[{"data":1,"prerenderedAt":4252},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":95,"navbar-about-highlight":155,"navbar-resource-highlight":211,"use-case-page":256,"blog/how-push-stopped-a-high-risk-linkedin-spear-phishing-attack":1276},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8,59,76],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":14,"data":15,"variations":50,"lastUpdated":51,"firstPublished":52,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":54,"meta":55,"rev":58},1742213002749,"efff2a27faf4408e9f908eba4b5542fe","inductive-automation","1c6207a5f24948ab82d4a0b17f251193","published",[],{"testimonial":16,"description":43,"type":19,"link":44,"title":47,"testimonialLink":48,"image":49},{"@type":17,"id":18,"model":19,"value":20},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79","testimonial",{"query":21,"folders":22,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":26,"variations":30,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":35,"rev":42},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":27,"jobTitle":28,"quote":24,"image":29},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,1,"ST0tXQM8slWpFrmioqKHmENB2qe2",{"kind":36,"lastPreviewUrl":37,"breakpoints":38,"hasAutosaves":41},"data","",{"small":39,"medium":40},640,768,true,"3v32gocrrqz","Join the industry's top security minds as they break down the browser attack landscape.",{"url":45,"text":46},"https://pushsecurity.com/webinar/state-of-browser-security","Save Your Spot","State of Browser Attacks 
Series","/customer-stories/inductive-automation","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe94fca10aa7b46ac8052b7ea22de54cd",{},1776257019270,1742221533648,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2",[],{"breakpoints":56,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},320,"motto9r9yg",{"createdDate":60,"id":61,"name":62,"modelId":12,"published":13,"query":63,"data":64,"variations":69,"lastUpdated":70,"firstPublished":71,"testRatio":33,"createdBy":53,"lastUpdatedBy":72,"folders":73,"meta":74,"rev":58},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner",[],{"type":65,"url":66,"text":67,"link":68},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,"jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":36,"lastPreviewUrl":37,"breakpoints":75,"hasAutosaves":41},{"xsmall":57,"small":39,"medium":40},{"createdDate":77,"id":78,"name":79,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":80,"data":81,"variations":89,"lastUpdated":90,"firstPublished":91,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":92,"meta":93,"rev":58},1742208469288,"6763051b201f44a0838c6400c580ca67","Resource highlight",[],{"image":82,"type":83,"description":84,"link":85,"title":88},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9","resource","Learn about the latest techniques being used in the wild.",{"url":86,"text":87},"/resources/browser-attacks-report","Download now","Report: 2026 Browser Attack 
Techniques",{},1776255866789,1742208570400,[],{"kind":36,"lastPreviewUrl":37,"breakpoints":94,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},{"createdDate":96,"id":97,"name":98,"modelId":99,"published":13,"query":100,"data":101,"variations":145,"lastUpdated":146,"firstPublished":147,"testRatio":33,"createdBy":34,"lastUpdatedBy":148,"folders":149,"meta":150,"rev":154},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":102,"text":103,"url":37,"blocks":104,"state":141},"ewrererw","testrfesssssssssss",[105,129],{"@type":106,"@version":107,"id":108,"component":109,"responsiveStyles":119},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":110,"tag":110,"options":111,"isRSC":118},"TopBannerContent",{"text":112,"ctaText":46,"url":45,"mainText":113,"cta":116},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks",{"content":114,"fontSize":115},"\u003Cp>New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks\u003C/p>","text-base",{"content":117,"fontSize":115,"url":45},"\u003Cp>\u003Cstrong style=\"font-weight:700;\">Save Your 
Spot\u003C/strong>\u003C/p>\n",null,{"large":120},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"marginTop":126,"marginBottom":126,"fontSize":127,"fontWeight":128},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"id":130,"@type":106,"tagName":131,"properties":132,"responsiveStyles":136},"builder-pixel-08zrjigffq5t","img",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":137},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},"block","hidden","none",{"deviceSize":142,"location":143},"large",{"path":37,"query":144},{},{},1775137295127,1774968080803,"ax7YYfD0OCeqT1Vxxv1G4FUbqVr1",[],{"breakpoints":151,"hasLinks":6,"kind":152,"lastPreviewUrl":153,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests%2CmergePullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default","2lvuonnywj",[156,180],{"createdDate":157,"id":158,"name":159,"modelId":160,"published":13,"stageModifiedSincePublish":6,"query":161,"data":162,"variations":173,"lastUpdated":174,"firstPublished":175,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":176,
"meta":177,"rev":179},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":163,"type":19,"testimonialLink":48,"testimonial":164},{},{"@type":17,"id":18,"model":19,"value":165},{"query":166,"folders":167,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":168,"variations":169,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":170,"rev":172},[],[],{"author":27,"jobTitle":28,"quote":24,"image":29},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":171,"hasAutosaves":41},{"small":39,"medium":40},"7t755zfvte3",{},1776247404986,1776247404973,[],{"breakpoints":178,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"4moh0qpywtr",{"createdDate":181,"id":182,"name":88,"modelId":160,"published":13,"meta":183,"stageModifiedSincePublish":6,"query":185,"data":186,"variations":207,"lastUpdated":208,"firstPublished":209,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":210,"rev":179},1776255761419,"05a9322735fc427db12e2740e4302300",{"breakpoints":184,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[],{"testimonial":187,"link":206,"type":83,"title":88,"description":84,"image":82},{"@type":17,"id":188,"model":19,"value":189},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":190,"folders":191,"createdDate":192,"id":188,"name":193,"modelId":25,"published":13,"data":194,"variations":200,"lastUpdated":201,"firstPublished":202,"testRatio":33,"createdBy":34,"lastUpdatedBy":53,"meta":203,"rev":205},[],[],1728981467463,"Push does for identity what CrowdStrike did for the 
endpoint",{"video":195,"jobTitle":196,"author":197,"qoute":37,"quote":198,"image":199},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":36,"lastPreviewUrl":37,"breakpoints":204,"hasAutosaves":41},{"small":39,"medium":40},"6s8ic0w0ao6",{"text":87,"url":86},{},1776255810913,1776255810900,[],[212,235],{"createdDate":213,"id":214,"name":88,"modelId":215,"published":13,"meta":216,"stageModifiedSincePublish":6,"query":218,"data":219,"variations":230,"lastUpdated":231,"firstPublished":232,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":233,"rev":234},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":217,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[],{"testimonial":220,"link":229,"type":83,"title":88,"description":84,"image":82},{"@type":17,"id":188,"model":19,"value":221},{"query":222,"folders":223,"createdDate":192,"id":188,"name":193,"modelId":25,"published":13,"data":224,"variations":225,"lastUpdated":201,"firstPublished":202,"testRatio":33,"createdBy":34,"lastUpdatedBy":53,"meta":226,"rev":228},[],[],{"video":195,"jobTitle":196,"author":197,"qoute":37,"quote":198,"image":199},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":227,"hasAutosaves":41},{"small":39,"medium":40},"r77qqueuo3j",{"text":87,"url":86},{},1776256937553,1776256937540,[],"q0jkez80wkg",{"createdDate":236,"id":237,"name":11,"modelId":215,"published":13,"stageModifiedSincePublish":6,"query":238,"data":239,"variations
":250,"lastUpdated":251,"firstPublished":252,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":253,"meta":254,"rev":234},1776256949234,"ce043785b71b4ece98eac811ecf4ba10",[],{"link":240,"type":19,"testimonial":241,"testimonialLink":48},{},{"@type":17,"id":18,"model":19,"value":242},{"query":243,"folders":244,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":245,"variations":246,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":247,"rev":249},[],[],{"author":27,"jobTitle":28,"quote":24,"image":29},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":248,"hasAutosaves":41},{"small":39,"medium":40},"mnaneamy308",{},1776256974140,1776256974130,[],{"breakpoints":255,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[257,441,560,679,797,917,1037,1157],{"createdDate":258,"id":259,"name":260,"modelId":261,"published":13,"stageModifiedSincePublish":6,"query":262,"data":268,"variations":429,"lastUpdated":430,"firstPublished":431,"testRatio":33,"screenshot":432,"createdBy":34,"lastUpdatedBy":433,"folders":434,"meta":435,"rev":440},1744829487099,"387451215c314dd5bd654668cdc1a197","Zero-day phishing","cca4143377554c5a9163cc203a8ed2ba",[263],{"@type":264,"property":265,"operator":266,"value":267},"@builder.io/core:Query","urlPath","is","/uc/zero-day-phishing-protection",{"inputs":269,"customFonts":270,"seoTitle":318,"title":318,"tsCode":37,"seoDescription":319,"fontAwesomeIcon":320,"jsCode":37,"blocks":321,"url":267,"state":426},[],[271],{"family":272,"kind":273,"version":274,"lastModified":275,"files":276,"category":295,"menu":296,"subsets":297,"variants":300},"DM 
Sans","webfonts#webfont","v14","2023-07-13",{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"800italic":285,"900italic":286,"700italic":287,"100italic":288,"italic":289,"regular":290,"200italic":291,"500italic":292,"300italic":293,"600italic":294},"https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAop1hTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwA_JxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAkJxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAfJthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwARZthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAC5thTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8gCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9uCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDG3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19Dks
Vat-7DW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat_XDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9XCm3zRmYJpso5.ttf","sans-serif","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxRT23z.ttf",[298,299],"latin","latin-ext",[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"100","200","300","regular","500","600","800","900","100italic","200italic","300italic","italic","500italic","600italic","700italic","800italic","900italic","Zero-day phishing protection","Detect phishing TTPs directly in the browser and stop credential theft.","faFishingRod",[322,421],{"@type":106,"@version":107,"tagName":323,"id":324,"children":325},"div","builder-76c6b8d1499346c7bc1fd56ae4e93638",[326,343,351,358,370,385,396,407,413],{"@type":106,"@version":107,"layerName":327,"id":328,"component":329,"responsiveStyles":340},"UseCaseHero","builder-5228fe062bef4a40a91e43f1112832fa",{"name":327,"options":330,"isRSC":118},{"title":318,"description":331,"points":332,"video":339},"\u003Cp>Push detects phishing as it happens. Autonomous agents hunt for new phishing techniques, identify kit signatures, and deploy detections within minutes of a new attack being analyzed. 
From cloned login pages to AiTM credential harvesting, Push sees what traditional filters miss and stops threats before they escalate.\u003C/p>",[333,335,337],{"item":334},"Detect phishing that bypasses traditional filters, including AiTM, SSO password theft, and fake login pages",{"item":336},"Stop never-before-seen attacks with AI-native behavioral and on-page analysis inside the browser",{"item":338},"Investigate faster with unified browser, user, and page context","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F40433ceeb4f94b43a82e039a0f4fd411%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=40433ceeb4f94b43a82e039a0f4fd411&alt=media&optimized=true",{"large":341},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},"transparent",{"@type":106,"@version":107,"id":344,"component":345,"responsiveStyles":348},"builder-96634044407e491299e291ed64669e39",{"name":346,"options":347,"isRSC":118},"TrustedBy",{"AllPartners":41,"backgroundTransparent":6},{"large":349},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},"#000",{"@type":106,"@version":107,"id":352,"component":353,"responsiveStyles":356},"builder-2c3768f930534557bb8978e32b6a6a0f",{"name":354,"options":355,"isRSC":118},"Diagonal",{"darkMode":41},{"large":357},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":359,"id":360,"component":361,"responsiveStyles":368},"TextImageBlockVertical","builder-7c3c1c2840424db2ad2ccbfaf382dd64",{"name":359,"tag":359,"options":362,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":365,"description":366,"animatedTitle":37,"image":367,"reverse":6,"descriptionPaddingHorizontal":118},1200,800,"\u003Ch2>Why stop at the inbox?\u003C/h2>","\u003Cp>Phishing attacks have evolved. 
Whether attackers lure users with QR codes, instant messages, or OAuth consent screens, the outcome is the same: it plays out in the browser. Push gives you real-time detection for in-browser threats, stopping phishing and consent-based attacks before they lead to compromise\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7fdcac241f0e4a049166d7076858adeb",{"large":369},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":371,"component":372,"responsiveStyles":380},"builder-41c978b3669749cf947e622b4e79e4d7",{"name":373,"options":374,"isRSC":118},"TextImageBlockHorizontal",{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":377,"description":378,"reverse":41,"image":379},600,100,"\u003Cp>Detect phishing at the edge\u003C/p>","\u003Cp>Push uses industry-first telemetry to detect phishing based on behavior, not static indicators. Autonomous agents analyze how phishing pages behave and how users interact with them, uncovering fake logins, credential theft, and phishing kits the moment they load in the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F9df3d180c97b4e61af142af2ccd68721",{"large":381},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},"DM Sans, sans-serif","20px","0px",{"@type":106,"@version":107,"id":386,"component":387,"responsiveStyles":393},"builder-d2a7bc941feb43cdb898bc116b203cf9",{"name":373,"options":388,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":390,"description":391,"reverse":6,"image":392},120,"\u003Ch2>Go beyond blocklists and IOCs\u003C/h2>","\u003Cp>Push goes beyond URLs and easy-to-change indicators. 
It reads the full phishing playbook, such as script behavior, session hijacks, DOM changes, and user inputs, then connects the dots in real time. This gives your team a complete picture of how the phishing attempt worked, not just an alert.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fabfd58db169b433e96d3f1261797156e",{"large":394},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},"36px",{"@type":106,"@version":107,"layerName":373,"id":397,"component":398,"responsiveStyles":404},"builder-42c32198083f4880acb37c5cb76934da",{"name":373,"options":399,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":401,"description":402,"reverse":41,"image":403},140,"\u003Ch2>Enhance your phishing response\u003C/h2>","\u003Cp>When phishing enters your environment, speed matters. Push gives you instant access to the telemetry that counts, such as session data, user behavior, and page activity, so you can investigate fast, trigger in-browser prompts, or forward alerts to your SIEM or SOAR for response. 
All in real time, right from the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fbb195aec46904056b85e8688629e558e",{"large":405},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},"47px",{"@type":106,"@version":107,"id":408,"component":409,"responsiveStyles":411},"builder-9a95b9cbc4854421a92ef7b90f6c7adb",{"name":354,"options":410,"isRSC":118},{"darkMode":6},{"large":412},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":414,"component":415,"responsiveStyles":419},"builder-0afa17a9f25c4661a90f314d5578aa18",{"name":416,"tag":416,"options":417,"isRSC":118},"LatestResources",{"sectionHeading":37,"customClass":418},"bg-black",{"large":420},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":422,"@type":106,"tagName":131,"properties":423,"responsiveStyles":424},"builder-pixel-21yj6h3p4wh",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":425},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":427},{"path":37,"query":428},{},{},1776275046831,1745499158657,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fff60c30a8442489c8ed7e0af9599d14f","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"lastPreviewUrl":436,"winningTest":118,"breakpoints":437,"kind":438,"hasLinks":6,"originalContentId":439,"hasAutosaves":6},"https://pushsecurity.com/uc/zero-day-phishing-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&
builder.overrides.use-case-page=387451215c314dd5bd654668cdc1a197&builder.overrides.387451215c314dd5bd654668cdc1a197=387451215c314dd5bd654668cdc1a197&builder.overrides.use-case-page:/uc/zero-day-phishing-protection=387451215c314dd5bd654668cdc1a197&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},"page","2daa5670b8504fc7ba4700633e8bd921","atvz4dp24b7",{"createdDate":442,"id":443,"name":444,"modelId":261,"published":13,"stageModifiedSincePublish":6,"query":445,"data":448,"variations":552,"lastUpdated":553,"firstPublished":554,"testRatio":33,"screenshot":555,"createdBy":34,"lastUpdatedBy":433,"folders":556,"meta":557,"rev":440},1756833377777,"54f8256648f54d439303734b1e69221b","Browser extension security",[446],{"@type":264,"property":265,"operator":266,"value":447},"/uc/browser-extension-security",{"seoDescription":449,"jsCode":37,"fontAwesomeIcon":450,"tsCode":37,"title":444,"seoTitle":444,"customFonts":451,"inputs":456,"blocks":457,"url":447,"state":549},"Shine a light on risky browser extensions.","faPuzzlePiece",[452],{"kind":273,"family":272,"version":274,"files":453,"category":295,"lastModified":275,"subsets":454,"variants":455,"menu":296},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"100italic":288,"italic":289,"regular":290,"900italic":286,"800italic":285,"700italic":287,"200italic":291,"300italic":293,"500italic":292,"600italic":294},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],[],[458,544],{"@type":106,"@version":107,"tagName":323,"id":459,"meta":460,"children":461},"builder-71d0648c1d2f4ede8d0d0b5b28b7b94c",{"previousId":324},[462,478,485,492,501,511,521,531,538],{"@type":106,"@version":107,"id":463,"meta":464,"component":465,"responsiveStyles":476},"builder-ff325b4b8fad4edea53f38865947e854",{"previousId":328},{"name":327,"options":466,"isRSC":118},{"title":444,"description":467,"points":468,"video":475},"\u003Cp>Browser extensions introduce new code, new 
permissions, and new potential for risk. Many include AI features, and most go completely unnoticed. Push gives you full visibility into every extension used across your workforce, across major browsers, so you can uncover shadow IT, assess risky permissions, and block unsafe tools before they lead to compromise.\u003C/p>",[469,471,473],{"item":470},"Discover every browser extension in use",{"item":472},"Spot risky or unsanctioned behavior",{"item":474},"Make informed decisions on extension policy","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc538aad95d7f403aa3c3551af72f67c0?alt=media&token=1411fa6d-2eac-4e6c-94bf-ea117da12d67&apiKey=f3a1111ff5be48cdbb123cd9f5795a05",{"large":477},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":479,"meta":480,"component":481,"responsiveStyles":483},"builder-fb89d128c64e47cf9cbb11d90fc24523",{"previousId":344},{"name":346,"options":482,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":484},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":486,"meta":487,"component":488,"responsiveStyles":490},"builder-54388d35126c4d0096eeebaf8c4448cd",{"previousId":352},{"name":354,"options":489,"isRSC":118},{"darkMode":41},{"large":491},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":359,"id":493,"component":494,"responsiveStyles":499},"builder-3c8fa6785dd6466abf52a2470d66d85a",{"name":359,"tag":359,"options":495,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":496,"description":497,"image":498,"reverse":6},"\u003Ch2>Take control of browser extensions\u003C/h2>","\u003Cp>Attackers are increasingly using malicious browser extensions to gain access to data processed and stored in the browser. 
And the problem is, most security teams have no visibility into what extensions are being used. Push changes that. With browser-native telemetry, the Push extension continuously inventories browser extensions across your environment, flags the risky ones, and gives you intelligence to act.&nbsp;\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0a004f16a6874f4c8fdf14344acc9fec",{"large":500},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":502,"meta":503,"component":504,"responsiveStyles":509},"builder-93738f98109a4009affb349afd7bb182",{"previousId":371},{"name":373,"options":505,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":506,"description":507,"reverse":41,"image":508},"\u003Ch2>Discover every extension in use\u003C/h2>","\u003Cp>Push gives you structured, searchable data about every extension in your environment, so you’re not just seeing what’s there, but also understanding how it got there, what it can do, and who it affects. 
It’s the kind of granular insight that’s nearly impossible to get from traditional tools, and it lays the groundwork for better policy decisions and faster investigations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0e5727ca99474f14b1b7916bf6bbb782",{"large":510},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":512,"meta":513,"component":514,"responsiveStyles":519},"builder-83393acb12ee4fdd840839185b51edb4",{"previousId":386},{"name":373,"options":515,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":516,"description":517,"reverse":6,"image":518},"\u003Ch2>Spot risky or malicious extensions\u003C/h2>","\u003Cp>Push highlights extensions with dangerous permissions, broad access, or poor reputations. This includes AI extensions that request access far beyond what their stated purpose requires. You can quickly detect sideloaded, manually installed, or development-mode extensions that bypass normal controls. And because Push shows you who’s using them and where, you can respond precisely and effectively.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa104d58c8da34fbb8901f738fb21453b",{"large":520},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":522,"meta":523,"component":524,"responsiveStyles":529},"builder-da98e3de949646d89c53a0d1c2784664",{"previousId":397},{"name":373,"options":525,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":526,"description":527,"reverse":41,"image":528},"\u003Ch2>Accelerate security reviews\u003C/h2>","\u003Cp>Most teams have extension policies, they just don’t have the data to enforce them. 
Push reveals how each extension entered your environment, whether it was installed manually, sideloaded, or deployed in dev mode. You’ll see which users are running what, and where, so you can surface violations, investigate quickly, and respond with confidence.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F229f355be6f243b180f410d237a75bb3",{"large":530},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":532,"meta":533,"component":534,"responsiveStyles":536},"builder-1a689287d1a1418997d57db578a71105",{"previousId":408},{"name":354,"options":535,"isRSC":118},{"darkMode":6},{"large":537},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":539,"component":540,"responsiveStyles":542},"builder-feb4e75029f84c10b6498ef1f8f79128",{"name":416,"tag":416,"options":541,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":543},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":545,"@type":106,"tagName":131,"properties":546,"responsiveStyles":547},"builder-pixel-0edn39avfcei",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":548},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":550},{"path":37,"query":551},{},{},1776275365038,1757000441666,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8d496cf111644ee5afcc046b72d1ca5a",[],{"kind":438,"winningTest":118,"breakpoints":558,"lastPreviewUrl":559,"hasLinks":6,"originalContentId":259,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/browser-extension-security?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2Cc
reateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=54f8256648f54d439303734b1e69221b&builder.overrides.54f8256648f54d439303734b1e69221b=54f8256648f54d439303734b1e69221b&builder.overrides.use-case-page:/uc/browser-extension-security=54f8256648f54d439303734b1e69221b&builder.options.locale=Default",{"createdDate":561,"id":562,"name":563,"modelId":261,"published":13,"query":564,"data":567,"variations":670,"lastUpdated":671,"firstPublished":672,"testRatio":33,"screenshot":673,"createdBy":34,"lastUpdatedBy":674,"folders":675,"meta":676,"rev":440},1744923509705,"94bebb7bb99d48629ad157e80cf4d81d","Account takeover detection",[565],{"@type":264,"property":265,"operator":266,"value":566},"/uc/account-takeover-detection",{"title":563,"customFonts":568,"jsCode":37,"seoTitle":563,"seoDescription":573,"fontAwesomeIcon":574,"tsCode":37,"blocks":575,"url":566,"state":667},[569],{"kind":273,"category":295,"variants":570,"menu":296,"files":571,"family":272,"subsets":572,"version":274,"lastModified":275},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"300italic":293,"500italic":292,"800italic":285,"700italic":287,"italic":289,"900italic":286,"600italic":294,"200italic":291,"regular":290,"100italic":288},[298,299],"Stop ATO with stolen credential and compromised token 
detection.","faUserSecret",[576,662],{"@type":106,"@version":107,"tagName":323,"id":577,"meta":578,"children":579},"builder-e7913a774cae44c5a23d6081c5c30a52",{"previousId":324},[580,596,603,610,619,629,639,649,656],{"@type":106,"@version":107,"id":581,"meta":582,"component":583,"responsiveStyles":594},"builder-f1f1ab1601bc4c0f8c2a8aafd173675d",{"previousId":328},{"name":327,"options":584,"isRSC":118},{"title":563,"description":585,"points":586,"video":593},"\u003Cp>Attackers don’t need to phish, they just need a password that works. Push monitors for signs of credential-based attacks in real time, directly in the browser, catching account takeover attempts before the damage spreads. From ghost logins to credential stuffing, Push cuts off the paths attackers use to quietly slip in the back door.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[587,589,591],{"item":588},"Identify credential-based ATO as it unfolds",{"item":590},"Surface hijacked sessions and token misuse",{"item":592},"Strengthen authentication where your IdP 
can’t","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb4dd9db24bc9495b8a686b1b4d492016%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=b4dd9db24bc9495b8a686b1b4d492016&alt=media&optimized=true",{"large":595},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":597,"meta":598,"component":599,"responsiveStyles":601},"builder-0bc0d1c78ece4994993c3a6427a4d533",{"previousId":344},{"name":346,"options":600,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":602},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":604,"meta":605,"component":606,"responsiveStyles":608},"builder-e45de8f3768c4f16938dbf78e4e87524",{"previousId":352},{"name":354,"options":607,"isRSC":118},{"darkMode":41},{"large":609},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":611,"component":612,"responsiveStyles":617},"builder-c98e8bfd341146c1b67c02d5698ff093",{"name":359,"tag":359,"options":613,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":614,"description":615,"image":616,"reverse":6},"\u003Ch2>Assume less. See more.\u003C/h2>","\u003Cp>Most account takeovers don’t start with a breach, they start with a login. Whether it’s a reused password, a local account, or an outdated login flow, Push shows you how accounts are actually accessed day to day, not just how policies say they should be. 
That means no more blind spots around ghost logins, bypassed SSO, or stale access paths that quietly persist.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F18630ad2746d4eb7b7fcc0428b11a8f0",{"large":618},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":620,"meta":621,"component":622,"responsiveStyles":627},"builder-55c1fc38ddc04fd1a0d6a8e2fb819e00",{"previousId":371},{"name":373,"options":623,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":624,"description":625,"reverse":41,"image":626},"\u003Ch2>Catch stolen credential use in real time\u003C/h2>","\u003Cp>Push monitors login activity directly in the browser to detect signs of credential-based attacks like leaked password use or suspicious login flows. By analyzing attacker TTPs instead of relying on known indicators, Push spots credential stuffing and account takeover attempts the moment they begin, not after they’ve succeeded.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F52b0123cac2c4dfdb1dc0af6adf9d603",{"large":628},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":630,"meta":631,"component":632,"responsiveStyles":637},"builder-dfb31737b30948c6b95323655d571a50",{"previousId":386},{"name":373,"options":633,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":634,"description":635,"reverse":6,"image":636},"\u003Ch2>Detect session hijacks and stealth access\u003C/h2>","\u003Cp>Attackers don’t always need a login screen, they often sidestep it entirely using stolen session tokens. 
Push detects when valid sessions are reused in unexpected ways, identifying hijacked sessions and stealth access attempts that traditional tools miss. Because we monitor directly in the browser, you see what’s happening inside active sessions in real time.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F94a6859a99e04d309ffe5841f3dbdf5c",{"large":638},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":640,"meta":641,"component":642,"responsiveStyles":647},"builder-f7585b90eb974d03a7dc7eae5b58d227",{"previousId":397},{"name":373,"options":643,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":644,"description":645,"reverse":41,"image":646},"\u003Ch2>Harden accounts before they’re compromised\u003C/h2>","\u003Cp>Push goes beyond alerts. It identifies apps that still allow local logins, even when SSO is configured, so you can remove weak access paths. 
Push also flags users without MFA, reused work credentials, or weak passwords, and prompts users in-browser to fix risky behaviors before they’re exploited.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01c1b638f1b6497093a4f2b8ceddb5bb",{"large":648},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":650,"meta":651,"component":652,"responsiveStyles":654},"builder-ad81d1e3afec49a791214194eae09bdc",{"previousId":408},{"name":354,"options":653,"isRSC":118},{"darkMode":6},{"large":655},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":657,"component":658,"responsiveStyles":660},"builder-8dac1aa4b9d148628d92252bd8eff822",{"name":416,"tag":416,"options":659,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":661},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":663,"@type":106,"tagName":131,"properties":664,"responsiveStyles":665},"builder-pixel-s5u3wmvz7jq",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":666},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":668},{"path":37,"query":669},{},{},1770892814499,1745499162732,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F58b660fa94aa4b30b0faeb9b663ae41a","SfUPqW5tkibIPby49keNFMdHFTr1",[],{"lastPreviewUrl":677,"hasLinks":6,"originalContentId":259,"breakpoints":678,"winningTest":118,"kind":438,"hasAutosaves":41},"https://pushsecurity.com/uc/account-takeover-detection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepo
sitory%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.94bebb7bb99d48629ad157e80cf4d81d=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.use-case-page:/uc/account-takeover-detection=94bebb7bb99d48629ad157e80cf4d81d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":680,"id":681,"name":682,"modelId":261,"published":13,"query":683,"data":686,"variations":789,"lastUpdated":790,"firstPublished":791,"testRatio":33,"screenshot":792,"createdBy":34,"lastUpdatedBy":674,"folders":793,"meta":794,"rev":440},1745009370904,"23eb48fb56d3451cab77cb6ed140ee6d","Attack path hardening",[684],{"@type":264,"property":265,"operator":266,"value":685},"/uc/attack-path-hardening",{"tsCode":37,"seoDescription":687,"jsCode":37,"customFonts":688,"fontAwesomeIcon":693,"seoTitle":682,"title":682,"blocks":694,"url":685,"state":786},"Harden access paths with visibility, detection, and 
guardrails.",[689],{"kind":273,"files":690,"version":274,"lastModified":275,"subsets":691,"menu":296,"category":295,"variants":692,"family":272},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"regular":290,"italic":289,"800italic":285,"500italic":292,"600italic":294,"200italic":291,"900italic":286,"700italic":287,"100italic":288,"300italic":293},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"faRadar",[695,781],{"@type":106,"@version":107,"tagName":323,"id":696,"meta":697,"children":698},"builder-1d8553eddcaa44d7bba9e2f4ca13af2a",{"previousId":577},[699,715,722,729,738,748,758,768,775],{"@type":106,"@version":107,"id":700,"meta":701,"component":702,"responsiveStyles":713},"builder-84fe3d7c85a743cf8cef649aa974f1ef",{"previousId":581},{"name":327,"options":703,"isRSC":118},{"title":682,"description":704,"points":705,"video":712},"\u003Cp>Push continuously monitors your environment for exposed login paths, weak credentials, and missing protections like MFA. 
It detects the gaps attackers exploit and helps you close them before they’re used.\u003C/p>",[706,708,710],{"item":707},"Find weak spots like reused passwords, local logins, and missing MFA",{"item":709},"Monitor how users actually log in across apps, flows, and tools",{"item":711},"Enforce secure access with in-browser guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fdbdcf52892034f1bbddded77f753a343%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=dbdcf52892034f1bbddded77f753a343&alt=media&optimized=true",{"large":714},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":716,"meta":717,"component":718,"responsiveStyles":720},"builder-b3f66f5b08054cc78a06fecfc3ae2337",{"previousId":597},{"name":346,"options":719,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":721},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":723,"meta":724,"component":725,"responsiveStyles":727},"builder-4c73418b84be49ed85e6e13d2625c5a0",{"previousId":604},{"name":354,"options":726,"isRSC":118},{"darkMode":41},{"large":728},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":730,"component":731,"responsiveStyles":736},"builder-dec0246085e1485c803f7152b1922a81",{"name":359,"tag":359,"options":732,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":733,"description":734,"image":735,"reverse":6},"\u003Ch2>Find the gaps that lead to compromise\u003C/h2>","\u003Cp>Misconfigurations don’t show up in your config files, they show up in how users actually access apps. 
Push monitors real login behavior in the browser, surfacing risky patterns like local login access, duplicate accounts, or missing protections that leave doors wide open.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F309a59bba8d247a19476bb369397460e",{"large":737},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":739,"meta":740,"component":741,"responsiveStyles":746},"builder-ebf049a645604a249550996a88f8f3b6",{"previousId":620},{"name":373,"options":742,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":743,"description":744,"reverse":41,"image":745},"\u003Ch2>See real login behavior\u003C/h2>","\u003Cp>Push watches authentication flows as they happen, giving you a live view of how users log in, which methods they choose, and where protections like MFA are missing. Plus, uncover every app and account in use, even shadow IT you didn’t know existed, without relying on stale config files or IdP assumptions. \u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb51f6b0357cc451b87a7a5016d984e5e",{"large":747},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":749,"meta":750,"component":751,"responsiveStyles":756},"builder-431d175c59004669b0b2776b07d71737",{"previousId":630},{"name":373,"options":752,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":753,"description":754,"reverse":6,"image":755},"\u003Ch2>Find and fix posture drift\u003C/h2>","\u003Cp>Security posture isn’t static. Push continuously monitors for issues like missing MFA or legacy login methods. 
When something falls out of policy, you know immediately with custom notifications so you can act before it turns into risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F324e39127dfc41e592b1183dfb39892d",{"large":757},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":759,"meta":760,"component":761,"responsiveStyles":766},"builder-3dffdcbe0a484e2ca4c03f019b6d40ee",{"previousId":640},{"name":373,"options":762,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":763,"description":764,"reverse":41,"image":765},"\u003Ch2>Guide users with in-browser guardrails\u003C/h2>","\u003Cp>Push doesn’t just surface problems, it helps you fix them. When users sign in without MFA, reuse a password, or use insecure credentials, Push prompts them directly in the browser to secure their access. It’s faster, more effective, and actually gets 
results.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fee8b75d13e45488aba55434a8b49ebb0",{"large":767},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":769,"meta":770,"component":771,"responsiveStyles":773},"builder-976bc222cd7647ff905f1e01cfedc453",{"previousId":650},{"name":354,"options":772,"isRSC":118},{"darkMode":6},{"large":774},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":776,"component":777,"responsiveStyles":779},"builder-8c47ec2fd0f74382bb3e6c870555632c",{"name":416,"tag":416,"options":778,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":780},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":782,"@type":106,"tagName":131,"properties":783,"responsiveStyles":784},"builder-pixel-7akm7dayau8",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":785},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":787},{"path":37,"query":788},{},{},1770892844854,1745499166112,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6ca12bf728a045f1a31d40c0beb3bfe5",[],{"kind":438,"lastPreviewUrl":795,"breakpoints":796,"hasLinks":6,"originalContentId":562,"winningTest":118,"hasAutosaves":6},"https://pushsecurity.com/uc/attack-path-hardening?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&buil
der.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.23eb48fb56d3451cab77cb6ed140ee6d=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.use-case-page:/uc/attack-path-hardening=23eb48fb56d3451cab77cb6ed140ee6d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":798,"id":799,"name":800,"modelId":261,"published":13,"query":801,"data":804,"variations":909,"lastUpdated":910,"firstPublished":911,"testRatio":33,"screenshot":912,"createdBy":34,"lastUpdatedBy":674,"folders":913,"meta":914,"rev":440},1761675020232,"ea4f309d2ffe46c5aa97ebf0fda4e2e3","ClickFix Protection",[802],{"@type":264,"property":265,"operator":266,"value":803},"/uc/clickfix-protection",{"seoDescription":805,"fontAwesomeIcon":806,"customFonts":807,"seoTitle":812,"jsCode":37,"tsCode":37,"title":812,"blocks":813,"url":803,"state":906},"Block attacks that trick users into running malicious code.","faLaptopCode",[808],{"files":809,"subsets":810,"menu":296,"version":274,"kind":273,"family":272,"lastModified":275,"variants":811,"category":295},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"200italic":291,"800italic":285,"700italic":287,"600italic":294,"100italic":288,"italic":289,"regular":290,"300italic":293,"500italic":292,"900italic":286},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"ClickFix 
protection",[814,901],{"@type":106,"@version":107,"tagName":323,"id":815,"meta":816,"children":817},"builder-d7eefdde0f2a4b2b9de3dcb2978fd6cb",{"previousId":696},[818,834,841,848,858,868,878,888,895],{"@type":106,"@version":107,"id":819,"meta":820,"component":821,"responsiveStyles":832},"builder-56e2c54bcce040a4af8b92ae03706c12",{"previousId":700},{"name":327,"options":822,"isRSC":118},{"title":812,"description":823,"points":824,"image":831},"\u003Cp>ClickFix attacks are one of the fastest-growing threats, tricking users into copying malicious code from a webpage and running it locally. This technique bypasses traditional EDR, email gateways, and network filters, leading directly to ransomware and data theft. Push stops this attack at the source, in the browser, by detecting and blocking the malicious behavior before the user can ever paste the code.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[825,827,829],{"item":826},"Detect ClickFix, FileFix, and fake CAPTCHA in the browser",{"item":828},"Block malicious copy-and-paste actions before code is executed",{"item":830},"See full telemetry into which users were targeted and what they 
saw","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b74af62889847ebb3927364485b0546",{"large":833},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":835,"meta":836,"component":837,"responsiveStyles":839},"builder-05f9614d4e3e4dc88b3ee8658f54e10e",{"previousId":716},{"name":346,"options":838,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":840},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":842,"meta":843,"component":844,"responsiveStyles":846},"builder-c4fb5179366243c1b6c32d368675cf47",{"previousId":723},{"name":354,"options":845,"isRSC":118},{"darkMode":41},{"large":847},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":849,"meta":850,"component":851,"responsiveStyles":856},"builder-261af50705fd445d8cca4a6ba20d5391",{"previousId":730},{"name":359,"tag":359,"options":852,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":853,"description":854,"reverse":6,"image":855},"\u003Ch2>Stop ClickFix-style attacks before they become a breach\u003C/h2>","\u003Cp>Traditional security tools are blind to malicious copy and paste attacks because the attack exploits a gap between the browser and the endpoint. 
EDR only sees the payload after it runs, and network tools see only part of the picture.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F98b2f7e08dec4eafaf8e24937605b8cf",{"large":857},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":859,"meta":860,"component":861,"responsiveStyles":866},"builder-7d21b8aab8064c40b1e5dd23c4749309",{"previousId":739},{"name":373,"options":862,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":863,"description":864,"reverse":41,"image":865},"\u003Ch2>Discover lures at the source\u003C/h2>","\u003Cp>Push inspects page behavior to identify ClickFix attacks as they happen. By inspecting the page, its structure, and how the user interacts with it, Push can detect and block these in-browser threats in real time. This deep, TTP-based inspection spots the trap even on novel pages that are built to bypass traditional web filters and blocklists.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F665bf47e01544c75bf9ddafd3917927b",{"large":867},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":869,"meta":870,"component":871,"responsiveStyles":876},"builder-fb91943adf6149259ed9e1e6566c9afe",{"previousId":749},{"name":373,"options":872,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":873,"description":874,"reverse":6,"image":875},"\u003Ch2>Block the malicious action\u003C/h2>","\u003Cp>When Push detects a malicious script, it intercepts the user's action and blocks the code from being copied to the clipboard. The user is protected, the attack is stopped, and no malicious code ever reaches the endpoint. 
Unlike broad DLP tools, this action is surgical, targeting only malicious behavior without disrupting normal work.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F5ee68f81f1ac416685cbfe91298cf827",{"large":877},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":879,"meta":880,"component":881,"responsiveStyles":886},"builder-bfac95fada864e5a8259b955b5b5f98b",{"previousId":759},{"name":373,"options":882,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":883,"description":884,"reverse":41,"image":885},"\u003Ch2>Accelerate ClickFix investigations\u003C/h2>","\u003Cp>When an attack happens, knowing what the user saw or did is critical. Push provides rich browser session data for rapid investigation and containment. Security teams get detailed telemetry on which users were targeted, what lure they were served, and when the block occurred. 
This enables defenders to reconstruct what happened and respond quickly, even when other tools miss the activity entirely.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6cdf2a8aeddc4e9a9023cbf974e40239",{"large":887},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":889,"meta":890,"component":891,"responsiveStyles":893},"builder-136892e831684a6987f87d3be67c33d1",{"previousId":769},{"name":354,"options":892,"isRSC":118},{"darkMode":6},{"large":894},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":896,"component":897,"responsiveStyles":899},"builder-dec26b739f2f42beb5a73cfc6c675b60",{"name":416,"tag":416,"options":898,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":900},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":902,"@type":106,"tagName":131,"properties":903,"responsiveStyles":904},"builder-pixel-zzjpxxgrc2l",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":905},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":907},{"path":37,"query":908},{},{},1770892881888,1761847585203,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F375467b8bef34ed1a8a1cc5b8b67d75f",[],{"lastPreviewUrl":915,"originalContentId":681,"winningTest":118,"hasLinks":6,"kind":438,"breakpoints":916,"hasAutosaves":6},"https://pushsecurity.com/uc/clickfix-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.u
ser.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.ea4f309d2ffe46c5aa97ebf0fda4e2e3=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.use-case-page:/uc/clickfix-protection=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":918,"id":919,"name":920,"modelId":261,"published":13,"query":921,"data":924,"variations":1029,"lastUpdated":1030,"firstPublished":1031,"testRatio":33,"screenshot":1032,"createdBy":34,"lastUpdatedBy":674,"folders":1033,"meta":1034,"rev":440},1745009743870,"a9d5556e77f84a37b5bd52310a7110c1","Incident response",[922],{"@type":264,"property":265,"operator":266,"value":923},"/uc/incident-response",{"seoDescription":925,"customFonts":926,"title":920,"jsCode":37,"fontAwesomeIcon":931,"seoTitle":932,"tsCode":37,"blocks":933,"url":923,"state":1026},"Investigate and respond faster with unique browser telemetry.",[927],{"kind":273,"subsets":928,"menu":296,"variants":929,"category":295,"family":272,"version":274,"lastModified":275,"files":930},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"900italic":286,"600italic":294,"200italic":291,"300italic":293,"100italic":288,"700italic":287,"800italic":285,"regular":290,"italic":289,"500italic":292},"faSatelliteDish","Browser-based incident 
response",[934,1021],{"@type":106,"@version":107,"tagName":323,"id":935,"meta":936,"children":937},"builder-653c4aed737b4def88dc4cd2d695660a",{"previousId":696},[938,955,962,969,978,988,998,1008,1015],{"@type":106,"@version":107,"id":939,"meta":940,"component":941,"responsiveStyles":953},"builder-18190bd36518467d9154d27d7e945b9b",{"previousId":700},{"name":327,"options":942,"isRSC":118},{"title":943,"description":944,"points":945,"video":952},"Browser-based incident response","\u003Cp>Push gives you real-time visibility into what actually happened during a breach, right in the browser where the attack played out. From credential theft to session hijacking, Push captures high-fidelity telemetry so you can investigate quickly, contain confidently, and shut it down before it spreads.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[946,948,950],{"item":947},"Reconstruct what happened with real browser session context",{"item":949},"Investigate faster with real-world session context",{"item":951},"Trigger response actions automatically through your SIEM or 
SOAR","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fd00e39d3b6e346c296261d875cf55652%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=d00e39d3b6e346c296261d875cf55652&alt=media&optimized=true",{"large":954},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":956,"meta":957,"component":958,"responsiveStyles":960},"builder-8a0a8ea63f5d48dd8a6726f2d49cf0ca",{"previousId":716},{"name":346,"options":959,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":961},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":963,"meta":964,"component":965,"responsiveStyles":967},"builder-2df65c3f54334df2b26e7cb744886cdc",{"previousId":723},{"name":354,"options":966,"isRSC":118},{"darkMode":41},{"large":968},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":970,"component":971,"responsiveStyles":976},"builder-2c32c869efc2423ab69ef06b150e9f97",{"name":359,"tag":359,"options":972,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":973,"description":974,"image":975,"reverse":6},"\u003Ch2>See attacks unfold, not just their aftermath\u003C/h2>","\u003Cp>Attacks happen in the browser, not in logs. Push captures what traditional tools miss: what users clicked, what loaded, what was entered, and how attackers moved. 
That gives you real-world evidence, not just assumptions, when every second matters.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F36fc719bd1de4a38b916f4d25c81a26d",{"large":977},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":979,"meta":980,"component":981,"responsiveStyles":986},"builder-370e53c6016e432db01e9193a2ce90f6",{"previousId":739},{"name":373,"options":982,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":983,"description":984,"reverse":41,"image":985},"\u003Ch2>Investigate faster with high-fidelity data\u003C/h2>","\u003Cp>Reconstructing an incident shouldn’t feel like guesswork. Push records detailed telemetry from inside the browser: page loads, credential inputs, DOM changes, session activity, user behavior. It’s structured, exportable, and ready to plug into your investigation workflows, so you can move fast without digging through proxy logs or relying on user reports.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa6adda040e684e67a8d68a55c5ce5f6d",{"large":987},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":989,"meta":990,"component":991,"responsiveStyles":996},"builder-a7f3767a8d184bd08fb24520bf210e95",{"previousId":749},{"name":373,"options":992,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":993,"description":994,"reverse":6,"image":995},"\u003Ch2>Contain and respond in real time\u003C/h2>","\u003Cp>When something looks off, Push doesn’t just alert you, it gives you options. Guide users with in-browser prompts. Terminate sessions. Trigger SOAR workflows. Enrich SIEM alerts. 
Push gives you the context and control to stop spread before it starts.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb3dedeed5aba4847a2c2d22e10d0ec12",{"large":997},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":999,"meta":1000,"component":1001,"responsiveStyles":1006},"builder-b92036ee0ece4b32acdbdcc7c377366b",{"previousId":759},{"name":373,"options":1002,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1003,"description":1004,"reverse":41,"image":1005},"\u003Ch2>Prevent the next one\u003C/h2>","\u003Cp>Push helps you respond fast, but it also helps you fix what went wrong. It surfaces misconfigurations and risky behaviors that made the attack possible in the first place, then guides users in-browser to remediate. One tool. Full loop. No loose ends.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc1ecc2d5d3814b62b072fac01827ff96",{"large":1007},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1009,"meta":1010,"component":1011,"responsiveStyles":1013},"builder-5e8ae39655274de89da32ab573a2525a",{"previousId":769},{"name":354,"options":1012,"isRSC":118},{"darkMode":6},{"large":1014},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1016,"component":1017,"responsiveStyles":1019},"builder-dfd6850cfb4741d2b8a0c16c2780f00a",{"name":416,"tag":416,"options":1018,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1020},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1022,"@type":106,"tagName":131,"properties":1023,"responsiveStyles":1024},"builder-pixel-z197gdgcmu",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"lar
ge":1025},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1027},{"path":37,"query":1028},{},{},1770892908052,1745427419274,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb07017bfd318431690a5bb35bda35b99",[],{"kind":438,"breakpoints":1035,"originalContentId":681,"winningTest":118,"lastPreviewUrl":1036,"hasLinks":6,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/incident-response?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.a9d5556e77f84a37b5bd52310a7110c1=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.use-case-page:/uc/incident-response=a9d5556e77f84a37b5bd52310a7110c1&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"createdDate":1038,"id":1039,"name":1040,"modelId":261,"published":13,"query":1041,"data":1044,"variations":1149,"lastUpdated":1150,"firstPublished":1151,"testRatio":33,"screenshot":1152,"createdBy":34,"lastUpdatedBy":674,"folders":1153,"meta":1154,"rev":440},1746122471259,"5f118e24433d46ceb79f5099987156d7","Shadow SaaS",[1042],{"@type":264,"property":265,"operator":266,"value":1043},"/uc/shadow-saas",{"seoTitle":1045,"seoDescription":1046,"customFonts":1047,"fontAwesomeIcon":1052,"title":1053,"jsCode":37,"tsCode":37,"blocks":1054,"url":1043,"state":1146},"Find and secure shadow SaaS","See and 
control shadow SaaS in the browser.",[1048],{"kind":273,"variants":1049,"files":1050,"family":272,"version":274,"subsets":1051,"lastModified":275,"category":295,"menu":296},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"300italic":293,"500italic":292,"regular":290,"900italic":286,"italic":289,"100italic":288,"200italic":291,"600italic":294,"700italic":287,"800italic":285},[298,299],"faShieldCheck","Secure shadow SaaS",[1055,1141],{"@type":106,"@version":107,"tagName":323,"id":1056,"meta":1057,"children":1058},"builder-04da805c4cd34652a2db452fcda52e1d",{"previousId":935},[1059,1075,1082,1089,1098,1108,1118,1128,1135],{"@type":106,"@version":107,"id":1060,"meta":1061,"component":1062,"responsiveStyles":1073},"builder-830d414faeaf41439142f9157e8288c8",{"previousId":939},{"name":327,"options":1063,"isRSC":118},{"title":1045,"description":1064,"points":1065,"video":1072},"\u003Cp>SaaS sprawl is one of today’s fastest-growing security blind spots because most tools monitor around the edges. Push sees it at the source, in the browser, revealing every app users access, flagging risky tools, and helping you shut down exposure before it leads to a breach. No guesswork. No nasty surprises. 
Just real-time visibility and control.\u003C/p>",[1066,1068,1070],{"item":1067},"Discover every SaaS app users access, managed or not",{"item":1069},"Spot accounts with weak security postures like missing MFA, unmanaged access, and no SSO",{"item":1071},"Control usage with in-browser prompts, blocks, and security guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F3e4eece318d04d6586e691d59d0741cf%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=3e4eece318d04d6586e691d59d0741cf&alt=media&optimized=true",{"large":1074},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":1076,"meta":1077,"component":1078,"responsiveStyles":1080},"builder-cd7833f966cb4c7e8adf0d6c979414a6",{"previousId":956},{"name":346,"options":1079,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":1081},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":1083,"meta":1084,"component":1085,"responsiveStyles":1087},"builder-49d720b45430454e8b08c526f267c19f",{"previousId":963},{"name":354,"options":1086,"isRSC":118},{"darkMode":41},{"large":1088},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1090,"component":1091,"responsiveStyles":1096},"builder-3dde0bf6c8544e5e9ab41b18a9d68034",{"name":359,"tag":359,"options":1092,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":1093,"description":1094,"image":1095,"reverse":6},"\u003Ch2>Use your browser to curb Saas Sprawl\u003C/h2>","\u003Cp>Shadow SaaS isn’t hiding in your network, it’s in your browser. From AI tools to unsanctioned file-sharing sites, security risks live in the apps your users sign into every day. 
Push maps your organization's true SaaS footprint in real time, exposing apps and accounts with unmanaged access, poor authentication, or no security oversight.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb6811a214c7949b6bbe0b9a3bca62efd",{"large":1097},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1099,"meta":1100,"component":1101,"responsiveStyles":1106},"builder-e2420451ccdc4f088d0a4904cff45935",{"previousId":979},{"name":373,"options":1102,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":1103,"description":1104,"reverse":41,"image":1105},"\u003Ch2>Discover hidden SaaS usage\u003C/h2>","\u003Cp>Push captures live browser telemetry across every tab and session. Whether a user signs into a sanctioned app with a personal account or tries a new AI plugin, you’ll see it in real time, with no integrations or manual tagging.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe16e301f9af94665b95d98232a863d8a",{"large":1107},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":1109,"meta":1110,"component":1111,"responsiveStyles":1116},"builder-b36de7fce7994beea9e58d94662e7166",{"previousId":989},{"name":373,"options":1112,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":1113,"description":1114,"reverse":6,"image":1115},"\u003Ch2>Spot risky access and unsafe usage\u003C/h2>","\u003Cp>Discovery is just the beginning. Push flags apps with risky traits, no MFA, no SSO, known vulnerabilities, or broad access scopes. 
You’ll know which tools introduce real risk, and which users are exposed so you can act with precision.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6585f3c242da4d70ae3cb7d02f481bef",{"large":1117},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":1119,"meta":1120,"component":1121,"responsiveStyles":1126},"builder-dc366b5134684fe7a508edf8913103ea",{"previousId":999},{"name":373,"options":1122,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1123,"description":1124,"reverse":41,"image":1125},"\u003Ch2>Close gaps before they grow\u003C/h2>","\u003Cp>Push turns insight into action. When risky SaaS use is detected, guide users to enable MFA, block high-risk apps, or apply in-browser guardrails automatically. All without deploying new infrastructure or managing dozens of integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe6d60b6d91414819bc6258a318f00557",{"large":1127},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1129,"meta":1130,"component":1131,"responsiveStyles":1133},"builder-8708f6f0d8da4b3f9e17bf16cda70219",{"previousId":1009},{"name":354,"options":1132,"isRSC":118},{"darkMode":6},{"large":1134},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1136,"component":1137,"responsiveStyles":1139},"builder-8ff4b38d60534cf28cb523ab0f754875",{"name":416,"tag":416,"options":1138,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1140},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1142,"@type":106,"tagName":131,"properties":1143,"responsiveStyles":1144},"builder-pixel-d1ul2kmxbed",{"src":133,"aria-hidden":134,"alt":37,"role":135,"w
idth":124,"height":124},{"large":1145},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1147},{"path":37,"query":1148},{},{},1770892936802,1746714967208,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01bfb2304521412fbd2e1a1180904d40",[],{"originalContentId":919,"winningTest":118,"lastPreviewUrl":1155,"breakpoints":1156,"kind":438,"hasLinks":6,"hasAutosaves":6},"https://pushsecurity.com/uc/shadow-saas?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=5f118e24433d46ceb79f5099987156d7&builder.overrides.5f118e24433d46ceb79f5099987156d7=5f118e24433d46ceb79f5099987156d7&builder.overrides.use-case-page:/uc/shadow-saas=5f118e24433d46ceb79f5099987156d7&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":1158,"id":1159,"name":1160,"modelId":261,"published":13,"query":1161,"data":1164,"variations":1268,"lastUpdated":1269,"firstPublished":1270,"testRatio":33,"screenshot":1271,"createdBy":34,"lastUpdatedBy":674,"folders":1272,"meta":1273,"rev":440},1764707470172,"b62629ce2f3741158d961cd10fe74b31","Shadow AI",[1162],{"@type":264,"property":265,"operator":266,"value":1163},"/uc/shadow-ai",{"fontAwesomeIcon":1165,"seoTitle":1166,"jsCode":37,"customFonts":1167,"title":1172,"tsCode":37,"seoDescription":1173,"blocks":1174,"url":1163,"state":1265},"faBrainCircuit","Secure AI 
native and AI enhanced apps. ",[1168],{"variants":1169,"category":295,"files":1170,"subsets":1171,"family":272,"kind":273,"menu":296,"lastModified":275,"version":274},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"800italic":285,"regular":290,"700italic":287,"200italic":291,"italic":289,"500italic":292,"600italic":294,"300italic":293,"100italic":288,"900italic":286},[298,299],"Secure shadow AI","See and control shadow AI apps in the browser.",[1175,1260],{"@type":106,"@version":107,"tagName":323,"id":1176,"meta":1177,"children":1178},"builder-a6e5717a2c914d5695058e4ee201a05d",{"previousId":1056},[1179,1195,1202,1209,1219,1228,1237,1247,1254],{"@type":106,"@version":107,"id":1180,"meta":1181,"component":1182,"responsiveStyles":1193},"builder-3e0ed678683f4a0eb7aa00253cf263b2",{"previousId":1060},{"name":327,"options":1183,"isRSC":118},{"title":1172,"description":1184,"points":1185,"image":1192},"\u003Cp>Your employees are adopting AI faster than you can track it. From native features in corporate apps to unapproved shadow tools, it’s all happening in the browser. 
Push detects every AI interaction in real time, letting you categorize apps and enforce acceptable use policies in the browser.\u003C/p>",[1186,1188,1190],{"item":1187},"Map every AI tool used across your workforce",{"item":1189},"Review and classify apps by sensitivity, purpose, and policy status",{"item":1191},"Enforce AI usage rules directly in the browser","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F33cf153d920f4e389f3650253577cff7",{"large":1194},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":1196,"meta":1197,"component":1198,"responsiveStyles":1200},"builder-76968f8471d14893b8189d75b08fb426",{"previousId":1076},{"name":346,"options":1199,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":1201},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":1203,"meta":1204,"component":1205,"responsiveStyles":1207},"builder-b55b9d4bc5a649d8839ce7f6c2043d95",{"previousId":1083},{"name":354,"options":1206,"isRSC":118},{"darkMode":41},{"large":1208},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1210,"meta":1211,"component":1212,"responsiveStyles":1217},"builder-c3f38ef4d75d4989a29b5903175ed8a1",{"previousId":1090},{"name":359,"tag":359,"options":1213,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":1214,"description":1215,"image":1216,"reverse":6},"\u003Ch2>Use your browser to govern AI \u003C/h2>","\u003Cp>The AI footprint inside your company is bigger than you think. From text generators to meeting assistants and design copilots, employees test, adopt, and connect new tools constantly. 
Push shows you those tools and which users are accessing them, without relying on network scans or API integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F30b43bda6f1644c19478fb1efa20050c",{"large":1218},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1220,"meta":1221,"component":1222,"responsiveStyles":1226},"builder-90ee9cb9afc44e7f885523715bf51a53",{"previousId":1099},{"name":373,"options":1223,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":1224,"description":1225,"reverse":41,"image":1115},"\u003Ch2>Discover every AI tool users touch\u003C/h2>","\u003Cp>Push captures live telemetry from the browser, identifying every AI-native and AI-enhanced application users access. You’ll know which corporate identities are connected, how data flows, and what new AI apps appear across your environment. \u003C/p>",{"large":1227},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":1229,"meta":1230,"component":1231,"responsiveStyles":1235},"builder-9e44539fa53c4d8e87406036c921fc46",{"previousId":1109},{"name":373,"options":1232,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":1233,"description":1234,"reverse":6,"image":1125},"\u003Ch2>Classify and manage AI risk\u003C/h2>","\u003Cp>For apps you choose to allow, Push lets you apply custom in-browser banners. You can bulk-select categories of AI tools and require users to read and acknowledge your acceptable use policy before they proceed. 
This creates an auditable trail and moves policy from an easy to forget document to an active, in-workflow control.\u003C/p>",{"large":1236},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":1238,"meta":1239,"component":1240,"responsiveStyles":1245},"builder-44c1a891926f4bdeaaa37e90721fe6ac",{"previousId":1119},{"name":373,"options":1241,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1242,"description":1243,"reverse":41,"image":1244},"\u003Ch2>Enforce your AI policy in the browser\u003C/h2>","\u003Cp>When an AI tool is deemed non-compliant or too risky, Push blocks it at the source. The block happens directly in the browser, preventing the user from accessing the site or submitting data. This gives you an immediate, powerful lever to stop data exfiltration and enforce a hard line on unacceptable risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa359ac1805af4e15a8a7f84632b9bb55",{"large":1246},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1248,"meta":1249,"component":1250,"responsiveStyles":1252},"builder-dcc906f9cbe54dc68b3c672668e7a38f",{"previousId":1129},{"name":354,"options":1251,"isRSC":118},{"darkMode":6},{"large":1253},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1255,"component":1256,"responsiveStyles":1258},"builder-d2d64780c31b4349bc75805b23a07e38",{"name":416,"tag":416,"options":1257,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1259},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1261,"@type":106,"tagName":131,"properties":1262,"responsiveStyles":1263},"builder-pixel-wxx9tk70r9p",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124
},{"large":1264},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1266},{"path":37,"query":1267},{},{},1770892957225,1764950077593,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe558b8b069884037a8e6904f7ecc029c",[],{"winningTest":118,"breakpoints":1274,"originalContentId":1039,"kind":438,"lastPreviewUrl":1275,"hasLinks":6,"hasAutosaves":41},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/shadow-ai?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=b62629ce2f3741158d961cd10fe74b31&builder.overrides.b62629ce2f3741158d961cd10fe74b31=b62629ce2f3741158d961cd10fe74b31&builder.overrides.use-case-page:/uc/shadow-ai=b62629ce2f3741158d961cd10fe74b31&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"_path":1277,"_dir":1278,"_draft":6,"_partial":6,"_locale":37,"sys":1279,"ogImage":118,"summary":1282,"title":1296,"subtitle":118,"metaTitle":1297,"synopsis":1292,"hashTags":118,"publishedDate":1298,"slug":1299,"tagsCollection":1300,"relatedBlogPostsCollection":1310,"authorsCollection":3636,"content":3640,"_id":4247,"_type":4248,"_source":4249,"_file":4250,"_stem":4251,"_extension":4248},"/blog/how-push-stopped-a-high-risk-linkedin-spear-phishing-attack","blog",{"id":1280,"publishedAt":1281},"2yEhB2gFC2TJDLquVP3cg2","2025-11-17T15:27:01.915Z",{"json":1283},{"data":1284,"content":1285,"nodeType":1295},{},[1
286],{"data":1287,"content":1288,"nodeType":1294},{},[1289],{"data":1290,"marks":1291,"value":1292,"nodeType":1293},{},[],"How Push saved a company exec from a sophisticated Attacker-in-the-Middle phishing attack delivered via a LinkedIn direct message.","text","paragraph","document","How Push stopped a high risk LinkedIn spear-phishing attack against a company exec","How Push stopped a high risk LinkedIn spear-phishing attack","2025-09-08T00:00:00.000Z","how-push-stopped-a-high-risk-linkedin-spear-phishing-attack",{"items":1301},[1302,1306],{"sys":1303,"name":1305},{"id":1304},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"sys":1307,"name":1309},{"id":1308},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"items":1311},[1312,1999,2628],{"__typename":1313,"sys":1314,"content":1316,"title":1981,"synopsis":1982,"hashTags":118,"publishedDate":1983,"slug":1984,"tagsCollection":1985,"authorsCollection":1991},"BlogPosts",{"id":1315},"62Zyr35VUmijkpupWk3hoD",{"json":1317},{"data":1318,"content":1319,"nodeType":1295},{},[1320,1336,1343,1347,1357,1364,1371,1393,1402,1409,1416,1423,1430,1433,1441,1448,1454,1461,1470,1477,1484,1490,1510,1516,1523,1530,1537,1543,1546,1554,1574,1581,1614,1621,1628,1634,1641,1648,1655,1658,1666,1685,1691,1698,1705,1711,1718,1725,1728,1736,1743,1763,1808,1815,1822,1829,1832,1840,1847,1854,1861,1864,1872,1879,1910,1930,1937,1940,1948,1955,1962],{"data":1321,"content":1322,"nodeType":1294},{},[1323,1327,1332],{"data":1324,"marks":1325,"value":1326,"nodeType":1293},{},[],"The view that \"the browser is the new endpoint\" and \"the new battleground for cyber attacks\" is becoming increasingly advocated by security leaders. But what does this ",{"data":1328,"marks":1329,"value":1331,"nodeType":1293},{},[1330],{"type":312},"actually",{"data":1333,"marks":1334,"value":1335,"nodeType":1293},{},[]," mean for security teams? 
",{"data":1337,"content":1338,"nodeType":1294},{},[1339],{"data":1340,"marks":1341,"value":1342,"nodeType":1293},{},[],"In this article, we’re cutting out the jargon to explore what a browser-based attack is, and what’s required for effective detection and response. ",{"data":1344,"content":1345,"nodeType":1346},{},[],"hr",{"data":1348,"content":1349,"nodeType":1356},{},[1350],{"data":1351,"marks":1352,"value":1355,"nodeType":1293},{},[1353],{"type":1354},"bold","What is the goal of a browser-based attack?   ","heading-1",{"data":1358,"content":1359,"nodeType":1294},{},[1360],{"data":1361,"marks":1362,"value":1363,"nodeType":1293},{},[],"First, it’s important to establish what the point of a browser-based attack is.",{"data":1365,"content":1366,"nodeType":1294},{},[1367],{"data":1368,"marks":1369,"value":1370,"nodeType":1293},{},[],"In most scenarios, attackers don’t think of themselves as attacking your web browser. Their end-goal is to compromise your business apps and data. That means going after the third-party apps and services that are now the backbone of business IT — and therefore the top target for attackers. ",{"data":1372,"content":1373,"nodeType":1294},{},[1374,1378,1389],{"data":1375,"marks":1376,"value":1377,"nodeType":1293},{},[],"The most common attack path today sees attackers log into third-party services, dump the data, and monetize it through extortion. 
You need only look at last year’s ",{"data":1379,"content":1381,"nodeType":1388},{"uri":1380},"https://pushsecurity.com/blog/snowflake-retro?utm_source=bleeping-computer&utm_medium=sponsored-content&utm_term=article",[1382],{"data":1383,"marks":1384,"value":1387,"nodeType":1293},{},[1385],{"type":1386},"underline","Snowflake","hyperlink",{"data":1390,"marks":1391,"value":1392,"nodeType":1293},{},[]," customer breaches or the still-ongoing Salesforce attacks to see the impact.",{"data":1394,"content":1400,"nodeType":1401},{"target":1395},{"sys":1396},{"id":1397,"type":1398,"linkType":1399},"5agrVXzEdwALmew2F5SPDp","Link","Entry",[],"embedded-entry-block",{"data":1403,"content":1404,"nodeType":1294},{},[1405],{"data":1406,"marks":1407,"value":1408,"nodeType":1293},{},[],"The most logical way to do this is by targeting users of those apps. And because of the changes to working practices, your users are more accessible than ever to external attackers.",{"data":1410,"content":1411,"nodeType":1294},{},[1412],{"data":1413,"marks":1414,"value":1415,"nodeType":1293},{},[],"Once upon a time, email was the primary communication channel with the wider world, and work happened locally — on your device, and inside your locked-down network environment. This made email and the endpoint the highest priority from a security perspective. But now, with modern work happening across a network of decentralized internet apps, and more varied communication channels outside of email, it’s harder to stop users from interacting with malicious content (at least, without significantly impeding their ability to do their jobs).",{"data":1417,"content":1418,"nodeType":1294},{},[1419],{"data":1420,"marks":1421,"value":1422,"nodeType":1293},{},[],"Given that the browser is the place where business apps are accessed and used, it makes sense that attacks are increasingly playing out there too. 
",{"data":1424,"content":1425,"nodeType":1294},{},[1426],{"data":1427,"marks":1428,"value":1429,"nodeType":1293},{},[],"With that covered off, let’s take a closer look at the most prevalent browser-based attack techniques being used by attackers in the wild today.",{"data":1431,"content":1432,"nodeType":1346},{},[],{"data":1434,"content":1435,"nodeType":1356},{},[1436],{"data":1437,"marks":1438,"value":1440,"nodeType":1293},{},[1439],{"type":1354},"The 6 key browser-based attacks that security teams need to know about",{"data":1442,"content":1443,"nodeType":1294},{},[1444],{"data":1445,"marks":1446,"value":1447,"nodeType":1293},{},[],"Attacks that target users in their web browsers have seen an unprecedented rise in recent years. ",{"data":1449,"content":1453,"nodeType":1401},{"target":1450},{"sys":1451},{"id":1452,"type":1398,"linkType":1399},"4ogNqZdObSIJXavHP44lom",[],{"data":1455,"content":1456,"nodeType":1294},{},[1457],{"data":1458,"marks":1459,"value":1460,"nodeType":1293},{},[],"Here's our breakdown of the top 6 browser-based attacks that should be on every security team's radar right now. ",{"data":1462,"content":1463,"nodeType":1469},{},[1464],{"data":1465,"marks":1466,"value":1468,"nodeType":1293},{},[1467],{"type":1354},"1. Phishing for credentials and sessions","heading-2",{"data":1471,"content":1472,"nodeType":1294},{},[1473],{"data":1474,"marks":1475,"value":1476,"nodeType":1293},{},[],"The most direct way for an attacker to compromise a business application is to phish a user of that app. You might not necessarily think of phishing as a browser-based attack, but that’s exactly what it is today. ",{"data":1478,"content":1479,"nodeType":1294},{},[1480],{"data":1481,"marks":1482,"value":1483,"nodeType":1293},{},[],"Phishing tooling and infrastructure has evolved a lot in the past decade, while the changes to business IT means there are both many more vectors for phishing attack delivery, and apps and identities to target. 
Attackers can deliver links over instant messenger apps, social media, SMS, malicious ads, and using in-app messenger functionality, as well as sending emails directly from SaaS services to bypass email-based checks. Likewise, there are now hundreds of apps per enterprise to target, with varying levels of account security configuration. ",{"data":1485,"content":1489,"nodeType":1401},{"target":1486},{"sys":1487},{"id":1488,"type":1398,"linkType":1399},"3SrKOgpedLMQRpKIZqUQur",[],{"data":1491,"content":1492,"nodeType":1294},{},[1493,1497,1506],{"data":1494,"marks":1495,"value":1496,"nodeType":1293},{},[],"Whereas phishing was once entirely focused on credential theft, modern phishing attacks see the attacker intercept the victim’s session on the target app, using reverse-proxy Attacker-in-the-Middle kits that are the standard choice for attackers today. This means most forms of MFA can be bypassed, with the exception of passkeys (though attackers are finding ways to work around passkeys using ",{"data":1498,"content":1500,"nodeType":1388},{"uri":1499},"https://pushsecurity.com/blog/mfa-downgrade-attacks/?utm_source=bleeping-computer&utm_medium=sponsored-content&utm_term=article",[1501],{"data":1502,"marks":1503,"value":1505,"nodeType":1293},{},[1504],{"type":1386},"downgrade attacks",{"data":1507,"marks":1508,"value":1509,"nodeType":1293},{},[],"). ",{"data":1511,"content":1515,"nodeType":1401},{"target":1512},{"sys":1513},{"id":1514,"type":1398,"linkType":1399},"2sOFEdAwQZjWOGzNAlGavb",[],{"data":1517,"content":1518,"nodeType":1294},{},[1519],{"data":1520,"marks":1521,"value":1522,"nodeType":1293},{},[],"There are other key differences to be aware of too. Today, phishing operates on an industrial scale, using an array of obfuscation and detection evasion techniques. The latest generation of fully customized AitM phishing kits are dynamically obfuscating the code that loads the web page, implementing custom bot protection (e.g. 
CAPTCHA or Cloudflare Turnstile), using runtime anti-analysis features, and using legitimate SaaS and cloud services to host and deliver phishing links to cover their tracks.",{"data":1524,"content":1525,"nodeType":1294},{},[1526],{"data":1527,"marks":1528,"value":1529,"nodeType":1293},{},[],"This means that traditional anti-phishing tools at the email and network layer are struggling to keep up, with many attacks evading email-based detections (or bypassing email altogether). At the same time, proxy-based solutions now see a garbled mess of JavaScript code without the necessary context of what is actually happening in the browser to be able to piece it together effectively. Even if they don’t realize it, this means many organizations are now relying solely on blocking known-bad sites and hosts — a wildly ineffective solution in 2025 with the rate that attackers refresh and rotate their phishing infrastructure. ",{"data":1531,"content":1532,"nodeType":1294},{},[1533],{"data":1534,"marks":1535,"value":1536,"nodeType":1293},{},[],"These changes make phishing more effective than ever, and increasingly difficult to detect and block without being able to observe and analyze web pages that a user interacts with in real time — something only possible with browser-level visibility. ",{"data":1538,"content":1542,"nodeType":1401},{"target":1539},{"sys":1540},{"id":1541,"type":1398,"linkType":1399},"1II2kHyOZcShLsexx1TAgy",[],{"data":1544,"content":1545,"nodeType":1346},{},[],{"data":1547,"content":1548,"nodeType":1469},{},[1549],{"data":1550,"marks":1551,"value":1553,"nodeType":1293},{},[1552],{"type":1354},"2. Malicious copy and paste (aka. 
ClickFix, FileFix, etc.)",{"data":1555,"content":1556,"nodeType":1294},{},[1557,1561,1570],{"data":1558,"marks":1559,"value":1560,"nodeType":1293},{},[],"One of the biggest security trends in the past year has been the emergence of the attack technique known as ",{"data":1562,"content":1564,"nodeType":1388},{"uri":1563},"https://www.microsoft.com/en-us/security/blog/2025/08/21/think-before-you-clickfix-analyzing-the-clickfix-social-engineering-technique/",[1565],{"data":1566,"marks":1567,"value":1569,"nodeType":1293},{},[1568],{"type":1386},"ClickFix",{"data":1571,"marks":1572,"value":1573,"nodeType":1293},{},[],". ",{"data":1575,"content":1576,"nodeType":1294},{},[1577],{"data":1578,"marks":1579,"value":1580,"nodeType":1293},{},[],"Originally known as “Fake CAPTCHA”, these attacks attempt to trick users into running malicious commands on their device — typically by solving some form of verification challenge in the browser. ",{"data":1582,"content":1583,"nodeType":1294},{},[1584,1588,1597,1601,1610],{"data":1585,"marks":1586,"value":1587,"nodeType":1293},{},[],"In reality, by solving the challenge, the victim is actually copying malicious code from the page clipboard and running it on their device. It typically gives the victim instructions that involve clicking prompts and copying, pasting, and running commands directly in the Windows Run dialog box, Terminal, or PowerShell. 
Variants such as ",{"data":1589,"content":1591,"nodeType":1388},{"uri":1590},"https://mrd0x.com/filefix-clickfix-alternative/",[1592],{"data":1593,"marks":1594,"value":1596,"nodeType":1293},{},[1595],{"type":1386},"FileFix",{"data":1598,"marks":1599,"value":1600,"nodeType":1293},{},[]," have also emerged, which instead use the File Explorer Address Bar to execute OS commands, while recent examples have seen this attack branch out to ",{"data":1602,"content":1604,"nodeType":1388},{"uri":1603},"https://www.bleepingcomputer.com/news/security/fake-mac-fixes-trick-users-into-installing-new-shamos-infostealer/",[1605],{"data":1606,"marks":1607,"value":1609,"nodeType":1293},{},[1608],{"type":1386},"Mac via the macOS terminal",{"data":1611,"marks":1612,"value":1613,"nodeType":1293},{},[],".",{"data":1615,"content":1616,"nodeType":1294},{},[1617],{"data":1618,"marks":1619,"value":1620,"nodeType":1293},{},[],"Most commonly, these attacks are used to deliver infostealer malware, with the stolen session cookies and credentials then used to access business apps and services. ",{"data":1622,"content":1623,"nodeType":1294},{},[1624],{"data":1625,"marks":1626,"value":1627,"nodeType":1293},{},[],"Like modern credential and session phishing, links to malicious pages are distributed over various delivery channels and using a variety of lures, including impersonating CAPTCHA, Cloudflare Turnstile, simulating an error loading a webpage, and many more. ",{"data":1629,"content":1633,"nodeType":1401},{"target":1630},{"sys":1631},{"id":1632,"type":1398,"linkType":1399},"6O9YiOfhpGFCDsTil9F3On",[],{"data":1635,"content":1636,"nodeType":1294},{},[1637],{"data":1638,"marks":1639,"value":1640,"nodeType":1293},{},[],"The variance in lure, and differences between different versions of the same lure, can make it difficult to fingerprint and detect based on visual elements alone. 
Also, many of the same protections being used to obfuscate and prevent analysis of phishing pages also apply to ClickFix pages, making it equally challenging to detect and block them. ",{"data":1642,"content":1643,"nodeType":1294},{},[1644],{"data":1645,"marks":1646,"value":1647,"nodeType":1293},{},[],"This leaves most of the detection and blocking down to endpoint-layer controls around user-level code execution and malware running on a device. The quantity of ClickFix-related headlines in the news would indicate that endpoint controls are being routinely bypassed, or perhaps evaded altogether by targeting personal or BYOD devices. ",{"data":1649,"content":1650,"nodeType":1294},{},[1651],{"data":1652,"marks":1653,"value":1654,"nodeType":1293},{},[],"There is a significant opportunity to detect these attacks in the browser and stop them at the earliest opportunity, before they reach the endpoint. Every ClickFix attack and variant has a key action in common — malicious code is copied from the page’s clipboard. In some cases, this happens without any user interaction (where the only requirement on the user is to run code that has been silently copied behind the scenes), presenting a strong indicator of malicious behavior that can be observed in the browser. ",{"data":1656,"content":1657,"nodeType":1346},{},[],{"data":1659,"content":1660,"nodeType":1469},{},[1661],{"data":1662,"marks":1663,"value":1665,"nodeType":1293},{},[1664],{"type":1354},"3. Malicious OAuth integrations",{"data":1667,"content":1668,"nodeType":1294},{},[1669,1673,1681],{"data":1670,"marks":1671,"value":1672,"nodeType":1293},{},[],"Malicious OAuth integrations are another way for attackers to compromise an app by tricking a user into authorizing an integration with a malicious, attacker-controlled app, with the level of data access and functionality dictated by the scopes authorized in the request. 
This is also known as ",{"data":1674,"content":1676,"nodeType":1388},{"uri":1675},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/consent_phishing/description.md",[1677],{"data":1678,"marks":1679,"value":1680,"nodeType":1293},{},[],"consent phishing",{"data":1682,"marks":1683,"value":1684,"nodeType":1293},{},[],". ",{"data":1686,"content":1690,"nodeType":1401},{"target":1687},{"sys":1688},{"id":1689,"type":1398,"linkType":1399},"5JaP4WSfFsFSbvaa9BQBOq",[],{"data":1692,"content":1693,"nodeType":1294},{},[1694],{"data":1695,"marks":1696,"value":1697,"nodeType":1293},{},[],"This is an effective way for attackers to bypass hardened authentication and access controls by sidestepping the typical login process to take over an account and compromise business apps. This includes phishing-resistant MFA methods like passkeys — since the standard login process does not apply. ",{"data":1699,"content":1700,"nodeType":1294},{},[1701],{"data":1702,"marks":1703,"value":1704,"nodeType":1293},{},[],"A variant of this attack has dominated the headlines recently with the ongoing Salesforce breaches. In this scenario, the attacker tricked the victim into authorizing an attacker-controlled OAuth app via the device code authorization flow in Salesforce, which requires the user to enter an 8-digit code in place of a password or MFA factor.",{"data":1706,"content":1710,"nodeType":1401},{"target":1707},{"sys":1708},{"id":1709,"type":1398,"linkType":1399},"3odEFcUcpKN553gHh2P5yr",[],{"data":1712,"content":1713,"nodeType":1294},{},[1714],{"data":1715,"marks":1716,"value":1717,"nodeType":1293},{},[],"Preventing malicious OAuth grants being authorized requires tight in-app management of user permissions and tenant security settings. This is no mean feat when considering the 100s of apps in use across the modern enterprise, many of which are not centrally managed by IT and security teams (or in some cases, are completely unknown to them). 
Even then, you’re limited by the controls made available by the app vendor. In this case, Salesforce has announced planned changes to OAuth app authorization in order to improve security prompted by these attacks — but many more apps with insecure configs exist for attackers to take advantage of in future. ",{"data":1719,"content":1720,"nodeType":1294},{},[1721],{"data":1722,"marks":1723,"value":1724,"nodeType":1293},{},[],"However, unlike app-specific integrations, browser-based security tools are well positioned to observe OAuth grants across all apps accessed in the browser — even the ones the security team doesn’t manage or know about, or without needing to pay for the app’s special security add-on to get visibility.",{"data":1726,"content":1727,"nodeType":1346},{},[],{"data":1729,"content":1730,"nodeType":1469},{},[1731],{"data":1732,"marks":1733,"value":1735,"nodeType":1293},{},[1734],{"type":1354},"4. Malicious browser extensions",{"data":1737,"content":1738,"nodeType":1294},{},[1739],{"data":1740,"marks":1741,"value":1742,"nodeType":1293},{},[],"Malicious browser extensions are another way for attackers to compromise your business apps by observing and capturing logins as they happen, and/or extracting session cookies and credentials saved in the browser cache and password manager. 
",{"data":1744,"content":1745,"nodeType":1294},{},[1746,1750,1759],{"data":1747,"marks":1748,"value":1749,"nodeType":1293},{},[],"Attackers do this by creating their own malicious extension and tricking your users into installing it, or taking over an existing extension to gain access to browsers where it is already installed (",{"data":1751,"content":1753,"nodeType":1388},{"uri":1752},"https://secureannex.com/blog/buying-browser-extensions/",[1754],{"data":1755,"marks":1756,"value":1758,"nodeType":1293},{},[1757],{"type":1386},"it’s very easy for attackers to buy and add malicious updates to existing extensions",{"data":1760,"marks":1761,"value":1762,"nodeType":1293},{},[],", easily passing extension web store security checks). ",{"data":1764,"content":1765,"nodeType":1294},{},[1766,1770,1779,1783,1792,1796,1805],{"data":1767,"marks":1768,"value":1769,"nodeType":1293},{},[],"The news around extension-based compromises has been on the rise since the ",{"data":1771,"content":1773,"nodeType":1388},{"uri":1772},"https://www.bleepingcomputer.com/news/security/new-details-reveal-how-hackers-hijacked-35-google-chrome-extensions/",[1774],{"data":1775,"marks":1776,"value":1778,"nodeType":1293},{},[1777],{"type":1386},"Cyberhaven extension",{"data":1780,"marks":1781,"value":1782,"nodeType":1293},{},[]," was hacked in December 2024, along with at least 35 other extensions. 
Since then, there has been regular reporting on data-stealing extensions ",{"data":1784,"content":1786,"nodeType":1388},{"uri":1785},"https://www.bleepingcomputer.com/news/security/data-stealing-chrome-extensions-impersonate-fortinet-youtube-vpns/",[1787],{"data":1788,"marks":1789,"value":1791,"nodeType":1293},{},[1790],{"type":1386},"impersonating legitimate brands",{"data":1793,"marks":1794,"value":1795,"nodeType":1293},{},[],", and ",{"data":1797,"content":1799,"nodeType":1388},{"uri":1798},"https://www.bleepingcomputer.com/news/security/chrome-extensions-with-6-million-installs-have-hidden-tracking-code/",[1800],{"data":1801,"marks":1802,"value":1804,"nodeType":1293},{},[1803],{"type":1386},"impacting millions of users",{"data":1806,"marks":1807,"value":1613,"nodeType":1293},{},[],{"data":1809,"content":1810,"nodeType":1294},{},[1811],{"data":1812,"marks":1813,"value":1814,"nodeType":1293},{},[],"Risky browser extension permissions include broad data access, the ability to modify website content, track user activity, capture screenshots, and manage tabs or network requests. Permissions like \"read and change all data on all websites\" or access to cookies and browsing history are particularly dangerous as they can be exploited for session hijacking, data theft, malware injection, or phishing.",{"data":1816,"content":1817,"nodeType":1294},{},[1818],{"data":1819,"marks":1820,"value":1821,"nodeType":1293},{},[],"Generally, your employees should not be randomly installing browser extensions unless pre-approved by your security team. The reality, however, is that many organizations have very little visibility of the extensions their employees are using, and the potential risk they’re exposed to as a result. 
",{"data":1823,"content":1824,"nodeType":1294},{},[1825],{"data":1826,"marks":1827,"value":1828,"nodeType":1293},{},[],"To tackle malicious extensions, security tools operating in the browser can track the browser extensions deployed, highlight risky permissions, compare with known-malicious extensions, identify fraudulent/unofficial versions of a legitimate extension, and highlight other risky properties commonly associated with malicious extensions (e.g. “Developer” extensions). ",{"data":1830,"content":1831,"nodeType":1346},{},[],{"data":1833,"content":1834,"nodeType":1469},{},[1835],{"data":1836,"marks":1837,"value":1839,"nodeType":1293},{},[1838],{"type":1354},"5. Malicious file delivery",{"data":1841,"content":1842,"nodeType":1294},{},[1843],{"data":1844,"marks":1845,"value":1846,"nodeType":1293},{},[],"Malicious files have been a core part of malware delivery and credential theft for many years. Just as non-email channels like malvertising and drive-by attacks are used to deliver phishing and ClickFix lures, malicious files are also distributed through similar means — leaving malicious file detection to basic known-bad checks, sandbox analysis using a proxy (not that useful in the context of sandbox-aware malware) or runtime analysis on the endpoint. ",{"data":1848,"content":1849,"nodeType":1294},{},[1850],{"data":1851,"marks":1852,"value":1853,"nodeType":1293},{},[],"This doesn’t just have to be malicious executables directly dropping malware onto the device. File downloads can also contain additional links taking the user to malicious content. In fact, one of the most common types of downloadable content are HTML Applications (HTAs), commonly used to spawn local phishing pages to stealthily capture credentials. More recently, attackers have been weaponizing SVG files for a similar purpose, running as self-contained phishing pages that render fake login portals entirely client-side. 
",{"data":1855,"content":1856,"nodeType":1294},{},[1857],{"data":1858,"marks":1859,"value":1860,"nodeType":1293},{},[],"Even if malicious content cannot always be flagged from surface-level inspection of a file, recording file downloads in the browser is a useful addition to endpoint-based malware protection, and provides another layer of defense against file downloads that perform client-side attacks, or redirect the user to malicious web-based content. ",{"data":1862,"content":1863,"nodeType":1346},{},[],{"data":1865,"content":1866,"nodeType":1469},{},[1867],{"data":1868,"marks":1869,"value":1871,"nodeType":1293},{},[1870],{"type":1354},"6. Stolen credentials and MFA gaps",{"data":1873,"content":1874,"nodeType":1294},{},[1875],{"data":1876,"marks":1877,"value":1878,"nodeType":1293},{},[],"This last one isn’t so much a browser-based attack, but it is a product of them. When credentials are stolen through phishing or infostealer malware they can be used to take over accounts missing MFA. ",{"data":1880,"content":1881,"nodeType":1294},{},[1882,1886,1893,1897,1906],{"data":1883,"marks":1884,"value":1885,"nodeType":1293},{},[],"This isn’t the most sophisticated attack, but it’s very effective. You need only look at last year’s ",{"data":1887,"content":1888,"nodeType":1388},{"uri":1380},[1889],{"data":1890,"marks":1891,"value":1387,"nodeType":1293},{},[1892],{"type":1386},{"data":1894,"marks":1895,"value":1896,"nodeType":1293},{},[]," account compromises or the ",{"data":1898,"content":1900,"nodeType":1388},{"uri":1899},"https://pushsecurity.com/blog/why-attackers-are-targeting-jira-with-stolen-credentials?utm_source=bleeping-computer&utm_medium=sponsored-content&utm_term=article",[1901],{"data":1902,"marks":1903,"value":1905,"nodeType":1293},{},[1904],{"type":1386},"Jira",{"data":1907,"marks":1908,"value":1909,"nodeType":1293},{},[]," attacks earlier this year to see how attackers harness stolen credentials at scale. 
",{"data":1911,"content":1912,"nodeType":1294},{},[1913,1917,1926],{"data":1914,"marks":1915,"value":1916,"nodeType":1293},{},[],"With the modern enterprise using hundreds of apps, the likelihood that an app hasn’t been configured for mandatory MFA (if possible) is high. And even when an app has been configured for SSO and connected to your primary corporate identity, ",{"data":1918,"content":1920,"nodeType":1388},{"uri":1919},"https://pushsecurity.com/blog/how-many-vulnerable-identities-do-you-have/?utm_source=bleeping-computer&utm_medium=sponsored-content&utm_term=sidebar",[1921],{"data":1922,"marks":1923,"value":1925,"nodeType":1293},{},[1924],{"type":1386},"local “ghost logins” can continue to exist",{"data":1927,"marks":1928,"value":1929,"nodeType":1293},{},[],", accepting passwords with no MFA required. Just having visibility of your primary Identity Provider accounts (e.g. Google, Microsoft, Okta) and SSO-connected apps doesn't give you a full picture of your identity surface.",{"data":1931,"content":1932,"nodeType":1294},{},[1933],{"data":1934,"marks":1935,"value":1936,"nodeType":1293},{},[],"Logins can also be observed in the browser — in fact, it’s as close to a universal source of truth as you’re going to get about how your employees are actually logging in, which apps they’re using, and whether MFA is present, enabling security teams to find and fix vulnerable logins before they can be exploited by attackers. ",{"data":1938,"content":1939,"nodeType":1346},{},[],{"data":1941,"content":1942,"nodeType":1356},{},[1943],{"data":1944,"marks":1945,"value":1947,"nodeType":1293},{},[1946],{"type":1354},"Conclusion",{"data":1949,"content":1950,"nodeType":1294},{},[1951],{"data":1952,"marks":1953,"value":1954,"nodeType":1293},{},[],"Attacks are increasingly happening in the browser. That makes it the perfect place to detect and respond to these attacks. But right now, the browser is a blind-spot for most security teams. 
",{"data":1956,"content":1957,"nodeType":1294},{},[1958],{"data":1959,"marks":1960,"value":1961,"nodeType":1293},{},[],"Push Security’s browser-based security platform provides comprehensive detection and response capabilities against the leading cause of breaches. Push blocks browser-based attacks like AiTM phishing, credential stuffing, password spraying and session hijacking using stolen session tokens. You can also use Push to find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, risky OAuth integrations, and more to harden your identity attack surface.",{"data":1963,"content":1964,"nodeType":1294},{},[1965,1969,1978],{"data":1966,"marks":1967,"value":1968,"nodeType":1293},{},[],"If you want to learn more about how Push helps you to detect and stop attacks in the browser, ",{"data":1970,"content":1972,"nodeType":1388},{"uri":1971},"https://pushsecurity.com/demo?utm_source=bleeping-computer&utm_medium=sponsored-content&utm_term=article",[1973],{"data":1974,"marks":1975,"value":1977,"nodeType":1293},{},[1976],{"type":1386},"book some time with one of our team for a live demo",{"data":1979,"marks":1980,"value":1613,"nodeType":1293},{},[],"6 browser-based attacks every security team should be prepared for","What security teams need to know about the browser-based attack techniques that are the leading cause of breaches.","2025-09-05T00:00:00.000Z","6-browser-based-attacks-every-security-team-should-be-prepared-for",{"items":1986},[1987,1989],{"sys":1988,"name":1309},{"id":1308},{"sys":1990,"name":1305},{"id":1304},{"items":1992},[1993],{"fullName":1994,"firstName":1995,"jobTitle":1996,"profilePicture":1997},"Dan Green","Dan","Threat 
Research",{"url":1998},"https://images.ctfassets.net/y1cdw1ablpvd/7jik1VhFgA3kgzXBXTm2Vw/fcd8c171da644903d0827eafcfbcaad0/Dan_Headshot_2025.png",{"__typename":1313,"sys":2000,"content":2002,"title":2610,"synopsis":2611,"hashTags":118,"publishedDate":2612,"slug":2613,"tagsCollection":2614,"authorsCollection":2620},{"id":2001},"5y6UUG3mMTu1dFhtKO0AUT",{"json":2003},{"data":2004,"content":2005,"nodeType":1295},{},[2006,2013,2020,2040,2047,2067,2074,2077,2085,2092,2099,2105,2112,2160,2202,2210,2217,2237,2275,2281,2288,2294,2301,2309,2340,2346,2349,2357,2377,2397,2428,2434,2437,2445,2452,2547,2550,2558,2577,2584,2591],{"data":2007,"content":2008,"nodeType":1294},{},[2009],{"data":2010,"marks":2011,"value":2012,"nodeType":1293},{},[],"Everything we do at Push is research-driven. Our detections for phishing attacks were created through hands-on analysis of phishing kits that our customers have been targeted with. This gives us a steady supply of all manner of modern Attacker-in-the-Middle phishing kits to analyze — from the classic Evilginx-style phish kit to professionalized criminal as-a-Service infrastructure. ",{"data":2014,"content":2015,"nodeType":1294},{},[2016],{"data":2017,"marks":2018,"value":2019,"nodeType":1293},{},[],"In our most recent phish kit teardown, we encountered a standard reverse-proxy clone of a Microsoft login page — nothing unusual at first glance. But increasingly, a lot of the innovation comes outside of the phishing page itself. ",{"data":2021,"content":2022,"nodeType":1294},{},[2023,2027,2036],{"data":2024,"marks":2025,"value":2026,"nodeType":1293},{},[],"The art in detection evasion comes from being able to successfully deliver the page to a user and have them open the page without it being intercepted by an email security, proxy scanner, URL TI feed, or web analysis tool. 
To achieve this, the attacker found a way to redirect from a legitimate ",{"data":2028,"content":2030,"nodeType":1388},{"uri":2029},"http://outlook.office.com",[2031],{"data":2032,"marks":2033,"value":2035,"nodeType":1293},{},[2034],{"type":1386},"outlook.office.com",{"data":2037,"marks":2038,"value":2039,"nodeType":1293},{},[]," link to a phishing website. ",{"data":2041,"content":2042,"nodeType":1294},{},[2043],{"data":2044,"marks":2045,"value":2046,"nodeType":1293},{},[],"This is essentially an open redirect vulnerability — maybe not the classic example where someone has forgotten to do input sanitization on their website, but the outcome is the same.",{"data":2048,"content":2049,"nodeType":1294},{},[2050,2054,2063],{"data":2051,"marks":2052,"value":2053,"nodeType":1293},{},[],"Central to our analysis was the use of our timelines feature, ",{"data":2055,"content":2057,"nodeType":1388},{"uri":2056},"https://pushsecurity.com/blog/introducing-push-detections/",[2058],{"data":2059,"marks":2060,"value":2062,"nodeType":1293},{},[2061],{"type":1386},"part of our latest Detections feature release",{"data":2064,"marks":2065,"value":2066,"nodeType":1293},{},[],". I’m not going to talk in any detail about this, but the TL;DR is that it allows us to trace back the entire chain of browsing activity leading up to a detection — showing the full (sometimes lengthy) redirect chain from the initial link delivery source to the actual phishing page, tabs opened and closed, popup windows, forms submitted, passwords entered, and more. ",{"data":2068,"content":2069,"nodeType":1294},{},[2070],{"data":2071,"marks":2072,"value":2073,"nodeType":1293},{},[],"First, let’s go through the steps of my investigation before looking at the findings (and the implications for phishing detection evasion techniques). 
",{"data":2075,"content":2076,"nodeType":1346},{},[],{"data":2078,"content":2079,"nodeType":1356},{},[2080],{"data":2081,"marks":2082,"value":2084,"nodeType":1293},{},[2083],{"type":1354},"Investigation walkthrough",{"data":2086,"content":2087,"nodeType":1294},{},[2088],{"data":2089,"marks":2090,"value":2091,"nodeType":1293},{},[],"As I opened with, there was nothing especially notable about the phishing page itself — a standard reverse-proxy AitM page designed to intercept the user’s session as they authenticate, bypassing MFA in the process. ",{"data":2093,"content":2094,"nodeType":1294},{},[2095],{"data":2096,"marks":2097,"value":2098,"nodeType":1293},{},[],"This was not targeted delivery — employees from several customers were impacted. I’ve included an example of how one user arrived at the site below.",{"data":2100,"content":2104,"nodeType":1401},{"target":2101},{"sys":2102},{"id":2103,"type":1398,"linkType":1399},"51MnOL9XqQDkllK2Jer4S9",[],{"data":2106,"content":2107,"nodeType":1294},{},[2108],{"data":2109,"marks":2110,"value":2111,"nodeType":1293},{},[],"This one stood out to me for a few reasons. ",{"data":2113,"content":2114,"nodeType":2159},{},[2115,2126,2149],{"data":2116,"content":2117,"nodeType":2125},{},[2118],{"data":2119,"content":2120,"nodeType":1294},{},[2121],{"data":2122,"marks":2123,"value":2124,"nodeType":1293},{},[],"The user had accessed the malicious link from Google search. 
They searched “Office 265” (a typo presumably), clicked a link, and were taken to an Office login page.","list-item",{"data":2127,"content":2128,"nodeType":2125},{},[2129],{"data":2130,"content":2131,"nodeType":1294},{},[2132,2136,2145],{"data":2133,"marks":2134,"value":2135,"nodeType":1293},{},[],"The Outlook link had a number of Google Ads tracking parameters attached, meaning they clicked an ad, not an organic link — making this a ",{"data":2137,"content":2139,"nodeType":1388},{"uri":2138},"https://pushsecurity.github.io/phishing-techniques/techniques/malvertising/",[2140],{"data":2141,"marks":2142,"value":2144,"nodeType":1293},{},[2143],{"type":1386},"malvertising",{"data":2146,"marks":2147,"value":2148,"nodeType":1293},{},[]," attack. ",{"data":2150,"content":2151,"nodeType":2125},{},[2152],{"data":2153,"content":2154,"nodeType":1294},{},[2155],{"data":2156,"marks":2157,"value":2158,"nodeType":1293},{},[],"Another domain — bluegraintours[.]com — was in the URL path, after which they were redirected to the Microsoft-impersonating phishing site (login-microsoftonline[.]offirmtm[.]com ...). ","unordered-list",{"data":2161,"content":2162,"nodeType":1294},{},[2163,2167,2176,2180,2187,2191,2198],{"data":2164,"marks":2165,"value":2166,"nodeType":1293},{},[],"This got me wondering — how did they get ",{"data":2168,"content":2170,"nodeType":1388},{"uri":2169},"http://office.com",[2171],{"data":2172,"marks":2173,"value":2175,"nodeType":1293},{},[2174],{"type":1386},"office.com",{"data":2177,"marks":2178,"value":2179,"nodeType":1293},{},[]," to redirect to the phishing site, and why was the bluegraintours domain in the path of an ",{"data":2181,"content":2182,"nodeType":1388},{"uri":2169},[2183],{"data":2184,"marks":2185,"value":2175,"nodeType":1293},{},[2186],{"type":1386},{"data":2188,"marks":2189,"value":2190,"nodeType":1293},{},[]," link? 
There was no indication that an actual phishing email was interacted with, it seemed to all happen directly from the legitimate ",{"data":2192,"content":2193,"nodeType":1388},{"uri":2169},[2194],{"data":2195,"marks":2196,"value":2175,"nodeType":1293},{},[2197],{"type":1386},{"data":2199,"marks":2200,"value":2201,"nodeType":1293},{},[]," link. ",{"data":2203,"content":2204,"nodeType":1469},{},[2205],{"data":2206,"marks":2207,"value":2209,"nodeType":1293},{},[2208],{"type":1354},"Redirecting to a malicious login page via ADFS",{"data":2211,"content":2212,"nodeType":1294},{},[2213],{"data":2214,"marks":2215,"value":2216,"nodeType":1293},{},[],"From memory, I knew that the tenant name can appear in the URL when you’re accessing a specific Microsoft tenant for your organization — essentially a domain-specific landing page. ",{"data":2218,"content":2219,"nodeType":1294},{},[2220,2224,2233],{"data":2221,"marks":2222,"value":2223,"nodeType":1293},{},[],"It turns out the attacker had set up a custom Microsoft tenant with ",{"data":2225,"content":2227,"nodeType":1388},{"uri":2226},"https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/ad-fs-overview",[2228],{"data":2229,"marks":2230,"value":2232,"nodeType":1293},{},[2231],{"type":1386},"Active Directory Federation Services (ADFS)",{"data":2234,"marks":2235,"value":2236,"nodeType":1293},{},[]," configured. If you’re not familiar, ADFS is an SSO solution that is often used to connect on-premises Active Directory with cloud services like Microsoft 365 or Azure Active Directory. This means Microsoft will perform the redirect to the custom malicious domain. 
",{"data":2238,"content":2239,"nodeType":1294},{},[2240,2244,2253,2257,2266,2270],{"data":2241,"marks":2242,"value":2243,"nodeType":1293},{},[],"This is strikingly similar to ",{"data":2245,"content":2247,"nodeType":1388},{"uri":2246},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/samljacking/description.md",[2248],{"data":2249,"marks":2250,"value":2252,"nodeType":1293},{},[2251],{"type":1386},"SAMLjacking",{"data":2254,"marks":2255,"value":2256,"nodeType":1293},{},[],", a technique I’ve ",{"data":2258,"content":2260,"nodeType":1388},{"uri":2259},"https://pushsecurity.com/blog/samljacking-a-poisoned-tenant/",[2261],{"data":2262,"marks":2263,"value":2265,"nodeType":1293},{},[2264],{"type":1386},"blogged about previously",{"data":2267,"marks":2268,"value":2269,"nodeType":1293},{},[]," which allows you to change the identity provider domain that an application’s users authenticate through. Attackers can change this link to their phishing page that proxies the legitimate site to phish users through legitimate sign-in links — ",{"data":2271,"marks":2272,"value":2274,"nodeType":1293},{},[2273],{"type":1354},"so I guess that makes this ADFSjacking?",{"data":2276,"content":2280,"nodeType":1401},{"target":2277},{"sys":2278},{"id":2279,"type":1398,"linkType":1399},"3BXyDhMC69355gLRqyIwQP",[],{"data":2282,"content":2283,"nodeType":1294},{},[2284],{"data":2285,"marks":2286,"value":2287,"nodeType":1293},{},[],"I had initially assumed that bluegraintours was a legitimate website that had been compromised by the attacker and used as a redirect, which is pretty common behavior for threat groups. However, it turns out that it’s actually a fake website that the attackers have probably vibe-coded. 
",{"data":2289,"content":2293,"nodeType":1401},{"target":2290},{"sys":2291},{"id":2292,"type":1398,"linkType":1399},"1hnWJ0jgsPqRELDqUeFzf3",[],{"data":2295,"content":2296,"nodeType":1294},{},[2297],{"data":2298,"marks":2299,"value":2300,"nodeType":1293},{},[],"It’s worth noting that this isn’t something that the phishing victim would see as part of the attack — it’s purely used as an invisible redirect. This is most likely to be an attempt to mask the nature of the domain for domain categorization purposes, which is typical for proxy-based solutions to prevent users from browsing to unapproved things — this way, automated scanners will classify it as a travel blog. ",{"data":2302,"content":2303,"nodeType":1469},{},[2304],{"data":2305,"marks":2306,"value":2308,"nodeType":1293},{},[2307],{"type":1354},"Conditional loading interrupted the page analysis",{"data":2310,"content":2311,"nodeType":1294},{},[2312,2316,2325,2329,2336],{"data":2313,"marks":2314,"value":2315,"nodeType":1293},{},[],"While the user was taken to the phishing page at the end of the chain, ",{"data":2317,"content":2319,"nodeType":1388},{"uri":2318},"https://pushsecurity.github.io/phishing-techniques/techniques/conditional-loading/",[2320],{"data":2321,"marks":2322,"value":2324,"nodeType":1293},{},[2323],{"type":1386},"conditional loading",{"data":2326,"marks":2327,"value":2328,"nodeType":1293},{},[]," restrictions prevented us from recreating the full attack flow when loading the initial link clicked by the user. This happens when certain conditions of the page load aren’t met. Because the kit decides I’m not a valid target, I’m redirected back to ",{"data":2330,"content":2331,"nodeType":1388},{"uri":2169},[2332],{"data":2333,"marks":2334,"value":2175,"nodeType":1293},{},[2335],{"type":1386},{"data":2337,"marks":2338,"value":2339,"nodeType":1293},{},[],". However, we were able to skip ahead and bypass the conditional loading to access the phishing server directly. 
",{"data":2341,"content":2345,"nodeType":1401},{"target":2342},{"sys":2343},{"id":2344,"type":1398,"linkType":1399},"68rW6CHJOJ2u3mCc08lGvZ",[],{"data":2347,"content":2348,"nodeType":1346},{},[],{"data":2350,"content":2351,"nodeType":1356},{},[2352],{"data":2353,"marks":2354,"value":2356,"nodeType":1293},{},[2355],{"type":1354},"Key takeaways",{"data":2358,"content":2359,"nodeType":1294},{},[2360,2364,2373],{"data":2361,"marks":2362,"value":2363,"nodeType":1293},{},[],"While this isn’t a vulnerability per se, the ability for attackers to add their own Microsoft ADFS server to host their phishing page and have Microsoft redirect to it is a concerning development that will make URL-based detections even more challenging than they already are. ",{"data":2365,"content":2367,"nodeType":1388},{"uri":2366},"https://pushsecurity.github.io/phishing-techniques/techniques/trusted-website-hosting/",[2368],{"data":2369,"marks":2370,"value":2372,"nodeType":1293},{},[2371],{"type":1386},"Hosting phishing links on trusted third-party websites",{"data":2374,"marks":2375,"value":2376,"nodeType":1293},{},[]," is a highly effective way of both bypassing URL-based detections and implementing layers of obfuscation in their phishing delivery chain that can break automated analysis tools.  ",{"data":2378,"content":2379,"nodeType":1294},{},[2380,2384,2393],{"data":2381,"marks":2382,"value":2383,"nodeType":1293},{},[],"This is basically the equivalent to ",{"data":2385,"content":2387,"nodeType":1388},{"uri":2386},"http://outlook.com",[2388],{"data":2389,"marks":2390,"value":2392,"nodeType":1293},{},[2391],{"type":1386},"Outlook.com",{"data":2394,"marks":2395,"value":2396,"nodeType":1293},{},[]," having an open redirect vulnerability, which would be a huge deal in the eyes of most security practitioners. 
In practice, it’s a little harder for the average attacker to make use of this, but anyone that is willing to create a Microsoft tenant and set up ADFS could create similar phishing infrastructure  — which only requires passing a credit card check. ",{"data":2398,"content":2399,"nodeType":1294},{},[2400,2404,2411,2415,2424],{"data":2401,"marks":2402,"value":2403,"nodeType":1293},{},[],"The other notable component to this attack is the use of ",{"data":2405,"content":2406,"nodeType":1388},{"uri":2138},[2407],{"data":2408,"marks":2409,"value":2144,"nodeType":1293},{},[2410],{"type":1386},{"data":2412,"marks":2413,"value":2414,"nodeType":1293},{},[]," as the lure delivery channel. This is a trend we spotted recently with ",{"data":2416,"content":2418,"nodeType":1388},{"uri":2417},"https://pushsecurity.com/blog/investigating-a-recent-malvertising-campaign-targeting-onfido-customers/",[2419],{"data":2420,"marks":2421,"value":2423,"nodeType":1293},{},[2422],{"type":1386},"Scattered Spider’s use of Onfido-based malvertising lures",{"data":2425,"marks":2426,"value":2427,"nodeType":1293},{},[],". Malvertising is a great way for attackers to sidestep phishing controls placed at the email layer (where the majority are) and, as in this case, can create a highly-convincing and difficult-to-spot phishing scenario.  
",{"data":2429,"content":2433,"nodeType":1401},{"target":2430},{"sys":2431},{"id":2432,"type":1398,"linkType":1399},"6QzB0BlVC5mstXwXHvy2c3",[],{"data":2435,"content":2436,"nodeType":1346},{},[],{"data":2438,"content":2439,"nodeType":1356},{},[2440],{"data":2441,"marks":2442,"value":2444,"nodeType":1293},{},[2443],{"type":1354},"Detection recommendations",{"data":2446,"content":2447,"nodeType":1294},{},[2448],{"data":2449,"marks":2450,"value":2451,"nodeType":1293},{},[],"There are a couple of tool-agnostic hardening options that can be used to limit exposure to the specifics of this attack:",{"data":2453,"content":2454,"nodeType":2159},{},[2455,2465,2486],{"data":2456,"content":2457,"nodeType":2125},{},[2458],{"data":2459,"content":2460,"nodeType":1294},{},[2461],{"data":2462,"marks":2463,"value":2464,"nodeType":1293},{},[],"Monitoring for ADFS redirects in proxy logs that could be malicious, i.e. login.microsoftonline.com redirecting to another domain with /adfs/ls/ in the path. Many organizations do not use ADFS, while those that do should be able to filter out the legitimate redirects to their own domain relatively easily. ",{"data":2466,"content":2467,"nodeType":2125},{},[2468],{"data":2469,"content":2470,"nodeType":1294},{},[2471,2475,2482],{"data":2472,"marks":2473,"value":2474,"nodeType":1293},{},[],"Monitoring for Google redirects to ",{"data":2476,"content":2477,"nodeType":1388},{"uri":2169},[2478],{"data":2479,"marks":2480,"value":2175,"nodeType":1293},{},[2481],{"type":1386},{"data":2483,"marks":2484,"value":2485,"nodeType":1293},{},[]," with Google ad parameters for more specific detection of malvertising + ADFS hijacking as in this example. 
",{"data":2487,"content":2488,"nodeType":2125},{},[2489],{"data":2490,"content":2491,"nodeType":1294},{},[2492,2496,2505,2509,2518,2521,2530,2534,2543],{"data":2493,"marks":2494,"value":2495,"nodeType":1293},{},[],"Deploying ad blockers to all of your browsers to stop malvertising attacks — though this only serves to tackle one of the several possible delivery vectors, such as links delivered using ",{"data":2497,"content":2499,"nodeType":1388},{"uri":2498},"https://pushsecurity.github.io/phishing-techniques/techniques/email-legitimate-app/",[2500],{"data":2501,"marks":2502,"value":2504,"nodeType":1293},{},[2503],{"type":1386},"legitimate third-party services",{"data":2506,"marks":2507,"value":2508,"nodeType":1293},{},[],", ",{"data":2510,"content":2512,"nodeType":1388},{"uri":2511},"https://pushsecurity.github.io/phishing-techniques/techniques/social-media/",[2513],{"data":2514,"marks":2515,"value":2517,"nodeType":1293},{},[2516],{"type":1386},"social media",{"data":2519,"marks":2520,"value":2508,"nodeType":1293},{},[],{"data":2522,"content":2524,"nodeType":1388},{"uri":2523},"https://pushsecurity.github.io/phishing-techniques/techniques/instant-messenger/",[2525],{"data":2526,"marks":2527,"value":2529,"nodeType":1293},{},[2528],{"type":1386},"instant messenger",{"data":2531,"marks":2532,"value":2533,"nodeType":1293},{},[],", or ",{"data":2535,"content":2537,"nodeType":1388},{"uri":2536},"https://pushsecurity.github.io/phishing-techniques/techniques/email-attachment/",[2538],{"data":2539,"marks":2540,"value":2542,"nodeType":1293},{},[2541],{"type":1386},"email attachment",{"data":2544,"marks":2545,"value":2546,"nodeType":1293},{},[],". (This is one of the limitations of focusing on specific delivery mechanisms — attackers have more to choose from than ever before. It’s not just an email problem). 
",{"data":2548,"content":2549,"nodeType":1346},{},[],{"data":2551,"content":2552,"nodeType":1356},{},[2553],{"data":2554,"marks":2555,"value":2557,"nodeType":1293},{},[2556],{"type":1354},"Learn more about Push",{"data":2559,"content":2560,"nodeType":1294},{},[2561,2565,2573],{"data":2562,"marks":2563,"value":2564,"nodeType":1293},{},[],"Push doesn’t detect the redirect tricks, or relies on outdated domain TI feeds. It doesn’t matter what ",{"data":2566,"content":2568,"nodeType":1388},{"uri":2567},"https://phishing-techniques.pushsecurity.com/",[2569],{"data":2570,"marks":2571,"value":2572,"nodeType":1293},{},[],"delivery channel or camouflage methods are used",{"data":2574,"marks":2575,"value":2576,"nodeType":1293},{},[],", Push detects and blocks attacks by identifying the attack in real time, as the user loads the page in their web browser.",{"data":2578,"content":2579,"nodeType":1294},{},[2580],{"data":2581,"marks":2582,"value":2583,"nodeType":1293},{},[],"Push’s browser-based security platform provides comprehensive identity attack detection and response capabilities against techniques like AiTM phishing, credential stuffing, password spraying, and session hijacking using stolen session tokens. 
",{"data":2585,"content":2586,"nodeType":1294},{},[2587],{"data":2588,"marks":2589,"value":2590,"nodeType":1293},{},[],"You can also use Push to find and fix identity vulnerabilities across every app that your employees use, including ghost logins; SSO coverage gaps; MFA gaps; weak, breached and reused passwords; risky OAuth integrations; and more.",{"data":2592,"content":2593,"nodeType":1294},{},[2594,2598,2607],{"data":2595,"marks":2596,"value":2597,"nodeType":1293},{},[],"If you want to learn more about how Push helps you to detect and defeat common identity attack techniques, ",{"data":2599,"content":2601,"nodeType":1388},{"uri":2600},"https://pushsecurity.com/demo/",[2602],{"data":2603,"marks":2604,"value":2606,"nodeType":1293},{},[2605],{"type":1386},"request a demo.",{"data":2608,"marks":2609,"value":37,"nodeType":1293},{},[],"How attackers are using Active Directory Federation Services to phish with legit office.com links","Push recently identified a novel phishing attack using Active Directory Federation Services to get Microsoft to send victims to a phishing site.","2025-08-12T00:00:00.000Z","phishing-with-active-directory-federation-services",{"items":2615},[2616,2618],{"sys":2617,"name":1305},{"id":1304},{"sys":2619,"name":1309},{"id":1308},{"items":2621},[2622],{"fullName":2623,"firstName":2624,"jobTitle":2625,"profilePicture":2626},"Luke Jennings","Luke","Vice President, 
R&D",{"url":2627},"https://images.ctfassets.net/y1cdw1ablpvd/4Hosb4zKi1dA0PUyDLMe1h/27e09d894861f2196ba794037986fb08/T016S22KZ96-U02NVQM7ZD4-57761d542d83-512.jpeg",{"__typename":1313,"sys":2629,"content":2631,"title":3618,"synopsis":3619,"hashTags":118,"publishedDate":3620,"slug":3621,"tagsCollection":3622,"authorsCollection":3628},{"id":2630},"6OFdfAsoPUECeRAetWvedp",{"json":2632},{"nodeType":1295,"data":2633,"content":2634},{},[2635,2642,2654,2666,2678,2690,2696,2716,2723,2739,2746,2752,2755,2763,2770,2777,2784,2790,2793,2801,2808,2828,2835,2842,2849,2856,2862,2869,2876,2883,2914,2921,2940,2947,2954,2974,2994,3014,3020,3027,3043,3050,3057,3064,3084,3092,3099,3106,3109,3117,3124,3131,3138,3181,3187,3194,3209,3298,3304,3311,3318,3381,3388,3395,3402,3408,3415,3422,3429,3435,3442,3449,3456,3462,3482,3489,3496,3539,3545,3548,3556,3580,3583,3590,3596,3602],{"nodeType":1294,"data":2636,"content":2637},{},[2638],{"nodeType":1293,"value":2639,"marks":2640,"data":2641},"Oh, look! A time capsule from 2010. 
Wonder what’s inside … ",[],{},{"nodeType":1294,"data":2643,"content":2644},{},[2645,2650],{"nodeType":1293,"value":2646,"marks":2647,"data":2649},"Listening to:",[2648],{"type":1354},{},{"nodeType":1293,"value":2651,"marks":2652,"data":2653}," “Like a G6” by Far East Movement (on a Nokia C7 — hey, it even had a touchscreen).",[],{},{"nodeType":1294,"data":2655,"content":2656},{},[2657,2662],{"nodeType":1293,"value":2658,"marks":2659,"data":2661},"Major news event:",[2660],{"type":1354},{},{"nodeType":1293,"value":2663,"marks":2664,"data":2665}," Eyjafjallajökull volcano erupts in Iceland, disrupting air travel.",[],{},{"nodeType":1294,"data":2667,"content":2668},{},[2669,2674],{"nodeType":1293,"value":2670,"marks":2671,"data":2673},"Worried about:",[2672],{"type":1354},{},{"nodeType":1293,"value":2675,"marks":2676,"data":2677}," Exploitable Flash browser plugins and static HTML phishing sites.",[],{},{"nodeType":1294,"data":2679,"content":2680},{},[2681,2686],{"nodeType":1293,"value":2682,"marks":2683,"data":2685},"How to be a hero?",[2684],{"type":1354},{},{"nodeType":1293,"value":2687,"marks":2688,"data":2689}," Roll out the latest AV, implement a web proxy, and add a “report phishing” button to your email solution.",[],{},{"nodeType":1401,"data":2691,"content":2695},{"target":2692},{"sys":2693},{"id":2694,"type":1398,"linkType":1399},"54xYbMs0ii96xb2jgQVX9m",[],{"nodeType":1294,"data":2697,"content":2698},{},[2699,2703,2712],{"nodeType":1293,"value":2700,"marks":2701,"data":2702},"We’re halfway through 2025, and the time capsule for this year may need to be an XL when it comes to ",[],{},{"nodeType":1388,"data":2704,"content":2706},{"uri":2705},"https://pushsecurity.com/blog/scattered-spider-ttp-evolution-in-2025/",[2707],{"nodeType":1293,"value":2708,"marks":2709,"data":2711},"how much has happened",[2710],{"type":1386},{},{"nodeType":1293,"value":2713,"marks":2714,"data":2715}," in the world of browser-based attacks. 
(Yet fittingly, Drake’s “Nokia” is a pop hit.)",[],{},{"nodeType":1294,"data":2717,"content":2718},{},[2719],{"nodeType":1293,"value":2720,"marks":2721,"data":2722},"While at least we don’t have to worry about Flash anymore, the browser is now the new battleground, and workforce identities are the most common target. Security teams are struggling with approaches and tools that attackers have outpaced.",[],{},{"nodeType":1294,"data":2724,"content":2725},{},[2726,2730,2735],{"nodeType":1293,"value":2727,"marks":2728,"data":2729},"In this article, we’ll cover how browser-based attacks have evolved, and how Push is taking a new approach with the release of our ",[],{},{"nodeType":1293,"value":2731,"marks":2732,"data":2734},"Detections",[2733],{"type":1354},{},{"nodeType":1293,"value":2736,"marks":2737,"data":2738}," capabilities, now generally available to all customers.",[],{},{"nodeType":1294,"data":2740,"content":2741},{},[2742],{"nodeType":1293,"value":2743,"marks":2744,"data":2745},"Push Detections use real-time telemetry to help you understand context, user behavior, and attacker techniques, and then respond — a modern tool for modern browser-based attacks.",[],{},{"nodeType":1401,"data":2747,"content":2751},{"target":2748},{"sys":2749},{"id":2750,"type":1398,"linkType":1399},"2ULDSj85bXtT2OgpXKBHtB",[],{"nodeType":1346,"data":2753,"content":2754},{},[],{"nodeType":1356,"data":2756,"content":2757},{},[2758],{"nodeType":1293,"value":2759,"marks":2760,"data":2762},"The old world vs. the new world",[2761],{"type":1354},{},{"nodeType":1294,"data":2764,"content":2765},{},[2766],{"nodeType":1293,"value":2767,"marks":2768,"data":2769},"In the early 2010s, the typical attack path involved sending a user an email with a link to a static HTML webpage (most commonly a generic Exchange Web Access clone) that tricked them into giving you Active Directory creds. 
These could be used to log in to an exposed remote desktop service or the victim’s mailbox, giving the attacker a foothold to install malware. Anyone who’s done “red teaming 101” will recognize this scenario. ",[],{},{"nodeType":1294,"data":2771,"content":2772},{},[2773],{"nodeType":1293,"value":2774,"marks":2775,"data":2776},"A compromised identity was once just part of a system compromise. That meant the scope of detection and response was focused on the organization’s Active Directory domain, correlated with endpoint and network logs. ",[],{},{"nodeType":1294,"data":2778,"content":2779},{},[2780],{"nodeType":1293,"value":2781,"marks":2782,"data":2783},"But now, identity attacks happen beyond traditional on-premises networks, impacting cloud identities that are created, used, and attacked in the browser. What was once the familiar backbone of business IT — internal apps and thick clients — has been replaced with a sprawling cloud and SaaS ecosystem that can be targeted directly via identity, without touching the endpoint. ",[],{},{"nodeType":1401,"data":2785,"content":2789},{"target":2786},{"sys":2787},{"id":2788,"type":1398,"linkType":1399},"2F2p4eTMCHo3LfNQJZeGWB",[],{"nodeType":1346,"data":2791,"content":2792},{},[],{"nodeType":1356,"data":2794,"content":2795},{},[2796],{"nodeType":1293,"value":2797,"marks":2798,"data":2800},"Why detection and response hasn’t kept up with threat evolution",[2799],{"type":1354},{},{"nodeType":1294,"data":2802,"content":2803},{},[2804],{"nodeType":1293,"value":2805,"marks":2806,"data":2807},"This shift in attacker TTPs is forcing a change in how we handle detection and response. 
",[],{},{"nodeType":1294,"data":2809,"content":2810},{},[2811,2815,2824],{"nodeType":1293,"value":2812,"marks":2813,"data":2814},"But a lot of organizations are still applying the same old playbooks to this new world where identity attacks are the ",[],{},{"nodeType":1388,"data":2816,"content":2818},{"uri":2817},"https://pushsecurity.com/resources/2024-identity-attacks",[2819],{"nodeType":1293,"value":2820,"marks":2821,"data":2823},"leading cause of breaches",[2822],{"type":1386},{},{"nodeType":1293,"value":2825,"marks":2826,"data":2827},", with uneven outcomes. ",[],{},{"nodeType":1294,"data":2829,"content":2830},{},[2831],{"nodeType":1293,"value":2832,"marks":2833,"data":2834},"This isn’t because of a lack of effort or skill on the part of security teams. It’s a reflection of the tools that have been available. ",[],{},{"nodeType":1294,"data":2836,"content":2837},{},[2838],{"nodeType":1293,"value":2839,"marks":2840,"data":2841},"Let’s look at some of the ways detection and response hasn’t kept up with the evolution of browser-borne threats in this new landscape.",[],{},{"nodeType":1469,"data":2843,"content":2844},{},[2845],{"nodeType":1293,"value":2846,"marks":2847,"data":2848},"Incomplete identity visibility ",[],{},{"nodeType":1294,"data":2850,"content":2851},{},[2852],{"nodeType":1293,"value":2853,"marks":2854,"data":2855},"Today’s cloud identity providers see a fraction of the overall logins your users make to online apps, compared to the comprehensive visibility of Active Directory in the old world. 
You don’t know where users are logging in, how they’re logging in, or whether these logins are securely using phishing-resistant methods.",[],{},{"nodeType":1401,"data":2857,"content":2861},{"target":2858},{"sys":2859},{"id":2860,"type":1398,"linkType":1399},"1SUYueQct7dtWwLh3AaAtA",[],{"nodeType":1294,"data":2863,"content":2864},{},[2865],{"nodeType":1293,"value":2866,"marks":2867,"data":2868},"This means that identity attacks are routinely bypassing preventative, account hygiene-based controls, putting the strain on detection and response. ",[],{},{"nodeType":1469,"data":2870,"content":2871},{},[2872],{"nodeType":1293,"value":2873,"marks":2874,"data":2875},"Limited detection coverage ",[],{},{"nodeType":1294,"data":2877,"content":2878},{},[2879],{"nodeType":1293,"value":2880,"marks":2881,"data":2882},"Email and network security tools got pretty good at intercepting old-school phishing attacks like the ones from our proverbial time capsule: static HTML pages delivered over email that could be intercepted and analyzed when entering the mailbox or being loaded by the user. ",[],{},{"nodeType":1294,"data":2884,"content":2885},{},[2886,2890,2900,2905,2909],{"nodeType":1293,"value":2887,"marks":2888,"data":2889},"But with modern phishing attacks dynamically obfuscating the code that loads the web page, implementing custom bot protection, and using runtime anti-analysis features, they’re ",[],{},{"nodeType":1388,"data":2891,"content":2893},{"uri":2892},"https://pushsecurity.com/blog/why-most-phishing-attacks-feel-like-a-zero-day/",[2894],{"nodeType":1293,"value":2895,"marks":2896,"data":2899},"increasingly difficult to detect",[2897,2898],{"type":1386},{"type":1354},{},{"nodeType":1293,"value":2901,"marks":2902,"data":2904}," ",[2903],{"type":1354},{},{"nodeType":1293,"value":2906,"marks":2907,"data":2908},"using conventional tools",[],{},{"nodeType":1293,"value":2910,"marks":2911,"data":2913},".   
",[2912],{"type":1354},{},{"nodeType":1294,"data":2915,"content":2916},{},[2917],{"nodeType":1293,"value":2918,"marks":2919,"data":2920},"Of course, email-based detections aren’t much use if attackers are using legitimate services to camouflage their links, or bypassing email altogether by switching to alternative delivery channels like messaging apps (such as Slack and Teams), as well as public services like LinkedIn and Reddit. ",[],{},{"nodeType":1294,"data":2922,"content":2923},{},[2924,2928,2936],{"nodeType":1293,"value":2925,"marks":2926,"data":2927},"More recently, groups like ",[],{},{"nodeType":1388,"data":2929,"content":2930},{"uri":2705},[2931],{"nodeType":1293,"value":2932,"marks":2933,"data":2935},"Scattered Spider",[2934],{"type":1386},{},{"nodeType":1293,"value":2937,"marks":2938,"data":2939}," have even been seen using malvertising techniques, delivering phishing links masquerading as paid Google ads.",[],{},{"nodeType":1469,"data":2941,"content":2942},{},[2943],{"nodeType":1293,"value":2944,"marks":2945,"data":2946},"Inadequate security logs",[],{},{"nodeType":1294,"data":2948,"content":2949},{},[2950],{"nodeType":1293,"value":2951,"marks":2952,"data":2953},"If you fail to spot the attack pre-account takeover, you’re reliant on being able to detect and investigate suspicious or malicious activity resulting from the compromise. ",[],{},{"nodeType":1294,"data":2955,"content":2956},{},[2957,2961,2970],{"nodeType":1293,"value":2958,"marks":2959,"data":2960},"This was more straightforward (if not easy) when you had the luxury of a ",[],{},{"nodeType":1388,"data":2962,"content":2964},{"uri":2963},"https://pushsecurity.com/blog/shifting-detection-left-for-more-effective-itdr/",[2965],{"nodeType":1293,"value":2966,"marks":2967,"data":2969},"typical on-prem network to fall back",[2968],{"type":1386},{},{"nodeType":1293,"value":2971,"marks":2972,"data":2973}," on. 
But with cloud exploitation taking place in a matter of minutes, you don’t get much warning — and your endpoint and network-based alarms can’t help you. ",[],{},{"nodeType":1294,"data":2975,"content":2976},{},[2977,2981,2990],{"nodeType":1293,"value":2978,"marks":2979,"data":2980},"The situation is further complicated by the fact that you simply don’t have the logs you need because of the huge variability in how cloud and SaaS services provide logs (with many ",[],{},{"nodeType":1388,"data":2982,"content":2984},{"uri":2983},"https://pushsecurity.com/blog/minimum-viable-identity-security/#id-enable-security-teams-to-detect-and-respond-to-identity-attacks",[2985],{"nodeType":1293,"value":2986,"marks":2987,"data":2989},"failing to provide security logs",[2988],{"type":1386},{},{"nodeType":1293,"value":2991,"marks":2992,"data":2993}," with relevant data points at all). So chances are you’re flying blind when it comes to large chunks of your business app suite. ",[],{},{"nodeType":1294,"data":2995,"content":2996},{},[2997,3001,3010],{"nodeType":1293,"value":2998,"marks":2999,"data":3000},"Ultimately, you’re stuck with what you can observe — typically network traffic. But ",[],{},{"nodeType":1388,"data":3002,"content":3004},{"uri":3003},"https://pushsecurity.com/blog/the-web-proxy-is-dead-long-live-the-browser-extension/",[3005],{"nodeType":1293,"value":3006,"marks":3007,"data":3009},"even with a TLS-terminating proxy",[3008],{"type":1386},{},{"nodeType":1293,"value":3011,"marks":3012,"data":3013},", extracting fine-grained identity data points isn’t really achievable. You’re looking from the outside-in at malicious activity that’s happening in the user’s browser and trying to infer what happened.  
",[],{},{"nodeType":1401,"data":3015,"content":3019},{"target":3016},{"sys":3017},{"id":3018,"type":1398,"linkType":1399},"7FMdHtbE63GMCavObETf3O",[],{"nodeType":1469,"data":3021,"content":3022},{},[3023],{"nodeType":1293,"value":3024,"marks":3025,"data":3026},"Spotty control enforcement",[],{},{"nodeType":1294,"data":3028,"content":3029},{},[3030,3034,3039],{"nodeType":1293,"value":3031,"marks":3032,"data":3033},"And in the case that you do identify that a user clicked a malicious link and ",[],{},{"nodeType":1293,"value":3035,"marks":3036,"data":3038},"maybe ",[3037],{"type":312},{},{"nodeType":1293,"value":3040,"marks":3041,"data":3042},"entered their credentials into the page — now what? ",[],{},{"nodeType":1294,"data":3044,"content":3045},{},[3046],{"nodeType":1293,"value":3047,"marks":3048,"data":3049},"You can reset the account in the affected app, ideally terminating active sessions — which may or may not be possible, depending on the app. This might take a while if you don’t centrally manage the app, and involve some painful emergency phone calls to employees. ",[],{},{"nodeType":1294,"data":3051,"content":3052},{},[3053],{"nodeType":1293,"value":3054,"marks":3055,"data":3056},"What about apps where the same password is reused? ",[],{},{"nodeType":1294,"data":3058,"content":3059},{},[3060],{"nodeType":1293,"value":3061,"marks":3062,"data":3063},"Or if it’s an IdP account used for SSO, what about the other apps that might be accessible now? 
",[],{},{"nodeType":1294,"data":3065,"content":3066},{},[3067,3071,3080],{"nodeType":1293,"value":3068,"marks":3069,"data":3070},"If the attacker has created stealthy backdoors that persist through credential changes (like ",[],{},{"nodeType":1388,"data":3072,"content":3074},{"uri":3073},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/ghost_logins/description.md",[3075],{"nodeType":1293,"value":3076,"marks":3077,"data":3079},"creating an API key or a malicious OAuth integration",[3078],{"type":1386},{},{"nodeType":1293,"value":3081,"marks":3082,"data":3083},") they could still be lurking in your environment.",[],{},{"nodeType":1294,"data":3085,"content":3086},{},[3087],{"nodeType":1293,"value":3088,"marks":3089,"data":3091},"Suddenly, you’re not dealing with one possible control point, you’re dealing with several. ",[3090],{"type":1354},{},{"nodeType":1294,"data":3093,"content":3094},{},[3095],{"nodeType":1293,"value":3096,"marks":3097,"data":3098},"And if you can’t trace the attack back to a source — because your email solution missed it, or it didn’t come via email, how can you triage the impact to other users? ",[],{},{"nodeType":1294,"data":3100,"content":3101},{},[3102],{"nodeType":1293,"value":3103,"marks":3104,"data":3105},"It’s no wonder that security teams are struggling to adapt. ",[],{},{"nodeType":1346,"data":3107,"content":3108},{},[],{"nodeType":1356,"data":3110,"content":3111},{},[3112],{"nodeType":1293,"value":3113,"marks":3114,"data":3116},"How Push is solving modern identity investigations in the browser",[3115],{"type":1354},{},{"nodeType":1294,"data":3118,"content":3119},{},[3120],{"nodeType":1293,"value":3121,"marks":3122,"data":3123},"The good news? We’ve seen this phenomenon play out before: In the early 2010s, in fact, when AV evolved into EDR. What was the big innovation then? 
Getting inside the data stream, in real time, and detecting and responding from a much higher-fidelity source of telemetry.",[],{},{"nodeType":1294,"data":3125,"content":3126},{},[3127],{"nodeType":1293,"value":3128,"marks":3129,"data":3130},"This time around, security teams need tools that take them inside the browser layer.",[],{},{"nodeType":1294,"data":3132,"content":3133},{},[3134],{"nodeType":1293,"value":3135,"marks":3136,"data":3137},"This approach gives you the right vantage point to defend against and investigate browser-based identity attacks, providing access to:",[],{},{"nodeType":2159,"data":3139,"content":3140},{},[3141,3151,3161,3171],{"nodeType":2125,"data":3142,"content":3143},{},[3144],{"nodeType":1294,"data":3145,"content":3146},{},[3147],{"nodeType":1293,"value":3148,"marks":3149,"data":3150},"Full decrypted HTTP traffic — not just DNS and TCP/IP metadata",[],{},{"nodeType":2125,"data":3152,"content":3153},{},[3154],{"nodeType":1294,"data":3155,"content":3156},{},[3157],{"nodeType":1293,"value":3158,"marks":3159,"data":3160},"Full user interaction tracing — every click, keystroke, or DOM change",[],{},{"nodeType":2125,"data":3162,"content":3163},{},[3164],{"nodeType":1294,"data":3165,"content":3166},{},[3167],{"nodeType":1293,"value":3168,"marks":3169,"data":3170},"Full inspection at every layer of execution, not just the initial HTML served",[],{},{"nodeType":2125,"data":3172,"content":3173},{},[3174],{"nodeType":1294,"data":3175,"content":3176},{},[3177],{"nodeType":1293,"value":3178,"marks":3179,"data":3180},"Full access to browser APIs, to correlate with browser history, local storage, cookies, etc.",[],{},{"nodeType":1401,"data":3182,"content":3186},{"target":3183},{"sys":3184},{"id":3185,"type":1398,"linkType":1399},"5qt0s8e1TIEUxhU1GzFO63",[],{"nodeType":1294,"data":3188,"content":3189},{},[3190],{"nodeType":1293,"value":3191,"marks":3192,"data":3193},"With this data, teams have the information they need to respond to and investigate 
browser-based attacks. But to become valuable, this data needs a translation layer that turns it from raw logs into actionable information.",[],{},{"nodeType":1294,"data":3195,"content":3196},{},[3197,3201,3205],{"nodeType":1293,"value":3198,"marks":3199,"data":3200},"That’s where Push’s ",[],{},{"nodeType":1293,"value":2731,"marks":3202,"data":3204},[3203],{"type":1354},{},{"nodeType":1293,"value":3206,"marks":3207,"data":3208}," capability comes in. With it, you can:",[],{},{"nodeType":2159,"data":3210,"content":3211},{},[3212,3248,3258,3268,3278,3288],{"nodeType":2125,"data":3213,"content":3214},{},[3215],{"nodeType":1294,"data":3216,"content":3217},{},[3218,3222,3231,3235,3244],{"nodeType":1293,"value":3219,"marks":3220,"data":3221},"Get alerted in your platform of choice (via the Push admin console, ",[],{},{"nodeType":1388,"data":3223,"content":3225},{"uri":3224},"https://pushsecurity.com/help/audience/administrators/docs/connect-to-siem-or-soar/send-webhook-events-to-slack/",[3226],{"nodeType":1293,"value":3227,"marks":3228,"data":3230},"Slack integration",[3229],{"type":1386},{},{"nodeType":1293,"value":3232,"marks":3233,"data":3234},", or your ",[],{},{"nodeType":1388,"data":3236,"content":3238},{"uri":3237},"https://pushsecurity.com/help/audience/administrators/docs/connect-to-siem-or-soar/",[3239],{"nodeType":1293,"value":3240,"marks":3241,"data":3243},"SIEM/SOAR",[3242],{"type":1386},{},{"nodeType":1293,"value":3245,"marks":3246,"data":3247}," of choice) whenever Push detects a browser-based attack, such as AiTM phishing or a cloned login page.",[],{},{"nodeType":2125,"data":3249,"content":3250},{},[3251],{"nodeType":1294,"data":3252,"content":3253},{},[3254],{"nodeType":1293,"value":3255,"marks":3256,"data":3257},"Review a curated timeline of the incident: Where a phishing link originated; whether a user entered their credentials on the page; what kind of phishkit was used; and whether the attack was blocked by 
Push.",[],{},{"nodeType":2125,"data":3259,"content":3260},{},[3261],{"nodeType":1294,"data":3262,"content":3263},{},[3264],{"nodeType":1293,"value":3265,"marks":3266,"data":3267},"See all the other impacted accounts and apps that shared a password with the phished account so you can remediate them.",[],{},{"nodeType":2125,"data":3269,"content":3270},{},[3271],{"nodeType":1294,"data":3272,"content":3273},{},[3274],{"nodeType":1293,"value":3275,"marks":3276,"data":3277},"See a screenshot captured by the Push browser extension of the phishing page, so you can see exactly what the user saw before the page disappears.",[],{},{"nodeType":2125,"data":3279,"content":3280},{},[3281],{"nodeType":1294,"data":3282,"content":3283},{},[3284],{"nodeType":1293,"value":3285,"marks":3286,"data":3287},"Get additional context from urlscan.io about the domains connected to the incident, helping you understand whether a domain has been reported as malicious by other users, when it was registered, and how many times it’s been scanned.",[],{},{"nodeType":2125,"data":3289,"content":3290},{},[3291],{"nodeType":1294,"data":3292,"content":3293},{},[3294],{"nodeType":1293,"value":3295,"marks":3296,"data":3297},"Interrogate and send this telemetry to your SIEM for you to operationalize it as part of SecOps workflows and hunt across events for similar incident characteristics.",[],{},{"nodeType":1401,"data":3299,"content":3303},{"target":3300},{"sys":3301},{"id":3302,"type":1398,"linkType":1399},"5iPYWpPx4IZ2M1DykQiWsN",[],{"nodeType":1469,"data":3305,"content":3306},{},[3307],{"nodeType":1293,"value":3308,"marks":3309,"data":3310},"Browser context",[],{},{"nodeType":1294,"data":3312,"content":3313},{},[3314],{"nodeType":1293,"value":3315,"marks":3316,"data":3317},"With Push, there’s no more: 
",[],{},{"nodeType":2159,"data":3319,"content":3320},{},[3321,3331,3341,3351,3361,3371],{"nodeType":2125,"data":3322,"content":3323},{},[3324],{"nodeType":1294,"data":3325,"content":3326},{},[3327],{"nodeType":1293,"value":3328,"marks":3329,"data":3330},"Waiting (and hoping) that a browser-based attack gets recognized and reported by a user.",[],{},{"nodeType":2125,"data":3332,"content":3333},{},[3334],{"nodeType":1294,"data":3335,"content":3336},{},[3337],{"nodeType":1293,"value":3338,"marks":3339,"data":3340},"Guesswork as to exactly what happened on the phishing page. ",[],{},{"nodeType":2125,"data":3342,"content":3343},{},[3344],{"nodeType":1294,"data":3345,"content":3346},{},[3347],{"nodeType":1293,"value":3348,"marks":3349,"data":3350},"Struggling to get your hands on a live version of the page to see if it was actually malicious and getting thwarted because the attacker used a one-time phishing link. ",[],{},{"nodeType":2125,"data":3352,"content":3353},{},[3354],{"nodeType":1294,"data":3355,"content":3356},{},[3357],{"nodeType":1293,"value":3358,"marks":3359,"data":3360},"Manually tracing the attack to see if it arrived by email so you can quarantine the messages. ",[],{},{"nodeType":2125,"data":3362,"content":3363},{},[3364],{"nodeType":1294,"data":3365,"content":3366},{},[3367],{"nodeType":1293,"value":3368,"marks":3369,"data":3370},"Trawling through voluminous proxy logs for scraps of information (who else visited the link; where did it originate; etc.).",[],{},{"nodeType":2125,"data":3372,"content":3373},{},[3374],{"nodeType":1294,"data":3375,"content":3376},{},[3377],{"nodeType":1293,"value":3378,"marks":3379,"data":3380},"Spending precious time on urlscan or VirusTotal to get basic context on a domain or IP address. ",[],{},{"nodeType":1294,"data":3382,"content":3383},{},[3384],{"nodeType":1293,"value":3385,"marks":3386,"data":3387},"Instead, Push gives you all the information you need in one place to investigate and respond. 
",[],{},{"nodeType":1294,"data":3389,"content":3390},{},[3391],{"nodeType":1293,"value":3392,"marks":3393,"data":3394},"The foundation for these detections is the Push browser agent, which can be silently installed in all major browsers in your environment to begin streaming information about a user’s entire identity footprint. ",[],{},{"nodeType":1294,"data":3396,"content":3397},{},[3398],{"nodeType":1293,"value":3399,"marks":3400,"data":3401},"This valuable telemetry, combined with Push’s out-of-the-box controls and detections, gives you a seat on the user’s side of the equation, capturing reliable information about network requests, scripts loaded by a malicious website, and what a user clicked and navigated to: the ingredients for showing you how a browser-based attack unfolded, start to finish.",[],{},{"nodeType":1401,"data":3403,"content":3407},{"target":3404},{"sys":3405},{"id":3406,"type":1398,"linkType":1399},"7ylgcaNDrxYhw7bULixM1C",[],{"nodeType":1294,"data":3409,"content":3410},{},[3411],{"nodeType":1293,"value":3412,"marks":3413,"data":3414},"Push raises a detection when it observes a phishing attack or when a user attempts to visit a blocked URL. You can view detections in the Push admin console, or send them to your SIEM or SOAR for correlation and analysis.",[],{},{"nodeType":1469,"data":3416,"content":3417},{},[3418],{"nodeType":1293,"value":3419,"marks":3420,"data":3421},"Screenshot capture",[],{},{"nodeType":1294,"data":3423,"content":3424},{},[3425],{"nodeType":1293,"value":3426,"marks":3427,"data":3428},"The Push extension can also capture a screenshot at the time of a detection firing. This means security teams can see the visual characteristics of the page even if it’s since been taken down (and no more looking at bot protection screens like Cloudflare Turnstile on urlscan). 
",[],{},{"nodeType":1401,"data":3430,"content":3434},{"target":3431},{"sys":3432},{"id":3433,"type":1398,"linkType":1399},"58HPrc7wImm3mLxPK0yJOG",[],{"nodeType":1469,"data":3436,"content":3437},{},[3438],{"nodeType":1293,"value":3439,"marks":3440,"data":3441},"Blast radius analysis for all impacted accounts & apps",[],{},{"nodeType":1294,"data":3443,"content":3444},{},[3445],{"nodeType":1293,"value":3446,"marks":3447,"data":3448},"With Push’s knowledge of your workforce identities — based on observing logins in the browser that use corporate credentials — the platform can also provide an analysis of the blast radius of an attack by showing you where other accounts and apps are impacted or at risk.",[],{},{"nodeType":1294,"data":3450,"content":3451},{},[3452],{"nodeType":1293,"value":3453,"marks":3454,"data":3455},"This information helps you understand the true impact of an incident so you can remediate all affected accounts.",[],{},{"nodeType":1401,"data":3457,"content":3461},{"target":3458},{"sys":3459},{"id":3460,"type":1398,"linkType":1399},"77e8XMl2Rb0p7ZrG2wmURO",[],{"nodeType":1294,"data":3463,"content":3464},{},[3465,3469,3478],{"nodeType":1293,"value":3466,"marks":3467,"data":3468},"Push is able to provide this blast radius analysis by ",[],{},{"nodeType":1388,"data":3470,"content":3472},{"uri":3471},"https://pushsecurity.com/help/10043/#how-push-securely-analyzes-passwords",[3473],{"nodeType":1293,"value":3474,"marks":3475,"data":3477},"securely fingerprinting users’ passwords",[3476],{"type":1386},{},{"nodeType":1293,"value":3479,"marks":3480,"data":3481}," when a login is observed; analyzing them for security posture issues such as missing MFA, or stolen, weak, or reused passwords; and then raising that relevant context for a given detection.",[],{},{"nodeType":1469,"data":3483,"content":3484},{},[3485],{"nodeType":1293,"value":3486,"marks":3487,"data":3488},"Correlated context from 
urlscan.io",[],{},{"nodeType":1294,"data":3490,"content":3491},{},[3492],{"nodeType":1293,"value":3493,"marks":3494,"data":3495},"Finally, through an integration with urlscan.io, Push is able to provide additional context about the domains involved in a detection event, including:",[],{},{"nodeType":2159,"data":3497,"content":3498},{},[3499,3509,3519,3529],{"nodeType":2125,"data":3500,"content":3501},{},[3502],{"nodeType":1294,"data":3503,"content":3504},{},[3505],{"nodeType":1293,"value":3506,"marks":3507,"data":3508},"When they were created",[],{},{"nodeType":2125,"data":3510,"content":3511},{},[3512],{"nodeType":1294,"data":3513,"content":3514},{},[3515],{"nodeType":1293,"value":3516,"marks":3517,"data":3518},"How many times they have previously been scanned",[],{},{"nodeType":2125,"data":3520,"content":3521},{},[3522],{"nodeType":1294,"data":3523,"content":3524},{},[3525],{"nodeType":1293,"value":3526,"marks":3527,"data":3528},"When they were last scanned",[],{},{"nodeType":2125,"data":3530,"content":3531},{},[3532],{"nodeType":1294,"data":3533,"content":3534},{},[3535],{"nodeType":1293,"value":3536,"marks":3537,"data":3538},"If urlscan has marked them as suspicious",[],{},{"nodeType":1401,"data":3540,"content":3544},{"target":3541},{"sys":3542},{"id":3543,"type":1398,"linkType":1399},"2AKpAk65XdmaGBfe2V4qZ5",[],{"nodeType":1346,"data":3546,"content":3547},{},[],{"nodeType":1356,"data":3549,"content":3550},{},[3551],{"nodeType":1293,"value":3552,"marks":3553,"data":3555},"Check out our latest webinar for practical guidance in real-world scenarios",[3554],{"type":1354},{},{"nodeType":1294,"data":3557,"content":3558},{},[3559,3563,3572,3575],{"nodeType":1293,"value":3560,"marks":3561,"data":3562},"For practical advice and applied examples of how to use Push data in incident response — as well as some bonus examples of automated response and remediation use cases — 
",[],{},{"nodeType":1388,"data":3564,"content":3566},{"uri":3565},"https://pushsecurity.com/webinar/identity-detection-response",[3567],{"nodeType":1293,"value":3568,"marks":3569,"data":3571},"join us live on August 13 for our webinar",[3570],{"type":1386},{},{"nodeType":1293,"value":2508,"marks":3573,"data":3574},[],{},{"nodeType":1293,"value":3576,"marks":3577,"data":3579},"“Identity attacks have changed — have your IR playbooks?”",[3578],{"type":1354},{},{"nodeType":1346,"data":3581,"content":3582},{},[],{"nodeType":1356,"data":3584,"content":3585},{},[3586],{"nodeType":1293,"value":2557,"marks":3587,"data":3589},[3588],{"type":1354},{},{"nodeType":1294,"data":3591,"content":3592},{},[3593],{"nodeType":1293,"value":2583,"marks":3594,"data":3595},[],{},{"nodeType":1294,"data":3597,"content":3598},{},[3599],{"nodeType":1293,"value":2590,"marks":3600,"data":3601},[],{},{"nodeType":1294,"data":3603,"content":3604},{},[3605,3608,3615],{"nodeType":1293,"value":2597,"marks":3606,"data":3607},[],{},{"nodeType":1388,"data":3609,"content":3610},{"uri":2600},[3611],{"nodeType":1293,"value":2606,"marks":3612,"data":3614},[3613],{"type":1386},{},{"nodeType":1293,"value":37,"marks":3616,"data":3617},[],{},"Introducing Push Detections: Equipping SecOps and IR teams to stop browser-based attacks","We’re launching a new Detections capability, enabling security teams to more effectively investigate and triage alerts, and build more effective workflows. 
","2025-07-29T00:00:00.000Z","introducing-push-detections",{"items":3623},[3624,3626],{"sys":3625,"name":1305},{"id":1304},{"sys":3627,"name":1309},{"id":1308},{"items":3629},[3630],{"fullName":3631,"firstName":3632,"jobTitle":3633,"profilePicture":3634},"Kelly Davenport","Kelly","Product Team",{"url":3635},"https://images.ctfassets.net/y1cdw1ablpvd/1hi8bEuVfn5sF57LivAq6d/9a3b82426c697d765e2e450e33a18424/kelly_profile_pic.jpeg",{"items":3637},[3638],{"fullName":1994,"firstName":1995,"jobTitle":1996,"profilePicture":3639},{"url":1998},{"json":3641,"links":4179},{"nodeType":1295,"data":3642,"content":3643},{},[3644,3650,3657,3664,3671,3674,3682,3689,3709,3715,3722,3728,3735,3742,3748,3764,3770,3777,3783,3786,3794,3801,3809,3829,3836,3843,3851,3871,3879,3899,3907,3927,3932,3935,3943,3950,3993,4000,4007,4010,4018,4025,4069,4072,4079,4086,4130,4156,4163],{"nodeType":1401,"data":3645,"content":3649},{"target":3646},{"sys":3647},{"id":3648,"type":1398,"linkType":1399},"2pi21QGUvtdsDTbZYIF5Pr",[],{"nodeType":1294,"data":3651,"content":3652},{},[3653],{"nodeType":1293,"value":3654,"marks":3655,"data":3656},"Push recently detected and blocked a high-risk phishing attack targeting a company executive's Google Workspace account. ",[],{},{"nodeType":1294,"data":3658,"content":3659},{},[3660],{"nodeType":1293,"value":3661,"marks":3662,"data":3663},"This attack demonstrated a range of advanced detection evasion techniques designed to circumvent traditional detection controls. ",[],{},{"nodeType":1294,"data":3665,"content":3666},{},[3667],{"nodeType":1293,"value":3668,"marks":3669,"data":3670},"Given this was a highly targeted attack against a company executive, the impact of a successful phish would have been extremely high. 
Push’s browser-based detection and response solution intercepted and blocked the phish in real-time, preventing the Microsoft session or credentials being captured by the attacker.",[],{},{"nodeType":1346,"data":3672,"content":3673},{},[],{"nodeType":1356,"data":3675,"content":3676},{},[3677],{"nodeType":1293,"value":3678,"marks":3679,"data":3681},"What happened",[3680],{"type":1354},{},{"nodeType":1294,"data":3683,"content":3684},{},[3685],{"nodeType":1293,"value":3686,"marks":3687,"data":3688},"A Push customer’s exec was targeted on LinkedIn via a direct message from another exec about an investment opportunity. The sender’s account had been compromised and used to approach high-value targets. ",[],{},{"nodeType":1294,"data":3690,"content":3691},{},[3692,3696,3705],{"nodeType":1293,"value":3693,"marks":3694,"data":3695},"The victim was sent a link to a basic page hosted on ",[],{},{"nodeType":1388,"data":3697,"content":3699},{"uri":3698},"http://sites.google.com",[3700],{"nodeType":1293,"value":3701,"marks":3702,"data":3704},"sites.google.com",[3703],{"type":1386},{},{"nodeType":1293,"value":3706,"marks":3707,"data":3708},", styled as a landing page for a private equity fund investment opportunity. The page had buttons to handle both Microsoft and Google users. ",[],{},{"nodeType":1401,"data":3710,"content":3714},{"target":3711},{"sys":3712},{"id":3713,"type":1398,"linkType":1399},"1cEvEzLdKIuj6zuGn9aWJB",[],{"nodeType":1294,"data":3716,"content":3717},{},[3718],{"nodeType":1293,"value":3719,"marks":3720,"data":3721},"Upon clicking a button, Google Search was used as a redirect before taking the victim to a second page hosted on Microsoft Dynamics. This page was styled to look like Google Drive, where the victim was prompted to enter their last name and email into the form. 
",[],{},{"nodeType":1401,"data":3723,"content":3727},{"target":3724},{"sys":3725},{"id":3726,"type":1398,"linkType":1399},"4fJ3JUdGcuRTa2Nza9QhkU",[],{"nodeType":1294,"data":3729,"content":3730},{},[3731],{"nodeType":1293,"value":3732,"marks":3733,"data":3734},"Upon entering their details and clicking submit, the victim was finally sent to an  Attacker-in-the-Middle (AitM) phishing page. ",[],{},{"nodeType":1294,"data":3736,"content":3737},{},[3738],{"nodeType":1293,"value":3739,"marks":3740,"data":3741},"To access the page, the victim had to solve a custom CAPTCHA challenge, which we’ve observed in a number of recent phishing attacks that we’ve linked to the Tycoon 2FA phishing kit.  ",[],{},{"nodeType":1401,"data":3743,"content":3747},{"target":3744},{"sys":3745},{"id":3746,"type":1398,"linkType":1399},"4Yu36QHTzSBZSg00QpbD1o",[],{"nodeType":1294,"data":3749,"content":3750},{},[3751,3755,3760],{"nodeType":1293,"value":3752,"marks":3753,"data":3754},"Because the customer had configured Push’s ",[],{},{"nodeType":1293,"value":3756,"marks":3757,"data":3759},"phishing tool detection control",[3758],{"type":1354},{},{"nodeType":1293,"value":3761,"marks":3762,"data":3763}," in block mode, the Push browser agent flagged the page as malicious to the user and prevented the attack from continuing. ",[],{},{"nodeType":1401,"data":3765,"content":3769},{"target":3766},{"sys":3767},{"id":3768,"type":1398,"linkType":1399},"6LfBXkDKqh1ogCMxaxyV6x",[],{"nodeType":1294,"data":3771,"content":3772},{},[3773],{"nodeType":1293,"value":3774,"marks":3775,"data":3776},"This detection was hooked by the customer’s security lake to trigger their security incident response workflow for further investigation. Push’s timelines feature ensured that the full chain of URLs accessed and actions performed on different pages could be analyzed by the security team. 
",[],{},{"nodeType":1401,"data":3778,"content":3782},{"target":3779},{"sys":3780},{"id":3781,"type":1398,"linkType":1399},"4S8J7zmi6Q5wOt9vQHUe6l",[],{"nodeType":1346,"data":3784,"content":3785},{},[],{"nodeType":1356,"data":3787,"content":3788},{},[3789],{"nodeType":1293,"value":3790,"marks":3791,"data":3793},"Notable techniques",[3792],{"type":1354},{},{"nodeType":1294,"data":3795,"content":3796},{},[3797],{"nodeType":1293,"value":3798,"marks":3799,"data":3800},"This attack featured a number of notable attacker techniques designed to evade common phishing detection controls. ",[],{},{"nodeType":1469,"data":3802,"content":3803},{},[3804],{"nodeType":1293,"value":3805,"marks":3806,"data":3808},"Delivering the phishing lure via LinkedIn",[3807],{"type":1354},{},{"nodeType":1294,"data":3810,"content":3811},{},[3812,3816,3825],{"nodeType":1293,"value":3813,"marks":3814,"data":3815},"Using ",[],{},{"nodeType":1388,"data":3817,"content":3819},{"uri":3818},"https://phishing-techniques.pushsecurity.com/techniques/social-media/",[3820],{"nodeType":1293,"value":3821,"marks":3822,"data":3824},"social media sites like LinkedIn",[3823],{"type":1386},{},{"nodeType":1293,"value":3826,"marks":3827,"data":3828}," to deliver a phishing message has a number of advantages for the attacker. Generally, users are less alert to phishing attempts on social platforms, particularly those like LinkedIn which are used for personal as well as work purposes. ",[],{},{"nodeType":1294,"data":3830,"content":3831},{},[3832],{"nodeType":1293,"value":3833,"marks":3834,"data":3835},"However, the primary benefit of delivering phishing over LinkedIn is to evade email-based detection controls. With modern email security tools conducting various stages of analysis, such as analysing the URL, attempting to inspect the page in a web sandbox, and analyzing the written content of an email for possible malicious intent, it can be easier for attackers to simply bypass email altogether. 
",[],{},{"nodeType":1294,"data":3837,"content":3838},{},[3839],{"nodeType":1293,"value":3840,"marks":3841,"data":3842},"With modern work communications now happening over several platforms, sites like LinkedIn where users can be directly messaged by people outside the organization, but are often accessed from work devices, are a prime target. ",[],{},{"nodeType":1469,"data":3844,"content":3845},{},[3846],{"nodeType":1293,"value":3847,"marks":3848,"data":3850},"Using legitimate, trusted sites to host links",[3849],{"type":1354},{},{"nodeType":1294,"data":3852,"content":3853},{},[3854,3858,3867],{"nodeType":1293,"value":3855,"marks":3856,"data":3857},"Attackers are increasingly ",[],{},{"nodeType":1388,"data":3859,"content":3861},{"uri":3860},"https://phishing-techniques.pushsecurity.com/techniques/trusted-website-hosting/",[3862],{"nodeType":1293,"value":3863,"marks":3864,"data":3866},"using legitimate sites to host their phishing links",[3865],{"type":1386},{},{"nodeType":1293,"value":3868,"marks":3869,"data":3870}," and perform redirections. Fronting phishing attacks with pages hosted on legitimate sites, in combination with lengthy redirect chains, can make it harder for security tools which rely on analysing the initial page served to the victim. In this example, Google Sites, Google Search, and Microsoft Dynamics were used. ",[],{},{"nodeType":1469,"data":3872,"content":3873},{},[3874],{"nodeType":1293,"value":3875,"marks":3876,"data":3878},"Using bot protection to defeat sandbox analysis tools",[3877],{"type":1354},{},{"nodeType":1294,"data":3880,"content":3881},{},[3882,3886,3895],{"nodeType":1293,"value":3883,"marks":3884,"data":3885},"Email and proxy security tools rely on loading a page in a web sandbox to analyze it for properties matching their detection signatures. However, dynamic elements that require user interaction to proceed are known to break these sandboxes. 
The most common way attackers do this is by ",[],{},{"nodeType":1388,"data":3887,"content":3889},{"uri":3888},"https://phishing-techniques.pushsecurity.com/techniques/bot-protection/",[3890],{"nodeType":1293,"value":3891,"marks":3892,"data":3894},"using legitimate bot protection",[3893],{"type":1386},{},{"nodeType":1293,"value":3896,"marks":3897,"data":3898}," technologies such as CAPTCHA and Cloudflare Turnstile. ",[],{},{"nodeType":1469,"data":3900,"content":3901},{},[3902],{"nodeType":1293,"value":3903,"marks":3904,"data":3906},"Performing layered redirects at different stages",[3905],{"type":1354},{},{"nodeType":1294,"data":3908,"content":3909},{},[3910,3914,3923],{"nodeType":1293,"value":3911,"marks":3912,"data":3913},"As already mentioned, the ",[],{},{"nodeType":1388,"data":3915,"content":3917},{"uri":3916},"https://phishing-techniques.pushsecurity.com/techniques/domain-rotation-redirection/",[3918],{"nodeType":1293,"value":3919,"marks":3920,"data":3922},"chain of redirects",[3921],{"type":1386},{},{"nodeType":1293,"value":3924,"marks":3925,"data":3926}," across different sites was particularly notable in this case (you can see this in the timeline screenshot provided above). To maximize the lifespan of a malicious domain, attackers are known to use various redirection tricks (often through legit sites that are often excluded from scanning tools). Using several redirections before serving the malicious page breaks referrer-based checks that are common in proxy solutions and prevents the initial URLs seeded out from being discovered. 
Because attackers obfuscate the initial URL delivered to victims, and both mask and rotate the phishing URLs, it is much harder for organizations to blocklist known-bad sites effectively.",[],{},{"nodeType":1401,"data":3928,"content":3931},{"target":3929},{"sys":3930},{"id":2432,"type":1398,"linkType":1399},[],{"nodeType":1346,"data":3933,"content":3934},{},[],{"nodeType":1356,"data":3936,"content":3937},{},[3938],{"nodeType":1293,"value":3939,"marks":3940,"data":3942},"Indicators of Compromise",[3941],{"type":1354},{},{"nodeType":1294,"data":3944,"content":3945},{},[3946],{"nodeType":1293,"value":3947,"marks":3948,"data":3949},"Static IoCs are of limited value in this case due to the use of disposable pages designed to be used once and then rotated. In this case, the page hosting the malicious AitM kit has now been flagged by Google after being reported. The use of disposable, rotated pages makes blocking specific malicious subdomains hosted on otherwise legitimate sites difficult. However, we have observed a consistent pattern in the attacks identified by Push:",[],{},{"nodeType":2159,"data":3951,"content":3952},{},[3953,3963,3973,3983],{"nodeType":2125,"data":3954,"content":3955},{},[3956],{"nodeType":1294,"data":3957,"content":3958},{},[3959],{"nodeType":1293,"value":3960,"marks":3961,"data":3962},"Phishing lure delivered over LinkedIn",[],{},{"nodeType":2125,"data":3964,"content":3965},{},[3966],{"nodeType":1294,"data":3967,"content":3968},{},[3969],{"nodeType":1293,"value":3970,"marks":3971,"data":3972},"Link to sites.google.com page (e.g. sites.google.com/view/\u003CINVESTMENTCOMPANY>-ai/home)",[],{},{"nodeType":2125,"data":3974,"content":3975},{},[3976],{"nodeType":1294,"data":3977,"content":3978},{},[3979],{"nodeType":1293,"value":3980,"marks":3981,"data":3982},"Link to Microsoft Dynamics page (e.g. 
[assets-usa.mkt].dynamics.com/...)",[],{},{"nodeType":2125,"data":3984,"content":3985},{},[3986],{"nodeType":1294,"data":3987,"content":3988},{},[3989],{"nodeType":1293,"value":3990,"marks":3991,"data":3992},"Link to (*).sa.com phishing page",[],{},{"nodeType":1294,"data":3994,"content":3995},{},[3996],{"nodeType":1293,"value":3997,"marks":3998,"data":3999},"Given the targeted nature of the attack, we recommend hunting for executive-level users accessing some combination of these URLs (and variants) in a short timespan.",[],{},{"nodeType":1294,"data":4001,"content":4002},{},[4003],{"nodeType":1293,"value":4004,"marks":4005,"data":4006},"We also recommend informing your executive team about the rise in LinkedIn phishing attacks and the specific nature of the investment opportunity lure.",[],{},{"nodeType":1346,"data":4008,"content":4009},{},[],{"nodeType":1356,"data":4011,"content":4012},{},[4013],{"nodeType":1293,"value":4014,"marks":4015,"data":4017},"Impact analysis",[4016],{"type":1354},{},{"nodeType":1294,"data":4019,"content":4020},{},[4021],{"nodeType":1293,"value":4022,"marks":4023,"data":4024},"There aren’t many more valuable accounts than those belonging to your company executives. Compromising a Google Workspace account doesn’t just give the attacker access to the Workspace tenant, emails, chat, etc. — it also grants access to any accounts on downstream apps configured for SSO. The blast radius of such a compromise is pretty widespread, giving plenty of scope for further exploitation for an attacker with a clear idea of what they want to achieve. ",[],{},{"nodeType":1294,"data":4026,"content":4027},{},[4028,4032,4041,4044,4053,4057,4065],{"nodeType":1293,"value":4029,"marks":4030,"data":4031},"In short, stopping this attack at the earliest opportunity was a significant benefit. 
Even if the attack had been later stopped following the compromise and the stolen account reset, unpicking the web of potentially compromised downstream accounts that may have been accessed and backdoored by the attacker (such as by configuring stealthy persistence mechanisms like ",[],{},{"nodeType":1388,"data":4033,"content":4035},{"uri":4034},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/evil_twin_integrations/description.md",[4036],{"nodeType":1293,"value":4037,"marks":4038,"data":4040},"evil twin integrations",[4039],{"type":1386},{},{"nodeType":1293,"value":2508,"marks":4042,"data":4043},[],{},{"nodeType":1388,"data":4045,"content":4047},{"uri":4046},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/api_keys/description.md",[4048],{"nodeType":1293,"value":4049,"marks":4050,"data":4052},"API keys",[4051],{"type":1386},{},{"nodeType":1293,"value":4054,"marks":4055,"data":4056}," or other ",[],{},{"nodeType":1388,"data":4058,"content":4059},{"uri":3073},[4060],{"nodeType":1293,"value":4061,"marks":4062,"data":4064},"ghost login",[4063],{"type":1386},{},{"nodeType":1293,"value":4066,"marks":4067,"data":4068}," methods) presents a sizable overhead for the security team.     
",[],{},{"nodeType":1346,"data":4070,"content":4071},{},[],{"nodeType":1356,"data":4073,"content":4074},{},[4075],{"nodeType":1293,"value":2557,"marks":4076,"data":4078},[4077],{"type":1354},{},{"nodeType":1294,"data":4080,"content":4081},{},[4082],{"nodeType":1293,"value":4083,"marks":4084,"data":4085},"Two key features played a part in this detection, which you can read more about below:",[],{},{"nodeType":2159,"data":4087,"content":4088},{},[4089,4110],{"nodeType":2125,"data":4090,"content":4091},{},[4092],{"nodeType":1294,"data":4093,"content":4094},{},[4095,4098,4107],{"nodeType":1293,"value":37,"marks":4096,"data":4097},[],{},{"nodeType":1388,"data":4099,"content":4101},{"uri":4100},"https://pushsecurity.com/blog/detecting-and-blocking-phishing-attacks-in-the-browser/",[4102],{"nodeType":1293,"value":4103,"marks":4104,"data":4106},"Phishing attack detection",[4105],{"type":1386},{},{"nodeType":1293,"value":37,"marks":4108,"data":4109},[],{},{"nodeType":2125,"data":4111,"content":4112},{},[4113],{"nodeType":1294,"data":4114,"content":4115},{},[4116,4119,4127],{"nodeType":1293,"value":37,"marks":4117,"data":4118},[],{},{"nodeType":1388,"data":4120,"content":4121},{"uri":2056},[4122],{"nodeType":1293,"value":4123,"marks":4124,"data":4126},"Push detection and response capabilities inc. timeline visibility ",[4125],{"type":1386},{},{"nodeType":1293,"value":37,"marks":4128,"data":4129},[],{},{"nodeType":1294,"data":4131,"content":4132},{},[4133,4137,4142,4146,4153],{"nodeType":1293,"value":4134,"marks":4135,"data":4136},"Push doesn’t detect the redirect tricks or rely on outdated domain TI feeds. The reason we detect these attacks (which make it through all the other layers of phishing protection) is that ",[],{},{"nodeType":1293,"value":4138,"marks":4139,"data":4141},"Push sees what your users see",[4140],{"type":1354},{},{"nodeType":1293,"value":4143,"marks":4144,"data":4145},". 
It doesn’t matter what ",[],{},{"nodeType":1388,"data":4147,"content":4148},{"uri":2567},[4149],{"nodeType":1293,"value":2572,"marks":4150,"data":4152},[4151],{"type":1386},{},{"nodeType":1293,"value":2576,"marks":4154,"data":4155},[],{},{"nodeType":1294,"data":4157,"content":4158},{},[4159],{"nodeType":1293,"value":4160,"marks":4161,"data":4162},"This isn’t all we do: Push’s browser-based security platform provides comprehensive detection and response capabilities against the leading cause of breaches. Push blocks browser-based attacks like AitM phishing, credential stuffing, password spraying and session hijacking using stolen session tokens. You don’t need to wait until it all goes wrong — you can also use Push to find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, risky OAuth integrations, and more to harden your identity attack surface.",[],{},{"nodeType":1294,"data":4164,"content":4165},{},[4166,4169,4176],{"nodeType":1293,"value":1968,"marks":4167,"data":4168},[],{},{"nodeType":1388,"data":4170,"content":4171},{"uri":2600},[4172],{"nodeType":1293,"value":1977,"marks":4173,"data":4175},[4174],{"type":1386},{},{"nodeType":1293,"value":1613,"marks":4177,"data":4178},[],{},{"entries":4180},{"hyperlink":4181,"inline":4182,"block":4183},[],[],[4184,4207,4215,4221,4226,4231,4239],{"sys":4185,"__typename":4186,"content":4187,"name":4206,"title":118},{"id":3648},"InsightTextBlockComponent",{"json":4188},{"nodeType":1295,"data":4189,"content":4190},{},[4191,4199],{"nodeType":1294,"data":4192,"content":4193},{},[4194],{"nodeType":1293,"value":4195,"marks":4196,"data":4198},"Update 15th September:",[4197],{"type":1354},{},{"nodeType":1294,"data":4200,"content":4201},{},[4202],{"nodeType":1293,"value":4203,"marks":4204,"data":4205},"Since releasing this article we have observed further attacks using almost identical TTPs across a number of Push customers, specifically targeting 
technology firm executives. We've also had a number of people that aren't Push customers reach out to us after seeing attacks that are clearly part of the same campaign. So, we've added some additional information to help other security teams to investigate whether they have also been targeted. ",[],{},"Linkedin phishing attack insight box",{"sys":4208,"__typename":4209,"title":4210,"caption":4210,"layoutMode":118,"file":4211},{"id":3713},"Image","Google Sites page styled to look like a private equity fund opportunity.",{"url":4212,"width":4213,"height":4214},"https://images.ctfassets.net/y1cdw1ablpvd/1HGAL4CypIZ0BRlUT3jn74/b9f6144ee6d3c4b93868ff0b3236a3e8/Group_555.png",3444,2066,{"sys":4216,"__typename":4209,"title":4217,"caption":4217,"layoutMode":118,"file":4218},{"id":3726},"Microsoft Dynamics page designed to look like a Google Drive form.",{"url":4219,"width":4220,"height":363},"https://images.ctfassets.net/y1cdw1ablpvd/5TotEj06E6rZiR8jhY4QY1/7d8cf413dac2d0c5e078553f24ddb929/image4.png",1999,{"sys":4222,"__typename":4209,"title":4223,"caption":4223,"layoutMode":118,"file":4224},{"id":3746},"Custom CAPTCHA pages are becoming increasingly common.",{"url":4225,"width":4220,"height":363},"https://images.ctfassets.net/y1cdw1ablpvd/4yiniKsw5THFJNG7djVUmp/4fc66a46477fe249a5506521dd80d4a2/image1.png",{"sys":4227,"__typename":4209,"title":4228,"caption":4228,"layoutMode":118,"file":4229},{"id":3768},"The AitM phishing page presented as a standard Google login page.",{"url":4230,"width":4220,"height":363},"https://images.ctfassets.net/y1cdw1ablpvd/5SgufpH8y8W1GunlFzkVDp/68d702ffb904b2e5732b8fecfdda3b37/image5.png",{"sys":4232,"__typename":4209,"title":4233,"caption":4234,"layoutMode":118,"file":4235},{"id":3781},"Phishing incident timeline","A large number of redirects were used across different sites to obfuscate the phishing link and prevent the phishing URL being linked to the original URL delivered to the 
victim.",{"url":4236,"width":4237,"height":4238},"https://images.ctfassets.net/y1cdw1ablpvd/6Xbed976bd7yltgfbAp9GK/3a040bf988330617690d53716fe3bd7a/Frame_627926__2_.png",3660,4200,{"sys":4240,"__typename":4241,"type":4242,"ctaText":4243,"buttonLabel":4244,"buttonColour":4245,"buttonUrl":4246},{"id":2432},"CtaWidget","Custom","Learn how phishing evolved in 2025, showcasing the most sophisticated attacks and key trends uncovered by Push researchers","Register Now","sunny orange","https://pushsecurity.com/webinar/phishing-2025-review","content:blog:how-push-stopped-a-high-risk-linkedin-spear-phishing-attack.json","json","content","blog/how-push-stopped-a-high-risk-linkedin-spear-phishing-attack.json","blog/how-push-stopped-a-high-risk-linkedin-spear-phishing-attack",1776359983433]