[{"data":1,"prerenderedAt":4785},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":95,"navbar-about-highlight":155,"navbar-resource-highlight":211,"use-case-page":256,"blog/how-to-prevent-account-takeover-with-push":1276},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8,59,76],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":14,"data":15,"variations":50,"lastUpdated":51,"firstPublished":52,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":54,"meta":55,"rev":58},1742213002749,"efff2a27faf4408e9f908eba4b5542fe","inductive-automation","1c6207a5f24948ab82d4a0b17f251193","published",[],{"testimonial":16,"description":43,"type":19,"link":44,"title":47,"testimonialLink":48,"image":49},{"@type":17,"id":18,"model":19,"value":20},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79","testimonial",{"query":21,"folders":22,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":26,"variations":30,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":35,"rev":42},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":27,"jobTitle":28,"quote":24,"image":29},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,1,"ST0tXQM8slWpFrmioqKHmENB2qe2",{"kind":36,"lastPreviewUrl":37,"breakpoints":38,"hasAutosaves":41},"data","",{"small":39,"medium":40},640,768,true,"3v32gocrrqz","Join the industry's top security minds as they break down the browser attack landscape.",{"url":45,"text":46},"https://pushsecurity.com/webinar/state-of-browser-security","Save Your Spot","State of Browser Attacks 
Series","/customer-stories/inductive-automation","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe94fca10aa7b46ac8052b7ea22de54cd",{},1776257019270,1742221533648,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2",[],{"breakpoints":56,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},320,"motto9r9yg",{"createdDate":60,"id":61,"name":62,"modelId":12,"published":13,"query":63,"data":64,"variations":69,"lastUpdated":70,"firstPublished":71,"testRatio":33,"createdBy":53,"lastUpdatedBy":72,"folders":73,"meta":74,"rev":58},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner",[],{"type":65,"url":66,"text":67,"link":68},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,"jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":36,"lastPreviewUrl":37,"breakpoints":75,"hasAutosaves":41},{"xsmall":57,"small":39,"medium":40},{"createdDate":77,"id":78,"name":79,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":80,"data":81,"variations":89,"lastUpdated":90,"firstPublished":91,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":92,"meta":93,"rev":58},1742208469288,"6763051b201f44a0838c6400c580ca67","Resource highlight",[],{"image":82,"type":83,"description":84,"link":85,"title":88},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9","resource","Learn about the latest techniques being used in the wild.",{"url":86,"text":87},"/resources/browser-attacks-report","Download now","Report: 2026 Browser Attack 
Techniques",{},1776255866789,1742208570400,[],{"kind":36,"lastPreviewUrl":37,"breakpoints":94,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},{"createdDate":96,"id":97,"name":98,"modelId":99,"published":13,"query":100,"data":101,"variations":145,"lastUpdated":146,"firstPublished":147,"testRatio":33,"createdBy":34,"lastUpdatedBy":148,"folders":149,"meta":150,"rev":154},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":102,"text":103,"url":37,"blocks":104,"state":141},"ewrererw","testrfesssssssssss",[105,129],{"@type":106,"@version":107,"id":108,"component":109,"responsiveStyles":119},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":110,"tag":110,"options":111,"isRSC":118},"TopBannerContent",{"text":112,"ctaText":46,"url":45,"mainText":113,"cta":116},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks",{"content":114,"fontSize":115},"\u003Cp>New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks\u003C/p>","text-base",{"content":117,"fontSize":115,"url":45},"\u003Cp>\u003Cstrong style=\"font-weight:700;\">Save Your 
Spot\u003C/strong>\u003C/p>\n",null,{"large":120},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"marginTop":126,"marginBottom":126,"fontSize":127,"fontWeight":128},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"id":130,"@type":106,"tagName":131,"properties":132,"responsiveStyles":136},"builder-pixel-08zrjigffq5t","img",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":137},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},"block","hidden","none",{"deviceSize":142,"location":143},"large",{"path":37,"query":144},{},{},1775137295127,1774968080803,"ax7YYfD0OCeqT1Vxxv1G4FUbqVr1",[],{"breakpoints":151,"hasLinks":6,"kind":152,"lastPreviewUrl":153,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests%2CmergePullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default","2lvuonnywj",[156,180],{"createdDate":157,"id":158,"name":159,"modelId":160,"published":13,"stageModifiedSincePublish":6,"query":161,"data":162,"variations":173,"lastUpdated":174,"firstPublished":175,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":176,
"meta":177,"rev":179},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":163,"type":19,"testimonialLink":48,"testimonial":164},{},{"@type":17,"id":18,"model":19,"value":165},{"query":166,"folders":167,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":168,"variations":169,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":170,"rev":172},[],[],{"author":27,"jobTitle":28,"quote":24,"image":29},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":171,"hasAutosaves":41},{"small":39,"medium":40},"7t755zfvte3",{},1776247404986,1776247404973,[],{"breakpoints":178,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"4moh0qpywtr",{"createdDate":181,"id":182,"name":88,"modelId":160,"published":13,"meta":183,"stageModifiedSincePublish":6,"query":185,"data":186,"variations":207,"lastUpdated":208,"firstPublished":209,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":210,"rev":179},1776255761419,"05a9322735fc427db12e2740e4302300",{"breakpoints":184,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[],{"testimonial":187,"link":206,"type":83,"title":88,"description":84,"image":82},{"@type":17,"id":188,"model":19,"value":189},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":190,"folders":191,"createdDate":192,"id":188,"name":193,"modelId":25,"published":13,"data":194,"variations":200,"lastUpdated":201,"firstPublished":202,"testRatio":33,"createdBy":34,"lastUpdatedBy":53,"meta":203,"rev":205},[],[],1728981467463,"Push does for identity what CrowdStrike did for the 
endpoint",{"video":195,"jobTitle":196,"author":197,"qoute":37,"quote":198,"image":199},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":36,"lastPreviewUrl":37,"breakpoints":204,"hasAutosaves":41},{"small":39,"medium":40},"6s8ic0w0ao6",{"text":87,"url":86},{},1776255810913,1776255810900,[],[212,235],{"createdDate":213,"id":214,"name":88,"modelId":215,"published":13,"meta":216,"stageModifiedSincePublish":6,"query":218,"data":219,"variations":230,"lastUpdated":231,"firstPublished":232,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":233,"rev":234},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":217,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[],{"testimonial":220,"link":229,"type":83,"title":88,"description":84,"image":82},{"@type":17,"id":188,"model":19,"value":221},{"query":222,"folders":223,"createdDate":192,"id":188,"name":193,"modelId":25,"published":13,"data":224,"variations":225,"lastUpdated":201,"firstPublished":202,"testRatio":33,"createdBy":34,"lastUpdatedBy":53,"meta":226,"rev":228},[],[],{"video":195,"jobTitle":196,"author":197,"qoute":37,"quote":198,"image":199},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":227,"hasAutosaves":41},{"small":39,"medium":40},"r77qqueuo3j",{"text":87,"url":86},{},1776256937553,1776256937540,[],"q0jkez80wkg",{"createdDate":236,"id":237,"name":11,"modelId":215,"published":13,"stageModifiedSincePublish":6,"query":238,"data":239,"variations
":250,"lastUpdated":251,"firstPublished":252,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":253,"meta":254,"rev":234},1776256949234,"ce043785b71b4ece98eac811ecf4ba10",[],{"link":240,"type":19,"testimonial":241,"testimonialLink":48},{},{"@type":17,"id":18,"model":19,"value":242},{"query":243,"folders":244,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":245,"variations":246,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":247,"rev":249},[],[],{"author":27,"jobTitle":28,"quote":24,"image":29},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":248,"hasAutosaves":41},{"small":39,"medium":40},"mnaneamy308",{},1776256974140,1776256974130,[],{"breakpoints":255,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[257,441,560,679,797,917,1037,1157],{"createdDate":258,"id":259,"name":260,"modelId":261,"published":13,"stageModifiedSincePublish":6,"query":262,"data":268,"variations":429,"lastUpdated":430,"firstPublished":431,"testRatio":33,"screenshot":432,"createdBy":34,"lastUpdatedBy":433,"folders":434,"meta":435,"rev":440},1744829487099,"387451215c314dd5bd654668cdc1a197","Zero-day phishing","cca4143377554c5a9163cc203a8ed2ba",[263],{"@type":264,"property":265,"operator":266,"value":267},"@builder.io/core:Query","urlPath","is","/uc/zero-day-phishing-protection",{"inputs":269,"customFonts":270,"seoTitle":318,"title":318,"tsCode":37,"seoDescription":319,"fontAwesomeIcon":320,"jsCode":37,"blocks":321,"url":267,"state":426},[],[271],{"family":272,"kind":273,"version":274,"lastModified":275,"files":276,"category":295,"menu":296,"subsets":297,"variants":300},"DM 
Sans","webfonts#webfont","v14","2023-07-13",{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"800italic":285,"900italic":286,"700italic":287,"100italic":288,"italic":289,"regular":290,"200italic":291,"500italic":292,"300italic":293,"600italic":294},"https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAop1hTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwA_JxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAkJxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAfJthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwARZthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAC5thTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8gCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9uCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDG3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19Dks
Vat-7DW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat_XDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9XCm3zRmYJpso5.ttf","sans-serif","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxRT23z.ttf",[298,299],"latin","latin-ext",[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"100","200","300","regular","500","600","800","900","100italic","200italic","300italic","italic","500italic","600italic","700italic","800italic","900italic","Zero-day phishing protection","Detect phishing TTPs directly in the browser and stop credential theft.","faFishingRod",[322,421],{"@type":106,"@version":107,"tagName":323,"id":324,"children":325},"div","builder-76c6b8d1499346c7bc1fd56ae4e93638",[326,343,351,358,370,385,396,407,413],{"@type":106,"@version":107,"layerName":327,"id":328,"component":329,"responsiveStyles":340},"UseCaseHero","builder-5228fe062bef4a40a91e43f1112832fa",{"name":327,"options":330,"isRSC":118},{"title":318,"description":331,"points":332,"video":339},"\u003Cp>Push detects phishing as it happens. Autonomous agents hunt for new phishing techniques, identify kit signatures, and deploy detections within minutes of a new attack being analyzed. 
From cloned login pages to AiTM credential harvesting, Push sees what traditional filters miss and stops threats before they escalate.\u003C/p>",[333,335,337],{"item":334},"Detect phishing that bypasses traditional filters, including AiTM, SSO password theft, and fake login pages",{"item":336},"Stop never-before-seen attacks with AI-native behavioral and on-page analysis inside the browser",{"item":338},"Investigate faster with unified browser, user, and page context","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F40433ceeb4f94b43a82e039a0f4fd411%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=40433ceeb4f94b43a82e039a0f4fd411&alt=media&optimized=true",{"large":341},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},"transparent",{"@type":106,"@version":107,"id":344,"component":345,"responsiveStyles":348},"builder-96634044407e491299e291ed64669e39",{"name":346,"options":347,"isRSC":118},"TrustedBy",{"AllPartners":41,"backgroundTransparent":6},{"large":349},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},"#000",{"@type":106,"@version":107,"id":352,"component":353,"responsiveStyles":356},"builder-2c3768f930534557bb8978e32b6a6a0f",{"name":354,"options":355,"isRSC":118},"Diagonal",{"darkMode":41},{"large":357},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":359,"id":360,"component":361,"responsiveStyles":368},"TextImageBlockVertical","builder-7c3c1c2840424db2ad2ccbfaf382dd64",{"name":359,"tag":359,"options":362,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":365,"description":366,"animatedTitle":37,"image":367,"reverse":6,"descriptionPaddingHorizontal":118},1200,800,"\u003Ch2>Why stop at the inbox?\u003C/h2>","\u003Cp>Phishing attacks have evolved. 
Whether attackers lure users with QR codes, instant messages, or OAuth consent screens, the outcome is the same: it plays out in the browser. Push gives you real-time detection for in-browser threats, stopping phishing and consent-based attacks before they lead to compromise.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7fdcac241f0e4a049166d7076858adeb",{"large":369},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":371,"component":372,"responsiveStyles":380},"builder-41c978b3669749cf947e622b4e79e4d7",{"name":373,"options":374,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":377,"description":378,"reverse":41,"image":379},600,100,"\u003Cp>Detect phishing at the edge\u003C/p>","\u003Cp>Push uses industry-first telemetry to detect phishing based on behavior, not static indicators. Autonomous agents analyze how phishing pages behave and how users interact with them, uncovering fake logins, credential theft, and phishing kits the moment they load in the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F9df3d180c97b4e61af142af2ccd68721",{"large":381},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},"DM Sans, sans-serif","20px","0px",{"@type":106,"@version":107,"id":386,"component":387,"responsiveStyles":393},"builder-d2a7bc941feb43cdb898bc116b203cf9",{"name":373,"options":388,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":390,"description":391,"reverse":6,"image":392},120,"\u003Ch2>Go beyond blocklists and IOCs\u003C/h2>","\u003Cp>Push goes beyond URLs and easy-to-change indicators. 
It reads the full phishing playbook, including script behavior, session hijacks, DOM changes, and user inputs, then connects the dots in real time. This gives your team a complete picture of how the phishing attempt worked, not just an alert.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fabfd58db169b433e96d3f1261797156e",{"large":394},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},"36px",{"@type":106,"@version":107,"layerName":373,"id":397,"component":398,"responsiveStyles":404},"builder-42c32198083f4880acb37c5cb76934da",{"name":373,"options":399,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":401,"description":402,"reverse":41,"image":403},140,"\u003Ch2>Enhance your phishing response\u003C/h2>","\u003Cp>When phishing enters your environment, speed matters. Push gives you instant access to the telemetry that counts, such as session data, user behavior, and page activity, so you can investigate fast, trigger in-browser prompts, or forward alerts to your SIEM or SOAR for response. 
All in real time, right from the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fbb195aec46904056b85e8688629e558e",{"large":405},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},"47px",{"@type":106,"@version":107,"id":408,"component":409,"responsiveStyles":411},"builder-9a95b9cbc4854421a92ef7b90f6c7adb",{"name":354,"options":410,"isRSC":118},{"darkMode":6},{"large":412},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":414,"component":415,"responsiveStyles":419},"builder-0afa17a9f25c4661a90f314d5578aa18",{"name":416,"tag":416,"options":417,"isRSC":118},"LatestResources",{"sectionHeading":37,"customClass":418},"bg-black",{"large":420},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":422,"@type":106,"tagName":131,"properties":423,"responsiveStyles":424},"builder-pixel-21yj6h3p4wh",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":425},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":427},{"path":37,"query":428},{},{},1776275046831,1745499158657,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fff60c30a8442489c8ed7e0af9599d14f","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"lastPreviewUrl":436,"winningTest":118,"breakpoints":437,"kind":438,"hasLinks":6,"originalContentId":439,"hasAutosaves":6},"https://pushsecurity.com/uc/zero-day-phishing-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&
builder.overrides.use-case-page=387451215c314dd5bd654668cdc1a197&builder.overrides.387451215c314dd5bd654668cdc1a197=387451215c314dd5bd654668cdc1a197&builder.overrides.use-case-page:/uc/zero-day-phishing-protection=387451215c314dd5bd654668cdc1a197&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},"page","2daa5670b8504fc7ba4700633e8bd921","atvz4dp24b7",{"createdDate":442,"id":443,"name":444,"modelId":261,"published":13,"stageModifiedSincePublish":6,"query":445,"data":448,"variations":552,"lastUpdated":553,"firstPublished":554,"testRatio":33,"screenshot":555,"createdBy":34,"lastUpdatedBy":433,"folders":556,"meta":557,"rev":440},1756833377777,"54f8256648f54d439303734b1e69221b","Browser extension security",[446],{"@type":264,"property":265,"operator":266,"value":447},"/uc/browser-extension-security",{"seoDescription":449,"jsCode":37,"fontAwesomeIcon":450,"tsCode":37,"title":444,"seoTitle":444,"customFonts":451,"inputs":456,"blocks":457,"url":447,"state":549},"Shine a light on risky browser extensions.","faPuzzlePiece",[452],{"kind":273,"family":272,"version":274,"files":453,"category":295,"lastModified":275,"subsets":454,"variants":455,"menu":296},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"100italic":288,"italic":289,"regular":290,"900italic":286,"800italic":285,"700italic":287,"200italic":291,"300italic":293,"500italic":292,"600italic":294},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],[],[458,544],{"@type":106,"@version":107,"tagName":323,"id":459,"meta":460,"children":461},"builder-71d0648c1d2f4ede8d0d0b5b28b7b94c",{"previousId":324},[462,478,485,492,501,511,521,531,538],{"@type":106,"@version":107,"id":463,"meta":464,"component":465,"responsiveStyles":476},"builder-ff325b4b8fad4edea53f38865947e854",{"previousId":328},{"name":327,"options":466,"isRSC":118},{"title":444,"description":467,"points":468,"video":475},"\u003Cp>Browser extensions introduce new code, new 
permissions, and new potential for risk. Many include AI features, and most go completely unnoticed. Push gives you full visibility into every extension used across your workforce, across major browsers, so you can uncover shadow IT, assess risky permissions, and block unsafe tools before they lead to compromise.\u003C/p>",[469,471,473],{"item":470},"Discover every browser extension in use",{"item":472},"Spot risky or unsanctioned behavior",{"item":474},"Make informed decisions on extension policy","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc538aad95d7f403aa3c3551af72f67c0?alt=media&token=1411fa6d-2eac-4e6c-94bf-ea117da12d67&apiKey=f3a1111ff5be48cdbb123cd9f5795a05",{"large":477},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":479,"meta":480,"component":481,"responsiveStyles":483},"builder-fb89d128c64e47cf9cbb11d90fc24523",{"previousId":344},{"name":346,"options":482,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":484},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":486,"meta":487,"component":488,"responsiveStyles":490},"builder-54388d35126c4d0096eeebaf8c4448cd",{"previousId":352},{"name":354,"options":489,"isRSC":118},{"darkMode":41},{"large":491},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":359,"id":493,"component":494,"responsiveStyles":499},"builder-3c8fa6785dd6466abf52a2470d66d85a",{"name":359,"tag":359,"options":495,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":496,"description":497,"image":498,"reverse":6},"\u003Ch2>Take control of browser extensions\u003C/h2>","\u003Cp>Attackers are increasingly using malicious browser extensions to gain access to data processed and stored in the browser. 
And the problem is, most security teams have no visibility into what extensions are being used. Push changes that. With browser-native telemetry, the Push extension continuously inventories browser extensions across your environment, flags the risky ones, and gives you intelligence to act.&nbsp;\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0a004f16a6874f4c8fdf14344acc9fec",{"large":500},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":502,"meta":503,"component":504,"responsiveStyles":509},"builder-93738f98109a4009affb349afd7bb182",{"previousId":371},{"name":373,"options":505,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":506,"description":507,"reverse":41,"image":508},"\u003Ch2>Discover every extension in use\u003C/h2>","\u003Cp>Push gives you structured, searchable data about every extension in your environment, so you’re not just seeing what’s there, but also understanding how it got there, what it can do, and who it affects. 
It’s the kind of granular insight that’s nearly impossible to get from traditional tools, and it lays the groundwork for better policy decisions and faster investigations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0e5727ca99474f14b1b7916bf6bbb782",{"large":510},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":512,"meta":513,"component":514,"responsiveStyles":519},"builder-83393acb12ee4fdd840839185b51edb4",{"previousId":386},{"name":373,"options":515,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":516,"description":517,"reverse":6,"image":518},"\u003Ch2>Spot risky or malicious extensions\u003C/h2>","\u003Cp>Push highlights extensions with dangerous permissions, broad access, or poor reputations. This includes AI extensions that request access far beyond what their stated purpose requires. You can quickly detect sideloaded, manually installed, or development-mode extensions that bypass normal controls. And because Push shows you who’s using them and where, you can respond precisely and effectively.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa104d58c8da34fbb8901f738fb21453b",{"large":520},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":522,"meta":523,"component":524,"responsiveStyles":529},"builder-da98e3de949646d89c53a0d1c2784664",{"previousId":397},{"name":373,"options":525,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":526,"description":527,"reverse":41,"image":528},"\u003Ch2>Accelerate security reviews\u003C/h2>","\u003Cp>Most teams have extension policies, they just don’t have the data to enforce them. 
Push reveals how each extension entered your environment, whether it was installed manually, sideloaded, or deployed in dev mode. You’ll see which users are running what, and where, so you can surface violations, investigate quickly, and respond with confidence.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F229f355be6f243b180f410d237a75bb3",{"large":530},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":532,"meta":533,"component":534,"responsiveStyles":536},"builder-1a689287d1a1418997d57db578a71105",{"previousId":408},{"name":354,"options":535,"isRSC":118},{"darkMode":6},{"large":537},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":539,"component":540,"responsiveStyles":542},"builder-feb4e75029f84c10b6498ef1f8f79128",{"name":416,"tag":416,"options":541,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":543},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":545,"@type":106,"tagName":131,"properties":546,"responsiveStyles":547},"builder-pixel-0edn39avfcei",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":548},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":550},{"path":37,"query":551},{},{},1776275365038,1757000441666,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8d496cf111644ee5afcc046b72d1ca5a",[],{"kind":438,"winningTest":118,"breakpoints":558,"lastPreviewUrl":559,"hasLinks":6,"originalContentId":259,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/browser-extension-security?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2Cc
reateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=54f8256648f54d439303734b1e69221b&builder.overrides.54f8256648f54d439303734b1e69221b=54f8256648f54d439303734b1e69221b&builder.overrides.use-case-page:/uc/browser-extension-security=54f8256648f54d439303734b1e69221b&builder.options.locale=Default",{"createdDate":561,"id":562,"name":563,"modelId":261,"published":13,"query":564,"data":567,"variations":670,"lastUpdated":671,"firstPublished":672,"testRatio":33,"screenshot":673,"createdBy":34,"lastUpdatedBy":674,"folders":675,"meta":676,"rev":440},1744923509705,"94bebb7bb99d48629ad157e80cf4d81d","Account takeover detection",[565],{"@type":264,"property":265,"operator":266,"value":566},"/uc/account-takeover-detection",{"title":563,"customFonts":568,"jsCode":37,"seoTitle":563,"seoDescription":573,"fontAwesomeIcon":574,"tsCode":37,"blocks":575,"url":566,"state":667},[569],{"kind":273,"category":295,"variants":570,"menu":296,"files":571,"family":272,"subsets":572,"version":274,"lastModified":275},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"300italic":293,"500italic":292,"800italic":285,"700italic":287,"italic":289,"900italic":286,"600italic":294,"200italic":291,"regular":290,"100italic":288},[298,299],"Stop ATO with stolen credential and compromised token 
detection.","faUserSecret",[576,662],{"@type":106,"@version":107,"tagName":323,"id":577,"meta":578,"children":579},"builder-e7913a774cae44c5a23d6081c5c30a52",{"previousId":324},[580,596,603,610,619,629,639,649,656],{"@type":106,"@version":107,"id":581,"meta":582,"component":583,"responsiveStyles":594},"builder-f1f1ab1601bc4c0f8c2a8aafd173675d",{"previousId":328},{"name":327,"options":584,"isRSC":118},{"title":563,"description":585,"points":586,"video":593},"\u003Cp>Attackers don’t need to phish, they just need a password that works. Push monitors for signs of credential-based attacks in real time, directly in the browser, catching account takeover attempts before the damage spreads. From ghost logins to credential stuffing, Push cuts off the paths attackers use to quietly slip in the back door.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[587,589,591],{"item":588},"Identify credential-based ATO as it unfolds",{"item":590},"Surface hijacked sessions and token misuse",{"item":592},"Strengthen authentication where your IdP 
can’t","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb4dd9db24bc9495b8a686b1b4d492016%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=b4dd9db24bc9495b8a686b1b4d492016&alt=media&optimized=true",{"large":595},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":597,"meta":598,"component":599,"responsiveStyles":601},"builder-0bc0d1c78ece4994993c3a6427a4d533",{"previousId":344},{"name":346,"options":600,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":602},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":604,"meta":605,"component":606,"responsiveStyles":608},"builder-e45de8f3768c4f16938dbf78e4e87524",{"previousId":352},{"name":354,"options":607,"isRSC":118},{"darkMode":41},{"large":609},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":611,"component":612,"responsiveStyles":617},"builder-c98e8bfd341146c1b67c02d5698ff093",{"name":359,"tag":359,"options":613,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":614,"description":615,"image":616,"reverse":6},"\u003Ch2>Assume less. See more.\u003C/h2>","\u003Cp>Most account takeovers don’t start with a breach, they start with a login. Whether it’s a reused password, a local account, or an outdated login flow, Push shows you how accounts are actually accessed day to day, not just how policies say they should be. 
That means no more blind spots around ghost logins, bypassed SSO, or stale access paths that quietly persist.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F18630ad2746d4eb7b7fcc0428b11a8f0",{"large":618},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":620,"meta":621,"component":622,"responsiveStyles":627},"builder-55c1fc38ddc04fd1a0d6a8e2fb819e00",{"previousId":371},{"name":373,"options":623,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":624,"description":625,"reverse":41,"image":626},"\u003Ch2>Catch stolen credential use in real time\u003C/h2>","\u003Cp>Push monitors login activity directly in the browser to detect signs of credential-based attacks like leaked password use or suspicious login flows. By analyzing attacker TTPs instead of relying on known indicators, Push spots credential stuffing and account takeover attempts the moment they begin, not after they’ve succeeded.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F52b0123cac2c4dfdb1dc0af6adf9d603",{"large":628},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":630,"meta":631,"component":632,"responsiveStyles":637},"builder-dfb31737b30948c6b95323655d571a50",{"previousId":386},{"name":373,"options":633,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":634,"description":635,"reverse":6,"image":636},"\u003Ch2>Detect session hijacks and stealth access\u003C/h2>","\u003Cp>Attackers don’t always need a login screen, they often sidestep it entirely using stolen session tokens. 
Push detects when valid sessions are reused in unexpected ways, identifying hijacked sessions and stealth access attempts that traditional tools miss. Because we monitor directly in the browser, you see what’s happening inside active sessions in real time.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F94a6859a99e04d309ffe5841f3dbdf5c",{"large":638},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":640,"meta":641,"component":642,"responsiveStyles":647},"builder-f7585b90eb974d03a7dc7eae5b58d227",{"previousId":397},{"name":373,"options":643,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":644,"description":645,"reverse":41,"image":646},"\u003Ch2>Harden accounts before they’re compromised\u003C/h2>","\u003Cp>Push goes beyond alerts. It identifies apps that still allow local logins, even when SSO is configured, so you can remove weak access paths. 
Push also flags users without MFA, reused work credentials, or weak passwords, and prompts users in-browser to fix risky behaviors before they’re exploited.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01c1b638f1b6497093a4f2b8ceddb5bb",{"large":648},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":650,"meta":651,"component":652,"responsiveStyles":654},"builder-ad81d1e3afec49a791214194eae09bdc",{"previousId":408},{"name":354,"options":653,"isRSC":118},{"darkMode":6},{"large":655},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":657,"component":658,"responsiveStyles":660},"builder-8dac1aa4b9d148628d92252bd8eff822",{"name":416,"tag":416,"options":659,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":661},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":663,"@type":106,"tagName":131,"properties":664,"responsiveStyles":665},"builder-pixel-s5u3wmvz7jq",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":666},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":668},{"path":37,"query":669},{},{},1770892814499,1745499162732,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F58b660fa94aa4b30b0faeb9b663ae41a","SfUPqW5tkibIPby49keNFMdHFTr1",[],{"lastPreviewUrl":677,"hasLinks":6,"originalContentId":259,"breakpoints":678,"winningTest":118,"kind":438,"hasAutosaves":41},"https://pushsecurity.com/uc/account-takeover-detection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepo
sitory%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.94bebb7bb99d48629ad157e80cf4d81d=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.use-case-page:/uc/account-takeover-detection=94bebb7bb99d48629ad157e80cf4d81d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":680,"id":681,"name":682,"modelId":261,"published":13,"query":683,"data":686,"variations":789,"lastUpdated":790,"firstPublished":791,"testRatio":33,"screenshot":792,"createdBy":34,"lastUpdatedBy":674,"folders":793,"meta":794,"rev":440},1745009370904,"23eb48fb56d3451cab77cb6ed140ee6d","Attack path hardening",[684],{"@type":264,"property":265,"operator":266,"value":685},"/uc/attack-path-hardening",{"tsCode":37,"seoDescription":687,"jsCode":37,"customFonts":688,"fontAwesomeIcon":693,"seoTitle":682,"title":682,"blocks":694,"url":685,"state":786},"Harden access paths with visibility, detection, and 
guardrails.",[689],{"kind":273,"files":690,"version":274,"lastModified":275,"subsets":691,"menu":296,"category":295,"variants":692,"family":272},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"regular":290,"italic":289,"800italic":285,"500italic":292,"600italic":294,"200italic":291,"900italic":286,"700italic":287,"100italic":288,"300italic":293},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"faRadar",[695,781],{"@type":106,"@version":107,"tagName":323,"id":696,"meta":697,"children":698},"builder-1d8553eddcaa44d7bba9e2f4ca13af2a",{"previousId":577},[699,715,722,729,738,748,758,768,775],{"@type":106,"@version":107,"id":700,"meta":701,"component":702,"responsiveStyles":713},"builder-84fe3d7c85a743cf8cef649aa974f1ef",{"previousId":581},{"name":327,"options":703,"isRSC":118},{"title":682,"description":704,"points":705,"video":712},"\u003Cp>Push continuously monitors your environment for exposed login paths, weak credentials, and missing protections like MFA. 
It detects the gaps attackers exploit and helps you close them before they’re used.\u003C/p>",[706,708,710],{"item":707},"Find weak spots like reused passwords, local logins, and missing MFA",{"item":709},"Monitor how users actually log in across apps, flows, and tools",{"item":711},"Enforce secure access with in-browser guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fdbdcf52892034f1bbddded77f753a343%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=dbdcf52892034f1bbddded77f753a343&alt=media&optimized=true",{"large":714},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":716,"meta":717,"component":718,"responsiveStyles":720},"builder-b3f66f5b08054cc78a06fecfc3ae2337",{"previousId":597},{"name":346,"options":719,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":721},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":723,"meta":724,"component":725,"responsiveStyles":727},"builder-4c73418b84be49ed85e6e13d2625c5a0",{"previousId":604},{"name":354,"options":726,"isRSC":118},{"darkMode":41},{"large":728},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":730,"component":731,"responsiveStyles":736},"builder-dec0246085e1485c803f7152b1922a81",{"name":359,"tag":359,"options":732,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":733,"description":734,"image":735,"reverse":6},"\u003Ch2>Find the gaps that lead to compromise\u003C/h2>","\u003Cp>Misconfigurations don’t show up in your config files, they show up in how users actually access apps. 
Push monitors real login behavior in the browser, surfacing risky patterns like local login access, duplicate accounts, or missing protections that leave doors wide open.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F309a59bba8d247a19476bb369397460e",{"large":737},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":739,"meta":740,"component":741,"responsiveStyles":746},"builder-ebf049a645604a249550996a88f8f3b6",{"previousId":620},{"name":373,"options":742,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":743,"description":744,"reverse":41,"image":745},"\u003Ch2>See real login behavior\u003C/h2>","\u003Cp>Push watches authentication flows as they happen, giving you a live view of how users log in, which methods they choose, and where protections like MFA are missing. Plus, uncover every app and account in use, even shadow IT you didn’t know existed, without relying on stale config files or IdP assumptions. \u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb51f6b0357cc451b87a7a5016d984e5e",{"large":747},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":749,"meta":750,"component":751,"responsiveStyles":756},"builder-431d175c59004669b0b2776b07d71737",{"previousId":630},{"name":373,"options":752,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":753,"description":754,"reverse":6,"image":755},"\u003Ch2>Find and fix posture drift\u003C/h2>","\u003Cp>Security posture isn’t static. Push continuously monitors for issues like missing MFA or legacy login methods. 
When something falls out of policy, you know immediately with custom notifications so you can act before it turns into risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F324e39127dfc41e592b1183dfb39892d",{"large":757},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":759,"meta":760,"component":761,"responsiveStyles":766},"builder-3dffdcbe0a484e2ca4c03f019b6d40ee",{"previousId":640},{"name":373,"options":762,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":763,"description":764,"reverse":41,"image":765},"\u003Ch2>Guide users with in-browser guardrails\u003C/h2>","\u003Cp>Push doesn’t just surface problems, it helps you fix them. When users sign in without MFA, reuse a password, or use insecure credentials, Push prompts them directly in the browser to secure their access. It’s faster, more effective, and actually gets 
results.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fee8b75d13e45488aba55434a8b49ebb0",{"large":767},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":769,"meta":770,"component":771,"responsiveStyles":773},"builder-976bc222cd7647ff905f1e01cfedc453",{"previousId":650},{"name":354,"options":772,"isRSC":118},{"darkMode":6},{"large":774},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":776,"component":777,"responsiveStyles":779},"builder-8c47ec2fd0f74382bb3e6c870555632c",{"name":416,"tag":416,"options":778,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":780},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":782,"@type":106,"tagName":131,"properties":783,"responsiveStyles":784},"builder-pixel-7akm7dayau8",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":785},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":787},{"path":37,"query":788},{},{},1770892844854,1745499166112,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6ca12bf728a045f1a31d40c0beb3bfe5",[],{"kind":438,"lastPreviewUrl":795,"breakpoints":796,"hasLinks":6,"originalContentId":562,"winningTest":118,"hasAutosaves":6},"https://pushsecurity.com/uc/attack-path-hardening?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&buil
der.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.23eb48fb56d3451cab77cb6ed140ee6d=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.use-case-page:/uc/attack-path-hardening=23eb48fb56d3451cab77cb6ed140ee6d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":798,"id":799,"name":800,"modelId":261,"published":13,"query":801,"data":804,"variations":909,"lastUpdated":910,"firstPublished":911,"testRatio":33,"screenshot":912,"createdBy":34,"lastUpdatedBy":674,"folders":913,"meta":914,"rev":440},1761675020232,"ea4f309d2ffe46c5aa97ebf0fda4e2e3","ClickFix Protection",[802],{"@type":264,"property":265,"operator":266,"value":803},"/uc/clickfix-protection",{"seoDescription":805,"fontAwesomeIcon":806,"customFonts":807,"seoTitle":812,"jsCode":37,"tsCode":37,"title":812,"blocks":813,"url":803,"state":906},"Block attacks that trick users into running malicious code.","faLaptopCode",[808],{"files":809,"subsets":810,"menu":296,"version":274,"kind":273,"family":272,"lastModified":275,"variants":811,"category":295},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"200italic":291,"800italic":285,"700italic":287,"600italic":294,"100italic":288,"italic":289,"regular":290,"300italic":293,"500italic":292,"900italic":286},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"ClickFix 
protection",[814,901],{"@type":106,"@version":107,"tagName":323,"id":815,"meta":816,"children":817},"builder-d7eefdde0f2a4b2b9de3dcb2978fd6cb",{"previousId":696},[818,834,841,848,858,868,878,888,895],{"@type":106,"@version":107,"id":819,"meta":820,"component":821,"responsiveStyles":832},"builder-56e2c54bcce040a4af8b92ae03706c12",{"previousId":700},{"name":327,"options":822,"isRSC":118},{"title":812,"description":823,"points":824,"image":831},"\u003Cp>ClickFix attacks are one of the fastest-growing threats, tricking users into copying malicious code from a webpage and running it locally. This technique bypasses traditional EDR, email gateways, and network filters, leading directly to ransomware and data theft. Push stops this attack at the source, in the browser, by detecting and blocking the malicious behavior before the user can ever paste the code.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[825,827,829],{"item":826},"Detect ClickFix, FileFix, and fake CAPTCHA in the browser",{"item":828},"Block malicious copy-and-paste actions before code is executed",{"item":830},"See full telemetry into which users were targeted and what they 
saw","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b74af62889847ebb3927364485b0546",{"large":833},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":835,"meta":836,"component":837,"responsiveStyles":839},"builder-05f9614d4e3e4dc88b3ee8658f54e10e",{"previousId":716},{"name":346,"options":838,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":840},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":842,"meta":843,"component":844,"responsiveStyles":846},"builder-c4fb5179366243c1b6c32d368675cf47",{"previousId":723},{"name":354,"options":845,"isRSC":118},{"darkMode":41},{"large":847},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":849,"meta":850,"component":851,"responsiveStyles":856},"builder-261af50705fd445d8cca4a6ba20d5391",{"previousId":730},{"name":359,"tag":359,"options":852,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":853,"description":854,"reverse":6,"image":855},"\u003Ch2>Stop ClickFix-style attacks before they become a breach\u003C/h2>","\u003Cp>Traditional security tools are blind to malicious copy and paste attacks because the attack exploits a gap between the browser and the endpoint. 
EDR only sees the payload after it runs, and network tools see only part of the picture.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F98b2f7e08dec4eafaf8e24937605b8cf",{"large":857},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":859,"meta":860,"component":861,"responsiveStyles":866},"builder-7d21b8aab8064c40b1e5dd23c4749309",{"previousId":739},{"name":373,"options":862,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":863,"description":864,"reverse":41,"image":865},"\u003Ch2>Discover lures at the source\u003C/h2>","\u003Cp>Push inspects page behavior to identify ClickFix attacks as they happen. By inspecting the page, its structure, and how the user interacts with it, Push can detect and block these in-browser threats in real time. This deep, TTP-based inspection spots the trap even on novel pages that are built to bypass traditional web filters and blocklists.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F665bf47e01544c75bf9ddafd3917927b",{"large":867},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":869,"meta":870,"component":871,"responsiveStyles":876},"builder-fb91943adf6149259ed9e1e6566c9afe",{"previousId":749},{"name":373,"options":872,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":873,"description":874,"reverse":6,"image":875},"\u003Ch2>Block the malicious action\u003C/h2>","\u003Cp>When Push detects a malicious script, it intercepts the user's action and blocks the code from being copied to the clipboard. The user is protected, the attack is stopped, and no malicious code ever reaches the endpoint. 
Unlike broad DLP tools, this action is surgical, targeting only malicious behavior without disrupting normal work.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F5ee68f81f1ac416685cbfe91298cf827",{"large":877},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":879,"meta":880,"component":881,"responsiveStyles":886},"builder-bfac95fada864e5a8259b955b5b5f98b",{"previousId":759},{"name":373,"options":882,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":883,"description":884,"reverse":41,"image":885},"\u003Ch2>Accelerate ClickFix investigations\u003C/h2>","\u003Cp>When an attack happens, knowing what the user saw or did is critical. Push provides rich browser session data for rapid investigation and containment. Security teams get detailed telemetry on which users were targeted, what lure they were served, and when the block occurred. 
This enables defenders to reconstruct what happened and respond quickly, even when other tools miss the activity entirely.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6cdf2a8aeddc4e9a9023cbf974e40239",{"large":887},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":889,"meta":890,"component":891,"responsiveStyles":893},"builder-136892e831684a6987f87d3be67c33d1",{"previousId":769},{"name":354,"options":892,"isRSC":118},{"darkMode":6},{"large":894},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":896,"component":897,"responsiveStyles":899},"builder-dec26b739f2f42beb5a73cfc6c675b60",{"name":416,"tag":416,"options":898,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":900},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":902,"@type":106,"tagName":131,"properties":903,"responsiveStyles":904},"builder-pixel-zzjpxxgrc2l",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":905},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":907},{"path":37,"query":908},{},{},1770892881888,1761847585203,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F375467b8bef34ed1a8a1cc5b8b67d75f",[],{"lastPreviewUrl":915,"originalContentId":681,"winningTest":118,"hasLinks":6,"kind":438,"breakpoints":916,"hasAutosaves":6},"https://pushsecurity.com/uc/clickfix-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.u
ser.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.ea4f309d2ffe46c5aa97ebf0fda4e2e3=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.use-case-page:/uc/clickfix-protection=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":918,"id":919,"name":920,"modelId":261,"published":13,"query":921,"data":924,"variations":1029,"lastUpdated":1030,"firstPublished":1031,"testRatio":33,"screenshot":1032,"createdBy":34,"lastUpdatedBy":674,"folders":1033,"meta":1034,"rev":440},1745009743870,"a9d5556e77f84a37b5bd52310a7110c1","Incident response",[922],{"@type":264,"property":265,"operator":266,"value":923},"/uc/incident-response",{"seoDescription":925,"customFonts":926,"title":920,"jsCode":37,"fontAwesomeIcon":931,"seoTitle":932,"tsCode":37,"blocks":933,"url":923,"state":1026},"Investigate and respond faster with unique browser telemetry.",[927],{"kind":273,"subsets":928,"menu":296,"variants":929,"category":295,"family":272,"version":274,"lastModified":275,"files":930},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"900italic":286,"600italic":294,"200italic":291,"300italic":293,"100italic":288,"700italic":287,"800italic":285,"regular":290,"italic":289,"500italic":292},"faSatelliteDish","Browser-based incident 
response",[934,1021],{"@type":106,"@version":107,"tagName":323,"id":935,"meta":936,"children":937},"builder-653c4aed737b4def88dc4cd2d695660a",{"previousId":696},[938,955,962,969,978,988,998,1008,1015],{"@type":106,"@version":107,"id":939,"meta":940,"component":941,"responsiveStyles":953},"builder-18190bd36518467d9154d27d7e945b9b",{"previousId":700},{"name":327,"options":942,"isRSC":118},{"title":943,"description":944,"points":945,"video":952},"Browser-based incident response","\u003Cp>Push gives you real-time visibility into what actually happened during a breach, right in the browser where the attack played out. From credential theft to session hijacking, Push captures high-fidelity telemetry so you can investigate quickly, contain confidently, and shut it down before it spreads.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[946,948,950],{"item":947},"Reconstruct what happened with real browser session context",{"item":949},"Investigate faster with real-world session context",{"item":951},"Trigger response actions automatically through your SIEM or 
SOAR","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fd00e39d3b6e346c296261d875cf55652%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=d00e39d3b6e346c296261d875cf55652&alt=media&optimized=true",{"large":954},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":956,"meta":957,"component":958,"responsiveStyles":960},"builder-8a0a8ea63f5d48dd8a6726f2d49cf0ca",{"previousId":716},{"name":346,"options":959,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":961},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":963,"meta":964,"component":965,"responsiveStyles":967},"builder-2df65c3f54334df2b26e7cb744886cdc",{"previousId":723},{"name":354,"options":966,"isRSC":118},{"darkMode":41},{"large":968},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":970,"component":971,"responsiveStyles":976},"builder-2c32c869efc2423ab69ef06b150e9f97",{"name":359,"tag":359,"options":972,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":973,"description":974,"image":975,"reverse":6},"\u003Ch2>See attacks unfold, not just their aftermath\u003C/h2>","\u003Cp>Attacks happen in the browser, not in logs. Push captures what traditional tools miss: what users clicked, what loaded, what was entered, and how attackers moved. 
That gives you real-world evidence, not just assumptions, when every second matters.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F36fc719bd1de4a38b916f4d25c81a26d",{"large":977},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":979,"meta":980,"component":981,"responsiveStyles":986},"builder-370e53c6016e432db01e9193a2ce90f6",{"previousId":739},{"name":373,"options":982,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":983,"description":984,"reverse":41,"image":985},"\u003Ch2>Investigate faster with high-fidelity data\u003C/h2>","\u003Cp>Reconstructing an incident shouldn’t feel like guesswork. Push records detailed telemetry from inside the browser: page loads, credential inputs, DOM changes, session activity, user behavior. It’s structured, exportable, and ready to plug into your investigation workflows, so you can move fast without digging through proxy logs or relying on user reports.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa6adda040e684e67a8d68a55c5ce5f6d",{"large":987},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":989,"meta":990,"component":991,"responsiveStyles":996},"builder-a7f3767a8d184bd08fb24520bf210e95",{"previousId":749},{"name":373,"options":992,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":993,"description":994,"reverse":6,"image":995},"\u003Ch2>Contain and respond in real time\u003C/h2>","\u003Cp>When something looks off, Push doesn’t just alert you, it gives you options. Guide users with in-browser prompts. Terminate sessions. Trigger SOAR workflows. Enrich SIEM alerts. 
Push gives you the context and control to stop spread before it starts.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb3dedeed5aba4847a2c2d22e10d0ec12",{"large":997},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":999,"meta":1000,"component":1001,"responsiveStyles":1006},"builder-b92036ee0ece4b32acdbdcc7c377366b",{"previousId":759},{"name":373,"options":1002,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1003,"description":1004,"reverse":41,"image":1005},"\u003Ch2>Prevent the next one\u003C/h2>","\u003Cp>Push helps you respond fast, but it also helps you fix what went wrong. It surfaces misconfigurations and risky behaviors that made the attack possible in the first place, then guides users in-browser to remediate. One tool. Full loop. No loose ends.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc1ecc2d5d3814b62b072fac01827ff96",{"large":1007},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1009,"meta":1010,"component":1011,"responsiveStyles":1013},"builder-5e8ae39655274de89da32ab573a2525a",{"previousId":769},{"name":354,"options":1012,"isRSC":118},{"darkMode":6},{"large":1014},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1016,"component":1017,"responsiveStyles":1019},"builder-dfd6850cfb4741d2b8a0c16c2780f00a",{"name":416,"tag":416,"options":1018,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1020},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1022,"@type":106,"tagName":131,"properties":1023,"responsiveStyles":1024},"builder-pixel-z197gdgcmu",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"lar
ge":1025},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1027},{"path":37,"query":1028},{},{},1770892908052,1745427419274,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb07017bfd318431690a5bb35bda35b99",[],{"kind":438,"breakpoints":1035,"originalContentId":681,"winningTest":118,"lastPreviewUrl":1036,"hasLinks":6,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/incident-response?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.a9d5556e77f84a37b5bd52310a7110c1=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.use-case-page:/uc/incident-response=a9d5556e77f84a37b5bd52310a7110c1&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"createdDate":1038,"id":1039,"name":1040,"modelId":261,"published":13,"query":1041,"data":1044,"variations":1149,"lastUpdated":1150,"firstPublished":1151,"testRatio":33,"screenshot":1152,"createdBy":34,"lastUpdatedBy":674,"folders":1153,"meta":1154,"rev":440},1746122471259,"5f118e24433d46ceb79f5099987156d7","Shadow SaaS",[1042],{"@type":264,"property":265,"operator":266,"value":1043},"/uc/shadow-saas",{"seoTitle":1045,"seoDescription":1046,"customFonts":1047,"fontAwesomeIcon":1052,"title":1053,"jsCode":37,"tsCode":37,"blocks":1054,"url":1043,"state":1146},"Find and secure shadow SaaS","See and 
control shadow SaaS in the browser.",[1048],{"kind":273,"variants":1049,"files":1050,"family":272,"version":274,"subsets":1051,"lastModified":275,"category":295,"menu":296},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"300italic":293,"500italic":292,"regular":290,"900italic":286,"italic":289,"100italic":288,"200italic":291,"600italic":294,"700italic":287,"800italic":285},[298,299],"faShieldCheck","Secure shadow SaaS",[1055,1141],{"@type":106,"@version":107,"tagName":323,"id":1056,"meta":1057,"children":1058},"builder-04da805c4cd34652a2db452fcda52e1d",{"previousId":935},[1059,1075,1082,1089,1098,1108,1118,1128,1135],{"@type":106,"@version":107,"id":1060,"meta":1061,"component":1062,"responsiveStyles":1073},"builder-830d414faeaf41439142f9157e8288c8",{"previousId":939},{"name":327,"options":1063,"isRSC":118},{"title":1045,"description":1064,"points":1065,"video":1072},"\u003Cp>SaaS sprawl is one of today’s fastest-growing security blind spots because most tools monitor around the edges. Push sees it at the source, in the browser, revealing every app users access, flagging risky tools, and helping you shut down exposure before it leads to a breach. No guesswork. No nasty surprises. 
Just real-time visibility and control.\u003C/p>",[1066,1068,1070],{"item":1067},"Discover every SaaS app users access, managed or not",{"item":1069},"Spot accounts with weak security postures like missing MFA, unmanaged access, and no SSO",{"item":1071},"Control usage with in-browser prompts, blocks, and security guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F3e4eece318d04d6586e691d59d0741cf%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=3e4eece318d04d6586e691d59d0741cf&alt=media&optimized=true",{"large":1074},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":1076,"meta":1077,"component":1078,"responsiveStyles":1080},"builder-cd7833f966cb4c7e8adf0d6c979414a6",{"previousId":956},{"name":346,"options":1079,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":1081},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":1083,"meta":1084,"component":1085,"responsiveStyles":1087},"builder-49d720b45430454e8b08c526f267c19f",{"previousId":963},{"name":354,"options":1086,"isRSC":118},{"darkMode":41},{"large":1088},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1090,"component":1091,"responsiveStyles":1096},"builder-3dde0bf6c8544e5e9ab41b18a9d68034",{"name":359,"tag":359,"options":1092,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":1093,"description":1094,"image":1095,"reverse":6},"\u003Ch2>Use your browser to curb SaaS sprawl\u003C/h2>","\u003Cp>Shadow SaaS isn’t hiding in your network, it’s in your browser. From AI tools to unsanctioned file-sharing sites, security risks live in the apps your users sign into every day. 
Push maps your organization's true SaaS footprint in real time, exposing apps and accounts with unmanaged access, poor authentication, or no security oversight.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb6811a214c7949b6bbe0b9a3bca62efd",{"large":1097},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1099,"meta":1100,"component":1101,"responsiveStyles":1106},"builder-e2420451ccdc4f088d0a4904cff45935",{"previousId":979},{"name":373,"options":1102,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":1103,"description":1104,"reverse":41,"image":1105},"\u003Ch2>Discover hidden SaaS usage\u003C/h2>","\u003Cp>Push captures live browser telemetry across every tab and session. Whether a user signs into a sanctioned app with a personal account or tries a new AI plugin, you’ll see it in real time, with no integrations or manual tagging.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe16e301f9af94665b95d98232a863d8a",{"large":1107},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":1109,"meta":1110,"component":1111,"responsiveStyles":1116},"builder-b36de7fce7994beea9e58d94662e7166",{"previousId":989},{"name":373,"options":1112,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":1113,"description":1114,"reverse":6,"image":1115},"\u003Ch2>Spot risky access and unsafe usage\u003C/h2>","\u003Cp>Discovery is just the beginning. Push flags apps with risky traits, no MFA, no SSO, known vulnerabilities, or broad access scopes. 
You’ll know which tools introduce real risk, and which users are exposed so you can act with precision.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6585f3c242da4d70ae3cb7d02f481bef",{"large":1117},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":1119,"meta":1120,"component":1121,"responsiveStyles":1126},"builder-dc366b5134684fe7a508edf8913103ea",{"previousId":999},{"name":373,"options":1122,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1123,"description":1124,"reverse":41,"image":1125},"\u003Ch2>Close gaps before they grow\u003C/h2>","\u003Cp>Push turns insight into action. When risky SaaS use is detected, guide users to enable MFA, block high-risk apps, or apply in-browser guardrails automatically. All without deploying new infrastructure or managing dozens of integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe6d60b6d91414819bc6258a318f00557",{"large":1127},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1129,"meta":1130,"component":1131,"responsiveStyles":1133},"builder-8708f6f0d8da4b3f9e17bf16cda70219",{"previousId":1009},{"name":354,"options":1132,"isRSC":118},{"darkMode":6},{"large":1134},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1136,"component":1137,"responsiveStyles":1139},"builder-8ff4b38d60534cf28cb523ab0f754875",{"name":416,"tag":416,"options":1138,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1140},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1142,"@type":106,"tagName":131,"properties":1143,"responsiveStyles":1144},"builder-pixel-d1ul2kmxbed",{"src":133,"aria-hidden":134,"alt":37,"role":135,"w
idth":124,"height":124},{"large":1145},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1147},{"path":37,"query":1148},{},{},1770892936802,1746714967208,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01bfb2304521412fbd2e1a1180904d40",[],{"originalContentId":919,"winningTest":118,"lastPreviewUrl":1155,"breakpoints":1156,"kind":438,"hasLinks":6,"hasAutosaves":6},"https://pushsecurity.com/uc/shadow-saas?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=5f118e24433d46ceb79f5099987156d7&builder.overrides.5f118e24433d46ceb79f5099987156d7=5f118e24433d46ceb79f5099987156d7&builder.overrides.use-case-page:/uc/shadow-saas=5f118e24433d46ceb79f5099987156d7&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":1158,"id":1159,"name":1160,"modelId":261,"published":13,"query":1161,"data":1164,"variations":1268,"lastUpdated":1269,"firstPublished":1270,"testRatio":33,"screenshot":1271,"createdBy":34,"lastUpdatedBy":674,"folders":1272,"meta":1273,"rev":440},1764707470172,"b62629ce2f3741158d961cd10fe74b31","Shadow AI",[1162],{"@type":264,"property":265,"operator":266,"value":1163},"/uc/shadow-ai",{"fontAwesomeIcon":1165,"seoTitle":1166,"jsCode":37,"customFonts":1167,"title":1172,"tsCode":37,"seoDescription":1173,"blocks":1174,"url":1163,"state":1265},"faBrainCircuit","Secure AI 
native and AI enhanced apps. ",[1168],{"variants":1169,"category":295,"files":1170,"subsets":1171,"family":272,"kind":273,"menu":296,"lastModified":275,"version":274},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"800italic":285,"regular":290,"700italic":287,"200italic":291,"italic":289,"500italic":292,"600italic":294,"300italic":293,"100italic":288,"900italic":286},[298,299],"Secure shadow AI","See and control shadow AI apps in the browser.",[1175,1260],{"@type":106,"@version":107,"tagName":323,"id":1176,"meta":1177,"children":1178},"builder-a6e5717a2c914d5695058e4ee201a05d",{"previousId":1056},[1179,1195,1202,1209,1219,1228,1237,1247,1254],{"@type":106,"@version":107,"id":1180,"meta":1181,"component":1182,"responsiveStyles":1193},"builder-3e0ed678683f4a0eb7aa00253cf263b2",{"previousId":1060},{"name":327,"options":1183,"isRSC":118},{"title":1172,"description":1184,"points":1185,"image":1192},"\u003Cp>Your employees are adopting AI faster than you can track it. From native features in corporate apps to unapproved shadow tools, it’s all happening in the browser. 
Push detects every AI interaction in real time, letting you categorize apps and enforce acceptable use policies in the browser.\u003C/p>",[1186,1188,1190],{"item":1187},"Map every AI tool used across your workforce",{"item":1189},"Review and classify apps by sensitivity, purpose, and policy status",{"item":1191},"Enforce AI usage rules directly in the browser","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F33cf153d920f4e389f3650253577cff7",{"large":1194},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":1196,"meta":1197,"component":1198,"responsiveStyles":1200},"builder-76968f8471d14893b8189d75b08fb426",{"previousId":1076},{"name":346,"options":1199,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":1201},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":1203,"meta":1204,"component":1205,"responsiveStyles":1207},"builder-b55b9d4bc5a649d8839ce7f6c2043d95",{"previousId":1083},{"name":354,"options":1206,"isRSC":118},{"darkMode":41},{"large":1208},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1210,"meta":1211,"component":1212,"responsiveStyles":1217},"builder-c3f38ef4d75d4989a29b5903175ed8a1",{"previousId":1090},{"name":359,"tag":359,"options":1213,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":1214,"description":1215,"image":1216,"reverse":6},"\u003Ch2>Use your browser to govern AI \u003C/h2>","\u003Cp>The AI footprint inside your company is bigger than you think. From text generators to meeting assistants and design copilots, employees test, adopt, and connect new tools constantly. 
Push shows you those tools and which users are accessing them, without relying on network scans or API integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F30b43bda6f1644c19478fb1efa20050c",{"large":1218},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1220,"meta":1221,"component":1222,"responsiveStyles":1226},"builder-90ee9cb9afc44e7f885523715bf51a53",{"previousId":1099},{"name":373,"options":1223,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":1224,"description":1225,"reverse":41,"image":1115},"\u003Ch2>Discover every AI tool users touch\u003C/h2>","\u003Cp>Push captures live telemetry from the browser, identifying every AI-native and AI-enhanced application users access. You’ll know which corporate identities are connected, how data flows, and what new AI apps appear across your environment. \u003C/p>",{"large":1227},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":1229,"meta":1230,"component":1231,"responsiveStyles":1235},"builder-9e44539fa53c4d8e87406036c921fc46",{"previousId":1109},{"name":373,"options":1232,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":1233,"description":1234,"reverse":6,"image":1125},"\u003Ch2>Classify and manage AI risk\u003C/h2>","\u003Cp>For apps you choose to allow, Push lets you apply custom in-browser banners. You can bulk-select categories of AI tools and require users to read and acknowledge your acceptable use policy before they proceed. 
This creates an auditable trail and moves policy from an easy to forget document to an active, in-workflow control.\u003C/p>",{"large":1236},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":1238,"meta":1239,"component":1240,"responsiveStyles":1245},"builder-44c1a891926f4bdeaaa37e90721fe6ac",{"previousId":1119},{"name":373,"options":1241,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1242,"description":1243,"reverse":41,"image":1244},"\u003Ch2>Enforce your AI policy in the browser\u003C/h2>","\u003Cp>When an AI tool is deemed non-compliant or too risky, Push blocks it at the source. The block happens directly in the browser, preventing the user from accessing the site or submitting data. This gives you an immediate, powerful lever to stop data exfiltration and enforce a hard line on unacceptable risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa359ac1805af4e15a8a7f84632b9bb55",{"large":1246},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1248,"meta":1249,"component":1250,"responsiveStyles":1252},"builder-dcc906f9cbe54dc68b3c672668e7a38f",{"previousId":1129},{"name":354,"options":1251,"isRSC":118},{"darkMode":6},{"large":1253},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1255,"component":1256,"responsiveStyles":1258},"builder-d2d64780c31b4349bc75805b23a07e38",{"name":416,"tag":416,"options":1257,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1259},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1261,"@type":106,"tagName":131,"properties":1262,"responsiveStyles":1263},"builder-pixel-wxx9tk70r9p",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124
},{"large":1264},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1266},{"path":37,"query":1267},{},{},1770892957225,1764950077593,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe558b8b069884037a8e6904f7ecc029c",[],{"winningTest":118,"breakpoints":1274,"originalContentId":1039,"kind":438,"lastPreviewUrl":1275,"hasLinks":6,"hasAutosaves":41},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/shadow-ai?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=b62629ce2f3741158d961cd10fe74b31&builder.overrides.b62629ce2f3741158d961cd10fe74b31=b62629ce2f3741158d961cd10fe74b31&builder.overrides.use-case-page:/uc/shadow-ai=b62629ce2f3741158d961cd10fe74b31&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"_path":1277,"_dir":1278,"_draft":6,"_partial":6,"_locale":37,"sys":1279,"summary":1282,"title":1296,"subtitle":118,"metaTitle":1297,"synopsis":1298,"hashTags":118,"publishedDate":1299,"slug":1300,"ogImage":1301,"tagsCollection":1303,"authorsCollection":1313,"content":1321,"relatedBlogPostsCollection":2702,"_id":4780,"_type":4781,"_source":4782,"_file":4783,"_stem":4784,"_extension":4781},"/blog/how-to-prevent-account-takeover-with-push","blog",{"id":1280,"publishedAt":1281},"489LTCEVau7lh88tLgSPX5","2026-01-30T09:07:58.206Z",{"json":1283},{"data":1284,"content":1285,"nodeType":1295},{},[1286],{"data":1287
,"content":1288,"nodeType":1294},{},[1289],{"data":1290,"marks":1291,"value":1292,"nodeType":1293},{},[],"How Push controls stop attackers from using identity attack tools and techniques to compromise your employee user accounts. ","text","paragraph","document","Hackers don’t hack in, they log in: How to prevent account takeover with Push","Preventing account takeover with Push","How Push stops attackers from using identity attack tools and techniques to compromise your employee user accounts. ","2024-08-19T00:00:00.000Z","how-to-prevent-account-takeover-with-push",{"url":1302},"https://images.ctfassets.net/y1cdw1ablpvd/5K3kIkyFYdd3xFbOLAS7wd/ec2986c842a7c48a7b82e3bfcd19277d/Slide_16_9_-_40__1_.png",{"items":1304},[1305,1309],{"sys":1306,"name":1308},{"id":1307},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"sys":1310,"name":1312},{"id":1311},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"items":1314},[1315],{"fullName":1316,"firstName":1317,"jobTitle":1318,"profilePicture":1319},"Alex Henshall","Alex","Product Team",{"url":1320},"https://images.ctfassets.net/y1cdw1ablpvd/2rz3Pre3b1MexPIQ4hzPUe/0ef8a092b7e7df00fbce3f7d1ccb96d1/Alex_Henshall.jpeg",{"json":1322,"links":2568},{"nodeType":1295,"data":1323,"content":1324},{},[1325,1332,1354,1361,1370,1377,1410,1416,1422,1429,1436,1442,1449,1469,1477,1484,1490,1497,1504,1555,1575,1582,1589,1596,1602,1609,1616,1624,1631,1638,1645,1657,1663,1670,1689,1709,1716,1723,1743,1750,1768,1775,1828,1835,1854,1861,1867,1884,1903,1910,1930,1937,1943,1950,1969,1976,1983,1989,1996,2003,2010,2017,2023,2030,2037,2044,2051,2057,2064,2071,2083,2099,2106,2113,2181,2188,2195,2202,2209,2216,2223,2230,2237,2256,2263,2269,2276,2282,2289,2296,2303,2309,2316,2323,2330,2363,2370,2377,2384,2391,2398,2405,2412,2419,2467,2473,2480,2524,2530,2537,2556,2562],{"nodeType":1294,"data":1326,"content":1327},{},[1328],{"nodeType":1293,"value":1329,"marks":1330,"data":1331},"The last time “hacking” topped the attacker actions chart in a Verizon DBIR, 
GameStop was being saved by Redditors, ChatGPT didn’t exist, and Will Smith was welcome at the Oscars. ",[],{},{"nodeType":1294,"data":1333,"content":1334},{},[1335,1339,1350],{"nodeType":1293,"value":1336,"marks":1337,"data":1338},"That’s right, it was back in the ",[],{},{"nodeType":1340,"data":1341,"content":1343},"hyperlink",{"uri":1342},"https://www.verizon.com/business/resources/reports/dbir/2021/masters-guide/",[1344],{"nodeType":1293,"value":1345,"marks":1346,"data":1349},"2021 DBIR",[1347],{"type":1348},"underline",{},{"nodeType":1293,"value":1351,"marks":1352,"data":1353}," that good old-fashioned hacking was the thing hackers did the most. ",[],{},{"nodeType":1294,"data":1355,"content":1356},{},[1357],{"nodeType":1293,"value":1358,"marks":1359,"data":1360},"In every report since, stolen credentials have been the most common “select way-in” (weird term, I know). In this year’s DBIR, stolen credentials accounted for roughly half of the breaches recorded. ",[],{},{"nodeType":1362,"data":1363,"content":1369},"embedded-entry-block",{"target":1364},{"sys":1365},{"id":1366,"type":1367,"linkType":1368},"16WQ5Siz92HZKCjDsxWBdr","Link","Entry",[],{"nodeType":1294,"data":1371,"content":1372},{},[1373],{"nodeType":1293,"value":1374,"marks":1375,"data":1376},"These stats, along with others like CrowdStrike’s widely cited “80% of attacks involve identity and compromised credentials,” continue to prove that “hackers don’t hack in, they log in.” ",[],{},{"nodeType":1294,"data":1378,"content":1379},{},[1380,1384,1393,1397,1406],{"nodeType":1293,"value":1381,"marks":1382,"data":1383},"In the last year, more stories behind those statistics have started to emerge with a series of high-profile “no-hack” identity attacks hitting the headlines – the most recent being the 
",[],{},{"nodeType":1340,"data":1385,"content":1387},{"uri":1386},"https://pushsecurity.com/resources/video/snowflake-the-tip-of-the-iceberg/",[1388],{"nodeType":1293,"value":1389,"marks":1390,"data":1392},"Snowflake incident",[1391],{"type":1348},{},{"nodeType":1293,"value":1394,"marks":1395,"data":1396},". You can read more about that breach and others in our repository of ",[],{},{"nodeType":1340,"data":1398,"content":1400},{"uri":1399},"https://pushsecurity.com/blog/identity-attacks-in-the-wild/",[1401],{"nodeType":1293,"value":1402,"marks":1403,"data":1405},"identity attacks in the wild",[1404],{"type":1348},{},{"nodeType":1293,"value":1407,"marks":1408,"data":1409}," where we take a deep dive into the techniques attackers have been using. ",[],{},{"nodeType":1362,"data":1411,"content":1415},{"target":1412},{"sys":1413},{"id":1414,"type":1367,"linkType":1368},"6QY3hnMLMJvnk6zYHYa6pf",[],{"nodeType":1362,"data":1417,"content":1421},{"target":1418},{"sys":1419},{"id":1420,"type":1367,"linkType":1368},"7oAUuhbwgEH5XnDZrm5Zk9",[],{"nodeType":1294,"data":1423,"content":1424},{},[1425],{"nodeType":1293,"value":1426,"marks":1427,"data":1428},"Why should they go to the effort of targeting hardened and well-monitored attack surfaces like networks and endpoints with 0-day exploits or EDR-evading malware, when they can instead simply take a set of stolen credentials and fire them at popular business apps to see which pop open?",[],{},{"nodeType":1294,"data":1430,"content":1431},{},[1432],{"nodeType":1293,"value":1433,"marks":1434,"data":1435},"Taking over an account is the equivalent of compromising an endpoint or getting a foothold on a web-facing server. From this point, an attacker can move laterally, escalate their privileges, and achieve their objective of deploying ransomware, stealing data or disrupting business-critical systems. 
",[],{},{"nodeType":1362,"data":1437,"content":1441},{"target":1438},{"sys":1439},{"id":1440,"type":1367,"linkType":1368},"3vdbE3kqFxvhE145q2CwOy",[],{"nodeType":1294,"data":1443,"content":1444},{},[1445],{"nodeType":1293,"value":1446,"marks":1447,"data":1448},"The data shows that account takeover, whether it’s using stolen credentials or session tokens, is now the route of least resistance for attackers, and the #1 attack vector for security teams to defend against.",[],{},{"nodeType":1294,"data":1450,"content":1451},{},[1452,1456,1465],{"nodeType":1293,"value":1453,"marks":1454,"data":1455},"I’m sure you already use a number of tools to secure your workforce identities – MFA, SSO, EDR, etc., and all of them have an important role to play. That said, they also have limitations that attackers are exploiting. We’ve laid out some of the ",[],{},{"nodeType":1340,"data":1457,"content":1459},{"uri":1458},"https://pushsecurity.com/blog/5-reasons-why-push-security-shouldnt-exist/",[1460],{"nodeType":1293,"value":1461,"marks":1462,"data":1464},"typical misconceptions that can undermine an identity security strategy",[1463],{"type":1348},{},{"nodeType":1293,"value":1466,"marks":1467,"data":1468}," so you can avoid the common pitfalls and achieve defense in depth.",[],{},{"nodeType":1470,"data":1471,"content":1472},"heading-1",{},[1473],{"nodeType":1293,"value":1474,"marks":1475,"data":1476},"Push vs. account takeover techniques",[],{},{"nodeType":1294,"data":1478,"content":1479},{},[1480],{"nodeType":1293,"value":1481,"marks":1482,"data":1483},"In this article, we’re going to show you how to use Push to bolster your identity security strategy and prevent account takeover. 
More specifically, we’ll cover how Push prevents, detects, and blocks some of the common attack techniques seen in this account takeover attack chain:",[],{},{"nodeType":1362,"data":1485,"content":1489},{"target":1486},{"sys":1487},{"id":1488,"type":1367,"linkType":1368},"1FPMzCU0mBgpg1GMSz1sJH",[],{"nodeType":1294,"data":1491,"content":1492},{},[1493],{"nodeType":1293,"value":1494,"marks":1495,"data":1496},"Push uses browser data collected by our browser agent to either detect the attack techniques directly, or identify the vulnerabilities being exploited. Upon making a detection, the browser agent enforces a relevant security control to either block the attack or prevent the user from introducing a vulnerability.",[],{},{"nodeType":1294,"data":1498,"content":1499},{},[1500],{"nodeType":1293,"value":1501,"marks":1502,"data":1503},"If you’re wondering why we’ve opted to build our tool in the browser, the short answer is that being in the browser gives us:",[],{},{"nodeType":1505,"data":1506,"content":1507},"unordered-list",{},[1508,1525,1540],{"nodeType":1509,"data":1510,"content":1511},"list-item",{},[1512],{"nodeType":1294,"data":1513,"content":1514},{},[1515,1521],{"nodeType":1293,"value":1516,"marks":1517,"data":1520},"The broadest visibility",[1518],{"type":1519},"bold",{},{"nodeType":1293,"value":1522,"marks":1523,"data":1524}," across all workforce identities, including unmanaged identities outside your IdP.",[],{},{"nodeType":1509,"data":1526,"content":1527},{},[1528],{"nodeType":1294,"data":1529,"content":1530},{},[1531,1536],{"nodeType":1293,"value":1532,"marks":1533,"data":1535},"The best telemetry",[1534],{"type":1519},{},{"nodeType":1293,"value":1537,"marks":1538,"data":1539}," for detecting identity attack TTPs and tools.",[],{},{"nodeType":1509,"data":1541,"content":1542},{},[1543],{"nodeType":1294,"data":1544,"content":1545},{},[1546,1551],{"nodeType":1293,"value":1547,"marks":1548,"data":1550},"The perfect enforcement 
point",[1549],{"type":1519},{},{"nodeType":1293,"value":1552,"marks":1553,"data":1554}," for stopping attacker actions or risky employee actions in real time. ",[],{},{"nodeType":1294,"data":1556,"content":1557},{},[1558,1562,1571],{"nodeType":1293,"value":1559,"marks":1560,"data":1561},"If you want a more detailed technical explanation, you can read this article by Dan on ",[],{},{"nodeType":1340,"data":1563,"content":1565},{"uri":1564},"https://pushsecurity.com/blog/the-web-proxy-is-dead-long-live-the-browser-extension/",[1566],{"nodeType":1293,"value":1567,"marks":1568,"data":1570},"why browser data is a better source of telemetry for detecting identity attacks than network, IdP and app logs",[1569],{"type":1348},{},{"nodeType":1293,"value":1572,"marks":1573,"data":1574},".",[],{},{"nodeType":1294,"data":1576,"content":1577},{},[1578],{"nodeType":1293,"value":1579,"marks":1580,"data":1581},"Now we’ve cleared that up, let's look at some account takeover techniques.",[],{},{"nodeType":1470,"data":1583,"content":1584},{},[1585],{"nodeType":1293,"value":1586,"marks":1587,"data":1588},"Part 1: Phishing (including AitM and BitM toolkits)",[],{},{"nodeType":1294,"data":1590,"content":1591},{},[1592],{"nodeType":1293,"value":1593,"marks":1594,"data":1595},"Phishing has been around since forever and there’s a mature category of solutions that are designed to detect and prevent it. But despite solutions like security awareness training, phishing domain detection services and email filtering tools, phishing is still one of the top breach vectors. 
",[],{},{"nodeType":1362,"data":1597,"content":1601},{"target":1598},{"sys":1599},{"id":1600,"type":1367,"linkType":1368},"4urh9lIuo0ePgVIJZNtP2B",[],{"nodeType":1294,"data":1603,"content":1604},{},[1605],{"nodeType":1293,"value":1606,"marks":1607,"data":1608},"We’ve all been conditioned to think about phishing as something that happens over email, but it’s actually the browser where most of the action happens, regardless of the initial delivery channel. Push’s position in the browser gives you the ideal vantage point for detecting and stopping phishing attacks.",[],{},{"nodeType":1294,"data":1610,"content":1611},{},[1612],{"nodeType":1293,"value":1613,"marks":1614,"data":1615},"The Push browser agent performs both passive observation and active interrogation in order to detect employees having their passwords harvested or visiting cloned app login pages or pages using AitM/BitM toolkits. Phishing attacks are detected in real time so Push blocks them before your employees can enter their credentials.",[],{},{"nodeType":1617,"data":1618,"content":1619},"heading-2",{},[1620],{"nodeType":1293,"value":1621,"marks":1622,"data":1623},"Detecting phishing through user behavior",[],{},{"nodeType":1294,"data":1625,"content":1626},{},[1627],{"nodeType":1293,"value":1628,"marks":1629,"data":1630},"Rather than trying to detect phishing websites and domains that constantly change, Push detects and blocks phishing attempts based on observing user behavior in the browser.",[],{},{"nodeType":1294,"data":1632,"content":1633},{},[1634],{"nodeType":1293,"value":1635,"marks":1636,"data":1637},"Push does this by observing all logins and generating a fingerprint (or technically a k-anonymized salted partial hash) of the user’s password. 
This fingerprint is then stored locally to allow Push to perform comparisons.",[],{},{"nodeType":1294,"data":1639,"content":1640},{},[1641],{"nodeType":1293,"value":1642,"marks":1643,"data":1644},"To detect potential phishing attacks, the browser agent compares the observed password fingerprint to known fingerprints for passwords that already exist in local storage.",[],{},{"nodeType":1294,"data":1646,"content":1647},{},[1648,1653],{"nodeType":1293,"value":1649,"marks":1650,"data":1652},"This means that it works even if that employee was the first person to get phished using a new attacker site: ",[1651],{"type":1519},{},{"nodeType":1293,"value":1654,"marks":1655,"data":1656},"Push still detects it and blocks it before your employee can submit their credentials. It also works regardless of the delivery vector used to get the phishing link to the intended victim.",[],{},{"nodeType":1362,"data":1658,"content":1662},{"target":1659},{"sys":1660},{"id":1661,"type":1367,"linkType":1368},"2V2My5IpdVUwh4QugqInUw",[],{"nodeType":1294,"data":1664,"content":1665},{},[1666],{"nodeType":1293,"value":1667,"marks":1668,"data":1669},"Once you’ve discovered a malicious site, you can use Push’s companion feature, URL blocking, to add the domain to a blocklist and prevent your other end-users from even visiting the site.",[],{},{"nodeType":1294,"data":1671,"content":1672},{},[1673,1677,1685],{"nodeType":1293,"value":1674,"marks":1675,"data":1676},"You can programmatically manage URL blocking as part of responding to an attempted phishing incident by using the ",[],{},{"nodeType":1340,"data":1678,"content":1680},{"uri":1679},"https://pushsecurity.redoc.ly/rest-v1/",[1681],{"nodeType":1293,"value":1682,"marks":1683,"data":1684},"Push REST API",[],{},{"nodeType":1293,"value":1686,"marks":1687,"data":1688}," to automatically add URLs to the blocklist or to sync with other threat intelligence sources of known-bad 
sites.",[],{},{"nodeType":1294,"data":1690,"content":1691},{},[1692,1696,1705],{"nodeType":1293,"value":1693,"marks":1694,"data":1695},"You can find out more about this control in this ",[],{},{"nodeType":1340,"data":1697,"content":1699},{"uri":1698},"https://pushsecurity.com/blog/introducing-sso-password-protection/",[1700],{"nodeType":1293,"value":1701,"marks":1702,"data":1704},"deep-dive article",[1703],{"type":1348},{},{"nodeType":1293,"value":1706,"marks":1707,"data":1708},". ",[],{},{"nodeType":1617,"data":1710,"content":1711},{},[1712],{"nodeType":1293,"value":1713,"marks":1714,"data":1715},"Detecting cloned login pages",[],{},{"nodeType":1294,"data":1717,"content":1718},{},[1719],{"nodeType":1293,"value":1720,"marks":1721,"data":1722},"It’s now very easy for attackers to create cloned login pages that appear to be legitimate, tricking users into providing their credentials. ",[],{},{"nodeType":1294,"data":1724,"content":1725},{},[1726,1730,1739],{"nodeType":1293,"value":1727,"marks":1728,"data":1729},"There are a number of phishing kits that allow the attacker to simply copy the HTML code from a legitimate website and duplicate it on the malicious site, creating a virtually identical interface that tricks users into entering their credentials. A final sprinkle of typosquatting techniques completes the illusion of legitimacy. The Federal Communications Commission (FCC) ",[],{},{"nodeType":1340,"data":1731,"content":1733},{"uri":1732},"https://www.nextgov.com/cybersecurity/2024/03/fcc-staff-targeted-phishing-attack-cloned-agency-login-site/394609/",[1734],{"nodeType":1293,"value":1735,"marks":1736,"data":1738},"was a recent target",[1737],{"type":1348},{},{"nodeType":1293,"value":1740,"marks":1741,"data":1742}," of this kind of attack. 
",[],{},{"nodeType":1294,"data":1744,"content":1745},{},[1746],{"nodeType":1293,"value":1747,"marks":1748,"data":1749},"Push’s cloned app detection feature detects fraudulent login pages by inspecting the resources and structure of pages users log into and fingerprinting them so they can be used to detect when that action occurs on the wrong domain. ",[],{},{"nodeType":1294,"data":1751,"content":1752},{},[1753,1757,1765],{"nodeType":1293,"value":1754,"marks":1755,"data":1756},"You can ",[],{},{"nodeType":1340,"data":1758,"content":1760},{"uri":1759},"https://pushsecurity.com/blog/introducing-cloned-login-page-detection/",[1761],{"nodeType":1293,"value":1762,"marks":1763,"data":1764},"read more about this feature here",[],{},{"nodeType":1293,"value":1572,"marks":1766,"data":1767},[],{},{"nodeType":1617,"data":1769,"content":1770},{},[1771],{"nodeType":1293,"value":1772,"marks":1773,"data":1774},"Detecting AitM and BitM toolkits",[],{},{"nodeType":1294,"data":1776,"content":1777},{},[1778,1782,1790,1794,1802,1805,1813,1817,1825],{"nodeType":1293,"value":1779,"marks":1780,"data":1781},"Adversary-in-the-Middle (AitM) phishing is a technique that uses dedicated tooling to act as a proxy between the target and a legitimate login portal for an application, principally to bypass MFA. As it’s a proxy to the real application, the page will appear exactly as the user expects, making this technique difficult to spot. 
Popular AitM toolkits include ",[],{},{"nodeType":1340,"data":1783,"content":1785},{"uri":1784},"https://github.com/drk1wi/Modlishka",[1786],{"nodeType":1293,"value":1787,"marks":1788,"data":1789},"Modlishka",[],{},{"nodeType":1293,"value":1791,"marks":1792,"data":1793},", ",[],{},{"nodeType":1340,"data":1795,"content":1797},{"uri":1796},"https://github.com/muraenateam/muraena",[1798],{"nodeType":1293,"value":1799,"marks":1800,"data":1801},"Muraena",[],{},{"nodeType":1293,"value":1791,"marks":1803,"data":1804},[],{},{"nodeType":1340,"data":1806,"content":1808},{"uri":1807},"https://github.com/kgretzky/evilginx2",[1809],{"nodeType":1293,"value":1810,"marks":1811,"data":1812},"Evilginx",[],{},{"nodeType":1293,"value":1814,"marks":1815,"data":1816}," and ",[],{},{"nodeType":1340,"data":1818,"content":1820},{"uri":1819},"https://www.bleepingcomputer.com/news/security/evilproxy-uses-indeedcom-open-redirect-for-microsoft-365-phishing/",[1821],{"nodeType":1293,"value":1822,"marks":1823,"data":1824},"Evilproxy",[],{},{"nodeType":1293,"value":1706,"marks":1826,"data":1827},[],{},{"nodeType":1294,"data":1829,"content":1830},{},[1831],{"nodeType":1293,"value":1832,"marks":1833,"data":1834},"Browser-in-the-Middle (BitM) toolkits are different to AitM toolkits because they don’t act as a reverse proxy. Instead, they trick their victim into directly controlling the attacker’s own browser using remote desktop screen sharing and control approaches — think of this like VNC or RDP but using the browser as a client. This is the virtual equivalent of an attacker handing their laptop to their victim, asking them to log in to an app for them, and then taking their laptop back afterwards.",[],{},{"nodeType":1294,"data":1836,"content":1837},{},[1838,1842,1851],{"nodeType":1293,"value":1839,"marks":1840,"data":1841},"We’ve conducted a lot of research into AitM and BitM toolkits recently. 
If you want to learn more about how they work and see a demo of them in action, ",[],{},{"nodeType":1340,"data":1843,"content":1845},{"uri":1844},"https://pushsecurity.com/resources/video/phishing-detecting-evilginx-evilnovnc-muraena-and-modlishka/",[1846],{"nodeType":1293,"value":1847,"marks":1848,"data":1850},"head over here",[1849],{"type":1348},{},{"nodeType":1293,"value":1706,"marks":1852,"data":1853},[],{},{"nodeType":1294,"data":1855,"content":1856},{},[1857],{"nodeType":1293,"value":1858,"marks":1859,"data":1860},"Push gives you a preconfigured set of detections for AitM and BitM toolkits, informed by our threat detection team’s research into their behavior. This phishing tool detection feature will automatically prevent users from accessing a site that’s running one of these malicious tools, and display a custom warning message to your end-users.",[],{},{"nodeType":1362,"data":1862,"content":1866},{"target":1863},{"sys":1864},{"id":1865,"type":1367,"linkType":1368},"4ixcEsEW4EyqckOTmP5Pbb",[],{"nodeType":1294,"data":1868,"content":1869},{},[1870,1874,1880],{"nodeType":1293,"value":1871,"marks":1872,"data":1873},"Administrators can also consume phishing tool detection events via the ",[],{},{"nodeType":1340,"data":1875,"content":1876},{"uri":1679},[1877],{"nodeType":1293,"value":1682,"marks":1878,"data":1879},[],{},{"nodeType":1293,"value":1881,"marks":1882,"data":1883}," into their SIEM or use Push’s webhooks to alert when a warn or block event has occurred.",[],{},{"nodeType":1294,"data":1885,"content":1886},{},[1887,1891,1900],{"nodeType":1293,"value":1888,"marks":1889,"data":1890},"You can read a full write-up of this feature if you want to ",[],{},{"nodeType":1340,"data":1892,"content":1894},{"uri":1893},"https://pushsecurity.com/blog/introducing-aitm-phishing-toolkit-detection-powered-by-the-push-browser/",[1895],{"nodeType":1293,"value":1896,"marks":1897,"data":1899},"learn 
more",[1898],{"type":1348},{},{"nodeType":1293,"value":1706,"marks":1901,"data":1902},[],{},{"nodeType":1470,"data":1904,"content":1905},{},[1906],{"nodeType":1293,"value":1907,"marks":1908,"data":1909},"Part 2: Infostealer malware",[],{},{"nodeType":1294,"data":1911,"content":1912},{},[1913,1917,1926],{"nodeType":1293,"value":1914,"marks":1915,"data":1916},"The recent ",[],{},{"nodeType":1340,"data":1918,"content":1920},{"uri":1919},"https://pushsecurity.com/blog/identity-attacks-in-the-wild/#id-snowflake-june-2024",[1921],{"nodeType":1293,"value":1922,"marks":1923,"data":1925},"Snowflake breach",[1924],{"type":1348},{},{"nodeType":1293,"value":1927,"marks":1928,"data":1929}," highlighted how infostealer malware is becoming a serious issue for security teams. As well as being able to steal credentials for account takeover, infostealers can also be used to steal session tokens which then allow the attacker to assume an already authorized session without needing to bypass MFA.   ",[],{},{"nodeType":1294,"data":1931,"content":1932},{},[1933],{"nodeType":1293,"value":1934,"marks":1935,"data":1936},"Nearly half of the malware detected last year by Sophos targeted victims’ data specifically, and the majority of that malware was classified as infostealers. ",[],{},{"nodeType":1362,"data":1938,"content":1942},{"target":1939},{"sys":1940},{"id":1941,"type":1367,"linkType":1368},"66B5MBFIhbmky7VuLGbuM3",[],{"nodeType":1294,"data":1944,"content":1945},{},[1946],{"nodeType":1293,"value":1947,"marks":1948,"data":1949},"Infostealers are primarily being used by Initial Access Brokers to harvest credentials and session tokens that they then sell to other threat actors intent on executing more penetrating attacks (e.g. ransomware).  ",[],{},{"nodeType":1294,"data":1951,"content":1952},{},[1953,1957,1966],{"nodeType":1293,"value":1954,"marks":1955,"data":1956},"EDR is seen as the go-to solution for defending against infostealer malware. 
However, attackers are always looking for ways to get around security controls by obfuscating malicious behavior and evading signature-based checks. For example, ",[],{},{"nodeType":1340,"data":1958,"content":1960},{"uri":1959},"https://thehackernews.com/2024/07/microsoft-defender-flaw-exploited-to.html",[1961],{"nodeType":1293,"value":1962,"marks":1963,"data":1965},"a flaw in Microsoft Defender SmartScreen was recently exploited to deliver infostealer malware",[1964],{"type":1348},{},{"nodeType":1293,"value":1572,"marks":1967,"data":1968},[],{},{"nodeType":1294,"data":1970,"content":1971},{},[1972],{"nodeType":1293,"value":1973,"marks":1974,"data":1975},"Getting total coverage across your endpoint estate is notoriously difficult, if not totally unrealistic. Unless the malware is stopped on execution, then data will inevitably be stolen, and will continue to be taken until stopped (or it self-terminates). And once an attacker has stolen employee credentials or sessions, the credential stuffing and session hijacking attacks that come next won’t touch the endpoint. ",[],{},{"nodeType":1294,"data":1977,"content":1978},{},[1979],{"nodeType":1293,"value":1980,"marks":1981,"data":1982},"For those reasons, you can’t rely on EDR as a single line of defense against infostealers. Push gives you those extra layers of defense to stop account takeover attempts that use stolen credentials and sessions.",[],{},{"nodeType":1362,"data":1984,"content":1988},{"target":1985},{"sys":1986},{"id":1987,"type":1367,"linkType":1368},"4YB6DLIE5TvaAsAAUoJd5v",[],{"nodeType":1617,"data":1990,"content":1991},{},[1992],{"nodeType":1293,"value":1993,"marks":1994,"data":1995},"Detecting stolen sessions ",[],{},{"nodeType":1294,"data":1997,"content":1998},{},[1999],{"nodeType":1293,"value":2000,"marks":2001,"data":2002},"Push uses its browser agent to inject a unique marker into the user agent string of sessions that occur in browsers enrolled in Push. 
You then add the list of domains where you wish to inject the marker into sessions, such as an identity provider like Okta or Microsoft. ",[],{},{"nodeType":1294,"data":2004,"content":2005},{},[2006],{"nodeType":1293,"value":2007,"marks":2008,"data":2009},"By analyzing logs from the IdP, you can identify a single session that shows activity both with the Push marker and without it. This can only ever happen when a session is extracted from a browser and maliciously imported into a different browser.",[],{},{"nodeType":1294,"data":2011,"content":2012},{},[2013],{"nodeType":1293,"value":2014,"marks":2015,"data":2016},"This is a high-fidelity signal that a stolen session token is being used by an attacker. It’s certainly a lot cleaner than relying on IP-based or geolocation-based signals, which result in frequent false positives.",[],{},{"nodeType":1362,"data":2018,"content":2022},{"target":2019},{"sys":2020},{"id":2021,"type":1367,"linkType":1368},"1XNNkaoW64t3PPvC54KGXF",[],{"nodeType":1617,"data":2024,"content":2025},{},[2026],{"nodeType":1293,"value":2027,"marks":2028,"data":2029},"Detecting stolen credentials being sold on the dark web",[],{},{"nodeType":1294,"data":2031,"content":2032},{},[2033],{"nodeType":1293,"value":2034,"marks":2035,"data":2036},"Push integrates stolen credential threat intelligence and alerts you when your employees’ credentials are being sold on the dark web. ",[],{},{"nodeType":1294,"data":2038,"content":2039},{},[2040],{"nodeType":1293,"value":2041,"marks":2042,"data":2043},"Commercial TI feeds of stolen credentials have been available for some time. 
But what we’ve found is that the false-positive rate is incredibly high and the vast majority of credentials are no longer in use.",[],{},{"nodeType":1294,"data":2045,"content":2046},{},[2047],{"nodeType":1293,"value":2048,"marks":2049,"data":2050},"Push validates that leaked credentials match those that are currently being used by your employees to authenticate on any apps they are using in the browser. That means that any alerts or automated actions generated by Push are actionable true positives, cutting out a huge amount of noise and saving your security team time. ",[],{},{"nodeType":1362,"data":2052,"content":2056},{"target":2053},{"sys":2054},{"id":2055,"type":1367,"linkType":1368},"3RnPM0ioGWi3CFMLkxQanO",[],{"nodeType":1470,"data":2058,"content":2059},{},[2060],{"nodeType":1293,"value":2061,"marks":2062,"data":2063},"Part 3: Credential stuffing",[],{},{"nodeType":1294,"data":2065,"content":2066},{},[2067],{"nodeType":1293,"value":2068,"marks":2069,"data":2070},"The previous sections looked at how Push detects and stops common techniques used for stealing and acquiring credentials. We’re now going to cover how Push stops stolen credentials from being used to access and take over employee accounts. ",[],{},{"nodeType":1294,"data":2072,"content":2073},{},[2074,2079],{"nodeType":1293,"value":2075,"marks":2076,"data":2078},"Credential stuffing ",[2077],{"type":1519},{},{"nodeType":1293,"value":2080,"marks":2081,"data":2082},"is when attackers use tools that automate the process of taking a list of stolen passwords and retargeting those credentials against different apps.",[],{},{"nodeType":1294,"data":2084,"content":2085},{},[2086,2090,2095],{"nodeType":1293,"value":2087,"marks":2088,"data":2089},"Closely related to credential stuffing is ",[],{},{"nodeType":1293,"value":2091,"marks":2092,"data":2094},"password spraying",[2093],{"type":1519},{},{"nodeType":1293,"value":2096,"marks":2097,"data":2098},". 
Instead of using stolen credentials, an attacker uses a list of commonly used usernames and passwords to attempt to compromise accounts. ",[],{},{"nodeType":1294,"data":2100,"content":2101},{},[2102],{"nodeType":1293,"value":2103,"marks":2104,"data":2105},"Both credential stuffing and password spraying are high-volume, automated attacks, and they are an unrelenting problem for most businesses. Microsoft observes 4,000 of them every second and nearly half of all login requests Auth0 receives each day are attempts at credential stuffing. ",[],{},{"nodeType":1294,"data":2107,"content":2108},{},[2109],{"nodeType":1293,"value":2110,"marks":2111,"data":2112},"The true scale of the problem is hard to grasp, as neither app vendors nor users have effective means of monitoring for unauthorized access. Typically these breaches are only detected when:",[],{},{"nodeType":1505,"data":2114,"content":2115},{},[2116,2136,2158],{"nodeType":1509,"data":2117,"content":2118},{},[2119],{"nodeType":1294,"data":2120,"content":2121},{},[2122,2126,2133],{"nodeType":1293,"value":2123,"marks":2124,"data":2125},"The attacker leaks the data they’ve stolen, like in the ",[],{},{"nodeType":1340,"data":2127,"content":2128},{"uri":1919},[2129],{"nodeType":1293,"value":1922,"marks":2130,"data":2132},[2131],{"type":1348},{},{"nodeType":1293,"value":1706,"marks":2134,"data":2135},[],{},{"nodeType":1509,"data":2137,"content":2138},{},[2139],{"nodeType":1294,"data":2140,"content":2141},{},[2142,2146,2155],{"nodeType":1293,"value":2143,"marks":2144,"data":2145},"The attacker deploys ransomware that results in business disruption, like that suffered by ",[],{},{"nodeType":1340,"data":2147,"content":2149},{"uri":2148},"https://pushsecurity.com/blog/identity-attacks-in-the-wild/#id-mgm-resorts-september-2023",[2150],{"nodeType":1293,"value":2151,"marks":2152,"data":2154},"MGM 
resorts",[2153],{"type":1348},{},{"nodeType":1293,"value":1572,"marks":2156,"data":2157},[],{},{"nodeType":1509,"data":2159,"content":2160},{},[2161],{"nodeType":1294,"data":2162,"content":2163},{},[2164,2168,2177],{"nodeType":1293,"value":2165,"marks":2166,"data":2167},"The attackers use a compromised account to do something deliberately in the public eye. For example, when the SEC’s X (formerly Twitter) account was compromised and ",[],{},{"nodeType":1340,"data":2169,"content":2171},{"uri":2170},"https://incyber.org/en/article/fake-sec-tweet-triggers-bitcoin-surge/#:~:text=The%20fake%20headline%20convinced%20a,an%20unauthorized%20tweet%20was%20posted.",[2172],{"nodeType":1293,"value":2173,"marks":2174,"data":2176},"sent out a message announcing the approval of Bitcoin ETF",[2175],{"type":1348},{},{"nodeType":1293,"value":2178,"marks":2179,"data":2180},".  ",[],{},{"nodeType":1294,"data":2182,"content":2183},{},[2184],{"nodeType":1293,"value":2185,"marks":2186,"data":2187},"Push gives you a number of controls to combat attacks using stolen and guessed passwords, both to prevent them from occurring, and detect them when they do.",[],{},{"nodeType":1617,"data":2189,"content":2190},{},[2191],{"nodeType":1293,"value":2192,"marks":2193,"data":2194},"Prevent employees using credentials that have already been stolen and leaked",[],{},{"nodeType":1294,"data":2196,"content":2197},{},[2198],{"nodeType":1293,"value":2199,"marks":2200,"data":2201},"First, let's stop your employees from using any credentials that have already been stolen and are available to attackers for use in a credential-stuffing attack. ",[],{},{"nodeType":1294,"data":2203,"content":2204},{},[2205],{"nodeType":1293,"value":2206,"marks":2207,"data":2208},"Push monitors stolen credential threat intelligence and compares it to the credentials employees are currently using to access their apps. 
",[],{},{"nodeType":1294,"data":2210,"content":2211},{},[2212],{"nodeType":1293,"value":2213,"marks":2214,"data":2215},"You might be wondering, “Does that mean Push sees all our employees’ passwords!?” No. Rather, we use a fingerprint of each password and it's checked locally in the users’ browser and never leaves it. ",[],{},{"nodeType":1294,"data":2217,"content":2218},{},[2219],{"nodeType":1293,"value":2220,"marks":2221,"data":2222},"When we get a match – a stolen password that could successfully be used in a credential-stuffing attack – Push alerts you.",[],{},{"nodeType":1617,"data":2224,"content":2225},{},[2226],{"nodeType":1293,"value":2227,"marks":2228,"data":2229},"Enforce MFA on all employee accounts",[],{},{"nodeType":1294,"data":2231,"content":2232},{},[2233],{"nodeType":1293,"value":2234,"marks":2235,"data":2236},"Next step is to secure the accounts most vulnerable to a credential stuffing attack – those that only use a password for single-factor authentication. ",[],{},{"nodeType":1294,"data":2238,"content":2239},{},[2240,2244,2253],{"nodeType":1293,"value":2241,"marks":2242,"data":2243},"If you’re using SSO to access apps, then it’s easy to overlook instances where local accounts (e.g. username and password logins) are missing MFA – particularly if you’re relying on an IdP solution to audit and enforce MFA. ",[],{},{"nodeType":1340,"data":2245,"content":2247},{"uri":2246},"https://pushsecurity.com/blog/ghost-logins-when-forgotten-identities-come-back-to-haunt-you/",[2248],{"nodeType":1293,"value":2249,"marks":2250,"data":2252},"You can read more about this problem in our blog post on ghost logins",[2251],{"type":1348},{},{"nodeType":1293,"value":1706,"marks":2254,"data":2255},[],{},{"nodeType":1294,"data":2257,"content":2258},{},[2259],{"nodeType":1293,"value":2260,"marks":2261,"data":2262},"Push observes every login made by your employees (both inside and outside SSO) and inspects the authentication protocols used. 
Accounts that are missing MFA are identified and presented to you in the Push platform.",[],{},{"nodeType":1362,"data":2264,"content":2268},{"target":2265},{"sys":2266},{"id":2267,"type":1367,"linkType":1368},"4t1PHxzadoTBjtJua6dzuJ",[],{"nodeType":1294,"data":2270,"content":2271},{},[2272],{"nodeType":1293,"value":2273,"marks":2274,"data":2275},"You can then use Push to enforce MFA on employee accounts, or present them with in-browser guidance requesting that they enable it themselves.  ",[],{},{"nodeType":1362,"data":2277,"content":2281},{"target":2278},{"sys":2279},{"id":2280,"type":1367,"linkType":1368},"3JSTEJGtLT0hfwnkpLRP4K",[],{"nodeType":1617,"data":2283,"content":2284},{},[2285],{"nodeType":1293,"value":2286,"marks":2287,"data":2288},"Prevent multiple accounts being compromised by credential stuffing due to password reuse",[],{},{"nodeType":1294,"data":2290,"content":2291},{},[2292],{"nodeType":1293,"value":2293,"marks":2294,"data":2295},"The credential stuffing tools that attackers use will target a long list of popular business apps. If a password is reused across multiple apps and is breached, the blast radius is naturally increased – the attacker will be able to hijack multiple accounts, across numerous business applications.",[],{},{"nodeType":1294,"data":2297,"content":2298},{},[2299],{"nodeType":1293,"value":2300,"marks":2301,"data":2302},"Push detects when employees are trying to use the same password across multiple apps. 
When this happens, you can request that they change their password.",[],{},{"nodeType":1362,"data":2304,"content":2308},{"target":2305},{"sys":2306},{"id":2307,"type":1367,"linkType":1368},"7ARHp2JPiHeKRYHwa2jwIZ",[],{"nodeType":1617,"data":2310,"content":2311},{},[2312],{"nodeType":1293,"value":2313,"marks":2314,"data":2315},"Prevent password spraying breaches",[],{},{"nodeType":1294,"data":2317,"content":2318},{},[2319],{"nodeType":1293,"value":2320,"marks":2321,"data":2322},"To stop your employees’ accounts from being breached by password spraying attacks, Push checks every password to see if it is easily guessable for attackers.",[],{},{"nodeType":1294,"data":2324,"content":2325},{},[2326],{"nodeType":1293,"value":2327,"marks":2328,"data":2329},"To determine if a password is easily guessable, the Push browser agent automatically checks the password against:",[],{},{"nodeType":1505,"data":2331,"content":2332},{},[2333,2343,2353],{"nodeType":1509,"data":2334,"content":2335},{},[2336],{"nodeType":1294,"data":2337,"content":2338},{},[2339],{"nodeType":1293,"value":2340,"marks":2341,"data":2342},"A list of top 10,000 weak base passwords.",[],{},{"nodeType":1509,"data":2344,"content":2345},{},[2346],{"nodeType":1294,"data":2347,"content":2348},{},[2349],{"nodeType":1293,"value":2350,"marks":2351,"data":2352},"Number and special character variations on these weak base passwords, for example: Password1! or January2022.",[],{},{"nodeType":1509,"data":2354,"content":2355},{},[2356],{"nodeType":1294,"data":2357,"content":2358},{},[2359],{"nodeType":1293,"value":2360,"marks":2361,"data":2362},"Variations on these weak base passwords that replace letters with numerals (1337), for example: P455w0rd.",[],{},{"nodeType":1294,"data":2364,"content":2365},{},[2366],{"nodeType":1293,"value":2367,"marks":2368,"data":2369},"You can also add your own custom word list that employees and attackers will predictably try and use. 
Push will then stop those words being used as part of passwords.",[],{},{"nodeType":1617,"data":2371,"content":2372},{},[2373],{"nodeType":1293,"value":2374,"marks":2375,"data":2376},"Detect unauthorized sessions  ",[],{},{"nodeType":1294,"data":2378,"content":2379},{},[2380],{"nodeType":1293,"value":2381,"marks":2382,"data":2383},"Once you have enabled all the Push controls that prevent employees from creating and using accounts that can be easily compromised by credential stuffing and password spraying attacks, the next line of defense is to detect when accounts are taken over.",[],{},{"nodeType":1294,"data":2385,"content":2386},{},[2387],{"nodeType":1293,"value":2388,"marks":2389,"data":2390},"Push uses its browser agent to inject a unique marker into the user agent string of sessions that occur in browsers enrolled in Push. You then add the list of domains that you want to have injected with the session marker. ",[],{},{"nodeType":1294,"data":2392,"content":2393},{},[2394],{"nodeType":1293,"value":2395,"marks":2396,"data":2397},"By analyzing logs from the IdP, you can identify a single session that shows activity both with the Push marker and without it. This indicates that the session is being used outside the legitimate user’s (your employee’s) usual work browser, and could be an attacker using their account. ",[],{},{"nodeType":1617,"data":2399,"content":2400},{},[2401],{"nodeType":1293,"value":2402,"marks":2403,"data":2404},"Reduce your identity attack surface",[],{},{"nodeType":1294,"data":2406,"content":2407},{},[2408],{"nodeType":1293,"value":2409,"marks":2410,"data":2411},"Finally, you’ll likely want to reduce your attack surface that can be targeted by credential stuffing. In other words, reduce the number of username and password accounts your employees have. 
",[],{},{"nodeType":1294,"data":2413,"content":2414},{},[2415],{"nodeType":1293,"value":2416,"marks":2417,"data":2418},"There are a few ways that Push can help you do this.",[],{},{"nodeType":1505,"data":2420,"content":2421},{},[2422,2437,2452],{"nodeType":1509,"data":2423,"content":2424},{},[2425],{"nodeType":1294,"data":2426,"content":2427},{},[2428,2433],{"nodeType":1293,"value":2429,"marks":2430,"data":2432},"Block access to unapproved apps",[2431],{"type":1519},{},{"nodeType":1293,"value":2434,"marks":2435,"data":2436},". Using Push, you can create a block list of apps that you don’t want your users to create accounts and identities on.",[],{},{"nodeType":1509,"data":2438,"content":2439},{},[2440],{"nodeType":1294,"data":2441,"content":2442},{},[2443,2448],{"nodeType":1293,"value":2444,"marks":2445,"data":2447},"Use app banners to stop users from creating local accounts",[2446],{"type":1519},{},{"nodeType":1293,"value":2449,"marks":2450,"data":2451},". When an employee goes to sign up to an app, Push will present an app banner that tells them to use their SSO identity and not to create a username and password account.",[],{},{"nodeType":1509,"data":2453,"content":2454},{},[2455],{"nodeType":1294,"data":2456,"content":2457},{},[2458,2463],{"nodeType":1293,"value":2459,"marks":2460,"data":2462},"Get existing accounts and apps behind SSO",[2461],{"type":1519},{},{"nodeType":1293,"value":2464,"marks":2465,"data":2466},". Push shows you how your employees are logging in to every account on every app, including whether they’re using SAML or OIDC SSO. 
Armed with this data, you can get your employees to use your preferred SSO solution on the apps where it’s already available, and look into whether other popular apps being used in the business offer SSO.",[],{},{"nodeType":1362,"data":2468,"content":2472},{"target":2469},{"sys":2470},{"id":2471,"type":1367,"linkType":1368},"3y8L55hbcQaRYPCdYYb3xA",[],{"nodeType":1470,"data":2474,"content":2475},{},[2476],{"nodeType":1293,"value":2477,"marks":2478,"data":2479},"Stop account takeover at the push of a button",[],{},{"nodeType":1294,"data":2481,"content":2482},{},[2483,2487,2495,2499,2504,2507,2512,2516,2520],{"nodeType":1293,"value":2484,"marks":2485,"data":2486},"We’ve described a lot of controls in this article. The good news is that they’re all pre-configured on the ",[],{},{"nodeType":1340,"data":2488,"content":2490},{"uri":2489},"https://pushsecurity.com/help/audience/administrators/docs/manage-security-controls/#start",[2491],{"nodeType":1293,"value":2492,"marks":2493,"data":2494},"Controls",[],{},{"nodeType":1293,"value":2496,"marks":2497,"data":2498}," page in the Push platform. When you get started with Push, you can simply turn on all the controls you want, and decide whether you want them to work in ",[],{},{"nodeType":1293,"value":2500,"marks":2501,"data":2503},"monitor",[2502],{"type":1519},{},{"nodeType":1293,"value":1791,"marks":2505,"data":2506},[],{},{"nodeType":1293,"value":2508,"marks":2509,"data":2511},"warn",[2510],{"type":1519},{},{"nodeType":1293,"value":2513,"marks":2514,"data":2515}," mode or ",[],{},{"nodeType":1293,"value":138,"marks":2517,"data":2519},[2518],{"type":1519},{},{"nodeType":1293,"value":2521,"marks":2522,"data":2523}," mode.    
",[],{},{"nodeType":1362,"data":2525,"content":2529},{"target":2526},{"sys":2527},{"id":2528,"type":1367,"linkType":1368},"6FCuO78yQMNZvkcbcALmis",[],{"nodeType":1617,"data":2531,"content":2532},{},[2533],{"nodeType":1293,"value":2534,"marks":2535,"data":2536},"See it for yourself",[],{},{"nodeType":1294,"data":2538,"content":2539},{},[2540,2544,2552],{"nodeType":1293,"value":2541,"marks":2542,"data":2543},"To learn more, ",[],{},{"nodeType":1340,"data":2545,"content":2547},{"uri":2546},"https://pushsecurity.com/demo/",[2548],{"nodeType":1293,"value":2549,"marks":2550,"data":2551},"book a demo",[],{},{"nodeType":1293,"value":2553,"marks":2554,"data":2555},". We’ll be happy to show you these features, along with how we discover all the apps your employees are using, even the ones not behind SSO.",[],{},{"nodeType":1362,"data":2557,"content":2561},{"target":2558},{"sys":2559},{"id":2560,"type":1367,"linkType":1368},"4IRtR9zicpB7lXdz2RvIlK",[],{"nodeType":1294,"data":2563,"content":2564},{},[2565],{"nodeType":1293,"value":37,"marks":2566,"data":2567},[],{},{"entries":2569},{"hyperlink":2570,"inline":2571,"block":2572},[],[],[2573,2582,2590,2597,2605,2612,2620,2626,2634,2640,2645,2651,2659,2666,2673,2681,2689,2697],{"sys":2574,"__typename":2575,"title":2576,"caption":2577,"layoutMode":118,"file":2578},{"id":1366},"Image","DBIR stolen credentials graphic","Identity attack techniques were by far the most prevalent initial access vectors in this year's Verizon DBIR.",{"url":2579,"width":2580,"height":2581},"https://images.ctfassets.net/y1cdw1ablpvd/QCYpzmm2CKDnBI1KZXJv9/3b9b565137fc91fb447bf8c611db6d5e/Group_343.png",370,646,{"sys":2583,"__typename":2575,"title":2584,"caption":2585,"layoutMode":118,"file":2586},{"id":1414},"Identity breach timeline","The rise in identity attacks should come as no surprise to any of us. 
While attackers are bad people, they’re still mostly rational bad people who will take the easy road.",{"url":2587,"width":2588,"height":2589},"https://images.ctfassets.net/y1cdw1ablpvd/4EoLhIzCo8VythFPqt0tIA/460d6b2fdab727fe4036569a2505aedd/image1.png",1768,994,{"sys":2591,"__typename":2592,"type":2593,"ctaText":2594,"buttonLabel":2595,"buttonColour":2596,"buttonUrl":1399},{"id":1420},"CtaWidget","Custom","Learn more about the timeline of recent identity attacks in the wild.","Read the Blog","orange",{"sys":2598,"__typename":2575,"title":2599,"caption":2600,"layoutMode":118,"file":2601},{"id":1440},"Comparing attack paths for identity, network, and endpoint attacks. ","Attackers are now targeting identities to avoid established endpoint and network security controls. ",{"url":2602,"width":2603,"height":2604},"https://images.ctfassets.net/y1cdw1ablpvd/2ZleNOvt5jsBQ7RTds5BBN/f73fe9434abb44914ba339d2d94860e6/image10.png",1201,675,{"sys":2606,"__typename":2575,"title":2607,"caption":2608,"layoutMode":118,"file":2609},{"id":1488},"How Push prevents account takeover","Push prevents account takeover using controls aligned with each stage of the attack chain.",{"url":1302,"width":2610,"height":2611},1920,1080,{"sys":2613,"__typename":2575,"title":2614,"caption":2615,"layoutMode":118,"file":2616},{"id":1600},"Source: 2024 Trends in Identity Security - Identity Defined Security Alliance (IDSA)","Source: 2024 Trends in Identity Security – Identity Defined Security Alliance (IDSA)",{"url":2617,"width":2618,"height":2619},"https://images.ctfassets.net/y1cdw1ablpvd/4wcIXJu4Yhq7lHZuGbX1w0/b097fff859f61a0e853f8a10e2d838aa/image7.png",1730,782,{"sys":2621,"__typename":2575,"title":2622,"caption":2623,"layoutMode":118,"file":2624},{"id":1661},"SSO Password Protection","Push blocks malicious logins before the user can be 
phished.",{"url":2625,"width":2610,"height":2611},"https://images.ctfassets.net/y1cdw1ablpvd/NswNmrq9QBqinx9ssS2Fz/18b4cdf6c4bff3274c289a4185b4204f/image5.png",{"sys":2627,"__typename":2575,"title":2628,"caption":2629,"layoutMode":118,"file":2630},{"id":1865},"Phishing toolkit detection","Accessing pages running malicious phishing toolkits is automatically blocked. ",{"url":2631,"width":2632,"height":2633},"https://images.ctfassets.net/y1cdw1ablpvd/3ylgW0MDCCesBjQsoqjD4P/a8bc4df9a430aca6c725f913d2bc6444/image11.png",1440,767,{"sys":2635,"__typename":2575,"title":2636,"caption":2636,"layoutMode":118,"file":2637},{"id":1941},"The 2024 Sophos Threat Report shows the prevalence of info stealer malware.",{"url":2638,"width":40,"height":2639},"https://images.ctfassets.net/y1cdw1ablpvd/ntLmjUBbgKFILEraHAiLC/dbefc5df68c0260dd6301237af4ba49a/image3.png",432,{"sys":2641,"__typename":2592,"type":2593,"ctaText":2642,"buttonLabel":2595,"buttonColour":2643,"buttonUrl":2644},{"id":1987},"For more information on infostealers, check out our recent blog post.","sunny orange","https://pushsecurity.com/blog/what-the-rise-of-infostealers-says-about-identity-attacks/",{"sys":2646,"__typename":2575,"title":2647,"caption":2647,"layoutMode":118,"file":2648},{"id":2021},"Detecting stolen sessions running on attacker machines. 
",{"url":2649,"width":2632,"height":2650},"https://images.ctfassets.net/y1cdw1ablpvd/3Pp4bDB2FkGlHbOEt35j0j/49a92cf3c2f805850eff23bacd43818c/image8.png",398,{"sys":2652,"__typename":2575,"title":2653,"caption":2654,"layoutMode":118,"file":2655},{"id":2055},"Stolen creds example","Viewing stolen credentials using the Push platform.",{"url":2656,"width":2657,"height":2658},"https://images.ctfassets.net/y1cdw1ablpvd/5BJQtkoIy6xBSgYRTzMhgh/121f277cdb6684b4441d8c0e98241077/stolen_creds_example.png",783,919,{"sys":2660,"__typename":2575,"title":2661,"caption":2662,"layoutMode":118,"file":2663},{"id":2267},"Identifying MFA gaps with Push","Identifying MFA gaps with Push.",{"url":2664,"width":2665,"height":2611},"https://images.ctfassets.net/y1cdw1ablpvd/xfT8Naxqz8UHj9NfMoB3c/205590adc81044c474f91e94ed1491ba/image2.png",1797,{"sys":2667,"__typename":2575,"title":2668,"caption":2669,"layoutMode":118,"file":2670},{"id":2280},"MFA enforcement banner","Push MFA enforcement banner.",{"url":2671,"width":2632,"height":2672},"https://images.ctfassets.net/y1cdw1ablpvd/3gU1uqYKTUcYnS86z5KNcf/8d91db345ab6bbfa36ae551a4709822d/mfa_enforcement_banner_web.png",809,{"sys":2674,"__typename":2575,"title":2675,"caption":2676,"layoutMode":118,"file":2677},{"id":2307},"Password reuse identified and reported","Password reuse identified and reported.",{"url":2678,"width":2679,"height":2680},"https://images.ctfassets.net/y1cdw1ablpvd/5gkK5ubIQzC7dAory22d7u/8d7a7791e376eae26bec69f0bc66f838/chatops_reused_password_finding_20230713.png",932,118,{"sys":2682,"__typename":2575,"title":2683,"caption":2684,"layoutMode":118,"file":2685},{"id":2471},"Preventing password logins where SSO is supported","Preventing password logins where SSO is supported. 
",{"url":2686,"width":2687,"height":2688},"https://images.ctfassets.net/y1cdw1ablpvd/1epd5VHOflUX67ga5lZA7z/8f179c8621d9d60bd6a8879c9b0daea5/image9.png",1255,763,{"sys":2690,"__typename":2575,"title":2691,"caption":2692,"layoutMode":118,"file":2693},{"id":2528},"Controls page","Enable controls to stop account takeover with the push of a button.",{"url":2694,"width":2695,"height":2696},"https://images.ctfassets.net/y1cdw1ablpvd/7HVWDgFFdpHxzzNDpgcnLs/520e7c0a9c76bbafaa538d5f24720826/controls_page_20240808.png",3022,1716,{"sys":2698,"__typename":2592,"type":2593,"ctaText":2699,"buttonLabel":2595,"buttonColour":2700,"buttonUrl":2701},{"id":2560},"Learn more about our design philosophy and what makes our account takeover defenses uniquely effective.","sea blue","https://pushsecurity.com/blog/our-design-philosophy-detecting-what-matters/",{"items":2703},[2704,3376,3963],{"__typename":2705,"sys":2706,"content":2708,"title":3358,"synopsis":3359,"hashTags":118,"publishedDate":3360,"slug":3361,"tagsCollection":3362,"authorsCollection":3368},"BlogPosts",{"id":2707},"1qegIy4rMdm5XZXnIEoKpE",{"json":2709},{"nodeType":1295,"data":2710,"content":2711},{},[2712,2719,2726,2751,2757,2764,2771,2775,2782,2802,2808,2815,2857,2864,2871,2878,2885,2892,2899,2918,2926,2929,2936,2943,2950,2957,2964,2971,2978,3026,3033,3040,3047,3067,3074,3081,3088,3095,3102,3109,3116,3133,3151,3194,3201,3208,3271,3278,3281,3288,3304,3322,3329,3335,3341,3344,3351],{"nodeType":1294,"data":2713,"content":2714},{},[2715],{"nodeType":1293,"value":2716,"marks":2717,"data":2718},"The field of threat detection and security monitoring has changed significantly over the last decade. Security tools and product categories have been added and replaced, specialist disciplines established, and methodologies created. 
",[],{},{"nodeType":1294,"data":2720,"content":2721},{},[2722],{"nodeType":1293,"value":2723,"marks":2724,"data":2725},"Naturally, defenders have had to mature their approach because of the changing nature of the threat facing organizations. Attackers have always looked for new ways to target their victims, and naturally, defenders have had to adapt, forcing attackers to change things up… it’s a cat and mouse game. ",[],{},{"nodeType":1294,"data":2727,"content":2728},{},[2729,2733,2742,2746],{"nodeType":1293,"value":2730,"marks":2731,"data":2732},"Blue teamers have used the concept of the ",[],{},{"nodeType":1340,"data":2734,"content":2736},{"uri":2735},"https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html",[2737],{"nodeType":1293,"value":2738,"marks":2739,"data":2741},"Pyramid of Pain",[2740],{"type":1348},{},{"nodeType":1293,"value":2743,"marks":2744,"data":2745}," for over a decade. The logic is simple: ",[],{},{"nodeType":1293,"value":2747,"marks":2748,"data":2750},"Focus on detecting and responding to indicators that are hard for attackers to change. ",[2749],{"type":1519},{},{"nodeType":1362,"data":2752,"content":2756},{"target":2753},{"sys":2754},{"id":2755,"type":1367,"linkType":1368},"6cG2fx3AikwptyEyXKrYCK",[],{"nodeType":1294,"data":2758,"content":2759},{},[2760],{"nodeType":1293,"value":2761,"marks":2762,"data":2763},"If an attacker only has to tweak a variable to get around your detection rule, like adding a space to change a hash value, it’s probably not a very good detection. It’s not going to remain effective for long and you’re always going to be one step behind the attacker – waiting for them to make their next move so you can react. This usually ends up meaning that attackers enjoy at least some success before they can be shut out again. 
",[],{},{"nodeType":1294,"data":2765,"content":2766},{},[2767],{"nodeType":1293,"value":2768,"marks":2769,"data":2770},"The Pyramid of Pain – and the goal of implementing hard-to-bypass detections that hit attackers where it hurts – is central to our design philosophy. But before we get into how we apply this approach, and the types of controls we’ve created as a result, it’s useful to look at how IT and security have changed since the Pyramid was created more than a decade ago. ",[],{},{"nodeType":2772,"data":2773,"content":2774},"hr",{},[],{"nodeType":1470,"data":2776,"content":2777},{},[2778],{"nodeType":1293,"value":2779,"marks":2780,"data":2781},"A new era for cyber security",[],{},{"nodeType":1294,"data":2783,"content":2784},{},[2785,2789,2798],{"nodeType":1293,"value":2786,"marks":2787,"data":2788},"We’ve spoken a lot about how we’re in the midst of a new era in cybersecurity, in which identity is now the outermost digital perimeter for security teams to defend. (",[],{},{"nodeType":1340,"data":2790,"content":2792},{"uri":2791},"https://pushsecurity.com/resources/video/the-new-saas-cyber-kill-chain-so-con-2024/",[2793],{"nodeType":1293,"value":2794,"marks":2795,"data":2797},"You’ll be familiar with this if you’ve seen any of Luke’s talks on the New SaaS Cyber Kill Chain.",[2796],{"type":1348},{},{"nodeType":1293,"value":2799,"marks":2800,"data":2801},") ",[],{},{"nodeType":1362,"data":2803,"content":2807},{"target":2804},{"sys":2805},{"id":2806,"type":1367,"linkType":1368},"6nYSZAYpsbj78jKm0q75zs",[],{"nodeType":1294,"data":2809,"content":2810},{},[2811],{"nodeType":1293,"value":2812,"marks":2813,"data":2814},"This is primarily because modern working is no longer contained to a heavily centralized corporate network, and instead happens primarily in applications accessed over the internet via web browser.",[],{},{"nodeType":1294,"data":2816,"content":2817},{},[2818,2822,2830,2834,2841,2845,2853],{"nodeType":1293,"value":2819,"marks":2820,"data":2821},"In this 
new world, attacks don’t even have to touch the old perimeters, because all the data and functionality they could want exists on the public internet. As a result, we’re seeing more and more ",[],{},{"nodeType":1340,"data":2823,"content":2825},{"uri":2824},"https://pushsecurity.com/blog/saas-attack-techniques/",[2826],{"nodeType":1293,"value":2827,"marks":2828,"data":2829},"attacks targeting SaaS apps",[],{},{"nodeType":1293,"value":2831,"marks":2832,"data":2833},", with the entire attack chain being concluded outside customer networks, not touching any traditional endpoints or networks. The ",[],{},{"nodeType":1340,"data":2835,"content":2836},{"uri":1919},[2837],{"nodeType":1293,"value":2838,"marks":2839,"data":2840},"recent attacks on Snowflake customers",[],{},{"nodeType":1293,"value":2842,"marks":2843,"data":2844},", hailed ",[],{},{"nodeType":1340,"data":2846,"content":2848},{"uri":2847},"https://www.wired.com/story/snowflake-breach-advanced-auto-parts-lendingtree/",[2849],{"nodeType":1293,"value":2850,"marks":2851,"data":2852},"one of the biggest breaches in history",[],{},{"nodeType":1293,"value":2854,"marks":2855,"data":2856},", demonstrate this risk all too well. ",[],{},{"nodeType":1294,"data":2858,"content":2859},{},[2860],{"nodeType":1293,"value":2861,"marks":2862,"data":2863},"This creates a problem for security teams looking to detect and respond to these attacks. ",[],{},{"nodeType":1617,"data":2865,"content":2866},{},[2867],{"nodeType":1293,"value":2868,"marks":2869,"data":2870},"Attacks today are shorter and faster, but just as dangerous",[],{},{"nodeType":1294,"data":2872,"content":2873},{},[2874],{"nodeType":1293,"value":2875,"marks":2876,"data":2877},"Detecting and responding to identity attacks – phishing, credential stuffing, etc. 
– used to be just one possible method of initial access in quite a lengthy Kill Chain that stretched from the compromise of the user device, pivoting to internal network resources, escalating privileges, moving laterally, and finally achieving their objectives.",[],{},{"nodeType":1294,"data":2879,"content":2880},{},[2881],{"nodeType":1293,"value":2882,"marks":2883,"data":2884},"This meant that defenders could adopt an assumed compromise mentality and build layered detections, as well as proactively hunting for threats across these various stages and layers of the network. The more actions an attacker has to perform, the more opportunities for detection, and the higher the likelihood that they’ll be caught in the act before any real, lasting damage can be caused. ",[],{},{"nodeType":1294,"data":2886,"content":2887},{},[2888],{"nodeType":1293,"value":2889,"marks":2890,"data":2891},"Today, attackers have a lot of opportunities to cause significant damage for much less effort than before. For example, if the goal is to compromise an app like Snowflake and dump the data from it, the Kill Chain is way shorter than a traditional network-based attack. And all the great tools and security products you have, like EDR, don’t come into play. ",[],{},{"nodeType":1294,"data":2893,"content":2894},{},[2895],{"nodeType":1293,"value":2896,"marks":2897,"data":2898},"This means that the initial layer of anti-account takeover controls is much more important in this context. But, the historical detections in this space – email gateway security products, analyzing web pages for malicious content, and URL blocklisting – are either less relevant, or built upon easy-to-bypass detections toward the bottom of the Pyramid of Pain. 
",[],{},{"nodeType":1294,"data":2900,"content":2901},{},[2902,2906,2914],{"nodeType":1293,"value":2903,"marks":2904,"data":2905},"As an example, ",[],{},{"nodeType":1340,"data":2907,"content":2909},{"uri":2908},"https://pushsecurity.com/blog/how-aitm-phishing-kits-evade-detection/",[2910],{"nodeType":1293,"value":2911,"marks":2912,"data":2913},"we recently published an article on all the ways that AitM phishing sites are evading detection",[],{},{"nodeType":1293,"value":2915,"marks":2916,"data":2917},". TL;DR – there are a lot, and they seem to be quite effective. But this is partly because the majority of the detections they're trying to avoid are built on shaky ground.   ",[],{},{"nodeType":1294,"data":2919,"content":2920},{},[2921],{"nodeType":1293,"value":2922,"marks":2923,"data":2925},"So what? Well, it’s clear that the controls that the industry has relied on in the past to stop identity attacks are too easy to bypass, and are no longer sufficient. ",[2924],{"type":1519},{},{"nodeType":2772,"data":2927,"content":2928},{},[],{"nodeType":1470,"data":2930,"content":2931},{},[2932],{"nodeType":1293,"value":2933,"marks":2934,"data":2935},"Building effective identity threat detection controls",[],{},{"nodeType":1294,"data":2937,"content":2938},{},[2939],{"nodeType":1293,"value":2940,"marks":2941,"data":2942},"Now we’ve covered the problem that we set out to solve, let’s look at what we’re doing differently. ",[],{},{"nodeType":1294,"data":2944,"content":2945},{},[2946],{"nodeType":1293,"value":2947,"marks":2948,"data":2949},"In order to climb the Pyramid toward the apex, you need to find ways to detect increasingly generic parts of an attack technique. So you want to avoid things like what a specific malware’s code looks like, or where it connects back to. But what the malware does, or what happens when it runs, is more generic, and therefore more interesting to us.  
",[],{},{"nodeType":1294,"data":2951,"content":2952},{},[2953],{"nodeType":1293,"value":2954,"marks":2955,"data":2956},"The shift from static code signatures and fuzzy hashes to dynamic analysis of what code does on a live system is at the heart of why EDR killed antivirus a decade ago. It proved at-scale the value of moving detections up the pyramid.",[],{},{"nodeType":1294,"data":2958,"content":2959},{},[2960],{"nodeType":1293,"value":2961,"marks":2962,"data":2963},"We’re always on the lookout for ways to move our detections up the pyramid as well. It’s easiest to explain how we’ve applied this by looking at an example. ",[],{},{"nodeType":1617,"data":2965,"content":2966},{},[2967],{"nodeType":1293,"value":2968,"marks":2969,"data":2970},"Scenario: Detecting a web-based phishing attack",[],{},{"nodeType":1294,"data":2972,"content":2973},{},[2974],{"nodeType":1293,"value":2975,"marks":2976,"data":2977},"Let’s break down the stages of a web-based phishing attack as an example. For a user to be successfully phished:",[],{},{"nodeType":1505,"data":2979,"content":2980},{},[2981,2996,3011],{"nodeType":1509,"data":2982,"content":2983},{},[2984],{"nodeType":1294,"data":2985,"content":2986},{},[2987,2992],{"nodeType":1293,"value":2988,"marks":2989,"data":2991},"Stage 1:",[2990],{"type":1519},{},{"nodeType":1293,"value":2993,"marks":2994,"data":2995}," The victim must be lured to visit a website.",[],{},{"nodeType":1509,"data":2997,"content":2998},{},[2999],{"nodeType":1294,"data":3000,"content":3001},{},[3002,3007],{"nodeType":1293,"value":3003,"marks":3004,"data":3006},"Stage 2:",[3005],{"type":1519},{},{"nodeType":1293,"value":3008,"marks":3009,"data":3010}," The website must somehow trick or convince the user that it’s legitimate and trustworthy, for example by mimicking a legitimate 
site.",[],{},{"nodeType":1509,"data":3012,"content":3013},{},[3014],{"nodeType":1294,"data":3015,"content":3016},{},[3017,3022],{"nodeType":1293,"value":3018,"marks":3019,"data":3021},"Stage 3:",[3020],{"type":1519},{},{"nodeType":1293,"value":3023,"marks":3024,"data":3025}," The user must enter their actual credentials into that website.",[],{},{"nodeType":1294,"data":3027,"content":3028},{},[3029],{"nodeType":1293,"value":3030,"marks":3031,"data":3032},"So, how might you go about detecting this attack? Let’s start from the bottom of the pyramid and work our way up.",[],{},{"nodeType":1617,"data":3034,"content":3035},{},[3036],{"nodeType":1293,"value":3037,"marks":3038,"data":3039},"Stage 1: Determining if a URL, IP, or domain is bad",[],{},{"nodeType":1294,"data":3041,"content":3042},{},[3043],{"nodeType":1293,"value":3044,"marks":3045,"data":3046},"You might start by looking for the lure – historically an email. You could look for links in emails, or links in attachments in an email and then check if they are bad (which is essentially what email security products do). You could look for known-bad URLs in emails, but these change for every phishing campaign. In modern attacks, every target can receive a unique email and link. Even just using a URL shortener can bypass this. It’s equivalent to a malware hash – trivial to change, and therefore not a great thing to pin your detections on. ",[],{},{"nodeType":1294,"data":3048,"content":3049},{},[3050,3054,3063],{"nodeType":1293,"value":3051,"marks":3052,"data":3053},"You could look at which IP address the user connects to, but these days it’s very simple for attackers to add a new IP to their cloud-hosted server. If a domain is flagged as known-bad, the attacker only has to register a new domain, or compromise a WordPress server on an already trusted domain. 
Both of these things are ",[],{},{"nodeType":1340,"data":3055,"content":3057},{"uri":3056},"https://www.bleepingcomputer.com/news/security/revolver-rabbit-gang-registers-500-000-domains-for-malware-campaigns/",[3058],{"nodeType":1293,"value":3059,"marks":3060,"data":3062},"happening on a massive scale",[3061],{"type":1348},{},{"nodeType":1293,"value":3064,"marks":3065,"data":3066}," as attackers pre-plan for the fact that their domains will be burned at some point. Attackers are more than happy to spend $10-$20 per new domain in the grand scheme of the potential proceeds of crime. ",[],{},{"nodeType":1294,"data":3068,"content":3069},{},[3070],{"nodeType":1293,"value":3071,"marks":3072,"data":3073},"But there’s a more fundamental flaw here – for defenders to know that a URL, IP, or domain name is bad, it needs to be reported first. When are things reported? Typically after being used in an attack – so unfortunately, someone always gets hurt.  ",[],{},{"nodeType":1617,"data":3075,"content":3076},{},[3077],{"nodeType":1293,"value":3078,"marks":3079,"data":3080},"Stage 2: Determining if a site is legitimate",[],{},{"nodeType":1294,"data":3082,"content":3083},{},[3084],{"nodeType":1293,"value":3085,"marks":3086,"data":3087},"So how can we detect a phishing website, on day-zero, the first time anyone runs into it? Well we can look at the second step – does the URL resemble a real website, does the HTML code for a page look similar to a legitimate login page for a known website, is it loading the same image files? This is not trivial to detect, but with the right fuzzy matches and image analysis it can be automated.",[],{},{"nodeType":1294,"data":3089,"content":3090},{},[3091],{"nodeType":1293,"value":3092,"marks":3093,"data":3094},"We’ve now moved up a level on the Pyramid – we’re detecting website artifacts. 
If we see a legitimate looking website on an unknown domain, it’s likely to be a malicious clone.",[],{},{"nodeType":1294,"data":3096,"content":3097},{},[3098],{"nodeType":1293,"value":3099,"marks":3100,"data":3101},"Unfortunately, the attacker’s website doesn’t need to send each visitor to the same website. It can change dynamically based on where the visitor is coming from – or even randomly, so that not all visitors are served the phishing page. This means that tools which resolve where the links in emails go to be able to analyze them (such as email security appliances) don’t necessarily see the same site the user is actually visiting – a fact that is commonly abused by attackers to bypass detection. It’s critical that detection happens on the actual web page that the victim sees.",[],{},{"nodeType":1617,"data":3103,"content":3104},{},[3105],{"nodeType":1293,"value":3106,"marks":3107,"data":3108},"Stage 3: Detecting the user entering their credentials",[],{},{"nodeType":1294,"data":3110,"content":3111},{},[3112],{"nodeType":1293,"value":3113,"marks":3114,"data":3115},"For a phishing attack to succeed, the victim must enter their actual credentials into the webpage. If you can stop the user entering their real password, there’s no attack. There’s no getting around it. ",[],{},{"nodeType":1294,"data":3117,"content":3118},{},[3119,3123,3130],{"nodeType":1293,"value":3120,"marks":3121,"data":3122},"So, this is exactly what we did: Earlier this year, we released a control which ",[],{},{"nodeType":1340,"data":3124,"content":3125},{"uri":1698},[3126],{"nodeType":1293,"value":3127,"marks":3128,"data":3129},"stops users from entering their password belonging to a particular login page anywhere else",[],{},{"nodeType":1293,"value":1572,"marks":3131,"data":3132},[],{},{"nodeType":1294,"data":3134,"content":3135},{},[3136,3140,3147],{"nodeType":1293,"value":3137,"marks":3138,"data":3139},"Seems simple, right? 
By focusing on this generic action, that always has to happen, you can essentially stop your users being phished altogether. This means, it doesn’t matter ",[],{},{"nodeType":1340,"data":3141,"content":3142},{"uri":2908},[3143],{"nodeType":1293,"value":3144,"marks":3145,"data":3146},"what the attacker does before that point",[],{},{"nodeType":1293,"value":3148,"marks":3149,"data":3150},":",[],{},{"nodeType":1505,"data":3152,"content":3153},{},[3154,3164,3174,3184],{"nodeType":1509,"data":3155,"content":3156},{},[3157],{"nodeType":1294,"data":3158,"content":3159},{},[3160],{"nodeType":1293,"value":3161,"marks":3162,"data":3163},"It doesn't matter if they run the site using Cloudflare Workers to block automatic analysis.",[],{},{"nodeType":1509,"data":3165,"content":3166},{},[3167],{"nodeType":1294,"data":3168,"content":3169},{},[3170],{"nodeType":1293,"value":3171,"marks":3172,"data":3173},"It doesn’t matter if they hack a WordPress blog to get a reputable domain.",[],{},{"nodeType":1509,"data":3175,"content":3176},{},[3177],{"nodeType":1294,"data":3178,"content":3179},{},[3180],{"nodeType":1293,"value":3181,"marks":3182,"data":3183},"It doesn’t matter if they use clever redirects and rotate the URLs delivered to the user.",[],{},{"nodeType":1509,"data":3185,"content":3186},{},[3187],{"nodeType":1294,"data":3188,"content":3189},{},[3190],{"nodeType":1293,"value":3191,"marks":3192,"data":3193},"It doesn’t matter if they randomize the HTML title for the web page. ",[],{},{"nodeType":1294,"data":3195,"content":3196},{},[3197],{"nodeType":1293,"value":3198,"marks":3199,"data":3200},"They can’t avoid the fact that a user is required to enter their credentials on the page for the attack to succeed. 
",[],{},{"nodeType":1294,"data":3202,"content":3203},{},[3204],{"nodeType":1293,"value":3205,"marks":3206,"data":3207},"So, when you apply the Pyramid of Pain to some of the controls we’ve shipped this year, we get a clear feel for the value, from highest to lowest:",[],{},{"nodeType":1505,"data":3209,"content":3210},{},[3211,3231,3251],{"nodeType":1509,"data":3212,"content":3213},{},[3214],{"nodeType":1294,"data":3215,"content":3216},{},[3217,3221,3228],{"nodeType":1293,"value":3218,"marks":3219,"data":3220},"User Behavior: ",[],{},{"nodeType":1340,"data":3222,"content":3223},{"uri":1698},[3224],{"nodeType":1293,"value":3225,"marks":3226,"data":3227},"Detecting and blocking the user behavior of entering their password into any site that the password doesn’t belong to",[],{},{"nodeType":1293,"value":1706,"marks":3229,"data":3230},[],{},{"nodeType":1509,"data":3232,"content":3233},{},[3234],{"nodeType":1294,"data":3235,"content":3236},{},[3237,3241,3248],{"nodeType":1293,"value":3238,"marks":3239,"data":3240},"Tool Behavior: ",[],{},{"nodeType":1340,"data":3242,"content":3243},{"uri":1759},[3244],{"nodeType":1293,"value":3245,"marks":3246,"data":3247},"Detecting when a login page that you access is cloned from a legitimate page.",[],{},{"nodeType":1293,"value":37,"marks":3249,"data":3250},[],{},{"nodeType":1509,"data":3252,"content":3253},{},[3254],{"nodeType":1294,"data":3255,"content":3256},{},[3257,3261,3268],{"nodeType":1293,"value":3258,"marks":3259,"data":3260},"Tool Signature: ",[],{},{"nodeType":1340,"data":3262,"content":3263},{"uri":1893},[3264],{"nodeType":1293,"value":3265,"marks":3266,"data":3267},"Detecting and blocking access to a page with a known phishing kit signature present on the page",[],{},{"nodeType":1293,"value":1706,"marks":3269,"data":3270},[],{},{"nodeType":1294,"data":3272,"content":3273},{},[3274],{"nodeType":1293,"value":3275,"marks":3276,"data":3277},"Naturally, we want to continue focusing on the apex of the Pyramid – at TTPs and 
Tools – to ensure that the controls we build are as robust as possible, and can’t be bypassed by attackers. ",[],{},{"nodeType":2772,"data":3279,"content":3280},{},[],{"nodeType":1470,"data":3282,"content":3283},{},[3284],{"nodeType":1293,"value":3285,"marks":3286,"data":3287},"The power of the Push browser agent",[],{},{"nodeType":1294,"data":3289,"content":3290},{},[3291,3295,3300],{"nodeType":1293,"value":3292,"marks":3293,"data":3294},"You might ask: ",[],{},{"nodeType":1293,"value":3296,"marks":3297,"data":3299},"If it’s so simple, why hasn’t this been done yet?",[3298],{"type":1519},{},{"nodeType":1293,"value":3301,"marks":3302,"data":3303}," Well, before now, there was no good way of doing it! Teams simply didn’t have tools in the right place to be able to capture the level of data needed, or respond effectively (i.e. automatically, at the point of impact). ",[],{},{"nodeType":1294,"data":3305,"content":3306},{},[3307,3311,3318],{"nodeType":1293,"value":3308,"marks":3309,"data":3310},"This is where being in the browser comes into play. The browser is a great place to observe the behavior of a page in real time, without needing to reconstruct decrypted HTTP data post-TLS termination and try to guess what the rendered page in all its Javascript-infused glory actually does, ",[],{},{"nodeType":1340,"data":3312,"content":3313},{"uri":1564},[3314],{"nodeType":1293,"value":3315,"marks":3316,"data":3317},"as we’ve blogged about previously",[],{},{"nodeType":1293,"value":3319,"marks":3320,"data":3321},". As we’ve seen through the ability to not only detect but prevent phishing attacks, it’s also a great control enforcement point, as you’re able to intercept the user at the point of impact, and you sit as closely as possible to where their work typically happens – in the browser. 
",[],{},{"nodeType":1294,"data":3323,"content":3324},{},[3325],{"nodeType":1293,"value":3326,"marks":3327,"data":3328},"To illustrate how crucial the browser is to implementing controls that sit at the apex of the Pyramid of Pain, we created a modified version designed specifically for identity attacks. ",[],{},{"nodeType":1362,"data":3330,"content":3334},{"target":3331},{"sys":3332},{"id":3333,"type":1367,"linkType":1368},"HrK2xQak6KfjInDbeSgv8",[],{"nodeType":1362,"data":3336,"content":3340},{"target":3337},{"sys":3338},{"id":3339,"type":1367,"linkType":1368},"7kLilJ8Y08smUI9ttM3BSO",[],{"nodeType":2772,"data":3342,"content":3343},{},[],{"nodeType":1470,"data":3345,"content":3346},{},[3347],{"nodeType":1293,"value":3348,"marks":3349,"data":3350},"Conclusion",[],{},{"nodeType":1294,"data":3352,"content":3353},{},[3354],{"nodeType":1293,"value":3355,"marks":3356,"data":3357},"Hopefully, this blog post has shone a light on why we do things the way we do here at Push. The goal of building generic detections that are difficult, painful, and costly for attackers to bypass is a key part of our design strategy, and we look forward to sharing many more controls with you that demonstrate this in the future.",[],{},"Our design philosophy: Detecting what matters","This is the first blog in a short series we’re putting together about the ‘why’ behind the ‘what’ at Push. This entry is focused on threat detection. 
","2024-08-05T00:00:00.000Z","our-design-philosophy-detecting-what-matters",{"items":3363},[3364,3366],{"sys":3365,"name":1308},{"id":1307},{"sys":3367,"name":1312},{"id":1311},{"items":3369},[3370],{"fullName":3371,"firstName":3372,"jobTitle":3373,"profilePicture":3374},"Dan Green","Dan","Threat Research",{"url":3375},"https://images.ctfassets.net/y1cdw1ablpvd/7jik1VhFgA3kgzXBXTm2Vw/fcd8c171da644903d0827eafcfbcaad0/Dan_Headshot_2025.png",{"__typename":2705,"sys":3377,"content":3379,"title":3945,"synopsis":3946,"hashTags":118,"publishedDate":3947,"slug":3948,"tagsCollection":3949,"authorsCollection":3955},{"id":3378},"11C3shj5SlkS8sAd3AlYDp",{"json":3380},{"data":3381,"content":3382,"nodeType":1295},{},[3383,3402,3422,3429,3435,3442,3449,3456,3463,3472,3491,3498,3505,3512,3518,3525,3558,3565,3572,3579,3586,3592,3599,3606,3613,3644,3650,3657,3664,3695,3701,3708,3715,3722,3729,3735,3741,3748,3755,3762,3768,3775,3782,3789,3796,3815,3831,3837,3844,3851,3857,3864,3883,3889,3896,3923,3930,3937],{"data":3384,"content":3385,"nodeType":1294},{},[3386,3390,3398],{"data":3387,"marks":3388,"value":3389,"nodeType":1293},{},[],"It’s been well reported that ",{"data":3391,"content":3392,"nodeType":1340},{"uri":1399},[3393],{"data":3394,"marks":3395,"value":3397,"nodeType":1293},{},[3396],{"type":1348},"identity attacks are on the rise",{"data":3399,"marks":3400,"value":3401,"nodeType":1293},{},[],", and constantly evolving phishing tools and techniques are a big part of this. In particular, the increasing prevalence of MFA has led to AitM phishing attacks becoming much more common. 
The threat intelligence industry naturally wants to locate and shut down all the phishing servers – but the phishers are fighting back.",{"data":3403,"content":3404,"nodeType":1294},{},[3405,3409,3418],{"data":3406,"marks":3407,"value":3408,"nodeType":1293},{},[],"Before we dive into how AitM phishing kits evade detection, you should check out our earlier blog post on ‘",{"data":3410,"content":3412,"nodeType":1340},{"uri":3411},"https://pushsecurity.com/blog/phishing-2-0-how-phishing-toolkits-are-evolving-with-aitm/",[3413],{"data":3414,"marks":3415,"value":3417,"nodeType":1293},{},[3416],{"type":1348},"Phishing 2.0 – how phishing toolkits are evolving with AitM",{"data":3419,"marks":3420,"value":3421,"nodeType":1293},{},[],"’ if you want to get up to speed with what these toolkits are, and why attackers are using them more regularly. ",{"data":3423,"content":3424,"nodeType":1294},{},[3425],{"data":3426,"marks":3427,"value":3428,"nodeType":1293},{},[],"In this blog post, we’re going to look at a recent instance of the NakedPages AitM phishing toolkit and some of the steps it takes to frustrate detection and analysis. In particular, we’ll look at how malicious activity is obfuscated through the use of legitimate SaaS services. 
NakedPages uses a range of different techniques and so serves as a good case study as to how AitM toolkits are being designed to evade detection.",{"data":3430,"content":3434,"nodeType":1362},{"target":3431},{"sys":3432},{"id":3433,"type":1367,"linkType":1368},"2Qcn2nNRXVkdqqxGO8lDZf",[],{"data":3436,"content":3437,"nodeType":1294},{},[3438],{"data":3439,"marks":3440,"value":3441,"nodeType":1293},{},[],"Before we dive in, it’s useful to keep in mind that while there is a lot of complication here, most of this happens in seconds and is transparent to the intended victim accessing from a real browser.",{"data":3443,"content":3444,"nodeType":1470},{},[3445],{"data":3446,"marks":3447,"value":3448,"nodeType":1293},{},[],"Step 1: Cloudflare Workers for the initial gateway",{"data":3450,"content":3451,"nodeType":1294},{},[3452],{"data":3453,"marks":3454,"value":3455,"nodeType":1293},{},[],"A key feature of the NakedPages kit is that it has several stages and redirections and, in order for it to operate as intended, the target has to arrive at the beginning. The first step involves visiting a URL that is simply a Cloudflare Worker. Cloudflare Workers are a serverless execution environment, a bit like AWS lambdas.",{"data":3457,"content":3458,"nodeType":1294},{},[3459],{"data":3460,"marks":3461,"value":3462,"nodeType":1293},{},[],"The benefit to the attacker is that this gives them a highly reputable primary domain as it is one owned and operated by Cloudflare. Flagging recently registered or uncategorized/rare domains for further analysis won’t work for this. 
For example, the URL used in this instance was the following:",{"data":3464,"content":3465,"nodeType":1294},{},[3466],{"data":3467,"marks":3468,"value":3471,"nodeType":1293},{},[3469],{"type":3470},"code","hxxps://226028cc.502f135e3e036e726fba22d4.workers.dev",{"data":3473,"content":3474,"nodeType":1294},{},[3475,3479,3488],{"data":3476,"marks":3477,"value":3478,"nodeType":1293},{},[],"For other examples of Cloudflare Workers being abused for phishing, ",{"data":3480,"content":3482,"nodeType":1340},{"uri":3481},"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/its-raining-phish-and-scams-how-cloudflare-pages-dev-and-workers-dev-domains-get-abused/",[3483],{"data":3484,"marks":3485,"value":3487,"nodeType":1293},{},[3486],{"type":1348},"check out this blog post from Trustwave",{"data":3489,"marks":3490,"value":1572,"nodeType":1293},{},[],{"data":3492,"content":3493,"nodeType":1470},{},[3494],{"data":3495,"marks":3496,"value":3497,"nodeType":1293},{},[],"Step 2: Cloudflare Turnstile for bot detection",{"data":3499,"content":3500,"nodeType":1294},{},[3501],{"data":3502,"marks":3503,"value":3504,"nodeType":1293},{},[],"The only purpose of the Cloudflare Worker is to act as a bot gateway to prevent automated analysis getting further than this point. For this it uses Cloudflare Turnstile. Turnstile is a highly effective tool for detecting the difference between bots and human users as a replacement for CAPTCHAs used by websites across the world. ",{"data":3506,"content":3507,"nodeType":1294},{},[3508],{"data":3509,"marks":3510,"value":3511,"nodeType":1293},{},[],"If it doesn’t work transparently then you’ll probably see something like this:",{"data":3513,"content":3517,"nodeType":1362},{"target":3514},{"sys":3515},{"id":3516,"type":1367,"linkType":1368},"4XNxLbiZf3xUK1WeFDjjxl",[],{"data":3519,"content":3520,"nodeType":1294},{},[3521],{"data":3522,"marks":3523,"value":3524,"nodeType":1293},{},[],"However, who else wants to keep out the bots? 
Well, phishers of course! There are many sandbox environments and other automated platforms out there, visiting every URL they come across in the search for malicious behavior. This stops many of them in their tracks as they never get past the Turnstile check. ",{"data":3526,"content":3527,"nodeType":1294},{},[3528,3532,3541,3545,3554],{"data":3529,"marks":3530,"value":3531,"nodeType":1293},{},[],"Malicious use of Turnstile has become much more common now. Examples include other criminal kits ",{"data":3533,"content":3535,"nodeType":1340},{"uri":3534},"https://blog.sekoia.io/tycoon-2fa-an-in-depth-analysis-of-the-latest-version-of-the-aitm-phishing-kit/",[3536],{"data":3537,"marks":3538,"value":3540,"nodeType":1293},{},[3539],{"type":1348},"such as Tycoon",{"data":3542,"marks":3543,"value":3544,"nodeType":1293},{},[],", as well as ",{"data":3546,"content":3548,"nodeType":1340},{"uri":3547},"https://fin3ss3g0d.net/index.php/2024/04/08/evilgophishs-approach-to-advanced-bot-detection-with-cloudflare-turnstile/",[3549],{"data":3550,"marks":3551,"value":3553,"nodeType":1293},{},[3552],{"type":1348},"open-source phishing tools focused on red teaming",{"data":3555,"marks":3556,"value":3557,"nodeType":1293},{},[],". ",{"data":3559,"content":3560,"nodeType":1470},{},[3561],{"data":3562,"marks":3563,"value":3564,"nodeType":1293},{},[],"Step 3: Required URL parameters and custom auth headers",{"data":3566,"content":3567,"nodeType":1294},{},[3568],{"data":3569,"marks":3570,"value":3571,"nodeType":1293},{},[],"If you get past Turnstile, then you’ll finally be redirected to a more conventionally suspicious domain. However, you’ll need to supply the correct URL parameters and headers, or that request might behave differently. 
",{"data":3573,"content":3574,"nodeType":1294},{},[3575],{"data":3576,"marks":3577,"value":3578,"nodeType":1293},{},[],"Suspicious domains can be found and interrogated through other means, such as observing new domain registrations or certificate transparency logs. In this case, the phishers add other steps involving required URL parameters and custom headers. This means that a defender who knows the domain name can’t discover the malicious behavior just by making a simple HTTP(S) request to the domain.",{"data":3580,"content":3581,"nodeType":1294},{},[3582],{"data":3583,"marks":3584,"value":3585,"nodeType":1293},{},[],"The following code snippet shows how this operates. Bonus points for spotting how they actually forgot to implement their own RSA encryption function and instead send their “encrypted” user agents in clear text:",{"data":3587,"content":3591,"nodeType":1362},{"target":3588},{"sys":3589},{"id":3590,"type":1367,"linkType":1368},"45aif31bot9phquQPkz20p",[],{"data":3593,"content":3594,"nodeType":1470},{},[3595],{"data":3596,"marks":3597,"value":3598,"nodeType":1293},{},[],"Step 4: Requiring JavaScript execution",{"data":3600,"content":3601,"nodeType":1294},{},[3602],{"data":3603,"marks":3604,"value":3605,"nodeType":1293},{},[],"Another aspect of the previous step is that it requires JavaScript to execute. That means defensive techniques that simply make HTTP(S) requests and scrape content will not automatically be able to follow the link without allowing JavaScript execution. 
This forces the use of dynamic sandbox techniques that actually load a DOM, as it’s almost impossible for static analysis to generically solve this problem.",{"data":3607,"content":3608,"nodeType":1470},{},[3609],{"data":3610,"marks":3611,"value":3612,"nodeType":1293},{},[],"Step 5: Redirecting to legitimate domains",{"data":3614,"content":3615,"nodeType":1294},{},[3616,3620,3628,3632,3641],{"data":3617,"marks":3618,"value":3619,"nodeType":1293},{},[],"Attackers will also redirect to legitimate domains to mask their activity. Let’s say a defender has visited the attacker’s malicious domain without executing JavaScript or supplying the correct URL parameters. The attacker doesn’t want to activate their malicious phishing behavior at this point, so they need to do something benign instead. In this case, they simply redirect to ",{"data":3621,"content":3623,"nodeType":1340},{"uri":3622},"https://example.com",[3624],{"data":3625,"marks":3626,"value":3622,"nodeType":1293},{},[3627],{"type":1348},{"data":3629,"marks":3630,"value":3631,"nodeType":1293},{},[],". Interestingly, ",{"data":3633,"content":3635,"nodeType":1340},{"uri":3634},"https://www.youtube.com/watch?v=-W-LxcbUxI4&t=643s",[3636],{"data":3637,"marks":3638,"value":3640,"nodeType":1293},{},[3639],{"type":1348},"EvilProxy has also been seen redirecting to example.com too",{"data":3642,"marks":3643,"value":3148,"nodeType":1293},{},[],{"data":3645,"content":3649,"nodeType":1362},{"target":3646},{"sys":3647},{"id":3648,"type":1367,"linkType":1368},"450Y7W1uXVkKSps5y0xhBe",[],{"data":3651,"content":3652,"nodeType":1470},{},[3653],{"data":3654,"marks":3655,"value":3656,"nodeType":1293},{},[],"Step 6: HTTP referer header masking",{"data":3658,"content":3659,"nodeType":1294},{},[3660],{"data":3661,"marks":3662,"value":3663,"nodeType":1293},{},[],"Maintainers of legitimate websites often look at the HTTP referer header to see where they are being linked from. 
This is often a critical task for businesses, particularly for things like marketing. However, what if employees spot strange redirects coming in from suspicious looking domains like the ones used by this phishing kit? Perhaps they might investigate those domains and/or tip off relevant security vendors and organizations. ",{"data":3665,"content":3666,"nodeType":1294},{},[3667,3671,3679,3683,3691],{"data":3668,"marks":3669,"value":3670,"nodeType":1293},{},[],"Unless, of course, you were to use a service to mask the HTTP referrer – which is exactly what the phishing kit does in this case. NakedPages makes use of ",{"data":3672,"content":3674,"nodeType":1340},{"uri":3673},"https://href.li/",[3675],{"data":3676,"marks":3677,"value":3673,"nodeType":1293},{},[3678],{"type":1348},{"data":3680,"marks":3681,"value":3682,"nodeType":1293},{},[]," as a service to strip the referral to ensure the redirection is performed anonymously. Rather conveniently, it seems the default example that ",{"data":3684,"content":3686,"nodeType":1340},{"uri":3685},"https://href.li",[3687],{"data":3688,"marks":3689,"value":3685,"nodeType":1293},{},[3690],{"type":1348},{"data":3692,"marks":3693,"value":3694,"nodeType":1293},{},[]," uses is… example.com:",{"data":3696,"content":3700,"nodeType":1362},{"target":3697},{"sys":3698},{"id":3699,"type":1367,"linkType":1368},"78xFQwTG1r0YWGJ24iEdYP",[],{"data":3702,"content":3703,"nodeType":1470},{},[3704],{"data":3705,"marks":3706,"value":3707,"nodeType":1293},{},[],"Step 7: Loading balanced domains",{"data":3709,"content":3710,"nodeType":1294},{},[3711],{"data":3712,"marks":3713,"value":3714,"nodeType":1293},{},[],"You’re probably thinking: Step 7? Surely, if a victim’s browser has finally made it this far then the attackers would just serve up the malicious phishing content at this point, right? Well, we aren’t quite done yet. 
These initial gateway servers are one of the most important components to keep undetected, as existing phishing campaigns and (as yet unread) emails will be leading to them.",{"data":3716,"content":3717,"nodeType":1294},{},[3718],{"data":3719,"marks":3720,"value":3721,"nodeType":1293},{},[],"Once we get to the more obviously malicious phishing activity, there is a higher chance of detection and user reports. In this case the phishing kit actually retrieves a new URL to redirect to, along with a suitable JWT authentication parameter. The benefit of this is that when URLs/hostnames get flagged as malicious, blocked or otherwise taken down, the phishing kit can just redirect to other hostnames, and the attackers can keep updating with new URLs over time. ",{"data":3723,"content":3724,"nodeType":1294},{},[3725],{"data":3726,"marks":3727,"value":3728,"nodeType":1293},{},[],"Below we can see an example of the response containing a URL, with a JWT auth parameter:",{"data":3730,"content":3734,"nodeType":1362},{"target":3731},{"sys":3732},{"id":3733,"type":1367,"linkType":1368},"4NpH7V5oEdTASNNJsqCJ47",[],{"data":3736,"content":3740,"nodeType":1362},{"target":3737},{"sys":3738},{"id":3739,"type":1367,"linkType":1368},"7oqkrhNXtyOlJMEz0BZyLo",[],{"data":3742,"content":3743,"nodeType":1294},{},[3744],{"data":3745,"marks":3746,"value":3747,"nodeType":1293},{},[],"Automating this request in this example brings back around 20 different primary domains used for the final phishing attack. These domains are rotated over time as some are blocked and new ones are created.",{"data":3749,"content":3750,"nodeType":1470},{},[3751],{"data":3752,"marks":3753,"value":3754,"nodeType":1293},{},[],"Step 8: Breaking login page signatures",{"data":3756,"content":3757,"nodeType":1294},{},[3758],{"data":3759,"marks":3760,"value":3761,"nodeType":1293},{},[],"If all the previous checks have passed then a victim user is finally presented with a phishing page. 
The attacker has most closely emulated the sign-on page for live.com for Outlook in this case, though it also has some aspects from a business Microsoft login too, as we can see in the examples below:",{"data":3763,"content":3767,"nodeType":1362},{"target":3764},{"sys":3765},{"id":3766,"type":1367,"linkType":1368},"2Ez0fgAlmkrisdQGWfL6CV",[],{"data":3769,"content":3770,"nodeType":1294},{},[3771],{"data":3772,"marks":3773,"value":3774,"nodeType":1293},{},[],"However, one obvious change can be seen in the HTML title in the tab header. This normally says something like “Sign in to Outlook” or “Sign in to your account”. In this case, the phishing kit has randomized the HTML title. \n\nOne super easy way to detect websites pretending to be common login pages that have 1:1 cloned the website or are performing full reverse proxy AitM techniques would be to search for obvious HTML content like this. Not many legitimate websites should have an HTML title of “Sign in to Outlook” other than Microsoft’s own legitimate domains for it, right?",{"data":3776,"content":3777,"nodeType":1294},{},[3778],{"data":3779,"marks":3780,"value":3781,"nodeType":1293},{},[],"Taking a closer look, we’ll see that the HTML, DOM and JavaScript etc. differ quite significantly from the true login pages, even if the visual appearance is very similar. 
One reason for this is to make it harder for defenders to simply signature on specific aspects of commonly spoofed login pages.",{"data":3783,"content":3784,"nodeType":1470},{},[3785],{"data":3786,"marks":3787,"value":3788,"nodeType":1293},{},[],"Step 9: B2B targeting",{"data":3790,"content":3791,"nodeType":1294},{},[3792],{"data":3793,"marks":3794,"value":3795,"nodeType":1293},{},[],"The final interesting aspect of this particular example is that it modifies its behavior during the login process depending on whether a personal Microsoft account or an organization account is used.",{"data":3797,"content":3798,"nodeType":1294},{},[3799,3803,3811],{"data":3800,"marks":3801,"value":3802,"nodeType":1293},{},[],"When entering an email address associated with a personal Microsoft account, or picking ‘personal account’ when prompted after entering an email address that is used for both purposes, the server will return a 302 redirect and send the user to ",{"data":3804,"content":3806,"nodeType":1340},{"uri":3805},"https://login.live.com/",[3807],{"data":3808,"marks":3809,"value":3805,"nodeType":1293},{},[3810],{"type":1348},{"data":3812,"marks":3813,"value":3814,"nodeType":1293},{},[]," where they can then re-enter their credentials and login to Microsoft legitimately if they continue. This reduces the potential for detection further as no AitM phishing login will actually occur.",{"data":3816,"content":3817,"nodeType":1294},{},[3818,3822,3827],{"data":3819,"marks":3820,"value":3821,"nodeType":1293},{},[],"On the other hand, when using an organization account the phishing process continues as expected. ",{"data":3823,"marks":3824,"value":3826,"nodeType":1293},{},[3825],{"type":1519},"This phishing campaign is exclusively targeting corp accounts",{"data":3828,"marks":3829,"value":3830,"nodeType":1293},{},[]," and you could almost say it has a B2B (or is that A2B?) rather than B2C business model.  
",{"data":3832,"content":3833,"nodeType":1470},{},[3834],{"data":3835,"marks":3836,"value":3348,"nodeType":1293},{},[],{"data":3838,"content":3839,"nodeType":1294},{},[3840],{"data":3841,"marks":3842,"value":3843,"nodeType":1293},{},[],"As you may have guessed from the extremely suspicious domains in use and examples of sloppy coding (like forgetting to implement an encryption function) the NakedPages kit is far from sophisticated. Despite this, the tricks that attackers are using to make detection and analysis more difficult seem to be quite effective when used in a layered model. ",{"data":3845,"content":3846,"nodeType":1294},{},[3847],{"data":3848,"marks":3849,"value":3850,"nodeType":1293},{},[],"For example, at the time of writing this particular Worker had been up for at least two days and was currently only triggering 1 detection on VirusTotal. ",{"data":3852,"content":3856,"nodeType":1362},{"target":3853},{"sys":3854},{"id":3855,"type":1367,"linkType":1368},"1mIOpDtmgcMasK6dEhRHsm",[],{"data":3858,"content":3859,"nodeType":1294},{},[3860],{"data":3861,"marks":3862,"value":3863,"nodeType":1293},{},[],"One key takeaway is that it’s near impossible to stay on top of all the phishing servers on the internet. Even the untargeted mass campaigns will initially be missed by TI feeds, let alone the targeted ones. ",{"data":3865,"content":3866,"nodeType":1294},{},[3867,3871,3879],{"data":3868,"marks":3869,"value":3870,"nodeType":1293},{},[],"The best foot forward for resilience against these attacks is through the use of domain-bound MFA methods like WebAuthn. Common MFA methods like OTPs, SMS, push notifications etc. are routinely bypassed using ",{"data":3872,"content":3873,"nodeType":1340},{"uri":3411},[3874],{"data":3875,"marks":3876,"value":3878,"nodeType":1293},{},[3877],{"type":1348},"AitM techniques that proxy the MFA authentication as well",{"data":3880,"marks":3881,"value":3882,"nodeType":1293},{},[],". 
Even if you are one of the few who use phishing-resistant MFA methods like WebAuthn or other passkeys, the devil is in the detail and we’ve seen MFA downgrade attacks being used to bypass them by choosing a phishable method that’s also active.",{"data":3884,"content":3888,"nodeType":1362},{"target":3885},{"sys":3886},{"id":3887,"type":1367,"linkType":1368},"17lSgRFD6fDzRUn9eOHJg6",[],{"data":3890,"content":3891,"nodeType":1470},{},[3892],{"data":3893,"marks":3894,"value":3895,"nodeType":1293},{},[],"P.S. How did we detect this?",{"data":3897,"content":3898,"nodeType":1294},{},[3899,3903,3908,3912,3920],{"data":3900,"marks":3901,"value":3902,"nodeType":1293},{},[],"After all that, you might be wondering how we managed to automate a process to generically pass through all these detection evasion techniques – ",{"data":3904,"marks":3905,"value":3907,"nodeType":1293},{},[3906],{"type":1519},"well the short answer is: We didn’t.",{"data":3909,"marks":3910,"value":3911,"nodeType":1293},{},[]," Instead, we detected the act of an employee ",{"data":3913,"content":3914,"nodeType":1340},{"uri":1698},[3915],{"data":3916,"marks":3917,"value":3919,"nodeType":1293},{},[3918],{"type":1348},"attempting to put their Microsoft password into a website that wasn’t Microsoft",{"data":3921,"marks":3922,"value":1572,"nodeType":1293},{},[],{"data":3924,"content":3925,"nodeType":1294},{},[3926],{"data":3927,"marks":3928,"value":3929,"nodeType":1293},{},[],"The TTP for phishing is effectively “trick someone into putting their valid credentials into the wrong site” – so detecting that behavior directly (the action of entering a legit password into the wrong site) can be a lot simpler and more effective than playing the cat-and-mouse detection → detection-evasion game.",{"data":3931,"content":3932,"nodeType":1294},{},[3933],{"data":3934,"marks":3935,"value":3936,"nodeType":1293},{},[],"Having said that, if you’re interested, here are the domain IOCs for this 
campaign:",{"data":3938,"content":3939,"nodeType":1294},{},[3940],{"data":3941,"marks":3942,"value":3944,"nodeType":1293},{},[3943],{"type":3470},"226028cc[.]502f135e3e036e726fba22d4[.]workers[.]dev\nacevoorgukmembership[.]buzz\nalerteditorroyalsocietyorgnz[.]buzz\nandymarshallsgeniuslocidigestghostiomghostio[.]buzz\nblogresponseinsperitycom[.]buzz\ncampaigneventbritecomnoreply[.]buzz\ncharityexcellencer1technologytrustnewsorg[.]buzz\nclerkenwelldesignweekcomnoreply[.]buzz\nconfirminfothetrainlinecomauto[.]buzz\nhealthestatejournalcomnoreply[.]buzz\nmentalhealthdesignandbuildcomnoreply[.]buzz\nnoreplynotificationswhoopcom[.]buzz\nstepexhibitionscomeventsupport[.]buzz\ntheathletice1theathleticcom[.]buzz\nthekakahoonssubstackcom[.]buzz","How AitM phishing kits evade detection","Taking a closer look at the steps that AitM phishing kits take to hide from the prying eyes of security teams and threat intelligence vendors.","2024-07-23T00:00:00.000Z","how-aitm-phishing-kits-evade-detection",{"items":3950},[3951,3953],{"sys":3952,"name":1308},{"id":1307},{"sys":3954,"name":1312},{"id":1311},{"items":3956},[3957],{"fullName":3958,"firstName":3959,"jobTitle":3960,"profilePicture":3961},"Luke Jennings","Luke","Vice President, 
R&D",{"url":3962},"https://images.ctfassets.net/y1cdw1ablpvd/4Hosb4zKi1dA0PUyDLMe1h/27e09d894861f2196ba794037986fb08/T016S22KZ96-U02NVQM7ZD4-57761d542d83-512.jpeg",{"__typename":2705,"sys":3964,"content":3966,"title":4762,"synopsis":4763,"hashTags":118,"publishedDate":4764,"slug":4765,"tagsCollection":4766,"authorsCollection":4772},{"id":3965},"6VZQJzQ2FNetGNMEjiuXB2",{"json":3967},{"nodeType":1295,"data":3968,"content":3969},{},[3970,3977,3984,3991,3998,4005,4012,4018,4037,4044,4089,4096,4103,4148,4168,4175,4182,4189,4209,4229,4236,4269,4276,4296,4303,4310,4342,4362,4369,4375,4382,4389,4396,4403,4410,4417,4424,4431,4438,4445,4452,4459,4475,4482,4553,4560,4567,4596,4611,4618,4625,4632,4665,4685,4692,4699,4706,4713,4732,4750,4756],{"nodeType":1294,"data":3971,"content":3972},{},[3973],{"nodeType":1293,"value":3974,"marks":3975,"data":3976},"Our goal at Push is simple — to stop identity attacks. Today, the vast majority of identity vulnerabilities exist in the context of SaaS apps. ",[],{},{"nodeType":1294,"data":3978,"content":3979},{},[3980],{"nodeType":1293,"value":3981,"marks":3982,"data":3983},"The reasons for this are clear: Security teams have reduced central oversight and control over SaaS apps than they are used to, these apps exist in large numbers per company, and the identities that are used to access these apps are... complicated, to say the least. Securing hundreds of apps, with thousands of associated identities, is therefore no mean feat. ",[],{},{"nodeType":1294,"data":3985,"content":3986},{},[3987],{"nodeType":1293,"value":3988,"marks":3989,"data":3990},"Securing SaaS use means building controls that are easy to use, easy to understand — and ultimately effective. 
Not just effective against the hand-wavy concept of “SaaS attacks,” but specific techniques — the most common techniques that are likely to cause real damage.",[],{},{"nodeType":1294,"data":3992,"content":3993},{},[3994],{"nodeType":1293,"value":3995,"marks":3996,"data":3997},"To talk about this, we need to have a shared understanding of what these techniques are. To get that conversation going, we’ve pulled together all the techniques we're aware of, and our research team has even added a bunch of new ones.",[],{},{"nodeType":1470,"data":3999,"content":4000},{},[4001],{"nodeType":1293,"value":4002,"marks":4003,"data":4004},"The SaaS attack matrix",[],{},{"nodeType":1294,"data":4006,"content":4007},{},[4008],{"nodeType":1293,"value":4009,"marks":4010,"data":4011},"We’ve taken inspiration from the MITRE ATT&CK framework (certainly intended as the sincerest form of flattery), but wanted to make a conscious break away from the endpoint-focused ATT&CK techniques and instead focus on techniques that are SaaS-specific. 
In fact, these techniques don’t touch endpoints (so they bypass EDR) or customer networks (so they bypass network detection) — so we’re calling them networkless attacks.",[],{},{"nodeType":1362,"data":4013,"content":4017},{"target":4014},{"sys":4015},{"id":4016,"type":1367,"linkType":1368},"768Zv5gTVHyu5rbzJAzL4F",[],{"nodeType":1294,"data":4019,"content":4020},{},[4021,4025,4034],{"nodeType":1293,"value":4022,"marks":4023,"data":4024},"You can find more detailed descriptions of these techniques (and hopefully PRs for some we missed) on ",[],{},{"nodeType":1340,"data":4026,"content":4028},{"uri":4027},"https://github.com/pushsecurity/saas-attacks",[4029],{"nodeType":1293,"value":4030,"marks":4031,"data":4033},"GitHub",[4032],{"type":1348},{},{"nodeType":1293,"value":1572,"marks":4035,"data":4036},[],{},{"nodeType":1294,"data":4038,"content":4039},{},[4040],{"nodeType":1293,"value":4041,"marks":4042,"data":4043},"Since we’re not targeting endpoints, let’s talk about the new targets: The accounts/identities on SaaS apps. We found it was useful to think about these identities not as standalone isolated islands — but much more like a graph; less a single web-server on the internet and more like many Windows endpoints on an Active Directory. ",[],{},{"nodeType":1294,"data":4045,"content":4046},{},[4047,4051,4060,4063,4072,4076,4085],{"nodeType":1293,"value":4048,"marks":4049,"data":4050},"You can leverage this access to an identity on a trusted platform to target (so laterally move or escalate privilege to) other users or identities. 
For example, attacks like using access to SaaS apps to ",[],{},{"nodeType":1340,"data":4052,"content":4054},{"uri":4053},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/in-app_phishing/description.md",[4055],{"nodeType":1293,"value":4056,"marks":4057,"data":4059},"phish other employees through comments",[4058],{"type":1348},{},{"nodeType":1293,"value":1814,"marks":4061,"data":4062},[],{},{"nodeType":1340,"data":4064,"content":4066},{"uri":4065},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/im_user_spoofing/description.md",[4067],{"nodeType":1293,"value":4068,"marks":4069,"data":4071},"spoofing users on IM platforms",[4070],{"type":1348},{},{"nodeType":1293,"value":4073,"marks":4074,"data":4075}," to social engineer them there — or perhaps ",[],{},{"nodeType":1340,"data":4077,"content":4079},{"uri":4078},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/link_backdooring/description.md",[4080],{"nodeType":1293,"value":4081,"marks":4082,"data":4084},"backdooring links",[4083],{"type":1348},{},{"nodeType":1293,"value":4086,"marks":4087,"data":4088}," in documents.",[],{},{"nodeType":1294,"data":4090,"content":4091},{},[4092],{"nodeType":1293,"value":4093,"marks":4094,"data":4095},"In this case, unusually, it’s not the data in these hundreds of SaaS apps that create risk, and you need to consider low-risk (from a data perspective) apps as a vector to pivot to higher-risk apps in your estate.",[],{},{"nodeType":1617,"data":4097,"content":4098},{},[4099],{"nodeType":1293,"value":4100,"marks":4101,"data":4102},"Initial access and poisoned tenants",[],{},{"nodeType":1294,"data":4104,"content":4105},{},[4106,4110,4119,4122,4131,4135,4144],{"nodeType":1293,"value":4107,"marks":4108,"data":4109},"Attacks like 
",[],{},{"nodeType":1340,"data":4111,"content":4113},{"uri":4112},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/credential_stuffing/description.md",[4114],{"nodeType":1293,"value":4115,"marks":4116,"data":4118},"credential stuffing",[4117],{"type":1348},{},{"nodeType":1293,"value":1814,"marks":4120,"data":4121},[],{},{"nodeType":1340,"data":4123,"content":4125},{"uri":4124},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/email_phishing/description.md",[4126],{"nodeType":1293,"value":4127,"marks":4128,"data":4130},"email phishing",[4129],{"type":1348},{},{"nodeType":1293,"value":4132,"marks":4133,"data":4134}," that get you initial access to SaaS apps are fairly well known — because they work and are widely used. We’re also starting to see tools and attacks that suggest that ",[],{},{"nodeType":1340,"data":4136,"content":4138},{"uri":4137},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/im_phishing/description.md",[4139],{"nodeType":1293,"value":4140,"marks":4141,"data":4143},"phishing employees through these IM apps",[4142],{"type":1348},{},{"nodeType":1293,"value":4145,"marks":4146,"data":4147}," is about to go mainstream.",[],{},{"nodeType":1294,"data":4149,"content":4150},{},[4151,4155,4164],{"nodeType":1293,"value":4152,"marks":4153,"data":4154},"Another interesting attack is a spin on the classic waterhole attack called a ",[],{},{"nodeType":1340,"data":4156,"content":4158},{"uri":4157},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/poisoned_tenants/description.md",[4159],{"nodeType":1293,"value":4160,"marks":4161,"data":4163},"poisoned tenant",[4162],{"type":1348},{},{"nodeType":1293,"value":4165,"marks":4166,"data":4167},". Rather than attacking a customer tenant for a SaaS app, the attacker lures employees into joining an attacker-controlled tenant. 
",[],{},{"nodeType":1294,"data":4169,"content":4170},{},[4171],{"nodeType":1293,"value":4172,"marks":4173,"data":4174},"SaaS apps allow anyone to name app tenants (a.k.a. spaces, teams, or instances) anything they like — including your company name. Attackers send invites to your employees from within the app with a customized message explaining why they should join this new tenant (or sign up to the app if they are not already a user). ",[],{},{"nodeType":1294,"data":4176,"content":4177},{},[4178],{"nodeType":1293,"value":4179,"marks":4180,"data":4181},"Attackers might even pay for premium licenses in the app to further entice employees to join. The attacker then waits for the employee to upload sensitive data or create integrations with other company apps containing crown jewels.",[],{},{"nodeType":1617,"data":4183,"content":4184},{},[4185],{"nodeType":1293,"value":4186,"marks":4187,"data":4188},"Living-off-the-(SaaS)-land to persist and avoid detection",[],{},{"nodeType":1294,"data":4190,"content":4191},{},[4192,4196,4205],{"nodeType":1293,"value":4193,"marks":4194,"data":4195},"In the endpoint world, a favorite technique is the use of legit OS utilities or ",[],{},{"nodeType":1340,"data":4197,"content":4199},{"uri":4198},"https://lolbas-project.github.io",[4200],{"nodeType":1293,"value":4201,"marks":4202,"data":4204},"LOLBaS",[4203],{"type":1348},{},{"nodeType":1293,"value":4206,"marks":4207,"data":4208}," (Living-Off-the-Land Binaries and Scripts), which are often signed Microsoft utilities. Perhaps the most well-known example is executing scripts through PowerShell rather than building custom malware. 
That isn’t as useful these days, but there was a time when PowerShell was routinely used to bypass AV, EDR, and even app allow-listing.",[],{},{"nodeType":1294,"data":4210,"content":4211},{},[4212,4216,4225],{"nodeType":1293,"value":4213,"marks":4214,"data":4215},"In that same living-off-the-land mindset, an attacker trying to maintain access to each SaaS app they compromise using custom OAuth integration apps might instead choose to use legit SaaS apps that specialize in workflow automation to create ",[],{},{"nodeType":1340,"data":4217,"content":4219},{"uri":4218},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/shadow_workflows/description.md",[4220],{"nodeType":1293,"value":4221,"marks":4222,"data":4224},"shadow workflows",[4223],{"type":1348},{},{"nodeType":1293,"value":4226,"marks":4227,"data":4228},". Utilizing legit SaaS apps also means they can hide in plain sight from incident responders, instead of having to rely on unverified or unpublished integrations.",[],{},{"nodeType":1294,"data":4230,"content":4231},{},[4232],{"nodeType":1293,"value":4233,"marks":4234,"data":4235},"Perhaps the best example here is using a well-known automation app like Zapier, which claims to have more than 5,000 integrations. These integrations are often verified, approved, and connected to a trusted vendor (Zapier). 
An attacker might create workflows to:",[],{},{"nodeType":1505,"data":4237,"content":4238},{},[4239,4249,4259],{"nodeType":1509,"data":4240,"content":4241},{},[4242],{"nodeType":1294,"data":4243,"content":4244},{},[4245],{"nodeType":1293,"value":4246,"marks":4247,"data":4248},"Do daily data exfiltration from a victim’s data lake.",[],{},{"nodeType":1509,"data":4250,"content":4251},{},[4252],{"nodeType":1294,"data":4253,"content":4254},{},[4255],{"nodeType":1293,"value":4256,"marks":4257,"data":4258},"Configure a webhook that adds malicious accounts to a GitHub repo on demand.",[],{},{"nodeType":1509,"data":4260,"content":4261},{},[4262],{"nodeType":1294,"data":4263,"content":4264},{},[4265],{"nodeType":1293,"value":4266,"marks":4267,"data":4268},"Automatically find and replace bank account numbers in emails to the finance team.",[],{},{"nodeType":1294,"data":4270,"content":4271},{},[4272],{"nodeType":1293,"value":4273,"marks":4274,"data":4275},"All appear as legitimate Zapier integrations. 
But, before you put in alerts specifically for Zapier, know that it’s one of dozens of apps that support these kinds of offensive workflows.",[],{},{"nodeType":1294,"data":4277,"content":4278},{},[4279,4283,4292],{"nodeType":1293,"value":4280,"marks":4281,"data":4282},"A sneaky attacker might go further and use an ",[],{},{"nodeType":1340,"data":4284,"content":4286},{"uri":4285},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/evil_twin_integrations/description.md",[4287],{"nodeType":1293,"value":4288,"marks":4289,"data":4291},"evil twin integration",[4290],{"type":1348},{},{"nodeType":1293,"value":4293,"marks":4294,"data":4295}," to make another instance of an existing integration — making this backdoor almost impossible to discover.",[],{},{"nodeType":1617,"data":4297,"content":4298},{},[4299],{"nodeType":1293,"value":4300,"marks":4301,"data":4302},"Features or vulnerabilities?",[],{},{"nodeType":1294,"data":4304,"content":4305},{},[4306],{"nodeType":1293,"value":4307,"marks":4308,"data":4309},"When looking for attack techniques, you’re typically going after features that have weaknesses you can abuse rather than bugs in a single app that will be patched. ",[],{},{"nodeType":1294,"data":4311,"content":4312},{},[4313,4317,4326,4329,4338],{"nodeType":1293,"value":4314,"marks":4315,"data":4316},"It’s pretty common for SaaS apps to skip email verification or allow multiple simultaneous authentication methods. Both of these are conscious design choices in the name of lowering the friction of account creation and reducing customer support. 
However, these features make techniques like ",[],{},{"nodeType":1340,"data":4318,"content":4320},{"uri":4319},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/account_ambushing/description.md",[4321],{"nodeType":1293,"value":4322,"marks":4323,"data":4325},"account ambushing",[4324],{"type":1348},{},{"nodeType":1293,"value":1814,"marks":4327,"data":4328},[],{},{"nodeType":1340,"data":4330,"content":4332},{"uri":4331},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/ghost_logins/description.md",[4333],{"nodeType":1293,"value":4334,"marks":4335,"data":4337},"ghost logins",[4336],{"type":1348},{},{"nodeType":1293,"value":4339,"marks":4340,"data":4341}," possible. If these attacks become widespread, these design choices might come to be seen as bugs rather than as positive features for users.",[],{},{"nodeType":1294,"data":4343,"content":4344},{},[4345,4349,4358],{"nodeType":1293,"value":4346,"marks":4347,"data":4348},"In other cases, the bugs are serious enough and hard enough to patch that they’re worth noting as a technique. The recently disclosed (and perfectly named) ",[],{},{"nodeType":1340,"data":4350,"content":4352},{"uri":4351},"https://www.descope.com/blog/post/noauth",[4353],{"nodeType":1293,"value":4354,"marks":4355,"data":4357},"nOAuth",[4356],{"type":1348},{},{"nodeType":1293,"value":4359,"marks":4360,"data":4361}," bug fits this bill. 
",[],{},{"nodeType":1294,"data":4363,"content":4364},{},[4365],{"nodeType":1293,"value":4366,"marks":4367,"data":4368},"The bug arises from a confusion between an email identity and email metadata field in Microsoft integrations and without a central fix from MS (the fix isn’t trivial), these bugs are likely to be discovered and re-occur on third-party OAuth apps for a while to come.",[],{},{"nodeType":1362,"data":4370,"content":4374},{"target":4371},{"sys":4372},{"id":4373,"type":1367,"linkType":1368},"6iKFd9Qys2SSuNqKVQB7ka",[],{"nodeType":1470,"data":4376,"content":4377},{},[4378],{"nodeType":1293,"value":4379,"marks":4380,"data":4381},"The SaaS market is driving these offensive techniques",[],{},{"nodeType":1294,"data":4383,"content":4384},{},[4385],{"nodeType":1293,"value":4386,"marks":4387,"data":4388},"SaaS apps are basically web apps that are run in the cloud and accessed from endpoints, so then WebApp, endpoint, and cloud security should cover all of SaaS, right? ",[],{},{"nodeType":1294,"data":4390,"content":4391},{},[4392],{"nodeType":1293,"value":4393,"marks":4394,"data":4395},"That was our assumption when we started, but what we found instead was that SaaS marketing practices are driving a lot of pretty interesting techniques that you don’t run into in standalone web apps.",[],{},{"nodeType":1617,"data":4397,"content":4398},{},[4399],{"nodeType":1293,"value":4400,"marks":4401,"data":4402},"Modern SaaS is easy to adopt, easy to use, low friction, low cost, low overhead",[],{},{"nodeType":1294,"data":4404,"content":4405},{},[4406],{"nodeType":1293,"value":4407,"marks":4408,"data":4409},"Making apps easy to sign up for and low effort to support means you need to make some interesting choices when it comes to designing account creation and recovery flows. 
",[],{},{"nodeType":1294,"data":4411,"content":4412},{},[4413],{"nodeType":1293,"value":4414,"marks":4415,"data":4416},"Many apps allow users to sign into apps using multiple methods, easily invite collaborators (internal and external) and avoid any additional friction during the signup process. ",[],{},{"nodeType":1294,"data":4418,"content":4419},{},[4420],{"nodeType":1293,"value":4421,"marks":4422,"data":4423},"For example, many apps avoid verifying new account email addresses. This is not laziness, these are conscious design choices — not driven by security clearly, but not accidents.",[],{},{"nodeType":1617,"data":4425,"content":4426},{},[4427],{"nodeType":1293,"value":4428,"marks":4429,"data":4430},"Modern SaaS is highly integrated",[],{},{"nodeType":1294,"data":4432,"content":4433},{},[4434],{"nodeType":1293,"value":4435,"marks":4436,"data":4437},"Most SaaS apps are trying to build app marketplaces or perform well in other apps' marketplaces (often both), and it’s rare these days to find apps that don’t integrate with other apps. ",[],{},{"nodeType":1294,"data":4439,"content":4440},{},[4441],{"nodeType":1293,"value":4442,"marks":4443,"data":4444},"OAuth has become the de facto standard protocol for doing this, and most users have become quite used to approving OAuth2.0 consent flows. These integrations have opened up lots of incredibly useful doors for attackers to persist access and move laterally across SaaS apps that few incident response teams have run into yet. These tokens don’t expire when you reset passwords, aren’t protected by MFA, and actions they performed are rarely logged. 
",[],{},{"nodeType":1294,"data":4446,"content":4447},{},[4448],{"nodeType":1293,"value":4449,"marks":4450,"data":4451},"These are not bugs or oversights but rather a consequence of how these APIs are intended to be used (by machines, not human adversaries).",[],{},{"nodeType":1470,"data":4453,"content":4454},{},[4455],{"nodeType":1293,"value":4456,"marks":4457,"data":4458},"Problems with observing SaaS attacks ",[],{},{"nodeType":1294,"data":4460,"content":4461},{},[4462,4466,4471],{"nodeType":1293,"value":4463,"marks":4464,"data":4465},"This research begs one question above others: ",[],{},{"nodeType":1293,"value":4467,"marks":4468,"data":4470},"“Are we seeing these attacks in the wild?",[4469],{"type":312},{},{"nodeType":1293,"value":4472,"marks":4473,"data":4474},"” ",[],{},{"nodeType":1617,"data":4476,"content":4477},{},[4478],{"nodeType":1293,"value":4479,"marks":4480,"data":4481},"Yes, definitely",[],{},{"nodeType":1294,"data":4483,"content":4484},{},[4485,4489,4498,4501,4510,4514,4523,4527,4536,4540,4549],{"nodeType":1293,"value":4486,"marks":4487,"data":4488},"For some of the better-known techniques, like credential stuffing and email phishing, the answer is an easy yes. Stats from ",[],{},{"nodeType":1340,"data":4490,"content":4492},{"uri":4491},"https://www.microsoft.com/en-us/security/blog/2023/05/04/how-microsoft-can-help-you-go-passwordless-this-world-password-day/",[4493],{"nodeType":1293,"value":4494,"marks":4495,"data":4497},"Microsoft (1,287 password attacks every second)",[4496],{"type":1348},{},{"nodeType":1293,"value":1814,"marks":4499,"data":4500},[],{},{"nodeType":1340,"data":4502,"content":4504},{"uri":4503},"https://auth0.com/blog/top-insights-from-our-2022-state-of-secure-identity-report/",[4505],{"nodeType":1293,"value":4506,"marks":4507,"data":4509},"Auth0 (a third of their traffic is credential stuffing)",[4508],{"type":1348},{},{"nodeType":1293,"value":4511,"marks":4512,"data":4513}," speaks volumes. 
Other sources like the ",[],{},{"nodeType":1340,"data":4515,"content":4517},{"uri":4516},"https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2022/cyber-security-breaches-survey-2022",[4518],{"nodeType":1293,"value":4519,"marks":4520,"data":4522},"NCSC's Cyber Security Breaches Survey 2022",[4521],{"type":1348},{},{"nodeType":1293,"value":4524,"marks":4525,"data":4526}," and the ",[],{},{"nodeType":1340,"data":4528,"content":4530},{"uri":4529},"https://www.verizon.com/business/resources/reports/dbir/",[4531],{"nodeType":1293,"value":4532,"marks":4533,"data":4535},"Verizon 2023 Data Breach Investigations Report",[4534],{"type":1348},{},{"nodeType":1293,"value":4537,"marks":4538,"data":4539}," suggest that phishing is also a major cause of SaaS breaches. Anecdotal reports from colleagues in the Incident Response field suggest that malicious mail forwarding rules are seen a lot, something which is supported by the ",[],{},{"nodeType":1340,"data":4541,"content":4543},{"uri":4542},"https://expel.com/expel-quarterly-threat-report/",[4544],{"nodeType":1293,"value":4545,"marks":4546,"data":4548},"Expel Quarterly Threat Report for Q1 2023",[4547],{"type":1348},{},{"nodeType":1293,"value":4550,"marks":4551,"data":4552}," (see page 6).",[],{},{"nodeType":1294,"data":4554,"content":4555},{},[4556],{"nodeType":1293,"value":4557,"marks":4558,"data":4559},"The takeaway is that the current focus for defenders should be to ensure users have good phishing-resistant account security in place — make sure you have basics like strong unique passwords and MFA in place across your entire SaaS estate. Bear in mind that not all MFA is phishing-resistant: one-time codes and push approvals can still be relayed by a phishing proxy, while passkeys and FIDO2 security keys are bound to the real site’s origin.",[],{},{"nodeType":1617,"data":4561,"content":4562},{},[4563],{"nodeType":1293,"value":4564,"marks":4565,"data":4566},"For newer OAuth attacks, it’s a lot less clear …",[],{},{"nodeType":1294,"data":4568,"content":4569},{},[4570,4574,4579,4583,4592],{"nodeType":1293,"value":4571,"marks":4572,"data":4573},"Other techniques like consent phishing have been discussed in some 
breach disclosures like the ",[],{},{"nodeType":1293,"value":4575,"marks":4576,"data":4578},"2020 SANS breach",[4577],{"type":1348},{},{"nodeType":1293,"value":4580,"marks":4581,"data":4582},". These OAuth techniques also pop up in the news (for example, the ",[],{},{"nodeType":1340,"data":4584,"content":4586},{"uri":4585},"https://www.bleepingcomputer.com/news/security/github-how-stolen-oauth-tokens-helped-breach-dozens-of-orgs/",[4587],{"nodeType":1293,"value":4588,"marks":4589,"data":4591},"2022 Github/Heroku/Travis-CI breach",[4590],{"type":1348},{},{"nodeType":1293,"value":4593,"marks":4594,"data":4595}," where GitHub accounts were breached using stolen Heroku and Travis-CI OAuth tokens). ",[],{},{"nodeType":1294,"data":4597,"content":4598},{},[4599,4603,4608],{"nodeType":1293,"value":4600,"marks":4601,"data":4602},"That said, none of these techniques come up as frequently as their usefulness would suggest. This means one of two things: ",[],{},{"nodeType":1293,"value":4604,"marks":4605,"data":4607},"Either attackers aren’t yet using them widely, or they are and we aren’t detecting them",[4606],{"type":312},{},{"nodeType":1293,"value":1572,"marks":4609,"data":4610},[],{},{"nodeType":1294,"data":4612,"content":4613},{},[4614],{"nodeType":1293,"value":4615,"marks":4616,"data":4617},"There is certainly a case to be made that attackers simply don’t need these newer techniques yet. 
Many organizations don’t have a way of discovering SaaS use in their organization yet, never mind breached accounts, so new persistence techniques might be a bit more than necessary at the moment.",[],{},{"nodeType":1617,"data":4619,"content":4620},{},[4621],{"nodeType":1293,"value":4622,"marks":4623,"data":4624},"But would we know if it was happening?",[],{},{"nodeType":1294,"data":4626,"content":4627},{},[4628],{"nodeType":1293,"value":4629,"marks":4630,"data":4631},"On the other hand, there is certainly the possibility that these attacks are increasingly used, but are simply not being discovered. A strong argument in favor of this view is the difficulty in investigating these attacks. Very few SaaS apps provide enough logging capability to discover these attacks as a customer. This is true even for the biggest, most mature apps like Office 365 and Google Workspace unless you are on top license tiers. This is doubly true for attacks that use OAuth, with many apps providing no insight or details into actions made using OAuth-authenticated APIs. ",[],{},{"nodeType":1294,"data":4633,"content":4634},{},[4635,4639,4648,4652,4661],{"nodeType":1293,"value":4636,"marks":4637,"data":4638},"This suggests only the SaaS providers for these apps are really in a position to discover and investigate them. 
This does ring true when you consider that ",[],{},{"nodeType":1340,"data":4640,"content":4642},{"uri":4641},"https://blog.heroku.com/april-2022-incident-review",[4643],{"nodeType":1293,"value":4644,"marks":4645,"data":4647},"Heroku",[4646],{"type":1348},{},{"nodeType":1293,"value":4649,"marks":4650,"data":4651}," relied heavily on GitHub during the investigation (and in one case even the detection) of their 2022 breaches, and the same seems true for a similar breach affecting ",[],{},{"nodeType":1340,"data":4653,"content":4655},{"uri":4654},"https://circleci.com/blog/jan-4-2023-incident-report/",[4656],{"nodeType":1293,"value":4657,"marks":4658,"data":4660},"CircleCI",[4659],{"type":1348},{},{"nodeType":1293,"value":4662,"marks":4663,"data":4664}," later that year. GitHub and CircleCI’s customers prompted the investigation after seeing strange behavior, but GitHub had access to the logs to investigate. It’s difficult to imagine that most or even many SaaS vendors have the resources or inclination to run these investigations as effectively as GitHub appears to have.",[],{},{"nodeType":1294,"data":4666,"content":4667},{},[4668,4672,4682],{"nodeType":1293,"value":4669,"marks":4670,"data":4671},"So, are these attacks happening in the real world? My best guess is it’s a little bit of column A and a little bit of column B — there are likely not so many of these attacks happening yet, and when they do, I suspect the vast majority go undetected. 
",[],{},{"nodeType":1340,"data":4673,"content":4675},{"uri":4674},"https://www.youtube.com/watch?v=j95kNwZw8YY",[4676],{"nodeType":1293,"value":4677,"marks":4678,"data":4681},"But that’s just like my opinion, man.",[4679,4680],{"type":1348},{"type":312},{},{"nodeType":1293,"value":37,"marks":4683,"data":4684},[],{},{"nodeType":1294,"data":4686,"content":4687},{},[4688],{"nodeType":1293,"value":4689,"marks":4690,"data":4691},"This is part of the reason we think enabling red teamers to try these techniques in anger is useful — this is the time-proven way to understand these risks.",[],{},{"nodeType":1470,"data":4693,"content":4694},{},[4695],{"nodeType":1293,"value":4696,"marks":4697,"data":4698},"What’s next?",[],{},{"nodeType":1294,"data":4700,"content":4701},{},[4702],{"nodeType":1293,"value":4703,"marks":4704,"data":4705},"We’ve barely scratched the surface, but perhaps there is enough here to get the discussion going. From past experience, discussion may not be enough, and it’s likely that live offensive work like penetration tests or more likely red team exercises will be required to make the risks of using these techniques real for the wider security community. ",[],{},{"nodeType":1294,"data":4707,"content":4708},{},[4709],{"nodeType":1293,"value":4710,"marks":4711,"data":4712},"After all, seeing is believing. We think some more practical examples and tools to help red  teamers use these techniques on engagements will help drive awareness forward, so we’ll be looking to build out this content.",[],{},{"nodeType":1294,"data":4714,"content":4715},{},[4716,4720,4729],{"nodeType":1293,"value":4717,"marks":4718,"data":4719},"We’ve started with pure networkless attacks that don’t touch customer networks or endpoints, but there are many useful techniques to connect the old endpoint world to the SaaS world. 
Consider stealing OAuth tokens from a thick client on an endpoint, or using a ",[],{},{"nodeType":1340,"data":4721,"content":4723},{"uri":4722},"https://github.blog/2023-07-18-security-alert-social-engineering-campaign-targets-technology-industry-employees/",[4724],{"nodeType":1293,"value":4725,"marks":4726,"data":4728},"backdoored GitHub repo to get code execution on endpoints",[4727],{"type":1348},{},{"nodeType":1293,"value":1572,"marks":4730,"data":4731},[],{},{"nodeType":1294,"data":4733,"content":4734},{},[4735,4739,4746],{"nodeType":1293,"value":4736,"marks":4737,"data":4738},"Help us all better understand how widespread these attacks are by sharing some war stories. We’d love some comments, discussions, or PRs on ",[],{},{"nodeType":1340,"data":4740,"content":4741},{"uri":4027},[4742],{"nodeType":1293,"value":4030,"marks":4743,"data":4745},[4744],{"type":1348},{},{"nodeType":1293,"value":4747,"marks":4748,"data":4749},"!",[],{},{"nodeType":1362,"data":4751,"content":4755},{"target":4752},{"sys":4753},{"id":4754,"type":1367,"linkType":1368},"2y0INxqAi594O7rCAVKhTI",[],{"nodeType":1294,"data":4757,"content":4758},{},[4759],{"nodeType":1293,"value":37,"marks":4760,"data":4761},[],{},"Let’s talk about SaaS attack techniques","Offensive security drives defensive security. 
We're sharing a collection of SaaS attack techniques to help defenders understand the threats they face.","2023-07-27T00:00:00.000Z","saas-attack-techniques",{"items":4767},[4768,4770],{"sys":4769,"name":1312},{"id":1311},{"sys":4771,"name":1308},{"id":1307},{"items":4773},[4774],{"fullName":4775,"firstName":4776,"jobTitle":4777,"profilePicture":4778},"Jacques Louw","Jacques","Co-founder / CRO",{"url":4779},"https://images.ctfassets.net/y1cdw1ablpvd/39m8bektV23lnCRcEq0G8h/2a08f6276a50744f1a4b499b273f6bb2/Push_Founders_at_Cahoots_October_28_2022_by_Doug_Coombe-21.jpg","content:blog:how-to-prevent-account-takeover-with-push.json","json","content","blog/how-to-prevent-account-takeover-with-push.json","blog/how-to-prevent-account-takeover-with-push",1776359987802]