[{"data":1,"prerenderedAt":3561},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":95,"navbar-about-highlight":155,"navbar-resource-highlight":211,"use-case-page":256,"blog/introducing-malicious-copy-paste-detection":1276},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8,59,76],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":14,"data":15,"variations":50,"lastUpdated":51,"firstPublished":52,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":54,"meta":55,"rev":58},1742213002749,"efff2a27faf4408e9f908eba4b5542fe","inductive-automation","1c6207a5f24948ab82d4a0b17f251193","published",[],{"testimonial":16,"description":43,"type":19,"link":44,"title":47,"testimonialLink":48,"image":49},{"@type":17,"id":18,"model":19,"value":20},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79","testimonial",{"query":21,"folders":22,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":26,"variations":30,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":35,"rev":42},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":27,"jobTitle":28,"quote":24,"image":29},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,1,"ST0tXQM8slWpFrmioqKHmENB2qe2",{"kind":36,"lastPreviewUrl":37,"breakpoints":38,"hasAutosaves":41},"data","",{"small":39,"medium":40},640,768,true,"3v32gocrrqz","Join the industry's top security minds as they break down the browser attack landscape.",{"url":45,"text":46},"https://pushsecurity.com/webinar/state-of-browser-security","Save Your Spot","State of Browser Attacks Series","/customer-stories/inductive-automation","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe94fca10aa7b46ac8052b7ea22de54cd",{},1776257019270,1742221533648,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2",[],{"breakpoints":56,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},320,"motto9r9yg",{"createdDate":60,"id":61,"name":62,"modelId":12,"published":13,"query":63,"data":64,"variations":69,"lastUpdated":70,"firstPublished":71,"testRatio":33,"createdBy":53,"lastUpdatedBy":72,"folders":73,"meta":74,"rev":58},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner",[],{"type":65,"url":66,"text":67,"link":68},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,"jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":36,"lastPreviewUrl":37,"breakpoints":75,"hasAutosaves":41},{"xsmall":57,"small":39,"medium":40},{"createdDate":77,"id":78,"name":79,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":80,"data":81,"variations":89,"lastUpdated":90,"firstPublished":91,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":92,"meta":93,"rev":58},1742208469288,"6763051b201f44a0838c6400c580ca67","Resource highlight",[],{"image":82,"type":83,"description":84,"link":85,"title":88},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9","resource","Learn about the latest techniques being used in the wild.",{"url":86,"text":87},"/resources/browser-attacks-report","Download now","Report: 2026 Browser Attack Techniques",{},1776255866789,1742208570400,[],{"kind":36,"lastPreviewUrl":37,"breakpoints":94,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},{"createdDate":96,"id":97,"name":98,"modelId":99,"published":13,"query":100,"data":101,"variations":145,"lastUpdated":146,"firstPublished":147,"testRatio":33,"createdBy":34,"lastUpdatedBy":148,"folders":149,"meta":150,"rev":154},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":102,"text":103,"url":37,"blocks":104,"state":141},"ewrererw","testrfesssssssssss",[105,129],{"@type":106,"@version":107,"id":108,"component":109,"responsiveStyles":119},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":110,"tag":110,"options":111,"isRSC":118},"TopBannerContent",{"text":112,"ctaText":46,"url":45,"mainText":113,"cta":116},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks",{"content":114,"fontSize":115},"\u003Cp>New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks\u003C/p>","text-base",{"content":117,"fontSize":115,"url":45},"\u003Cp>\u003Cstrong style=\"font-weight:700;\">Save Your Spot\u003C/strong>\u003C/p>\n",null,{"large":120},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"marginTop":126,"marginBottom":126,"fontSize":127,"fontWeight":128},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"id":130,"@type":106,"tagName":131,"properties":132,"responsiveStyles":136},"builder-pixel-08zrjigffq5t","img",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":137},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},"block","hidden","none",{"deviceSize":142,"location":143},"large",{"path":37,"query":144},{},{},1775137295127,1774968080803,"ax7YYfD0OCeqT1Vxxv1G4FUbqVr1",[],{"breakpoints":151,"hasLinks":6,"kind":152,"lastPreviewUrl":153,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests%2CmergePullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default","2lvuonnywj",[156,180],{"createdDate":157,"id":158,"name":159,"modelId":160,"published":13,"stageModifiedSincePublish":6,"query":161,"data":162,"variations":173,"lastUpdated":174,"firstPublished":175,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":176,"meta":177,"rev":179},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":163,"type":19,"testimonialLink":48,"testimonial":164},{},{"@type":17,"id":18,"model":19,"value":165},{"query":166,"folders":167,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":168,"variations":169,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":170,"rev":172},[],[],{"author":27,"jobTitle":28,"quote":24,"image":29},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":171,"hasAutosaves":41},{"small":39,"medium":40},"7t755zfvte3",{},1776247404986,1776247404973,[],{"breakpoints":178,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"4moh0qpywtr",{"createdDate":181,"id":182,"name":88,"modelId":160,"published":13,"meta":183,"stageModifiedSincePublish":6,"query":185,"data":186,"variations":207,"lastUpdated":208,"firstPublished":209,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":210,"rev":179},1776255761419,"05a9322735fc427db12e2740e4302300",{"breakpoints":184,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[],{"testimonial":187,"link":206,"type":83,"title":88,"description":84,"image":82},{"@type":17,"id":188,"model":19,"value":189},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":190,"folders":191,"createdDate":192,"id":188,"name":193,"modelId":25,"published":13,"data":194,"variations":200,"lastUpdated":201,"firstPublished":202,"testRatio":33,"createdBy":34,"lastUpdatedBy":53,"meta":203,"rev":205},[],[],1728981467463,"Push does for identity what CrowdStrike did for the endpoint",{"video":195,"jobTitle":196,"author":197,"qoute":37,"quote":198,"image":199},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":36,"lastPreviewUrl":37,"breakpoints":204,"hasAutosaves":41},{"small":39,"medium":40},"6s8ic0w0ao6",{"text":87,"url":86},{},1776255810913,1776255810900,[],[212,235],{"createdDate":213,"id":214,"name":88,"modelId":215,"published":13,"meta":216,"stageModifiedSincePublish":6,"query":218,"data":219,"variations":230,"lastUpdated":231,"firstPublished":232,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":233,"rev":234},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":217,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[],{"testimonial":220,"link":229,"type":83,"title":88,"description":84,"image":82},{"@type":17,"id":188,"model":19,"value":221},{"query":222,"folders":223,"createdDate":192,"id":188,"name":193,"modelId":25,"published":13,"data":224,"variations":225,"lastUpdated":201,"firstPublished":202,"testRatio":33,"createdBy":34,"lastUpdatedBy":53,"meta":226,"rev":228},[],[],{"video":195,"jobTitle":196,"author":197,"qoute":37,"quote":198,"image":199},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":227,"hasAutosaves":41},{"small":39,"medium":40},"r77qqueuo3j",{"text":87,"url":86},{},1776256937553,1776256937540,[],"q0jkez80wkg",{"createdDate":236,"id":237,"name":11,"modelId":215,"published":13,"stageModifiedSincePublish":6,"query":238,"data":239,"variations":250,"lastUpdated":251,"firstPublished":252,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":253,"meta":254,"rev":234},1776256949234,"ce043785b71b4ece98eac811ecf4ba10",[],{"link":240,"type":19,"testimonial":241,"testimonialLink":48},{},{"@type":17,"id":18,"model":19,"value":242},{"query":243,"folders":244,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":245,"variations":246,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":247,"rev":249},[],[],{"author":27,"jobTitle":28,"quote":24,"image":29},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":248,"hasAutosaves":41},{"small":39,"medium":40},"mnaneamy308",{},1776256974140,1776256974130,[],{"breakpoints":255,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[257,441,560,679,797,917,1037,1157],{"createdDate":258,"id":259,"name":260,"modelId":261,"published":13,"stageModifiedSincePublish":6,"query":262,"data":268,"variations":429,"lastUpdated":430,"firstPublished":431,"testRatio":33,"screenshot":432,"createdBy":34,"lastUpdatedBy":433,"folders":434,"meta":435,"rev":440},1744829487099,"387451215c314dd5bd654668cdc1a197","Zero-day phishing","cca4143377554c5a9163cc203a8ed2ba",[263],{"@type":264,"property":265,"operator":266,"value":267},"@builder.io/core:Query","urlPath","is","/uc/zero-day-phishing-protection",{"inputs":269,"customFonts":270,"seoTitle":318,"title":318,"tsCode":37,"seoDescription":319,"fontAwesomeIcon":320,"jsCode":37,"blocks":321,"url":267,"state":426},[],[271],{"family":272,"kind":273,"version":274,"lastModified":275,"files":276,"category":295,"menu":296,"subsets":297,"variants":300},"DM Sans","webfonts#webfont","v14","2023-07-13",{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"800italic":285,"900italic":286,"700italic":287,"100italic":288,"italic":289,"regular":290,"200italic":291,"500italic":292,"300italic":293,"600italic":294},"https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAop1hTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwA_JxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAkJxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAfJthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwARZthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAC5thTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8gCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9uCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDG3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-7DW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat_XDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9XCm3zRmYJpso5.ttf","sans-serif","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxRT23z.ttf",[298,299],"latin","latin-ext",[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"100","200","300","regular","500","600","800","900","100italic","200italic","300italic","italic","500italic","600italic","700italic","800italic","900italic","Zero-day phishing protection","Detect phishing TTPs directly in the browser and stop credential theft.","faFishingRod",[322,421],{"@type":106,"@version":107,"tagName":323,"id":324,"children":325},"div","builder-76c6b8d1499346c7bc1fd56ae4e93638",[326,343,351,358,370,385,396,407,413],{"@type":106,"@version":107,"layerName":327,"id":328,"component":329,"responsiveStyles":340},"UseCaseHero","builder-5228fe062bef4a40a91e43f1112832fa",{"name":327,"options":330,"isRSC":118},{"title":318,"description":331,"points":332,"video":339},"\u003Cp>Push detects phishing as it happens. Autonomous agents hunt for new phishing techniques, identify kit signatures, and deploy detections within minutes of a new attack being analyzed. From cloned login pages to AiTM credential harvesting, Push sees what traditional filters miss and stops threats before they escalate.\u003C/p>",[333,335,337],{"item":334},"Detect phishing that bypasses traditional filters, including AiTM, SSO password theft, and fake login pages",{"item":336},"Stop never-before-seen attacks with AI-native behavioral and on-page analysis inside the browser",{"item":338},"Investigate faster with unified browser, user, and page context","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F40433ceeb4f94b43a82e039a0f4fd411%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=40433ceeb4f94b43a82e039a0f4fd411&alt=media&optimized=true",{"large":341},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},"transparent",{"@type":106,"@version":107,"id":344,"component":345,"responsiveStyles":348},"builder-96634044407e491299e291ed64669e39",{"name":346,"options":347,"isRSC":118},"TrustedBy",{"AllPartners":41,"backgroundTransparent":6},{"large":349},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},"#000",{"@type":106,"@version":107,"id":352,"component":353,"responsiveStyles":356},"builder-2c3768f930534557bb8978e32b6a6a0f",{"name":354,"options":355,"isRSC":118},"Diagonal",{"darkMode":41},{"large":357},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":359,"id":360,"component":361,"responsiveStyles":368},"TextImageBlockVertical","builder-7c3c1c2840424db2ad2ccbfaf382dd64",{"name":359,"tag":359,"options":362,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":365,"description":366,"animatedTitle":37,"image":367,"reverse":6,"descriptionPaddingHorizontal":118},1200,800,"\u003Ch2>Why stop at the inbox?\u003C/h2>","\u003Cp>Phishing attacks have evolved. Whether attackers lure users with QR codes, instant messages, or OAuth consent screens, the outcome is the same: it plays out in the browser. Push gives you real-time detection for in-browser threats, stopping phishing and consent-based attacks before they lead to compromise\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7fdcac241f0e4a049166d7076858adeb",{"large":369},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":371,"component":372,"responsiveStyles":380},"builder-41c978b3669749cf947e622b4e79e4d7",{"name":373,"options":374,"isRSC":118},"TextImageBlockHorizontal",{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":377,"description":378,"reverse":41,"image":379},600,100,"\u003Cp>Detect phishing at the edge\u003C/p>","\u003Cp>Push uses industry-first telemetry to detect phishing based on behavior, not static indicators. Autonomous agents analyze how phishing pages behave and how users interact with them, uncovering fake logins, credential theft, and phishing kits the moment they load in the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F9df3d180c97b4e61af142af2ccd68721",{"large":381},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},"DM Sans, sans-serif","20px","0px",{"@type":106,"@version":107,"id":386,"component":387,"responsiveStyles":393},"builder-d2a7bc941feb43cdb898bc116b203cf9",{"name":373,"options":388,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":390,"description":391,"reverse":6,"image":392},120,"\u003Ch2>Go beyond blocklists and IOCs\u003C/h2>","\u003Cp>Push goes beyond URLs and easy-to-change indicators. It reads the full phishing playbook like script behavior, session hijacks, DOM changes, user inputs, then connects the dots in real time. This gives your team a complete picture of how the phishing attempt worked, not just an alert.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fabfd58db169b433e96d3f1261797156e",{"large":394},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},"36px",{"@type":106,"@version":107,"layerName":373,"id":397,"component":398,"responsiveStyles":404},"builder-42c32198083f4880acb37c5cb76934da",{"name":373,"options":399,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":401,"description":402,"reverse":41,"image":403},140,"\u003Ch2>Enhance your phishing response\u003C/h2>","\u003Cp>When phishing enters your environment, speed matters. Push gives you instant access to the telemetry that counts like session data, user behavior, and page activity, so you can investigate fast, trigger in-browser prompts, or forward alerts to your SIEM or SOAR for response. All in real time, right from the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fbb195aec46904056b85e8688629e558e",{"large":405},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},"47px",{"@type":106,"@version":107,"id":408,"component":409,"responsiveStyles":411},"builder-9a95b9cbc4854421a92ef7b90f6c7adb",{"name":354,"options":410,"isRSC":118},{"darkMode":6},{"large":412},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":414,"component":415,"responsiveStyles":419},"builder-0afa17a9f25c4661a90f314d5578aa18",{"name":416,"tag":416,"options":417,"isRSC":118},"LatestResources",{"sectionHeading":37,"customClass":418},"bg-black",{"large":420},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":422,"@type":106,"tagName":131,"properties":423,"responsiveStyles":424},"builder-pixel-21yj6h3p4wh",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":425},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":427},{"path":37,"query":428},{},{},1776275046831,1745499158657,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fff60c30a8442489c8ed7e0af9599d14f","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"lastPreviewUrl":436,"winningTest":118,"breakpoints":437,"kind":438,"hasLinks":6,"originalContentId":439,"hasAutosaves":6},"https://pushsecurity.com/uc/zero-day-phishing-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=387451215c314dd5bd654668cdc1a197&builder.overrides.387451215c314dd5bd654668cdc1a197=387451215c314dd5bd654668cdc1a197&builder.overrides.use-case-page:/uc/zero-day-phishing-protection=387451215c314dd5bd654668cdc1a197&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},"page","2daa5670b8504fc7ba4700633e8bd921","atvz4dp24b7",{"createdDate":442,"id":443,"name":444,"modelId":261,"published":13,"stageModifiedSincePublish":6,"query":445,"data":448,"variations":552,"lastUpdated":553,"firstPublished":554,"testRatio":33,"screenshot":555,"createdBy":34,"lastUpdatedBy":433,"folders":556,"meta":557,"rev":440},1756833377777,"54f8256648f54d439303734b1e69221b","Browser extension security",[446],{"@type":264,"property":265,"operator":266,"value":447},"/uc/browser-extension-security",{"seoDescription":449,"jsCode":37,"fontAwesomeIcon":450,"tsCode":37,"title":444,"seoTitle":444,"customFonts":451,"inputs":456,"blocks":457,"url":447,"state":549},"Shine a light on risky browser extensions.","faPuzzlePiece",[452],{"kind":273,"family":272,"version":274,"files":453,"category":295,"lastModified":275,"subsets":454,"variants":455,"menu":296},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"100italic":288,"italic":289,"regular":290,"900italic":286,"800italic":285,"700italic":287,"200italic":291,"300italic":293,"500italic":292,"600italic":294},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],[],[458,544],{"@type":106,"@version":107,"tagName":323,"id":459,"meta":460,"children":461},"builder-71d0648c1d2f4ede8d0d0b5b28b7b94c",{"previousId":324},[462,478,485,492,501,511,521,531,538],{"@type":106,"@version":107,"id":463,"meta":464,"component":465,"responsiveStyles":476},"builder-ff325b4b8fad4edea53f38865947e854",{"previousId":328},{"name":327,"options":466,"isRSC":118},{"title":444,"description":467,"points":468,"video":475},"\u003Cp>Browser extensions introduce new code, new permissions, and new potential for risk. Many include AI features, and most go completely unnoticed. Push gives you full visibility into every extension used across your workforce, across major browsers, so you can uncover shadow IT, assess risky permissions, and block unsafe tools before they lead to compromise.\u003C/p>",[469,471,473],{"item":470},"Discover every browser extension in use",{"item":472},"Spot risky or unsanctioned behavior",{"item":474},"Make informed decisions on extension policy","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc538aad95d7f403aa3c3551af72f67c0?alt=media&token=1411fa6d-2eac-4e6c-94bf-ea117da12d67&apiKey=f3a1111ff5be48cdbb123cd9f5795a05",{"large":477},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":479,"meta":480,"component":481,"responsiveStyles":483},"builder-fb89d128c64e47cf9cbb11d90fc24523",{"previousId":344},{"name":346,"options":482,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":484},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":486,"meta":487,"component":488,"responsiveStyles":490},"builder-54388d35126c4d0096eeebaf8c4448cd",{"previousId":352},{"name":354,"options":489,"isRSC":118},{"darkMode":41},{"large":491},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":359,"id":493,"component":494,"responsiveStyles":499},"builder-3c8fa6785dd6466abf52a2470d66d85a",{"name":359,"tag":359,"options":495,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":496,"description":497,"image":498,"reverse":6},"\u003Ch2>Take control of browser extensions\u003C/h2>","\u003Cp>Attackers are increasingly using malicious browser extensions to gain access to data processed and stored in the browser. And the problem is, most security teams have no visibility into what extensions are being used. Push changes that. With browser-native telemetry, the Push extension continuously inventories browser extensions across your environment, flags the risky ones, and gives you intelligence to act. \u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0a004f16a6874f4c8fdf14344acc9fec",{"large":500},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":502,"meta":503,"component":504,"responsiveStyles":509},"builder-93738f98109a4009affb349afd7bb182",{"previousId":371},{"name":373,"options":505,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":506,"description":507,"reverse":41,"image":508},"\u003Ch2>Discover every extension in use\u003C/h2>","\u003Cp>Push gives you structured, searchable data about every extension in your environment, so you’re not just seeing what’s there, but also understanding how it got there, what it can do, and who it affects. It’s the kind of granular insight that’s nearly impossible to get from traditional tools, and it lays the groundwork for better policy decisions and faster investigations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0e5727ca99474f14b1b7916bf6bbb782",{"large":510},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":512,"meta":513,"component":514,"responsiveStyles":519},"builder-83393acb12ee4fdd840839185b51edb4",{"previousId":386},{"name":373,"options":515,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":516,"description":517,"reverse":6,"image":518},"\u003Ch2>Spot risky or malicious extensions\u003C/h2>","\u003Cp>Push highlights extensions with dangerous permissions, broad access, or poor reputations. This includes AI extensions that request access far beyond what their stated purpose requires. You can quickly detect sideloaded, manually installed, or development-mode extensions that bypass normal controls. And because Push shows you who’s using them and where, you can respond precisely and effectively.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa104d58c8da34fbb8901f738fb21453b",{"large":520},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":522,"meta":523,"component":524,"responsiveStyles":529},"builder-da98e3de949646d89c53a0d1c2784664",{"previousId":397},{"name":373,"options":525,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":526,"description":527,"reverse":41,"image":528},"\u003Ch2>Accelerate security reviews\u003C/h2>","\u003Cp>Most teams have extension policies, they just don’t have the data to enforce them. Push reveals how each extension entered your environment, whether it was installed manually, sideloaded, or deployed in dev mode. You’ll see which users are running what, and where, so you can surface violations, investigate quickly, and respond with confidence.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F229f355be6f243b180f410d237a75bb3",{"large":530},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":532,"meta":533,"component":534,"responsiveStyles":536},"builder-1a689287d1a1418997d57db578a71105",{"previousId":408},{"name":354,"options":535,"isRSC":118},{"darkMode":6},{"large":537},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":539,"component":540,"responsiveStyles":542},"builder-feb4e75029f84c10b6498ef1f8f79128",{"name":416,"tag":416,"options":541,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":543},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":545,"@type":106,"tagName":131,"properties":546,"responsiveStyles":547},"builder-pixel-0edn39avfcei",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":548},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":550},{"path":37,"query":551},{},{},1776275365038,1757000441666,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8d496cf111644ee5afcc046b72d1ca5a",[],{"kind":438,"winningTest":118,"breakpoints":558,"lastPreviewUrl":559,"hasLinks":6,"originalContentId":259,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/browser-extension-security?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=54f8256648f54d439303734b1e69221b&builder.overrides.54f8256648f54d439303734b1e69221b=54f8256648f54d439303734b1e69221b&builder.overrides.use-case-page:/uc/browser-extension-security=54f8256648f54d439303734b1e69221b&builder.options.locale=Default",{"createdDate":561,"id":562,"name":563,"modelId":261,"published":13,"query":564,"data":567,"variations":670,"lastUpdated":671,"firstPublished":672,"testRatio":33,"screenshot":673,"createdBy":34,"lastUpdatedBy":674,"folders":675,"meta":676,"rev":440},1744923509705,"94bebb7bb99d48629ad157e80cf4d81d","Account takeover detection",[565],{"@type":264,"property":265,"operator":266,"value":566},"/uc/account-takeover-detection",{"title":563,"customFonts":568,"jsCode":37,"seoTitle":563,"seoDescription":573,"fontAwesomeIcon":574,"tsCode":37,"blocks":575,"url":566,"state":667},[569],{"kind":273,"category":295,"variants":570,"menu":296,"files":571,"family":272,"subsets":572,"version":274,"lastModified":275},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"300italic":293,"500italic":292,"800italic":285,"700italic":287,"italic":289,"900italic":286,"600italic":294,"200italic":291,"regular":290,"100italic":288},[298,299],"Stop ATO with stolen credential and compromised token detection.","faUserSecret",[576,662],{"@type":106,"@version":107,"tagName":323,"id":577,"meta":578,"children":579},"builder-e7913a774cae44c5a23d6081c5c30a52",{"previousId":324},[580,596,603,610,619,629,639,649,656],{"@type":106,"@version":107,"id":581,"meta":582,"component":583,"responsiveStyles":594},"builder-f1f1ab1601bc4c0f8c2a8aafd173675d",{"previousId":328},{"name":327,"options":584,"isRSC":118},{"title":563,"description":585,"points":586,"video":593},"\u003Cp>Attackers don’t need to phish, they just need a password that works. Push monitors for signs of credential-based attacks in real time, directly in the browser, catching account takeover attempts before the damage spreads. From ghost logins to credential stuffing, Push cuts off the paths attackers use to quietly slip in the back door.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[587,589,591],{"item":588},"Identify credential-based ATO as it unfolds",{"item":590},"Surface hijacked sessions and token misuse",{"item":592},"Strengthen authentication where your IdP can’t","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb4dd9db24bc9495b8a686b1b4d492016%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=b4dd9db24bc9495b8a686b1b4d492016&alt=media&optimized=true",{"large":595},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":597,"meta":598,"component":599,"responsiveStyles":601},"builder-0bc0d1c78ece4994993c3a6427a4d533",{"previousId":344},{"name":346,"options":600,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":602},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":604,"meta":605,"component":606,"responsiveStyles":608},"builder-e45de8f3768c4f16938dbf78e4e87524",{"previousId":352},{"name":354,"options":607,"isRSC":118},{"darkMode":41},{"large":609},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":611,"component":612,"responsiveStyles":617},"builder-c98e8bfd341146c1b67c02d5698ff093",{"name":359,"tag":359,"options":613,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":614,"description":615,"image":616,"reverse":6},"\u003Ch2>Assume less. See more.\u003C/h2>","\u003Cp>Most account takeovers don’t start with a breach, they start with a login. Whether it’s a reused password, a local account, or an outdated login flow, Push shows you how accounts are actually accessed day to day, not just how policies say they should be. That means no more blind spots around ghost logins, bypassed SSO, or stale access paths that quietly persist.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F18630ad2746d4eb7b7fcc0428b11a8f0",{"large":618},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":620,"meta":621,"component":622,"responsiveStyles":627},"builder-55c1fc38ddc04fd1a0d6a8e2fb819e00",{"previousId":371},{"name":373,"options":623,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":624,"description":625,"reverse":41,"image":626},"\u003Ch2>Catch stolen credential use in real time\u003C/h2>","\u003Cp>Push monitors login activity directly in the browser to detect signs of credential-based attacks like leaked password use or suspicious login flows. By analyzing attacker TTPs instead of relying on known indicators, Push spots credential stuffing and account takeover attempts the moment they begin, not after they’ve succeeded.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F52b0123cac2c4dfdb1dc0af6adf9d603",{"large":628},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":630,"meta":631,"component":632,"responsiveStyles":637},"builder-dfb31737b30948c6b95323655d571a50",{"previousId":386},{"name":373,"options":633,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":634,"description":635,"reverse":6,"image":636},"\u003Ch2>Detect session hijacks and stealth access\u003C/h2>","\u003Cp>Attackers don’t always need a login screen, they often sidestep it entirely using stolen session tokens. Push detects when valid sessions are reused in unexpected ways, identifying hijacked sessions and stealth access attempts that traditional tools miss. Because we monitor directly in the browser, you see what’s happening inside active sessions in real time.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F94a6859a99e04d309ffe5841f3dbdf5c",{"large":638},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":640,"meta":641,"component":642,"responsiveStyles":647},"builder-f7585b90eb974d03a7dc7eae5b58d227",{"previousId":397},{"name":373,"options":643,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":644,"description":645,"reverse":41,"image":646},"\u003Ch2>Harden accounts before they’re compromised\u003C/h2>","\u003Cp>Push goes beyond alerts. It identifies apps that still allow local logins, even when SSO is configured, so you can remove weak access paths. Push also flags users without MFA, reused work credentials, or weak passwords, and prompts users in-browser to fix risky behaviors before they’re exploited.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01c1b638f1b6497093a4f2b8ceddb5bb",{"large":648},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":650,"meta":651,"component":652,"responsiveStyles":654},"builder-ad81d1e3afec49a791214194eae09bdc",{"previousId":408},{"name":354,"options":653,"isRSC":118},{"darkMode":6},{"large":655},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":657,"component":658,"responsiveStyles":660},"builder-8dac1aa4b9d148628d92252bd8eff822",{"name":416,"tag":416,"options":659,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":661},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":663,"@type":106,"tagName":131,"properties":664,"responsiveStyles":665},"builder-pixel-s5u3wmvz7jq",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":666},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":668},{"path":37,"query":669},{},{},1770892814499,1745499162732,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F58b660fa94aa4b30b0faeb9b663ae41a","SfUPqW5tkibIPby49keNFMdHFTr1",[],{"lastPreviewUrl":677,"hasLinks":6,"originalContentId":259,"breakpoints":678,"winningTest":118,"kind":438,"hasAutosaves":41},"https://pushsecurity.com/uc/account-takeover-detection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.94bebb7bb99d48629ad157e80cf4d81d=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.use-case-page:/uc/account-takeover-detection=94bebb7bb99d48629ad157e80cf4d81d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":680,"id":681,"name":682,"modelId":261,"published":13,"query":683,"data":686,"variations":789,"lastUpdated":790,"firstPublished":791,"testRatio":33,"screenshot":792,"createdBy":34,"lastUpdatedBy":674,"folders":793,"meta":794,"rev":440},1745009370904,"23eb48fb56d3451cab77cb6ed140ee6d","Attack path hardening",[684],{"@type":264,"property":265,"operator":266,"value":685},"/uc/attack-path-hardening",{"tsCode":37,"seoDescription":687,"jsCode":37,"customFonts":688,"fontAwesomeIcon":693,"seoTitle":682,"title":682,"blocks":694,"url":685,"state":786},"Harden access paths with visibility,  detection, and guardrails.",[689],{"kind":273,"files":690,"version":274,"lastModified":275,"subsets":691,"menu":296,"category":295,"variants":692,"family":272},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"regular":290,"italic":289,"800italic":285,"500italic":292,"600italic":294,"200italic":291,"900italic":286,"700italic":287,"100italic":288,"300italic":293},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"faRadar",[695,781],{"@type":106,"@version":107,"tagName":323,"id":696,"meta":697,"children":698},"builder-1d8553eddcaa44d7bba9e2f4ca13af2a",{"previousId":577},[699,715,722,729,738,748,758,768,775],{"@type":106,"@version":107,"id":700,"meta":701,"component":702,"responsiveStyles":713},"builder-84fe3d7c85a743cf8cef649aa974f1ef",{"previousId":581},{"name":327,"options":703,"isRSC":118},{"title":682,"description":704,"points":705,"video":712},"\u003Cp>Push continuously monitors your environment for exposed login paths, weak credentials, and missing protections like MFA. It detects the gaps attackers exploit and helps you close them before they’re used.\u003C/p>",[706,708,710],{"item":707},"Find weak spots like reused passwords, local logins, and missing MFA",{"item":709},"Monitor how users actually log in across apps, flows, and tools",{"item":711},"Enforce secure access with in-browser guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fdbdcf52892034f1bbddded77f753a343%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=dbdcf52892034f1bbddded77f753a343&alt=media&optimized=true",{"large":714},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":716,"meta":717,"component":718,"responsiveStyles":720},"builder-b3f66f5b08054cc78a06fecfc3ae2337",{"previousId":597},{"name":346,"options":719,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":721},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":723,"meta":724,"component":725,"responsiveStyles":727},"builder-4c73418b84be49ed85e6e13d2625c5a0",{"previousId":604},{"name":354,"options":726,"isRSC":118},{"darkMode":41},{"large":728},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":730,"component":731,"responsiveStyles":736},"builder-dec0246085e1485c803f7152b1922a81",{"name":359,"tag":359,"options":732,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":733,"description":734,"image":735,"reverse":6},"\u003Ch2>Find the gaps that lead to compromise\u003C/h2>","\u003Cp>Misconfigurations don’t show up in your config files, they show up in how users actually access apps. Push monitors real login behavior in the browser, surfacing risky patterns like local login access, duplicate accounts, or missing protections that leave doors wide open.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F309a59bba8d247a19476bb369397460e",{"large":737},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":739,"meta":740,"component":741,"responsiveStyles":746},"builder-ebf049a645604a249550996a88f8f3b6",{"previousId":620},{"name":373,"options":742,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":743,"description":744,"reverse":41,"image":745},"\u003Ch2>See real login behavior\u003C/h2>","\u003Cp>Push watches authentication flows as they happen, giving you a live view of how users log in, which methods they choose, and where protections like MFA are missing. Plus, uncover every app and account in use, even shadow IT you didn’t know existed, without relying on stale config files or IdP assumptions. \u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb51f6b0357cc451b87a7a5016d984e5e",{"large":747},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":749,"meta":750,"component":751,"responsiveStyles":756},"builder-431d175c59004669b0b2776b07d71737",{"previousId":630},{"name":373,"options":752,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":753,"description":754,"reverse":6,"image":755},"\u003Ch2>Find and fix posture drift\u003C/h2>","\u003Cp>Security posture isn’t static. Push continuously monitors for issues like missing MFA or legacy login methods. When something falls out of policy, you know immediately with custom notifications so you can act before it turns into risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F324e39127dfc41e592b1183dfb39892d",{"large":757},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":759,"meta":760,"component":761,"responsiveStyles":766},"builder-3dffdcbe0a484e2ca4c03f019b6d40ee",{"previousId":640},{"name":373,"options":762,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":763,"description":764,"reverse":41,"image":765},"\u003Ch2>Guide users with in-browser guardrails\u003C/h2>","\u003Cp>Push doesn’t just surface problems, it helps you fix them. When users sign in without MFA, reuse a password, or use insecure credentials, Push prompts them directly in the browser to secure their access. It’s faster, more effective, and actually gets results.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fee8b75d13e45488aba55434a8b49ebb0",{"large":767},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":769,"meta":770,"component":771,"responsiveStyles":773},"builder-976bc222cd7647ff905f1e01cfedc453",{"previousId":650},{"name":354,"options":772,"isRSC":118},{"darkMode":6},{"large":774},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":776,"component":777,"responsiveStyles":779},"builder-8c47ec2fd0f74382bb3e6c870555632c",{"name":416,"tag":416,"options":778,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":780},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":782,"@type":106,"tagName":131,"properties":783,"responsiveStyles":784},"builder-pixel-7akm7dayau8",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":785},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":787},{"path":37,"query":788},{},{},1770892844854,1745499166112,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6ca12bf728a045f1a31d40c0beb3bfe5",[],{"kind":438,"lastPreviewUrl":795,"breakpoints":796,"hasLinks":6,"originalContentId":562,"winningTest":118,"hasAutosaves":6},"https://pushsecurity.com/uc/attack-path-hardening?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.23eb48fb56d3451cab77cb6ed140ee6d=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.use-case-page:/uc/attack-path-hardening=23eb48fb56d3451cab77cb6ed140ee6d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":798,"id":799,"name":800,"modelId":261,"published":13,"query":801,"data":804,"variations":909,"lastUpdated":910,"firstPublished":911,"testRatio":33,"screenshot":912,"createdBy":34,"lastUpdatedBy":674,"folders":913,"meta":914,"rev":440},1761675020232,"ea4f309d2ffe46c5aa97ebf0fda4e2e3","ClickFix Protection",[802],{"@type":264,"property":265,"operator":266,"value":803},"/uc/clickfix-protection",{"seoDescription":805,"fontAwesomeIcon":806,"customFonts":807,"seoTitle":812,"jsCode":37,"tsCode":37,"title":812,"blocks":813,"url":803,"state":906},"Block attacks that trick users into running malicious code.","faLaptopCode",[808],{"files":809,"subsets":810,"menu":296,"version":274,"kind":273,"family":272,"lastModified":275,"variants":811,"category":295},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"200italic":291,"800italic":285,"700italic":287,"600italic":294,"100italic":288,"italic":289,"regular":290,"300italic":293,"500italic":292,"900italic":286},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"ClickFix protection",[814,901],{"@type":106,"@version":107,"tagName":323,"id":815,"meta":816,"children":817},"builder-d7eefdde0f2a4b2b9de3dcb2978fd6cb",{"previousId":696},[818,834,841,848,858,868,878,888,895],{"@type":106,"@version":107,"id":819,"meta":820,"component":821,"responsiveStyles":832},"builder-56e2c54bcce040a4af8b92ae03706c12",{"previousId":700},{"name":327,"options":822,"isRSC":118},{"title":812,"description":823,"points":824,"image":831},"\u003Cp>ClickFix attacks are one of the fastest-growing threats, tricking users into copying malicious code from a webpage and running it locally. This technique bypasses traditional EDR, email gateways, and network filters, leading directly to ransomware and data theft. Push stops this attack at the source, in the browser, by detecting and blocking the malicious behavior before the user can ever paste the code.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[825,827,829],{"item":826},"Detect ClickFix, FileFix, and fake CAPTCHA in the browser",{"item":828},"Block malicious copy-and-paste actions before code is executed",{"item":830},"See full telemetry into which users were targeted and what they saw","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b74af62889847ebb3927364485b0546",{"large":833},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":835,"meta":836,"component":837,"responsiveStyles":839},"builder-05f9614d4e3e4dc88b3ee8658f54e10e",{"previousId":716},{"name":346,"options":838,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":840},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":842,"meta":843,"component":844,"responsiveStyles":846},"builder-c4fb5179366243c1b6c32d368675cf47",{"previousId":723},{"name":354,"options":845,"isRSC":118},{"darkMode":41},{"large":847},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":849,"meta":850,"component":851,"responsiveStyles":856},"builder-261af50705fd445d8cca4a6ba20d5391",{"previousId":730},{"name":359,"tag":359,"options":852,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":853,"description":854,"reverse":6,"image":855},"\u003Ch2>Stop ClickFix-style attacks before they become a breach\u003C/h2>","\u003Cp>Traditional security tools are blind to malicious copy and paste attacks because the attack exploits a gap between the browser and the endpoint. EDR only sees the payload after it runs, and network tools see only part of the picture.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F98b2f7e08dec4eafaf8e24937605b8cf",{"large":857},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":859,"meta":860,"component":861,"responsiveStyles":866},"builder-7d21b8aab8064c40b1e5dd23c4749309",{"previousId":739},{"name":373,"options":862,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":863,"description":864,"reverse":41,"image":865},"\u003Ch2>Discover lures at the source\u003C/h2>","\u003Cp>Push inspects page behavior to identify ClickFix attacks as they happen. By inspecting the page, its structure, and how the user interacts with it, Push can detect and block these in-browser threats in real time. This deep, TTP-based inspection spots the trap even on novel pages that are built to bypass traditional web filters and blocklists.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F665bf47e01544c75bf9ddafd3917927b",{"large":867},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":869,"meta":870,"component":871,"responsiveStyles":876},"builder-fb91943adf6149259ed9e1e6566c9afe",{"previousId":749},{"name":373,"options":872,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":873,"description":874,"reverse":6,"image":875},"\u003Ch2>Block the malicious action\u003C/h2>","\u003Cp>When Push detects a malicious script, it intercepts the user's action and blocks the code from being copied to the clipboard. The user is protected, the attack is stopped, and no malicious code ever reaches the endpoint. Unlike broad DLP tools, this action is surgical, targeting only malicious behavior without disrupting normal work.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F5ee68f81f1ac416685cbfe91298cf827",{"large":877},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":879,"meta":880,"component":881,"responsiveStyles":886},"builder-bfac95fada864e5a8259b955b5b5f98b",{"previousId":759},{"name":373,"options":882,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":883,"description":884,"reverse":41,"image":885},"\u003Ch2>Accelerate ClickFix investigations\u003C/h2>","\u003Cp>When an attack happens, knowing what the user saw or did is critical. Push provides rich browser session data for rapid investigation and containment. Security teams get detailed telemetry on which users were targeted, what lure they were served, and when the block occurred. This enables defenders to reconstruct what happened and respond quickly, even when other tools miss the activity entirely.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6cdf2a8aeddc4e9a9023cbf974e40239",{"large":887},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":889,"meta":890,"component":891,"responsiveStyles":893},"builder-136892e831684a6987f87d3be67c33d1",{"previousId":769},{"name":354,"options":892,"isRSC":118},{"darkMode":6},{"large":894},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":896,"component":897,"responsiveStyles":899},"builder-dec26b739f2f42beb5a73cfc6c675b60",{"name":416,"tag":416,"options":898,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":900},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":902,"@type":106,"tagName":131,"properties":903,"responsiveStyles":904},"builder-pixel-zzjpxxgrc2l",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":905},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":907},{"path":37,"query":908},{},{},1770892881888,1761847585203,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F375467b8bef34ed1a8a1cc5b8b67d75f",[],{"lastPreviewUrl":915,"originalContentId":681,"winningTest":118,"hasLinks":6,"kind":438,"breakpoints":916,"hasAutosaves":6},"https://pushsecurity.com/uc/clickfix-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.ea4f309d2ffe46c5aa97ebf0fda4e2e3=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.use-case-page:/uc/clickfix-protection=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":918,"id":919,"name":920,"modelId":261,"published":13,"query":921,"data":924,"variations":1029,"lastUpdated":1030,"firstPublished":1031,"testRatio":33,"screenshot":1032,"createdBy":34,"lastUpdatedBy":674,"folders":1033,"meta":1034,"rev":440},1745009743870,"a9d5556e77f84a37b5bd52310a7110c1","Incident response",[922],{"@type":264,"property":265,"operator":266,"value":923},"/uc/incident-response",{"seoDescription":925,"customFonts":926,"title":920,"jsCode":37,"fontAwesomeIcon":931,"seoTitle":932,"tsCode":37,"blocks":933,"url":923,"state":1026},"Investigate and respond faster with unique browser telemetry.",[927],{"kind":273,"subsets":928,"menu":296,"variants":929,"category":295,"family":272,"version":274,"lastModified":275,"files":930},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"900italic":286,"600italic":294,"200italic":291,"300italic":293,"100italic":288,"700italic":287,"800italic":285,"regular":290,"italic":289,"500italic":292},"faSatelliteDish","Browser based incident response",[934,1021],{"@type":106,"@version":107,"tagName":323,"id":935,"meta":936,"children":937},"builder-653c4aed737b4def88dc4cd2d695660a",{"previousId":696},[938,955,962,969,978,988,998,1008,1015],{"@type":106,"@version":107,"id":939,"meta":940,"component":941,"responsiveStyles":953},"builder-18190bd36518467d9154d27d7e945b9b",{"previousId":700},{"name":327,"options":942,"isRSC":118},{"title":943,"description":944,"points":945,"video":952},"Browser-based incident response","\u003Cp>Push gives you real-time visibility into what actually happened during a breach, right in the browser where the attack played out. From credential theft to session hijacking, Push captures high-fidelity telemetry so you can investigate quickly, contain confidently, and shut it down before it spreads.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[946,948,950],{"item":947},"Reconstruct what happened with real browser session context",{"item":949},"Investigate faster with real-world session context",{"item":951},"Trigger response actions automatically through your SIEM or SOAR","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fd00e39d3b6e346c296261d875cf55652%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=d00e39d3b6e346c296261d875cf55652&alt=media&optimized=true",{"large":954},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":956,"meta":957,"component":958,"responsiveStyles":960},"builder-8a0a8ea63f5d48dd8a6726f2d49cf0ca",{"previousId":716},{"name":346,"options":959,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":961},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":963,"meta":964,"component":965,"responsiveStyles":967},"builder-2df65c3f54334df2b26e7cb744886cdc",{"previousId":723},{"name":354,"options":966,"isRSC":118},{"darkMode":41},{"large":968},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":970,"component":971,"responsiveStyles":976},"builder-2c32c869efc2423ab69ef06b150e9f97",{"name":359,"tag":359,"options":972,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":973,"description":974,"image":975,"reverse":6},"\u003Ch2>See attacks unfold, not just their aftermath\u003C/h2>","\u003Cp>Attacks happen in the browser, not in logs. Push captures what traditional tools miss: what users clicked, what loaded, what was entered, and how attackers moved. That gives you real-world evidence, not just assumptions, when every second matters.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F36fc719bd1de4a38b916f4d25c81a26d",{"large":977},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":979,"meta":980,"component":981,"responsiveStyles":986},"builder-370e53c6016e432db01e9193a2ce90f6",{"previousId":739},{"name":373,"options":982,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":983,"description":984,"reverse":41,"image":985},"\u003Ch2>Investigate faster with high-fidelity data\u003C/h2>","\u003Cp>Reconstructing an incident shouldn’t feel like guesswork. Push records detailed telemetry from inside the browser: page loads, credential inputs, DOM changes, session activity, user behavior. It’s structured, exportable, and ready to plug into your investigation workflows, so you can move fast without digging through proxy logs or relying on user reports.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa6adda040e684e67a8d68a55c5ce5f6d",{"large":987},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":989,"meta":990,"component":991,"responsiveStyles":996},"builder-a7f3767a8d184bd08fb24520bf210e95",{"previousId":749},{"name":373,"options":992,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":993,"description":994,"reverse":6,"image":995},"\u003Ch2>Contain and respond in real time\u003C/h2>","\u003Cp>When something looks off, Push doesn’t just alert you, it gives you options. Guide users with in-browser prompts. Terminate sessions. Trigger SOAR workflows. Enrich SIEM alerts. Push gives you the context and control to stop spread before it starts.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb3dedeed5aba4847a2c2d22e10d0ec12",{"large":997},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":999,"meta":1000,"component":1001,"responsiveStyles":1006},"builder-b92036ee0ece4b32acdbdcc7c377366b",{"previousId":759},{"name":373,"options":1002,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1003,"description":1004,"reverse":41,"image":1005},"\u003Ch2>Prevent the next one\u003C/h2>","\u003Cp>Push helps you respond fast, but it also helps you fix what went wrong. It surfaces misconfigurations and risky behaviors that made the attack possible in the first place, then guides users in-browser to remediate. One tool. Full loop. No loose ends.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc1ecc2d5d3814b62b072fac01827ff96",{"large":1007},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1009,"meta":1010,"component":1011,"responsiveStyles":1013},"builder-5e8ae39655274de89da32ab573a2525a",{"previousId":769},{"name":354,"options":1012,"isRSC":118},{"darkMode":6},{"large":1014},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1016,"component":1017,"responsiveStyles":1019},"builder-dfd6850cfb4741d2b8a0c16c2780f00a",{"name":416,"tag":416,"options":1018,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1020},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1022,"@type":106,"tagName":131,"properties":1023,"responsiveStyles":1024},"builder-pixel-z197gdgcmu",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":1025},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1027},{"path":37,"query":1028},{},{},1770892908052,1745427419274,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb07017bfd318431690a5bb35bda35b99",[],{"kind":438,"breakpoints":1035,"originalContentId":681,"winningTest":118,"lastPreviewUrl":1036,"hasLinks":6,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/incident-response?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.a9d5556e77f84a37b5bd52310a7110c1=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.use-case-page:/uc/incident-response=a9d5556e77f84a37b5bd52310a7110c1&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"createdDate":1038,"id":1039,"name":1040,"modelId":261,"published":13,"query":1041,"data":1044,"variations":1149,"lastUpdated":1150,"firstPublished":1151,"testRatio":33,"screenshot":1152,"createdBy":34,"lastUpdatedBy":674,"folders":1153,"meta":1154,"rev":440},1746122471259,"5f118e24433d46ceb79f5099987156d7","Shadow SaaS",[1042],{"@type":264,"property":265,"operator":266,"value":1043},"/uc/shadow-saas",{"seoTitle":1045,"seoDescription":1046,"customFonts":1047,"fontAwesomeIcon":1052,"title":1053,"jsCode":37,"tsCode":37,"blocks":1054,"url":1043,"state":1146},"Find and secure shadow SaaS","See and control shadow SaaS in the browser.",[1048],{"kind":273,"variants":1049,"files":1050,"family":272,"version":274,"subsets":1051,"lastModified":275,"category":295,"menu":296},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"300italic":293,"500italic":292,"regular":290,"900italic":286,"italic":289,"100italic":288,"200italic":291,"600italic":294,"700italic":287,"800italic":285},[298,299],"faShieldCheck","Secure shadow SaaS",[1055,1141],{"@type":106,"@version":107,"tagName":323,"id":1056,"meta":1057,"children":1058},"builder-04da805c4cd34652a2db452fcda52e1d",{"previousId":935},[1059,1075,1082,1089,1098,1108,1118,1128,1135],{"@type":106,"@version":107,"id":1060,"meta":1061,"component":1062,"responsiveStyles":1073},"builder-830d414faeaf41439142f9157e8288c8",{"previousId":939},{"name":327,"options":1063,"isRSC":118},{"title":1045,"description":1064,"points":1065,"video":1072},"\u003Cp>SaaS sprawl is one of today’s fastest-growing security blind spots because most tools monitor around the edges. Push sees it at the source, in the browser, revealing every app users access, flagging risky tools, and helping you shut down exposure before it leads to a breach. No guesswork. No nasty surprises. Just real-time visibility and control.\u003C/p>",[1066,1068,1070],{"item":1067},"Discover every SaaS app users access, managed or not",{"item":1069},"Spot accounts with weak security postures like missing MFA, unmanaged access, and no SSO",{"item":1071},"Control usage with in-browser prompts, blocks, and security guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F3e4eece318d04d6586e691d59d0741cf%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=3e4eece318d04d6586e691d59d0741cf&alt=media&optimized=true",{"large":1074},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":1076,"meta":1077,"component":1078,"responsiveStyles":1080},"builder-cd7833f966cb4c7e8adf0d6c979414a6",{"previousId":956},{"name":346,"options":1079,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":1081},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":1083,"meta":1084,"component":1085,"responsiveStyles":1087},"builder-49d720b45430454e8b08c526f267c19f",{"previousId":963},{"name":354,"options":1086,"isRSC":118},{"darkMode":41},{"large":1088},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1090,"component":1091,"responsiveStyles":1096},"builder-3dde0bf6c8544e5e9ab41b18a9d68034",{"name":359,"tag":359,"options":1092,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":1093,"description":1094,"image":1095,"reverse":6},"\u003Ch2>Use your browser to curb Saas Sprawl\u003C/h2>","\u003Cp>Shadow SaaS isn’t hiding in your network, it’s in your browser. From AI tools to unsanctioned file-sharing sites, security risks live in the apps your users sign into every day. Push maps your organization's true SaaS footprint in real time, exposing apps and accounts with unmanaged access, poor authentication, or no security oversight.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb6811a214c7949b6bbe0b9a3bca62efd",{"large":1097},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1099,"meta":1100,"component":1101,"responsiveStyles":1106},"builder-e2420451ccdc4f088d0a4904cff45935",{"previousId":979},{"name":373,"options":1102,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":1103,"description":1104,"reverse":41,"image":1105},"\u003Ch2>Discover hidden SaaS usage\u003C/h2>","\u003Cp>Push captures live browser telemetry across every tab and session. Whether a user signs into a sanctioned app with a personal account or tries a new AI plugin, you’ll see it in real time, with no integrations or manual tagging.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe16e301f9af94665b95d98232a863d8a",{"large":1107},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":1109,"meta":1110,"component":1111,"responsiveStyles":1116},"builder-b36de7fce7994beea9e58d94662e7166",{"previousId":989},{"name":373,"options":1112,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":1113,"description":1114,"reverse":6,"image":1115},"\u003Ch2>Spot risky access and unsafe usage\u003C/h2>","\u003Cp>Discovery is just the beginning. Push flags apps with risky traits, no MFA, no SSO, known vulnerabilities, or broad access scopes. You’ll know which tools introduce real risk, and which users are exposed so you can act with precision.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6585f3c242da4d70ae3cb7d02f481bef",{"large":1117},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":1119,"meta":1120,"component":1121,"responsiveStyles":1126},"builder-dc366b5134684fe7a508edf8913103ea",{"previousId":999},{"name":373,"options":1122,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1123,"description":1124,"reverse":41,"image":1125},"\u003Ch2>Close gaps before they grow\u003C/h2>","\u003Cp>Push turns insight into action. When risky SaaS use is detected, guide users to enable MFA, block high-risk apps, or apply in-browser guardrails automatically. All without deploying new infrastructure or managing dozens of integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe6d60b6d91414819bc6258a318f00557",{"large":1127},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1129,"meta":1130,"component":1131,"responsiveStyles":1133},"builder-8708f6f0d8da4b3f9e17bf16cda70219",{"previousId":1009},{"name":354,"options":1132,"isRSC":118},{"darkMode":6},{"large":1134},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1136,"component":1137,"responsiveStyles":1139},"builder-8ff4b38d60534cf28cb523ab0f754875",{"name":416,"tag":416,"options":1138,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1140},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1142,"@type":106,"tagName":131,"properties":1143,"responsiveStyles":1144},"builder-pixel-d1ul2kmxbed",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":1145},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1147},{"path":37,"query":1148},{},{},1770892936802,1746714967208,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01bfb2304521412fbd2e1a1180904d40",[],{"originalContentId":919,"winningTest":118,"lastPreviewUrl":1155,"breakpoints":1156,"kind":438,"hasLinks":6,"hasAutosaves":6},"https://pushsecurity.com/uc/shadow-saas?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=5f118e24433d46ceb79f5099987156d7&builder.overrides.5f118e24433d46ceb79f5099987156d7=5f118e24433d46ceb79f5099987156d7&builder.overrides.use-case-page:/uc/shadow-saas=5f118e24433d46ceb79f5099987156d7&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":1158,"id":1159,"name":1160,"modelId":261,"published":13,"query":1161,"data":1164,"variations":1268,"lastUpdated":1269,"firstPublished":1270,"testRatio":33,"screenshot":1271,"createdBy":34,"lastUpdatedBy":674,"folders":1272,"meta":1273,"rev":440},1764707470172,"b62629ce2f3741158d961cd10fe74b31","Shadow AI",[1162],{"@type":264,"property":265,"operator":266,"value":1163},"/uc/shadow-ai",{"fontAwesomeIcon":1165,"seoTitle":1166,"jsCode":37,"customFonts":1167,"title":1172,"tsCode":37,"seoDescription":1173,"blocks":1174,"url":1163,"state":1265},"faBrainCircuit","Secure AI native and AI enhanced apps. ",[1168],{"variants":1169,"category":295,"files":1170,"subsets":1171,"family":272,"kind":273,"menu":296,"lastModified":275,"version":274},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"800italic":285,"regular":290,"700italic":287,"200italic":291,"italic":289,"500italic":292,"600italic":294,"300italic":293,"100italic":288,"900italic":286},[298,299],"Secure shadow AI","See and control shadow AI apps in the browser.",[1175,1260],{"@type":106,"@version":107,"tagName":323,"id":1176,"meta":1177,"children":1178},"builder-a6e5717a2c914d5695058e4ee201a05d",{"previousId":1056},[1179,1195,1202,1209,1219,1228,1237,1247,1254],{"@type":106,"@version":107,"id":1180,"meta":1181,"component":1182,"responsiveStyles":1193},"builder-3e0ed678683f4a0eb7aa00253cf263b2",{"previousId":1060},{"name":327,"options":1183,"isRSC":118},{"title":1172,"description":1184,"points":1185,"image":1192},"\u003Cp>Your employees are adopting AI faster than you can track it. From native features in corporate apps to unapproved shadow tools, it’s all happening in the browser. Push detects every AI interaction in real time, letting you categorize apps and enforce acceptable use policies in the browser.\u003C/p>",[1186,1188,1190],{"item":1187},"Map every AI tool used across your workforce",{"item":1189},"Review and classify apps by sensitivity, purpose, and policy status",{"item":1191},"Enforce AI usage rules directly in the browser","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F33cf153d920f4e389f3650253577cff7",{"large":1194},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":1196,"meta":1197,"component":1198,"responsiveStyles":1200},"builder-76968f8471d14893b8189d75b08fb426",{"previousId":1076},{"name":346,"options":1199,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":1201},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":1203,"meta":1204,"component":1205,"responsiveStyles":1207},"builder-b55b9d4bc5a649d8839ce7f6c2043d95",{"previousId":1083},{"name":354,"options":1206,"isRSC":118},{"darkMode":41},{"large":1208},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1210,"meta":1211,"component":1212,"responsiveStyles":1217},"builder-c3f38ef4d75d4989a29b5903175ed8a1",{"previousId":1090},{"name":359,"tag":359,"options":1213,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":1214,"description":1215,"image":1216,"reverse":6},"\u003Ch2>Use your browser to govern AI \u003C/h2>","\u003Cp>The AI footprint inside your company is bigger than you think. From text generators to meeting assistants and design copilots, employees test, adopt, and connect new tools constantly. Push shows you those tools and which users are accessing them, without relying on network scans or API integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F30b43bda6f1644c19478fb1efa20050c",{"large":1218},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1220,"meta":1221,"component":1222,"responsiveStyles":1226},"builder-90ee9cb9afc44e7f885523715bf51a53",{"previousId":1099},{"name":373,"options":1223,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":1224,"description":1225,"reverse":41,"image":1115},"\u003Ch2>Discover every AI tool users touch\u003C/h2>","\u003Cp>Push captures live telemetry from the browser, identifying every AI-native and AI-enhanced application users access. You’ll know which corporate identities are connected, how data flows, and what new AI apps appear across your environment. \u003C/p>",{"large":1227},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":1229,"meta":1230,"component":1231,"responsiveStyles":1235},"builder-9e44539fa53c4d8e87406036c921fc46",{"previousId":1109},{"name":373,"options":1232,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":1233,"description":1234,"reverse":6,"image":1125},"\u003Ch2>Classify and manage AI risk\u003C/h2>","\u003Cp>For apps you choose to allow, Push lets you apply custom in-browser banners. You can bulk-select categories of AI tools and require users to read and acknowledge your acceptable use policy before they proceed. This creates an auditable trail and moves policy from an easy to forget document to an active, in-workflow control.\u003C/p>",{"large":1236},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":1238,"meta":1239,"component":1240,"responsiveStyles":1245},"builder-44c1a891926f4bdeaaa37e90721fe6ac",{"previousId":1119},{"name":373,"options":1241,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1242,"description":1243,"reverse":41,"image":1244},"\u003Ch2>Enforce your AI policy in the browser\u003C/h2>","\u003Cp>When an AI tool is deemed non-compliant or too risky, Push blocks it at the source. The block happens directly in the browser, preventing the user from accessing the site or submitting data. This gives you an immediate, powerful lever to stop data exfiltration and enforce a hard line on unacceptable risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa359ac1805af4e15a8a7f84632b9bb55",{"large":1246},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1248,"meta":1249,"component":1250,"responsiveStyles":1252},"builder-dcc906f9cbe54dc68b3c672668e7a38f",{"previousId":1129},{"name":354,"options":1251,"isRSC":118},{"darkMode":6},{"large":1253},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1255,"component":1256,"responsiveStyles":1258},"builder-d2d64780c31b4349bc75805b23a07e38",{"name":416,"tag":416,"options":1257,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1259},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1261,"@type":106,"tagName":131,"properties":1262,"responsiveStyles":1263},"builder-pixel-wxx9tk70r9p",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":1264},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1266},{"path":37,"query":1267},{},{},1770892957225,1764950077593,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe558b8b069884037a8e6904f7ecc029c",[],{"winningTest":118,"breakpoints":1274,"originalContentId":1039,"kind":438,"lastPreviewUrl":1275,"hasLinks":6,"hasAutosaves":41},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/shadow-ai?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=b62629ce2f3741158d961cd10fe74b31&builder.overrides.b62629ce2f3741158d961cd10fe74b31=b62629ce2f3741158d961cd10fe74b31&builder.overrides.use-case-page:/uc/shadow-ai=b62629ce2f3741158d961cd10fe74b31&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"_path":1277,"_dir":1278,"_draft":6,"_partial":6,"_locale":37,"sys":1279,"ogImage":118,"summary":1282,"title":1296,"subtitle":1297,"metaTitle":1298,"synopsis":1299,"hashTags":118,"publishedDate":1300,"slug":1301,"tagsCollection":1302,"relatedBlogPostsCollection":1312,"authorsCollection":2854,"content":2862,"_id":3556,"_type":3557,"_source":3558,"_file":3559,"_stem":3560,"_extension":3557},"/blog/introducing-malicious-copy-paste-detection","blog",{"id":1280,"publishedAt":1281},"1u8RJxC00HbBhCBVxcDnkK","2025-10-09T13:59:03.248Z",{"json":1283},{"data":1284,"content":1285,"nodeType":1295},{},[1286],{"data":1287,"content":1288,"nodeType":1294},{},[1289],{"data":1290,"marks":1291,"value":1292,"nodeType":1293},{},[],"ClickFix, FileFix, fake CAPTCHA — whatever you call it, users interacting with malicious scripts in their web browser is a fast-growing source of security breaches. To tackle this threat, Push now detects malware delivery in the browser, supporting a layered defense against endpoint attacks. ","text","paragraph","document","Introducing malicious copy and paste detection","Detect ClickFix-style attacks where users copy malicious scripts from their browser.","Detect ClickFix-style attacks in the browser","Push now detects malware delivery in the browser, supporting a layered defense against endpoint attacks. ","2025-10-09T00:00:00.000Z","introducing-malicious-copy-paste-detection",{"items":1303},[1304,1308],{"sys":1305,"name":1307},{"id":1306},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"sys":1309,"name":1311},{"id":1310},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"items":1313},[1314,1666,2339],{"__typename":1315,"sys":1316,"content":1318,"title":1648,"synopsis":1649,"hashTags":118,"publishedDate":1650,"slug":1651,"tagsCollection":1652,"authorsCollection":1658},"BlogPosts",{"id":1317},"4bYO5rVy9n2OO3vtMVQeda",{"json":1319},{"nodeType":1295,"data":1320,"content":1321},{},[1322,1330,1352,1368,1375,1382,1386,1394,1401,1456,1463,1472,1475,1482,1489,1496,1503,1510,1528,1534,1541,1548,1565,1571,1578,1585,1592,1599,1606,1609,1616,1636,1642],{"nodeType":1323,"data":1324,"content":1325},"heading-1",{},[1326],{"nodeType":1293,"value":1327,"marks":1328,"data":1329},"All phishing eventually leads to the browser",[],{},{"nodeType":1294,"data":1331,"content":1332},{},[1333,1337,1348],{"nodeType":1293,"value":1334,"marks":1335,"data":1336},"The best attack detection methods are those that focus on ",[],{},{"nodeType":1338,"data":1339,"content":1341},"hyperlink",{"uri":1340},"https://pushsecurity.com/blog/our-design-philosophy-detecting-what-matters/",[1342],{"nodeType":1293,"value":1343,"marks":1344,"data":1347},"detecting indicators that are difficult for attackers to change or obfuscate",[1345],{"type":1346},"underline",{},{"nodeType":1293,"value":1349,"marks":1350,"data":1351},". ",[],{},{"nodeType":1294,"data":1353,"content":1354},{},[1355,1359,1364],{"nodeType":1293,"value":1356,"marks":1357,"data":1358},"For a credential phishing attack to succeed, the victim ",[],{},{"nodeType":1293,"value":1360,"marks":1361,"data":1363},"has",[1362],{"type":1346},{},{"nodeType":1293,"value":1365,"marks":1366,"data":1367}," to enter their password into a webpage. There’s no two-ways about it, attackers cannot change this. ",[],{},{"nodeType":1294,"data":1369,"content":1370},{},[1371],{"nodeType":1293,"value":1372,"marks":1373,"data":1374},"So it stands to reason that, if you can detect this user behavior, and block them from entering their password, then you can stop phishing. ",[],{},{"nodeType":1294,"data":1376,"content":1377},{},[1378],{"nodeType":1293,"value":1379,"marks":1380,"data":1381},"This is exactly what Push does.",[],{},{"nodeType":1383,"data":1384,"content":1385},"hr",{},[],{"nodeType":1387,"data":1388,"content":1389},"heading-2",{},[1390],{"nodeType":1293,"value":1391,"marks":1392,"data":1393},"Most anti-phishing tools are easily bypassed",[],{},{"nodeType":1294,"data":1395,"content":1396},{},[1397],{"nodeType":1293,"value":1398,"marks":1399,"data":1400},"Other anti-phishing tools rely on detecting elements of the attack that attackers can change and hide, such as domains or the webpage contents. Attackers use tricks to evade these detection, like:",[],{},{"nodeType":1402,"data":1403,"content":1404},"unordered-list",{},[1405,1416,1426,1436,1446],{"nodeType":1406,"data":1407,"content":1408},"list-item",{},[1409],{"nodeType":1294,"data":1410,"content":1411},{},[1412],{"nodeType":1293,"value":1413,"marks":1414,"data":1415},"Using Cloudflare Workers to block automatic analysis of their phishing site",[],{},{"nodeType":1406,"data":1417,"content":1418},{},[1419],{"nodeType":1294,"data":1420,"content":1421},{},[1422],{"nodeType":1293,"value":1423,"marks":1424,"data":1425},"Hacking a Wordpress blog to get a reputable domain that passes domain checks ",[],{},{"nodeType":1406,"data":1427,"content":1428},{},[1429],{"nodeType":1294,"data":1430,"content":1431},{},[1432],{"nodeType":1293,"value":1433,"marks":1434,"data":1435},"Using redirects and rotating the URLs delivered to the victim to bypass link analysis",[],{},{"nodeType":1406,"data":1437,"content":1438},{},[1439],{"nodeType":1294,"data":1440,"content":1441},{},[1442],{"nodeType":1293,"value":1443,"marks":1444,"data":1445},"Randomizing the HTML title for the web page to bypass blocklists ",[],{},{"nodeType":1406,"data":1447,"content":1448},{},[1449],{"nodeType":1294,"data":1450,"content":1451},{},[1452],{"nodeType":1293,"value":1453,"marks":1454,"data":1455},"One-time phishing links that only work the first time they are clicked",[],{},{"nodeType":1294,"data":1457,"content":1458},{},[1459],{"nodeType":1293,"value":1460,"marks":1461,"data":1462},"Push is putting an end to this game of cat and mouse, by keeping it really simple; you can’t phish someone who can’t put their password into a phishing page. ",[],{},{"nodeType":1464,"data":1465,"content":1471},"embedded-entry-block",{"target":1466},{"sys":1467},{"id":1468,"type":1469,"linkType":1470},"6AwOZSpqaChmeksnj4SyWE","Link","Entry",[],{"nodeType":1383,"data":1473,"content":1474},{},[],{"nodeType":1387,"data":1476,"content":1477},{},[1478],{"nodeType":1293,"value":1479,"marks":1480,"data":1481},"Domain-binding passwords",[],{},{"nodeType":1294,"data":1483,"content":1484},{},[1485],{"nodeType":1293,"value":1486,"marks":1487,"data":1488},"If you’re familiar with how passkeys are domain-bound, then think of what Push does as domain-binding passwords. We pin the password to its legitimate domain(s) and then don’t allow it to be entered into any webpage on any other domain. ",[],{},{"nodeType":1294,"data":1490,"content":1491},{},[1492],{"nodeType":1293,"value":1493,"marks":1494,"data":1495},"But just because you’ve stopped your users from being phished doesn’t mean you don’t want to know when attackers are attempting to phish your users and how. ",[],{},{"nodeType":1294,"data":1497,"content":1498},{},[1499],{"nodeType":1293,"value":1500,"marks":1501,"data":1502},"Push still inspects webpages to see if attackers are rendering cloned app login pages in the browser or if known AitM and BitM toolkits are being used. This way you don’t lose visibility of the unsuccessful attacks that are targeting your users. Think of it as a handy second and third layer of defense.",[],{},{"nodeType":1294,"data":1504,"content":1505},{},[1506],{"nodeType":1293,"value":1507,"marks":1508,"data":1509},"Lets run through a quick before and after example:",[],{},{"nodeType":1387,"data":1511,"content":1512},{},[1513,1517,1524],{"nodeType":1293,"value":1514,"marks":1515,"data":1516},"Scenario 1: An attacker attempts to phish an employee that ",[],{},{"nodeType":1293,"value":1518,"marks":1519,"data":1523},"doesn’t",[1520,1521],{"type":1346},{"type":1522},"bold",{},{"nodeType":1293,"value":1525,"marks":1526,"data":1527}," have Push deployed to their browser.",[],{},{"nodeType":1464,"data":1529,"content":1533},{"target":1530},{"sys":1531},{"id":1532,"type":1469,"linkType":1470},"2CbGMUSJsP1mNeHkmpLl6N",[],{"nodeType":1294,"data":1535,"content":1536},{},[1537],{"nodeType":1293,"value":1538,"marks":1539,"data":1540},"Here, an attacker hacks a Wordpress blog to get a reputable domain and then runs a phishing toolkit on the webpage. They email one of your employees a link to it. Your SWG / email scanning solution inspects it in a sandbox but the phish kit detects this and redirects to a benign site so that it passes the inspection. ",[],{},{"nodeType":1294,"data":1542,"content":1543},{},[1544],{"nodeType":1293,"value":1545,"marks":1546,"data":1547},"Your user gets the email with the link and is now free to interact with the phishing page. They enter their credentials plus MFA code into the page and voila! The attacker steals them and is able to compromise the user’s account.  ",[],{},{"nodeType":1387,"data":1549,"content":1550},{},[1551,1555,1561],{"nodeType":1293,"value":1552,"marks":1553,"data":1554},"Scenario 2: An attacker attempts to phish an employee that ",[],{},{"nodeType":1293,"value":1556,"marks":1557,"data":1560},"does",[1558,1559],{"type":1346},{"type":1522},{},{"nodeType":1293,"value":1562,"marks":1563,"data":1564}," have Push deployed to their browser. ",[],{},{"nodeType":1464,"data":1566,"content":1570},{"target":1567},{"sys":1568},{"id":1569,"type":1469,"linkType":1470},"77smnID1woCfFJrJPyTvKY",[],{"nodeType":1294,"data":1572,"content":1573},{},[1574],{"nodeType":1293,"value":1575,"marks":1576,"data":1577},"This time, the attacker uses the same phishing toolkit and domain from the first example. But in reality, they don’t have to send it to your employee using email, instead, they could use LinkedIn messenger, Slack, Teams, or any application that allows employees to communicate with each other. ",[],{},{"nodeType":1294,"data":1579,"content":1580},{},[1581],{"nodeType":1293,"value":1582,"marks":1583,"data":1584},"Like before, the user receives the link, opens it and starts to enter their credentials into the webpage. This time though, the Push browser extension inspects the webpage running in the user's browser. Push observes that the webpage is a login page and the user is entering their password into the page.",[],{},{"nodeType":1294,"data":1586,"content":1587},{},[1588],{"nodeType":1293,"value":1589,"marks":1590,"data":1591},"The first detection Push makes is checking that the password the user is entering matches the domain that password is pinned to. Since it doesn't match, based on this detection alone the user is automatically redirected to a blocking page. An important point to make here is that the password never leaves the user’s browser and the check is made using a shortened salted hash of the password.   ",[],{},{"nodeType":1294,"data":1593,"content":1594},{},[1595],{"nodeType":1293,"value":1596,"marks":1597,"data":1598},"The second detection Push makes is that the rendered web app is using a cloned app login page. The third detection is that a phishing toolkit is running in the web app code. ",[],{},{"nodeType":1294,"data":1600,"content":1601},{},[1602],{"nodeType":1293,"value":1603,"marks":1604,"data":1605},"In this particular scenario these second and third detections serve as useful context for understanding the nature of the phishing attack. But both will still redirect to a blocking page if they are triggered in isolation of the other phishing detections. ",[],{},{"nodeType":1383,"data":1607,"content":1608},{},[],{"nodeType":1323,"data":1610,"content":1611},{},[1612],{"nodeType":1293,"value":1613,"marks":1614,"data":1615},"We don’t just stop phishing attacks",[],{},{"nodeType":1294,"data":1617,"content":1618},{},[1619,1623,1632],{"nodeType":1293,"value":1620,"marks":1621,"data":1622},"We also detect other identity-related attack techniques used to compromise user accounts. That includes credential stuffing, password spraying and session hijacking using stolen session tokens. If you want to learn more about how Push helps you to detect and defeat common identity attack techniques, ",[],{},{"nodeType":1338,"data":1624,"content":1626},{"uri":1625},"https://pushsecurity.com/demo/",[1627],{"nodeType":1293,"value":1628,"marks":1629,"data":1631},"book some time with one of our team",[1630],{"type":1346},{},{"nodeType":1293,"value":1633,"marks":1634,"data":1635},".  ",[],{},{"nodeType":1464,"data":1637,"content":1641},{"target":1638},{"sys":1639},{"id":1640,"type":1469,"linkType":1470},"2JSmYDaiAciOx7Z1MRuJlA",[],{"nodeType":1294,"data":1643,"content":1644},{},[1645],{"nodeType":1293,"value":37,"marks":1646,"data":1647},[],{},"Detecting and blocking phishing attacks in the browser","How Push detects and blocks phishing attempts in the browser – explained in less than two minutes. ","2024-10-23T00:00:00.000Z","detecting-and-blocking-phishing-attacks-in-the-browser",{"items":1653},[1654,1656],{"sys":1655,"name":1311},{"id":1310},{"sys":1657,"name":1307},{"id":1306},{"items":1659},[1660],{"fullName":1661,"firstName":1662,"jobTitle":1663,"profilePicture":1664},"Alex Henshall","Alex","Product Team",{"url":1665},"https://images.ctfassets.net/y1cdw1ablpvd/2rz3Pre3b1MexPIQ4hzPUe/0ef8a092b7e7df00fbce3f7d1ccb96d1/Alex_Henshall.jpeg",{"__typename":1315,"sys":1667,"content":1669,"title":2320,"synopsis":2321,"hashTags":118,"publishedDate":2322,"slug":2323,"tagsCollection":2324,"authorsCollection":2332},{"id":1668},"wikyVxlHwKUOKM9xo19eP",{"json":1670},{"nodeType":1295,"data":1671,"content":1672},{},[1673,1679,1682,1689,1712,1744,1755,1775,1782,1788,1795,1811,1818,1821,1828,1835,1855,1862,1908,1915,1921,1927,1934,1967,1981,1984,1991,1998,2005,2012,2019,2026,2033,2141,2147,2162,2169,2184,2217,2233,2240,2255,2261,2268,2275,2281,2288,2294,2301],{"nodeType":1464,"data":1674,"content":1678},{"target":1675},{"sys":1676},{"id":1677,"type":1469,"linkType":1470},"1hUpsNwuhEXwSPijvRflTq",[],{"nodeType":1383,"data":1680,"content":1681},{},[],{"nodeType":1294,"data":1683,"content":1684},{},[1685],{"nodeType":1293,"value":1686,"marks":1687,"data":1688},"There are two things every security operations engineer can agree on:",[],{},{"nodeType":1402,"data":1690,"content":1691},{},[1692,1702],{"nodeType":1406,"data":1693,"content":1694},{},[1695],{"nodeType":1294,"data":1696,"content":1697},{},[1698],{"nodeType":1293,"value":1699,"marks":1700,"data":1701},"Get MFA on every account on every app.",[],{},{"nodeType":1406,"data":1703,"content":1704},{},[1705],{"nodeType":1294,"data":1706,"content":1707},{},[1708],{"nodeType":1293,"value":1709,"marks":1710,"data":1711},"This is stupidly harder to achieve than it seems.",[],{},{"nodeType":1294,"data":1713,"content":1714},{},[1715,1719,1728,1732,1740],{"nodeType":1293,"value":1716,"marks":1717,"data":1718},"The penalties for failing to solve this hard simple problem are abundantly clear. Stolen credentials accounted for roughly half of the initial access methods observed this year across 30,000+ attacks, according to Verizon’s 2024 ",[],{},{"nodeType":1338,"data":1720,"content":1722},{"uri":1721},"https://www.verizon.com/business/resources/reports/dbir/",[1723],{"nodeType":1293,"value":1724,"marks":1725,"data":1727},"Data Breach Investigations Report",[1726],{"type":1346},{},{"nodeType":1293,"value":1729,"marks":1730,"data":1731},". And ",[],{},{"nodeType":1338,"data":1733,"content":1735},{"uri":1734},"https://pushsecurity.com/blog/2024-identity-breaches/",[1736],{"nodeType":1293,"value":1737,"marks":1738,"data":1739},"in a review of 30 publicly disclosed breaches involving identity attacks",[],{},{"nodeType":1293,"value":1741,"marks":1742,"data":1743}," in 2024, we found that 73% (almost three-quarters) were the result of compromised credentials, with the rest the result of phishing. ",[],{},{"nodeType":1745,"data":1746,"content":1747},"blockquote",{},[1748],{"nodeType":1294,"data":1749,"content":1750},{},[1751],{"nodeType":1293,"value":1752,"marks":1753,"data":1754},"Three-quarters of publicly disclosed breaches involving identity attacks in 2024 involved compromised credentials and missing MFA.",[],{},{"nodeType":1294,"data":1756,"content":1757},{},[1758,1762,1771],{"nodeType":1293,"value":1759,"marks":1760,"data":1761},"In the case of the ",[],{},{"nodeType":1338,"data":1763,"content":1765},{"uri":1764},"https://pushsecurity.com/blog/snowflake-retro/",[1766],{"nodeType":1293,"value":1767,"marks":1768,"data":1770},"Snowflake incident",[1769],{"type":1346},{},{"nodeType":1293,"value":1772,"marks":1773,"data":1774}," earlier this year, a lack of MFA meant the difference between an enormous and murky firefight to clean up accounts breached with legitimate credentials, and a decent night’s sleep. The result was hundreds of millions of breached customer records, nine publicly named victims, and at least one ransom paid.",[],{},{"nodeType":1294,"data":1776,"content":1777},{},[1778],{"nodeType":1293,"value":1779,"marks":1780,"data":1781},"“Do you know how many accounts we have on this third-party service, who owns them, how many tenants, whether those creds are shared elsewhere, and their security posture?” is not a fun question to answer on a Friday. ",[],{},{"nodeType":1464,"data":1783,"content":1787},{"target":1784},{"sys":1785},{"id":1786,"type":1469,"linkType":1470},"6hg6PLXWMZaEDnGekHEzmD",[],{"nodeType":1294,"data":1789,"content":1790},{},[1791],{"nodeType":1293,"value":1792,"marks":1793,"data":1794},"For SecOps teams we’ve helped here at Push that responded to incidents affecting third-party apps (like Snowflake), the first item on the recovery plan is to finally solve that hard simple problem: No more MFA gaps.",[],{},{"nodeType":1294,"data":1796,"content":1797},{},[1798,1802,1807],{"nodeType":1293,"value":1799,"marks":1800,"data":1801},"With our latest feature release, ",[],{},{"nodeType":1293,"value":1803,"marks":1804,"data":1806},"MFA enforcement",[1805],{"type":1522},{},{"nodeType":1293,"value":1808,"marks":1809,"data":1810},", this is so much easier. With MFA enforcement, Push administrators can configure a control to prompt employees to enroll in MFA whenever Push detects that they’re not registered — even on apps that don’t natively provide any administrative enforcement option for MFA. This capability is made possible by the Push browser extension, which uses in-browser messaging and simple workflows to guide users right where they work.",[],{},{"nodeType":1294,"data":1812,"content":1813},{},[1814],{"nodeType":1293,"value":1815,"marks":1816,"data":1817},"In this article, we’ll cover how Push helps you identify and close MFA gaps, how our new enforcement feature is one part of that solution, and how you can test the platform yourself.",[],{},{"nodeType":1383,"data":1819,"content":1820},{},[],{"nodeType":1323,"data":1822,"content":1823},{},[1824],{"nodeType":1293,"value":1825,"marks":1826,"data":1827},"Shining a light on MFA gaps",[],{},{"nodeType":1294,"data":1829,"content":1830},{},[1831],{"nodeType":1293,"value":1832,"marks":1833,"data":1834},"There’s no question that the rise of ubiquitous multi-factor authentication has been an enormous advance for defenders in cybersecurity. ",[],{},{"nodeType":1294,"data":1836,"content":1837},{},[1838,1842,1851],{"nodeType":1293,"value":1839,"marks":1840,"data":1841},"Yet several years into this journey, the problem of verifying and enforcing MFA coverage across an organization remains a bit of a ",[],{},{"nodeType":1338,"data":1843,"content":1845},{"uri":1844},"https://en.wikipedia.org/wiki/Puzzle_box",[1846],{"nodeType":1293,"value":1847,"marks":1848,"data":1850},"puzzle box",[1849],{"type":1346},{},{"nodeType":1293,"value":1852,"marks":1853,"data":1854},".",[],{},{"nodeType":1294,"data":1856,"content":1857},{},[1858],{"nodeType":1293,"value":1859,"marks":1860,"data":1861},"Why is this?",[],{},{"nodeType":1402,"data":1863,"content":1864},{},[1865,1875,1885],{"nodeType":1406,"data":1866,"content":1867},{},[1868],{"nodeType":1294,"data":1869,"content":1870},{},[1871],{"nodeType":1293,"value":1872,"marks":1873,"data":1874},"Complex overlapping (and occasionally contradictory) configurations for enterprise MFA solutions can result in entire employee groups not registered for MFA, and other critical missing pieces.",[],{},{"nodeType":1406,"data":1876,"content":1877},{},[1878],{"nodeType":1294,"data":1879,"content":1880},{},[1881],{"nodeType":1293,"value":1882,"marks":1883,"data":1884},"With a sprawling ecosystem of both SSO-managed and unmanaged self-adopted SaaS, MFA coverage ends up looking more like a patchwork than a unified layer of protection. Security teams lack visibility of freemium and self-purchased apps, and when signup is simple, many users will naturally skip MFA registration to remove a layer of friction. The end result is often a suite of core apps managed via SSO that enforce MFA — and a lot of other unmanaged apps that don’t (true nightmare fodder).",[],{},{"nodeType":1406,"data":1886,"content":1887},{},[1888],{"nodeType":1294,"data":1889,"content":1890},{},[1891,1895,1904],{"nodeType":1293,"value":1892,"marks":1893,"data":1894},"Another annoying piece of the puzzle box: Even in organizations with a high adoption rate of phishing-resistant MFA methods, having backup MFA methods (and a lack of total visibility into all of those registered methods) can create situations where ",[],{},{"nodeType":1338,"data":1896,"content":1898},{"uri":1897},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/mfa_downgrade/description.md",[1899],{"nodeType":1293,"value":1900,"marks":1901,"data":1903},"MFA downgrade attacks",[1902],{"type":1346},{},{"nodeType":1293,"value":1905,"marks":1906,"data":1907}," are still possible. In MFA downgrade attacks, backup MFA methods that are less secure such as SMS or TOTP can be exploited, effectively bypassing more phishing-resistant methods.",[],{},{"nodeType":1294,"data":1909,"content":1910},{},[1911],{"nodeType":1293,"value":1912,"marks":1913,"data":1914},"The challenges of solving this puzzle are evident. ",[],{},{"nodeType":1464,"data":1916,"content":1920},{"target":1917},{"sys":1918},{"id":1919,"type":1469,"linkType":1470},"2BBiFx8pHjSCeLTlP6n6da",[],{"nodeType":1464,"data":1922,"content":1926},{"target":1923},{"sys":1924},{"id":1925,"type":1469,"linkType":1470},"2QnWVpPYRyJQaQ5TuKSSLp",[],{"nodeType":1294,"data":1928,"content":1929},{},[1930],{"nodeType":1293,"value":1931,"marks":1932,"data":1933},"To shine a light on MFA gaps, then, security teams need three things:",[],{},{"nodeType":1402,"data":1935,"content":1936},{},[1937,1947,1957],{"nodeType":1406,"data":1938,"content":1939},{},[1940],{"nodeType":1294,"data":1941,"content":1942},{},[1943],{"nodeType":1293,"value":1944,"marks":1945,"data":1946},"A full accounting of their identity attack surface, including accounts on unmanaged and freemium apps not on SSO.",[],{},{"nodeType":1406,"data":1948,"content":1949},{},[1950],{"nodeType":1294,"data":1951,"content":1952},{},[1953],{"nodeType":1293,"value":1954,"marks":1955,"data":1956},"A trustworthy out-of-band method for verifying MFA coverage, beyond the tangle of conditional access rules.",[],{},{"nodeType":1406,"data":1958,"content":1959},{},[1960],{"nodeType":1294,"data":1961,"content":1962},{},[1963],{"nodeType":1293,"value":1964,"marks":1965,"data":1966},"Visibility into which MFA methods are registered to a given account.",[],{},{"nodeType":1294,"data":1968,"content":1969},{},[1970,1974,1978],{"nodeType":1293,"value":1971,"marks":1972,"data":1973},"You can get all three with the Push platform. The missing piece we’ve now added is a way to automatically prompt employees to add MFA wherever it’s missing. Enter ",[],{},{"nodeType":1293,"value":1803,"marks":1975,"data":1977},[1976],{"type":1522},{},{"nodeType":1293,"value":1852,"marks":1979,"data":1980},[],{},{"nodeType":1383,"data":1982,"content":1983},{},[],{"nodeType":1323,"data":1985,"content":1986},{},[1987],{"nodeType":1293,"value":1988,"marks":1989,"data":1990},"How Push helps you ensure MFA coverage",[],{},{"nodeType":1294,"data":1992,"content":1993},{},[1994],{"nodeType":1293,"value":1995,"marks":1996,"data":1997},"Let’s take a look at a hypothetical incident response scenario to see how Push’s identity visibility and security controls help you ensure MFA coverage.",[],{},{"nodeType":1294,"data":1999,"content":2000},{},[2001],{"nodeType":1293,"value":2002,"marks":2003,"data":2004},"We’ll assume that prior to this incident, you had already deployed the Push browser extension, which you can install and enforce using any MDM solution, on all major browsers.",[],{},{"nodeType":1294,"data":2006,"content":2007},{},[2008],{"nodeType":1293,"value":2009,"marks":2010,"data":2011},"It’s a Friday afternoon (sorry).",[],{},{"nodeType":1294,"data":2013,"content":2014},{},[2015],{"nodeType":1293,"value":2016,"marks":2017,"data":2018},"News breaks that there’s been a suspected breach at a popular enterprise SaaS service.",[],{},{"nodeType":1294,"data":2020,"content":2021},{},[2022],{"nodeType":1293,"value":2023,"marks":2024,"data":2025},"You’re familiar with the service, but you don’t believe it’s a core managed app at your organization. Unfortunately, that does not mean you don’t have accounts (sorry again).",[],{},{"nodeType":1294,"data":2027,"content":2028},{},[2029],{"nodeType":1293,"value":2030,"marks":2031,"data":2032},"Using Push, you can:",[],{},{"nodeType":1402,"data":2034,"content":2035},{},[2036,2055,2065,2092,2119],{"nodeType":1406,"data":2037,"content":2038},{},[2039],{"nodeType":1294,"data":2040,"content":2041},{},[2042,2046,2051],{"nodeType":1293,"value":2043,"marks":2044,"data":2045},"Immediately check whether the Push extension has observed employee usage of the breached app. It will appear on the ",[],{},{"nodeType":1293,"value":2047,"marks":2048,"data":2050},"Apps",[2049],{"type":1522},{},{"nodeType":1293,"value":2052,"marks":2053,"data":2054}," table. From this overview, you can see how many accounts Push has seen on that app and how they are accessing it (SSO vs. other methods, such as local password login).",[],{},{"nodeType":1406,"data":2056,"content":2057},{},[2058],{"nodeType":1294,"data":2059,"content":2060},{},[2061],{"nodeType":1293,"value":2062,"marks":2063,"data":2064},"For those accounts on the breached app, you can quickly see whether they have MFA, and which methods are registered. To determine MFA status, the Push extension uses the existing user’s active session on an app to query that account’s MFA registration status using the app’s own API, providing a trustworthy verification. ",[],{},{"nodeType":1406,"data":2066,"content":2067},{},[2068],{"nodeType":1294,"data":2069,"content":2070},{},[2071,2075,2080,2084,2089],{"nodeType":1293,"value":2072,"marks":2073,"data":2074},"You can also see whether the users’ passwords have any security issues, such as a verified stolen credential, or a password that’s weak or reused by filtering the ",[],{},{"nodeType":1293,"value":2076,"marks":2077,"data":2079},"Accounts",[2078],{"type":1522},{},{"nodeType":1293,"value":2081,"marks":2082,"data":2083}," list for ",[],{},{"nodeType":1293,"value":2085,"marks":2086,"data":2088},"Findings",[2087],{"type":1522},{},{"nodeType":1293,"value":1852,"marks":2090,"data":2091},[],{},{"nodeType":1406,"data":2093,"content":2094},{},[2095],{"nodeType":1294,"data":2096,"content":2097},{},[2098,2102,2106,2110,2115],{"nodeType":1293,"value":2099,"marks":2100,"data":2101},"For accounts that lack MFA, you can then configure the ",[],{},{"nodeType":1293,"value":1803,"marks":2103,"data":2105},[2104],{"type":1522},{},{"nodeType":1293,"value":2107,"marks":2108,"data":2109}," control from the ",[],{},{"nodeType":1293,"value":2111,"marks":2112,"data":2114},"Controls",[2113],{"type":1522},{},{"nodeType":1293,"value":2116,"marks":2117,"data":2118}," page. This will prompt employees who lack MFA to set it up whenever they next use the app. In parallel, you can reach out to affected employees through your preferred comms channel and ask them to immediately register for MFA and change their password on the app. ",[],{},{"nodeType":1406,"data":2120,"content":2121},{},[2122],{"nodeType":1294,"data":2123,"content":2124},{},[2125,2129,2138],{"nodeType":1293,"value":2126,"marks":2127,"data":2128},"Then use Push’s webhooks to monitor for MFA registrations and password changes to roll in, by querying the ",[],{},{"nodeType":1338,"data":2130,"content":2132},{"uri":2131},"https://pushsecurity.redoc.ly/webhooks-v1#operation/login-event",[2133],{"nodeType":1293,"value":2134,"marks":2135,"data":2137},"Login event",[2136],{"type":1346},{},{"nodeType":1293,"value":1852,"marks":2139,"data":2140},[],{},{"nodeType":1464,"data":2142,"content":2146},{"target":2143},{"sys":2144},{"id":2145,"type":1469,"linkType":1470},"4OVJU6FRSVU9j1WB9NGyJ4",[],{"nodeType":1294,"data":2148,"content":2149},{},[2150,2154,2158],{"nodeType":1293,"value":2151,"marks":2152,"data":2153},"By combining visibility of your workforce identities — including granular context on their MFA registration status, MFA methods, and password security, even on unmanaged apps — with in-browser controls like ",[],{},{"nodeType":1293,"value":1803,"marks":2155,"data":2157},[2156],{"type":1522},{},{"nodeType":1293,"value":2159,"marks":2160,"data":2161},", Push helps security teams respond quickly and with assurance that they have the right information and tools to remediate the issue.",[],{},{"nodeType":1323,"data":2163,"content":2164},{},[2165],{"nodeType":1293,"value":2166,"marks":2167,"data":2168},"A closer look at MFA enforcement",[],{},{"nodeType":1294,"data":2170,"content":2171},{},[2172,2176,2180],{"nodeType":1293,"value":2173,"marks":2174,"data":2175},"With the in-browser ",[],{},{"nodeType":1293,"value":1803,"marks":2177,"data":2179},[2178],{"type":1522},{},{"nodeType":1293,"value":2181,"marks":2182,"data":2183}," control, we chose this approach to close the loop on missing MFA issues because:",[],{},{"nodeType":1402,"data":2185,"content":2186},{},[2187,2197,2207],{"nodeType":1406,"data":2188,"content":2189},{},[2190],{"nodeType":1294,"data":2191,"content":2192},{},[2193],{"nodeType":1293,"value":2194,"marks":2195,"data":2196},"It meets users where they are, in the most relevant context where they can successfully address the issue.",[],{},{"nodeType":1406,"data":2198,"content":2199},{},[2200],{"nodeType":1294,"data":2201,"content":2202},{},[2203],{"nodeType":1293,"value":2204,"marks":2205,"data":2206},"It solves the problem of enforcing MFA on apps that are outside of administrative control — or that don’t provide any administrative controls to enforce MFA registration natively.",[],{},{"nodeType":1406,"data":2208,"content":2209},{},[2210],{"nodeType":1294,"data":2211,"content":2212},{},[2213],{"nodeType":1293,"value":2214,"marks":2215,"data":2216},"It’s tenant-agnostic. That means that you can enforce MFA for a given app on all tenants of that app, even those free-tier or test tenants that you don’t know about and have no control over.",[],{},{"nodeType":1294,"data":2218,"content":2219},{},[2220,2224,2229],{"nodeType":1293,"value":2221,"marks":2222,"data":2223},"As a happy side effect, your compliance team will thank you for finally allowing them to attest to where MFA is ",[],{},{"nodeType":1293,"value":2225,"marks":2226,"data":2228},"actually",[2227],{"type":312},{},{"nodeType":1293,"value":2230,"marks":2231,"data":2232}," enforced — with verified results, visible at the account level in Push’s admin reporting — across your environment.",[],{},{"nodeType":1294,"data":2234,"content":2235},{},[2236],{"nodeType":1293,"value":2237,"marks":2238,"data":2239},"Here’s a closer look at how it works:",[],{},{"nodeType":1294,"data":2241,"content":2242},{},[2243,2247,2251],{"nodeType":1293,"value":2244,"marks":2245,"data":2246},"To enable MFA enforcement, use the configuration tile on the ",[],{},{"nodeType":1293,"value":2111,"marks":2248,"data":2250},[2249],{"type":1522},{},{"nodeType":1293,"value":2252,"marks":2253,"data":2254}," page of the Push admin console and select which apps should require MFA registration. The control currently works with ~90 high-value apps, including Postman, Retool, Datadog, Atlassian, Okta, and others.",[],{},{"nodeType":1464,"data":2256,"content":2260},{"target":2257},{"sys":2258},{"id":2259,"type":1469,"linkType":1470},"2sDbYZL4oJDxLMbYErJfIN",[],{"nodeType":1294,"data":2262,"content":2263},{},[2264],{"nodeType":1293,"value":2265,"marks":2266,"data":2267},"You can then customize the message the employees will see.",[],{},{"nodeType":1294,"data":2269,"content":2270},{},[2271],{"nodeType":1293,"value":2272,"marks":2273,"data":2274},"On the end-user side, employees will see a banner with your message as soon as they use an app where they lack MFA. ",[],{},{"nodeType":1464,"data":2276,"content":2280},{"target":2277},{"sys":2278},{"id":2279,"type":1469,"linkType":1470},"37aH1maXXkF8DxgjUod5dn",[],{"nodeType":1294,"data":2282,"content":2283},{},[2284],{"nodeType":1293,"value":2285,"marks":2286,"data":2287},"To complete MFA registration, the user can go directly to the app’s MFA registration page from a link in the banner (Push provides this link automatically, where one exists). The extension will query the user’s MFA status regularly in the background and when MFA registration is completed, the banner will disappear and the Push platform will clear the “No MFA” security finding for that account.",[],{},{"nodeType":1464,"data":2289,"content":2293},{"target":2290},{"sys":2291},{"id":2292,"type":1469,"linkType":1470},"3yb4KjhH3AbvvSnfMbNONr",[],{"nodeType":1323,"data":2295,"content":2296},{},[2297],{"nodeType":1293,"value":2298,"marks":2299,"data":2300},"Find out more",[],{},{"nodeType":1294,"data":2302,"content":2303},{},[2304,2308,2316],{"nodeType":1293,"value":2305,"marks":2306,"data":2307},"To test our MFA visibility and control features, ",[],{},{"nodeType":1338,"data":2309,"content":2311},{"uri":2310},"/demo",[2312],{"nodeType":1293,"value":2313,"marks":2314,"data":2315},"request a demo",[],{},{"nodeType":1293,"value":2317,"marks":2318,"data":2319}," from our team. We look forward to helping you finally turn the challenge of MFA coverage into a simple problem, easily solved.",[],{},"No more hard simple problems: Enforce MFA on third-party apps with Push","Using Push to enforce MFA on third-party apps in the browser — even where MFA enforcement isn't supported by the app itself.","2025-01-16T00:00:00.000Z","enforce-mfa-on-third-party-apps",{"items":2325},[2326,2330],{"sys":2327,"name":2329},{"id":2328},"3pjES4THCIfSAwhGdNwBcy","Identity security",{"sys":2331,"name":1307},{"id":1306},{"items":2333},[2334],{"fullName":2335,"firstName":2336,"jobTitle":1663,"profilePicture":2337},"Kelly Davenport","Kelly",{"url":2338},"https://images.ctfassets.net/y1cdw1ablpvd/1hi8bEuVfn5sF57LivAq6d/9a3b82426c697d765e2e450e33a18424/kelly_profile_pic.jpeg",{"__typename":1315,"sys":2340,"content":2342,"title":2836,"synopsis":2837,"hashTags":118,"publishedDate":2838,"slug":2839,"tagsCollection":2840,"authorsCollection":2846},{"id":2341},"6jYmU1ROpwI41mmzk7ioKd",{"json":2343},{"nodeType":1295,"data":2344,"content":2345},{},[2346,2353,2360,2363,2370,2404,2416,2441,2448,2451,2458,2465,2472,2478,2485,2517,2523,2530,2550,2556,2563,2569,2572,2579,2615,2622,2665,2672,2678,2685,2692,2695,2702,2709,2716,2736,2742,2749,2756,2763,2769,2776,2782,2785,2792,2799,2806],{"nodeType":1294,"data":2347,"content":2348},{},[2349],{"nodeType":1293,"value":2350,"marks":2351,"data":2352},"After more than two decades in cybersecurity, I’ve witnessed the evolution (and at times, devolution) of detection and response capabilities. I’ve sat in countless SOCs watching analysts drown in a sea of alerts, spent hours chasing false positives, and seen talented security professionals burn out from the relentless noise of low-fidelity detection systems. ",[],{},{"nodeType":1294,"data":2354,"content":2355},{},[2356],{"nodeType":1293,"value":2357,"marks":2358,"data":2359},"It’s a problem that’s reached crisis proportions, and it’s exactly why our approach to browser security represents not just a technological shift, but a philosophical one.",[],{},{"nodeType":1383,"data":2361,"content":2362},{},[],{"nodeType":1323,"data":2364,"content":2365},{},[2366],{"nodeType":1293,"value":2367,"marks":2368,"data":2369},"The alert fatigue epidemic",[],{},{"nodeType":1294,"data":2371,"content":2372},{},[2373,2377,2382,2386,2391,2395,2400],{"nodeType":1293,"value":2374,"marks":2375,"data":2376},"Early in my career, getting ",[],{},{"nodeType":1293,"value":2378,"marks":2379,"data":2381},"any",[2380],{"type":312},{},{"nodeType":1293,"value":2383,"marks":2384,"data":2385}," alert felt like a victory. We were flying blind outside of our small windows of network traffic. But as the industry matured, something troubling happened: we began equating ",[],{},{"nodeType":1293,"value":2387,"marks":2388,"data":2390},"volume",[2389],{"type":1522},{},{"nodeType":1293,"value":2392,"marks":2393,"data":2394}," with ",[],{},{"nodeType":1293,"value":2396,"marks":2397,"data":2399},"value",[2398],{"type":1522},{},{"nodeType":1293,"value":2401,"marks":2402,"data":2403},". Vendors started competing on how many alerts they could generate, how much data they could collect, and how comprehensive their “visibility” could be. ",[],{},{"nodeType":1294,"data":2405,"content":2406},{},[2407,2411],{"nodeType":1293,"value":2408,"marks":2409,"data":2410},"Security teams followed suit with operational metrics that captured how many alerts they’d resolved, how many “attacks” they’d stopped, and how many tickets they’d opened and closed in a given work cycle. But as many teams have now realized, ",[],{},{"nodeType":1293,"value":2412,"marks":2413,"data":2415},"volume is a vanity metric; fidelity is what keeps you safe.",[2414],{"type":1522},{},{"nodeType":1294,"data":2417,"content":2418},{},[2419,2423,2432,2436],{"nodeType":1293,"value":2420,"marks":2421,"data":2422},"In my course on ",[],{},{"nodeType":1338,"data":2424,"content":2426},{"uri":2425},"https://www.sans.org/cyber-security-courses/building-leading-security-operations-centers",[2427],{"nodeType":1293,"value":2428,"marks":2429,"data":2431},"Building and Leading Security Operations teams",[2430],{"type":1346},{},{"nodeType":1293,"value":2433,"marks":2434,"data":2435},", we discuss the importance of analytic outcomes and addressing ineffective alerts to continuously improve fidelity. My students often find it hard to believe how much time and effort it takes to audit alert quality and implement continuous improvements on a large scale. This isn’t just an operational problem — it’s an existential threat to effective security. ",[],{},{"nodeType":1293,"value":2437,"marks":2438,"data":2440},"When everything is an alert, nothing is. ",[2439],{"type":1522},{},{"nodeType":1294,"data":2442,"content":2443},{},[2444],{"nodeType":1293,"value":2445,"marks":2446,"data":2447},"And while we have been busy focusing on more (and occasionally, better) detections at the endpoint and network layers, attackers have shifted to infrastructure that isn’t as well-instrumented: SaaS and the browser.",[],{},{"nodeType":1383,"data":2449,"content":2450},{},[],{"nodeType":1323,"data":2452,"content":2453},{},[2454],{"nodeType":1293,"value":2455,"marks":2456,"data":2457},"The browser: a new frontier in detection and response",[],{},{"nodeType":1294,"data":2459,"content":2460},{},[2461],{"nodeType":1293,"value":2462,"marks":2463,"data":2464},"Today, the browser is the place where most cyber attacks happen. It’s where users interact with the applications that your business runs on, handle sensitive data, and unfortunately, where they encounter sophisticated phishing campaigns, credential harvesting attacks, and malicious downloads. ",[],{},{"nodeType":1294,"data":2466,"content":2467},{},[2468],{"nodeType":1293,"value":2469,"marks":2470,"data":2471},"Yet for most security teams, the browser remains a black box, obscured from the view from the network and the endpoint. Even worse, attack models often applied to detection engineering for endpoint or network-centric threats don’t really apply; modern identity attacks skip entire phases of the attack chain, eliminating many detection opportunities along the way. The modern attack path doesn’t need to touch the endpoint or your network at all — it can happen entirely over the internet. ",[],{},{"nodeType":1464,"data":2473,"content":2477},{"target":2474},{"sys":2475},{"id":2476,"type":1469,"linkType":1470},"4wYYgbKmmVAZTF7niXJEGc",[],{"nodeType":1387,"data":2479,"content":2480},{},[2481],{"nodeType":1293,"value":2482,"marks":2483,"data":2484},"Attackers are exploiting the detection gap",[],{},{"nodeType":1294,"data":2486,"content":2487},{},[2488,2492,2500,2504,2513],{"nodeType":1293,"value":2489,"marks":2490,"data":2491},"You only need to look at in-the-wild breaches such as last year’s ",[],{},{"nodeType":1338,"data":2493,"content":2494},{"uri":1764},[2495],{"nodeType":1293,"value":2496,"marks":2497,"data":2499},"Snowflake",[2498],{"type":1346},{},{"nodeType":1293,"value":2501,"marks":2502,"data":2503}," attacks, or the recent ",[],{},{"nodeType":1338,"data":2505,"content":2507},{"uri":2506},"https://www.bleepingcomputer.com/news/security/shinyhunters-claims-15-billion-salesforce-records-stolen-in-drift-hacks/",[2508],{"nodeType":1293,"value":2509,"marks":2510,"data":2512},"Salesforce",[2511],{"type":1346},{},{"nodeType":1293,"value":2514,"marks":2515,"data":2516}," breaches to see the impact that attackers can have by executing attacks entirely over the internet, without touching traditional network devices or user endpoints. ",[],{},{"nodeType":1464,"data":2518,"content":2522},{"target":2519},{"sys":2520},{"id":2521,"type":1469,"linkType":1470},"VfTps3SGKJDlhFcmh42d9",[],{"nodeType":1294,"data":2524,"content":2525},{},[2526],{"nodeType":1293,"value":2527,"marks":2528,"data":2529},"But even in the context of more “conventional” attacks (e.g. the classic route of compromising an endpoint, moving laterally through an environment, taking control of a domain, and deploying ransomware), most of the time, these attacks begin in the browser with identities and cloud apps rather than exploit-driven initial access — such as with the recent attacks on Marks & Spencer, Co-op, and Jaguar Land Rover. ",[],{},{"nodeType":1294,"data":2531,"content":2532},{},[2533,2537,2546],{"nodeType":1293,"value":2534,"marks":2535,"data":2536},"While the ",[],{},{"nodeType":1338,"data":2538,"content":2540},{"uri":2539},"https://cloud.google.com/security/resources/insights/targeted-attack-lifecycle",[2541],{"nodeType":1293,"value":2542,"marks":2543,"data":2545},"attack cycle",[2544],{"type":1346},{},{"nodeType":1293,"value":2547,"marks":2548,"data":2549}," and similar mental models are valuable for planning in-depth detections of sophisticated, multi-stage attacks, focusing too heavily on them can lead to overlooked scenarios. These high-profile incidents have demonstrated the opportunity cost of neglecting visibility into attacks that don't perfectly align with these models. ",[],{},{"nodeType":1464,"data":2551,"content":2555},{"target":2552},{"sys":2553},{"id":2554,"type":1469,"linkType":1470},"3TsKtoWuxQMFl1xd3w1j86",[],{"nodeType":1294,"data":2557,"content":2558},{},[2559],{"nodeType":1293,"value":2560,"marks":2561,"data":2562},"Just as endpoint detection and response revolutionized host-based security by providing visibility and control directly at the point of attack, browser-based security platforms can do the same for web-borne threats. It’s an important addition to the detection and response stack that illuminates a “missing middle” in modern attack investigations, and intervenes in real time, much like traditional EDR did for the endpoint years ago.",[],{},{"nodeType":1464,"data":2564,"content":2568},{"target":2565},{"sys":2566},{"id":2567,"type":1469,"linkType":1470},"1eCXGC6U6SdzHmOH1gv24O",[],{"nodeType":1383,"data":2570,"content":2571},{},[],{"nodeType":1323,"data":2573,"content":2574},{},[2575],{"nodeType":1293,"value":2576,"marks":2577,"data":2578},"High-fidelity detection: quality over quantity",[],{},{"nodeType":1294,"data":2580,"content":2581},{},[2582,2586,2593,2597,2602,2606,2611],{"nodeType":1293,"value":2583,"marks":2584,"data":2585},"Our ",[],{},{"nodeType":1338,"data":2587,"content":2588},{"uri":1340},[2589],{"nodeType":1293,"value":2590,"marks":2591,"data":2592},"design philosophy",[],{},{"nodeType":1293,"value":2594,"marks":2595,"data":2596}," centers on a principle often overlooked in the security industry: prioritizing actionable problems for security teams. This involves differentiating between \"",[],{},{"nodeType":1293,"value":2598,"marks":2599,"data":2601},"events",[2600],{"type":1522},{},{"nodeType":1293,"value":2603,"marks":2604,"data":2605},"\" – environment data that may or may not be useful – and \"",[],{},{"nodeType":1293,"value":2607,"marks":2608,"data":2610},"detections",[2609],{"type":1522},{},{"nodeType":1293,"value":2612,"marks":2613,"data":2614},"\" – high-fidelity, actionable signals with a negligible false positive rate. We also empower our customers with the ability to intervene in real-time when there are high-confidence indicators of an attack. We focus on detecting not atomic indicators, but on attacker tooling and behaviors.",[],{},{"nodeType":1294,"data":2616,"content":2617},{},[2618],{"nodeType":1293,"value":2619,"marks":2620,"data":2621},"Compare this to traditional approaches that might generate alerts for:",[],{},{"nodeType":1402,"data":2623,"content":2624},{},[2625,2635,2645,2655],{"nodeType":1406,"data":2626,"content":2627},{},[2628],{"nodeType":1294,"data":2629,"content":2630},{},[2631],{"nodeType":1293,"value":2632,"marks":2633,"data":2634},"Visiting domains with low reputation scores (but not necessarily malicious)",[],{},{"nodeType":1406,"data":2636,"content":2637},{},[2638],{"nodeType":1294,"data":2639,"content":2640},{},[2641],{"nodeType":1293,"value":2642,"marks":2643,"data":2644},"Downloading files that match certain heuristics (but may be legitimate)",[],{},{"nodeType":1406,"data":2646,"content":2647},{},[2648],{"nodeType":1294,"data":2649,"content":2650},{},[2651],{"nodeType":1293,"value":2652,"marks":2653,"data":2654},"Accessing new web applications (that may be approved, or tacitly allowed, shadow IT)",[],{},{"nodeType":1406,"data":2656,"content":2657},{},[2658],{"nodeType":1294,"data":2659,"content":2660},{},[2661],{"nodeType":1293,"value":2662,"marks":2663,"data":2664},"Employee usernames, passwords, and email addresses for sale on the dark web (which may no longer be valid)",[],{},{"nodeType":1294,"data":2666,"content":2667},{},[2668],{"nodeType":1293,"value":2669,"marks":2670,"data":2671},"These low-fidelity alerts create work without providing solutions. They force analysts to become investigators rather than responders, spending precious time determining whether an alert represents a genuine threat rather than focusing on mitigation and recovery. ",[],{},{"nodeType":1464,"data":2673,"content":2677},{"target":2674},{"sys":2675},{"id":2676,"type":1469,"linkType":1470},"4MydcqvHnWsziCOPUNC3YS",[],{"nodeType":1294,"data":2679,"content":2680},{},[2681],{"nodeType":1293,"value":2682,"marks":2683,"data":2684},"Poor quality detections also present an easy opportunity for security teams to commit a cardinal sin: disrupting users and business processes without a clear justification for doing so. User trust and support should always be treated as a finite resource, and every account locked, website blocked, and laptop reimaged chips away at that resource. ",[],{},{"nodeType":1294,"data":2686,"content":2687},{},[2688],{"nodeType":1293,"value":2689,"marks":2690,"data":2691},"Likewise, the more disruptive, the more likely users will look for ways around said controls. If your users are actively working against you, and feel you are preventing them from doing their jobs, they’ll always find new and unexpected ways around security blocks. ",[],{},{"nodeType":1383,"data":2693,"content":2694},{},[],{"nodeType":1323,"data":2696,"content":2697},{},[2698],{"nodeType":1293,"value":2699,"marks":2700,"data":2701},"The SOC analyst's perspective",[],{},{"nodeType":1294,"data":2703,"content":2704},{},[2705],{"nodeType":1293,"value":2706,"marks":2707,"data":2708},"The most successful SOC analysts share a common trait: they’re extraordinarily good at quickly distinguishing signal from noise. But this skill shouldn’t be required! It’s a failure of our detection systems that we’re forcing human analysts to perform pattern matching that our technology should handle. ",[],{},{"nodeType":1294,"data":2710,"content":2711},{},[2712],{"nodeType":1293,"value":2713,"marks":2714,"data":2715},"But even for the most skilled analyst, it’s a tall order to ask your security team to also be experts in every cloud app your business relies on, making it even harder than normal to build context-driven alerts. Most of the time, the information required simply doesn't exist, with logs simply not available (generally, or at your product tier) or the work required to extract the logs and turn them into context-driven alerts hasn’t happened yet. If your team is under-resourced and drowning in low-fidelity alerts already, then realistically it might never happen. ",[],{},{"nodeType":1294,"data":2717,"content":2718},{},[2719,2723,2732],{"nodeType":1293,"value":2720,"marks":2721,"data":2722},"Effective browser security changes this dynamic. Instead of presenting analysts with hundreds of “suspicious web activity” alerts that require investigation, ",[],{},{"nodeType":1338,"data":2724,"content":2726},{"uri":2725},"https://pushsecurity.com/blog/detecting-and-blocking-phishing-attacks-in-the-browser/",[2727],{"nodeType":1293,"value":2728,"marks":2729,"data":2731},"our platform focuses on high-reliability indicators",[2730],{"type":1346},{},{"nodeType":1293,"value":2733,"marks":2734,"data":2735}," like whether a phishing kit was observed running on the page, or whether the page was cloned from a legitimate site. We even detect user behaviors that could indicate a risk in the context of a phishing attack, like when a user attempts to authenticate with credentials that have been previously used on another page — either a sign of credential reuse (bad) or a phishing attack (even worse) — at which point Push can be set to block the attack in real time. ",[],{},{"nodeType":1464,"data":2737,"content":2741},{"target":2738},{"sys":2739},{"id":2740,"type":1469,"linkType":1470},"3998Iy2kp9MW0HFeqmo900",[],{"nodeType":1387,"data":2743,"content":2744},{},[2745],{"nodeType":1293,"value":2746,"marks":2747,"data":2748},"Browser security provides a new layer of protection, reducing the risk of breach",[],{},{"nodeType":1294,"data":2750,"content":2751},{},[2752],{"nodeType":1293,"value":2753,"marks":2754,"data":2755},"Attack detection has always been a cat-and-mouse game. For years, attackers have grappled with endpoint and network security vendors. And sometimes, the attackers win. The fact is that a lot of attacker innovation has gone into sandbox aware malware, breaking detection signatures, disabling security tools, and so on.    ",[],{},{"nodeType":1294,"data":2757,"content":2758},{},[2759],{"nodeType":1293,"value":2760,"marks":2761,"data":2762},"But with so many attacks now passing through the browser, defending it enables badness to be filtered out before it reaches the endpoint or network controls that attackers are looking to consciously evade. By preventing malware being delivered, or identities from being compromised, attacks otherwise crafted to evade traditional security controls can be intercepted early — making the crucial difference in whether a breach happens or not.",[],{},{"nodeType":1464,"data":2764,"content":2768},{"target":2765},{"sys":2766},{"id":2767,"type":1469,"linkType":1470},"4Bh7uOkeguNJFmJ1XUQ317",[],{"nodeType":1294,"data":2770,"content":2771},{},[2772],{"nodeType":1293,"value":2773,"marks":2774,"data":2775},"And when it comes to the cloud-centric attacks that attackers are finding so much success with today, this is in effect a net new capability. ",[],{},{"nodeType":1464,"data":2777,"content":2781},{"target":2778},{"sys":2779},{"id":2780,"type":1469,"linkType":1470},"4JdaY8I3f6Ub2Kifc9Rsj9",[],{"nodeType":1383,"data":2783,"content":2784},{},[],{"nodeType":1323,"data":2786,"content":2787},{},[2788],{"nodeType":1293,"value":2789,"marks":2790,"data":2791},"Learn more about Push Security",[],{},{"nodeType":1294,"data":2793,"content":2794},{},[2795],{"nodeType":1293,"value":2796,"marks":2797,"data":2798},"The browser represents one of the most significant opportunities in cybersecurity today. As we continue to expand our browser-based security capabilities, we remain committed to this high-fidelity approach. We’re building features that not only detect and prevent attacks but also provide security teams with the rich telemetry they need to develop custom queries and detections.",[],{},{"nodeType":1294,"data":2800,"content":2801},{},[2802],{"nodeType":1293,"value":2803,"marks":2804,"data":2805},"Push Security’s browser-based security platform provides comprehensive detection and response capabilities against techniques like AiTM phishing, credential stuffing, ClickFixing, malicious browser extensions, and session hijacking using stolen session tokens. You can also use Push to find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, risky OAuth integrations, and more to harden your identity attack surface.",[],{},{"nodeType":1294,"data":2807,"content":2808},{},[2809,2813,2821,2825,2833],{"nodeType":1293,"value":2810,"marks":2811,"data":2812},"To learn more about Push, ",[],{},{"nodeType":1338,"data":2814,"content":2816},{"uri":2815},"https://pushsecurity.com/resources/product-brochure",[2817],{"nodeType":1293,"value":2818,"marks":2819,"data":2820},"check out our latest product overview",[],{},{"nodeType":1293,"value":2822,"marks":2823,"data":2824}," or ",[],{},{"nodeType":1338,"data":2826,"content":2828},{"uri":2827},"https://pushsecurity.com/demo",[2829],{"nodeType":1293,"value":2830,"marks":2831,"data":2832},"book some time with one of our team for a live demo",[],{},{"nodeType":1293,"value":1852,"marks":2834,"data":2835},[],{},"Fixing SecOps alert fatigue with browser telemetry","How browser data can improve detection fidelity and reduce alert fatigue, enabling SecOps teams to save time and detect more attacks.","2025-10-07T00:00:00.000Z","fixing-secops-alert-fatigue-with-browser-telemetry",{"items":2841},[2842,2844],{"sys":2843,"name":1307},{"id":1306},{"sys":2845,"name":1311},{"id":1310},{"items":2847},[2848],{"fullName":2849,"firstName":2850,"jobTitle":2851,"profilePicture":2852},"Mark Orlando","Mark","Field CTO",{"url":2853},"https://images.ctfassets.net/y1cdw1ablpvd/592PMwIQQFaa24k5SKBEKF/a33090d0ad95d1e3081f5d16a46ba826/image__68_.png",{"items":2855},[2856],{"fullName":2857,"firstName":2858,"jobTitle":2859,"profilePicture":2860},"Dan Green","Dan","Threat Research",{"url":2861},"https://images.ctfassets.net/y1cdw1ablpvd/7jik1VhFgA3kgzXBXTm2Vw/fcd8c171da644903d0827eafcfbcaad0/Dan_Headshot_2025.png",{"json":2863,"links":3488},{"nodeType":1295,"data":2864,"content":2865},{},[2866,2912,2970,2986,2992,2999,3002,3010,3017,3024,3031,3051,3058,3064,3083,3089,3092,3100,3107,3115,3135,3142,3149,3156,3164,3171,3178,3184,3191,3224,3230,3238,3257,3264,3287,3294,3301,3307,3314,3317,3325,3339,3359,3366,3373,3380,3385,3393,3412,3415,3423,3430,3437,3444,3451,3477,3482],{"nodeType":1294,"data":2867,"content":2868},{},[2869,2873,2882,2886,2895,2899,2908],{"nodeType":1293,"value":2870,"marks":2871,"data":2872},"One of the biggest security trends in the past year has been the emergence of the attack technique known as ",[],{},{"nodeType":1338,"data":2874,"content":2876},{"uri":2875},"https://www.microsoft.com/en-us/security/blog/2025/08/21/think-before-you-clickfix-analyzing-the-clickfix-social-engineering-technique/",[2877],{"nodeType":1293,"value":2878,"marks":2879,"data":2881},"ClickFix",[2880],{"type":1346},{},{"nodeType":1293,"value":2883,"marks":2884,"data":2885},". Various reports indicate that ClickFix is fast becoming one of the most prevalent attack techniques this year, with ",[],{},{"nodeType":1338,"data":2887,"content":2889},{"uri":2888},"https://www.scworld.com/news/clickfix-phishing-links-increased-nearly-400-in-12-months-report-says",[2890],{"nodeType":1293,"value":2891,"marks":2892,"data":2894},"one study",[2893],{"type":1346},{},{"nodeType":1293,"value":2896,"marks":2897,"data":2898}," reporting that email-based ClickFix attacks have increased by 400% YOY, and ",[],{},{"nodeType":1338,"data":2900,"content":2902},{"uri":2901},"https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-threat-report-h12025.pdf",[2903],{"nodeType":1293,"value":2904,"marks":2905,"data":2907},"another",[2906],{"type":1346},{},{"nodeType":1293,"value":2909,"marks":2910,"data":2911}," highlighting a 517% increase in the past 6 months. ",[],{},{"nodeType":1294,"data":2913,"content":2914},{},[2915,2919,2928,2932,2941,2944,2953,2957,2966],{"nodeType":1293,"value":2916,"marks":2917,"data":2918},"ClickFix is known to be regularly used by the Interlock ransomware group and other prolific threat actors. A number of recent public data breaches have been linked to ClickFix attacks as the attack vector, such as ",[],{},{"nodeType":1338,"data":2920,"content":2922},{"uri":2921},"https://www.bleepingcomputer.com/news/security/kettering-health-confirms-interlock-ransomware-behind-cyberattack/",[2923],{"nodeType":1293,"value":2924,"marks":2925,"data":2927},"Kettering Health",[2926],{"type":1346},{},{"nodeType":1293,"value":2929,"marks":2930,"data":2931},", ",[],{},{"nodeType":1338,"data":2933,"content":2935},{"uri":2934},"https://www.bleepingcomputer.com/news/security/interlock-ransomware-claims-davita-attack-leaks-stolen-data/",[2936],{"nodeType":1293,"value":2937,"marks":2938,"data":2940},"DaVita",[2939],{"type":1346},{},{"nodeType":1293,"value":2929,"marks":2942,"data":2943},[],{},{"nodeType":1338,"data":2945,"content":2947},{"uri":2946},"https://www.infosecurity-magazine.com/news/st-paul-mayor-interlock-data-leak/",[2948],{"nodeType":1293,"value":2949,"marks":2950,"data":2952},"City of St. Paul, Minnesota",[2951],{"type":1346},{},{"nodeType":1293,"value":2954,"marks":2955,"data":2956},", and the ",[],{},{"nodeType":1338,"data":2958,"content":2960},{"uri":2959},"https://www.blackfog.com/texas-tech-cyberattack-1-4m-records-compromised/",[2961],{"nodeType":1293,"value":2962,"marks":2963,"data":2965},"Texas Tech University Health Sciences Centers",[2964],{"type":1346},{},{"nodeType":1293,"value":2967,"marks":2968,"data":2969}," (with many more breaches likely to involve ClickFix where the attack vector wasn’t known or disclosed).",[],{},{"nodeType":1294,"data":2971,"content":2972},{},[2973,2977,2982],{"nodeType":1293,"value":2974,"marks":2975,"data":2976},"Push’s latest feature, ",[],{},{"nodeType":1293,"value":2978,"marks":2979,"data":2981},"malicious copy and paste detection",[2980],{"type":1522},{},{"nodeType":1293,"value":2983,"marks":2984,"data":2985},", tackles ClickFix-style attacks at the earliest opportunity through browser-based detection, with a universally effective control that works regardless of the lure delivery channel, or page style and structure. ",[],{},{"nodeType":1464,"data":2987,"content":2991},{"target":2988},{"sys":2989},{"id":2990,"type":1469,"linkType":1470},"sALkMt8UbTZ2f34hKvGLj",[],{"nodeType":1294,"data":2993,"content":2994},{},[2995],{"nodeType":1293,"value":2996,"marks":2997,"data":2998},"Before we get into the specifics of the feature, let’s take a look at what ClickFix is and why it poses a detection and response challenge to security teams.",[],{},{"nodeType":1383,"data":3000,"content":3001},{},[],{"nodeType":1323,"data":3003,"content":3004},{},[3005],{"nodeType":1293,"value":3006,"marks":3007,"data":3009},"ClickFix 101",[3008],{"type":1522},{},{"nodeType":1294,"data":3011,"content":3012},{},[3013],{"nodeType":1293,"value":3014,"marks":3015,"data":3016},"ClickFix attacks prompt the user to solve some kind of problem or challenge in the browser — most commonly a CAPTCHA, but also things like fixing an error on a webpage. The name is a little misleading though — the key factor in the attack is that they trick users into running malicious commands on their device by copying malicious code from the page clipboard and running it locally. (For simplicity we’ll keep calling it ClickFix, but we’re not happy about it.)",[],{},{"nodeType":1294,"data":3018,"content":3019},{},[3020],{"nodeType":1293,"value":3021,"marks":3022,"data":3023},"The copy action is either performed manually by the user, or automatically by the page. Manual copies typically include additional social engineering to lure the victim into hitting CTRL+C, while automatic copies are performed using JavaScript running on the page. Most ClickFix pages we've seen are automatic copies, which makes sense — fewer steps means the user is more likely to follow the instruction.",[],{},{"nodeType":1294,"data":3025,"content":3026},{},[3027],{"nodeType":1293,"value":3028,"marks":3029,"data":3030},"Most commonly, these attacks are used to deliver remote access software or infostealer malware using stolen session cookies and credentials to facilitate attacks on business apps and services. From there, the attacker simply dumps the data and holds the victim to ransom for its deletion — often dropping ransomware afterwards for double the extortion. ",[],{},{"nodeType":1294,"data":3032,"content":3033},{},[3034,3038,3047],{"nodeType":1293,"value":3035,"marks":3036,"data":3037},"The attack gives the victim instructions that involve clicking prompts and copying, pasting, and running commands directly in the Windows Run dialog box, Terminal, or PowerShell in order to “fix” the fake problem that they’re experiencing. Variants such as ",[],{},{"nodeType":1338,"data":3039,"content":3041},{"uri":3040},"https://mrd0x.com/filefix-clickfix-alternative/",[3042],{"nodeType":1293,"value":3043,"marks":3044,"data":3046},"FileFix",[3045],{"type":1346},{},{"nodeType":1293,"value":3048,"marks":3049,"data":3050}," have also emerged which instead use the File Explorer Address Bar to execute OS commands.",[],{},{"nodeType":1294,"data":3052,"content":3053},{},[3054],{"nodeType":1293,"value":3055,"marks":3056,"data":3057},"Links to malicious ClickFix pages are distributed over various delivery channels, with attacks shifting from traditional email-based delivery to social media, instant messaging apps, malicious ads in places like Google Search, and using in-app notifications and messages across numerous SaaS services. ",[],{},{"nodeType":1464,"data":3059,"content":3063},{"target":3060},{"sys":3061},{"id":3062,"type":1469,"linkType":1470},"1I9ERDY2tuspw5zVMV5DbY",[],{"nodeType":1294,"data":3065,"content":3066},{},[3067,3071,3079],{"nodeType":1293,"value":3068,"marks":3069,"data":3070},"ClickFix comes in a variety of lures, including impersonating CAPTCHA, Cloudflare Turnstile, simulating an error loading a webpage, and many more. They have also been observed targeting a ",[],{},{"nodeType":1338,"data":3072,"content":3074},{"uri":3073},"https://mhaggis.github.io/ClickGrab/techniques.html",[3075],{"nodeType":1293,"value":3076,"marks":3077,"data":3078},"wide range of services",[],{},{"nodeType":1293,"value":3080,"marks":3081,"data":3082}," to execute code. ",[],{},{"nodeType":1464,"data":3084,"content":3088},{"target":3085},{"sys":3086},{"id":3087,"type":1469,"linkType":1470},"1SG52ta1hcBZ3gYDsSJvsm",[],{"nodeType":1383,"data":3090,"content":3091},{},[],{"nodeType":1323,"data":3093,"content":3094},{},[3095],{"nodeType":1293,"value":3096,"marks":3097,"data":3099},"Why are ClickFix attacks so effective?",[3098],{"type":1522},{},{"nodeType":1294,"data":3101,"content":3102},{},[3103],{"nodeType":1293,"value":3104,"marks":3105,"data":3106},"To understand the effectiveness of ClickFix-style attacks, we need to look more closely at the mechanisms that security teams have at their disposal to counter these attacks. ",[],{},{"nodeType":1387,"data":3108,"content":3109},{},[3110],{"nodeType":1293,"value":3111,"marks":3112,"data":3114},"Detection challenges during delivery",[3113],{"type":1522},{},{"nodeType":1294,"data":3116,"content":3117},{},[3118,3122,3131],{"nodeType":1293,"value":3119,"marks":3120,"data":3121},"We’ve written extensively about ",[],{},{"nodeType":1338,"data":3123,"content":3125},{"uri":3124},"https://pushsecurity.com/blog/phishing-detection-evasion-launch/",[3126],{"nodeType":1293,"value":3127,"marks":3128,"data":3130},"the evolution in phishing techniques and tooling",[3129],{"type":1346},{},{"nodeType":1293,"value":3132,"marks":3133,"data":3134},", and what this means for the reliability of traditional detections at the network and endpoint layer. ",[],{},{"nodeType":1294,"data":3136,"content":3137},{},[3138],{"nodeType":1293,"value":3139,"marks":3140,"data":3141},"The latest generation of phishing pages are dynamically obfuscating the code that loads the web page, implementing custom bot protection (e.g. CAPTCHA or Cloudflare Turnstile), using runtime anti-analysis features, and using legitimate SaaS and cloud services to host and deliver phishing links to cover their tracks.",[],{},{"nodeType":1294,"data":3143,"content":3144},{},[3145],{"nodeType":1293,"value":3146,"marks":3147,"data":3148},"This means that traditional anti-phishing tools at the email and network layer are struggling to keep up, with many attacks evading email-based detections (or bypassing email altogether). At the same time, proxy-based solutions now see a garbled mess of JavaScript code without the necessary context of what is actually happening in the browser to be able to piece it together effectively. Even if they don’t realize it, this means many organizations are now relying solely on blocking known-bad sites and hosts — a wildly ineffective solution in 2025 with the rate that attackers refresh and rotate their phishing infrastructure. ",[],{},{"nodeType":1294,"data":3150,"content":3151},{},[3152],{"nodeType":1293,"value":3153,"marks":3154,"data":3155},"In addition to the fact that ClickFix page styles and content can vary significantly, this means that detecting ClickFix delivery using traditional tooling is highly unreliable. ",[],{},{"nodeType":1387,"data":3157,"content":3158},{},[3159],{"nodeType":1293,"value":3160,"marks":3161,"data":3163},"Detection challenges during execution",[3162],{"type":1522},{},{"nodeType":1294,"data":3165,"content":3166},{},[3167],{"nodeType":1293,"value":3168,"marks":3169,"data":3170},"Most of the detection heavy lifting is being done at the endpoint, looking for user-level code execution and malware running on a device. ",[],{},{"nodeType":1294,"data":3172,"content":3173},{},[3174],{"nodeType":1293,"value":3175,"marks":3176,"data":3177},"However, the number of ClickFix-related headlines in the news would indicate that endpoint controls are being routinely bypassed, or perhaps evaded altogether by targeting personal or BYOD devices. ",[],{},{"nodeType":1464,"data":3179,"content":3183},{"target":3180},{"sys":3181},{"id":3182,"type":1469,"linkType":1470},"pocty4OhER5EXr8BDwdzo",[],{"nodeType":1294,"data":3185,"content":3186},{},[3187],{"nodeType":1293,"value":3188,"marks":3189,"data":3190},"There are a number of reasons that endpoint-level ClickFix detections can be bypassed:",[],{},{"nodeType":1402,"data":3192,"content":3193},{},[3194,3204,3214],{"nodeType":1406,"data":3195,"content":3196},{},[3197],{"nodeType":1294,"data":3198,"content":3199},{},[3200],{"nodeType":1293,"value":3201,"marks":3202,"data":3203},"The step of downloading a file from the web is bypassed altogether. In a ClickFix/FileFix attack, the initial “dropper” is essentially a command string provided by the attacker and executed by legitimate system utilities. There is often no new executable file written to disk when the user runs the command. The final payload may be loaded directly into memory or injected into trusted programs (using living-off-the-land techniques). Without a file to quarantine, there's no \"Mark of the Web\" to make it appear suspicious. ",[],{},{"nodeType":1406,"data":3205,"content":3206},{},[3207],{"nodeType":1294,"data":3208,"content":3209},{},[3210],{"nodeType":1293,"value":3211,"marks":3212,"data":3213},"From the EDR’s point of view, a trusted parent process is launching a script – which might not immediately be judged as malicious, especially if the command is obfuscated or uses allowed system functions. Since the action is initiated by the user, it blends in with normal user-driven administration tasks. ",[],{},{"nodeType":1406,"data":3215,"content":3216},{},[3217],{"nodeType":1294,"data":3218,"content":3219},{},[3220],{"nodeType":1293,"value":3221,"marks":3222,"data":3223},"The PowerShell commands themselves might be obfuscated or broken into stages to avoid easy detection by heuristic rules. EDR telemetry might record that a PowerShell process ran, but without a known bad signature or a clear policy violation, it may not flag it immediately. ",[],{},{"nodeType":1464,"data":3225,"content":3229},{"target":3226},{"sys":3227},{"id":3228,"type":1469,"linkType":1470},"6djGsqBFTHlLLITpTK7IMk",[],{"nodeType":1387,"data":3231,"content":3232},{},[3233],{"nodeType":1293,"value":3234,"marks":3235,"data":3237},"Accessing ClickFix-style capabilities is easier than ever",[3236],{"type":1522},{},{"nodeType":1294,"data":3239,"content":3240},{},[3241,3245,3253],{"nodeType":1293,"value":3242,"marks":3243,"data":3244},"This capability is increasingly available to all levels of threat actor, with ",[],{},{"nodeType":1338,"data":3246,"content":3247},{"uri":2875},[3248],{"nodeType":1293,"value":3249,"marks":3250,"data":3252},"off-the-shelf options available",[3251],{"type":1346},{},{"nodeType":1293,"value":3254,"marks":3255,"data":3256}," in the form of ClickFix builders (also called “Win + R”) on popular hacker forums since late 2024. ",[],{},{"nodeType":1294,"data":3258,"content":3259},{},[3260],{"nodeType":1293,"value":3261,"marks":3262,"data":3263},"Attackers are bundling ClickFix builders into their existing kits to:",[],{},{"nodeType":1402,"data":3265,"content":3266},{},[3267,3277],{"nodeType":1406,"data":3268,"content":3269},{},[3270],{"nodeType":1294,"data":3271,"content":3272},{},[3273],{"nodeType":1293,"value":3274,"marks":3275,"data":3276},"Use pre-canned landing pages with various lures including Cloudflare. ",[],{},{"nodeType":1406,"data":3278,"content":3279},{},[3280],{"nodeType":1294,"data":3281,"content":3282},{},[3283],{"nodeType":1293,"value":3284,"marks":3285,"data":3286},"Offer construction of malicious commands that users will paste into the Windows Run dialog. ",[],{},{"nodeType":1294,"data":3288,"content":3289},{},[3290],{"nodeType":1293,"value":3291,"marks":3292,"data":3293},"These kits claim to guarantee antivirus and web protection bypass (some even promise that they can bypass Microsoft Defender SmartScreen), as well as payload persistence. The cost of subscription to such a service might be between US$200 to US$1,500 per month. ",[],{},{"nodeType":1294,"data":3295,"content":3296},{},[3297],{"nodeType":1293,"value":3298,"marks":3299,"data":3300},"In short, these capabilities are increasingly accessible to the general population of hackers, and it is increasingly in the interests of malware developers to offer premium hacker tools designed to bypass current detections. ",[],{},{"nodeType":1464,"data":3302,"content":3306},{"target":3303},{"sys":3304},{"id":3305,"type":1469,"linkType":1470},"5hkRsOBZCOABAShCo8RjJg",[],{"nodeType":1294,"data":3308,"content":3309},{},[3310],{"nodeType":1293,"value":3311,"marks":3312,"data":3313},"In any case, relying on just-in-time detection at the point of execution is increasingly unreliable and will always be at the mercy of the cat-and-mouse game between attackers and defenders. Organizations employing custom detections looking for specific malware behavior are likely to have better success than those relying on out-of-the-box EDR configs, but this requires continual maintenance to be effective. ",[],{},{"nodeType":1383,"data":3315,"content":3316},{},[],{"nodeType":1323,"data":3318,"content":3319},{},[3320],{"nodeType":1293,"value":3321,"marks":3322,"data":3324},"Solving ClickFix detection in the browser with Push",[3323],{"type":1522},{},{"nodeType":1294,"data":3326,"content":3327},{},[3328,3331,3335],{"nodeType":1293,"value":2974,"marks":3329,"data":3330},[],{},{"nodeType":1293,"value":2978,"marks":3332,"data":3334},[3333],{"type":1522},{},{"nodeType":1293,"value":3336,"marks":3337,"data":3338},", tackles ClickFix-style attacks at the earliest opportunity through browser-based detection and blocking, with a universally effective control that works regardless of the lure delivery channel, page style and structure, or the specifics of the malware type and execution.",[],{},{"nodeType":1294,"data":3340,"content":3341},{},[3342,3346,3355],{"nodeType":1293,"value":3343,"marks":3344,"data":3345},"A key part of our design philosophy is to find ways to universally detect attacker TTPs by analyzing generic attacker actions that can’t be avoided by the attacker. One of our best prior examples of this is with our ",[],{},{"nodeType":1338,"data":3347,"content":3349},{"uri":3348},"https://pushsecurity.com/blog/introducing-sso-password-protection/",[3350],{"nodeType":1293,"value":3351,"marks":3352,"data":3354},"password protection feature",[3353],{"type":1346},{},{"nodeType":1293,"value":3356,"marks":3357,"data":3358},", which detects and blocks phishing attacks by triggering when a user attempts to enter a password that belongs to one domain on a different domain. ",[],{},{"nodeType":1294,"data":3360,"content":3361},{},[3362],{"nodeType":1293,"value":3363,"marks":3364,"data":3365},"In the case of ClickFix, every attack involves copying a malicious script from a page — a behavior the attacker can’t avoid.",[],{},{"nodeType":1294,"data":3367,"content":3368},{},[3369],{"nodeType":1293,"value":3370,"marks":3371,"data":3372},"Unlike heavy-handed DLP solutions that block copy-paste altogether, Push protects your employees without disrupting their user experience or hampering productivity. ",[],{},{"nodeType":1294,"data":3374,"content":3375},{},[3376],{"nodeType":1293,"value":3377,"marks":3378,"data":3379},"Check out the video below to see Push in action. ",[],{},{"nodeType":1464,"data":3381,"content":3384},{"target":3382},{"sys":3383},{"id":2990,"type":1469,"linkType":1470},[],{"nodeType":1387,"data":3386,"content":3387},{},[3388],{"nodeType":1293,"value":3389,"marks":3390,"data":3392},"Enable ClickFix detection in just a few clicks",[3391],{"type":1522},{},{"nodeType":1294,"data":3394,"content":3395},{},[3396,3400,3408],{"nodeType":1293,"value":3397,"marks":3398,"data":3399},"Check out the ",[],{},{"nodeType":1338,"data":3401,"content":3403},{"uri":3402},"https://pushsecurity.com/help/10141/#start",[3404],{"nodeType":1293,"value":3405,"marks":3406,"data":3407},"help article",[],{},{"nodeType":1293,"value":3409,"marks":3410,"data":3411}," for step-by-step instructions on how to enable the control. ",[],{},{"nodeType":1383,"data":3413,"content":3414},{},[],{"nodeType":1323,"data":3416,"content":3417},{},[3418],{"nodeType":1293,"value":3419,"marks":3420,"data":3422},"Learn more about Push",[3421],{"type":1522},{},{"nodeType":1294,"data":3424,"content":3425},{},[3426],{"nodeType":1293,"value":3427,"marks":3428,"data":3429},"Push provides last mile protection against browser-based attacks, adding a net-new layer of technical protection in the browser. ",[],{},{"nodeType":1294,"data":3431,"content":3432},{},[3433],{"nodeType":1293,"value":3434,"marks":3435,"data":3436},"Right now, most organizations are left relying on user awareness. Faced with increasingly novel attack types, encountered all over the internet, users are being caught unawares — further reducing the efficacy of an already fragile control. ",[],{},{"nodeType":1294,"data":3438,"content":3439},{},[3440],{"nodeType":1293,"value":3441,"marks":3442,"data":3443},"By seeing what the user sees in the browser, as they see it, as well as monitoring for risky behaviors, Push provides a strong backstop against an ever-expanding landscape of browser-based exploits. ",[],{},{"nodeType":1294,"data":3445,"content":3446},{},[3447],{"nodeType":1293,"value":3448,"marks":3449,"data":3450},"Push’s browser-based security platform provides comprehensive identity attack detection and response capabilities against techniques like AiTM phishing, credential stuffing, ClickFixing, malicious browser extensions, and session hijacking using stolen session tokens. You can also use Push to find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, risky OAuth integrations, and more to harden your identity attack surface.",[],{},{"nodeType":1294,"data":3452,"content":3453},{},[3454,3457,3464,3467,3474],{"nodeType":1293,"value":2810,"marks":3455,"data":3456},[],{},{"nodeType":1338,"data":3458,"content":3459},{"uri":2815},[3460],{"nodeType":1293,"value":2818,"marks":3461,"data":3463},[3462],{"type":1346},{},{"nodeType":1293,"value":2822,"marks":3465,"data":3466},[],{},{"nodeType":1338,"data":3468,"content":3469},{"uri":2827},[3470],{"nodeType":1293,"value":2830,"marks":3471,"data":3473},[3472],{"type":1346},{},{"nodeType":1293,"value":1852,"marks":3475,"data":3476},[],{},{"nodeType":1464,"data":3478,"content":3481},{"target":3479},{"sys":3480},{"id":3228,"type":1469,"linkType":1470},[],{"nodeType":1294,"data":3483,"content":3484},{},[3485],{"nodeType":1293,"value":37,"marks":3486,"data":3487},[],{},{"entries":3489},{"hyperlink":3490,"inline":3491,"block":3492},[],[],[3493,3499,3507,3514,3542,3550],{"sys":3494,"__typename":3495,"title":3496,"arcadeDemoUrl":3497,"playText":3498},{"id":2990},"ArcadeDemo","ClickFix Feature Release","https://demo.arcade.software/qhzGMAx2q3b6IRlHqBsB?embed","2 mins",{"sys":3500,"__typename":3501,"title":3502,"caption":3502,"layoutMode":118,"file":3503},{"id":3062},"Image","Phishing delivery channels have significantly expanded from the days of email-based phishing attacks",{"url":3504,"width":3505,"height":3506},"https://images.ctfassets.net/y1cdw1ablpvd/4l0xLRs8Z1w3aXMbzzyFPL/9cb4721c53379da31a4019371072a7ef/image1.png",1696,986,{"sys":3508,"__typename":3501,"title":3509,"caption":3509,"layoutMode":118,"file":3510},{"id":3087},"Examples of ClickFix lures used by attackers in the wild.",{"url":3511,"width":3512,"height":3513},"https://images.ctfassets.net/y1cdw1ablpvd/7AH10e5YpESPdIBIH4YjHO/e7d5553657b6b0f20d6ed563d69af1e4/image3.png",1999,1955,{"sys":3515,"__typename":3516,"content":3517,"name":3541,"title":118},{"id":3182},"InsightTextBlockComponent",{"json":3518},{"nodeType":1295,"data":3519,"content":3520},{},[3521],{"nodeType":1294,"data":3522,"content":3523},{},[3524,3528,3537],{"nodeType":1293,"value":3525,"marks":3526,"data":3527},"Attacks on BYOD or personal devices are increasingly leading to corporate breaches where email accounts are being used to sign into corporate browser profiles. This results in corporate credentials inadvertently saved and synced across devices being exposed in the breach (the most well-known example of this being in ",[],{},{"nodeType":1338,"data":3529,"content":3531},{"uri":3530},"https://sec.okta.com/articles/2023/11/unauthorized-access-oktas-support-case-management-system-root-cause/?utm_source=chatgpt.com",[3532],{"nodeType":1293,"value":3533,"marks":3534,"data":3536},"Okta’s 2023 support case management system breach",[3535],{"type":1346},{},{"nodeType":1293,"value":3538,"marks":3539,"data":3540},").",[],{},"clickfix insight box 1",{"sys":3543,"__typename":3544,"type":3545,"ctaText":3546,"buttonLabel":3547,"buttonColour":3548,"buttonUrl":3549},{"id":3228},"CtaWidget","Custom","Register for our webinar to learn more about the latest developments in ClickFix attacks and why they're so effective.","Register Now","sea blue","https://pushsecurity.com/webinar/clickfix",{"sys":3551,"__typename":3501,"title":3552,"caption":3552,"layoutMode":118,"file":3553},{"id":3305},"ClickFix builder screenshots. Source: Microsoft",{"url":3554,"width":3512,"height":3555},"https://images.ctfassets.net/y1cdw1ablpvd/2adTEIfv1YmEkXzzKA5UFC/47fd4025b72923dd0a1a16eb736e8980/image2.png",540,"content:blog:introducing-malicious-copy-paste-detection.json","json","content","blog/introducing-malicious-copy-paste-detection.json","blog/introducing-malicious-copy-paste-detection",1776359983104]