeType":1389,"data":3445,"content":3446},{"uri":2370},[3447],{"nodeType":1293,"value":2548,"marks":3448,"data":3450},[3449],{"type":1387},{},{"nodeType":1293,"value":3452,"marks":3453,"data":3454},", providing backdoor access to your business apps without needing to breach your locked-down IdP accounts used for SSO. This is why it’s important to have MFA set at the application level if local accounts are used — you can’t just rely on your IdP being securely configured.] ",[],{},{"nodeType":1294,"data":3456,"content":3457},{},[3458],{"nodeType":1293,"value":3459,"marks":3460,"data":3461},"Once you’ve migrated to SSO, it’s best practice to have your employees remove these local accounts so they don’t lie dormant for attackers to take advantage of in the future. 
You can set an app banner for all users accessing the app, instructing them to log in using SSO, and to disable their local password once they’ve done so.",[],{},{"nodeType":1402,"data":3463,"content":3467},{"target":3464},{"sys":3465},{"id":3466,"type":1399,"linkType":1400},"606mt5mVoJGaMmk82mLIFH",[],{"nodeType":1347,"data":3469,"content":3470},{},[],{"nodeType":1357,"data":3472,"content":3473},{},[3474],{"nodeType":1293,"value":3475,"marks":3476,"data":3478},"Protect and defend your entire identity attack surface",[3477],{"type":1355},{},{"nodeType":1294,"data":3480,"content":3481},{},[3482],{"nodeType":1293,"value":3483,"marks":3484,"data":3485},"Push provides comprehensive identity attack detection and response capabilities across every app and workforce identity.    ",[],{},{"nodeType":1294,"data":3487,"content":3488},{},[3489],{"nodeType":1293,"value":3490,"marks":3491,"data":3492},"We stop attacks like MFA-bypass phishing, credential stuffing, password spraying and session hijacking using stolen session tokens. You can also use Push to find and fix identity vulnerabilities across every app that your employees use like: ghost logins; SSO coverage gaps; MFA gaps; weak, breached and reused passwords; risky OAuth integrations; and more. ",[],{},{"nodeType":1294,"data":3494,"content":3495},{},[3496,3500,3508],{"nodeType":1293,"value":3497,"marks":3498,"data":3499},"If you want to learn more about how Push helps you to detect and defeat common identity attack techniques, ",[],{},{"nodeType":1389,"data":3501,"content":3503},{"uri":3502},"https://pushsecurity.com/demo?utm_campaign=9983377-FY25Q1_Bleeping-Computer-Organic-Article&utm_source=bleepingcomputer&utm_medium=sponsored-content&utm_content=organic%20article",[3504],{"nodeType":1293,"value":3505,"marks":3506,"data":3507},"book some time with one of our team",[],{},{"nodeType":1293,"value":3509,"marks":3510,"data":3511}," for a live demo. 
",[],{},"6 breaches in 5 months: Why attackers are targeting Jira with stolen credentials","Attackers are persistently targeting Jira accounts with stolen credentials. What can we learn from this trend?","2025-03-25T00:00:00.000Z","why-attackers-are-targeting-jira-with-stolen-credentials",{"items":3517},[3518,3520],{"sys":3519,"name":1306},{"id":1305},{"sys":3521,"name":1993},{"id":1992},{"items":3523},[3524],{"fullName":1997,"firstName":1998,"jobTitle":1999,"profilePicture":3525},{"url":2001},{"items":3527},[3528],{"fullName":1997,"firstName":1998,"jobTitle":1999,"profilePicture":3529},{"url":2001},{"json":3531,"links":4038},{"nodeType":1295,"data":3532,"content":3533},{},[3534,3541,3559,3566,3569,3577,3584,3591,3719,3726,3732,3735,3743,3750,3757,3764,3771,3779,3786,3793,3796,3804,3811,3818,3825,3831,3838,3866,3876,3882,3885,3893,3901,3908,3941,3947,3953,3959,3962,3970,3977,3996,4001,4007],{"nodeType":1294,"data":3535,"content":3536},{},[3537],{"nodeType":1293,"value":3538,"marks":3539,"data":3540},"Many security leaders would confidently say they have MFA deployed everywhere. But that confidence often disappears when a breach investigation begins. The reality? MFA coverage is far from complete.",[],{},{"nodeType":1294,"data":3542,"content":3543},{},[3544,3548,3556],{"nodeType":1293,"value":3545,"marks":3546,"data":3547},"MFA is inconsistently enforced across the modern identity surface. Logins without MFA frequently slip through the cracks, exposing critical access points to business systems and data. And attackers know it — as they demonstrated best in ",[],{},{"nodeType":1389,"data":3549,"content":3550},{"uri":3113},[3551],{"nodeType":1293,"value":3552,"marks":3553,"data":3555},"2024's infamous Snowflake breaches",[3554],{"type":1387},{},{"nodeType":1293,"value":1574,"marks":3557,"data":3558},[],{},{"nodeType":1294,"data":3560,"content":3561},{},[3562],{"nodeType":1293,"value":3563,"marks":3564,"data":3565},"Regulators and insurers are catching on, too. 
Where MFA was once considered best practice, it’s now an expectation; implied in some frameworks, explicitly required in others, and enforced more aggressively than ever before. Whether you’re trying to meet PCI DSS, HIPAA, or GDPR requirements, the question is no longer if you have MFA, it’s where and how it’s enforced — and can you prove it?",[],{},{"nodeType":1347,"data":3567,"content":3568},{},[],{"nodeType":1357,"data":3570,"content":3571},{},[3572],{"nodeType":1293,"value":3573,"marks":3574,"data":3576},"Framework-by-framework breakdown: what they really say about MFA",[3575],{"type":1355},{},{"nodeType":1294,"data":3578,"content":3579},{},[3580],{"nodeType":1293,"value":3581,"marks":3582,"data":3583},"MFA isn’t just a checkbox. It’s a regulatory expectation. While some frameworks spell that out clearly, others imply it in broader language. Either way, the enforcement trend is undeniable: organizations are being held accountable if MFA is missing.",[],{},{"nodeType":1294,"data":3585,"content":3586},{},[3587],{"nodeType":1293,"value":3588,"marks":3589,"data":3590},"Here’s how key frameworks treat MFA today:",[],{},{"nodeType":2219,"data":3592,"content":3593},{},[3594,3604,3627,3650,3699,3709],{"nodeType":2138,"data":3595,"content":3596},{},[3597],{"nodeType":1294,"data":3598,"content":3599},{},[3600],{"nodeType":1293,"value":3601,"marks":3602,"data":3603},"PCI DSS v4.0 requires mandatory MFA for all non-console administrative access and remote access to cardholder environments.",[],{},{"nodeType":2138,"data":3605,"content":3606},{},[3607],{"nodeType":1294,"data":3608,"content":3609},{},[3610,3614,3623],{"nodeType":1293,"value":3611,"marks":3612,"data":3613},"HIPAA doesn’t use the term “MFA” directly, but under the Security Rule, it mandates “reasonable and appropriate safeguards,” and the absence of MFA has led to audit findings and penalties — e.g. 
a US children’s hospital received a ",[],{},{"nodeType":1389,"data":3615,"content":3617},{"uri":3616},"https://compliancy-group.com/childrens-hospital-colorado-fined-by-ocr/",[3618],{"nodeType":1293,"value":3619,"marks":3620,"data":3622},"$500,000",[3621],{"type":1387},{},{"nodeType":1293,"value":3624,"marks":3625,"data":3626}," HIPAA fine for insufficient MFA.",[],{},{"nodeType":2138,"data":3628,"content":3629},{},[3630],{"nodeType":1294,"data":3631,"content":3632},{},[3633,3637,3646],{"nodeType":1293,"value":3634,"marks":3635,"data":3636},"GDPR similarly focuses on “appropriate technical measures.” In 2023, the UK’s ICO fined a UK software company ",[],{},{"nodeType":1389,"data":3638,"content":3640},{"uri":3639},"https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/03/software-provider-fined-3m-following-2022-ransomware-attack/",[3641],{"nodeType":1293,"value":3642,"marks":3643,"data":3645},"£3.07 million",[3644],{"type":1387},{},{"nodeType":1293,"value":3647,"marks":3648,"data":3649}," for a breach involving missing MFA, setting a clear precedent.",[],{},{"nodeType":2138,"data":3651,"content":3652},{},[3653],{"nodeType":1294,"data":3654,"content":3655},{},[3656,3660,3669,3673,3682,3686,3695],{"nodeType":1293,"value":3657,"marks":3658,"data":3659},"NYDFS 500 is clear: MFA is required for all user access to covered systems, not just privileged accounts. 
MFA gaps resulted in a ",[],{},{"nodeType":1389,"data":3661,"content":3663},{"uri":3662},"https://www.dfs.ny.gov/reports_and_publications/press_releases/pr202104141",[3664],{"nodeType":1293,"value":3665,"marks":3666,"data":3668},"$3 million settlement",[3667],{"type":1387},{},{"nodeType":1293,"value":3670,"marks":3671,"data":3672}," against a financial services company, a ",[],{},{"nodeType":1389,"data":3674,"content":3676},{"uri":3675},"https://www.dfs.ny.gov/system/files/documents/2023/05/ea20230524_co_onemain.pdf",[3677],{"nodeType":1293,"value":3678,"marks":3679,"data":3681},"$4.2 million",[3680],{"type":1387},{},{"nodeType":1293,"value":3683,"marks":3684,"data":3685}," fine against a personal loan provider, and a ",[],{},{"nodeType":1389,"data":3687,"content":3689},{"uri":3688},"https://www.dfs.ny.gov/reports_and_publications/press_releases/pr20241125",[3690],{"nodeType":1293,"value":3691,"marks":3692,"data":3694},"$1.55 million",[3693],{"type":1387},{},{"nodeType":1293,"value":3696,"marks":3697,"data":3698}," fine against an auto insurer.",[],{},{"nodeType":2138,"data":3700,"content":3701},{},[3702],{"nodeType":1294,"data":3703,"content":3704},{},[3705],{"nodeType":1293,"value":3706,"marks":3707,"data":3708},"NIST SP 800-63-3 and CISA’s EO 14028 elevate the standard further, calling for phishing-resistant MFA for federal systems and contractors.",[],{},{"nodeType":2138,"data":3710,"content":3711},{},[3712],{"nodeType":1294,"data":3713,"content":3714},{},[3715],{"nodeType":1293,"value":3716,"marks":3717,"data":3718},"Frameworks and standards like ISO/IEC 27001, CIS Controls v8, and SOC 2 increasingly expect MFA coverage to be demonstrated during audits and certification processes.",[],{},{"nodeType":1294,"data":3720,"content":3721},{},[3722],{"nodeType":1293,"value":3723,"marks":3724,"data":3725},"These frameworks vary in tone and scope, but the message is consistent across the board. 
MFA must be enforced in practice, not just in theory.",[],{},{"nodeType":1402,"data":3727,"content":3731},{"target":3728},{"sys":3729},{"id":3730,"type":1399,"linkType":1400},"7dOxw1w8Ut5WDBDOki20We",[],{"nodeType":1347,"data":3733,"content":3734},{},[],{"nodeType":1357,"data":3736,"content":3737},{},[3738],{"nodeType":1293,"value":3739,"marks":3740,"data":3742},"Insurers are scrutinising MFA gaps too",[3741],{"type":1355},{},{"nodeType":1294,"data":3744,"content":3745},{},[3746],{"nodeType":1293,"value":3747,"marks":3748,"data":3749},"It’s not just regulators getting stricter. Insurers are building in MFA as a minimum condition of insurance coverage. ",[],{},{"nodeType":1294,"data":3751,"content":3752},{},[3753],{"nodeType":1293,"value":3754,"marks":3755,"data":3756},"Organizations are incentivized to have MFA. Roughly 20-25% of cyber insurance premiums are dictated by the security controls in place: MFA, EDR, regular patching, etc. ",[],{},{"nodeType":1294,"data":3758,"content":3759},{},[3760],{"nodeType":1293,"value":3761,"marks":3762,"data":3763},"After a breach, insurers bring in incident response teams to analyze what happened. Their job is to determine how the attacker got in and whether the controls you claimed to have were actually in place. 
If the entry point had no effective MFA and your policy attested that it did, the insurer may treat that as misrepresentation.",[],{},{"nodeType":1294,"data":3765,"content":3766},{},[3767],{"nodeType":1293,"value":3768,"marks":3769,"data":3770},"If your self-attested MFA coverage doesn’t hold up under investigation, your provider may not be required to pay, and you’re left footing the bill for IR, recovery, legal fees, and business disruption.",[],{},{"nodeType":1470,"data":3772,"content":3773},{},[3774],{"nodeType":1293,"value":3775,"marks":3776,"data":3778},"Case study: City of Hamilton, Ontario",[3777],{"type":1355},{},{"nodeType":1294,"data":3780,"content":3781},{},[3782],{"nodeType":1293,"value":3783,"marks":3784,"data":3785},"The Canadian city of Hamilton, Ontario fell victim to a ransomware attack in February 2024. Attackers disabled nearly 80% of the city’s network and demanded a ransom of roughly $18.5 million in exchange for a decryption tool to unscramble the data.",[],{},{"nodeType":1294,"data":3787,"content":3788},{},[3789],{"nodeType":1293,"value":3790,"marks":3791,"data":3792},"They attempted to claim $5 million under their cyber insurance policy. After more than a year of dispute, the claim was denied because of MFA gaps — a condition of the coverage. Taxpayers were left to foot the $18.3 million bill, including cleanup, rebuild, and one-time consultancy fees.",[],{},{"nodeType":1347,"data":3794,"content":3795},{},[],{"nodeType":1357,"data":3797,"content":3798},{},[3799],{"nodeType":1293,"value":3800,"marks":3801,"data":3803},"The future of compliance will be driven by cyber attacks",[3802],{"type":1355},{},{"nodeType":1294,"data":3805,"content":3806},{},[3807],{"nodeType":1293,"value":3808,"marks":3809,"data":3810},"The direction of travel is consistent: frameworks are getting stricter, auditors are getting more technical, and enforcement is starting to hit data processors as well as controllers. 
",[],{},{"nodeType":1294,"data":3812,"content":3813},{},[3814],{"nodeType":1293,"value":3815,"marks":3816,"data":3817},"But there’s more to it than that. In-the-wild breaches are exposing just how much business IT has evolved — and where security controls haven’t kept up. ",[],{},{"nodeType":1294,"data":3819,"content":3820},{},[3821],{"nodeType":1293,"value":3822,"marks":3823,"data":3824},"With the SaaS-ification of enterprise IT, core business systems aren’t locally deployed and centrally managed in the way they used to be. Instead, they’re logged into over the internet, via a web browser.",[],{},{"nodeType":1402,"data":3826,"content":3830},{"target":3827},{"sys":3828},{"id":3829,"type":1399,"linkType":1400},"4h4hUYAghbZavOwjRTnBe2",[],{"nodeType":1294,"data":3832,"content":3833},{},[3834],{"nodeType":1293,"value":3835,"marks":3836,"data":3837},"So it’s not surprising that modern attackers are now targeting these apps directly. The most logical way to do this is by targeting users of those apps via identities — the vehicle by which apps are accessed and used. ",[],{},{"nodeType":1294,"data":3839,"content":3840},{},[3841,3845,3853,3857,3862],{"nodeType":1293,"value":3842,"marks":3843,"data":3844},"Sitting outside the typical security control boundary, it’s no surprise that this has become the soft underbelly in the crosshairs of attackers. Organizations are dealing with a vast and vulnerable attack surface consisting of ",[],{},{"nodeType":1389,"data":3846,"content":3847},{"uri":2521},[3848],{"nodeType":1293,"value":3849,"marks":3850,"data":3852},"hundreds of applications, with thousands of accounts",[3851],{"type":1387},{},{"nodeType":1293,"value":3854,"marks":3855,"data":3856}," spread across the app estate. 
",[],{},{"nodeType":1293,"value":3858,"marks":3859,"data":3861},"2 in 5 of these accounts are missing MFA",[3860],{"type":1355},{},{"nodeType":1293,"value":3863,"marks":3864,"data":3865},", and many also have a password vulnerability (such as appearing in a password breach or compromised credential feed) that means they’re sitting ducks for an attacker, waiting to be exploited. ",[],{},{"nodeType":2103,"data":3867,"content":3868},{},[3869],{"nodeType":1294,"data":3870,"content":3871},{},[3872],{"nodeType":1293,"value":3873,"marks":3874,"data":3875},"Due to SaaS blind-spots, 2 in 5 accounts are missing MFA. ",[],{},{"nodeType":1402,"data":3877,"content":3881},{"target":3878},{"sys":3879},{"id":3880,"type":1399,"linkType":1400},"3WFzina1t5j6bDlTlGQA0l",[],{"nodeType":1347,"data":3883,"content":3884},{},[],{"nodeType":1357,"data":3886,"content":3887},{},[3888],{"nodeType":1293,"value":3889,"marks":3890,"data":3892},"What security teams can do about it",[3891],{"type":1355},{},{"nodeType":1470,"data":3894,"content":3895},{},[3896],{"nodeType":1293,"value":3897,"marks":3898,"data":3900},"Achieve complete MFA visibility and remediate gaps with Push Security",[3899],{"type":1355},{},{"nodeType":1294,"data":3902,"content":3903},{},[3904],{"nodeType":1293,"value":3905,"marks":3906,"data":3907},"You can’t enforce identity policy if you can’t see where it breaks. Push gives you live, browser-based insight into how users actually authenticate – what apps they access, how they log in, and where protections like MFA fall short. 
Because Push runs natively in the browser, you get full coverage and built-in guardrails, without relying on app integrations, enabling you to:",[],{},{"nodeType":2219,"data":3909,"content":3910},{},[3911,3921,3931],{"nodeType":2138,"data":3912,"content":3913},{},[3914],{"nodeType":1294,"data":3915,"content":3916},{},[3917],{"nodeType":1293,"value":3918,"marks":3919,"data":3920},"Understand how identities are really used across apps",[],{},{"nodeType":2138,"data":3922,"content":3923},{},[3924],{"nodeType":1294,"data":3925,"content":3926},{},[3927],{"nodeType":1293,"value":3928,"marks":3929,"data":3930},"Catch misconfigurations, missing MFA, and accounts using vulnerable passwords",[],{},{"nodeType":2138,"data":3932,"content":3933},{},[3934],{"nodeType":1294,"data":3935,"content":3936},{},[3937],{"nodeType":1293,"value":3938,"marks":3939,"data":3940},"Guide users to fix issues before they become incidents",[],{},{"nodeType":1402,"data":3942,"content":3946},{"target":3943},{"sys":3944},{"id":3945,"type":1399,"linkType":1400},"1axELRNRyXglrf81FEkDhb",[],{"nodeType":1294,"data":3948,"content":3949},{},[3950],{"nodeType":1293,"value":37,"marks":3951,"data":3952},[],{},{"nodeType":1402,"data":3954,"content":3958},{"target":3955},{"sys":3956},{"id":3957,"type":1399,"linkType":1400},"2mpx0GOwIviUAdvLGitxua",[],{"nodeType":1347,"data":3960,"content":3961},{},[],{"nodeType":1470,"data":3963,"content":3964},{},[3965],{"nodeType":1293,"value":3966,"marks":3967,"data":3969},"Prepare your organization for the new world of browser-based attacks",[3968],{"type":1355},{},{"nodeType":1294,"data":3971,"content":3972},{},[3973],{"nodeType":1293,"value":3974,"marks":3975,"data":3976},"As attacks continue to evolve, we can expect regulators, insurers, and policy-makers to follow. 
",[],{},{"nodeType":1294,"data":3978,"content":3979},{},[3980,3983,3992],{"nodeType":1293,"value":37,"marks":3981,"data":3982},[],{},{"nodeType":1389,"data":3984,"content":3986},{"uri":3985},"https://pushsecurity.com/blog/6-browser-based-attacks-every-security-team-should-be-prepared-for/",[3987],{"nodeType":1293,"value":3988,"marks":3989,"data":3991},"Attacks that target users in their web browsers have seen an unprecedented rise in recent years",[3990],{"type":1387},{},{"nodeType":1293,"value":3993,"marks":3994,"data":3995},", exploiting the biggest security blind-spot in the enterprise security stack. ",[],{},{"nodeType":1402,"data":3997,"content":4000},{"target":3998},{"sys":3999},{"id":1453,"type":1399,"linkType":1400},[],{"nodeType":1294,"data":4002,"content":4003},{},[4004],{"nodeType":1293,"value":1962,"marks":4005,"data":4006},[],{},{"nodeType":1294,"data":4008,"content":4009},{},[4010,4014,4023,4027,4035],{"nodeType":1293,"value":4011,"marks":4012,"data":4013},"To learn more about Push, ",[],{},{"nodeType":1389,"data":4015,"content":4017},{"uri":4016},"https://pushsecurity.com/resources/product-brochure",[4018],{"nodeType":1293,"value":4019,"marks":4020,"data":4022},"check out our latest product overview",[4021],{"type":1387},{},{"nodeType":1293,"value":4024,"marks":4025,"data":4026}," or ",[],{},{"nodeType":1389,"data":4028,"content":4030},{"uri":4029},"https://pushsecurity.com/demo",[4031],{"nodeType":1293,"value":1978,"marks":4032,"data":4034},[4033],{"type":1387},{},{"nodeType":1293,"value":1614,"marks":4036,"data":4037},[],{},{"entries":4039},{"hyperlink":4040,"inline":4041,"block":4042},[],[],[4043,4050,4058,4066,4072,4076],{"sys":4044,"__typename":4045,"type":4046,"ctaText":4047,"buttonLabel":87,"buttonColour":4048,"buttonUrl":4049},{"id":3730},"CtaWidget","Custom","New whitepaper: Get the big picture on current MFA regulation and compliance","sea 
blue","https://pushsecurity.com/resources/mfa-regulation-compliance",{"sys":4051,"__typename":4052,"title":4053,"caption":4053,"layoutMode":118,"file":4054},{"id":3829},"Image","Attacks have shifted from targeting local networks to SaaS services, accessed through employee web browsers.",{"url":4055,"width":4056,"height":4057},"https://images.ctfassets.net/y1cdw1ablpvd/SadRsmdnNZofhrKddH01D/1ba16316bdfa666b2bc387d5b694e515/image2.png",1506,574,{"sys":4059,"__typename":4052,"title":4060,"caption":4061,"layoutMode":118,"file":4062},{"id":3880},"Infographic showing the identity vulnerability spread for a 1,000 seat organization","A 1,000 user organization has over 15,000 accounts with various configurations and associated vulnerabilities.",{"url":4063,"width":4064,"height":4065},"https://images.ctfassets.net/y1cdw1ablpvd/266iLQBVsJIQEx6dnUEVrZ/eb5b1be79b7b29365baf299053fddf42/Infographic.png",5480,3012,{"sys":4067,"__typename":4068,"title":4069,"arcadeDemoUrl":4070,"playText":4071},{"id":3945},"ArcadeDemo","Find and close MFA gaps with Push Security","https://demo.arcade.software/qEDIGb9n7EEPCWFntm56?embed","2 mins",{"sys":4073,"__typename":4045,"type":4046,"ctaText":4074,"buttonLabel":87,"buttonColour":4075,"buttonUrl":4049},{"id":3957},"Get our whitepaper to learn how attackers are exploiting MFA gaps and what security teams can do about it","sunny orange",{"sys":4077,"__typename":4052,"title":4078,"caption":4079,"layoutMode":118,"file":4080},{"id":1453},"Browser-based attacks like AITM phishing, ClickFix, and consent phishing have seen an unprecedented rise in recent years.","Browser-based attacks like AITM phishing, ClickFix, and consent phishing are the fastest-growing threats of 2025. 
",{"url":4081,"width":4082,"height":4083},"https://images.ctfassets.net/y1cdw1ablpvd/1eCBgB8nNDu5955f1BwFO6/b80d5cb43c7acd75e1a670d4ae22b2ec/Browser-based_attacks_graphic__1_.png",2012,1272,"content:blog:how-cyber-breaches-are-driving-tighter-mfa-requirements-and-enforcement.json","json","content","blog/how-cyber-breaches-are-driving-tighter-mfa-requirements-and-enforcement.json","blog/how-cyber-breaches-are-driving-tighter-mfa-requirements-and-enforcement",1776359983168]