[{"data":1,"prerenderedAt":4547},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":95,"navbar-about-highlight":155,"navbar-resource-highlight":211,"use-case-page":256,"blog/how-many-vulnerable-identities-do-you-have":1276},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8,59,76],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":14,"data":15,"variations":50,"lastUpdated":51,"firstPublished":52,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":54,"meta":55,"rev":58},1742213002749,"efff2a27faf4408e9f908eba4b5542fe","inductive-automation","1c6207a5f24948ab82d4a0b17f251193","published",[],{"testimonial":16,"description":43,"type":19,"link":44,"title":47,"testimonialLink":48,"image":49},{"@type":17,"id":18,"model":19,"value":20},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79","testimonial",{"query":21,"folders":22,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":26,"variations":30,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":35,"rev":42},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":27,"jobTitle":28,"quote":24,"image":29},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,1,"ST0tXQM8slWpFrmioqKHmENB2qe2",{"kind":36,"lastPreviewUrl":37,"breakpoints":38,"hasAutosaves":41},"data","",{"small":39,"medium":40},640,768,true,"3v32gocrrqz","Join the industry's top security minds as they break down the browser attack landscape.",{"url":45,"text":46},"https://pushsecurity.com/webinar/state-of-browser-security","Save Your Spot","State of Browser Attacks 
Series","/customer-stories/inductive-automation","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe94fca10aa7b46ac8052b7ea22de54cd",{},1776257019270,1742221533648,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2",[],{"breakpoints":56,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},320,"motto9r9yg",{"createdDate":60,"id":61,"name":62,"modelId":12,"published":13,"query":63,"data":64,"variations":69,"lastUpdated":70,"firstPublished":71,"testRatio":33,"createdBy":53,"lastUpdatedBy":72,"folders":73,"meta":74,"rev":58},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner",[],{"type":65,"url":66,"text":67,"link":68},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,"jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":36,"lastPreviewUrl":37,"breakpoints":75,"hasAutosaves":41},{"xsmall":57,"small":39,"medium":40},{"createdDate":77,"id":78,"name":79,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":80,"data":81,"variations":89,"lastUpdated":90,"firstPublished":91,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":92,"meta":93,"rev":58},1742208469288,"6763051b201f44a0838c6400c580ca67","Resource highlight",[],{"image":82,"type":83,"description":84,"link":85,"title":88},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9","resource","Learn about the latest techniques being used in the wild.",{"url":86,"text":87},"/resources/browser-attacks-report","Download now","Report: 2026 Browser Attack 
Techniques",{},1776255866789,1742208570400,[],{"kind":36,"lastPreviewUrl":37,"breakpoints":94,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},{"createdDate":96,"id":97,"name":98,"modelId":99,"published":13,"query":100,"data":101,"variations":145,"lastUpdated":146,"firstPublished":147,"testRatio":33,"createdBy":34,"lastUpdatedBy":148,"folders":149,"meta":150,"rev":154},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":102,"text":103,"url":37,"blocks":104,"state":141},"ewrererw","testrfesssssssssss",[105,129],{"@type":106,"@version":107,"id":108,"component":109,"responsiveStyles":119},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":110,"tag":110,"options":111,"isRSC":118},"TopBannerContent",{"text":112,"ctaText":46,"url":45,"mainText":113,"cta":116},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks",{"content":114,"fontSize":115},"\u003Cp>New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks\u003C/p>","text-base",{"content":117,"fontSize":115,"url":45},"\u003Cp>\u003Cstrong style=\"font-weight:700;\">Save Your 
Spot\u003C/strong>\u003C/p>\n",null,{"large":120},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"marginTop":126,"marginBottom":126,"fontSize":127,"fontWeight":128},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"id":130,"@type":106,"tagName":131,"properties":132,"responsiveStyles":136},"builder-pixel-08zrjigffq5t","img",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":137},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},"block","hidden","none",{"deviceSize":142,"location":143},"large",{"path":37,"query":144},{},{},1775137295127,1774968080803,"ax7YYfD0OCeqT1Vxxv1G4FUbqVr1",[],{"breakpoints":151,"hasLinks":6,"kind":152,"lastPreviewUrl":153,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests%2CmergePullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default","2lvuonnywj",[156,180],{"createdDate":157,"id":158,"name":159,"modelId":160,"published":13,"stageModifiedSincePublish":6,"query":161,"data":162,"variations":173,"lastUpdated":174,"firstPublished":175,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":176,
"meta":177,"rev":179},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":163,"type":19,"testimonialLink":48,"testimonial":164},{},{"@type":17,"id":18,"model":19,"value":165},{"query":166,"folders":167,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":168,"variations":169,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":170,"rev":172},[],[],{"author":27,"jobTitle":28,"quote":24,"image":29},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":171,"hasAutosaves":41},{"small":39,"medium":40},"7t755zfvte3",{},1776247404986,1776247404973,[],{"breakpoints":178,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"4moh0qpywtr",{"createdDate":181,"id":182,"name":88,"modelId":160,"published":13,"meta":183,"stageModifiedSincePublish":6,"query":185,"data":186,"variations":207,"lastUpdated":208,"firstPublished":209,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":210,"rev":179},1776255761419,"05a9322735fc427db12e2740e4302300",{"breakpoints":184,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[],{"testimonial":187,"link":206,"type":83,"title":88,"description":84,"image":82},{"@type":17,"id":188,"model":19,"value":189},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":190,"folders":191,"createdDate":192,"id":188,"name":193,"modelId":25,"published":13,"data":194,"variations":200,"lastUpdated":201,"firstPublished":202,"testRatio":33,"createdBy":34,"lastUpdatedBy":53,"meta":203,"rev":205},[],[],1728981467463,"Push does for identity what CrowdStrike did for the 
endpoint",{"video":195,"jobTitle":196,"author":197,"qoute":37,"quote":198,"image":199},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":36,"lastPreviewUrl":37,"breakpoints":204,"hasAutosaves":41},{"small":39,"medium":40},"6s8ic0w0ao6",{"text":87,"url":86},{},1776255810913,1776255810900,[],[212,235],{"createdDate":213,"id":214,"name":88,"modelId":215,"published":13,"meta":216,"stageModifiedSincePublish":6,"query":218,"data":219,"variations":230,"lastUpdated":231,"firstPublished":232,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":233,"rev":234},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":217,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[],{"testimonial":220,"link":229,"type":83,"title":88,"description":84,"image":82},{"@type":17,"id":188,"model":19,"value":221},{"query":222,"folders":223,"createdDate":192,"id":188,"name":193,"modelId":25,"published":13,"data":224,"variations":225,"lastUpdated":201,"firstPublished":202,"testRatio":33,"createdBy":34,"lastUpdatedBy":53,"meta":226,"rev":228},[],[],{"video":195,"jobTitle":196,"author":197,"qoute":37,"quote":198,"image":199},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":227,"hasAutosaves":41},{"small":39,"medium":40},"r77qqueuo3j",{"text":87,"url":86},{},1776256937553,1776256937540,[],"q0jkez80wkg",{"createdDate":236,"id":237,"name":11,"modelId":215,"published":13,"stageModifiedSincePublish":6,"query":238,"data":239,"variations
":250,"lastUpdated":251,"firstPublished":252,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":253,"meta":254,"rev":234},1776256949234,"ce043785b71b4ece98eac811ecf4ba10",[],{"link":240,"type":19,"testimonial":241,"testimonialLink":48},{},{"@type":17,"id":18,"model":19,"value":242},{"query":243,"folders":244,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":245,"variations":246,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":247,"rev":249},[],[],{"author":27,"jobTitle":28,"quote":24,"image":29},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":248,"hasAutosaves":41},{"small":39,"medium":40},"mnaneamy308",{},1776256974140,1776256974130,[],{"breakpoints":255,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[257,441,560,679,797,917,1037,1157],{"createdDate":258,"id":259,"name":260,"modelId":261,"published":13,"stageModifiedSincePublish":6,"query":262,"data":268,"variations":429,"lastUpdated":430,"firstPublished":431,"testRatio":33,"screenshot":432,"createdBy":34,"lastUpdatedBy":433,"folders":434,"meta":435,"rev":440},1744829487099,"387451215c314dd5bd654668cdc1a197","Zero-day phishing","cca4143377554c5a9163cc203a8ed2ba",[263],{"@type":264,"property":265,"operator":266,"value":267},"@builder.io/core:Query","urlPath","is","/uc/zero-day-phishing-protection",{"inputs":269,"customFonts":270,"seoTitle":318,"title":318,"tsCode":37,"seoDescription":319,"fontAwesomeIcon":320,"jsCode":37,"blocks":321,"url":267,"state":426},[],[271],{"family":272,"kind":273,"version":274,"lastModified":275,"files":276,"category":295,"menu":296,"subsets":297,"variants":300},"DM 
Sans","webfonts#webfont","v14","2023-07-13",{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"800italic":285,"900italic":286,"700italic":287,"100italic":288,"italic":289,"regular":290,"200italic":291,"500italic":292,"300italic":293,"600italic":294},"https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAop1hTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwA_JxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAkJxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAfJthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwARZthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAC5thTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8gCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9uCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDG3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19Dks
Vat-7DW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat_XDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9XCm3zRmYJpso5.ttf","sans-serif","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxRT23z.ttf",[298,299],"latin","latin-ext",[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"100","200","300","regular","500","600","800","900","100italic","200italic","300italic","italic","500italic","600italic","700italic","800italic","900italic","Zero-day phishing protection","Detect phishing TTPs directly in the browser and stop credential theft.","faFishingRod",[322,421],{"@type":106,"@version":107,"tagName":323,"id":324,"children":325},"div","builder-76c6b8d1499346c7bc1fd56ae4e93638",[326,343,351,358,370,385,396,407,413],{"@type":106,"@version":107,"layerName":327,"id":328,"component":329,"responsiveStyles":340},"UseCaseHero","builder-5228fe062bef4a40a91e43f1112832fa",{"name":327,"options":330,"isRSC":118},{"title":318,"description":331,"points":332,"video":339},"\u003Cp>Push detects phishing as it happens. Autonomous agents hunt for new phishing techniques, identify kit signatures, and deploy detections within minutes of a new attack being analyzed. 
From cloned login pages to AiTM credential harvesting, Push sees what traditional filters miss and stops threats before they escalate.\u003C/p>",[333,335,337],{"item":334},"Detect phishing that bypasses traditional filters, including AiTM, SSO password theft, and fake login pages",{"item":336},"Stop never-before-seen attacks with AI-native behavioral and on-page analysis inside the browser",{"item":338},"Investigate faster with unified browser, user, and page context","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F40433ceeb4f94b43a82e039a0f4fd411%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=40433ceeb4f94b43a82e039a0f4fd411&alt=media&optimized=true",{"large":341},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},"transparent",{"@type":106,"@version":107,"id":344,"component":345,"responsiveStyles":348},"builder-96634044407e491299e291ed64669e39",{"name":346,"options":347,"isRSC":118},"TrustedBy",{"AllPartners":41,"backgroundTransparent":6},{"large":349},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},"#000",{"@type":106,"@version":107,"id":352,"component":353,"responsiveStyles":356},"builder-2c3768f930534557bb8978e32b6a6a0f",{"name":354,"options":355,"isRSC":118},"Diagonal",{"darkMode":41},{"large":357},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":359,"id":360,"component":361,"responsiveStyles":368},"TextImageBlockVertical","builder-7c3c1c2840424db2ad2ccbfaf382dd64",{"name":359,"tag":359,"options":362,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":365,"description":366,"animatedTitle":37,"image":367,"reverse":6,"descriptionPaddingHorizontal":118},1200,800,"\u003Ch2>Why stop at the inbox?\u003C/h2>","\u003Cp>Phishing attacks have evolved. 
Whether attackers lure users with QR codes, instant messages, or OAuth consent screens, the outcome is the same: it plays out in the browser. Push gives you real-time detection for in-browser threats, stopping phishing and consent-based attacks before they lead to compromise\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7fdcac241f0e4a049166d7076858adeb",{"large":369},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":371,"component":372,"responsiveStyles":380},"builder-41c978b3669749cf947e622b4e79e4d7",{"name":373,"options":374,"isRSC":118},"TextImageBlockHorizontal",{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":377,"description":378,"reverse":41,"image":379},600,100,"\u003Cp>Detect phishing at the edge\u003C/p>","\u003Cp>Push uses industry-first telemetry to detect phishing based on behavior, not static indicators. Autonomous agents analyze how phishing pages behave and how users interact with them, uncovering fake logins, credential theft, and phishing kits the moment they load in the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F9df3d180c97b4e61af142af2ccd68721",{"large":381},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},"DM Sans, sans-serif","20px","0px",{"@type":106,"@version":107,"id":386,"component":387,"responsiveStyles":393},"builder-d2a7bc941feb43cdb898bc116b203cf9",{"name":373,"options":388,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":390,"description":391,"reverse":6,"image":392},120,"\u003Ch2>Go beyond blocklists and IOCs\u003C/h2>","\u003Cp>Push goes beyond URLs and easy-to-change indicators. 
It reads the full phishing playbook like script behavior, session hijacks, DOM changes, user inputs, then connects the dots in real time. This gives your team a complete picture of how the phishing attempt worked, not just an alert.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fabfd58db169b433e96d3f1261797156e",{"large":394},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},"36px",{"@type":106,"@version":107,"layerName":373,"id":397,"component":398,"responsiveStyles":404},"builder-42c32198083f4880acb37c5cb76934da",{"name":373,"options":399,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":401,"description":402,"reverse":41,"image":403},140,"\u003Ch2>Enhance your phishing response\u003C/h2>","\u003Cp>When phishing enters your environment, speed matters. Push gives you instant access to the telemetry that counts like session data, user behavior, and page activity, so you can investigate fast, trigger in-browser prompts, or forward alerts to your SIEM or SOAR for response. 
All in real time, right from the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fbb195aec46904056b85e8688629e558e",{"large":405},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},"47px",{"@type":106,"@version":107,"id":408,"component":409,"responsiveStyles":411},"builder-9a95b9cbc4854421a92ef7b90f6c7adb",{"name":354,"options":410,"isRSC":118},{"darkMode":6},{"large":412},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":414,"component":415,"responsiveStyles":419},"builder-0afa17a9f25c4661a90f314d5578aa18",{"name":416,"tag":416,"options":417,"isRSC":118},"LatestResources",{"sectionHeading":37,"customClass":418},"bg-black",{"large":420},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":422,"@type":106,"tagName":131,"properties":423,"responsiveStyles":424},"builder-pixel-21yj6h3p4wh",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":425},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":427},{"path":37,"query":428},{},{},1776275046831,1745499158657,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fff60c30a8442489c8ed7e0af9599d14f","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"lastPreviewUrl":436,"winningTest":118,"breakpoints":437,"kind":438,"hasLinks":6,"originalContentId":439,"hasAutosaves":6},"https://pushsecurity.com/uc/zero-day-phishing-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&
builder.overrides.use-case-page=387451215c314dd5bd654668cdc1a197&builder.overrides.387451215c314dd5bd654668cdc1a197=387451215c314dd5bd654668cdc1a197&builder.overrides.use-case-page:/uc/zero-day-phishing-protection=387451215c314dd5bd654668cdc1a197&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},"page","2daa5670b8504fc7ba4700633e8bd921","atvz4dp24b7",{"createdDate":442,"id":443,"name":444,"modelId":261,"published":13,"stageModifiedSincePublish":6,"query":445,"data":448,"variations":552,"lastUpdated":553,"firstPublished":554,"testRatio":33,"screenshot":555,"createdBy":34,"lastUpdatedBy":433,"folders":556,"meta":557,"rev":440},1756833377777,"54f8256648f54d439303734b1e69221b","Browser extension security",[446],{"@type":264,"property":265,"operator":266,"value":447},"/uc/browser-extension-security",{"seoDescription":449,"jsCode":37,"fontAwesomeIcon":450,"tsCode":37,"title":444,"seoTitle":444,"customFonts":451,"inputs":456,"blocks":457,"url":447,"state":549},"Shine a light on risky browser extensions.","faPuzzlePiece",[452],{"kind":273,"family":272,"version":274,"files":453,"category":295,"lastModified":275,"subsets":454,"variants":455,"menu":296},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"100italic":288,"italic":289,"regular":290,"900italic":286,"800italic":285,"700italic":287,"200italic":291,"300italic":293,"500italic":292,"600italic":294},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],[],[458,544],{"@type":106,"@version":107,"tagName":323,"id":459,"meta":460,"children":461},"builder-71d0648c1d2f4ede8d0d0b5b28b7b94c",{"previousId":324},[462,478,485,492,501,511,521,531,538],{"@type":106,"@version":107,"id":463,"meta":464,"component":465,"responsiveStyles":476},"builder-ff325b4b8fad4edea53f38865947e854",{"previousId":328},{"name":327,"options":466,"isRSC":118},{"title":444,"description":467,"points":468,"video":475},"\u003Cp>Browser extensions introduce new code, new 
permissions, and new potential for risk. Many include AI features, and most go completely unnoticed. Push gives you full visibility into every extension used across your workforce, across major browsers, so you can uncover shadow IT, assess risky permissions, and block unsafe tools before they lead to compromise.\u003C/p>",[469,471,473],{"item":470},"Discover every browser extension in use",{"item":472},"Spot risky or unsanctioned behavior",{"item":474},"Make informed decisions on extension policy","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc538aad95d7f403aa3c3551af72f67c0?alt=media&token=1411fa6d-2eac-4e6c-94bf-ea117da12d67&apiKey=f3a1111ff5be48cdbb123cd9f5795a05",{"large":477},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":479,"meta":480,"component":481,"responsiveStyles":483},"builder-fb89d128c64e47cf9cbb11d90fc24523",{"previousId":344},{"name":346,"options":482,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":484},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":486,"meta":487,"component":488,"responsiveStyles":490},"builder-54388d35126c4d0096eeebaf8c4448cd",{"previousId":352},{"name":354,"options":489,"isRSC":118},{"darkMode":41},{"large":491},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":359,"id":493,"component":494,"responsiveStyles":499},"builder-3c8fa6785dd6466abf52a2470d66d85a",{"name":359,"tag":359,"options":495,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":496,"description":497,"image":498,"reverse":6},"\u003Ch2>Take control of browser extensions\u003C/h2>","\u003Cp>Attackers are increasingly using malicious browser extensions to gain access to data processed and stored in the browser. 
And the problem is, most security teams have no visibility into what extensions are being used. Push changes that. With browser-native telemetry, the Push extension continuously inventories browser extensions across your environment, flags the risky ones, and gives you intelligence to act.&nbsp;\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0a004f16a6874f4c8fdf14344acc9fec",{"large":500},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":502,"meta":503,"component":504,"responsiveStyles":509},"builder-93738f98109a4009affb349afd7bb182",{"previousId":371},{"name":373,"options":505,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":506,"description":507,"reverse":41,"image":508},"\u003Ch2>Discover every extension in use\u003C/h2>","\u003Cp>Push gives you structured, searchable data about every extension in your environment, so you’re not just seeing what’s there, but also understanding how it got there, what it can do, and who it affects. 
It’s the kind of granular insight that’s nearly impossible to get from traditional tools, and it lays the groundwork for better policy decisions and faster investigations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0e5727ca99474f14b1b7916bf6bbb782",{"large":510},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":512,"meta":513,"component":514,"responsiveStyles":519},"builder-83393acb12ee4fdd840839185b51edb4",{"previousId":386},{"name":373,"options":515,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":516,"description":517,"reverse":6,"image":518},"\u003Ch2>Spot risky or malicious extensions\u003C/h2>","\u003Cp>Push highlights extensions with dangerous permissions, broad access, or poor reputations. This includes AI extensions that request access far beyond what their stated purpose requires. You can quickly detect sideloaded, manually installed, or development-mode extensions that bypass normal controls. And because Push shows you who’s using them and where, you can respond precisely and effectively.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa104d58c8da34fbb8901f738fb21453b",{"large":520},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":522,"meta":523,"component":524,"responsiveStyles":529},"builder-da98e3de949646d89c53a0d1c2784664",{"previousId":397},{"name":373,"options":525,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":526,"description":527,"reverse":41,"image":528},"\u003Ch2>Accelerate security reviews\u003C/h2>","\u003Cp>Most teams have extension policies, they just don’t have the data to enforce them. 
Push reveals how each extension entered your environment, whether it was installed manually, sideloaded, or deployed in dev mode. You’ll see which users are running what, and where, so you can surface violations, investigate quickly, and respond with confidence.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F229f355be6f243b180f410d237a75bb3",{"large":530},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":532,"meta":533,"component":534,"responsiveStyles":536},"builder-1a689287d1a1418997d57db578a71105",{"previousId":408},{"name":354,"options":535,"isRSC":118},{"darkMode":6},{"large":537},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":539,"component":540,"responsiveStyles":542},"builder-feb4e75029f84c10b6498ef1f8f79128",{"name":416,"tag":416,"options":541,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":543},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":545,"@type":106,"tagName":131,"properties":546,"responsiveStyles":547},"builder-pixel-0edn39avfcei",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":548},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":550},{"path":37,"query":551},{},{},1776275365038,1757000441666,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8d496cf111644ee5afcc046b72d1ca5a",[],{"kind":438,"winningTest":118,"breakpoints":558,"lastPreviewUrl":559,"hasLinks":6,"originalContentId":259,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/browser-extension-security?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2Cc
reateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=54f8256648f54d439303734b1e69221b&builder.overrides.54f8256648f54d439303734b1e69221b=54f8256648f54d439303734b1e69221b&builder.overrides.use-case-page:/uc/browser-extension-security=54f8256648f54d439303734b1e69221b&builder.options.locale=Default",{"createdDate":561,"id":562,"name":563,"modelId":261,"published":13,"query":564,"data":567,"variations":670,"lastUpdated":671,"firstPublished":672,"testRatio":33,"screenshot":673,"createdBy":34,"lastUpdatedBy":674,"folders":675,"meta":676,"rev":440},1744923509705,"94bebb7bb99d48629ad157e80cf4d81d","Account takeover detection",[565],{"@type":264,"property":265,"operator":266,"value":566},"/uc/account-takeover-detection",{"title":563,"customFonts":568,"jsCode":37,"seoTitle":563,"seoDescription":573,"fontAwesomeIcon":574,"tsCode":37,"blocks":575,"url":566,"state":667},[569],{"kind":273,"category":295,"variants":570,"menu":296,"files":571,"family":272,"subsets":572,"version":274,"lastModified":275},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"300italic":293,"500italic":292,"800italic":285,"700italic":287,"italic":289,"900italic":286,"600italic":294,"200italic":291,"regular":290,"100italic":288},[298,299],"Stop ATO with stolen credential and compromised token 
detection.","faUserSecret",[576,662],{"@type":106,"@version":107,"tagName":323,"id":577,"meta":578,"children":579},"builder-e7913a774cae44c5a23d6081c5c30a52",{"previousId":324},[580,596,603,610,619,629,639,649,656],{"@type":106,"@version":107,"id":581,"meta":582,"component":583,"responsiveStyles":594},"builder-f1f1ab1601bc4c0f8c2a8aafd173675d",{"previousId":328},{"name":327,"options":584,"isRSC":118},{"title":563,"description":585,"points":586,"video":593},"\u003Cp>Attackers don’t need to phish, they just need a password that works. Push monitors for signs of credential-based attacks in real time, directly in the browser, catching account takeover attempts before the damage spreads. From ghost logins to credential stuffing, Push cuts off the paths attackers use to quietly slip in the back door.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[587,589,591],{"item":588},"Identify credential-based ATO as it unfolds",{"item":590},"Surface hijacked sessions and token misuse",{"item":592},"Strengthen authentication where your IdP 
can’t","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb4dd9db24bc9495b8a686b1b4d492016%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=b4dd9db24bc9495b8a686b1b4d492016&alt=media&optimized=true",{"large":595},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":597,"meta":598,"component":599,"responsiveStyles":601},"builder-0bc0d1c78ece4994993c3a6427a4d533",{"previousId":344},{"name":346,"options":600,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":602},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":604,"meta":605,"component":606,"responsiveStyles":608},"builder-e45de8f3768c4f16938dbf78e4e87524",{"previousId":352},{"name":354,"options":607,"isRSC":118},{"darkMode":41},{"large":609},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":611,"component":612,"responsiveStyles":617},"builder-c98e8bfd341146c1b67c02d5698ff093",{"name":359,"tag":359,"options":613,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":614,"description":615,"image":616,"reverse":6},"\u003Ch2>Assume less. See more.\u003C/h2>","\u003Cp>Most account takeovers don’t start with a breach, they start with a login. Whether it’s a reused password, a local account, or an outdated login flow, Push shows you how accounts are actually accessed day to day, not just how policies say they should be. 
That means no more blind spots around ghost logins, bypassed SSO, or stale access paths that quietly persist.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F18630ad2746d4eb7b7fcc0428b11a8f0",{"large":618},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":620,"meta":621,"component":622,"responsiveStyles":627},"builder-55c1fc38ddc04fd1a0d6a8e2fb819e00",{"previousId":371},{"name":373,"options":623,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":624,"description":625,"reverse":41,"image":626},"\u003Ch2>Catch stolen credential use in real time\u003C/h2>","\u003Cp>Push monitors login activity directly in the browser to detect signs of credential-based attacks like leaked password use or suspicious login flows. By analyzing attacker TTPs instead of relying on known indicators, Push spots credential stuffing and account takeover attempts the moment they begin, not after they’ve succeeded.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F52b0123cac2c4dfdb1dc0af6adf9d603",{"large":628},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":630,"meta":631,"component":632,"responsiveStyles":637},"builder-dfb31737b30948c6b95323655d571a50",{"previousId":386},{"name":373,"options":633,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":634,"description":635,"reverse":6,"image":636},"\u003Ch2>Detect session hijacks and stealth access\u003C/h2>","\u003Cp>Attackers don’t always need a login screen, they often sidestep it entirely using stolen session tokens. 
Push detects when valid sessions are reused in unexpected ways, identifying hijacked sessions and stealth access attempts that traditional tools miss. Because we monitor directly in the browser, you see what’s happening inside active sessions in real time.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F94a6859a99e04d309ffe5841f3dbdf5c",{"large":638},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":640,"meta":641,"component":642,"responsiveStyles":647},"builder-f7585b90eb974d03a7dc7eae5b58d227",{"previousId":397},{"name":373,"options":643,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":644,"description":645,"reverse":41,"image":646},"\u003Ch2>Harden accounts before they’re compromised\u003C/h2>","\u003Cp>Push goes beyond alerts. It identifies apps that still allow local logins, even when SSO is configured, so you can remove weak access paths. 
Push also flags users without MFA, reused work credentials, or weak passwords, and prompts users in-browser to fix risky behaviors before they’re exploited.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01c1b638f1b6497093a4f2b8ceddb5bb",{"large":648},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":650,"meta":651,"component":652,"responsiveStyles":654},"builder-ad81d1e3afec49a791214194eae09bdc",{"previousId":408},{"name":354,"options":653,"isRSC":118},{"darkMode":6},{"large":655},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":657,"component":658,"responsiveStyles":660},"builder-8dac1aa4b9d148628d92252bd8eff822",{"name":416,"tag":416,"options":659,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":661},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":663,"@type":106,"tagName":131,"properties":664,"responsiveStyles":665},"builder-pixel-s5u3wmvz7jq",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":666},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":668},{"path":37,"query":669},{},{},1770892814499,1745499162732,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F58b660fa94aa4b30b0faeb9b663ae41a","SfUPqW5tkibIPby49keNFMdHFTr1",[],{"lastPreviewUrl":677,"hasLinks":6,"originalContentId":259,"breakpoints":678,"winningTest":118,"kind":438,"hasAutosaves":41},"https://pushsecurity.com/uc/account-takeover-detection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepo
sitory%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.94bebb7bb99d48629ad157e80cf4d81d=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.use-case-page:/uc/account-takeover-detection=94bebb7bb99d48629ad157e80cf4d81d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":680,"id":681,"name":682,"modelId":261,"published":13,"query":683,"data":686,"variations":789,"lastUpdated":790,"firstPublished":791,"testRatio":33,"screenshot":792,"createdBy":34,"lastUpdatedBy":674,"folders":793,"meta":794,"rev":440},1745009370904,"23eb48fb56d3451cab77cb6ed140ee6d","Attack path hardening",[684],{"@type":264,"property":265,"operator":266,"value":685},"/uc/attack-path-hardening",{"tsCode":37,"seoDescription":687,"jsCode":37,"customFonts":688,"fontAwesomeIcon":693,"seoTitle":682,"title":682,"blocks":694,"url":685,"state":786},"Harden access paths with visibility, detection, and 
guardrails.",[689],{"kind":273,"files":690,"version":274,"lastModified":275,"subsets":691,"menu":296,"category":295,"variants":692,"family":272},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"regular":290,"italic":289,"800italic":285,"500italic":292,"600italic":294,"200italic":291,"900italic":286,"700italic":287,"100italic":288,"300italic":293},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"faRadar",[695,781],{"@type":106,"@version":107,"tagName":323,"id":696,"meta":697,"children":698},"builder-1d8553eddcaa44d7bba9e2f4ca13af2a",{"previousId":577},[699,715,722,729,738,748,758,768,775],{"@type":106,"@version":107,"id":700,"meta":701,"component":702,"responsiveStyles":713},"builder-84fe3d7c85a743cf8cef649aa974f1ef",{"previousId":581},{"name":327,"options":703,"isRSC":118},{"title":682,"description":704,"points":705,"video":712},"\u003Cp>Push continuously monitors your environment for exposed login paths, weak credentials, and missing protections like MFA. 
It detects the gaps attackers exploit and helps you close them before they’re used.\u003C/p>",[706,708,710],{"item":707},"Find weak spots like reused passwords, local logins, and missing MFA",{"item":709},"Monitor how users actually log in across apps, flows, and tools",{"item":711},"Enforce secure access with in-browser guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fdbdcf52892034f1bbddded77f753a343%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=dbdcf52892034f1bbddded77f753a343&alt=media&optimized=true",{"large":714},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":716,"meta":717,"component":718,"responsiveStyles":720},"builder-b3f66f5b08054cc78a06fecfc3ae2337",{"previousId":597},{"name":346,"options":719,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":721},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":723,"meta":724,"component":725,"responsiveStyles":727},"builder-4c73418b84be49ed85e6e13d2625c5a0",{"previousId":604},{"name":354,"options":726,"isRSC":118},{"darkMode":41},{"large":728},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":730,"component":731,"responsiveStyles":736},"builder-dec0246085e1485c803f7152b1922a81",{"name":359,"tag":359,"options":732,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":733,"description":734,"image":735,"reverse":6},"\u003Ch2>Find the gaps that lead to compromise\u003C/h2>","\u003Cp>Misconfigurations don’t show up in your config files, they show up in how users actually access apps. 
Push monitors real login behavior in the browser, surfacing risky patterns like local login access, duplicate accounts, or missing protections that leave doors wide open.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F309a59bba8d247a19476bb369397460e",{"large":737},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":739,"meta":740,"component":741,"responsiveStyles":746},"builder-ebf049a645604a249550996a88f8f3b6",{"previousId":620},{"name":373,"options":742,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":743,"description":744,"reverse":41,"image":745},"\u003Ch2>See real login behavior\u003C/h2>","\u003Cp>Push watches authentication flows as they happen, giving you a live view of how users log in, which methods they choose, and where protections like MFA are missing. Plus, uncover every app and account in use, even shadow IT you didn’t know existed, without relying on stale config files or IdP assumptions. \u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb51f6b0357cc451b87a7a5016d984e5e",{"large":747},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":749,"meta":750,"component":751,"responsiveStyles":756},"builder-431d175c59004669b0b2776b07d71737",{"previousId":630},{"name":373,"options":752,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":753,"description":754,"reverse":6,"image":755},"\u003Ch2>Find and fix posture drift\u003C/h2>","\u003Cp>Security posture isn’t static. Push continuously monitors for issues like missing MFA or legacy login methods. 
When something falls out of policy, you know immediately with custom notifications so you can act before it turns into risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F324e39127dfc41e592b1183dfb39892d",{"large":757},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":759,"meta":760,"component":761,"responsiveStyles":766},"builder-3dffdcbe0a484e2ca4c03f019b6d40ee",{"previousId":640},{"name":373,"options":762,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":763,"description":764,"reverse":41,"image":765},"\u003Ch2>Guide users with in-browser guardrails\u003C/h2>","\u003Cp>Push doesn’t just surface problems, it helps you fix them. When users sign in without MFA, reuse a password, or use insecure credentials, Push prompts them directly in the browser to secure their access. It’s faster, more effective, and actually gets 
results.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fee8b75d13e45488aba55434a8b49ebb0",{"large":767},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":769,"meta":770,"component":771,"responsiveStyles":773},"builder-976bc222cd7647ff905f1e01cfedc453",{"previousId":650},{"name":354,"options":772,"isRSC":118},{"darkMode":6},{"large":774},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":776,"component":777,"responsiveStyles":779},"builder-8c47ec2fd0f74382bb3e6c870555632c",{"name":416,"tag":416,"options":778,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":780},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":782,"@type":106,"tagName":131,"properties":783,"responsiveStyles":784},"builder-pixel-7akm7dayau8",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":785},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":787},{"path":37,"query":788},{},{},1770892844854,1745499166112,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6ca12bf728a045f1a31d40c0beb3bfe5",[],{"kind":438,"lastPreviewUrl":795,"breakpoints":796,"hasLinks":6,"originalContentId":562,"winningTest":118,"hasAutosaves":6},"https://pushsecurity.com/uc/attack-path-hardening?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&buil
der.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.23eb48fb56d3451cab77cb6ed140ee6d=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.use-case-page:/uc/attack-path-hardening=23eb48fb56d3451cab77cb6ed140ee6d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":798,"id":799,"name":800,"modelId":261,"published":13,"query":801,"data":804,"variations":909,"lastUpdated":910,"firstPublished":911,"testRatio":33,"screenshot":912,"createdBy":34,"lastUpdatedBy":674,"folders":913,"meta":914,"rev":440},1761675020232,"ea4f309d2ffe46c5aa97ebf0fda4e2e3","ClickFix Protection",[802],{"@type":264,"property":265,"operator":266,"value":803},"/uc/clickfix-protection",{"seoDescription":805,"fontAwesomeIcon":806,"customFonts":807,"seoTitle":812,"jsCode":37,"tsCode":37,"title":812,"blocks":813,"url":803,"state":906},"Block attacks that trick users into running malicious code.","faLaptopCode",[808],{"files":809,"subsets":810,"menu":296,"version":274,"kind":273,"family":272,"lastModified":275,"variants":811,"category":295},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"200italic":291,"800italic":285,"700italic":287,"600italic":294,"100italic":288,"italic":289,"regular":290,"300italic":293,"500italic":292,"900italic":286},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"ClickFix 
protection",[814,901],{"@type":106,"@version":107,"tagName":323,"id":815,"meta":816,"children":817},"builder-d7eefdde0f2a4b2b9de3dcb2978fd6cb",{"previousId":696},[818,834,841,848,858,868,878,888,895],{"@type":106,"@version":107,"id":819,"meta":820,"component":821,"responsiveStyles":832},"builder-56e2c54bcce040a4af8b92ae03706c12",{"previousId":700},{"name":327,"options":822,"isRSC":118},{"title":812,"description":823,"points":824,"image":831},"\u003Cp>ClickFix attacks are one of the fastest-growing threats, tricking users into copying malicious code from a webpage and running it locally. This technique bypasses traditional EDR, email gateways, and network filters, leading directly to ransomware and data theft. Push stops this attack at the source, in the browser, by detecting and blocking the malicious behavior before the user can ever paste the code.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[825,827,829],{"item":826},"Detect ClickFix, FileFix, and fake CAPTCHA in the browser",{"item":828},"Block malicious copy-and-paste actions before code is executed",{"item":830},"See full telemetry into which users were targeted and what they 
saw","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b74af62889847ebb3927364485b0546",{"large":833},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":835,"meta":836,"component":837,"responsiveStyles":839},"builder-05f9614d4e3e4dc88b3ee8658f54e10e",{"previousId":716},{"name":346,"options":838,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":840},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":842,"meta":843,"component":844,"responsiveStyles":846},"builder-c4fb5179366243c1b6c32d368675cf47",{"previousId":723},{"name":354,"options":845,"isRSC":118},{"darkMode":41},{"large":847},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":849,"meta":850,"component":851,"responsiveStyles":856},"builder-261af50705fd445d8cca4a6ba20d5391",{"previousId":730},{"name":359,"tag":359,"options":852,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":853,"description":854,"reverse":6,"image":855},"\u003Ch2>Stop ClickFix-style attacks before they become a breach\u003C/h2>","\u003Cp>Traditional security tools are blind to malicious copy-and-paste attacks because the attack exploits a gap between the browser and the endpoint. 
EDR only sees the payload after it runs, and network tools see only part of the picture.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F98b2f7e08dec4eafaf8e24937605b8cf",{"large":857},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":859,"meta":860,"component":861,"responsiveStyles":866},"builder-7d21b8aab8064c40b1e5dd23c4749309",{"previousId":739},{"name":373,"options":862,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":863,"description":864,"reverse":41,"image":865},"\u003Ch2>Discover lures at the source\u003C/h2>","\u003Cp>Push inspects page behavior to identify ClickFix attacks as they happen. By inspecting the page, its structure, and how the user interacts with it, Push can detect and block these in-browser threats in real time. This deep, TTP-based inspection spots the trap even on novel pages that are built to bypass traditional web filters and blocklists.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F665bf47e01544c75bf9ddafd3917927b",{"large":867},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":869,"meta":870,"component":871,"responsiveStyles":876},"builder-fb91943adf6149259ed9e1e6566c9afe",{"previousId":749},{"name":373,"options":872,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":873,"description":874,"reverse":6,"image":875},"\u003Ch2>Block the malicious action\u003C/h2>","\u003Cp>When Push detects a malicious script, it intercepts the user's action and blocks the code from being copied to the clipboard. The user is protected, the attack is stopped, and no malicious code ever reaches the endpoint. 
Unlike broad DLP tools, this action is surgical, targeting only malicious behavior without disrupting normal work.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F5ee68f81f1ac416685cbfe91298cf827",{"large":877},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":879,"meta":880,"component":881,"responsiveStyles":886},"builder-bfac95fada864e5a8259b955b5b5f98b",{"previousId":759},{"name":373,"options":882,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":883,"description":884,"reverse":41,"image":885},"\u003Ch2>Accelerate ClickFix investigations\u003C/h2>","\u003Cp>When an attack happens, knowing what the user saw or did is critical. Push provides rich browser session data for rapid investigation and containment. Security teams get detailed telemetry on which users were targeted, what lure they were served, and when the block occurred. 
This enables defenders to reconstruct what happened and respond quickly, even when other tools miss the activity entirely.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6cdf2a8aeddc4e9a9023cbf974e40239",{"large":887},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":889,"meta":890,"component":891,"responsiveStyles":893},"builder-136892e831684a6987f87d3be67c33d1",{"previousId":769},{"name":354,"options":892,"isRSC":118},{"darkMode":6},{"large":894},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":896,"component":897,"responsiveStyles":899},"builder-dec26b739f2f42beb5a73cfc6c675b60",{"name":416,"tag":416,"options":898,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":900},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":902,"@type":106,"tagName":131,"properties":903,"responsiveStyles":904},"builder-pixel-zzjpxxgrc2l",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":905},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":907},{"path":37,"query":908},{},{},1770892881888,1761847585203,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F375467b8bef34ed1a8a1cc5b8b67d75f",[],{"lastPreviewUrl":915,"originalContentId":681,"winningTest":118,"hasLinks":6,"kind":438,"breakpoints":916,"hasAutosaves":6},"https://pushsecurity.com/uc/clickfix-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.u
ser.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.ea4f309d2ffe46c5aa97ebf0fda4e2e3=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.use-case-page:/uc/clickfix-protection=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":918,"id":919,"name":920,"modelId":261,"published":13,"query":921,"data":924,"variations":1029,"lastUpdated":1030,"firstPublished":1031,"testRatio":33,"screenshot":1032,"createdBy":34,"lastUpdatedBy":674,"folders":1033,"meta":1034,"rev":440},1745009743870,"a9d5556e77f84a37b5bd52310a7110c1","Incident response",[922],{"@type":264,"property":265,"operator":266,"value":923},"/uc/incident-response",{"seoDescription":925,"customFonts":926,"title":920,"jsCode":37,"fontAwesomeIcon":931,"seoTitle":932,"tsCode":37,"blocks":933,"url":923,"state":1026},"Investigate and respond faster with unique browser telemetry.",[927],{"kind":273,"subsets":928,"menu":296,"variants":929,"category":295,"family":272,"version":274,"lastModified":275,"files":930},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"900italic":286,"600italic":294,"200italic":291,"300italic":293,"100italic":288,"700italic":287,"800italic":285,"regular":290,"italic":289,"500italic":292},"faSatelliteDish","Browser-based incident 
response",[934,1021],{"@type":106,"@version":107,"tagName":323,"id":935,"meta":936,"children":937},"builder-653c4aed737b4def88dc4cd2d695660a",{"previousId":696},[938,955,962,969,978,988,998,1008,1015],{"@type":106,"@version":107,"id":939,"meta":940,"component":941,"responsiveStyles":953},"builder-18190bd36518467d9154d27d7e945b9b",{"previousId":700},{"name":327,"options":942,"isRSC":118},{"title":943,"description":944,"points":945,"video":952},"Browser-based incident response","\u003Cp>Push gives you real-time visibility into what actually happened during a breach, right in the browser where the attack played out. From credential theft to session hijacking, Push captures high-fidelity telemetry so you can investigate quickly, contain confidently, and shut it down before it spreads.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[946,948,950],{"item":947},"Reconstruct what happened with real browser session context",{"item":949},"Investigate faster with real-world session context",{"item":951},"Trigger response actions automatically through your SIEM or 
SOAR","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fd00e39d3b6e346c296261d875cf55652%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=d00e39d3b6e346c296261d875cf55652&alt=media&optimized=true",{"large":954},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":956,"meta":957,"component":958,"responsiveStyles":960},"builder-8a0a8ea63f5d48dd8a6726f2d49cf0ca",{"previousId":716},{"name":346,"options":959,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":961},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":963,"meta":964,"component":965,"responsiveStyles":967},"builder-2df65c3f54334df2b26e7cb744886cdc",{"previousId":723},{"name":354,"options":966,"isRSC":118},{"darkMode":41},{"large":968},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":970,"component":971,"responsiveStyles":976},"builder-2c32c869efc2423ab69ef06b150e9f97",{"name":359,"tag":359,"options":972,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":973,"description":974,"image":975,"reverse":6},"\u003Ch2>See attacks unfold, not just their aftermath\u003C/h2>","\u003Cp>Attacks happen in the browser, not in logs. Push captures what traditional tools miss: what users clicked, what loaded, what was entered, and how attackers moved. 
That gives you real-world evidence, not just assumptions, when every second matters.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F36fc719bd1de4a38b916f4d25c81a26d",{"large":977},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":979,"meta":980,"component":981,"responsiveStyles":986},"builder-370e53c6016e432db01e9193a2ce90f6",{"previousId":739},{"name":373,"options":982,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":983,"description":984,"reverse":41,"image":985},"\u003Ch2>Investigate faster with high-fidelity data\u003C/h2>","\u003Cp>Reconstructing an incident shouldn’t feel like guesswork. Push records detailed telemetry from inside the browser: page loads, credential inputs, DOM changes, session activity, user behavior. It’s structured, exportable, and ready to plug into your investigation workflows, so you can move fast without digging through proxy logs or relying on user reports.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa6adda040e684e67a8d68a55c5ce5f6d",{"large":987},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":989,"meta":990,"component":991,"responsiveStyles":996},"builder-a7f3767a8d184bd08fb24520bf210e95",{"previousId":749},{"name":373,"options":992,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":993,"description":994,"reverse":6,"image":995},"\u003Ch2>Contain and respond in real time\u003C/h2>","\u003Cp>When something looks off, Push doesn’t just alert you, it gives you options. Guide users with in-browser prompts. Terminate sessions. Trigger SOAR workflows. Enrich SIEM alerts. 
Push gives you the context and control to stop spread before it starts.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb3dedeed5aba4847a2c2d22e10d0ec12",{"large":997},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":999,"meta":1000,"component":1001,"responsiveStyles":1006},"builder-b92036ee0ece4b32acdbdcc7c377366b",{"previousId":759},{"name":373,"options":1002,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1003,"description":1004,"reverse":41,"image":1005},"\u003Ch2>Prevent the next one\u003C/h2>","\u003Cp>Push helps you respond fast, but it also helps you fix what went wrong. It surfaces misconfigurations and risky behaviors that made the attack possible in the first place, then guides users in-browser to remediate. One tool. Full loop. No loose ends.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc1ecc2d5d3814b62b072fac01827ff96",{"large":1007},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1009,"meta":1010,"component":1011,"responsiveStyles":1013},"builder-5e8ae39655274de89da32ab573a2525a",{"previousId":769},{"name":354,"options":1012,"isRSC":118},{"darkMode":6},{"large":1014},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1016,"component":1017,"responsiveStyles":1019},"builder-dfd6850cfb4741d2b8a0c16c2780f00a",{"name":416,"tag":416,"options":1018,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1020},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1022,"@type":106,"tagName":131,"properties":1023,"responsiveStyles":1024},"builder-pixel-z197gdgcmu",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"lar
ge":1025},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1027},{"path":37,"query":1028},{},{},1770892908052,1745427419274,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb07017bfd318431690a5bb35bda35b99",[],{"kind":438,"breakpoints":1035,"originalContentId":681,"winningTest":118,"lastPreviewUrl":1036,"hasLinks":6,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/incident-response?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.a9d5556e77f84a37b5bd52310a7110c1=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.use-case-page:/uc/incident-response=a9d5556e77f84a37b5bd52310a7110c1&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"createdDate":1038,"id":1039,"name":1040,"modelId":261,"published":13,"query":1041,"data":1044,"variations":1149,"lastUpdated":1150,"firstPublished":1151,"testRatio":33,"screenshot":1152,"createdBy":34,"lastUpdatedBy":674,"folders":1153,"meta":1154,"rev":440},1746122471259,"5f118e24433d46ceb79f5099987156d7","Shadow SaaS",[1042],{"@type":264,"property":265,"operator":266,"value":1043},"/uc/shadow-saas",{"seoTitle":1045,"seoDescription":1046,"customFonts":1047,"fontAwesomeIcon":1052,"title":1053,"jsCode":37,"tsCode":37,"blocks":1054,"url":1043,"state":1146},"Find and secure shadow SaaS","See and 
control shadow SaaS in the browser.",[1048],{"kind":273,"variants":1049,"files":1050,"family":272,"version":274,"subsets":1051,"lastModified":275,"category":295,"menu":296},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"300italic":293,"500italic":292,"regular":290,"900italic":286,"italic":289,"100italic":288,"200italic":291,"600italic":294,"700italic":287,"800italic":285},[298,299],"faShieldCheck","Secure shadow SaaS",[1055,1141],{"@type":106,"@version":107,"tagName":323,"id":1056,"meta":1057,"children":1058},"builder-04da805c4cd34652a2db452fcda52e1d",{"previousId":935},[1059,1075,1082,1089,1098,1108,1118,1128,1135],{"@type":106,"@version":107,"id":1060,"meta":1061,"component":1062,"responsiveStyles":1073},"builder-830d414faeaf41439142f9157e8288c8",{"previousId":939},{"name":327,"options":1063,"isRSC":118},{"title":1045,"description":1064,"points":1065,"video":1072},"\u003Cp>SaaS sprawl is one of today’s fastest-growing security blind spots because most tools monitor around the edges. Push sees it at the source, in the browser, revealing every app users access, flagging risky tools, and helping you shut down exposure before it leads to a breach. No guesswork. No nasty surprises. 
Just real-time visibility and control.\u003C/p>",[1066,1068,1070],{"item":1067},"Discover every SaaS app users access, managed or not",{"item":1069},"Spot accounts with weak security postures like missing MFA, unmanaged access, and no SSO",{"item":1071},"Control usage with in-browser prompts, blocks, and security guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F3e4eece318d04d6586e691d59d0741cf%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=3e4eece318d04d6586e691d59d0741cf&alt=media&optimized=true",{"large":1074},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":1076,"meta":1077,"component":1078,"responsiveStyles":1080},"builder-cd7833f966cb4c7e8adf0d6c979414a6",{"previousId":956},{"name":346,"options":1079,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":1081},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":1083,"meta":1084,"component":1085,"responsiveStyles":1087},"builder-49d720b45430454e8b08c526f267c19f",{"previousId":963},{"name":354,"options":1086,"isRSC":118},{"darkMode":41},{"large":1088},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1090,"component":1091,"responsiveStyles":1096},"builder-3dde0bf6c8544e5e9ab41b18a9d68034",{"name":359,"tag":359,"options":1092,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":1093,"description":1094,"image":1095,"reverse":6},"\u003Ch2>Use your browser to curb Saas Sprawl\u003C/h2>","\u003Cp>Shadow SaaS isn’t hiding in your network, it’s in your browser. From AI tools to unsanctioned file-sharing sites, security risks live in the apps your users sign into every day. 
Push maps your organization's true SaaS footprint in real time, exposing apps and accounts with unmanaged access, poor authentication, or no security oversight.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb6811a214c7949b6bbe0b9a3bca62efd",{"large":1097},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1099,"meta":1100,"component":1101,"responsiveStyles":1106},"builder-e2420451ccdc4f088d0a4904cff45935",{"previousId":979},{"name":373,"options":1102,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":1103,"description":1104,"reverse":41,"image":1105},"\u003Ch2>Discover hidden SaaS usage\u003C/h2>","\u003Cp>Push captures live browser telemetry across every tab and session. Whether a user signs into a sanctioned app with a personal account or tries a new AI plugin, you’ll see it in real time, with no integrations or manual tagging.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe16e301f9af94665b95d98232a863d8a",{"large":1107},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":1109,"meta":1110,"component":1111,"responsiveStyles":1116},"builder-b36de7fce7994beea9e58d94662e7166",{"previousId":989},{"name":373,"options":1112,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":1113,"description":1114,"reverse":6,"image":1115},"\u003Ch2>Spot risky access and unsafe usage\u003C/h2>","\u003Cp>Discovery is just the beginning. Push flags apps with risky traits, no MFA, no SSO, known vulnerabilities, or broad access scopes. 
You’ll know which tools introduce real risk and which users are exposed, so you can act with precision.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6585f3c242da4d70ae3cb7d02f481bef",{"large":1117},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":1119,"meta":1120,"component":1121,"responsiveStyles":1126},"builder-dc366b5134684fe7a508edf8913103ea",{"previousId":999},{"name":373,"options":1122,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1123,"description":1124,"reverse":41,"image":1125},"\u003Ch2>Close gaps before they grow\u003C/h2>","\u003Cp>Push turns insight into action. When risky SaaS use is detected, guide users to enable MFA, block high-risk apps, or apply in-browser guardrails automatically. All without deploying new infrastructure or managing dozens of integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe6d60b6d91414819bc6258a318f00557",{"large":1127},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1129,"meta":1130,"component":1131,"responsiveStyles":1133},"builder-8708f6f0d8da4b3f9e17bf16cda70219",{"previousId":1009},{"name":354,"options":1132,"isRSC":118},{"darkMode":6},{"large":1134},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1136,"component":1137,"responsiveStyles":1139},"builder-8ff4b38d60534cf28cb523ab0f754875",{"name":416,"tag":416,"options":1138,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1140},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1142,"@type":106,"tagName":131,"properties":1143,"responsiveStyles":1144},"builder-pixel-d1ul2kmxbed",{"src":133,"aria-hidden":134,"alt":37,"role":135,"w
idth":124,"height":124},{"large":1145},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1147},{"path":37,"query":1148},{},{},1770892936802,1746714967208,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01bfb2304521412fbd2e1a1180904d40",[],{"originalContentId":919,"winningTest":118,"lastPreviewUrl":1155,"breakpoints":1156,"kind":438,"hasLinks":6,"hasAutosaves":6},"https://pushsecurity.com/uc/shadow-saas?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=5f118e24433d46ceb79f5099987156d7&builder.overrides.5f118e24433d46ceb79f5099987156d7=5f118e24433d46ceb79f5099987156d7&builder.overrides.use-case-page:/uc/shadow-saas=5f118e24433d46ceb79f5099987156d7&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":1158,"id":1159,"name":1160,"modelId":261,"published":13,"query":1161,"data":1164,"variations":1268,"lastUpdated":1269,"firstPublished":1270,"testRatio":33,"screenshot":1271,"createdBy":34,"lastUpdatedBy":674,"folders":1272,"meta":1273,"rev":440},1764707470172,"b62629ce2f3741158d961cd10fe74b31","Shadow AI",[1162],{"@type":264,"property":265,"operator":266,"value":1163},"/uc/shadow-ai",{"fontAwesomeIcon":1165,"seoTitle":1166,"jsCode":37,"customFonts":1167,"title":1172,"tsCode":37,"seoDescription":1173,"blocks":1174,"url":1163,"state":1265},"faBrainCircuit","Secure AI 
native and AI enhanced apps. ",[1168],{"variants":1169,"category":295,"files":1170,"subsets":1171,"family":272,"kind":273,"menu":296,"lastModified":275,"version":274},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"800italic":285,"regular":290,"700italic":287,"200italic":291,"italic":289,"500italic":292,"600italic":294,"300italic":293,"100italic":288,"900italic":286},[298,299],"Secure shadow AI","See and control shadow AI apps in the browser.",[1175,1260],{"@type":106,"@version":107,"tagName":323,"id":1176,"meta":1177,"children":1178},"builder-a6e5717a2c914d5695058e4ee201a05d",{"previousId":1056},[1179,1195,1202,1209,1219,1228,1237,1247,1254],{"@type":106,"@version":107,"id":1180,"meta":1181,"component":1182,"responsiveStyles":1193},"builder-3e0ed678683f4a0eb7aa00253cf263b2",{"previousId":1060},{"name":327,"options":1183,"isRSC":118},{"title":1172,"description":1184,"points":1185,"image":1192},"\u003Cp>Your employees are adopting AI faster than you can track it. From native features in corporate apps to unapproved shadow tools, it’s all happening in the browser. 
Push detects every AI interaction in real time, letting you categorize apps and enforce acceptable use policies in the browser.\u003C/p>",[1186,1188,1190],{"item":1187},"Map every AI tool used across your workforce",{"item":1189},"Review and classify apps by sensitivity, purpose, and policy status",{"item":1191},"Enforce AI usage rules directly in the browser","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F33cf153d920f4e389f3650253577cff7",{"large":1194},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":1196,"meta":1197,"component":1198,"responsiveStyles":1200},"builder-76968f8471d14893b8189d75b08fb426",{"previousId":1076},{"name":346,"options":1199,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":1201},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":1203,"meta":1204,"component":1205,"responsiveStyles":1207},"builder-b55b9d4bc5a649d8839ce7f6c2043d95",{"previousId":1083},{"name":354,"options":1206,"isRSC":118},{"darkMode":41},{"large":1208},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1210,"meta":1211,"component":1212,"responsiveStyles":1217},"builder-c3f38ef4d75d4989a29b5903175ed8a1",{"previousId":1090},{"name":359,"tag":359,"options":1213,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":1214,"description":1215,"image":1216,"reverse":6},"\u003Ch2>Use your browser to govern AI \u003C/h2>","\u003Cp>The AI footprint inside your company is bigger than you think. From text generators to meeting assistants and design copilots, employees test, adopt, and connect new tools constantly. 
Push shows you those tools and which users are accessing them, without relying on network scans or API integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F30b43bda6f1644c19478fb1efa20050c",{"large":1218},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1220,"meta":1221,"component":1222,"responsiveStyles":1226},"builder-90ee9cb9afc44e7f885523715bf51a53",{"previousId":1099},{"name":373,"options":1223,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":1224,"description":1225,"reverse":41,"image":1115},"\u003Ch2>Discover every AI tool users touch\u003C/h2>","\u003Cp>Push captures live telemetry from the browser, identifying every AI-native and AI-enhanced application users access. You’ll know which corporate identities are connected, how data flows, and what new AI apps appear across your environment. \u003C/p>",{"large":1227},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":1229,"meta":1230,"component":1231,"responsiveStyles":1235},"builder-9e44539fa53c4d8e87406036c921fc46",{"previousId":1109},{"name":373,"options":1232,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":1233,"description":1234,"reverse":6,"image":1125},"\u003Ch2>Classify and manage AI risk\u003C/h2>","\u003Cp>For apps you choose to allow, Push lets you apply custom in-browser banners. You can bulk-select categories of AI tools and require users to read and acknowledge your acceptable use policy before they proceed. 
This creates an auditable trail and moves policy from an easy-to-forget document to an active, in-workflow control.\u003C/p>",{"large":1236},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":1238,"meta":1239,"component":1240,"responsiveStyles":1245},"builder-44c1a891926f4bdeaaa37e90721fe6ac",{"previousId":1119},{"name":373,"options":1241,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1242,"description":1243,"reverse":41,"image":1244},"\u003Ch2>Enforce your AI policy in the browser\u003C/h2>","\u003Cp>When an AI tool is deemed non-compliant or too risky, Push blocks it at the source. The block happens directly in the browser, preventing the user from accessing the site or submitting data. This gives you an immediate, powerful lever to stop data exfiltration and enforce a hard line on unacceptable risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa359ac1805af4e15a8a7f84632b9bb55",{"large":1246},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1248,"meta":1249,"component":1250,"responsiveStyles":1252},"builder-dcc906f9cbe54dc68b3c672668e7a38f",{"previousId":1129},{"name":354,"options":1251,"isRSC":118},{"darkMode":6},{"large":1253},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1255,"component":1256,"responsiveStyles":1258},"builder-d2d64780c31b4349bc75805b23a07e38",{"name":416,"tag":416,"options":1257,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1259},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1261,"@type":106,"tagName":131,"properties":1262,"responsiveStyles":1263},"builder-pixel-wxx9tk70r9p",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124
},{"large":1264},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1266},{"path":37,"query":1267},{},{},1770892957225,1764950077593,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe558b8b069884037a8e6904f7ecc029c",[],{"winningTest":118,"breakpoints":1274,"originalContentId":1039,"kind":438,"lastPreviewUrl":1275,"hasLinks":6,"hasAutosaves":41},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/shadow-ai?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=b62629ce2f3741158d961cd10fe74b31&builder.overrides.b62629ce2f3741158d961cd10fe74b31=b62629ce2f3741158d961cd10fe74b31&builder.overrides.use-case-page:/uc/shadow-ai=b62629ce2f3741158d961cd10fe74b31&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"_path":1277,"_dir":1278,"_draft":6,"_partial":6,"_locale":37,"sys":1279,"summary":1282,"title":1296,"subtitle":118,"metaTitle":1297,"synopsis":1298,"hashTags":118,"publishedDate":1299,"slug":1300,"ogImage":1301,"tagsCollection":1303,"relatedBlogPostsCollection":1313,"authorsCollection":4203,"content":4207,"_id":4542,"_type":4543,"_source":4544,"_file":4545,"_stem":4546,"_extension":4543},"/blog/how-many-vulnerable-identities-do-you-have","blog",{"id":1280,"publishedAt":1281},"2oCKAlWLSHMLeZF6j8YniH","2024-10-15T09:39:27.512Z",{"json":1283},{"data":1284,"content":1285,"nodeType":1295},{},[1286],{"data":128
7,"content":1288,"nodeType":1294},{},[1289],{"data":1290,"marks":1291,"value":1292,"nodeType":1293},{},[],"Answering key questions about your exposure to identity threats using Push data.","text","paragraph","document","How many vulnerable identities do you have?","Using Push data to quantify identity vulnerabilities","Using Push data to calculate how many vulnerable identities the average organization has, and how they lead to different methods of account takeover. ","2024-10-15T00:00:00.000Z","how-many-vulnerable-identities-do-you-have",{"url":1302},"https://images.ctfassets.net/y1cdw1ablpvd/7v4Zx9Ac2V6txIpDbp0WU4/ae2916d0cd69f4f7e47bf0fc1cff07d3/Sankey_chart_-_cropped_-_higher_res__1_.png",{"items":1304},[1305,1309],{"sys":1306,"name":1308},{"id":1307},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"sys":1310,"name":1312},{"id":1311},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"items":1314},[1315,2513,3763],{"__typename":1316,"sys":1317,"content":1319,"title":2495,"synopsis":2496,"hashTags":118,"publishedDate":2497,"slug":2498,"tagsCollection":2499,"authorsCollection":2505},"BlogPosts",{"id":1318},"4OrixXXLxRmSDxa7PF9gfM",{"json":1320},{"nodeType":1295,"data":1321,"content":1322},{},[1323,1358,1371,1387,1394,1401,1405,1413,1420,1558,1566,1573,1669,1676,1683,1736,1743,1766,1823,1826,1833,1852,1872,1879,1898,1905,1917,1920,1927,1934,1982,1989,1996,2016,2019,2026,2033,2040,2060,2067,2074,2081,2101,2108,2115,2122,2129,2149,2156,2163,2170,2177,2209,2218,2221,2228,2235,2241,2248,2255,2278,2285,2292,2335,2351,2371,2377,2384,2391,2398,2430,2476,2483,2489],{"nodeType":1294,"data":1324,"content":1325},{},[1326,1330,1341,1345,1354],{"nodeType":1293,"value":1327,"marks":1328,"data":1329},"Infostealer malware seems to be grabbing the headlines right now. 
It’s easy to see why, too, after laying claim to one of the ",[],{},{"nodeType":1331,"data":1332,"content":1334},"hyperlink",{"uri":1333},"https://www.wired.com/story/snowflake-breach-advanced-auto-parts-lendingtree/",[1335],{"nodeType":1293,"value":1336,"marks":1337,"data":1340},"biggest breaches in history",[1338],{"type":1339},"underline",{},{"nodeType":1293,"value":1342,"marks":1343,"data":1344},". The ",[],{},{"nodeType":1331,"data":1346,"content":1348},{"uri":1347},"https://pushsecurity.com/blog/identity-attacks-in-the-wild/#id-snowflake-june-2024",[1349],{"nodeType":1293,"value":1350,"marks":1351,"data":1353},"recent attacks on Snowflake customers",[1352],{"type":1339},{},{"nodeType":1293,"value":1355,"marks":1356,"data":1357}," saw ~165 businesses compromised using stolen credentials, resulting in millions of breached customer records, with the full impact still emerging. ",[],{},{"nodeType":1294,"data":1359,"content":1360},{},[1361,1365],{"nodeType":1293,"value":1362,"marks":1363,"data":1364},"Notably, ",[],{},{"nodeType":1293,"value":1366,"marks":1367,"data":1370},"80% of the credentials used to access Snowflake customer accounts had found their way online after being stolen in infostealer infections – dating back as early as 2020. ",[1368],{"type":1369},"bold",{},{"nodeType":1294,"data":1372,"content":1373},{},[1374,1378,1383],{"nodeType":1293,"value":1375,"marks":1376,"data":1377},"The Snowflake situation is a reminder of how lucrative stolen credentials can be for attackers – and how the cybercrime ecosystem has tilted as a result. As the saying goes nowadays, ",[],{},{"nodeType":1293,"value":1379,"marks":1380,"data":1382},"hackers don’t hack in, they log in",[1381],{"type":1369},{},{"nodeType":1293,"value":1384,"marks":1385,"data":1386},". Stolen credentials are the lowest hanging fruit available to attackers, and their appetite (and the ecosystem needed to feed it) is insatiable. 
As an attacker, the prospect of picking up access to a major enterprise for just $10 or less (or even for free) is hard to resist – why wouldn’t you buy a ticket and take the gamble?  ",[],{},{"nodeType":1294,"data":1388,"content":1389},{},[1390],{"nodeType":1293,"value":1391,"marks":1392,"data":1393},"Infostealers are a huge part of the shift toward identity attacks. Along with phishing, infostealers are the primary mechanism for attackers to harvest credentials. Unlike phishing, infostealers can collect a large number of credentials (and other helpful data saved in the browser) in one fell swoop. But, they do have limitations. For example, you would expect any credible EDR to detect and block these attacks. And yet, the success of the attacks on Snowflake customers show us that gaps are being found and exploited.  ",[],{},{"nodeType":1294,"data":1395,"content":1396},{},[1397],{"nodeType":1293,"value":1398,"marks":1399,"data":1400},"In this article, we’ll look at the history of infostealers, how they work, and what the trends show us about how the cybercrime ecosystem is leaning into the opportunity they present.    ",[],{},{"nodeType":1402,"data":1403,"content":1404},"hr",{},[],{"nodeType":1406,"data":1407,"content":1408},"heading-1",{},[1409],{"nodeType":1293,"value":1410,"marks":1411,"data":1412},"The state of infostealers today",[],{},{"nodeType":1294,"data":1414,"content":1415},{},[1416],{"nodeType":1293,"value":1417,"marks":1418,"data":1419},"Infostealers, and the mass credential harvesting they enable, are a big part of the rise in identity attacks. 
The stats support this, as:",[],{},{"nodeType":1421,"data":1422,"content":1423},"unordered-list",{},[1424,1448,1470,1493,1515,1536],{"nodeType":1425,"data":1426,"content":1427},"list-item",{},[1428],{"nodeType":1294,"data":1429,"content":1430},{},[1431,1435,1444],{"nodeType":1293,"value":1432,"marks":1433,"data":1434},"One million new stealer logs are distributed every month, with an estimated 3-5% containing credentials and session cookies to corporate IT environments (",[],{},{"nodeType":1331,"data":1436,"content":1438},{"uri":1437},"https://www.bleepingcomputer.com/news/security/single-sign-on-and-the-cybercrime-ecosystem/",[1439],{"nodeType":1293,"value":1440,"marks":1441,"data":1443},"Flare",[1442],{"type":1339},{},{"nodeType":1293,"value":1445,"marks":1446,"data":1447},").",[],{},{"nodeType":1425,"data":1449,"content":1450},{},[1451],{"nodeType":1294,"data":1452,"content":1453},{},[1454,1458,1467],{"nodeType":1293,"value":1455,"marks":1456,"data":1457},"Infostealer activity increased by 266% in 2023, while the number of attacks featuring valid credentials saw a 71% increase year-over-year (",[],{},{"nodeType":1331,"data":1459,"content":1461},{"uri":1460},"https://www.ibm.com/downloads/cas/L0GKXDWJ",[1462],{"nodeType":1293,"value":1463,"marks":1464,"data":1466},"IBM",[1465],{"type":1339},{},{"nodeType":1293,"value":1445,"marks":1468,"data":1469},[],{},{"nodeType":1425,"data":1471,"content":1472},{},[1473],{"nodeType":1294,"data":1474,"content":1475},{},[1476,1480,1489],{"nodeType":1293,"value":1477,"marks":1478,"data":1479},"147,000 token replay attacks were detected by Microsoft in 2023, an 111% increase year-over-year 
(",[],{},{"nodeType":1331,"data":1481,"content":1483},{"uri":1482},"https://techcommunity.microsoft.com/t5/microsoft-entra-blog/how-to-break-the-token-theft-cyber-attack-chain/ba-p/4062700",[1484],{"nodeType":1293,"value":1485,"marks":1486,"data":1488},"Microsoft",[1487],{"type":1339},{},{"nodeType":1293,"value":1490,"marks":1491,"data":1492},"). ",[],{},{"nodeType":1425,"data":1494,"content":1495},{},[1496],{"nodeType":1294,"data":1497,"content":1498},{},[1499,1503,1512],{"nodeType":1293,"value":1500,"marks":1501,"data":1502},"Over 1000 credentials are posted online per day, per marketplace with an average sale price of $10, and 65% posted less than one day after being collected (",[],{},{"nodeType":1331,"data":1504,"content":1506},{"uri":1505},"https://www.verizon.com/business/en-gb/resources/reports/dbir/",[1507],{"nodeType":1293,"value":1508,"marks":1509,"data":1511},"Verizon",[1510],{"type":1339},{},{"nodeType":1293,"value":1445,"marks":1513,"data":1514},[],{},{"nodeType":1425,"data":1516,"content":1517},{},[1518],{"nodeType":1294,"data":1519,"content":1520},{},[1521,1525,1533],{"nodeType":1293,"value":1522,"marks":1523,"data":1524},"Nearly half of the malware detected last year by Sophos targeted victims’ data specifically, and the majority of that malware was classified as infostealers (",[],{},{"nodeType":1331,"data":1526,"content":1528},{"uri":1527},"https://news.sophos.com/en-us/2024/03/12/2024-sophos-threat-report/",[1529],{"nodeType":1293,"value":1530,"marks":1531,"data":1532},"Sophos",[],{},{"nodeType":1293,"value":1445,"marks":1534,"data":1535},[],{},{"nodeType":1425,"data":1537,"content":1538},{},[1539],{"nodeType":1294,"data":1540,"content":1541},{},[1542,1546,1555],{"nodeType":1293,"value":1543,"marks":1544,"data":1545},"Attacks on session cookies happen at the same order of magnitude as password-based attacks 
(",[],{},{"nodeType":1331,"data":1547,"content":1549},{"uri":1548},"https://github.com/WICG/dbsc/issues/13#issuecomment-1977657864",[1550],{"nodeType":1293,"value":1551,"marks":1552,"data":1554},"Google",[1553],{"type":1339},{},{"nodeType":1293,"value":1445,"marks":1556,"data":1557},[],{},{"nodeType":1559,"data":1560,"content":1561},"heading-2",{},[1562],{"nodeType":1293,"value":1563,"marks":1564,"data":1565},"How did we get here?",[],{},{"nodeType":1294,"data":1567,"content":1568},{},[1569],{"nodeType":1293,"value":1570,"marks":1571,"data":1572},"Let’s go back to the beginning. When they first emerged, infostealers were designed to steal online banking and credit card information. The most notable early example comes from as far back as 2006 with the ZeuS trojan. After the ZeuS source code was leaked in March 2011, the creation of multiple variants boosted the popularity of this type of malware and inspired the development of infostealers with increasingly sophisticated capabilities.",[],{},{"nodeType":1294,"data":1574,"content":1575},{},[1576,1580,1589,1593,1602,1606,1615,1619,1628,1631,1640,1643,1652,1656,1665],{"nodeType":1293,"value":1577,"marks":1578,"data":1579},"Modern infostealers rose to prominence in around 2018 with the emergence of ",[],{},{"nodeType":1331,"data":1581,"content":1583},{"uri":1582},"https://malpedia.caad.fkie.fraunhofer.de/details/win.arkei_stealer",[1584],{"nodeType":1293,"value":1585,"marks":1586,"data":1588},"Arkei",[1587],{"type":1339},{},{"nodeType":1293,"value":1590,"marks":1591,"data":1592},", which quickly spawned the more popular ",[],{},{"nodeType":1331,"data":1594,"content":1596},{"uri":1595},"https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar",[1597],{"nodeType":1293,"value":1598,"marks":1599,"data":1601},"Vidar",[1600],{"type":1339},{},{"nodeType":1293,"value":1603,"marks":1604,"data":1605}," stealer. 
Today, some of the most popular families are ",[],{},{"nodeType":1331,"data":1607,"content":1609},{"uri":1608},"https://malpedia.caad.fkie.fraunhofer.de/details/win.risepro",[1610],{"nodeType":1293,"value":1611,"marks":1612,"data":1614},"RisePro",[1613],{"type":1339},{},{"nodeType":1293,"value":1616,"marks":1617,"data":1618},", ",[],{},{"nodeType":1331,"data":1620,"content":1622},{"uri":1621},"https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer",[1623],{"nodeType":1293,"value":1624,"marks":1625,"data":1627},"RedLine",[1626],{"type":1339},{},{"nodeType":1293,"value":1616,"marks":1629,"data":1630},[],{},{"nodeType":1331,"data":1632,"content":1634},{"uri":1633},"https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc",[1635],{"nodeType":1293,"value":1636,"marks":1637,"data":1639},"StealC",[1638],{"type":1339},{},{"nodeType":1293,"value":1616,"marks":1641,"data":1642},[],{},{"nodeType":1331,"data":1644,"content":1646},{"uri":1645},"https://malpedia.caad.fkie.fraunhofer.de/details/win.raccoon",[1647],{"nodeType":1293,"value":1648,"marks":1649,"data":1651},"Raccoon",[1650],{"type":1339},{},{"nodeType":1293,"value":1653,"marks":1654,"data":1655},", and ",[],{},{"nodeType":1331,"data":1657,"content":1659},{"uri":1658},"https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma",[1660],{"nodeType":1293,"value":1661,"marks":1662,"data":1664},"Lumma",[1663],{"type":1339},{},{"nodeType":1293,"value":1666,"marks":1667,"data":1668},", with new variants and families appearing all the time. ",[],{},{"nodeType":1294,"data":1670,"content":1671},{},[1672],{"nodeType":1293,"value":1673,"marks":1674,"data":1675},"Infostealers are used by all manner of threat actors of varying levels of sophistication. For larger groups with sufficient resources, the creation of new, custom stealers and malware packages is a common tactic to attempt to evade detection. 
",[],{},{"nodeType":1294,"data":1677,"content":1678},{},[1679],{"nodeType":1293,"value":1680,"marks":1681,"data":1682},"But despite all the variants, infostealers do have common capabilities and characteristics, such as:",[],{},{"nodeType":1421,"data":1684,"content":1685},{},[1686,1696,1706,1716,1726],{"nodeType":1425,"data":1687,"content":1688},{},[1689],{"nodeType":1294,"data":1690,"content":1691},{},[1692],{"nodeType":1293,"value":1693,"marks":1694,"data":1695},"Extracting information from the browsers of a compromised device, such as passwords, cookies, autofill information, downloaded file information.",[],{},{"nodeType":1425,"data":1697,"content":1698},{},[1699],{"nodeType":1294,"data":1700,"content":1701},{},[1702],{"nodeType":1293,"value":1703,"marks":1704,"data":1705},"Snapshotting the desktop and system inventory, with details such as the username, location data, hardware configuration, and information regarding installed security software.",[],{},{"nodeType":1425,"data":1707,"content":1708},{},[1709],{"nodeType":1294,"data":1710,"content":1711},{},[1712],{"nodeType":1293,"value":1713,"marks":1714,"data":1715},"Sending stolen data back to a C2 server.",[],{},{"nodeType":1425,"data":1717,"content":1718},{},[1719],{"nodeType":1294,"data":1720,"content":1721},{},[1722],{"nodeType":1293,"value":1723,"marks":1724,"data":1725},"Facilitating the deployment of additional tools and malware as part of a package. ",[],{},{"nodeType":1425,"data":1727,"content":1728},{},[1729],{"nodeType":1294,"data":1730,"content":1731},{},[1732],{"nodeType":1293,"value":1733,"marks":1734,"data":1735},"Often (but not always) self-terminating once complete, leaving little trace on the victim machine and no ongoing behavior that might be detected. 
",[],{},{"nodeType":1294,"data":1737,"content":1738},{},[1739],{"nodeType":1293,"value":1740,"marks":1741,"data":1742},"Infostealers are distributed in similar ways to other types of malware, such as:",[],{},{"nodeType":1421,"data":1744,"content":1745},{},[1746,1756],{"nodeType":1425,"data":1747,"content":1748},{},[1749],{"nodeType":1294,"data":1750,"content":1751},{},[1752],{"nodeType":1293,"value":1753,"marks":1754,"data":1755},"Delivery of malicious executable files via phishing emails or by having a victim download content from a malicious website. ",[],{},{"nodeType":1425,"data":1757,"content":1758},{},[1759],{"nodeType":1294,"data":1760,"content":1761},{},[1762],{"nodeType":1293,"value":1763,"marks":1764,"data":1765},"‘Drive-by’ style attacks where the victim has only to visit an infected website.",[],{},{"nodeType":1294,"data":1767,"content":1768},{},[1769,1773,1782,1785,1794,1797,1806,1810,1819],{"nodeType":1293,"value":1770,"marks":1771,"data":1772},"They’re typically spread via malvertising, P2P downloads, and deceptive software download sites. 
",[],{},{"nodeType":1331,"data":1774,"content":1776},{"uri":1775},"https://www.bleepingcomputer.com/news/security/fake-cheat-lures-gamers-into-spreading-infostealer-malware/",[1777],{"nodeType":1293,"value":1778,"marks":1779,"data":1781},"Gaming forums",[1780],{"type":1339},{},{"nodeType":1293,"value":1616,"marks":1783,"data":1784},[],{},{"nodeType":1331,"data":1786,"content":1788},{"uri":1787},"https://cybersecuritynews.com/facebook-account-hijack-malware/",[1789],{"nodeType":1293,"value":1790,"marks":1791,"data":1793},"Facebook ads",[1792],{"type":1339},{},{"nodeType":1293,"value":1653,"marks":1795,"data":1796},[],{},{"nodeType":1331,"data":1798,"content":1800},{"uri":1799},"https://www.fortinet.com/blog/threat-research/lumma-variant-on-youtube",[1801],{"nodeType":1293,"value":1802,"marks":1803,"data":1805},"YouTube video descriptions",[1804],{"type":1339},{},{"nodeType":1293,"value":1807,"marks":1808,"data":1809}," are popular locations for malicious links, but recent examples also include ",[],{},{"nodeType":1331,"data":1811,"content":1813},{"uri":1812},"https://www.bleepingcomputer.com/news/security/over-3-000-github-accounts-used-by-malware-distribution-service/",[1814],{"nodeType":1293,"value":1815,"marks":1816,"data":1818},"complex malware distribution networks on GitHub",[1817],{"type":1339},{},{"nodeType":1293,"value":1820,"marks":1821,"data":1822}," – such as the recent campaign from ‘Stargazer Goblin’ with more than 3,000 fake accounts creating and promoting hundreds of fake repositories to increase their apparent legitimacy and make them more likely to appear on GitHub's trending section.",[],{},{"nodeType":1402,"data":1824,"content":1825},{},[],{"nodeType":1406,"data":1827,"content":1828},{},[1829],{"nodeType":1293,"value":1830,"marks":1831,"data":1832},"Infostealers are key to the cybercrime ecosystem",[],{},{"nodeType":1294,"data":1834,"content":1835},{},[1836,1840,1848],{"nodeType":1293,"value":1837,"marks":1838,"data":1839},"After being stolen, 
",[],{},{"nodeType":1331,"data":1841,"content":1842},{"uri":1437},[1843],{"nodeType":1293,"value":1844,"marks":1845,"data":1847},"infostealer data inevitably finds its way onto hacker forums and marketplaces",[1846],{"type":1339},{},{"nodeType":1293,"value":1849,"marks":1850,"data":1851},", both on the clearweb and darkweb. Popular infostealers have their own dedicated Telegram channels to advertise and sell stolen data. Private channels also exist, with the channel owner distributing tens of thousands of logs per week to a limited number of threat actors who pay $200-$400 for access to the channel. This allows them to get ‘first pick’ of stolen logs, which are later shared through public Telegram channels. ",[],{},{"nodeType":1294,"data":1853,"content":1854},{},[1855,1859,1868],{"nodeType":1293,"value":1856,"marks":1857,"data":1858},"Public data eventually makes its way onto services such as Have I Been Pwned (HIBP), which gives individuals and security teams some visibility of which credentials have been compromised. For example, ",[],{},{"nodeType":1331,"data":1860,"content":1862},{"uri":1861},"https://www.troyhunt.com/telegram-combolists-and-361m-email-addresses/",[1863],{"nodeType":1293,"value":1864,"marks":1865,"data":1867},"in June, Troy Hunt (creator of HIBP) wrote",[1866],{"type":1339},{},{"nodeType":1293,"value":1869,"marks":1870,"data":1871}," about the impact of channels like Telegram and the sale of combolists (username, password, login portal URL), after being sent 122GB of data scraped out of thousands of Telegram channels, containing 361M unique email addresses (of which 151M had never been seen in HIBP before). 
",[],{},{"nodeType":1294,"data":1873,"content":1874},{},[1875],{"nodeType":1293,"value":1876,"marks":1877,"data":1878},"The cybercrime ecosystem is complex, with a developed supply chain and organizations fulfilling different roles as a result: from malware-as-a-service developers, to initial access brokers, to the operators that actually conduct the attacks (be they ransomware, data theft, etc.) – and many, many other roles in between. Sometimes, a single group and/or its affiliates will conduct the full chain, but this is far less common today. ",[],{},{"nodeType":1294,"data":1880,"content":1881},{},[1882,1885,1894],{"nodeType":1293,"value":37,"marks":1883,"data":1884},[],{},{"nodeType":1331,"data":1886,"content":1888},{"uri":1887},"https://www.secureworks.com/research/the-growing-threat-from-infostealers",[1889],{"nodeType":1293,"value":1890,"marks":1891,"data":1893},"Infostealers are often sold by malware developers to other attackers as a monthly subscription service.",[1892],{"type":1339},{},{"nodeType":1293,"value":1895,"marks":1896,"data":1897}," The price can range from $50 to over $1,000 USD per month for access to a stealer command and control (C2) server operated by the developer. The service often features a range of support functions, including multiple ways to view, download, and share stolen data. Self-hosted stealer C2 servers are also available and are usually sold for a flat fee. ",[],{},{"nodeType":1294,"data":1899,"content":1900},{},[1901],{"nodeType":1293,"value":1902,"marks":1903,"data":1904},"There’s also evidence that there is an element of target coordination – with one marketplace, Russian Market, allowing users to ‘preorder’ credentials for a $1,000 USD deposit from 2022. ",[],{},{"nodeType":1294,"data":1906,"content":1907},{},[1908,1913],{"nodeType":1293,"value":1909,"marks":1910,"data":1912},"So what? 
Well, there's evidently an abundance of breached data already online, and attackers have the tools readily available to have this pile grow exponentially bigger and more useful.",[1911],{"type":1369},{},{"nodeType":1293,"value":1914,"marks":1915,"data":1916}," It’s also probably more coordinated than we like to admit – a particularly intimidating prospect in the wake of Snowflake, which will no doubt have many criminals smelling blood in the water. ",[],{},{"nodeType":1402,"data":1918,"content":1919},{},[],{"nodeType":1406,"data":1921,"content":1922},{},[1923],{"nodeType":1293,"value":1924,"marks":1925,"data":1926},"How can stolen data be abused by attackers? ",[],{},{"nodeType":1294,"data":1928,"content":1929},{},[1930],{"nodeType":1293,"value":1931,"marks":1932,"data":1933},"It’s pretty obvious that attackers getting access to all of your passwords and session cookies is bad, but there is a clear value hierarchy from a corporate security perspective. So, from highest to lowest risk:",[],{},{"nodeType":1421,"data":1935,"content":1936},{},[1937,1952,1967],{"nodeType":1425,"data":1938,"content":1939},{},[1940],{"nodeType":1294,"data":1941,"content":1942},{},[1943,1948],{"nodeType":1293,"value":1944,"marks":1945,"data":1947},"Stolen session cookies",[1946],{"type":1369},{},{"nodeType":1293,"value":1949,"marks":1950,"data":1951}," simply need to be imported into an attacker’s browser to resume an active session on an app. That means access can be gained without needing to enter a username and password, or pass any MFA checks. ",[],{},{"nodeType":1425,"data":1953,"content":1954},{},[1955],{"nodeType":1294,"data":1956,"content":1957},{},[1958,1963],{"nodeType":1293,"value":1959,"marks":1960,"data":1962},"Stolen usernames, passwords",[1961],{"type":1369},{},{"nodeType":1293,"value":1964,"marks":1965,"data":1966},", and login page URLs can be used to access any accounts that lack MFA. 
",[],{},{"nodeType":1425,"data":1968,"content":1969},{},[1970],{"nodeType":1294,"data":1971,"content":1972},{},[1973,1978],{"nodeType":1293,"value":1974,"marks":1975,"data":1977},"Stolen autofill data",[1976],{"type":1369},{},{"nodeType":1293,"value":1979,"marks":1980,"data":1981}," can be used to gather other valuable information that could be useful for impersonating the victim when social engineering IT support staff, for example to reset or remove MFA.",[],{},{"nodeType":1294,"data":1983,"content":1984},{},[1985],{"nodeType":1293,"value":1986,"marks":1987,"data":1988},"Naturally, stolen session cookies are the most valuable prize, but they are often valid for only a limited time before the user must re-authenticate, and active sessions can often be terminated by security admins. Unfortunately, it’s not that uncommon for sessions to last for up to a month, or even sometimes indefinitely.",[],{},{"nodeType":1294,"data":1990,"content":1991},{},[1992],{"nodeType":1293,"value":1993,"marks":1994,"data":1995},"Stolen usernames and passwords are a different story. As the Snowflake breaches demonstrate, passwords can remain valid for years after a breach, particularly in the world of SaaS apps where mandatory password rotation is not as common as for a user’s primary domain account.",[],{},{"nodeType":1294,"data":1997,"content":1998},{},[1999,2003,2012],{"nodeType":1293,"value":2000,"marks":2001,"data":2002},"There’s also the problem of ",[],{},{"nodeType":1331,"data":2004,"content":2006},{"uri":2005},"https://pushsecurity.com/blog/ghost-logins-when-forgotten-identities-come-back-to-haunt-you/",[2007],{"nodeType":1293,"value":2008,"marks":2009,"data":2011},"ghost logins",[2010],{"type":1339},{},{"nodeType":1293,"value":2013,"marks":2014,"data":2015}," – where a local login with a username and password (and probably lacking MFA) can exist alongside other, more secure login methods such as SSO. 
Given the fact that many apps are self-adopted by users, these accounts continue to exist even when an app is subsequently added to SSO via the chosen IdP, meaning they can fly under the radar of security teams. ",[],{},{"nodeType":1402,"data":2017,"content":2018},{},[],{"nodeType":1406,"data":2020,"content":2021},{},[2022],{"nodeType":1293,"value":2023,"marks":2024,"data":2025},"Should you be concerned about infostealers?",[],{},{"nodeType":1294,"data":2027,"content":2028},{},[2029],{"nodeType":1293,"value":2030,"marks":2031,"data":2032},"It’s commonly thought that infostealers are primarily a concern for unmanaged devices that lack security controls common to corporate IT, such as EDR. But there’s a couple of reasons why corporate users are also at risk:",[],{},{"nodeType":1559,"data":2034,"content":2035},{},[2036],{"nodeType":1293,"value":2037,"marks":2038,"data":2039},"EDR can be bypassed",[],{},{"nodeType":1294,"data":2041,"content":2042},{},[2043,2047,2056],{"nodeType":1293,"value":2044,"marks":2045,"data":2046},"EDR is seen as the go-to solution for defending against infostealer malware. However, attackers are always looking for ways to get around security controls by obfuscating malicious behavior and evading signature-based checks. For example, ",[],{},{"nodeType":1331,"data":2048,"content":2050},{"uri":2049},"https://thehackernews.com/2024/07/microsoft-defender-flaw-exploited-to.html",[2051],{"nodeType":1293,"value":2052,"marks":2053,"data":2055},"a flaw in Microsoft Defender SmartScreen was recently exploited to deliver infostealer malware",[2054],{"type":1339},{},{"nodeType":1293,"value":2057,"marks":2058,"data":2059},".",[],{},{"nodeType":1294,"data":2061,"content":2062},{},[2063],{"nodeType":1293,"value":2064,"marks":2065,"data":2066},"Getting total coverage across your endpoint estate is notoriously difficult, if not totally unrealistic. 
Unless the malware is stopped on execution, data will inevitably be stolen, and will continue to be taken until the malware is stopped (or self-terminates). And once an attacker has stolen employee credentials or sessions, the credential stuffing and session hijacking attacks that come next won’t touch the endpoint. For those reasons, you can’t rely on EDR as a single line of defense against infostealers.",[],{},{"nodeType":1559,"data":2068,"content":2069},{},[2070],{"nodeType":1293,"value":2071,"marks":2072,"data":2073},"Unmanaged devices such as BYOD or third-parties are vulnerable",[],{},{"nodeType":1294,"data":2075,"content":2076},{},[2077],{"nodeType":1293,"value":2078,"marks":2079,"data":2080},"Companies that support BYOD often have less secure configurations than those with fully managed devices. The same applies to third-party contractors, who often use their own devices to access company systems on a temporary basis. ",[],{},{"nodeType":1294,"data":2082,"content":2083},{},[2084,2088,2097],{"nodeType":1293,"value":2085,"marks":2086,"data":2087},"This issue was acutely felt in the Snowflake attacks: There is some suggestion that targeting key third-party suppliers – ",[],{},{"nodeType":1331,"data":2089,"content":2091},{"uri":2090},"https://www.wired.com/story/epam-snowflake-ticketmaster-breach-shinyhunters/",[2092],{"nodeType":1293,"value":2093,"marks":2094,"data":2096},"such as EPAM Systems, a software engineering firm and Snowflake ‘Elite Tier Partner’",[2095],{"type":1339},{},{"nodeType":1293,"value":2098,"marks":2099,"data":2100}," – yielded some of the access needed. It’s unclear what came first, but it’s possible (likely, even) that EPAM was identified as a target specifically because of its lucrative customer base – third parties are a known weak point that red teamers target, so it would be foolish to assume that attackers don’t also think this way. 
It’s possible too that EPAM were specifically targeted because of their Snowflake chops – adding another indicator that Snowflake was potentially a premeditated attack inspired by the availability of Snowflake credentials online. ",[],{},{"nodeType":1559,"data":2102,"content":2103},{},[2104],{"nodeType":1293,"value":2105,"marks":2106,"data":2107},"Browser profiles can be synced across devices, increasing the blast radius",[],{},{"nodeType":1294,"data":2109,"content":2110},{},[2111],{"nodeType":1293,"value":2112,"marks":2113,"data":2114},"It’s not uncommon for employees to access their personal email accounts from company devices. When accessing any browser, you are typically prompted to sign in with your account credentials (e.g. your Google account). If a user signs into a browser on a company device with a personal account, you’re usually prompted to sync your account across devices. This usually means that any saved passwords, search history, and settings are shared across devices. ",[],{},{"nodeType":1294,"data":2116,"content":2117},{},[2118],{"nodeType":1293,"value":2119,"marks":2120,"data":2121},"Naturally, this means that if a personal device is compromised where you’re also logged into the browser profile, then an infostealer will be able to harvest information saved into that profile across devices.",[],{},{"nodeType":1294,"data":2123,"content":2124},{},[2125],{"nodeType":1293,"value":2126,"marks":2127,"data":2128},"Even when using separate browser profiles for work and personal, it’s easy for the two to converge, or to slip into using the wrong profile. Accessing personal accounts (or at least synchronizing data across accounts) is usually a workplace policy violation, but it’s unfortunately all too common. 
",[],{},{"nodeType":1294,"data":2130,"content":2131},{},[2132,2136,2145],{"nodeType":1293,"value":2133,"marks":2134,"data":2135},"Previous vulnerabilities have exacerbated this problem, such as ",[],{},{"nodeType":1331,"data":2137,"content":2139},{"uri":2138},"https://thehackernews.com/2024/01/malware-using-google-multilogin-exploit.html",[2140],{"nodeType":1293,"value":2141,"marks":2142,"data":2144},"an exploit affecting Google MultiLogin to maintain access to synced accounts even after a password reset",[2143],{"type":1339},{},{"nodeType":1293,"value":2146,"marks":2147,"data":2148},". ",[],{},{"nodeType":1559,"data":2150,"content":2151},{},[2152],{"nodeType":1293,"value":2153,"marks":2154,"data":2155},"Are infostealers a bigger problem than credential phishing? ",[],{},{"nodeType":1294,"data":2157,"content":2158},{},[2159],{"nodeType":1293,"value":2160,"marks":2161,"data":2162},"The short answer is: No. The longer answer is: They are both part of the bigger problem of identity attacks, and attackers can wield both approaches simultaneously. ",[],{},{"nodeType":1294,"data":2164,"content":2165},{},[2166],{"nodeType":1293,"value":2167,"marks":2168,"data":2169},"While they are delivered to victims in similar ways to phishing links, most organizations are arguably better protected against infostealers than modern phishing attacks because endpoint security controls provide another layer of protection, in theory – whereas modern phishing attacks don’t necessarily involve the delivery of malware that executes on the device. ",[],{},{"nodeType":1294,"data":2171,"content":2172},{},[2173],{"nodeType":1293,"value":2174,"marks":2175,"data":2176},"Infostealers arguably provide more bang for the attacker’s buck, grabbing a stack of credentials and useful data in one go. In contrast, phishing is usually much more targeted, and involves the compromise of a narrower set of credentials – typically focusing on a particular site or app. 
",[],{},{"nodeType":1294,"data":2178,"content":2179},{},[2180,2184,2193,2197,2205],{"nodeType":1293,"value":2181,"marks":2182,"data":2183},"It’s worth focusing on the TTP, not the particular tool being used: The attacker technique here is ",[],{},{"nodeType":1331,"data":2185,"content":2187},{"uri":2186},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/session_cookie_theft/description.md",[2188],{"nodeType":1293,"value":2189,"marks":2190,"data":2192},"session cookie theft",[2191],{"type":1339},{},{"nodeType":1293,"value":2194,"marks":2195,"data":2196},", and subsequently session hijacking by importing the cookie into the attacker’s browser. Both infostealers and ",[],{},{"nodeType":1331,"data":2198,"content":2200},{"uri":2199},"https://pushsecurity.com/blog/phishing-2-0-how-phishing-toolkits-are-evolving-with-aitm/",[2201],{"nodeType":1293,"value":2202,"marks":2203,"data":2204},"modern phishing attacks",[],{},{"nodeType":1293,"value":2206,"marks":2207,"data":2208}," involve the theft of session tokens, and so are valid means to achieve this end. In fact, there’s nothing to stop threat groups from employing both simultaneously.",[],{},{"nodeType":2210,"data":2211,"content":2217},"embedded-entry-block",{"target":2212},{"sys":2213},{"id":2214,"type":2215,"linkType":2216},"7fil6aaQDFfJGYUnQ14k10","Link","Entry",[],{"nodeType":1402,"data":2219,"content":2220},{},[],{"nodeType":1406,"data":2222,"content":2223},{},[2224],{"nodeType":1293,"value":2225,"marks":2226,"data":2227},"Infostealers in action",[],{},{"nodeType":1294,"data":2229,"content":2230},{},[2231],{"nodeType":1293,"value":2232,"marks":2233,"data":2234},"Check out the video demo below to see the attack chain in action from the point of an infostealer compromise, showing session cookie theft, reimporting the cookies into the attacker's browser, and evading policy-based controls in M365. 
It also shows the targeting of downstream apps that are usually accessed via SSO in the context of both a Microsoft Entra and Okta compromise.",[],{},{"nodeType":2210,"data":2236,"content":2240},{"target":2237},{"sys":2238},{"id":2239,"type":2215,"linkType":2216},"4J7LqqjQX2W52AbmcVmjUt",[],{"nodeType":1406,"data":2242,"content":2243},{},[2244],{"nodeType":1293,"value":2245,"marks":2246,"data":2247},"What can organizations do about the infostealer threat? ",[],{},{"nodeType":1294,"data":2249,"content":2250},{},[2251],{"nodeType":1293,"value":2252,"marks":2253,"data":2254},"Security teams should have two main concerns:",[],{},{"nodeType":1421,"data":2256,"content":2257},{},[2258,2268],{"nodeType":1425,"data":2259,"content":2260},{},[2261],{"nodeType":1294,"data":2262,"content":2263},{},[2264],{"nodeType":1293,"value":2265,"marks":2266,"data":2267},"Data that is already out there from historical data dumps, but is still valid. ",[],{},{"nodeType":1425,"data":2269,"content":2270},{},[2271],{"nodeType":1294,"data":2272,"content":2273},{},[2274],{"nodeType":1293,"value":2275,"marks":2276,"data":2277},"Data in private channels that attackers could use in the future, that you are blind to. ",[],{},{"nodeType":1294,"data":2279,"content":2280},{},[2281],{"nodeType":1293,"value":2282,"marks":2283,"data":2284},"As always, the root-cause of the problem is a lack of meaningful visibility of what apps your employees are using (including those outside your IdP) and whether the associated identities are configured securely. 
",[],{},{"nodeType":1294,"data":2286,"content":2287},{},[2288],{"nodeType":1293,"value":2289,"marks":2290,"data":2291},"A layered, defense-in-depth approach is required to resolve the issue, by:",[],{},{"nodeType":1421,"data":2293,"content":2294},{},[2295,2305,2315,2325],{"nodeType":1425,"data":2296,"content":2297},{},[2298],{"nodeType":1294,"data":2299,"content":2300},{},[2301],{"nodeType":1293,"value":2302,"marks":2303,"data":2304},"Deploying MFA across all your identities and apps, including any local logins that can’t be put behind SSO. ",[],{},{"nodeType":1425,"data":2306,"content":2307},{},[2308],{"nodeType":1294,"data":2309,"content":2310},{},[2311],{"nodeType":1293,"value":2312,"marks":2313,"data":2314},"Configuring time-limited session lifetimes for all apps to ensure that any stolen session tokens can only be used temporarily. ",[],{},{"nodeType":1425,"data":2316,"content":2317},{},[2318],{"nodeType":1294,"data":2319,"content":2320},{},[2321],{"nodeType":1293,"value":2322,"marks":2323,"data":2324},"Ensuring that employees don’t access or synchronize personal accounts on their work devices, as well as limiting non-work activities on their work device as much as possible.",[],{},{"nodeType":1425,"data":2326,"content":2327},{},[2328],{"nodeType":1294,"data":2329,"content":2330},{},[2331],{"nodeType":1293,"value":2332,"marks":2333,"data":2334},"Implementing a robust EDR/MDR solution to detect and respond to malware compromises on user devices. ",[],{},{"nodeType":1294,"data":2336,"content":2337},{},[2338,2342,2347],{"nodeType":1293,"value":2339,"marks":2340,"data":2341},"Organizations also have the option of investing in a commercial TI feed to detect and report data breaches affecting employees. 
But in our experience, these feeds contain ",[],{},{"nodeType":1293,"value":2343,"marks":2344,"data":2346},"a lot ",[2345],{"type":1369},{},{"nodeType":1293,"value":2348,"marks":2349,"data":2350},"of false positives – so unless you have password visibility for employee accounts across apps, it’s going to waste a chunk of valuable time for you and your employees.",[],{},{"nodeType":1294,"data":2352,"content":2353},{},[2354,2358,2367],{"nodeType":1293,"value":2355,"marks":2356,"data":2357},"It would be remiss of us not to mention our recently released ",[],{},{"nodeType":1331,"data":2359,"content":2361},{"uri":2360},"https://pushsecurity.com/blog/introducing-session-token-theft-detection-why-browser-is-best/",[2362],{"nodeType":1293,"value":2363,"marks":2364,"data":2366},"session token theft detection feature",[2365],{"type":1339},{},{"nodeType":1293,"value":2368,"marks":2369,"data":2370}," that identifies session token theft by adding telemetry to the user agent string – using the power of our browser agent to create a new high-fidelity signal for security teams. It can also be applied more generally to detect any session taking place in an unmanaged browser – so you can use it to spot unauthorized access to company apps in general, too.  ",[],{},{"nodeType":2210,"data":2372,"content":2376},{"target":2373},{"sys":2374},{"id":2375,"type":2215,"linkType":2216},"3XgpqEGzZSD2J0uvnCg5D8",[],{"nodeType":1559,"data":2378,"content":2379},{},[2380],{"nodeType":1293,"value":2381,"marks":2382,"data":2383},"What’s next for infostealers?",[],{},{"nodeType":1294,"data":2385,"content":2386},{},[2387],{"nodeType":1293,"value":2388,"marks":2389,"data":2390},"All the signs point to the fact that infostealers will continue being a useful tool in the attacker’s arsenal. The Snowflake attacks in particular are both a warning for defenders and encouragement for attackers. 
It's also a good reminder that while infostealers were once used to harvest things like VPN creds to pivot to the internal network, they're now largely used to target third-party services over the internet. ",[],{},{"nodeType":1294,"data":2392,"content":2393},{},[2394],{"nodeType":1293,"value":2395,"marks":2396,"data":2397},"To evade EDR, it’s likely that we’ll see a growing number of families and variants used by individual groups, or better ‘enterprise’ capabilities from malware-as-a-service vendors. ",[],{},{"nodeType":1294,"data":2399,"content":2400},{},[2401,2405,2414,2418,2426],{"nodeType":1293,"value":2402,"marks":2403,"data":2404},"One notable quirk is that, to date, infostealers have not really branched out from targeting browsers. Take the example of password manager apps – you would think this would be an obvious target, right? But, they’re not usually targeted (",[],{},{"nodeType":1331,"data":2406,"content":2408},{"uri":2407},"https://securitysenses.com/posts/malware-targeting-password-managers",[2409],{"nodeType":1293,"value":2410,"marks":2411,"data":2413},"with some exceptions",[2412],{"type":1339},{},{"nodeType":1293,"value":2415,"marks":2416,"data":2417},"). And when they are, ",[],{},{"nodeType":1331,"data":2419,"content":2420},{"uri":2407},[2421],{"nodeType":1293,"value":2422,"marks":2423,"data":2425},"the malware works by eavesdropping on the password manager’s browser extension in action",[2424],{"type":1339},{},{"nodeType":1293,"value":2427,"marks":2428,"data":2429}," – meaning passwords are intercepted one at a time as the user uses them, rather than the malware targeting the password manager directly and exporting the saved passwords all at once. It will be interesting to see whether these capabilities are added in the future. 
",[],{},{"nodeType":1294,"data":2431,"content":2432},{},[2433,2437,2446,2450,2459,2463,2472],{"nodeType":1293,"value":2434,"marks":2435,"data":2436},"On the other hand, there are defensive security developments that could reduce the ability of attackers to leverage things like stolen session tokens, such as ",[],{},{"nodeType":1331,"data":2438,"content":2440},{"uri":2439},"https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-token-protection",[2441],{"nodeType":1293,"value":2442,"marks":2443,"data":2445},"Microsoft’s token binding feature in Entra",[2444],{"type":1339},{},{"nodeType":1293,"value":2447,"marks":2448,"data":2449},", or ",[],{},{"nodeType":1331,"data":2451,"content":2453},{"uri":2452},"https://blog.chromium.org/2024/04/fighting-cookie-theft-using-device.html",[2454],{"nodeType":1293,"value":2455,"marks":2456,"data":2458},"Google’s device bound session cookies",[2457],{"type":1339},{},{"nodeType":1293,"value":2460,"marks":2461,"data":2462},". Google also released an ",[],{},{"nodeType":1331,"data":2464,"content":2466},{"uri":2465},"https://security.googleblog.com/2024/07/improving-security-of-chrome-cookies-on.html?m=1",[2467],{"nodeType":1293,"value":2468,"marks":2469,"data":2471},"app-bound encryption feature",[2470],{"type":1339},{},{"nodeType":1293,"value":2473,"marks":2474,"data":2475},", which adds additional protection against infostealers attempting to steal browser data in Chrome if the underlying Windows device is compromised. ",[],{},{"nodeType":1294,"data":2477,"content":2478},{},[2479],{"nodeType":1293,"value":2480,"marks":2481,"data":2482},"That said, mature versions of these controls are still years away, and while session cookie theft is a key risk of infostealers, it’s not the only risk – so alternative controls and mitigations remain valuable to security teams in the present. 
",[],{},{"nodeType":2210,"data":2484,"content":2488},{"target":2485},{"sys":2486},{"id":2487,"type":2215,"linkType":2216},"5loTnpvwGD3kaKMXBp23hZ",[],{"nodeType":1294,"data":2490,"content":2491},{},[2492],{"nodeType":1293,"value":37,"marks":2493,"data":2494},[],{},"What the rise of infostealers says about identity attacks","What the rise in popularity of infostealers tells us about the cybercrime ecosystem and the shift toward identity attacks. ","2024-07-31T00:00:00.000Z","what-the-rise-of-infostealers-says-about-identity-attacks",{"items":2500},[2501,2503],{"sys":2502,"name":1308},{"id":1307},{"sys":2504,"name":1312},{"id":1311},{"items":2506},[2507],{"fullName":2508,"firstName":2509,"jobTitle":2510,"profilePicture":2511},"Dan Green","Dan","Threat Research",{"url":2512},"https://images.ctfassets.net/y1cdw1ablpvd/7jik1VhFgA3kgzXBXTm2Vw/fcd8c171da644903d0827eafcfbcaad0/Dan_Headshot_2025.png",{"__typename":1316,"sys":2514,"content":2516,"title":3745,"synopsis":3746,"hashTags":118,"publishedDate":3747,"slug":3748,"tagsCollection":3749,"authorsCollection":3755},{"id":2515},"489LTCEVau7lh88tLgSPX5",{"json":2517},{"nodeType":1295,"data":2518,"content":2519},{},[2520,2527,2547,2554,2560,2567,2600,2606,2612,2619,2626,2632,2639,2659,2666,2673,2679,2686,2693,2741,2760,2767,2774,2781,2787,2794,2801,2808,2815,2822,2829,2841,2847,2854,2873,2892,2899,2906,2926,2933,2951,2958,3010,3017,3036,3043,3049,3066,3085,3092,3111,3118,3124,3131,3147,3154,3161,3167,3174,3181,3188,3195,3201,3208,3215,3222,3229,3235,3242,3249,3261,3277,3284,3291,3359,3366,3373,3380,3387,3394,3401,3408,3415,3433,3440,3446,3453,3459,3466,3473,3480,3486,3493,3500,3507,3540,3547,3554,3561,3568,3575,3582,3589,3596,3644,3650,3657,3701,3707,3714,3733,3739],{"nodeType":1294,"data":2521,"content":2522},{},[2523],{"nodeType":1293,"value":2524,"marks":2525,"data":2526},"The last time “hacking” topped the attacker actions chart in a Verizon DBIR, Gamestop was being saved by Redditors, ChatGPT didn’t exist, and Will 
Smith was welcome at the Oscars. ",[],{},{"nodeType":1294,"data":2528,"content":2529},{},[2530,2534,2543],{"nodeType":1293,"value":2531,"marks":2532,"data":2533},"That’s right, it was back in the ",[],{},{"nodeType":1331,"data":2535,"content":2537},{"uri":2536},"https://www.verizon.com/business/resources/reports/dbir/2021/masters-guide/",[2538],{"nodeType":1293,"value":2539,"marks":2540,"data":2542},"2021 DBIR",[2541],{"type":1339},{},{"nodeType":1293,"value":2544,"marks":2545,"data":2546}," that good old-fashioned hacking was the thing hackers did the most. ",[],{},{"nodeType":1294,"data":2548,"content":2549},{},[2550],{"nodeType":1293,"value":2551,"marks":2552,"data":2553},"In every report since, stolen credentials have been the most common “select way-in” (weird term, I know). In this year’s DBIR, stolen credentials accounted for roughly half of the breaches recorded. ",[],{},{"nodeType":2210,"data":2555,"content":2559},{"target":2556},{"sys":2557},{"id":2558,"type":2215,"linkType":2216},"16WQ5Siz92HZKCjDsxWBdr",[],{"nodeType":1294,"data":2561,"content":2562},{},[2563],{"nodeType":1293,"value":2564,"marks":2565,"data":2566},"These stats, along with others like CrowdStrike’s widely cited “80% of attacks involve identity and compromised credentials,” continue to prove that “hackers don’t hack in, they log in.” ",[],{},{"nodeType":1294,"data":2568,"content":2569},{},[2570,2574,2583,2587,2596],{"nodeType":1293,"value":2571,"marks":2572,"data":2573},"In the last year, more stories behind those statistics have started to emerge with a series of high profile “no-hack” identity attacks hitting the headlines – the most recent being the ",[],{},{"nodeType":1331,"data":2575,"content":2577},{"uri":2576},"https://pushsecurity.com/resources/video/snowflake-the-tip-of-the-iceberg/",[2578],{"nodeType":1293,"value":2579,"marks":2580,"data":2582},"Snowflake incident",[2581],{"type":1339},{},{"nodeType":1293,"value":2584,"marks":2585,"data":2586},". 
You can read more about that breach and others in our repository of ",[],{},{"nodeType":1331,"data":2588,"content":2590},{"uri":2589},"https://pushsecurity.com/blog/identity-attacks-in-the-wild/",[2591],{"nodeType":1293,"value":2592,"marks":2593,"data":2595},"identity attacks in the wild",[2594],{"type":1339},{},{"nodeType":1293,"value":2597,"marks":2598,"data":2599}," where we take a deep dive into the techniques attackers have been using. ",[],{},{"nodeType":2210,"data":2601,"content":2605},{"target":2602},{"sys":2603},{"id":2604,"type":2215,"linkType":2216},"6QY3hnMLMJvnk6zYHYa6pf",[],{"nodeType":2210,"data":2607,"content":2611},{"target":2608},{"sys":2609},{"id":2610,"type":2215,"linkType":2216},"7oAUuhbwgEH5XnDZrm5Zk9",[],{"nodeType":1294,"data":2613,"content":2614},{},[2615],{"nodeType":1293,"value":2616,"marks":2617,"data":2618},"Why should they go to the effort of targeting hardened and well-monitored attack surfaces like networks and endpoints with 0-day exploits or EDR-evading malware, when they can instead simply take a set of stolen credentials and fire them at popular business apps to see which pop open?",[],{},{"nodeType":1294,"data":2620,"content":2621},{},[2622],{"nodeType":1293,"value":2623,"marks":2624,"data":2625},"Taking over an account is the equivalent of compromising an endpoint or getting a foothold on a web-facing server. From this point, an attacker can move laterally, escalate their privileges, and achieve their objective of deploying ransomware, stealing data or disrupting business-critical systems. 
",[],{},{"nodeType":2210,"data":2627,"content":2631},{"target":2628},{"sys":2629},{"id":2630,"type":2215,"linkType":2216},"3vdbE3kqFxvhE145q2CwOy",[],{"nodeType":1294,"data":2633,"content":2634},{},[2635],{"nodeType":1293,"value":2636,"marks":2637,"data":2638},"The data shows that account takeover, whether it’s using stolen credentials or session tokens, is now the route of least resistance for attackers, and the #1 attack vector for security teams to defend against.",[],{},{"nodeType":1294,"data":2640,"content":2641},{},[2642,2646,2655],{"nodeType":1293,"value":2643,"marks":2644,"data":2645},"I’m sure you already use a number of tools to secure your workforce identities – MFA, SSO, EDR, etc., and all of them have an important role to play. That said, they also have limitations that attackers are exploiting. We’ve laid out some of the ",[],{},{"nodeType":1331,"data":2647,"content":2649},{"uri":2648},"https://pushsecurity.com/blog/5-reasons-why-push-security-shouldnt-exist/",[2650],{"nodeType":1293,"value":2651,"marks":2652,"data":2654},"typical misconceptions that can undermine an identity security strategy",[2653],{"type":1339},{},{"nodeType":1293,"value":2656,"marks":2657,"data":2658}," so you can avoid the common pitfalls and achieve defense in depth.",[],{},{"nodeType":1406,"data":2660,"content":2661},{},[2662],{"nodeType":1293,"value":2663,"marks":2664,"data":2665},"Push vs. account takeover techniques",[],{},{"nodeType":1294,"data":2667,"content":2668},{},[2669],{"nodeType":1293,"value":2670,"marks":2671,"data":2672},"In this article, we’re going to show you how to use Push to bolster your identity security strategy and prevent account takeover. 
More specifically, we’ll cover how Push prevents, detects, and blocks some of the common attack techniques seen in this account takeover attack chain:",[],{},{"nodeType":2210,"data":2674,"content":2678},{"target":2675},{"sys":2676},{"id":2677,"type":2215,"linkType":2216},"1FPMzCU0mBgpg1GMSz1sJH",[],{"nodeType":1294,"data":2680,"content":2681},{},[2682],{"nodeType":1293,"value":2683,"marks":2684,"data":2685},"Push uses browser data collected by our browser agent to either detect the attack techniques directly, or identify the vulnerabilities being exploited. Upon making a detection, the browser agent enforces a relevant security control to either block the attack or prevent the user from introducing a vulnerability.",[],{},{"nodeType":1294,"data":2687,"content":2688},{},[2689],{"nodeType":1293,"value":2690,"marks":2691,"data":2692},"If you’re wondering why we’ve opted to build our tool in the browser, the short answer is that being in the browser gives us:",[],{},{"nodeType":1421,"data":2694,"content":2695},{},[2696,2711,2726],{"nodeType":1425,"data":2697,"content":2698},{},[2699],{"nodeType":1294,"data":2700,"content":2701},{},[2702,2707],{"nodeType":1293,"value":2703,"marks":2704,"data":2706},"The broadest visibility",[2705],{"type":1369},{},{"nodeType":1293,"value":2708,"marks":2709,"data":2710}," across all workforce identities, including unmanaged identities outside your IdP.",[],{},{"nodeType":1425,"data":2712,"content":2713},{},[2714],{"nodeType":1294,"data":2715,"content":2716},{},[2717,2722],{"nodeType":1293,"value":2718,"marks":2719,"data":2721},"The best telemetry",[2720],{"type":1369},{},{"nodeType":1293,"value":2723,"marks":2724,"data":2725}," for detecting identity attack TTPs and tools.",[],{},{"nodeType":1425,"data":2727,"content":2728},{},[2729],{"nodeType":1294,"data":2730,"content":2731},{},[2732,2737],{"nodeType":1293,"value":2733,"marks":2734,"data":2736},"The perfect enforcement 
point",[2735],{"type":1369},{},{"nodeType":1293,"value":2738,"marks":2739,"data":2740}," for stopping attacker actions or risky employee actions in real time. ",[],{},{"nodeType":1294,"data":2742,"content":2743},{},[2744,2748,2757],{"nodeType":1293,"value":2745,"marks":2746,"data":2747},"If you want a more detailed technical explanation, you can read this article by Dan on ",[],{},{"nodeType":1331,"data":2749,"content":2751},{"uri":2750},"https://pushsecurity.com/blog/the-web-proxy-is-dead-long-live-the-browser-extension/",[2752],{"nodeType":1293,"value":2753,"marks":2754,"data":2756},"why browser data is a better source of telemetry for detecting identity attacks than network, IdP and app logs",[2755],{"type":1339},{},{"nodeType":1293,"value":2057,"marks":2758,"data":2759},[],{},{"nodeType":1294,"data":2761,"content":2762},{},[2763],{"nodeType":1293,"value":2764,"marks":2765,"data":2766},"Now we’ve cleared that up, let's look at some account takeover techniques.",[],{},{"nodeType":1406,"data":2768,"content":2769},{},[2770],{"nodeType":1293,"value":2771,"marks":2772,"data":2773},"Part 1: Phishing (including AitM and BitM toolkits)",[],{},{"nodeType":1294,"data":2775,"content":2776},{},[2777],{"nodeType":1293,"value":2778,"marks":2779,"data":2780},"Phishing has been around since forever and there’s a mature category of solutions that are designed to detect and prevent it. But despite solutions like security awareness training, phishing domain detection services and email filtering tools, phishing is still one of the top breach vectors. 
",[],{},{"nodeType":2210,"data":2782,"content":2786},{"target":2783},{"sys":2784},{"id":2785,"type":2215,"linkType":2216},"4urh9lIuo0ePgVIJZNtP2B",[],{"nodeType":1294,"data":2788,"content":2789},{},[2790],{"nodeType":1293,"value":2791,"marks":2792,"data":2793},"We’ve all been conditioned to think about phishing as something that happens over email, but it’s actually the browser where most of the action happens, regardless of the initial delivery channel. Push’s position in the browser gives you the ideal vantage point for detecting and stopping phishing attacks.",[],{},{"nodeType":1294,"data":2795,"content":2796},{},[2797],{"nodeType":1293,"value":2798,"marks":2799,"data":2800},"The Push browser agent performs both passive observation and active interrogation in order to detect employees having their passwords harvested or visiting cloned app login pages or pages using AitM/BitM toolkits. Phishing attacks are detected in real time so Push blocks them before your employees can enter their credentials.",[],{},{"nodeType":1559,"data":2802,"content":2803},{},[2804],{"nodeType":1293,"value":2805,"marks":2806,"data":2807},"Detecting phishing through user behavior",[],{},{"nodeType":1294,"data":2809,"content":2810},{},[2811],{"nodeType":1293,"value":2812,"marks":2813,"data":2814},"Rather than trying to detect phishing websites and domains that constantly change, Push detects and blocks phishing attempts based on observing user behavior in the browser.",[],{},{"nodeType":1294,"data":2816,"content":2817},{},[2818],{"nodeType":1293,"value":2819,"marks":2820,"data":2821},"Push does this by observing all logins and generating a fingerprint (or technically a k-anonymized salted partial hash) of the user’s password. 
This fingerprint is then stored locally to allow Push to perform comparisons.",[],{},{"nodeType":1294,"data":2823,"content":2824},{},[2825],{"nodeType":1293,"value":2826,"marks":2827,"data":2828},"To detect potential phishing attacks, the browser agent compares the observed password fingerprint to known fingerprints for passwords that already exist in local storage.",[],{},{"nodeType":1294,"data":2830,"content":2831},{},[2832,2837],{"nodeType":1293,"value":2833,"marks":2834,"data":2836},"This means that it works even if that employee was the first person to get phished using a new attacker site: ",[2835],{"type":1369},{},{"nodeType":1293,"value":2838,"marks":2839,"data":2840},"Push still detects it and blocks it before your employee can submit their credentials. It also works regardless of the delivery vector used to get the phishing link to the intended victim.",[],{},{"nodeType":2210,"data":2842,"content":2846},{"target":2843},{"sys":2844},{"id":2845,"type":2215,"linkType":2216},"2V2My5IpdVUwh4QugqInUw",[],{"nodeType":1294,"data":2848,"content":2849},{},[2850],{"nodeType":1293,"value":2851,"marks":2852,"data":2853},"Once you’ve discovered a malicious site, you can use Push’s companion feature, URL blocking, to add the domain to a blocklist and prevent your other end-users from even visiting the site.",[],{},{"nodeType":1294,"data":2855,"content":2856},{},[2857,2861,2869],{"nodeType":1293,"value":2858,"marks":2859,"data":2860},"You can programmatically manage URL blocking as part of responding to an attempted phishing incident by using the ",[],{},{"nodeType":1331,"data":2862,"content":2864},{"uri":2863},"https://pushsecurity.redoc.ly/rest-v1/",[2865],{"nodeType":1293,"value":2866,"marks":2867,"data":2868},"Push REST API",[],{},{"nodeType":1293,"value":2870,"marks":2871,"data":2872}," to automatically add URLs to the blocklist or to sync with other threat intelligence sources of known-bad 
sites.",[],{},{"nodeType":1294,"data":2874,"content":2875},{},[2876,2880,2889],{"nodeType":1293,"value":2877,"marks":2878,"data":2879},"You can find out more about this control in this ",[],{},{"nodeType":1331,"data":2881,"content":2883},{"uri":2882},"https://pushsecurity.com/blog/introducing-sso-password-protection/",[2884],{"nodeType":1293,"value":2885,"marks":2886,"data":2888},"deep-dive article",[2887],{"type":1339},{},{"nodeType":1293,"value":2146,"marks":2890,"data":2891},[],{},{"nodeType":1559,"data":2893,"content":2894},{},[2895],{"nodeType":1293,"value":2896,"marks":2897,"data":2898},"Detecting cloned login pages",[],{},{"nodeType":1294,"data":2900,"content":2901},{},[2902],{"nodeType":1293,"value":2903,"marks":2904,"data":2905},"It’s now very easy for attackers to create cloned login pages that appear to be legitimate, tricking users into providing their credentials. ",[],{},{"nodeType":1294,"data":2907,"content":2908},{},[2909,2913,2922],{"nodeType":1293,"value":2910,"marks":2911,"data":2912},"There are a number of phishing kits that allow the attacker to simply copy the HTML code from a legitimate website and duplicate it on the malicious site, creating a virtually identical interface that tricks users into entering their credentials. A final sprinkle of typosquatting techniques completes the illusion of legitimacy. The Federal Communications Commission (FCC) ",[],{},{"nodeType":1331,"data":2914,"content":2916},{"uri":2915},"https://www.nextgov.com/cybersecurity/2024/03/fcc-staff-targeted-phishing-attack-cloned-agency-login-site/394609/",[2917],{"nodeType":1293,"value":2918,"marks":2919,"data":2921},"was a recent target",[2920],{"type":1339},{},{"nodeType":1293,"value":2923,"marks":2924,"data":2925}," of this kind of attack. 
",[],{},{"nodeType":1294,"data":2927,"content":2928},{},[2929],{"nodeType":1293,"value":2930,"marks":2931,"data":2932},"Push’s cloned app detection feature detects fraudulent login pages by inspecting the resources and structure of pages users log into and fingerprinting them so they can be used to detect when that action occurs on the wrong domain. ",[],{},{"nodeType":1294,"data":2934,"content":2935},{},[2936,2940,2948],{"nodeType":1293,"value":2937,"marks":2938,"data":2939},"You can ",[],{},{"nodeType":1331,"data":2941,"content":2943},{"uri":2942},"https://pushsecurity.com/blog/introducing-cloned-login-page-detection/",[2944],{"nodeType":1293,"value":2945,"marks":2946,"data":2947},"read more about this feature here",[],{},{"nodeType":1293,"value":2057,"marks":2949,"data":2950},[],{},{"nodeType":1559,"data":2952,"content":2953},{},[2954],{"nodeType":1293,"value":2955,"marks":2956,"data":2957},"Detecting AitM and BitM toolkits",[],{},{"nodeType":1294,"data":2959,"content":2960},{},[2961,2965,2973,2976,2984,2987,2995,2999,3007],{"nodeType":1293,"value":2962,"marks":2963,"data":2964},"Adversary-in-the-Middle (AitM) phishing is a technique that uses dedicated tooling to act as a proxy between the target and a legitimate login portal for an application, principally to bypass MFA. As it’s a proxy to the real application, the page will appear exactly as the user expects, making this technique difficult to spot. 
Popular AitM toolkits include ",[],{},{"nodeType":1331,"data":2966,"content":2968},{"uri":2967},"https://github.com/drk1wi/Modlishka",[2969],{"nodeType":1293,"value":2970,"marks":2971,"data":2972},"Modlishka",[],{},{"nodeType":1293,"value":1616,"marks":2974,"data":2975},[],{},{"nodeType":1331,"data":2977,"content":2979},{"uri":2978},"https://github.com/muraenateam/muraena",[2980],{"nodeType":1293,"value":2981,"marks":2982,"data":2983},"Muraena",[],{},{"nodeType":1293,"value":1616,"marks":2985,"data":2986},[],{},{"nodeType":1331,"data":2988,"content":2990},{"uri":2989},"https://github.com/kgretzky/evilginx2",[2991],{"nodeType":1293,"value":2992,"marks":2993,"data":2994},"Evilginx",[],{},{"nodeType":1293,"value":2996,"marks":2997,"data":2998}," and ",[],{},{"nodeType":1331,"data":3000,"content":3002},{"uri":3001},"https://www.bleepingcomputer.com/news/security/evilproxy-uses-indeedcom-open-redirect-for-microsoft-365-phishing/",[3003],{"nodeType":1293,"value":3004,"marks":3005,"data":3006},"Evilproxy",[],{},{"nodeType":1293,"value":2146,"marks":3008,"data":3009},[],{},{"nodeType":1294,"data":3011,"content":3012},{},[3013],{"nodeType":1293,"value":3014,"marks":3015,"data":3016},"Browser-in-the-Middle (BitM) toolkits are different to AitM toolkits because they don’t act as a reverse proxy. Instead, they trick their victim into directly controlling the attacker’s own browser using remote desktop screen sharing and control approaches — think of this like VNC or RDP but using the browser as a client. This is the virtual equivalent of an attacker handing their laptop to their victim, asking them to log in to an app for them, and then taking their laptop back afterwards.",[],{},{"nodeType":1294,"data":3018,"content":3019},{},[3020,3024,3033],{"nodeType":1293,"value":3021,"marks":3022,"data":3023},"We’ve conducted a lot of research into AitM and BitM toolkits recently. 
If you want to learn more about how they work and see a demo of them in action, ",[],{},{"nodeType":1331,"data":3025,"content":3027},{"uri":3026},"https://pushsecurity.com/resources/video/phishing-detecting-evilginx-evilnovnc-muraena-and-modlishka/",[3028],{"nodeType":1293,"value":3029,"marks":3030,"data":3032},"head over here",[3031],{"type":1339},{},{"nodeType":1293,"value":2146,"marks":3034,"data":3035},[],{},{"nodeType":1294,"data":3037,"content":3038},{},[3039],{"nodeType":1293,"value":3040,"marks":3041,"data":3042},"Push gives you a preconfigured set of detections for AitM and BitM toolkits, informed by our threat detection team’s research into their behavior. This phishing tool detection feature will automatically prevent users from accessing a site that’s running one of these malicious tools, and display a custom warning message to your end-users.",[],{},{"nodeType":2210,"data":3044,"content":3048},{"target":3045},{"sys":3046},{"id":3047,"type":2215,"linkType":2216},"4ixcEsEW4EyqckOTmP5Pbb",[],{"nodeType":1294,"data":3050,"content":3051},{},[3052,3056,3062],{"nodeType":1293,"value":3053,"marks":3054,"data":3055},"Administrators can also consume phishing tool detection events via the ",[],{},{"nodeType":1331,"data":3057,"content":3058},{"uri":2863},[3059],{"nodeType":1293,"value":2866,"marks":3060,"data":3061},[],{},{"nodeType":1293,"value":3063,"marks":3064,"data":3065}," into their SIEM or use Push’s webhooks to alert when a warn or block event has occurred.",[],{},{"nodeType":1294,"data":3067,"content":3068},{},[3069,3073,3082],{"nodeType":1293,"value":3070,"marks":3071,"data":3072},"You can read a full write-up of this feature if you want to ",[],{},{"nodeType":1331,"data":3074,"content":3076},{"uri":3075},"https://pushsecurity.com/blog/introducing-aitm-phishing-toolkit-detection-powered-by-the-push-browser/",[3077],{"nodeType":1293,"value":3078,"marks":3079,"data":3081},"learn 
more",[3080],{"type":1339},{},{"nodeType":1293,"value":2146,"marks":3083,"data":3084},[],{},{"nodeType":1406,"data":3086,"content":3087},{},[3088],{"nodeType":1293,"value":3089,"marks":3090,"data":3091},"Part 2: Infostealer malware",[],{},{"nodeType":1294,"data":3093,"content":3094},{},[3095,3099,3107],{"nodeType":1293,"value":3096,"marks":3097,"data":3098},"The recent ",[],{},{"nodeType":1331,"data":3100,"content":3101},{"uri":1347},[3102],{"nodeType":1293,"value":3103,"marks":3104,"data":3106},"Snowflake breach",[3105],{"type":1339},{},{"nodeType":1293,"value":3108,"marks":3109,"data":3110}," highlighted how infostealer malware is becoming a serious issue for security teams. As well as being able to steal credentials for account takeover, infostealers can also be used to steal session tokens which then allow the attacker to assume an already authorized session without needing to bypass MFA.   ",[],{},{"nodeType":1294,"data":3112,"content":3113},{},[3114],{"nodeType":1293,"value":3115,"marks":3116,"data":3117},"Nearly half of the malware detected last year by Sophos targeted victims’ data specifically, and the majority of that malware was classified as infostealers. ",[],{},{"nodeType":2210,"data":3119,"content":3123},{"target":3120},{"sys":3121},{"id":3122,"type":2215,"linkType":2216},"66B5MBFIhbmky7VuLGbuM3",[],{"nodeType":1294,"data":3125,"content":3126},{},[3127],{"nodeType":1293,"value":3128,"marks":3129,"data":3130},"Infostealers are primarily being used by Initial Access Brokers to harvest credentials and session tokens that they then sell to other threat actors intent on executing more penetrating attacks (e.g. ransomware).  
",[],{},{"nodeType":1294,"data":3132,"content":3133},{},[3134,3137,3144],{"nodeType":1293,"value":2044,"marks":3135,"data":3136},[],{},{"nodeType":1331,"data":3138,"content":3139},{"uri":2049},[3140],{"nodeType":1293,"value":2052,"marks":3141,"data":3143},[3142],{"type":1339},{},{"nodeType":1293,"value":2057,"marks":3145,"data":3146},[],{},{"nodeType":1294,"data":3148,"content":3149},{},[3150],{"nodeType":1293,"value":3151,"marks":3152,"data":3153},"Getting total coverage across your endpoint estate is notoriously difficult, if not totally unrealistic. Unless the malware is stopped on execution, then data will inevitably be stolen, and will continue to be taken until stopped (or it self-terminates). And once an attacker has stolen employee credentials or sessions, the credential stuffing and session hijacking attacks that come next won’t touch the endpoint. ",[],{},{"nodeType":1294,"data":3155,"content":3156},{},[3157],{"nodeType":1293,"value":3158,"marks":3159,"data":3160},"For those reasons, you can’t rely on EDR as a single line of defense against infostealers. Push gives you those extra layers of defense to stop account takeover attempts that use stolen credentials and sessions.",[],{},{"nodeType":2210,"data":3162,"content":3166},{"target":3163},{"sys":3164},{"id":3165,"type":2215,"linkType":2216},"4YB6DLIE5TvaAsAAUoJd5v",[],{"nodeType":1559,"data":3168,"content":3169},{},[3170],{"nodeType":1293,"value":3171,"marks":3172,"data":3173},"Detecting stolen sessions ",[],{},{"nodeType":1294,"data":3175,"content":3176},{},[3177],{"nodeType":1293,"value":3178,"marks":3179,"data":3180},"Push uses its browser agent to inject a unique marker into the user agent string of sessions that occur in browsers enrolled in Push. You then add the list of domains where you wish to inject the marker into sessions, such as an identity provider like Okta or Microsoft. 
",[],{},{"nodeType":1294,"data":3182,"content":3183},{},[3184],{"nodeType":1293,"value":3185,"marks":3186,"data":3187},"By analyzing logs from the IdP, you can identify activity from the same session that both has the Push marker and that lacks the marker. This can only ever happen when a session is extracted from a browser and maliciously imported into a different browser.",[],{},{"nodeType":1294,"data":3189,"content":3190},{},[3191],{"nodeType":1293,"value":3192,"marks":3193,"data":3194},"This is a high-fidelity signal that a stolen session token is being used by an attacker. It’s certainly a lot cleaner than relying on IP-based or geolocation-based signals, which result in frequent false positives.",[],{},{"nodeType":2210,"data":3196,"content":3200},{"target":3197},{"sys":3198},{"id":3199,"type":2215,"linkType":2216},"1XNNkaoW64t3PPvC54KGXF",[],{"nodeType":1559,"data":3202,"content":3203},{},[3204],{"nodeType":1293,"value":3205,"marks":3206,"data":3207},"Detecting stolen credentials being sold on the dark web",[],{},{"nodeType":1294,"data":3209,"content":3210},{},[3211],{"nodeType":1293,"value":3212,"marks":3213,"data":3214},"Push integrates stolen credential threat intelligence and alerts you when your employees’ credentials are being sold on the dark web. ",[],{},{"nodeType":1294,"data":3216,"content":3217},{},[3218],{"nodeType":1293,"value":3219,"marks":3220,"data":3221},"Commercial TI feeds of stolen credentials have been available for some time. But what we’ve found is that the false-positive rate is incredibly high and the vast majority of credentials are no longer in use.",[],{},{"nodeType":1294,"data":3223,"content":3224},{},[3225],{"nodeType":1293,"value":3226,"marks":3227,"data":3228},"Push validates that leaked credentials match those that are currently being used by your employees to authenticate on any apps they are using in the browser. 
That means that any alerts or automated actions generated by Push are actionable true positives, cutting out a huge amount of noise and saving your security team time. ",[],{},{"nodeType":2210,"data":3230,"content":3234},{"target":3231},{"sys":3232},{"id":3233,"type":2215,"linkType":2216},"3RnPM0ioGWi3CFMLkxQanO",[],{"nodeType":1406,"data":3236,"content":3237},{},[3238],{"nodeType":1293,"value":3239,"marks":3240,"data":3241},"Part 3: Credential stuffing",[],{},{"nodeType":1294,"data":3243,"content":3244},{},[3245],{"nodeType":1293,"value":3246,"marks":3247,"data":3248},"The previous sections looked at how Push detects and stops common techniques used for stealing and acquiring credentials. We’re now going to cover how Push stops stolen credentials from being used to access and take over employee accounts. ",[],{},{"nodeType":1294,"data":3250,"content":3251},{},[3252,3257],{"nodeType":1293,"value":3253,"marks":3254,"data":3256},"Credential stuffing ",[3255],{"type":1369},{},{"nodeType":1293,"value":3258,"marks":3259,"data":3260},"is when attackers use tools that automate the process of taking a list of stolen passwords and retargeting those credentials against different apps.",[],{},{"nodeType":1294,"data":3262,"content":3263},{},[3264,3268,3273],{"nodeType":1293,"value":3265,"marks":3266,"data":3267},"Closely related to credential stuffing is ",[],{},{"nodeType":1293,"value":3269,"marks":3270,"data":3272},"password spraying",[3271],{"type":1369},{},{"nodeType":1293,"value":3274,"marks":3275,"data":3276},". Instead of using stolen credentials, an attacker uses a list of commonly used usernames and passwords to attempt to compromise accounts. ",[],{},{"nodeType":1294,"data":3278,"content":3279},{},[3280],{"nodeType":1293,"value":3281,"marks":3282,"data":3283},"Both credential stuffing and password spraying are high-volume, automated attacks, and they are an unrelenting problem for most businesses. 
Microsoft observes 4,000 of them every second, and nearly half of all login requests Auth0 receives each day are attempts at credential stuffing. ",[],{},{"nodeType":1294,"data":3285,"content":3286},{},[3287],{"nodeType":1293,"value":3288,"marks":3289,"data":3290},"The true scale of the problem is hard to grasp, as neither app vendors nor users have effective means of monitoring for unauthorized access. Typically these breaches are only detected when:",[],{},{"nodeType":1421,"data":3292,"content":3293},{},[3294,3314,3336],{"nodeType":1425,"data":3295,"content":3296},{},[3297],{"nodeType":1294,"data":3298,"content":3299},{},[3300,3304,3311],{"nodeType":1293,"value":3301,"marks":3302,"data":3303},"The attacker leaks the data they’ve stolen, like in the ",[],{},{"nodeType":1331,"data":3305,"content":3306},{"uri":1347},[3307],{"nodeType":1293,"value":3103,"marks":3308,"data":3310},[3309],{"type":1339},{},{"nodeType":1293,"value":2146,"marks":3312,"data":3313},[],{},{"nodeType":1425,"data":3315,"content":3316},{},[3317],{"nodeType":1294,"data":3318,"content":3319},{},[3320,3324,3333],{"nodeType":1293,"value":3321,"marks":3322,"data":3323},"The attacker deploys ransomware that results in business disruption, like that suffered by ",[],{},{"nodeType":1331,"data":3325,"content":3327},{"uri":3326},"https://pushsecurity.com/blog/identity-attacks-in-the-wild/#id-mgm-resorts-september-2023",[3328],{"nodeType":1293,"value":3329,"marks":3330,"data":3332},"MGM Resorts",[3331],{"type":1339},{},{"nodeType":1293,"value":2057,"marks":3334,"data":3335},[],{},{"nodeType":1425,"data":3337,"content":3338},{},[3339],{"nodeType":1294,"data":3340,"content":3341},{},[3342,3346,3355],{"nodeType":1293,"value":3343,"marks":3344,"data":3345},"The attackers use a compromised account to do something deliberately in the public eye. 
For example, when the SEC’s X (formerly Twitter) account was compromised and ",[],{},{"nodeType":1331,"data":3347,"content":3349},{"uri":3348},"https://incyber.org/en/article/fake-sec-tweet-triggers-bitcoin-surge/#:~:text=The%20fake%20headline%20convinced%20a,an%20unauthorized%20tweet%20was%20posted.",[3350],{"nodeType":1293,"value":3351,"marks":3352,"data":3354},"sent out a message announcing the approval of Bitcoin ETF",[3353],{"type":1339},{},{"nodeType":1293,"value":3356,"marks":3357,"data":3358},".  ",[],{},{"nodeType":1294,"data":3360,"content":3361},{},[3362],{"nodeType":1293,"value":3363,"marks":3364,"data":3365},"Push gives you a number of controls to combat attacks using stolen and guessed passwords, both to prevent them from occurring, and detect them when they do.",[],{},{"nodeType":1559,"data":3367,"content":3368},{},[3369],{"nodeType":1293,"value":3370,"marks":3371,"data":3372},"Prevent employees using credentials that have already been stolen and leaked",[],{},{"nodeType":1294,"data":3374,"content":3375},{},[3376],{"nodeType":1293,"value":3377,"marks":3378,"data":3379},"First, let's stop your employees from using any credentials that have already been stolen and are available to attackers for use in a credential-stuffing attack. ",[],{},{"nodeType":1294,"data":3381,"content":3382},{},[3383],{"nodeType":1293,"value":3384,"marks":3385,"data":3386},"Push monitors stolen credential threat intelligence and compares it to the credentials employees are currently using to access their apps. ",[],{},{"nodeType":1294,"data":3388,"content":3389},{},[3390],{"nodeType":1293,"value":3391,"marks":3392,"data":3393},"You might be wondering, “Does that mean Push sees all our employees’ passwords!?” No. Rather, we use a fingerprint of each password, which is checked locally in the user’s browser and never leaves it. 
",[],{},{"nodeType":1294,"data":3395,"content":3396},{},[3397],{"nodeType":1293,"value":3398,"marks":3399,"data":3400},"When we get a match – a stolen password that could successfully be used in a credential-stuffing attack – Push alerts you.",[],{},{"nodeType":1559,"data":3402,"content":3403},{},[3404],{"nodeType":1293,"value":3405,"marks":3406,"data":3407},"Enforce MFA on all employee accounts",[],{},{"nodeType":1294,"data":3409,"content":3410},{},[3411],{"nodeType":1293,"value":3412,"marks":3413,"data":3414},"Next step is to secure the accounts most vulnerable to a credential stuffing attack – those that only use a password for single-factor authentication. ",[],{},{"nodeType":1294,"data":3416,"content":3417},{},[3418,3422,3430],{"nodeType":1293,"value":3419,"marks":3420,"data":3421},"If you’re using SSO to access apps, then it’s easy to overlook instances where local accounts (e.g. username and password logins) are missing MFA – particularly if you’re relying on an IdP solution to audit and enforce MFA. ",[],{},{"nodeType":1331,"data":3423,"content":3424},{"uri":2005},[3425],{"nodeType":1293,"value":3426,"marks":3427,"data":3429},"You can read more about this problem in our blog post on ghost logins",[3428],{"type":1339},{},{"nodeType":1293,"value":2146,"marks":3431,"data":3432},[],{},{"nodeType":1294,"data":3434,"content":3435},{},[3436],{"nodeType":1293,"value":3437,"marks":3438,"data":3439},"Push observes every login made by your employees (both inside and outside SSO) and inspects the authentication protocols used. 
Accounts that are missing MFA are identified and presented to you in the Push platform.",[],{},{"nodeType":2210,"data":3441,"content":3445},{"target":3442},{"sys":3443},{"id":3444,"type":2215,"linkType":2216},"4t1PHxzadoTBjtJua6dzuJ",[],{"nodeType":1294,"data":3447,"content":3448},{},[3449],{"nodeType":1293,"value":3450,"marks":3451,"data":3452},"You can then use Push to enforce MFA on employee accounts, or present them with in-browser guidance requesting that they enable it themselves.  ",[],{},{"nodeType":2210,"data":3454,"content":3458},{"target":3455},{"sys":3456},{"id":3457,"type":2215,"linkType":2216},"3JSTEJGtLT0hfwnkpLRP4K",[],{"nodeType":1559,"data":3460,"content":3461},{},[3462],{"nodeType":1293,"value":3463,"marks":3464,"data":3465},"Prevent multiple accounts being compromised by credential stuffing due to password reuse",[],{},{"nodeType":1294,"data":3467,"content":3468},{},[3469],{"nodeType":1293,"value":3470,"marks":3471,"data":3472},"The credential stuffing tools that attackers use will target a long list of popular business apps. If a password is reused across multiple apps and is breached, the blast radius is naturally increased – the attacker will be able to hijack multiple accounts, across numerous business applications.",[],{},{"nodeType":1294,"data":3474,"content":3475},{},[3476],{"nodeType":1293,"value":3477,"marks":3478,"data":3479},"Push detects when employees are trying to use the same password across multiple apps. 
When this happens, you can request that they change their password.",[],{},{"nodeType":2210,"data":3481,"content":3485},{"target":3482},{"sys":3483},{"id":3484,"type":2215,"linkType":2216},"7ARHp2JPiHeKRYHwa2jwIZ",[],{"nodeType":1559,"data":3487,"content":3488},{},[3489],{"nodeType":1293,"value":3490,"marks":3491,"data":3492},"Prevent password spraying breaches",[],{},{"nodeType":1294,"data":3494,"content":3495},{},[3496],{"nodeType":1293,"value":3497,"marks":3498,"data":3499},"To stop your employees’ accounts from being breached by password spraying attacks, Push checks every password to see if it is easily guessable for attackers.",[],{},{"nodeType":1294,"data":3501,"content":3502},{},[3503],{"nodeType":1293,"value":3504,"marks":3505,"data":3506},"To determine if a password is easily guessable, the Push browser agent automatically checks the password against:",[],{},{"nodeType":1421,"data":3508,"content":3509},{},[3510,3520,3530],{"nodeType":1425,"data":3511,"content":3512},{},[3513],{"nodeType":1294,"data":3514,"content":3515},{},[3516],{"nodeType":1293,"value":3517,"marks":3518,"data":3519},"A list of top 10,000 weak base passwords.",[],{},{"nodeType":1425,"data":3521,"content":3522},{},[3523],{"nodeType":1294,"data":3524,"content":3525},{},[3526],{"nodeType":1293,"value":3527,"marks":3528,"data":3529},"Number and special character variations on these weak base passwords, for example: Password1! or January2022.",[],{},{"nodeType":1425,"data":3531,"content":3532},{},[3533],{"nodeType":1294,"data":3534,"content":3535},{},[3536],{"nodeType":1293,"value":3537,"marks":3538,"data":3539},"Variations on these weak base passwords that replace letters with numerals (1337), for example: P455w0rd.",[],{},{"nodeType":1294,"data":3541,"content":3542},{},[3543],{"nodeType":1293,"value":3544,"marks":3545,"data":3546},"You can also add your own custom word list that employees and attackers will predictably try and use. 
Push will then stop those words being used as part of passwords.",[],{},{"nodeType":1559,"data":3548,"content":3549},{},[3550],{"nodeType":1293,"value":3551,"marks":3552,"data":3553},"Detect unauthorized sessions  ",[],{},{"nodeType":1294,"data":3555,"content":3556},{},[3557],{"nodeType":1293,"value":3558,"marks":3559,"data":3560},"Once you have enabled all the Push controls that prevent employees from creating and using accounts that can be easily compromised by credential stuffing and password spraying attacks, the next line of defense is to detect when accounts are taken over.",[],{},{"nodeType":1294,"data":3562,"content":3563},{},[3564],{"nodeType":1293,"value":3565,"marks":3566,"data":3567},"Push uses its browser agent to inject a unique marker into the user agent string of sessions that occur in browsers enrolled in Push. You then add the list of domains that you want to have injected with the session marker. ",[],{},{"nodeType":1294,"data":3569,"content":3570},{},[3571],{"nodeType":1293,"value":3572,"marks":3573,"data":3574},"By analyzing logs from the IdP, you can identify a single session that shows activity both with the Push marker and without it. Activity without the marker did not come from the legitimate user (your employee) in their usual work browser, and could be an attacker using their account. ",[],{},{"nodeType":1559,"data":3576,"content":3577},{},[3578],{"nodeType":1293,"value":3579,"marks":3580,"data":3581},"Reduce your identity attack surface",[],{},{"nodeType":1294,"data":3583,"content":3584},{},[3585],{"nodeType":1293,"value":3586,"marks":3587,"data":3588},"Finally, you’ll likely want to reduce your attack surface that can be targeted by credential stuffing. In other words, reduce the number of username and password accounts your employees have. 
",[],{},{"nodeType":1294,"data":3590,"content":3591},{},[3592],{"nodeType":1293,"value":3593,"marks":3594,"data":3595},"There are a few ways that Push can help you do this.",[],{},{"nodeType":1421,"data":3597,"content":3598},{},[3599,3614,3629],{"nodeType":1425,"data":3600,"content":3601},{},[3602],{"nodeType":1294,"data":3603,"content":3604},{},[3605,3610],{"nodeType":1293,"value":3606,"marks":3607,"data":3609},"Block access to unapproved apps",[3608],{"type":1369},{},{"nodeType":1293,"value":3611,"marks":3612,"data":3613},". Using Push, you can create a block list of apps that you don’t want your users to create accounts and identities on.",[],{},{"nodeType":1425,"data":3615,"content":3616},{},[3617],{"nodeType":1294,"data":3618,"content":3619},{},[3620,3625],{"nodeType":1293,"value":3621,"marks":3622,"data":3624},"Use app banners to stop users from creating local accounts",[3623],{"type":1369},{},{"nodeType":1293,"value":3626,"marks":3627,"data":3628},". When an employee goes to sign up to an app, Push will present an app banner that tells them to use their SSO identity and not to create a username and password account.",[],{},{"nodeType":1425,"data":3630,"content":3631},{},[3632],{"nodeType":1294,"data":3633,"content":3634},{},[3635,3640],{"nodeType":1293,"value":3636,"marks":3637,"data":3639},"Get existing accounts and apps behind SSO",[3638],{"type":1369},{},{"nodeType":1293,"value":3641,"marks":3642,"data":3643},". Push shows you how your employees are logging in to every account on every app, including whether they’re using SAML or OIDC SSO. 
Armed with this data, you can get your employees to use your preferred SSO solution on the apps where it’s already available, and look into whether other popular apps being used in the business offer SSO.",[],{},{"nodeType":2210,"data":3645,"content":3649},{"target":3646},{"sys":3647},{"id":3648,"type":2215,"linkType":2216},"3y8L55hbcQaRYPCdYYb3xA",[],{"nodeType":1406,"data":3651,"content":3652},{},[3653],{"nodeType":1293,"value":3654,"marks":3655,"data":3656},"Stop account takeover at the push of a button",[],{},{"nodeType":1294,"data":3658,"content":3659},{},[3660,3664,3672,3676,3681,3684,3689,3693,3697],{"nodeType":1293,"value":3661,"marks":3662,"data":3663},"We’ve described a lot of controls in this article. The good news is that they’re all pre-configured on the ",[],{},{"nodeType":1331,"data":3665,"content":3667},{"uri":3666},"https://pushsecurity.com/help/audience/administrators/docs/manage-security-controls/#start",[3668],{"nodeType":1293,"value":3669,"marks":3670,"data":3671},"Controls",[],{},{"nodeType":1293,"value":3673,"marks":3674,"data":3675}," page in the Push platform. When you get started with Push, you can simply turn on all the controls you want, and decide whether you want them to work in ",[],{},{"nodeType":1293,"value":3677,"marks":3678,"data":3680},"monitor",[3679],{"type":1369},{},{"nodeType":1293,"value":1616,"marks":3682,"data":3683},[],{},{"nodeType":1293,"value":3685,"marks":3686,"data":3688},"warn",[3687],{"type":1369},{},{"nodeType":1293,"value":3690,"marks":3691,"data":3692}," mode or ",[],{},{"nodeType":1293,"value":138,"marks":3694,"data":3696},[3695],{"type":1369},{},{"nodeType":1293,"value":3698,"marks":3699,"data":3700}," mode.    
",[],{},{"nodeType":2210,"data":3702,"content":3706},{"target":3703},{"sys":3704},{"id":3705,"type":2215,"linkType":2216},"6FCuO78yQMNZvkcbcALmis",[],{"nodeType":1559,"data":3708,"content":3709},{},[3710],{"nodeType":1293,"value":3711,"marks":3712,"data":3713},"See it for yourself",[],{},{"nodeType":1294,"data":3715,"content":3716},{},[3717,3721,3729],{"nodeType":1293,"value":3718,"marks":3719,"data":3720},"To learn more, ",[],{},{"nodeType":1331,"data":3722,"content":3724},{"uri":3723},"https://pushsecurity.com/demo/",[3725],{"nodeType":1293,"value":3726,"marks":3727,"data":3728},"book a demo",[],{},{"nodeType":1293,"value":3730,"marks":3731,"data":3732},". We’ll be happy to show you these features, along with how we discover all the apps your employees are using, even the ones not behind SSO.",[],{},{"nodeType":2210,"data":3734,"content":3738},{"target":3735},{"sys":3736},{"id":3737,"type":2215,"linkType":2216},"4IRtR9zicpB7lXdz2RvIlK",[],{"nodeType":1294,"data":3740,"content":3741},{},[3742],{"nodeType":1293,"value":37,"marks":3743,"data":3744},[],{},"Hackers don’t hack in, they log in: How to prevent account takeover with Push","How Push stops attackers from using identity attack tools and techniques to compromise your employee user accounts. 
","2024-08-19T00:00:00.000Z","how-to-prevent-account-takeover-with-push",{"items":3750},[3751,3753],{"sys":3752,"name":1312},{"id":1311},{"sys":3754,"name":1308},{"id":1307},{"items":3756},[3757],{"fullName":3758,"firstName":3759,"jobTitle":3760,"profilePicture":3761},"Alex Henshall","Alex","Product Team",{"url":3762},"https://images.ctfassets.net/y1cdw1ablpvd/2rz3Pre3b1MexPIQ4hzPUe/0ef8a092b7e7df00fbce3f7d1ccb96d1/Alex_Henshall.jpeg",{"__typename":1316,"sys":3764,"content":3766,"title":4184,"synopsis":4185,"hashTags":118,"publishedDate":4186,"slug":4187,"tagsCollection":4188,"authorsCollection":4196},{"id":3765},"4EfGLsD4qOkE4AoTUoL83m",{"json":3767},{"nodeType":1295,"data":3768,"content":3769},{},[3770,3776,3798,3819,3838,3858,3881,3888,3909,3930,3937,3943,3950,3957,3964,3971,3978,3985,3992,3999,4006,4027,4034,4040,4065,4072,4087,4093,4114,4121,4128,4135,4142,4160,4167],{"nodeType":2210,"data":3771,"content":3775},{"target":3772},{"sys":3773},{"id":3774,"type":2215,"linkType":2216},"B8i0EK90Dn7FLrJXR4ANh",[],{"nodeType":1294,"data":3777,"content":3778},{},[3779,3783,3794],{"nodeType":1293,"value":3780,"marks":3781,"data":3782},"Is the golden era of MFA protection over? 
Watch a demo of an ",[],{},{"nodeType":3784,"data":3785,"content":3789},"entry-hyperlink",{"target":3786},{"sys":3787},{"id":3788,"type":2215,"linkType":2216},"7DJnckJxP4CXyXhPJJpby5",[3790],{"nodeType":1293,"value":3791,"marks":3792,"data":3793},"EvilNoVNC phishing attack",[],{},{"nodeType":1293,"value":3795,"marks":3796,"data":3797}," and you may be left sweating a little and whispering “FIDO2” like a protection spell.",[],{},{"nodeType":1294,"data":3799,"content":3800},{},[3801,3805,3815],{"nodeType":1293,"value":3802,"marks":3803,"data":3804},"With the widespread adoption of MFA, attackers are ",[],{},{"nodeType":3784,"data":3806,"content":3810},{"target":3807},{"sys":3808},{"id":3809,"type":2215,"linkType":2216},"6XIts2UEnrsJDki8gKDXyI",[3811],{"nodeType":1293,"value":3812,"marks":3813,"data":3814},"increasingly turning",[],{},{"nodeType":1293,"value":3816,"marks":3817,"data":3818}," to more sophisticated methods of credential theft as their initial point of entry. ",[],{},{"nodeType":1294,"data":3820,"content":3821},{},[3822,3826,3834],{"nodeType":1293,"value":3823,"marks":3824,"data":3825},"Newer phishing approaches include reverse proxies as well as tools that mimic legitimate login pages by rendering the webpages and then displaying those renders to the unsuspecting end-user. 
While these tools are not always common knowledge among blue teams, their use is ",[],{},{"nodeType":1331,"data":3827,"content":3829},{"uri":3828},"https://www.lab539.com/blog/6-months-tracking-aitm-campaigns",[3830],{"nodeType":1293,"value":3831,"marks":3832,"data":3833},"on the rise",[],{},{"nodeType":1293,"value":3835,"marks":3836,"data":3837},", an unsurprising response to the broad use of multi-factor authentication in many organizations.",[],{},{"nodeType":1294,"data":3839,"content":3840},{},[3841,3845,3854],{"nodeType":1293,"value":3842,"marks":3843,"data":3844},"What sets this generation of ",[],{},{"nodeType":3784,"data":3846,"content":3849},{"target":3847},{"sys":3848},{"id":3788,"type":2215,"linkType":2216},[3850],{"nodeType":1293,"value":3851,"marks":3852,"data":3853},"Adversary-in-the-Middle (AitM) phishing tools",[],{},{"nodeType":1293,"value":3855,"marks":3856,"data":3857}," apart? ",[],{},{"nodeType":1421,"data":3859,"content":3860},{},[3861,3871],{"nodeType":1425,"data":3862,"content":3863},{},[3864],{"nodeType":1294,"data":3865,"content":3866},{},[3867],{"nodeType":1293,"value":3868,"marks":3869,"data":3870},"They act as a proxy between the user and a legitimate web login page, allowing the attacker to bypass MFA and harvest credentials and session tokens.",[],{},{"nodeType":1425,"data":3872,"content":3873},{},[3874],{"nodeType":1294,"data":3875,"content":3876},{},[3877],{"nodeType":1293,"value":3878,"marks":3879,"data":3880},"They give off little scent to end-users, because the end-user is logging into the legitimate site, just by taking a detour via the attacker’s device.",[],{},{"nodeType":1294,"data":3882,"content":3883},{},[3884],{"nodeType":1293,"value":3885,"marks":3886,"data":3887},"These AitM tools are also difficult to detect — unless you have eyes in the browser.",[],{},{"nodeType":1294,"data":3889,"content":3890},{},[3891,3895,3905],{"nodeType":1293,"value":3892,"marks":3893,"data":3894},"Powered by the Push browser agent, Push now 
offers a ",[],{},{"nodeType":3784,"data":3896,"content":3900},{"target":3897},{"sys":3898},{"id":3899,"type":2215,"linkType":2216},"7KRnTSnJAbbiho69gNyN0B",[3901],{"nodeType":1293,"value":3902,"marks":3903,"data":3904},"preconfigured set of detections",[],{},{"nodeType":1293,"value":3906,"marks":3907,"data":3908}," for phishing tools like Evilginx and others, informed by our threat detection team’s research into their behavior. This phishing tool detection feature will automatically prevent users from accessing a site that’s running one of these malicious tools, and display a custom warning message to your end-users.",[],{},{"nodeType":1294,"data":3910,"content":3911},{},[3912,3916,3926],{"nodeType":1293,"value":3913,"marks":3914,"data":3915},"While Push already provides strong phishing protection by ",[],{},{"nodeType":3784,"data":3917,"content":3921},{"target":3918},{"sys":3919},{"id":3920,"type":2215,"linkType":2216},"4UtRVoFElDduWJBx9Sa4Cw",[3922],{"nodeType":1293,"value":3923,"marks":3924,"data":3925},"preventing SSO password use",[],{},{"nodeType":1293,"value":3927,"marks":3928,"data":3929}," on non-IdP webpages (in other words, it stops you from using your Okta password on any page that isn’t an Okta login page), this new feature allows us to sharpen our anti-phishing capabilities by detecting malware on a site before a user even interacts with the page. 
",[],{},{"nodeType":1294,"data":3931,"content":3932},{},[3933],{"nodeType":1293,"value":3934,"marks":3935,"data":3936},"In this article, we’ll describe our approach to detecting these newer phishing tools, including how we’re borrowing techniques from the world of EDR, and how you can combine phishing tool detection with other Push controls for a defense-in-depth strategy that covers both the user and the application sides of the equation.",[],{},{"nodeType":2210,"data":3938,"content":3942},{"target":3939},{"sys":3940},{"id":3941,"type":2215,"linkType":2216},"59q6klX2j7ClgUvmix93sG",[],{"nodeType":1406,"data":3944,"content":3945},{},[3946],{"nodeType":1293,"value":3947,"marks":3948,"data":3949},"Taking a page from EDR",[],{},{"nodeType":1294,"data":3951,"content":3952},{},[3953],{"nodeType":1293,"value":3954,"marks":3955,"data":3956},"Most phishing prevention solutions rely on lists of known-bad sites as the source of intelligence. These are always going to be a step behind reality because they rely on ever-shifting secondary attributes such as domain names (though we won’t be disabling Chrome Safe Browsing anytime soon, and we’re not trying to replace it).",[],{},{"nodeType":1294,"data":3958,"content":3959},{},[3960],{"nodeType":1293,"value":3961,"marks":3962,"data":3963},"As veterans of the EDR world, we’re drawn to think in analogous terms. With detecting AitM phishing tools, that means expanding on the concept of dynamic analysis on the endpoint. 
EDR allows you to dynamically analyze the behavior of malware live and at scale, rather than focusing on easy-to-change indicators like file hashes or domain names.",[],{},{"nodeType":1294,"data":3965,"content":3966},{},[3967],{"nodeType":1293,"value":3968,"marks":3969,"data":3970},"Applying this idea to malware that runs in the browser requires a solution that is in the browser, like the Push browser agent.",[],{},{"nodeType":1294,"data":3972,"content":3973},{},[3974],{"nodeType":1293,"value":3975,"marks":3976,"data":3977},"So we’re expanding the attributes that are traditionally analyzed to spot indicators of compromise (IoCs) beyond domains, file names, file hashes, IP addresses, etc., to also include behavioral attributes of malware that are much harder to change, such as Javascript calls being made or data structures saved to local storage.",[],{},{"nodeType":1294,"data":3979,"content":3980},{},[3981],{"nodeType":1293,"value":3982,"marks":3983,"data":3984},"By performing behavioral analysis on AitM automated proxy tools, we can directly analyze the application for a precise and immediate identification. ",[],{},{"nodeType":1294,"data":3986,"content":3987},{},[3988],{"nodeType":1293,"value":3989,"marks":3990,"data":3991},"Push researchers are regularly identifying and adding detections for new toolkits — think of this like Push’s database of threat research in action.",[],{},{"nodeType":1406,"data":3993,"content":3994},{},[3995],{"nodeType":1293,"value":3996,"marks":3997,"data":3998},"How it works",[],{},{"nodeType":1294,"data":4000,"content":4001},{},[4002],{"nodeType":1293,"value":4003,"marks":4004,"data":4005},"If you’re new to Push, a bit of context may be useful. Push uses a browser agent deployed to employee browsers (we support all major browsers) to prevent, detect, and block identity attacks. 
",[],{},{"nodeType":1294,"data":4007,"content":4008},{},[4009,4013,4023],{"nodeType":1293,"value":4010,"marks":4011,"data":4012},"By directly observing user behavior at the login event, Push provides broad and actionable context across all the apps your employees are using, how they are accessing them, their MFA methods, and where they’re using insecure and reused passwords. With this context as the foundation, Push enforces your desired ",[],{},{"nodeType":3784,"data":4014,"content":4018},{"target":4015},{"sys":4016},{"id":4017,"type":2215,"linkType":2216},"BtDLgVZRWQ3Ov4WgDQX1W",[4019],{"nodeType":1293,"value":4020,"marks":4021,"data":4022},"security controls",[],{},{"nodeType":1293,"value":4024,"marks":4025,"data":4026},", including preventing SSO password reuse, blocking malicious websites, or steering employees to approved apps only.",[],{},{"nodeType":1294,"data":4028,"content":4029},{},[4030],{"nodeType":1293,"value":4031,"marks":4032,"data":4033},"Once configured by an administrator, phishing tool detection will immediately check for the fingerprints of these toolkits as end-users visit websites and then display your custom warn or block message. ",[],{},{"nodeType":2210,"data":4035,"content":4039},{"target":4036},{"sys":4037},{"id":4038,"type":2215,"linkType":2216},"1LdHJjTDlOiie5mctbAVvZ",[],{"nodeType":1294,"data":4041,"content":4042},{},[4043,4047,4052,4056,4061],{"nodeType":1293,"value":4044,"marks":4045,"data":4046},"In ",[],{},{"nodeType":1293,"value":4048,"marks":4049,"data":4051},"Block",[4050],{"type":1369},{},{"nodeType":1293,"value":4053,"marks":4054,"data":4055}," mode, users cannot proceed to the site where malicious software has been detected. 
In ",[],{},{"nodeType":1293,"value":4057,"marks":4058,"data":4060},"Warn",[4059],{"type":1369},{},{"nodeType":1293,"value":4062,"marks":4063,"data":4064}," mode, users can choose to proceed if they are sure it’s not a phishing site.",[],{},{"nodeType":1294,"data":4066,"content":4067},{},[4068],{"nodeType":1293,"value":4069,"marks":4070,"data":4071},"In both cases, users do not need to interact with a page (by typing, clicking, etc.) for Push to trigger the custom message. ",[],{},{"nodeType":1294,"data":4073,"content":4074},{},[4075,4078,4084],{"nodeType":1293,"value":3053,"marks":4076,"data":4077},[],{},{"nodeType":1331,"data":4079,"content":4080},{"uri":2863},[4081],{"nodeType":1293,"value":2866,"marks":4082,"data":4083},[],{},{"nodeType":1293,"value":3063,"marks":4085,"data":4086},[],{},{"nodeType":2210,"data":4088,"content":4092},{"target":4089},{"sys":4090},{"id":4091,"type":2215,"linkType":2216},"6oAhxLBPVxN3Rcw2kFeVtG",[],{"nodeType":1294,"data":4094,"content":4095},{},[4096,4100,4110],{"nodeType":1293,"value":4097,"marks":4098,"data":4099},"Pairing this phishing detection capability with Push’s ",[],{},{"nodeType":3784,"data":4101,"content":4105},{"target":4102},{"sys":4103},{"id":4104,"type":2215,"linkType":2216},"6FYHbkcRUrtznPo7RarRsz",[4106],{"nodeType":1293,"value":4107,"marks":4108,"data":4109},"SSO password protection",[],{},{"nodeType":1293,"value":4111,"marks":4112,"data":4113}," feature provides a strong defense-in-depth strategy for stopping credential theft.",[],{},{"nodeType":1294,"data":4115,"content":4116},{},[4117],{"nodeType":1293,"value":4118,"marks":4119,"data":4120},"SSO password protection works by analyzing user behavior — namely, is a user entering their SSO password onto a page that does not belong to the legitimate identity provider.",[],{},{"nodeType":1294,"data":4122,"content":4123},{},[4124],{"nodeType":1293,"value":4125,"marks":4126,"data":4127},"Phishing tool detection adds in the application-level behavioral analysis. 
In addition, when Push identifies a new, previously unknown phishing tool in the wild via blocked SSO credential theft, we add its fingerprints to the browser agent’s detective capabilities.  ",[],{},{"nodeType":1406,"data":4129,"content":4130},{},[4131],{"nodeType":1293,"value":4132,"marks":4133,"data":4134},"Looking ahead",[],{},{"nodeType":1294,"data":4136,"content":4137},{},[4138],{"nodeType":1293,"value":4139,"marks":4140,"data":4141},"We’re just scratching the surface on this approach and are exploring how Push can identify and block other web-delivered malware and Javascript-based attack types beyond AitM tools. Think HTML smuggling, tabnabbing, and the like.",[],{},{"nodeType":1294,"data":4143,"content":4144},{},[4145,4149,4157],{"nodeType":1293,"value":4146,"marks":4147,"data":4148},"Got feedback? We’d ",[],{},{"nodeType":1331,"data":4150,"content":4152},{"uri":4151},"/contact/",[4153],{"nodeType":1293,"value":4154,"marks":4155,"data":4156},"love to talk",[],{},{"nodeType":1293,"value":2057,"marks":4158,"data":4159},[],{},{"nodeType":1406,"data":4161,"content":4162},{},[4163],{"nodeType":1293,"value":4164,"marks":4165,"data":4166},"Find out more",[],{},{"nodeType":1294,"data":4168,"content":4169},{},[4170,4174,4180],{"nodeType":1293,"value":4171,"marks":4172,"data":4173},"To see Push in action, ",[],{},{"nodeType":1331,"data":4175,"content":4176},{"uri":3723},[4177],{"nodeType":1293,"value":3726,"marks":4178,"data":4179},[],{},{"nodeType":1293,"value":4181,"marks":4182,"data":4183},". 
We’ll be happy to show you this feature, along with how we discover all the apps your employees are using, even the ones not behind SSO, and how we detect vulnerable identities and stop identity attacks with browser-based controls.",[],{},"Introducing AitM phishing toolkit detection, powered by the Push browser agent","Push analyzes behavioral attributes of malware to identify phishing tools like Evilginx and NakedPages and immediately block end-users from visiting them.","2024-06-06T00:00:00.000Z","introducing-aitm-phishing-toolkit-detection-powered-by-the-push-browser",{"items":4189},[4190,4194],{"sys":4191,"name":4193},{"id":4192},"5jk0kqjSdSK2L0YiistQjY","Release notes",{"sys":4195,"name":1312},{"id":1311},{"items":4197},[4198],{"fullName":4199,"firstName":4200,"jobTitle":3760,"profilePicture":4201},"Kelly Davenport","Kelly",{"url":4202},"https://images.ctfassets.net/y1cdw1ablpvd/1hi8bEuVfn5sF57LivAq6d/9a3b82426c697d765e2e450e33a18424/kelly_profile_pic.jpeg",{"items":4204},[4205],{"fullName":2508,"firstName":2509,"jobTitle":2510,"profilePicture":4206},{"url":2512},{"json":4208,"links":4514},{"nodeType":1295,"data":4209,"content":4210},{},[4211,4218,4225,4232,4239,4246,4253,4260,4266,4273,4280,4287,4294,4301,4321,4328,4335,4352,4359,4370,4377,4408,4415,4422,4429,4436,4442,4449,4456,4463,4470,4477,4484,4502,4508],{"nodeType":1294,"data":4212,"content":4213},{},[4214],{"nodeType":1293,"value":4215,"marks":4216,"data":4217},"There are many factors that can make a user account vulnerable to identity-based attack techniques. Using Push data, we calculated how many vulnerable identities the average organization has, showing how different vulnerabilities leave an identity exposed to different methods of account takeover. 
",[],{},{"nodeType":1406,"data":4219,"content":4220},{},[4221],{"nodeType":1293,"value":4222,"marks":4223,"data":4224},"Our dataset",[],{},{"nodeType":1294,"data":4226,"content":4227},{},[4228],{"nodeType":1293,"value":4229,"marks":4230,"data":4231},"This analysis is based on a snapshot of when organizations begin using the Push platform, once enrollment has completed. Data from trial and partially deployed organizations is excluded. ",[],{},{"nodeType":1294,"data":4233,"content":4234},{},[4235],{"nodeType":1293,"value":4236,"marks":4237,"data":4238},"Early adopters of new identity security products like Push are likely to have a higher than average level of maturity in this area – even prior to using Push. So, the findings may not be accurate for all organizations, particularly those with lower awareness of identity security challenges. ",[],{},{"nodeType":1294,"data":4240,"content":4241},{},[4242],{"nodeType":1293,"value":4243,"marks":4244,"data":4245},"It’s also worth noting that passwordless authentication makes up a very small percentage of the overall authentication factors detected. If you’re in the minority of organizations that have widely adopted something like passkeys or biometric authentication, your identity posture will probably look quite different. But, you should still be wary of backup phishable factors and SSO gaps – more on this below.",[],{},{"nodeType":1406,"data":4247,"content":4248},{},[4249],{"nodeType":1293,"value":4250,"marks":4251,"data":4252},"Identity configurations and how they can be exploited",[],{},{"nodeType":1294,"data":4254,"content":4255},{},[4256],{"nodeType":1293,"value":4257,"marks":4258,"data":4259},"We analyzed a sample dataset of 300,000 accounts and the associated login methods – this is what we found. 
",[],{},{"nodeType":2210,"data":4261,"content":4265},{"target":4262},{"sys":4263},{"id":4264,"type":2215,"linkType":2216},"2QnWVpPYRyJQaQ5TuKSSLp",[],{"nodeType":1294,"data":4267,"content":4268},{},[4269],{"nodeType":1293,"value":4270,"marks":4271,"data":4272},"Some of the key insights are explored below. ",[],{},{"nodeType":1559,"data":4274,"content":4275},{},[4276],{"nodeType":1293,"value":4277,"marks":4278,"data":4279},"Organizations are using more apps and identities than they realize",[],{},{"nodeType":1294,"data":4281,"content":4282},{},[4283],{"nodeType":1293,"value":4284,"marks":4285,"data":4286},"On average, each employee has ~15 identities tied to the business apps that they use, and each organization uses ~220 apps. The number of apps per organization doesn't show a strong correlation with the size of the organization. But, the number of accounts per user does tend to be lower for organizations with a larger employee base. ",[],{},{"nodeType":1559,"data":4288,"content":4289},{},[4290],{"nodeType":1293,"value":4291,"marks":4292,"data":4293},"Many accounts lack the most basic protections",[],{},{"nodeType":1294,"data":4295,"content":4296},{},[4297],{"nodeType":1293,"value":4298,"marks":4299,"data":4300},"37% of all accounts do not have MFA set, while ~9% of accounts with a password also have a breached, weak, or reused password, making them highly susceptible to account takeover. 
",[],{},{"nodeType":1294,"data":4302,"content":4303},{},[4304,4308,4317],{"nodeType":1293,"value":4305,"marks":4306,"data":4307},"This might not seem that high at face value – but it’s enough that attackers can feasibly take over accounts linked to every business app used in the organization just by abusing password vulnerabilities through attacks like ",[],{},{"nodeType":1331,"data":4309,"content":4311},{"uri":4310},"https://pushsecurity.com/blog/what-is-credential-stuffing/",[4312],{"nodeType":1293,"value":4313,"marks":4314,"data":4316},"credential stuffing",[4315],{"type":1339},{},{"nodeType":1293,"value":4318,"marks":4319,"data":4320},". For a 1,000 user organization, this leaves them with 1,367 user accounts that are highly vulnerable to account takeover.",[],{},{"nodeType":1294,"data":4322,"content":4323},{},[4324],{"nodeType":1293,"value":4325,"marks":4326,"data":4327},"The situation gets worse when a password is the sole login method set, with these accounts lacking MFA in 4 out of 5 cases. 
",[],{},{"nodeType":1559,"data":4329,"content":4330},{},[4331],{"nodeType":1293,"value":4332,"marks":4333,"data":4334},"SSO is not a silver bullet",[],{},{"nodeType":1294,"data":4336,"content":4337},{},[4338,4342,4349],{"nodeType":1293,"value":4339,"marks":4340,"data":4341},"SSO can be used to reduce an organization's susceptibility to password-based attacks, but the vast majority (97%) of SSO logins track back to an original password login to an IdP (due to the marginal use of passwordless authentication) while in 10% of cases a local password login is set alongside SSO – potentially introducing ",[],{},{"nodeType":1331,"data":4343,"content":4344},{"uri":2005},[4345],{"nodeType":1293,"value":2008,"marks":4346,"data":4348},[4347],{"type":1339},{},{"nodeType":1293,"value":2057,"marks":4350,"data":4351},[],{},{"nodeType":1294,"data":4353,"content":4354},{},[4355],{"nodeType":1293,"value":4356,"marks":4357,"data":4358},"You might expect these password-based logins to be highly scrutinized due to the criticality of these accounts – but we found that 1 in 5 IdP accounts is missing MFA, and a non-unique password is present for 10% of IdP accounts (meaning that if the same username and password combination is compromised on another app, the risk of a lateral account compromise is much higher). 
",[],{},{"nodeType":1294,"data":4360,"content":4361},{},[4362,4366],{"nodeType":1293,"value":4363,"marks":4364,"data":4365},"Since Microsoft, Okta, and Google IdP accounts are the most targeted identities by attackers due to their value if compromised, these accounts are under a huge amount of pressure from attackers – ",[],{},{"nodeType":1293,"value":4367,"marks":4368,"data":4369},"multiplying the risk to single factor authentication IdP accounts.",[],{},{"nodeType":1559,"data":4371,"content":4372},{},[4373],{"nodeType":1293,"value":4374,"marks":4375,"data":4376},"Pretty much all identities can be phished",[],{},{"nodeType":1294,"data":4378,"content":4379},{},[4380,4384,4392,4396,4404],{"nodeType":1293,"value":4381,"marks":4382,"data":4383},"Almost all identities (~99%) are susceptible to phishing attacks – either because MFA is missing, or the types of MFA implemented are weak to modern phishing attacks such as ",[],{},{"nodeType":1331,"data":4385,"content":4386},{"uri":2199},[4387],{"nodeType":1293,"value":4388,"marks":4389,"data":4391},"Adversary in the Middle (AitM) phishing kits",[4390],{"type":1339},{},{"nodeType":1293,"value":4393,"marks":4394,"data":4395},", or techniques such as ",[],{},{"nodeType":1331,"data":4397,"content":4399},{"uri":4398},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/mfa_fatigue/description.md",[4400],{"nodeType":1293,"value":4401,"marks":4402,"data":4403},"MFA fatigue",[],{},{"nodeType":1293,"value":4405,"marks":4406,"data":4407},". The most common MFA methods are phone call, push notification, and one-time passcode – all of which are phishable or bypassable. ",[],{},{"nodeType":1294,"data":4409,"content":4410},{},[4411],{"nodeType":1293,"value":4412,"marks":4413,"data":4414},"Even in the small number of cases where we identified a passwordless authentication method that is regarded as phishing-resistant (e.g. passkeys, biometrics, etc.) there is a backup, phishable method set for over half of them. 
",[],{},{"nodeType":1406,"data":4416,"content":4417},{},[4418],{"nodeType":1293,"value":4419,"marks":4420,"data":4421},"So... what does this mean in real terms? ",[],{},{"nodeType":1294,"data":4423,"content":4424},{},[4425],{"nodeType":1293,"value":4426,"marks":4427,"data":4428},"The main conclusion from the data is that identity vulnerabilities exist almost everywhere. Some are certainly more likely to be exploited than others (e.g. an account with a reused password and no MFA is a higher risk than an account with MFA) but attackers have the means to take over most accounts using widely available tooling and know-how. ",[],{},{"nodeType":1294,"data":4430,"content":4431},{},[4432],{"nodeType":1293,"value":4433,"marks":4434,"data":4435},"To bring this to life, here’s an infographic representing the identity attack surface for a 1,000 seat organization. ",[],{},{"nodeType":2210,"data":4437,"content":4441},{"target":4438},{"sys":4439},{"id":4440,"type":2215,"linkType":2216},"3WFzina1t5j6bDlTlGQA0l",[],{"nodeType":1294,"data":4443,"content":4444},{},[4445],{"nodeType":1293,"value":4446,"marks":4447,"data":4448},"This shows that investing in your identity security baseline only gets you so far – ultimately, you need to be prepared to detect and respond to attacks rather than relying on prevention alone. That said, progress over perfection should always be the aim when it comes to posture management, and shoring up your identity vulnerabilities is an important long-term project. ",[],{},{"nodeType":1406,"data":4450,"content":4451},{},[4452],{"nodeType":1293,"value":4453,"marks":4454,"data":4455},"Detection and response is the key",[],{},{"nodeType":1294,"data":4457,"content":4458},{},[4459],{"nodeType":1293,"value":4460,"marks":4461,"data":4462},"Looking at the scale of the challenge, it’s pretty clear that completely scrubbing your workforce identities of all possible vulnerabilities isn’t really an achievable goal. 
A strong baseline is important, but it will only ever get you so far. Rather than playing whack-a-mole, organizations need to prepare to detect and respond to the techniques and tools being used by attackers when they exploit these vulnerabilities.  ",[],{},{"nodeType":1294,"data":4464,"content":4465},{},[4466],{"nodeType":1293,"value":4467,"marks":4468,"data":4469},"This is nothing new – this approach has been preached by security operations leaders for more than a decade. But until now, identity security has been much more focused on prevention than detection and response. And with attackers increasingly turning to identity attacks, the sheer volume of identity vulnerabilities (and the rate at which they are introduced) means that posture management alone isn’t sufficient.",[],{},{"nodeType":1294,"data":4471,"content":4472},{},[4473],{"nodeType":1293,"value":4474,"marks":4475,"data":4476},"As with endpoint and network security before it, you can no longer rely on prevention alone, and organizations need to ensure they can detect and respond to indicators of identity attacks to be able to manage the risk effectively. ",[],{},{"nodeType":1406,"data":4478,"content":4479},{},[4480],{"nodeType":1293,"value":4481,"marks":4482,"data":4483},"How Push can help",[],{},{"nodeType":1294,"data":4485,"content":4486},{},[4487,4491,4499],{"nodeType":1293,"value":4488,"marks":4489,"data":4490},"Push helps organizations to detect and prevent identity attacks as they happen, by intercepting and shutting down attacks in the browser. It also provides valuable data to find and fix identity vulnerabilities before they can be exploited. 
",[],{},{"nodeType":1331,"data":4492,"content":4493},{"uri":3723},[4494],{"nodeType":1293,"value":4495,"marks":4496,"data":4498},"Book a demo here to find out more.",[4497],{"type":1339},{},{"nodeType":1293,"value":37,"marks":4500,"data":4501},[],{},{"nodeType":2210,"data":4503,"content":4507},{"target":4504},{"sys":4505},{"id":4506,"type":2215,"linkType":2216},"11p9wnGrZHqp3XPpThHFk3",[],{"nodeType":1294,"data":4509,"content":4510},{},[4511],{"nodeType":1293,"value":37,"marks":4512,"data":4513},[],{},{"entries":4515},{"hyperlink":4516,"inline":4517,"block":4518},[],[],[4519,4527,4535],{"sys":4520,"__typename":4521,"title":4522,"caption":4523,"layoutMode":118,"file":4524},{"id":4264},"Image","Sankey","How identity vulnerabilities are introduced based on account authentication methods, and how they can be exploited using different attack techniques.",{"url":4525,"width":4526,"height":4526},"https://images.ctfassets.net/y1cdw1ablpvd/55oogXnSqSaDWXvUS0QhES/9e14e2456093c868881578a02d925e29/Sankey_chart_-_Final.png",4320,{"sys":4528,"__typename":4521,"title":4529,"caption":4530,"layoutMode":118,"file":4531},{"id":4440},"Infographic showing the identity vulnerability spread for a 1,000 seat organization","A 1,000 user organization has over 15,000 accounts with various configurations and associated vulnerabilities.",{"url":4532,"width":4533,"height":4534},"https://images.ctfassets.net/y1cdw1ablpvd/266iLQBVsJIQEx6dnUEVrZ/eb5b1be79b7b29365baf299053fddf42/Infographic.png",5480,3012,{"sys":4536,"__typename":4537,"type":4538,"ctaText":4539,"buttonLabel":4540,"buttonColour":4541,"buttonUrl":118},{"id":4506},"CtaWidget","Demo","Book a demo to see how Push stops account takeover","Book demo","sunny orange","content:blog:how-many-vulnerable-identities-do-you-have.json","json","content","blog/how-many-vulnerable-identities-do-you-have.json","blog/how-many-vulnerable-identities-do-you-have",1776359987451]