[{"data":1,"prerenderedAt":4568},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":95,"navbar-about-highlight":155,"navbar-resource-highlight":211,"use-case-page":256,"blog/introducing-strong-password-enforcement":1276},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8,59,76],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":14,"data":15,"variations":50,"lastUpdated":51,"firstPublished":52,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":54,"meta":55,"rev":58},1742213002749,"efff2a27faf4408e9f908eba4b5542fe","inductive-automation","1c6207a5f24948ab82d4a0b17f251193","published",[],{"testimonial":16,"description":43,"type":19,"link":44,"title":47,"testimonialLink":48,"image":49},{"@type":17,"id":18,"model":19,"value":20},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79","testimonial",{"query":21,"folders":22,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":26,"variations":30,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":35,"rev":42},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":27,"jobTitle":28,"quote":24,"image":29},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,1,"ST0tXQM8slWpFrmioqKHmENB2qe2",{"kind":36,"lastPreviewUrl":37,"breakpoints":38,"hasAutosaves":41},"data","",{"small":39,"medium":40},640,768,true,"3v32gocrrqz","Join the industry's top security minds as they break down the browser attack landscape.",{"url":45,"text":46},"https://pushsecurity.com/webinar/state-of-browser-security","Save Your Spot","State of Browser Attacks Series","/customer-stories/inductive-automation","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe94fca10aa7b46ac8052b7ea22de54cd",{},1776257019270,1742221533648,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2",[],{"breakpoints":56,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},320,"motto9r9yg",{"createdDate":60,"id":61,"name":62,"modelId":12,"published":13,"query":63,"data":64,"variations":69,"lastUpdated":70,"firstPublished":71,"testRatio":33,"createdBy":53,"lastUpdatedBy":72,"folders":73,"meta":74,"rev":58},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner",[],{"type":65,"url":66,"text":67,"link":68},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,"jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":36,"lastPreviewUrl":37,"breakpoints":75,"hasAutosaves":41},{"xsmall":57,"small":39,"medium":40},{"createdDate":77,"id":78,"name":79,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":80,"data":81,"variations":89,"lastUpdated":90,"firstPublished":91,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":92,"meta":93,"rev":58},1742208469288,"6763051b201f44a0838c6400c580ca67","Resource highlight",[],{"image":82,"type":83,"description":84,"link":85,"title":88},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9","resource","Learn about the latest techniques being used in the wild.",{"url":86,"text":87},"/resources/browser-attacks-report","Download now","Report: 2026 Browser Attack Techniques",{},1776255866789,1742208570400,[],{"kind":36,"lastPreviewUrl":37,"breakpoints":94,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},{"createdDate":96,"id":97,"name":98,"modelId":99,"published":13,"query":100,"data":101,"variations":145,"lastUpdated":146,"firstPublished":147,"testRatio":33,"createdBy":34,"lastUpdatedBy":148,"folders":149,"meta":150,"rev":154},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":102,"text":103,"url":37,"blocks":104,"state":141},"ewrererw","testrfesssssssssss",[105,129],{"@type":106,"@version":107,"id":108,"component":109,"responsiveStyles":119},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":110,"tag":110,"options":111,"isRSC":118},"TopBannerContent",{"text":112,"ctaText":46,"url":45,"mainText":113,"cta":116},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks",{"content":114,"fontSize":115},"\u003Cp>New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks\u003C/p>","text-base",{"content":117,"fontSize":115,"url":45},"\u003Cp>\u003Cstrong style=\"font-weight:700;\">Save Your Spot\u003C/strong>\u003C/p>\n",null,{"large":120},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"marginTop":126,"marginBottom":126,"fontSize":127,"fontWeight":128},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"id":130,"@type":106,"tagName":131,"properties":132,"responsiveStyles":136},"builder-pixel-08zrjigffq5t","img",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":137},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},"block","hidden","none",{"deviceSize":142,"location":143},"large",{"path":37,"query":144},{},{},1775137295127,1774968080803,"ax7YYfD0OCeqT1Vxxv1G4FUbqVr1",[],{"breakpoints":151,"hasLinks":6,"kind":152,"lastPreviewUrl":153,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests%2CmergePullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default","2lvuonnywj",[156,180],{"createdDate":157,"id":158,"name":159,"modelId":160,"published":13,"stageModifiedSincePublish":6,"query":161,"data":162,"variations":173,"lastUpdated":174,"firstPublished":175,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":176,"meta":177,"rev":179},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":163,"type":19,"testimonialLink":48,"testimonial":164},{},{"@type":17,"id":18,"model":19,"value":165},{"query":166,"folders":167,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":168,"variations":169,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":170,"rev":172},[],[],{"author":27,"jobTitle":28,"quote":24,"image":29},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":171,"hasAutosaves":41},{"small":39,"medium":40},"7t755zfvte3",{},1776247404986,1776247404973,[],{"breakpoints":178,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"4moh0qpywtr",{"createdDate":181,"id":182,"name":88,"modelId":160,"published":13,"meta":183,"stageModifiedSincePublish":6,"query":185,"data":186,"variations":207,"lastUpdated":208,"firstPublished":209,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":210,"rev":179},1776255761419,"05a9322735fc427db12e2740e4302300",{"breakpoints":184,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[],{"testimonial":187,"link":206,"type":83,"title":88,"description":84,"image":82},{"@type":17,"id":188,"model":19,"value":189},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":190,"folders":191,"createdDate":192,"id":188,"name":193,"modelId":25,"published":13,"data":194,"variations":200,"lastUpdated":201,"firstPublished":202,"testRatio":33,"createdBy":34,"lastUpdatedBy":53,"meta":203,"rev":205},[],[],1728981467463,"Push does for identity what CrowdStrike did for the endpoint",{"video":195,"jobTitle":196,"author":197,"qoute":37,"quote":198,"image":199},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":36,"lastPreviewUrl":37,"breakpoints":204,"hasAutosaves":41},{"small":39,"medium":40},"6s8ic0w0ao6",{"text":87,"url":86},{},1776255810913,1776255810900,[],[212,235],{"createdDate":213,"id":214,"name":88,"modelId":215,"published":13,"meta":216,"stageModifiedSincePublish":6,"query":218,"data":219,"variations":230,"lastUpdated":231,"firstPublished":232,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":233,"rev":234},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":217,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[],{"testimonial":220,"link":229,"type":83,"title":88,"description":84,"image":82},{"@type":17,"id":188,"model":19,"value":221},{"query":222,"folders":223,"createdDate":192,"id":188,"name":193,"modelId":25,"published":13,"data":224,"variations":225,"lastUpdated":201,"firstPublished":202,"testRatio":33,"createdBy":34,"lastUpdatedBy":53,"meta":226,"rev":228},[],[],{"video":195,"jobTitle":196,"author":197,"qoute":37,"quote":198,"image":199},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":227,"hasAutosaves":41},{"small":39,"medium":40},"r77qqueuo3j",{"text":87,"url":86},{},1776256937553,1776256937540,[],"q0jkez80wkg",{"createdDate":236,"id":237,"name":11,"modelId":215,"published":13,"stageModifiedSincePublish":6,"query":238,"data":239,"variations":250,"lastUpdated":251,"firstPublished":252,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":253,"meta":254,"rev":234},1776256949234,"ce043785b71b4ece98eac811ecf4ba10",[],{"link":240,"type":19,"testimonial":241,"testimonialLink":48},{},{"@type":17,"id":18,"model":19,"value":242},{"query":243,"folders":244,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":245,"variations":246,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":247,"rev":249},[],[],{"author":27,"jobTitle":28,"quote":24,"image":29},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":248,"hasAutosaves":41},{"small":39,"medium":40},"mnaneamy308",{},1776256974140,1776256974130,[],{"breakpoints":255,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[257,441,560,679,797,917,1037,1157],{"createdDate":258,"id":259,"name":260,"modelId":261,"published":13,"stageModifiedSincePublish":6,"query":262,"data":268,"variations":429,"lastUpdated":430,"firstPublished":431,"testRatio":33,"screenshot":432,"createdBy":34,"lastUpdatedBy":433,"folders":434,"meta":435,"rev":440},1744829487099,"387451215c314dd5bd654668cdc1a197","Zero-day phishing","cca4143377554c5a9163cc203a8ed2ba",[263],{"@type":264,"property":265,"operator":266,"value":267},"@builder.io/core:Query","urlPath","is","/uc/zero-day-phishing-protection",{"inputs":269,"customFonts":270,"seoTitle":318,"title":318,"tsCode":37,"seoDescription":319,"fontAwesomeIcon":320,"jsCode":37,"blocks":321,"url":267,"state":426},[],[271],{"family":272,"kind":273,"version":274,"lastModified":275,"files":276,"category":295,"menu":296,"subsets":297,"variants":300},"DM Sans","webfonts#webfont","v14","2023-07-13",{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"800italic":285,"900italic":286,"700italic":287,"100italic":288,"italic":289,"regular":290,"200italic":291,"500italic":292,"300italic":293,"600italic":294},"https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAop1hTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwA_JxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAkJxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAfJthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwARZthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAC5thTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8gCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9uCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDG3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-7DW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat_XDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9XCm3zRmYJpso5.ttf","sans-serif","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxRT23z.ttf",[298,299],"latin","latin-ext",[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"100","200","300","regular","500","600","800","900","100italic","200italic","300italic","italic","500italic","600italic","700italic","800italic","900italic","Zero-day phishing protection","Detect phishing TTPs directly in the browser and stop credential theft.","faFishingRod",[322,421],{"@type":106,"@version":107,"tagName":323,"id":324,"children":325},"div","builder-76c6b8d1499346c7bc1fd56ae4e93638",[326,343,351,358,370,385,396,407,413],{"@type":106,"@version":107,"layerName":327,"id":328,"component":329,"responsiveStyles":340},"UseCaseHero","builder-5228fe062bef4a40a91e43f1112832fa",{"name":327,"options":330,"isRSC":118},{"title":318,"description":331,"points":332,"video":339},"\u003Cp>Push detects phishing as it happens. Autonomous agents hunt for new phishing techniques, identify kit signatures, and deploy detections within minutes of a new attack being analyzed. From cloned login pages to AiTM credential harvesting, Push sees what traditional filters miss and stops threats before they escalate.\u003C/p>",[333,335,337],{"item":334},"Detect phishing that bypasses traditional filters, including AiTM, SSO password theft, and fake login pages",{"item":336},"Stop never-before-seen attacks with AI-native behavioral and on-page analysis inside the browser",{"item":338},"Investigate faster with unified browser, user, and page context","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F40433ceeb4f94b43a82e039a0f4fd411%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=40433ceeb4f94b43a82e039a0f4fd411&alt=media&optimized=true",{"large":341},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},"transparent",{"@type":106,"@version":107,"id":344,"component":345,"responsiveStyles":348},"builder-96634044407e491299e291ed64669e39",{"name":346,"options":347,"isRSC":118},"TrustedBy",{"AllPartners":41,"backgroundTransparent":6},{"large":349},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},"#000",{"@type":106,"@version":107,"id":352,"component":353,"responsiveStyles":356},"builder-2c3768f930534557bb8978e32b6a6a0f",{"name":354,"options":355,"isRSC":118},"Diagonal",{"darkMode":41},{"large":357},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":359,"id":360,"component":361,"responsiveStyles":368},"TextImageBlockVertical","builder-7c3c1c2840424db2ad2ccbfaf382dd64",{"name":359,"tag":359,"options":362,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":365,"description":366,"animatedTitle":37,"image":367,"reverse":6,"descriptionPaddingHorizontal":118},1200,800,"\u003Ch2>Why stop at the inbox?\u003C/h2>","\u003Cp>Phishing attacks have evolved. Whether attackers lure users with QR codes, instant messages, or OAuth consent screens, the outcome is the same: it plays out in the browser. Push gives you real-time detection for in-browser threats, stopping phishing and consent-based attacks before they lead to compromise\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7fdcac241f0e4a049166d7076858adeb",{"large":369},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":371,"component":372,"responsiveStyles":380},"builder-41c978b3669749cf947e622b4e79e4d7",{"name":373,"options":374,"isRSC":118},"TextImageBlockHorizontal",{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":377,"description":378,"reverse":41,"image":379},600,100,"\u003Cp>Detect phishing at the edge\u003C/p>","\u003Cp>Push uses industry-first telemetry to detect phishing based on behavior, not static indicators. Autonomous agents analyze how phishing pages behave and how users interact with them, uncovering fake logins, credential theft, and phishing kits the moment they load in the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F9df3d180c97b4e61af142af2ccd68721",{"large":381},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},"DM Sans, sans-serif","20px","0px",{"@type":106,"@version":107,"id":386,"component":387,"responsiveStyles":393},"builder-d2a7bc941feb43cdb898bc116b203cf9",{"name":373,"options":388,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":390,"description":391,"reverse":6,"image":392},120,"\u003Ch2>Go beyond blocklists and IOCs\u003C/h2>","\u003Cp>Push goes beyond URLs and easy-to-change indicators. It reads the full phishing playbook like script behavior, session hijacks, DOM changes, user inputs, then connects the dots in real time. This gives your team a complete picture of how the phishing attempt worked, not just an alert.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fabfd58db169b433e96d3f1261797156e",{"large":394},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},"36px",{"@type":106,"@version":107,"layerName":373,"id":397,"component":398,"responsiveStyles":404},"builder-42c32198083f4880acb37c5cb76934da",{"name":373,"options":399,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":401,"description":402,"reverse":41,"image":403},140,"\u003Ch2>Enhance your phishing response\u003C/h2>","\u003Cp>When phishing enters your environment, speed matters. Push gives you instant access to the telemetry that counts like session data, user behavior, and page activity, so you can investigate fast, trigger in-browser prompts, or forward alerts to your SIEM or SOAR for response. All in real time, right from the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fbb195aec46904056b85e8688629e558e",{"large":405},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},"47px",{"@type":106,"@version":107,"id":408,"component":409,"responsiveStyles":411},"builder-9a95b9cbc4854421a92ef7b90f6c7adb",{"name":354,"options":410,"isRSC":118},{"darkMode":6},{"large":412},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":414,"component":415,"responsiveStyles":419},"builder-0afa17a9f25c4661a90f314d5578aa18",{"name":416,"tag":416,"options":417,"isRSC":118},"LatestResources",{"sectionHeading":37,"customClass":418},"bg-black",{"large":420},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":422,"@type":106,"tagName":131,"properties":423,"responsiveStyles":424},"builder-pixel-21yj6h3p4wh",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":425},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":427},{"path":37,"query":428},{},{},1776275046831,1745499158657,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fff60c30a8442489c8ed7e0af9599d14f","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"lastPreviewUrl":436,"winningTest":118,"breakpoints":437,"kind":438,"hasLinks":6,"originalContentId":439,"hasAutosaves":6},"https://pushsecurity.com/uc/zero-day-phishing-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=387451215c314dd5bd654668cdc1a197&builder.overrides.387451215c314dd5bd654668cdc1a197=387451215c314dd5bd654668cdc1a197&builder.overrides.use-case-page:/uc/zero-day-phishing-protection=387451215c314dd5bd654668cdc1a197&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},"page","2daa5670b8504fc7ba4700633e8bd921","atvz4dp24b7",{"createdDate":442,"id":443,"name":444,"modelId":261,"published":13,"stageModifiedSincePublish":6,"query":445,"data":448,"variations":552,"lastUpdated":553,"firstPublished":554,"testRatio":33,"screenshot":555,"createdBy":34,"lastUpdatedBy":433,"folders":556,"meta":557,"rev":440},1756833377777,"54f8256648f54d439303734b1e69221b","Browser extension security",[446],{"@type":264,"property":265,"operator":266,"value":447},"/uc/browser-extension-security",{"seoDescription":449,"jsCode":37,"fontAwesomeIcon":450,"tsCode":37,"title":444,"seoTitle":444,"customFonts":451,"inputs":456,"blocks":457,"url":447,"state":549},"Shine a light on risky browser extensions.","faPuzzlePiece",[452],{"kind":273,"family":272,"version":274,"files":453,"category":295,"lastModified":275,"subsets":454,"variants":455,"menu":296},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"100italic":288,"italic":289,"regular":290,"900italic":286,"800italic":285,"700italic":287,"200italic":291,"300italic":293,"500italic":292,"600italic":294},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],[],[458,544],{"@type":106,"@version":107,"tagName":323,"id":459,"meta":460,"children":461},"builder-71d0648c1d2f4ede8d0d0b5b28b7b94c",{"previousId":324},[462,478,485,492,501,511,521,531,538],{"@type":106,"@version":107,"id":463,"meta":464,"component":465,"responsiveStyles":476},"builder-ff325b4b8fad4edea53f38865947e854",{"previousId":328},{"name":327,"options":466,"isRSC":118},{"title":444,"description":467,"points":468,"video":475},"\u003Cp>Browser extensions introduce new code, new permissions, and new potential for risk. Many include AI features, and most go completely unnoticed. Push gives you full visibility into every extension used across your workforce, across major browsers, so you can uncover shadow IT, assess risky permissions, and block unsafe tools before they lead to compromise.\u003C/p>",[469,471,473],{"item":470},"Discover every browser extension in use",{"item":472},"Spot risky or unsanctioned behavior",{"item":474},"Make informed decisions on extension policy","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc538aad95d7f403aa3c3551af72f67c0?alt=media&token=1411fa6d-2eac-4e6c-94bf-ea117da12d67&apiKey=f3a1111ff5be48cdbb123cd9f5795a05",{"large":477},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":479,"meta":480,"component":481,"responsiveStyles":483},"builder-fb89d128c64e47cf9cbb11d90fc24523",{"previousId":344},{"name":346,"options":482,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":484},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":486,"meta":487,"component":488,"responsiveStyles":490},"builder-54388d35126c4d0096eeebaf8c4448cd",{"previousId":352},{"name":354,"options":489,"isRSC":118},{"darkMode":41},{"large":491},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":359,"id":493,"component":494,"responsiveStyles":499},"builder-3c8fa6785dd6466abf52a2470d66d85a",{"name":359,"tag":359,"options":495,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":496,"description":497,"image":498,"reverse":6},"\u003Ch2>Take control of browser extensions\u003C/h2>","\u003Cp>Attackers are increasingly using malicious browser extensions to gain access to data processed and stored in the browser. And the problem is, most security teams have no visibility into what extensions are being used. Push changes that. With browser-native telemetry, the Push extension continuously inventories browser extensions across your environment, flags the risky ones, and gives you intelligence to act. \u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0a004f16a6874f4c8fdf14344acc9fec",{"large":500},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":502,"meta":503,"component":504,"responsiveStyles":509},"builder-93738f98109a4009affb349afd7bb182",{"previousId":371},{"name":373,"options":505,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":506,"description":507,"reverse":41,"image":508},"\u003Ch2>Discover every extension in use\u003C/h2>","\u003Cp>Push gives you structured, searchable data about every extension in your environment, so you’re not just seeing what’s there, but also understanding how it got there, what it can do, and who it affects. It’s the kind of granular insight that’s nearly impossible to get from traditional tools, and it lays the groundwork for better policy decisions and faster investigations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0e5727ca99474f14b1b7916bf6bbb782",{"large":510},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":512,"meta":513,"component":514,"responsiveStyles":519},"builder-83393acb12ee4fdd840839185b51edb4",{"previousId":386},{"name":373,"options":515,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":516,"description":517,"reverse":6,"image":518},"\u003Ch2>Spot risky or malicious extensions\u003C/h2>","\u003Cp>Push highlights extensions with dangerous permissions, broad access, or poor reputations. This includes AI extensions that request access far beyond what their stated purpose requires. You can quickly detect sideloaded, manually installed, or development-mode extensions that bypass normal controls. And because Push shows you who’s using them and where, you can respond precisely and effectively.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa104d58c8da34fbb8901f738fb21453b",{"large":520},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":522,"meta":523,"component":524,"responsiveStyles":529},"builder-da98e3de949646d89c53a0d1c2784664",{"previousId":397},{"name":373,"options":525,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":526,"description":527,"reverse":41,"image":528},"\u003Ch2>Accelerate security reviews\u003C/h2>","\u003Cp>Most teams have extension policies, they just don’t have the data to enforce them. Push reveals how each extension entered your environment, whether it was installed manually, sideloaded, or deployed in dev mode. You’ll see which users are running what, and where, so you can surface violations, investigate quickly, and respond with confidence.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F229f355be6f243b180f410d237a75bb3",{"large":530},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":532,"meta":533,"component":534,"responsiveStyles":536},"builder-1a689287d1a1418997d57db578a71105",{"previousId":408},{"name":354,"options":535,"isRSC":118},{"darkMode":6},{"large":537},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":539,"component":540,"responsiveStyles":542},"builder-feb4e75029f84c10b6498ef1f8f79128",{"name":416,"tag":416,"options":541,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":543},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":545,"@type":106,"tagName":131,"properties":546,"responsiveStyles":547},"builder-pixel-0edn39avfcei",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":548},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":550},{"path":37,"query":551},{},{},1776275365038,1757000441666,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8d496cf111644ee5afcc046b72d1ca5a",[],{"kind":438,"winningTest":118,"breakpoints":558,"lastPreviewUrl":559,"hasLinks":6,"originalContentId":259,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/browser-extension-security?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=54f8256648f54d439303734b1e69221b&builder.overrides.54f8256648f54d439303734b1e69221b=54f8256648f54d439303734b1e69221b&builder.overrides.use-case-page:/uc/browser-extension-security=54f8256648f54d439303734b1e69221b&builder.options.locale=Default",{"createdDate":561,"id":562,"name":563,"modelId":261,"published":13,"query":564,"data":567,"variations":670,"lastUpdated":671,"firstPublished":672,"testRatio":33,"screenshot":673,"createdBy":34,"lastUpdatedBy":674,"folders":675,"meta":676,"rev":440},1744923509705,"94bebb7bb99d48629ad157e80cf4d81d","Account takeover detection",[565],{"@type":264,"property":265,"operator":266,"value":566},"/uc/account-takeover-detection",{"title":563,"customFonts":568,"jsCode":37,"seoTitle":563,"seoDescription":573,"fontAwesomeIcon":574,"tsCode":37,"blocks":575,"url":566,"state":667},[569],{"kind":273,"category":295,"variants":570,"menu":296,"files":571,"family":272,"subsets":572,"version":274,"lastModified":275},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"300italic":293,"500italic":292,"800italic":285,"700italic":287,"italic":289,"900italic":286,"600italic":294,"200italic":291,"regular":290,"100italic":288},[298,299],"Stop ATO with stolen credential and compromised token detection.","faUserSecret",[576,662],{"@type":106,"@version":107,"tagName":323,"id":577,"meta":578,"children":579},"builder-e7913a774cae44c5a23d6081c5c30a52",{"previousId":324},[580,596,603,610,619,629,639,649,656],{"@type":106,"@version":107,"id":581,"meta":582,"component":583,"responsiveStyles":594},"builder-f1f1ab1601bc4c0f8c2a8aafd173675d",{"previousId":328},{"name":327,"options":584,"isRSC":118},{"title":563,"description":585,"points":586,"video":593},"\u003Cp>Attackers don’t need to phish, they just need a password that works. Push monitors for signs of credential-based attacks in real time, directly in the browser, catching account takeover attempts before the damage spreads. From ghost logins to credential stuffing, Push cuts off the paths attackers use to quietly slip in the back door.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[587,589,591],{"item":588},"Identify credential-based ATO as it unfolds",{"item":590},"Surface hijacked sessions and token misuse",{"item":592},"Strengthen authentication where your IdP can’t","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb4dd9db24bc9495b8a686b1b4d492016%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=b4dd9db24bc9495b8a686b1b4d492016&alt=media&optimized=true",{"large":595},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":597,"meta":598,"component":599,"responsiveStyles":601},"builder-0bc0d1c78ece4994993c3a6427a4d533",{"previousId":344},{"name":346,"options":600,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":602},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":604,"meta":605,"component":606,"responsiveStyles":608},"builder-e45de8f3768c4f16938dbf78e4e87524",{"previousId":352},{"name":354,"options":607,"isRSC":118},{"darkMode":41},{"large":609},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":611,"component":612,"responsiveStyles":617},"builder-c98e8bfd341146c1b67c02d5698ff093",{"name":359,"tag":359,"options":613,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":614,"description":615,"image":616,"reverse":6},"\u003Ch2>Assume less. See more.\u003C/h2>","\u003Cp>Most account takeovers don’t start with a breach, they start with a login. Whether it’s a reused password, a local account, or an outdated login flow, Push shows you how accounts are actually accessed day to day, not just how policies say they should be. That means no more blind spots around ghost logins, bypassed SSO, or stale access paths that quietly persist.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F18630ad2746d4eb7b7fcc0428b11a8f0",{"large":618},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":620,"meta":621,"component":622,"responsiveStyles":627},"builder-55c1fc38ddc04fd1a0d6a8e2fb819e00",{"previousId":371},{"name":373,"options":623,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":624,"description":625,"reverse":41,"image":626},"\u003Ch2>Catch stolen credential use in real time\u003C/h2>","\u003Cp>Push monitors login activity directly in the browser to detect signs of credential-based attacks like leaked password use or suspicious login flows. By analyzing attacker TTPs instead of relying on known indicators, Push spots credential stuffing and account takeover attempts the moment they begin, not after they’ve succeeded.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F52b0123cac2c4dfdb1dc0af6adf9d603",{"large":628},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":630,"meta":631,"component":632,"responsiveStyles":637},"builder-dfb31737b30948c6b95323655d571a50",{"previousId":386},{"name":373,"options":633,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":634,"description":635,"reverse":6,"image":636},"\u003Ch2>Detect session hijacks and stealth access\u003C/h2>","\u003Cp>Attackers don’t always need a login screen, they often sidestep it entirely using stolen session tokens. Push detects when valid sessions are reused in unexpected ways, identifying hijacked sessions and stealth access attempts that traditional tools miss. Because we monitor directly in the browser, you see what’s happening inside active sessions in real time.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F94a6859a99e04d309ffe5841f3dbdf5c",{"large":638},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":640,"meta":641,"component":642,"responsiveStyles":647},"builder-f7585b90eb974d03a7dc7eae5b58d227",{"previousId":397},{"name":373,"options":643,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":644,"description":645,"reverse":41,"image":646},"\u003Ch2>Harden accounts before they’re compromised\u003C/h2>","\u003Cp>Push goes beyond alerts. It identifies apps that still allow local logins, even when SSO is configured, so you can remove weak access paths. Push also flags users without MFA, reused work credentials, or weak passwords, and prompts users in-browser to fix risky behaviors before they’re exploited.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01c1b638f1b6497093a4f2b8ceddb5bb",{"large":648},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":650,"meta":651,"component":652,"responsiveStyles":654},"builder-ad81d1e3afec49a791214194eae09bdc",{"previousId":408},{"name":354,"options":653,"isRSC":118},{"darkMode":6},{"large":655},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":657,"component":658,"responsiveStyles":660},"builder-8dac1aa4b9d148628d92252bd8eff822",{"name":416,"tag":416,"options":659,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":661},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":663,"@type":106,"tagName":131,"properties":664,"responsiveStyles":665},"builder-pixel-s5u3wmvz7jq",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":666},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":668},{"path":37,"query":669},{},{},1770892814499,1745499162732,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F58b660fa94aa4b30b0faeb9b663ae41a","SfUPqW5tkibIPby49keNFMdHFTr1",[],{"lastPreviewUrl":677,"hasLinks":6,"originalContentId":259,"breakpoints":678,"winningTest":118,"kind":438,"hasAutosaves":41},"https://pushsecurity.com/uc/account-takeover-detection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.94bebb7bb99d48629ad157e80cf4d81d=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.use-case-page:/uc/account-takeover-detection=94bebb7bb99d48629ad157e80cf4d81d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":680,"id":681,"name":682,"modelId":261,"published":13,"query":683,"data":686,"variations":789,"lastUpdated":790,"firstPublished":791,"testRatio":33,"screenshot":792,"createdBy":34,"lastUpdatedBy":674,"folders":793,"meta":794,"rev":440},1745009370904,"23eb48fb56d3451cab77cb6ed140ee6d","Attack path hardening",[684],{"@type":264,"property":265,"operator":266,"value":685},"/uc/attack-path-hardening",{"tsCode":37,"seoDescription":687,"jsCode":37,"customFonts":688,"fontAwesomeIcon":693,"seoTitle":682,"title":682,"blocks":694,"url":685,"state":786},"Harden access paths with visibility,  detection, and guardrails.",[689],{"kind":273,"files":690,"version":274,"lastModified":275,"subsets":691,"menu":296,"category":295,"variants":692,"family":272},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"regular":290,"italic":289,"800italic":285,"500italic":292,"600italic":294,"200italic":291,"900italic":286,"700italic":287,"100italic":288,"300italic":293},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"faRadar",[695,781],{"@type":106,"@version":107,"tagName":323,"id":696,"meta":697,"children":698},"builder-1d8553eddcaa44d7bba9e2f4ca13af2a",{"previousId":577},[699,715,722,729,738,748,758,768,775],{"@type":106,"@version":107,"id":700,"meta":701,"component":702,"responsiveStyles":713},"builder-84fe3d7c85a743cf8cef649aa974f1ef",{"previousId":581},{"name":327,"options":703,"isRSC":118},{"title":682,"description":704,"points":705,"video":712},"\u003Cp>Push continuously monitors your environment for exposed login paths, weak credentials, and missing protections like MFA. It detects the gaps attackers exploit and helps you close them before they’re used.\u003C/p>",[706,708,710],{"item":707},"Find weak spots like reused passwords, local logins, and missing MFA",{"item":709},"Monitor how users actually log in across apps, flows, and tools",{"item":711},"Enforce secure access with in-browser guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fdbdcf52892034f1bbddded77f753a343%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=dbdcf52892034f1bbddded77f753a343&alt=media&optimized=true",{"large":714},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":716,"meta":717,"component":718,"responsiveStyles":720},"builder-b3f66f5b08054cc78a06fecfc3ae2337",{"previousId":597},{"name":346,"options":719,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":721},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":723,"meta":724,"component":725,"responsiveStyles":727},"builder-4c73418b84be49ed85e6e13d2625c5a0",{"previousId":604},{"name":354,"options":726,"isRSC":118},{"darkMode":41},{"large":728},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":730,"component":731,"responsiveStyles":736},"builder-dec0246085e1485c803f7152b1922a81",{"name":359,"tag":359,"options":732,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":733,"description":734,"image":735,"reverse":6},"\u003Ch2>Find the gaps that lead to compromise\u003C/h2>","\u003Cp>Misconfigurations don’t show up in your config files, they show up in how users actually access apps. Push monitors real login behavior in the browser, surfacing risky patterns like local login access, duplicate accounts, or missing protections that leave doors wide open.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F309a59bba8d247a19476bb369397460e",{"large":737},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":739,"meta":740,"component":741,"responsiveStyles":746},"builder-ebf049a645604a249550996a88f8f3b6",{"previousId":620},{"name":373,"options":742,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":743,"description":744,"reverse":41,"image":745},"\u003Ch2>See real login behavior\u003C/h2>","\u003Cp>Push watches authentication flows as they happen, giving you a live view of how users log in, which methods they choose, and where protections like MFA are missing. Plus, uncover every app and account in use, even shadow IT you didn’t know existed, without relying on stale config files or IdP assumptions. \u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb51f6b0357cc451b87a7a5016d984e5e",{"large":747},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":749,"meta":750,"component":751,"responsiveStyles":756},"builder-431d175c59004669b0b2776b07d71737",{"previousId":630},{"name":373,"options":752,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":753,"description":754,"reverse":6,"image":755},"\u003Ch2>Find and fix posture drift\u003C/h2>","\u003Cp>Security posture isn’t static. Push continuously monitors for issues like missing MFA or legacy login methods. When something falls out of policy, you know immediately with custom notifications so you can act before it turns into risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F324e39127dfc41e592b1183dfb39892d",{"large":757},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":759,"meta":760,"component":761,"responsiveStyles":766},"builder-3dffdcbe0a484e2ca4c03f019b6d40ee",{"previousId":640},{"name":373,"options":762,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":763,"description":764,"reverse":41,"image":765},"\u003Ch2>Guide users with in-browser guardrails\u003C/h2>","\u003Cp>Push doesn’t just surface problems, it helps you fix them. When users sign in without MFA, reuse a password, or use insecure credentials, Push prompts them directly in the browser to secure their access. It’s faster, more effective, and actually gets results.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fee8b75d13e45488aba55434a8b49ebb0",{"large":767},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":769,"meta":770,"component":771,"responsiveStyles":773},"builder-976bc222cd7647ff905f1e01cfedc453",{"previousId":650},{"name":354,"options":772,"isRSC":118},{"darkMode":6},{"large":774},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":776,"component":777,"responsiveStyles":779},"builder-8c47ec2fd0f74382bb3e6c870555632c",{"name":416,"tag":416,"options":778,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":780},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":782,"@type":106,"tagName":131,"properties":783,"responsiveStyles":784},"builder-pixel-7akm7dayau8",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":785},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":787},{"path":37,"query":788},{},{},1770892844854,1745499166112,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6ca12bf728a045f1a31d40c0beb3bfe5",[],{"kind":438,"lastPreviewUrl":795,"breakpoints":796,"hasLinks":6,"originalContentId":562,"winningTest":118,"hasAutosaves":6},"https://pushsecurity.com/uc/attack-path-hardening?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.23eb48fb56d3451cab77cb6ed140ee6d=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.use-case-page:/uc/attack-path-hardening=23eb48fb56d3451cab77cb6ed140ee6d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":798,"id":799,"name":800,"modelId":261,"published":13,"query":801,"data":804,"variations":909,"lastUpdated":910,"firstPublished":911,"testRatio":33,"screenshot":912,"createdBy":34,"lastUpdatedBy":674,"folders":913,"meta":914,"rev":440},1761675020232,"ea4f309d2ffe46c5aa97ebf0fda4e2e3","ClickFix Protection",[802],{"@type":264,"property":265,"operator":266,"value":803},"/uc/clickfix-protection",{"seoDescription":805,"fontAwesomeIcon":806,"customFonts":807,"seoTitle":812,"jsCode":37,"tsCode":37,"title":812,"blocks":813,"url":803,"state":906},"Block attacks that trick users into running malicious code.","faLaptopCode",[808],{"files":809,"subsets":810,"menu":296,"version":274,"kind":273,"family":272,"lastModified":275,"variants":811,"category":295},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"200italic":291,"800italic":285,"700italic":287,"600italic":294,"100italic":288,"italic":289,"regular":290,"300italic":293,"500italic":292,"900italic":286},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"ClickFix protection",[814,901],{"@type":106,"@version":107,"tagName":323,"id":815,"meta":816,"children":817},"builder-d7eefdde0f2a4b2b9de3dcb2978fd6cb",{"previousId":696},[818,834,841,848,858,868,878,888,895],{"@type":106,"@version":107,"id":819,"meta":820,"component":821,"responsiveStyles":832},"builder-56e2c54bcce040a4af8b92ae03706c12",{"previousId":700},{"name":327,"options":822,"isRSC":118},{"title":812,"description":823,"points":824,"image":831},"\u003Cp>ClickFix attacks are one of the fastest-growing threats, tricking users into copying malicious code from a webpage and running it locally. This technique bypasses traditional EDR, email gateways, and network filters, leading directly to ransomware and data theft. Push stops this attack at the source, in the browser, by detecting and blocking the malicious behavior before the user can ever paste the code.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[825,827,829],{"item":826},"Detect ClickFix, FileFix, and fake CAPTCHA in the browser",{"item":828},"Block malicious copy-and-paste actions before code is executed",{"item":830},"See full telemetry into which users were targeted and what they saw","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b74af62889847ebb3927364485b0546",{"large":833},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":835,"meta":836,"component":837,"responsiveStyles":839},"builder-05f9614d4e3e4dc88b3ee8658f54e10e",{"previousId":716},{"name":346,"options":838,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":840},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":842,"meta":843,"component":844,"responsiveStyles":846},"builder-c4fb5179366243c1b6c32d368675cf47",{"previousId":723},{"name":354,"options":845,"isRSC":118},{"darkMode":41},{"large":847},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":849,"meta":850,"component":851,"responsiveStyles":856},"builder-261af50705fd445d8cca4a6ba20d5391",{"previousId":730},{"name":359,"tag":359,"options":852,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":853,"description":854,"reverse":6,"image":855},"\u003Ch2>Stop ClickFix-style attacks before they become a breach\u003C/h2>","\u003Cp>Traditional security tools are blind to malicious copy and paste attacks because the attack exploits a gap between the browser and the endpoint. EDR only sees the payload after it runs, and network tools see only part of the picture.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F98b2f7e08dec4eafaf8e24937605b8cf",{"large":857},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":859,"meta":860,"component":861,"responsiveStyles":866},"builder-7d21b8aab8064c40b1e5dd23c4749309",{"previousId":739},{"name":373,"options":862,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":863,"description":864,"reverse":41,"image":865},"\u003Ch2>Discover lures at the source\u003C/h2>","\u003Cp>Push inspects page behavior to identify ClickFix attacks as they happen. By inspecting the page, its structure, and how the user interacts with it, Push can detect and block these in-browser threats in real time. This deep, TTP-based inspection spots the trap even on novel pages that are built to bypass traditional web filters and blocklists.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F665bf47e01544c75bf9ddafd3917927b",{"large":867},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":869,"meta":870,"component":871,"responsiveStyles":876},"builder-fb91943adf6149259ed9e1e6566c9afe",{"previousId":749},{"name":373,"options":872,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":873,"description":874,"reverse":6,"image":875},"\u003Ch2>Block the malicious action\u003C/h2>","\u003Cp>When Push detects a malicious script, it intercepts the user's action and blocks the code from being copied to the clipboard. The user is protected, the attack is stopped, and no malicious code ever reaches the endpoint. Unlike broad DLP tools, this action is surgical, targeting only malicious behavior without disrupting normal work.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F5ee68f81f1ac416685cbfe91298cf827",{"large":877},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":879,"meta":880,"component":881,"responsiveStyles":886},"builder-bfac95fada864e5a8259b955b5b5f98b",{"previousId":759},{"name":373,"options":882,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":883,"description":884,"reverse":41,"image":885},"\u003Ch2>Accelerate ClickFix investigations\u003C/h2>","\u003Cp>When an attack happens, knowing what the user saw or did is critical. Push provides rich browser session data for rapid investigation and containment. Security teams get detailed telemetry on which users were targeted, what lure they were served, and when the block occurred. This enables defenders to reconstruct what happened and respond quickly, even when other tools miss the activity entirely.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6cdf2a8aeddc4e9a9023cbf974e40239",{"large":887},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":889,"meta":890,"component":891,"responsiveStyles":893},"builder-136892e831684a6987f87d3be67c33d1",{"previousId":769},{"name":354,"options":892,"isRSC":118},{"darkMode":6},{"large":894},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":896,"component":897,"responsiveStyles":899},"builder-dec26b739f2f42beb5a73cfc6c675b60",{"name":416,"tag":416,"options":898,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":900},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":902,"@type":106,"tagName":131,"properties":903,"responsiveStyles":904},"builder-pixel-zzjpxxgrc2l",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":905},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":907},{"path":37,"query":908},{},{},1770892881888,1761847585203,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F375467b8bef34ed1a8a1cc5b8b67d75f",[],{"lastPreviewUrl":915,"originalContentId":681,"winningTest":118,"hasLinks":6,"kind":438,"breakpoints":916,"hasAutosaves":6},"https://pushsecurity.com/uc/clickfix-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.ea4f309d2ffe46c5aa97ebf0fda4e2e3=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.use-case-page:/uc/clickfix-protection=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":918,"id":919,"name":920,"modelId":261,"published":13,"query":921,"data":924,"variations":1029,"lastUpdated":1030,"firstPublished":1031,"testRatio":33,"screenshot":1032,"createdBy":34,"lastUpdatedBy":674,"folders":1033,"meta":1034,"rev":440},1745009743870,"a9d5556e77f84a37b5bd52310a7110c1","Incident response",[922],{"@type":264,"property":265,"operator":266,"value":923},"/uc/incident-response",{"seoDescription":925,"customFonts":926,"title":920,"jsCode":37,"fontAwesomeIcon":931,"seoTitle":932,"tsCode":37,"blocks":933,"url":923,"state":1026},"Investigate and respond faster with unique browser telemetry.",[927],{"kind":273,"subsets":928,"menu":296,"variants":929,"category":295,"family":272,"version":274,"lastModified":275,"files":930},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"900italic":286,"600italic":294,"200italic":291,"300italic":293,"100italic":288,"700italic":287,"800italic":285,"regular":290,"italic":289,"500italic":292},"faSatelliteDish","Browser based incident response",[934,1021],{"@type":106,"@version":107,"tagName":323,"id":935,"meta":936,"children":937},"builder-653c4aed737b4def88dc4cd2d695660a",{"previousId":696},[938,955,962,969,978,988,998,1008,1015],{"@type":106,"@version":107,"id":939,"meta":940,"component":941,"responsiveStyles":953},"builder-18190bd36518467d9154d27d7e945b9b",{"previousId":700},{"name":327,"options":942,"isRSC":118},{"title":943,"description":944,"points":945,"video":952},"Browser-based incident response","\u003Cp>Push gives you real-time visibility into what actually happened during a breach, right in the browser where the attack played out. From credential theft to session hijacking, Push captures high-fidelity telemetry so you can investigate quickly, contain confidently, and shut it down before it spreads.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[946,948,950],{"item":947},"Reconstruct what happened with real browser session context",{"item":949},"Investigate faster with real-world session context",{"item":951},"Trigger response actions automatically through your SIEM or SOAR","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fd00e39d3b6e346c296261d875cf55652%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=d00e39d3b6e346c296261d875cf55652&alt=media&optimized=true",{"large":954},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":956,"meta":957,"component":958,"responsiveStyles":960},"builder-8a0a8ea63f5d48dd8a6726f2d49cf0ca",{"previousId":716},{"name":346,"options":959,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":961},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":963,"meta":964,"component":965,"responsiveStyles":967},"builder-2df65c3f54334df2b26e7cb744886cdc",{"previousId":723},{"name":354,"options":966,"isRSC":118},{"darkMode":41},{"large":968},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":970,"component":971,"responsiveStyles":976},"builder-2c32c869efc2423ab69ef06b150e9f97",{"name":359,"tag":359,"options":972,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":973,"description":974,"image":975,"reverse":6},"\u003Ch2>See attacks unfold, not just their aftermath\u003C/h2>","\u003Cp>Attacks happen in the browser, not in logs. Push captures what traditional tools miss: what users clicked, what loaded, what was entered, and how attackers moved. That gives you real-world evidence, not just assumptions, when every second matters.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F36fc719bd1de4a38b916f4d25c81a26d",{"large":977},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":979,"meta":980,"component":981,"responsiveStyles":986},"builder-370e53c6016e432db01e9193a2ce90f6",{"previousId":739},{"name":373,"options":982,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":983,"description":984,"reverse":41,"image":985},"\u003Ch2>Investigate faster with high-fidelity data\u003C/h2>","\u003Cp>Reconstructing an incident shouldn’t feel like guesswork. Push records detailed telemetry from inside the browser: page loads, credential inputs, DOM changes, session activity, user behavior. It’s structured, exportable, and ready to plug into your investigation workflows, so you can move fast without digging through proxy logs or relying on user reports.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa6adda040e684e67a8d68a55c5ce5f6d",{"large":987},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":989,"meta":990,"component":991,"responsiveStyles":996},"builder-a7f3767a8d184bd08fb24520bf210e95",{"previousId":749},{"name":373,"options":992,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":993,"description":994,"reverse":6,"image":995},"\u003Ch2>Contain and respond in real time\u003C/h2>","\u003Cp>When something looks off, Push doesn’t just alert you, it gives you options. Guide users with in-browser prompts. Terminate sessions. Trigger SOAR workflows. Enrich SIEM alerts. Push gives you the context and control to stop spread before it starts.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb3dedeed5aba4847a2c2d22e10d0ec12",{"large":997},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":999,"meta":1000,"component":1001,"responsiveStyles":1006},"builder-b92036ee0ece4b32acdbdcc7c377366b",{"previousId":759},{"name":373,"options":1002,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1003,"description":1004,"reverse":41,"image":1005},"\u003Ch2>Prevent the next one\u003C/h2>","\u003Cp>Push helps you respond fast, but it also helps you fix what went wrong. It surfaces misconfigurations and risky behaviors that made the attack possible in the first place, then guides users in-browser to remediate. One tool. Full loop. No loose ends.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc1ecc2d5d3814b62b072fac01827ff96",{"large":1007},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1009,"meta":1010,"component":1011,"responsiveStyles":1013},"builder-5e8ae39655274de89da32ab573a2525a",{"previousId":769},{"name":354,"options":1012,"isRSC":118},{"darkMode":6},{"large":1014},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1016,"component":1017,"responsiveStyles":1019},"builder-dfd6850cfb4741d2b8a0c16c2780f00a",{"name":416,"tag":416,"options":1018,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1020},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1022,"@type":106,"tagName":131,"properties":1023,"responsiveStyles":1024},"builder-pixel-z197gdgcmu",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":1025},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1027},{"path":37,"query":1028},{},{},1770892908052,1745427419274,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb07017bfd318431690a5bb35bda35b99",[],{"kind":438,"breakpoints":1035,"originalContentId":681,"winningTest":118,"lastPreviewUrl":1036,"hasLinks":6,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/incident-response?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.a9d5556e77f84a37b5bd52310a7110c1=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.use-case-page:/uc/incident-response=a9d5556e77f84a37b5bd52310a7110c1&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"createdDate":1038,"id":1039,"name":1040,"modelId":261,"published":13,"query":1041,"data":1044,"variations":1149,"lastUpdated":1150,"firstPublished":1151,"testRatio":33,"screenshot":1152,"createdBy":34,"lastUpdatedBy":674,"folders":1153,"meta":1154,"rev":440},1746122471259,"5f118e24433d46ceb79f5099987156d7","Shadow SaaS",[1042],{"@type":264,"property":265,"operator":266,"value":1043},"/uc/shadow-saas",{"seoTitle":1045,"seoDescription":1046,"customFonts":1047,"fontAwesomeIcon":1052,"title":1053,"jsCode":37,"tsCode":37,"blocks":1054,"url":1043,"state":1146},"Find and secure shadow SaaS","See and control shadow SaaS in the browser.",[1048],{"kind":273,"variants":1049,"files":1050,"family":272,"version":274,"subsets":1051,"lastModified":275,"category":295,"menu":296},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"300italic":293,"500italic":292,"regular":290,"900italic":286,"italic":289,"100italic":288,"200italic":291,"600italic":294,"700italic":287,"800italic":285},[298,299],"faShieldCheck","Secure shadow SaaS",[1055,1141],{"@type":106,"@version":107,"tagName":323,"id":1056,"meta":1057,"children":1058},"builder-04da805c4cd34652a2db452fcda52e1d",{"previousId":935},[1059,1075,1082,1089,1098,1108,1118,1128,1135],{"@type":106,"@version":107,"id":1060,"meta":1061,"component":1062,"responsiveStyles":1073},"builder-830d414faeaf41439142f9157e8288c8",{"previousId":939},{"name":327,"options":1063,"isRSC":118},{"title":1045,"description":1064,"points":1065,"video":1072},"\u003Cp>SaaS sprawl is one of today’s fastest-growing security blind spots because most tools monitor around the edges. Push sees it at the source, in the browser, revealing every app users access, flagging risky tools, and helping you shut down exposure before it leads to a breach. No guesswork. No nasty surprises. Just real-time visibility and control.\u003C/p>",[1066,1068,1070],{"item":1067},"Discover every SaaS app users access, managed or not",{"item":1069},"Spot accounts with weak security postures like missing MFA, unmanaged access, and no SSO",{"item":1071},"Control usage with in-browser prompts, blocks, and security guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F3e4eece318d04d6586e691d59d0741cf%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=3e4eece318d04d6586e691d59d0741cf&alt=media&optimized=true",{"large":1074},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":1076,"meta":1077,"component":1078,"responsiveStyles":1080},"builder-cd7833f966cb4c7e8adf0d6c979414a6",{"previousId":956},{"name":346,"options":1079,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":1081},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":1083,"meta":1084,"component":1085,"responsiveStyles":1087},"builder-49d720b45430454e8b08c526f267c19f",{"previousId":963},{"name":354,"options":1086,"isRSC":118},{"darkMode":41},{"large":1088},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1090,"component":1091,"responsiveStyles":1096},"builder-3dde0bf6c8544e5e9ab41b18a9d68034",{"name":359,"tag":359,"options":1092,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":1093,"description":1094,"image":1095,"reverse":6},"\u003Ch2>Use your browser to curb Saas Sprawl\u003C/h2>","\u003Cp>Shadow SaaS isn’t hiding in your network, it’s in your browser. From AI tools to unsanctioned file-sharing sites, security risks live in the apps your users sign into every day. Push maps your organization's true SaaS footprint in real time, exposing apps and accounts with unmanaged access, poor authentication, or no security oversight.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb6811a214c7949b6bbe0b9a3bca62efd",{"large":1097},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1099,"meta":1100,"component":1101,"responsiveStyles":1106},"builder-e2420451ccdc4f088d0a4904cff45935",{"previousId":979},{"name":373,"options":1102,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":1103,"description":1104,"reverse":41,"image":1105},"\u003Ch2>Discover hidden SaaS usage\u003C/h2>","\u003Cp>Push captures live browser telemetry across every tab and session. Whether a user signs into a sanctioned app with a personal account or tries a new AI plugin, you’ll see it in real time, with no integrations or manual tagging.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe16e301f9af94665b95d98232a863d8a",{"large":1107},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":1109,"meta":1110,"component":1111,"responsiveStyles":1116},"builder-b36de7fce7994beea9e58d94662e7166",{"previousId":989},{"name":373,"options":1112,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":1113,"description":1114,"reverse":6,"image":1115},"\u003Ch2>Spot risky access and unsafe usage\u003C/h2>","\u003Cp>Discovery is just the beginning. Push flags apps with risky traits, no MFA, no SSO, known vulnerabilities, or broad access scopes. You’ll know which tools introduce real risk, and which users are exposed so you can act with precision.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6585f3c242da4d70ae3cb7d02f481bef",{"large":1117},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":1119,"meta":1120,"component":1121,"responsiveStyles":1126},"builder-dc366b5134684fe7a508edf8913103ea",{"previousId":999},{"name":373,"options":1122,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1123,"description":1124,"reverse":41,"image":1125},"\u003Ch2>Close gaps before they grow\u003C/h2>","\u003Cp>Push turns insight into action. When risky SaaS use is detected, guide users to enable MFA, block high-risk apps, or apply in-browser guardrails automatically. All without deploying new infrastructure or managing dozens of integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe6d60b6d91414819bc6258a318f00557",{"large":1127},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1129,"meta":1130,"component":1131,"responsiveStyles":1133},"builder-8708f6f0d8da4b3f9e17bf16cda70219",{"previousId":1009},{"name":354,"options":1132,"isRSC":118},{"darkMode":6},{"large":1134},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1136,"component":1137,"responsiveStyles":1139},"builder-8ff4b38d60534cf28cb523ab0f754875",{"name":416,"tag":416,"options":1138,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1140},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1142,"@type":106,"tagName":131,"properties":1143,"responsiveStyles":1144},"builder-pixel-d1ul2kmxbed",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":1145},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1147},{"path":37,"query":1148},{},{},1770892936802,1746714967208,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01bfb2304521412fbd2e1a1180904d40",[],{"originalContentId":919,"winningTest":118,"lastPreviewUrl":1155,"breakpoints":1156,"kind":438,"hasLinks":6,"hasAutosaves":6},"https://pushsecurity.com/uc/shadow-saas?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=5f118e24433d46ceb79f5099987156d7&builder.overrides.5f118e24433d46ceb79f5099987156d7=5f118e24433d46ceb79f5099987156d7&builder.overrides.use-case-page:/uc/shadow-saas=5f118e24433d46ceb79f5099987156d7&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":1158,"id":1159,"name":1160,"modelId":261,"published":13,"query":1161,"data":1164,"variations":1268,"lastUpdated":1269,"firstPublished":1270,"testRatio":33,"screenshot":1271,"createdBy":34,"lastUpdatedBy":674,"folders":1272,"meta":1273,"rev":440},1764707470172,"b62629ce2f3741158d961cd10fe74b31","Shadow AI",[1162],{"@type":264,"property":265,"operator":266,"value":1163},"/uc/shadow-ai",{"fontAwesomeIcon":1165,"seoTitle":1166,"jsCode":37,"customFonts":1167,"title":1172,"tsCode":37,"seoDescription":1173,"blocks":1174,"url":1163,"state":1265},"faBrainCircuit","Secure AI native and AI enhanced apps. ",[1168],{"variants":1169,"category":295,"files":1170,"subsets":1171,"family":272,"kind":273,"menu":296,"lastModified":275,"version":274},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"800italic":285,"regular":290,"700italic":287,"200italic":291,"italic":289,"500italic":292,"600italic":294,"300italic":293,"100italic":288,"900italic":286},[298,299],"Secure shadow AI","See and control shadow AI apps in the browser.",[1175,1260],{"@type":106,"@version":107,"tagName":323,"id":1176,"meta":1177,"children":1178},"builder-a6e5717a2c914d5695058e4ee201a05d",{"previousId":1056},[1179,1195,1202,1209,1219,1228,1237,1247,1254],{"@type":106,"@version":107,"id":1180,"meta":1181,"component":1182,"responsiveStyles":1193},"builder-3e0ed678683f4a0eb7aa00253cf263b2",{"previousId":1060},{"name":327,"options":1183,"isRSC":118},{"title":1172,"description":1184,"points":1185,"image":1192},"\u003Cp>Your employees are adopting AI faster than you can track it. From native features in corporate apps to unapproved shadow tools, it’s all happening in the browser. Push detects every AI interaction in real time, letting you categorize apps and enforce acceptable use policies in the browser.\u003C/p>",[1186,1188,1190],{"item":1187},"Map every AI tool used across your workforce",{"item":1189},"Review and classify apps by sensitivity, purpose, and policy status",{"item":1191},"Enforce AI usage rules directly in the browser","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F33cf153d920f4e389f3650253577cff7",{"large":1194},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":1196,"meta":1197,"component":1198,"responsiveStyles":1200},"builder-76968f8471d14893b8189d75b08fb426",{"previousId":1076},{"name":346,"options":1199,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":1201},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":1203,"meta":1204,"component":1205,"responsiveStyles":1207},"builder-b55b9d4bc5a649d8839ce7f6c2043d95",{"previousId":1083},{"name":354,"options":1206,"isRSC":118},{"darkMode":41},{"large":1208},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1210,"meta":1211,"component":1212,"responsiveStyles":1217},"builder-c3f38ef4d75d4989a29b5903175ed8a1",{"previousId":1090},{"name":359,"tag":359,"options":1213,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":1214,"description":1215,"image":1216,"reverse":6},"\u003Ch2>Use your browser to govern AI \u003C/h2>","\u003Cp>The AI footprint inside your company is bigger than you think. From text generators to meeting assistants and design copilots, employees test, adopt, and connect new tools constantly. Push shows you those tools and which users are accessing them, without relying on network scans or API integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F30b43bda6f1644c19478fb1efa20050c",{"large":1218},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1220,"meta":1221,"component":1222,"responsiveStyles":1226},"builder-90ee9cb9afc44e7f885523715bf51a53",{"previousId":1099},{"name":373,"options":1223,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":1224,"description":1225,"reverse":41,"image":1115},"\u003Ch2>Discover every AI tool users touch\u003C/h2>","\u003Cp>Push captures live telemetry from the browser, identifying every AI-native and AI-enhanced application users access. You’ll know which corporate identities are connected, how data flows, and what new AI apps appear across your environment. \u003C/p>",{"large":1227},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":1229,"meta":1230,"component":1231,"responsiveStyles":1235},"builder-9e44539fa53c4d8e87406036c921fc46",{"previousId":1109},{"name":373,"options":1232,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":1233,"description":1234,"reverse":6,"image":1125},"\u003Ch2>Classify and manage AI risk\u003C/h2>","\u003Cp>For apps you choose to allow, Push lets you apply custom in-browser banners. You can bulk-select categories of AI tools and require users to read and acknowledge your acceptable use policy before they proceed. This creates an auditable trail and moves policy from an easy to forget document to an active, in-workflow control.\u003C/p>",{"large":1236},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":1238,"meta":1239,"component":1240,"responsiveStyles":1245},"builder-44c1a891926f4bdeaaa37e90721fe6ac",{"previousId":1119},{"name":373,"options":1241,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1242,"description":1243,"reverse":41,"image":1244},"\u003Ch2>Enforce your AI policy in the browser\u003C/h2>","\u003Cp>When an AI tool is deemed non-compliant or too risky, Push blocks it at the source. The block happens directly in the browser, preventing the user from accessing the site or submitting data. This gives you an immediate, powerful lever to stop data exfiltration and enforce a hard line on unacceptable risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa359ac1805af4e15a8a7f84632b9bb55",{"large":1246},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1248,"meta":1249,"component":1250,"responsiveStyles":1252},"builder-dcc906f9cbe54dc68b3c672668e7a38f",{"previousId":1129},{"name":354,"options":1251,"isRSC":118},{"darkMode":6},{"large":1253},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1255,"component":1256,"responsiveStyles":1258},"builder-d2d64780c31b4349bc75805b23a07e38",{"name":416,"tag":416,"options":1257,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1259},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1261,"@type":106,"tagName":131,"properties":1262,"responsiveStyles":1263},"builder-pixel-wxx9tk70r9p",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":1264},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1266},{"path":37,"query":1267},{},{},1770892957225,1764950077593,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe558b8b069884037a8e6904f7ecc029c",[],{"winningTest":118,"breakpoints":1274,"originalContentId":1039,"kind":438,"lastPreviewUrl":1275,"hasLinks":6,"hasAutosaves":41},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/shadow-ai?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=b62629ce2f3741158d961cd10fe74b31&builder.overrides.b62629ce2f3741158d961cd10fe74b31=b62629ce2f3741158d961cd10fe74b31&builder.overrides.use-case-page:/uc/shadow-ai=b62629ce2f3741158d961cd10fe74b31&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"_path":1277,"_dir":1278,"_draft":6,"_partial":6,"_locale":37,"sys":1279,"summary":1282,"title":1296,"subtitle":118,"metaTitle":1297,"synopsis":1298,"hashTags":118,"publishedDate":1299,"slug":1300,"tagsCollection":1301,"relatedBlogPostsCollection":1311,"ogImage":3495,"authorsCollection":3497,"content":3505,"_id":4563,"_type":4564,"_source":4565,"_file":4566,"_stem":4567,"_extension":4564},"/blog/introducing-strong-password-enforcement","blog",{"id":1280,"publishedAt":1281},"5aB5x5VXrMv7PDmH0iiK0c","2026-01-30T09:14:57.737Z",{"json":1283},{"data":1284,"content":1285,"nodeType":1295},{},[1286],{"data":1287,"content":1288,"nodeType":1294},{},[1289],{"data":1290,"marks":1291,"value":1292,"nodeType":1293},{},[],"Our latest feature release, strong password enforcement, detects when employees have weak, reused, or stolen passwords and then guides them to update their password using in-browser messaging — even on apps that don’t natively support administrative control of password posture.","text","paragraph","document","Introducing Push password enforcement — for when weak passwords are still plaguing you","Enforce strong passwords at the point of login","Detects when employees have weak, reused, or stolen passwords and guide them to update their password using in-browser messaging on any app. ","2025-03-25T00:00:00.000Z","introducing-strong-password-enforcement",{"items":1302},[1303,1307],{"sys":1304,"name":1306},{"id":1305},"3pjES4THCIfSAwhGdNwBcy","Identity security",{"sys":1308,"name":1310},{"id":1309},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"items":1312},[1313,2046,2855],{"__typename":1314,"sys":1315,"content":1317,"title":2027,"synopsis":2028,"hashTags":118,"publishedDate":1299,"slug":2029,"tagsCollection":2030,"authorsCollection":2038},"BlogPosts",{"id":1316},"gANCbeL9AnxmbGAE5HhyG",{"json":1318},{"nodeType":1295,"data":1319,"content":1320},{},[1321,1338,1347,1353,1359,1363,1372,1379,1474,1480,1487,1494,1497,1505,1514,1521,1574,1582,1601,1632,1639,1647,1654,1660,1679,1695,1701,1708,1737,1744,1751,1784,1791,1798,1818,1821,1829,1836,1843,1850,1858,1878,1884,1892,1911,1929,1935,1943,1950,1970,1977,1983,1986,1994,2001,2008],{"nodeType":1294,"data":1322,"content":1323},{},[1324,1328,1334],{"nodeType":1293,"value":1325,"marks":1326,"data":1327},"Since late 2024, attackers have been targeting organizations using Jira, the project management tool, taking over user accounts using compromised credentials. This has resulted in ",[],{},{"nodeType":1293,"value":1329,"marks":1330,"data":1333},"six public breaches in five months",[1331],{"type":1332},"bold",{},{"nodeType":1293,"value":1335,"marks":1336,"data":1337}," where criminals made off with sensitive data and documentation, profiting by extorting the victims and selling the data on criminal forums. ",[],{},{"nodeType":1339,"data":1340,"content":1346},"embedded-entry-block",{"target":1341},{"sys":1342},{"id":1343,"type":1344,"linkType":1345},"3QJBi8NiId1CccFmJrp8pu","Link","Entry",[],{"nodeType":1294,"data":1348,"content":1349},{},[1350],{"nodeType":1293,"value":37,"marks":1351,"data":1352},[],{},{"nodeType":1339,"data":1354,"content":1358},{"target":1355},{"sys":1356},{"id":1357,"type":1344,"linkType":1345},"79uXXgsAuOK9dKwYQFb0d1",[],{"nodeType":1360,"data":1361,"content":1362},"hr",{},[],{"nodeType":1364,"data":1365,"content":1366},"heading-1",{},[1367],{"nodeType":1293,"value":1368,"marks":1369,"data":1371},"What happened?",[1370],{"type":1332},{},{"nodeType":1294,"data":1373,"content":1374},{},[1375],{"nodeType":1293,"value":1376,"marks":1377,"data":1378},"Six attacks where stolen credentials were used to compromise the victim’s Jira tenant have been reported since November 2024, all attributed to operators belonging to the HELLCAT threat group. ",[],{},{"nodeType":1380,"data":1381,"content":1382},"unordered-list",{},[1383,1399,1414,1429,1444,1459],{"nodeType":1384,"data":1385,"content":1386},"list-item",{},[1387],{"nodeType":1294,"data":1388,"content":1389},{},[1390,1395],{"nodeType":1293,"value":1391,"marks":1392,"data":1394},"Affinitiv (March 2025): ",[1393],{"type":1332},{},{"nodeType":1293,"value":1396,"marks":1397,"data":1398},"Attackers stole a database containing over 470k unique emails and 780k records from marketing data analytics provider Affinitiv. ",[],{},{"nodeType":1384,"data":1400,"content":1401},{},[1402],{"nodeType":1294,"data":1403,"content":1404},{},[1405,1410],{"nodeType":1293,"value":1406,"marks":1407,"data":1409},"Ascom (March 2025):",[1408],{"type":1332},{},{"nodeType":1293,"value":1411,"marks":1412,"data":1413}," Attackers stole 44GB of data including source code for multiple products, details about various projects, invoices, confidential documents, and issues from the ticketing system from global telecommunications provider Ascom.",[],{},{"nodeType":1384,"data":1415,"content":1416},{},[1417],{"nodeType":1294,"data":1418,"content":1419},{},[1420,1425],{"nodeType":1293,"value":1421,"marks":1422,"data":1424},"Jaguar Land Rover (March 2025):",[1423],{"type":1332},{},{"nodeType":1293,"value":1426,"marks":1427,"data":1428}," Attackers leaked ~700 internal documents totalling several GBs of data, including proprietary documents, source code, and employee and partner data, from vehicle manufacturer Jaguar Land Rover. The breach was linked to credentials stolen by infostealers in 2021. A second threat actor is now alleged to have re-compromized Jaguar using the same credentials and achieved a much bigger breach of ~350GB. ",[],{},{"nodeType":1384,"data":1430,"content":1431},{},[1432],{"nodeType":1294,"data":1433,"content":1434},{},[1435,1440],{"nodeType":1293,"value":1436,"marks":1437,"data":1439},"Orange (February 2025):",[1438],{"type":1332},{},{"nodeType":1293,"value":1441,"marks":1442,"data":1443}," Attackers stole almost 12,000 files totaling close to 6.5GB, which includes 380k unique email addresses, source code, invoices, contracts, customer and employee information, from telecommunications provider Orange. The attacker allegedly had access to the systems for over a month before exfiltrating company data.",[],{},{"nodeType":1384,"data":1445,"content":1446},{},[1447],{"nodeType":1294,"data":1448,"content":1449},{},[1450,1455],{"nodeType":1293,"value":1451,"marks":1452,"data":1454},"Telefonica (January 2025): ",[1453],{"type":1332},{},{"nodeType":1293,"value":1456,"marks":1457,"data":1458},"Attackers stole 2.3GB of documents, tickets, and various data from telecommunications provider Telefonica. ",[],{},{"nodeType":1384,"data":1460,"content":1461},{},[1462],{"nodeType":1294,"data":1463,"content":1464},{},[1465,1470],{"nodeType":1293,"value":1466,"marks":1467,"data":1469},"Schneider Electric (November 2024): ",[1468],{"type":1332},{},{"nodeType":1293,"value":1471,"marks":1472,"data":1473},"Attackers stole 40GB of data including 75k unique email addresses, from manufacturing provider Schneider Electric, demanding a ransom payment of $125k. ",[],{},{"nodeType":1339,"data":1475,"content":1479},{"target":1476},{"sys":1477},{"id":1478,"type":1344,"linkType":1345},"1Hm5x8QlQnJsUPgFyCkeFO",[],{"nodeType":1294,"data":1481,"content":1482},{},[1483],{"nodeType":1293,"value":1484,"marks":1485,"data":1486},"So, hundreds of gigabytes of data and thousands of breached records — all from logging in with a single set of stolen credentials for each victim. There are clear signs that these attacks are ramping up in frequency and impact too, with three of the breaches occurring in March alone. ",[],{},{"nodeType":1294,"data":1488,"content":1489},{},[1490],{"nodeType":1293,"value":1491,"marks":1492,"data":1493},"These attacks all follow the same pattern, revolving around initial access to Jira accounts using compromised credentials. Once inside, the attacker has been reported to use integrated Atlassian tools like MiniOrange to scrape customer and employee data. After dumping the data, they attempt to extort a ransom payment for the deletion of the data, and when that fails, sell it on criminal marketplaces such as dark web forums and Telegram channels. HELLCAT is also responsible for a Ransomware-as-a-Service (RaaS) offering using a custom ransomware strain. ",[],{},{"nodeType":1360,"data":1495,"content":1496},{},[],{"nodeType":1364,"data":1498,"content":1499},{},[1500],{"nodeType":1293,"value":1501,"marks":1502,"data":1504},"Why are attackers targeting Jira?",[1503],{"type":1332},{},{"nodeType":1506,"data":1507,"content":1508},"heading-2",{},[1509],{"nodeType":1293,"value":1510,"marks":1511,"data":1513},"It’s a goldmine for attackers",[1512],{"type":1332},{},{"nodeType":1294,"data":1515,"content":1516},{},[1517],{"nodeType":1293,"value":1518,"marks":1519,"data":1520},"Apps like Jira are a goldmine for cyber attackers. For organizations using it, Jira is a central technology that underpins core business workflows. It’s used for pretty much all aspects of project management across functions, meaning it:",[],{},{"nodeType":1380,"data":1522,"content":1523},{},[1524,1534,1544,1554,1564],{"nodeType":1384,"data":1525,"content":1526},{},[1527],{"nodeType":1294,"data":1528,"content":1529},{},[1530],{"nodeType":1293,"value":1531,"marks":1532,"data":1533},"Stores huge amounts of sensitive data, from strategic business initiatives to sensitive customer data. ",[],{},{"nodeType":1384,"data":1535,"content":1536},{},[1537],{"nodeType":1294,"data":1538,"content":1539},{},[1540],{"nodeType":1293,"value":1541,"marks":1542,"data":1543},"Contains detailed information on IT infrastructure and architecture. It often acts as an issue tracker for vulnerabilities, and frequently contains credentials and secrets accidentally pasted into tickets, enabling lateral movement and further exploitation. ",[],{},{"nodeType":1384,"data":1545,"content":1546},{},[1547],{"nodeType":1294,"data":1548,"content":1549},{},[1550],{"nodeType":1293,"value":1551,"marks":1552,"data":1553},"Has deep integrations with other Cloud and DevOps technologies like GitHub repos (also a frequent target for attackers), Bitbucket, Jenkins, CircleCI, AWS, Azure, etc. ",[],{},{"nodeType":1384,"data":1555,"content":1556},{},[1557],{"nodeType":1294,"data":1558,"content":1559},{},[1560],{"nodeType":1293,"value":1561,"marks":1562,"data":1563},"Can be exploited using native functionality by, for example, creating automated workflows containing malicious scripts or deployments, or inserting malicious links into tickets to phish users in-app. ",[],{},{"nodeType":1384,"data":1565,"content":1566},{},[1567],{"nodeType":1294,"data":1568,"content":1569},{},[1570],{"nodeType":1293,"value":1571,"marks":1572,"data":1573},"Also provides access to the broader Atlassian suite through a compromised Jira account, e.g. Confluence, Bitbucket, Trello, Opsgenie, etc. ",[],{},{"nodeType":1506,"data":1575,"content":1576},{},[1577],{"nodeType":1293,"value":1578,"marks":1579,"data":1581},"Compromised credentials are waiting to be exploited",[1580],{"type":1332},{},{"nodeType":1294,"data":1583,"content":1584},{},[1585,1588,1597],{"nodeType":1293,"value":37,"marks":1586,"data":1587},[],{},{"nodeType":1589,"data":1590,"content":1592},"hyperlink",{"uri":1591},"https://www.verizon.com/business/resources/reports/dbir/",[1593],{"nodeType":1293,"value":1594,"marks":1595,"data":1596},"Stolen credentials were the #1 attacker action in 2023/24",[],{},{"nodeType":1293,"value":1598,"marks":1599,"data":1600},", and the breach vector for 80% of web app attacks. Not surprising when you consider the fact that billions of leaked credentials are in circulation online, and attackers can pick up the latest drop for as little as $10 on criminal forums. ",[],{},{"nodeType":1294,"data":1602,"content":1603},{},[1604,1608,1616,1620,1628],{"nodeType":1293,"value":1605,"marks":1606,"data":1607},"The criminal marketplace for stolen credentials is booming, fuelled by an unprecedented rise in infostealer activity as attackers look to replicate the success of ",[],{},{"nodeType":1589,"data":1609,"content":1611},{"uri":1610},"https://pushsecurity.com/resources/2024-identity-attacks",[1612],{"nodeType":1293,"value":1613,"marks":1614,"data":1615},"high profile breaches in 2024",[],{},{"nodeType":1293,"value":1617,"marks":1618,"data":1619}," such as the attacks on ",[],{},{"nodeType":1589,"data":1621,"content":1623},{"uri":1622},"https://pushsecurity.com/blog/snowflake-retro/",[1624],{"nodeType":1293,"value":1625,"marks":1626,"data":1627},"Snowflake",[],{},{"nodeType":1293,"value":1629,"marks":1630,"data":1631}," customers — where 165 customer tenants and hundreds of millions of breached records were compromised using credentials dating found in infostealer credential dumps dating as far back as 2020.",[],{},{"nodeType":1294,"data":1633,"content":1634},{},[1635],{"nodeType":1293,"value":1636,"marks":1637,"data":1638},"Like Snowflake, attackers have clearly noticed that compromised credentials are a reliable way to access Jira accounts. And the more these attacks succeed, the stronger the signal for other attackers to look for insecure identities. ",[],{},{"nodeType":1506,"data":1640,"content":1641},{},[1642],{"nodeType":1293,"value":1643,"marks":1644,"data":1646},"But wait: This isn’t just a Jira problem",[1645],{"type":1332},{},{"nodeType":1294,"data":1648,"content":1649},{},[1650],{"nodeType":1293,"value":1651,"marks":1652,"data":1653},"If an organization isn’t relying on Jira, they’re probably using a product with similar functionality such as ServiceNow, Asana, Zendesk, Notion, Oracle, etc. These alternatives are an equally viable target for attackers. ",[],{},{"nodeType":1339,"data":1655,"content":1659},{"target":1656},{"sys":1657},{"id":1658,"type":1344,"linkType":1345},"4hgYhQiAykupZ6n7Js2zJA",[],{"nodeType":1294,"data":1661,"content":1662},{},[1663,1667,1675],{"nodeType":1293,"value":1664,"marks":1665,"data":1666},"Jira and many apps like it, fall into a category where it’s a core business app, but isn’t as well-secured (or can’t be configured as securely) as full enterprise cloud platforms — increasing the likelihood that accounts are using weak, breached, or reused credentials, and have gaps in MFA coverage. Again, there are clear similarities with the attacks on Snowflake customers last year. And more recently, breaches like ",[],{},{"nodeType":1589,"data":1668,"content":1670},{"uri":1669},"https://www.bleepingcomputer.com/news/security/oracle-denies-data-breach-after-hacker-claims-theft-of-6-million-data-records/",[1671],{"nodeType":1293,"value":1672,"marks":1673,"data":1674},"the theft of 6 million Oracle records",[],{},{"nodeType":1293,"value":1676,"marks":1677,"data":1678}," (including  passwords) provide plenty of fuel for attackers looking to take advantage of unsecured accounts. ",[],{},{"nodeType":1294,"data":1680,"content":1681},{},[1682,1686,1691],{"nodeType":1293,"value":1683,"marks":1684,"data":1685},"Using Push data, we compared the posture of accounts that ",[],{},{"nodeType":1293,"value":1687,"marks":1688,"data":1690},"use a password to log in",[1689],{"type":1332},{},{"nodeType":1293,"value":1692,"marks":1693,"data":1694}," when organizations first begin using our platform.",[],{},{"nodeType":1339,"data":1696,"content":1700},{"target":1697},{"sys":1698},{"id":1699,"type":1344,"linkType":1345},"4xOUAqait2RG4IH00vh2RM",[],{"nodeType":1294,"data":1702,"content":1703},{},[1704],{"nodeType":1293,"value":1705,"marks":1706,"data":1707},"Clearly, this isn’t just a Jira problem — and it won’t be long before attackers take advantage. ",[],{},{"nodeType":1294,"data":1709,"content":1710},{},[1711,1714,1724,1728,1733],{"nodeType":1293,"value":37,"marks":1712,"data":1713},[],{},{"nodeType":1589,"data":1715,"content":1717},{"uri":1716},"https://pushsecurity.com/blog/how-many-vulnerable-identities-do-you-have/",[1718],{"nodeType":1293,"value":1719,"marks":1720,"data":1723},"These stats are in the ballpark of our average findings from across all apps",[1721],{"type":1722},"underline",{},{"nodeType":1293,"value":1725,"marks":1726,"data":1727}," — with 2 in 5 identities using a password to log in AND missing MFA, rising to 4 in 5 when a password is the sole login method. Considering the fact that organizations are using hundreds of apps (220+ on average), ",[],{},{"nodeType":1293,"value":1729,"marks":1730,"data":1732},"there are many, many more apps that can be targeted in a similar way to Jira",[1731],{"type":1332},{},{"nodeType":1293,"value":1734,"marks":1735,"data":1736},". ",[],{},{"nodeType":1364,"data":1738,"content":1739},{},[1740],{"nodeType":1293,"value":1741,"marks":1742,"data":1743},"Preventing account takeover with stolen credentials",[],{},{"nodeType":1294,"data":1745,"content":1746},{},[1747],{"nodeType":1293,"value":1748,"marks":1749,"data":1750},"To ensure that your workforce identities can’t be compromised using stolen credentials, you need to:",[],{},{"nodeType":1380,"data":1752,"content":1753},{},[1754,1764,1774],{"nodeType":1384,"data":1755,"content":1756},{},[1757],{"nodeType":1294,"data":1758,"content":1759},{},[1760],{"nodeType":1293,"value":1761,"marks":1762,"data":1763},"Ensure MFA is configured for all user accounts. ",[],{},{"nodeType":1384,"data":1765,"content":1766},{},[1767],{"nodeType":1294,"data":1768,"content":1769},{},[1770],{"nodeType":1293,"value":1771,"marks":1772,"data":1773},"Ensure employees are not using weak, breached, or stolen passwords. ",[],{},{"nodeType":1384,"data":1775,"content":1776},{},[1777],{"nodeType":1294,"data":1778,"content":1779},{},[1780],{"nodeType":1293,"value":1781,"marks":1782,"data":1783},"Where possible, ensure users are using SSO to log in via your preferred identity provider (IdP).",[],{},{"nodeType":1294,"data":1785,"content":1786},{},[1787],{"nodeType":1293,"value":1788,"marks":1789,"data":1790},"This is a tricky problem to solve in Jira itself. Jira doesn’t provide the capabilities to enforce these controls — to get access to some of the required functionality, like being able to require MFA for all users within your tenant, enforce SSO logins, or see if a user has MFA enabled, you need Atlassian Access — a separate tier of identity management product for Atlassian. Even then, you can’t do things like centrally administer password resets. ",[],{},{"nodeType":1294,"data":1792,"content":1793},{},[1794],{"nodeType":1293,"value":1795,"marks":1796,"data":1797},"And as we’ve pointed out — this isn’t just a Jira problem. Very few apps provide this level of identity visibility and control (even at the premium tier) — so what about when the next app hits the headlines? ",[],{},{"nodeType":1294,"data":1799,"content":1800},{},[1801,1805,1814],{"nodeType":1293,"value":1802,"marks":1803,"data":1804},"You could ingest a compromised credential TI feed to get some visibility of what’s out there, but then you’re relying on asking every user with a breached password to change it (not really reliable or enforceable!). When we ",[],{},{"nodeType":1589,"data":1806,"content":1808},{"uri":1807},"https://pushsecurity.com/blog/verified-stolen-credential-detection/",[1809],{"nodeType":1293,"value":1810,"marks":1811,"data":1813},"recently reviewed a range of TI feeds against our identity data set",[1812],{"type":1722},{},{"nodeType":1293,"value":1815,"marks":1816,"data":1817},", we found that less than 1% of the data was valid — like looking for a needle in a haystack. ",[],{},{"nodeType":1360,"data":1819,"content":1820},{},[],{"nodeType":1364,"data":1822,"content":1823},{},[1824],{"nodeType":1293,"value":1825,"marks":1826,"data":1828},"Prevent account takeover with Push",[1827],{"type":1332},{},{"nodeType":1294,"data":1830,"content":1831},{},[1832],{"nodeType":1293,"value":1833,"marks":1834,"data":1835},"Thankfully, there’s a better way. Push provides layered controls to harden your workforce identities against credential attacks, as well as other methods of account takeover like MFA-bypass phishing and session hijacking. Our lightweight, browser-based solution can be deployed in minutes across your entire user base. ",[],{},{"nodeType":1294,"data":1837,"content":1838},{},[1839],{"nodeType":1293,"value":1840,"marks":1841,"data":1842},"So when a core business app like Jira comes under fire, you can quickly take action to prevent account takeover.  ",[],{},{"nodeType":1294,"data":1844,"content":1845},{},[1846],{"nodeType":1293,"value":1847,"marks":1848,"data":1849},"Here’s how Push users can protect themselves against the threat of stolen credentials:",[],{},{"nodeType":1506,"data":1851,"content":1852},{},[1853],{"nodeType":1293,"value":1854,"marks":1855,"data":1857},"Step 1: Deploy MFA across all accounts",[1856],{"type":1332},{},{"nodeType":1294,"data":1859,"content":1860},{},[1861,1865,1874],{"nodeType":1293,"value":1862,"marks":1863,"data":1864},"Whenever an application comes under heavy scrutiny from attackers, it’s a good idea to deploy MFA across all accounts as a first response action. ",[],{},{"nodeType":1589,"data":1866,"content":1868},{"uri":1867},"https://pushsecurity.com/blog/enforce-mfa-on-third-party-apps/",[1869],{"nodeType":1293,"value":1870,"marks":1871,"data":1873},"Push enables you to quickly find and close MFA gaps",[1872],{"type":1722},{},{"nodeType":1293,"value":1875,"marks":1876,"data":1877}," by prompting the user to configure MFA when they log in to the app. ",[],{},{"nodeType":1339,"data":1879,"content":1883},{"target":1880},{"sys":1881},{"id":1882,"type":1344,"linkType":1345},"4OVJU6FRSVU9j1WB9NGyJ4",[],{"nodeType":1506,"data":1885,"content":1886},{},[1887],{"nodeType":1293,"value":1888,"marks":1889,"data":1891},"Step 2: Detect when accounts are using stolen credentials and trigger a password change",[1890],{"type":1332},{},{"nodeType":1294,"data":1893,"content":1894},{},[1895,1899,1907],{"nodeType":1293,"value":1896,"marks":1897,"data":1898},"Push integrates with commercial TI feeds to see ",[],{},{"nodeType":1589,"data":1900,"content":1901},{"uri":1807},[1902],{"nodeType":1293,"value":1903,"marks":1904,"data":1906},"when your employees are actually using a breached password to log in to one of their accounts",[1905],{"type":1722},{},{"nodeType":1293,"value":1908,"marks":1909,"data":1910},", eliminating manual triage. You can also bring your own TI feed to maximize its value. ",[],{},{"nodeType":1294,"data":1912,"content":1913},{},[1914,1918,1926],{"nodeType":1293,"value":1915,"marks":1916,"data":1917},"When a stolen credential (or any other password vulnerability) is found, the next time they log into the app they will be prompted to change it via the ",[],{},{"nodeType":1589,"data":1919,"content":1921},{"uri":1920},"https://pushsecurity.com/blog/introducing-strong-password-enforcement/",[1922],{"nodeType":1293,"value":1923,"marks":1924,"data":1925},"strong password enforcement feature",[],{},{"nodeType":1293,"value":1734,"marks":1927,"data":1928},[],{},{"nodeType":1339,"data":1930,"content":1934},{"target":1931},{"sys":1932},{"id":1933,"type":1344,"linkType":1345},"shpVOAMlk7OE1mWrE9h8S",[],{"nodeType":1506,"data":1936,"content":1937},{},[1938],{"nodeType":1293,"value":1939,"marks":1940,"data":1942},"Step 3: Ensure employees are using SSO (and remediate ghost logins)",[1941],{"type":1332},{},{"nodeType":1294,"data":1944,"content":1945},{},[1946],{"nodeType":1293,"value":1947,"marks":1948,"data":1949},"Once you’ve secured your accounts against the risk of immediate account takeover, you can harden them further by ensuring that accounts are using your preferred SSO method and IdP. ",[],{},{"nodeType":1294,"data":1951,"content":1952},{},[1953,1957,1966],{"nodeType":1293,"value":1954,"marks":1955,"data":1956},"[Insight box: It’s not enough to have users adopt SSO, however. Local username and password accounts can continue to exist and be used alongside SSO unless specifically configured (and configurable) within the app. These local accounts are a form of ",[],{},{"nodeType":1589,"data":1958,"content":1960},{"uri":1959},"https://pushsecurity.com/blog/ghost-logins-when-forgotten-identities-come-back-to-haunt-you/",[1961],{"nodeType":1293,"value":1962,"marks":1963,"data":1965},"ghost login",[1964],{"type":1722},{},{"nodeType":1293,"value":1967,"marks":1968,"data":1969},", providing backdoor access to your business apps without needing to breach your locked-down IdP accounts used for SSO. This is why it’s important to have MFA set at the application level if local accounts are used — you can’t just rely on your IdP being securely configured.] ",[],{},{"nodeType":1294,"data":1971,"content":1972},{},[1973],{"nodeType":1293,"value":1974,"marks":1975,"data":1976},"Once you’ve migrated to SSO, it’s best practice to have your employees remove these local accounts so they don’t lie dormant for attackers to take advantage of in the future. You can set an app banner for all users accessing the app, instructing them to log in using SSO, and to disable their local password once they’ve done so.",[],{},{"nodeType":1339,"data":1978,"content":1982},{"target":1979},{"sys":1980},{"id":1981,"type":1344,"linkType":1345},"606mt5mVoJGaMmk82mLIFH",[],{"nodeType":1360,"data":1984,"content":1985},{},[],{"nodeType":1364,"data":1987,"content":1988},{},[1989],{"nodeType":1293,"value":1990,"marks":1991,"data":1993},"Protect and defend your entire identity attack surface",[1992],{"type":1332},{},{"nodeType":1294,"data":1995,"content":1996},{},[1997],{"nodeType":1293,"value":1998,"marks":1999,"data":2000},"Push provides comprehensive identity attack detection and response capabilities across every app and workforce identity.    ",[],{},{"nodeType":1294,"data":2002,"content":2003},{},[2004],{"nodeType":1293,"value":2005,"marks":2006,"data":2007},"We stop attacks like MFA-bypass phishing, credential stuffing, password spraying and session hijacking using stolen session tokens. You can also use Push to find and fix identity vulnerabilities across every app that your employees use like: ghost logins; SSO coverage gaps; MFA gaps; weak, breached and reused passwords; risky OAuth integrations; and more. ",[],{},{"nodeType":1294,"data":2009,"content":2010},{},[2011,2015,2023],{"nodeType":1293,"value":2012,"marks":2013,"data":2014},"If you want to learn more about how Push helps you to detect and defeat common identity attack techniques, ",[],{},{"nodeType":1589,"data":2016,"content":2018},{"uri":2017},"https://pushsecurity.com/demo?utm_campaign=9983377-FY25Q1_Bleeping-Computer-Organic-Article&utm_source=bleepingcomputer&utm_medium=sponsored-content&utm_content=organic%20article",[2019],{"nodeType":1293,"value":2020,"marks":2021,"data":2022},"book some time with one of our team",[],{},{"nodeType":1293,"value":2024,"marks":2025,"data":2026}," for a live demo. ",[],{},"6 breaches in 5 months: Why attackers are targeting Jira with stolen credentials","Attackers are persistently targeting Jira accounts with stolen credentials. What can we learn from this trend?","why-attackers-are-targeting-jira-with-stolen-credentials",{"items":2031},[2032,2034],{"sys":2033,"name":1310},{"id":1309},{"sys":2035,"name":2037},{"id":2036},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"items":2039},[2040],{"fullName":2041,"firstName":2042,"jobTitle":2043,"profilePicture":2044},"Dan Green","Dan","Threat Research",{"url":2045},"https://images.ctfassets.net/y1cdw1ablpvd/7jik1VhFgA3kgzXBXTm2Vw/fcd8c171da644903d0827eafcfbcaad0/Dan_Headshot_2025.png",{"__typename":1314,"sys":2047,"content":2049,"title":2843,"synopsis":2844,"hashTags":118,"publishedDate":2845,"slug":2846,"tagsCollection":2847,"authorsCollection":2851},{"id":2048},"PAPJPr3CIB6J20udYyy1r",{"json":2050},{"data":2051,"content":2052,"nodeType":1295},{},[2053,2059,2079,2086,2093,2099,2102,2110,2117,2136,2148,2155,2162,2169,2262,2265,2273,2356,2362,2365,2373,2381,2388,2395,2403,2421,2428,2436,2443,2450,2458,2465,2472,2492,2498,2501,2509,2517,2524,2628,2635,2643,2650,2657,2663,2671,2678,2685,2692,2700,2707,2714,2721,2728,2734,2737,2745,2752,2785,2792,2811,2831,2837],{"data":2054,"content":2058,"nodeType":1339},{"target":2055},{"sys":2056},{"id":2057,"type":1344,"linkType":1345},"1eBClNW4NOR66F0tl9h6lD",[],{"data":2060,"content":2061,"nodeType":1294},{},[2062,2066,2075],{"data":2063,"marks":2064,"value":2065,"nodeType":1293},{},[],"The attacks on Snowflake customers in 2024 collectively constituted the biggest cyber security event of the year in terms of the number of organizations and individuals affected (at least, if you exclude CrowdStrike causing a worldwide outage in July) — certainly, it was the largest perpetrated by a criminal group against commercial enterprises. It has been touted by some news outlets as ‘",{"data":2067,"content":2069,"nodeType":1589},{"uri":2068},"https://www.wired.com/story/snowflake-breach-advanced-auto-parts-lendingtree/",[2070],{"data":2071,"marks":2072,"value":2074,"nodeType":1293},{},[2073],{"type":1722},"one of the biggest breaches ever",{"data":2076,"marks":2077,"value":2078,"nodeType":1293},{},[],"’.  ",{"data":2080,"content":2081,"nodeType":1294},{},[2082],{"data":2083,"marks":2084,"value":2085,"nodeType":1293},{},[],"Snowflake was a watershed moment that signalled the significant opportunity presented by identity attacks on cloud services. It demonstrated how comparatively unsophisticated methods (logging in to user accounts with stolen credentials and dumping the data) can have the same or greater impact as a traditional network or endpoint based cyber attack involving vulnerability exploitation, malware deployment, ransomware, etc. ",{"data":2087,"content":2088,"nodeType":1294},{},[2089],{"data":2090,"marks":2091,"value":2092,"nodeType":1293},{},[],"Here’s everything you need to know about the Snowflake attacks — and what you can do to protect yourself against the next Snowflake in the future.",{"data":2094,"content":2098,"nodeType":1339},{"target":2095},{"sys":2096},{"id":2097,"type":1344,"linkType":1345},"4QoPUiP5q6Mwj1eWUZT15Q",[],{"data":2100,"content":2101,"nodeType":1360},{},[],{"data":2103,"content":2104,"nodeType":1364},{},[2105],{"data":2106,"marks":2107,"value":2109,"nodeType":1293},{},[2108],{"type":1332},"Snowflake: The facts",{"data":2111,"content":2112,"nodeType":1294},{},[2113],{"data":2114,"marks":2115,"value":2116,"nodeType":1293},{},[],"Cyber criminals associated with the threat group known as ShinyHunters claimed responsibility for breaching multiple organizations using Snowflake, a cloud-based data warehousing and analytics platform. ",{"data":2118,"content":2119,"nodeType":1294},{},[2120,2124,2133],{"data":2121,"marks":2122,"value":2123,"nodeType":1293},{},[],"ShinyHunters associates targeted ~165 organizations that were subjected to account takeover attacks using stolen credentials harvested from historical infostealer infections dating back as far as 2020, ",{"data":2125,"content":2127,"nodeType":1589},{"uri":2126},"https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion",[2128],{"data":2129,"marks":2130,"value":2132,"nodeType":1293},{},[2131],{"type":1722},"according to Mandiant’s investigation",{"data":2134,"marks":2135,"value":1734,"nodeType":1293},{},[],{"data":2137,"content":2138,"nodeType":2147},{},[2139],{"data":2140,"content":2141,"nodeType":1294},{},[2142],{"data":2143,"marks":2144,"value":2146,"nodeType":1293},{},[2145],{"type":1332},">80% of the compromised accounts belonging to Snowflake customers had prior credential exposure. ","blockquote",{"data":2149,"content":2150,"nodeType":1294},{},[2151],{"data":2152,"marks":2153,"value":2154,"nodeType":1293},{},[],"The impacted accounts lacked MFA, meaning successful authentication only required a valid username and password. As the Snowflake credentials found in infostealer malware credential dumps had not been rotated or updated, they remained valid and could be used to authenticate to user accounts on Snowflake tenants belonging to various customers.",{"data":2156,"content":2157,"nodeType":1294},{},[2158],{"data":2159,"marks":2160,"value":2161,"nodeType":1293},{},[],"As a data warehousing platform integrated with a range of connected cloud services, access to a customer’s Snowflake tenant provided attackers with large quantities of sensitive commercial and personal data that could be stolen and monetized by attackers in a variety of ways — such as by ransoming the victim organization, extorting individual end-customers, and selling the data on to other criminal organizations. ",{"data":2163,"content":2164,"nodeType":1294},{},[2165],{"data":2166,"marks":2167,"value":2168,"nodeType":1293},{},[],"In total, 9 public victims were named following the breach, collectively impacting hundreds of millions of people. ",{"data":2170,"content":2171,"nodeType":1380},{},[2172,2182,2192,2202,2212,2222,2232,2242,2252],{"data":2173,"content":2174,"nodeType":1384},{},[2175],{"data":2176,"content":2177,"nodeType":1294},{},[2178],{"data":2179,"marks":2180,"value":2181,"nodeType":1293},{},[],"Lending Tree: Sensitive data for over 190 million people available online including customer details, partial credit card numbers, insurance quotes and other information, being sold for $2m.",{"data":2183,"content":2184,"nodeType":1384},{},[2185],{"data":2186,"content":2187,"nodeType":1294},{},[2188],{"data":2189,"marks":2190,"value":2191,"nodeType":1293},{},[],"Truist Bank: Information belonging to 65,000 employees being sold online for $1m",{"data":2193,"content":2194,"nodeType":1384},{},[2195],{"data":2196,"content":2197,"nodeType":1294},{},[2198],{"data":2199,"marks":2200,"value":2201,"nodeType":1293},{},[],"Advance Auto Parts: 3TB of data for sale for $1.5 million. Affected 2.3 million people, as well as current and former employees and job applicants.",{"data":2203,"content":2204,"nodeType":1384},{},[2205],{"data":2206,"content":2207,"nodeType":1294},{},[2208],{"data":2209,"marks":2210,"value":2211,"nodeType":1293},{},[],"Pure Storage: Workspace with 11k customer records including company, email, LDAP username and software version numbers.",{"data":2213,"content":2214,"nodeType":1384},{},[2215],{"data":2216,"content":2217,"nodeType":1294},{},[2218],{"data":2219,"marks":2220,"value":2221,"nodeType":1293},{},[],"Los Angeles Unified: Student data, disability information, discipline details, and parent information, being sold online for $150k.",{"data":2223,"content":2224,"nodeType":1384},{},[2225],{"data":2226,"content":2227,"nodeType":1294},{},[2228],{"data":2229,"marks":2230,"value":2231,"nodeType":1293},{},[],"Neiman Marcus: 31m email addresses exposed alongside various personal information.",{"data":2233,"content":2234,"nodeType":1384},{},[2235],{"data":2236,"content":2237,"nodeType":1294},{},[2238],{"data":2239,"marks":2240,"value":2241,"nodeType":1293},{},[],"Santander: 30 million customer details for sale relating to customers of Santander Chile, Spain, and Uruguay.",{"data":2243,"content":2244,"nodeType":1384},{},[2245],{"data":2246,"content":2247,"nodeType":1294},{},[2248],{"data":2249,"marks":2250,"value":2251,"nodeType":1293},{},[],"Ticketmaster: 560 million customer details for sale, disruption to events and ticketing worldwide, increasing in scam ticket production.",{"data":2253,"content":2254,"nodeType":1384},{},[2255],{"data":2256,"content":2257,"nodeType":1294},{},[2258],{"data":2259,"marks":2260,"value":2261,"nodeType":1293},{},[],"AT&T: Call logs stolen for approximately 109 million customers (nearly all of its mobile customers). AT&T paid an undisclosed ransom fee. ",{"data":2263,"content":2264,"nodeType":1360},{},[],{"data":2266,"content":2267,"nodeType":1364},{},[2268],{"data":2269,"marks":2270,"value":2272,"nodeType":1293},{},[2271],{"type":1332},"The Snowflake attacks step-by-step",{"data":2274,"content":2275,"nodeType":1380},{},[2276,2286,2296,2306,2316,2326,2336,2346],{"data":2277,"content":2278,"nodeType":1384},{},[2279],{"data":2280,"content":2281,"nodeType":1294},{},[2282],{"data":2283,"marks":2284,"value":2285,"nodeType":1293},{},[],"Snowflake users were infected with infostealer malware that harvested credentials from user devices over an extended period via several infostealer malware variants, including; VIDAR, RISEPRO, REDLINE, RACOON STEALER, LUMMA and METASTEALER.",{"data":2287,"content":2288,"nodeType":1384},{},[2289],{"data":2290,"content":2291,"nodeType":1294},{},[2292],{"data":2293,"marks":2294,"value":2295,"nodeType":1293},{},[],"Credentials appeared on criminal marketplaces e.g. dark web forums and Telegram channels.",{"data":2297,"content":2298,"nodeType":1384},{},[2299],{"data":2300,"content":2301,"nodeType":1294},{},[2302],{"data":2303,"marks":2304,"value":2305,"nodeType":1293},{},[],"ShinyHunters saw the potential in targeting Snowflake users, based on the availability of credentials, number of customer organizations, and the value of the data that can be accessed in Snowflake. ",{"data":2307,"content":2308,"nodeType":1384},{},[2309],{"data":2310,"content":2311,"nodeType":1294},{},[2312],{"data":2313,"marks":2314,"value":2315,"nodeType":1293},{},[],"ShinyHunters embarked on a large-scale campaign targeting Snowflake customer accounts using previously breached credentials. ",{"data":2317,"content":2318,"nodeType":1384},{},[2319],{"data":2320,"content":2321,"nodeType":1294},{},[2322],{"data":2323,"marks":2324,"value":2325,"nodeType":1293},{},[],"ShinyHunters accessed user accounts that lacked MFA, belonging to approximately 165 Snowflake customers. ",{"data":2327,"content":2328,"nodeType":1384},{},[2329],{"data":2330,"content":2331,"nodeType":1294},{},[2332],{"data":2333,"marks":2334,"value":2335,"nodeType":1293},{},[],"ShinyHunters used SQL-based reconnaissance, staging, and data exfiltration techniques, expedited by custom hacker tooling developed specifically for Snowflake, to conduct attacks at scale.",{"data":2337,"content":2338,"nodeType":1384},{},[2339],{"data":2340,"content":2341,"nodeType":1294},{},[2342],{"data":2343,"marks":2344,"value":2345,"nodeType":1293},{},[],"ShinyHunters acquired massive quantities of Snowflake data based on the information that each customer stored in Snowflake or connected apps. ",{"data":2347,"content":2348,"nodeType":1384},{},[2349],{"data":2350,"content":2351,"nodeType":1294},{},[2352],{"data":2353,"marks":2354,"value":2355,"nodeType":1293},{},[],"ShinyHunters began attempts to extort Snowflake and end-customers using the data acquired.",{"data":2357,"content":2361,"nodeType":1339},{"target":2358},{"sys":2359},{"id":2360,"type":1344,"linkType":1345},"2J92gFLs1wAAGC4nQTaiWu",[],{"data":2363,"content":2364,"nodeType":1360},{},[],{"data":2366,"content":2367,"nodeType":1364},{},[2368],{"data":2369,"marks":2370,"value":2372,"nodeType":1293},{},[2371],{"type":1332},"Why did the Snowflake breaches happen?",{"data":2374,"content":2375,"nodeType":1506},{},[2376],{"data":2377,"marks":2378,"value":2380,"nodeType":1293},{},[2379],{"type":1332},"Stolen credentials remained valid for years",{"data":2382,"content":2383,"nodeType":1294},{},[2384],{"data":2385,"marks":2386,"value":2387,"nodeType":1293},{},[],"The credentials used to access Snowflake accounts from historical infostealer infections had not been changed or rotated despite dating back as far as 2020, and remained valid. ",{"data":2389,"content":2390,"nodeType":1294},{},[2391],{"data":2392,"marks":2393,"value":2394,"nodeType":1293},{},[],"This highlights the potential risk of breached credentials already in the public domain, particularly in the case of cloud services like Snowflake that may not be subject to the same levels of credential hygiene as other traditional enterprise domain accounts. ",{"data":2396,"content":2397,"nodeType":1506},{},[2398],{"data":2399,"marks":2400,"value":2402,"nodeType":1293},{},[2401],{"type":1332},"Local logins lacked MFA ",{"data":2404,"content":2405,"nodeType":1294},{},[2406,2410,2418],{"data":2407,"marks":2408,"value":2409,"nodeType":1293},{},[],"Even where organizations were primarily encouraging employees to use SSO to access their Snowflake tenant, previously created local logins with a username and password continue to exist even after introducing SSO-based logins. Further, MFA was not globally enforceable at the application level, meaning that MFA was only set when logging into an IdP account for SSO, but not for local logins. We call this problem ",{"data":2411,"content":2412,"nodeType":1589},{"uri":1959},[2413],{"data":2414,"marks":2415,"value":2417,"nodeType":1293},{},[2416],{"type":1722},"ghost logins",{"data":2419,"marks":2420,"value":1734,"nodeType":1293},{},[],{"data":2422,"content":2423,"nodeType":1294},{},[2424],{"data":2425,"marks":2426,"value":2427,"nodeType":1293},{},[],"This meant that attackers were able to take over Snowflake accounts with only a single authentication factor (username & password). ",{"data":2429,"content":2430,"nodeType":1506},{},[2431],{"data":2432,"marks":2433,"value":2435,"nodeType":1293},{},[2434],{"type":1332},"Snowflake was a high-value target used by many organizations",{"data":2437,"content":2438,"nodeType":1294},{},[2439],{"data":2440,"marks":2441,"value":2442,"nodeType":1293},{},[],"As a data warehousing platform used by a vast number of organizations, Snowflake represented a high-value target based on the data typically stored within it, and the repeatable way in which Snowflake users could be targeted. ",{"data":2444,"content":2445,"nodeType":1294},{},[2446],{"data":2447,"marks":2448,"value":2449,"nodeType":1293},{},[],"The attacker followed a near identical process when targeting Snowflake victims, meaning it could be scripted and executed at scale, with attacks taking a matter of minutes. ",{"data":2451,"content":2452,"nodeType":1506},{},[2453],{"data":2454,"marks":2455,"value":2457,"nodeType":1293},{},[2456],{"type":1332},"Infostealer infections are driving credential availability",{"data":2459,"content":2460,"nodeType":1294},{},[2461],{"data":2462,"marks":2463,"value":2464,"nodeType":1293},{},[],"Infostealers are often seen as a low-priority issue, but are the primary source of stolen credentials used in campaigns like this one. ",{"data":2466,"content":2467,"nodeType":1294},{},[2468],{"data":2469,"marks":2470,"value":2471,"nodeType":1293},{},[],"EDR is a strong protection but is often bypassed by infostealers as attackers continually modify them to bypass security controls. Further, unmanaged devices such as those used by third-party contractors or BYOD employees often lack the robust controls applied to company-managed devices and are naturally more susceptible to infostealer attacks. And since browser profiles can be synced across devices, even personal device compromises can result in the capture of corporate credentials.  ",{"data":2473,"content":2474,"nodeType":1294},{},[2475,2479,2488],{"data":2476,"marks":2477,"value":2478,"nodeType":1293},{},[],"There is some suggestion that targeting key third-party suppliers – ",{"data":2480,"content":2482,"nodeType":1589},{"uri":2481},"https://www.wired.com/story/epam-snowflake-ticketmaster-breach-shinyhunters/",[2483],{"data":2484,"marks":2485,"value":2487,"nodeType":1293},{},[2486],{"type":1722},"such as EPAM Systems, a software engineering firm and Snowflake ‘Elite Tier Partner’",{"data":2489,"marks":2490,"value":2491,"nodeType":1293},{},[]," – provided some of the access to Snowflake customers needed. It’s unclear what came first, but it’s possible (likely, even) that EPAM was identified as a target specifically because of its lucrative customer base and Snowflake credentials — adding another indicator that Snowflake was potentially a premeditated attack inspired by the availability of Snowflake credentials online.",{"data":2493,"content":2497,"nodeType":1339},{"target":2494},{"sys":2495},{"id":2496,"type":1344,"linkType":1345},"4D0gjt5oJLNKJH8GzjP8Je",[],{"data":2499,"content":2500,"nodeType":1360},{},[],{"data":2502,"content":2503,"nodeType":1364},{},[2504],{"data":2505,"marks":2506,"value":2508,"nodeType":1293},{},[2507],{"type":1332},"Key takeaways from the Snowflake attacks",{"data":2510,"content":2511,"nodeType":1506},{},[2512],{"data":2513,"marks":2514,"value":2516,"nodeType":1293},{},[2515],{"type":1332},"Securing your IdP accounts is not enough",{"data":2518,"content":2519,"nodeType":1294},{},[2520],{"data":2521,"marks":2522,"value":2523,"nodeType":1293},{},[],"SSO can help reduce your identity attack surface, but it's not feasible to get every workforce identity behind it.",{"data":2525,"content":2526,"nodeType":1380},{},[2527,2550,2572,2606],{"data":2528,"content":2529,"nodeType":1384},{},[2530],{"data":2531,"content":2532,"nodeType":1294},{},[2533,2537,2546],{"data":2534,"marks":2535,"value":2536,"nodeType":1293},{},[],"Only 1 in 3 apps support SAML SSO, and those that offer it often charge more for it; the “",{"data":2538,"content":2540,"nodeType":1589},{"uri":2539},"https://ssotax.org/",[2541],{"data":2542,"marks":2543,"value":2545,"nodeType":1293},{},[2544],{"type":1722},"SSO tax",{"data":2547,"marks":2548,"value":2549,"nodeType":1293},{},[],"”.",{"data":2551,"content":2552,"nodeType":1384},{},[2553],{"data":2554,"content":2555,"nodeType":1294},{},[2556,2560,2568],{"data":2557,"marks":2558,"value":2559,"nodeType":1293},{},[],"Many apps are self-adopted by employees, leaving security teams unaware and unable to enforce SSO.  The typical organization has ",{"data":2561,"content":2562,"nodeType":1589},{"uri":1716},[2563],{"data":2564,"marks":2565,"value":2567,"nodeType":1293},{},[2566],{"type":1722},"hundreds of apps and thousands of unmanaged identities outside of SSO",{"data":2569,"marks":2570,"value":2571,"nodeType":1293},{},[],".",{"data":2573,"content":2574,"nodeType":1384},{},[2575],{"data":2576,"content":2577,"nodeType":1294},{},[2578,2582,2589,2593,2602],{"data":2579,"marks":2580,"value":2581,"nodeType":1293},{},[],"Most apps do not prevent users from creating additional \"",{"data":2583,"content":2584,"nodeType":1589},{"uri":1959},[2585],{"data":2586,"marks":2587,"value":1962,"nodeType":1293},{},[2588],{"type":1722},{"data":2590,"marks":2591,"value":2592,"nodeType":1293},{},[],"\" methods outside of SSO (especially by default), accounting for around ",{"data":2594,"content":2596,"nodeType":1589},{"uri":2595},"https://pushsecurity.com/blog/how-many-vulnerable-identities-do-you-have/#id-identity-configurations-and-how-they-can-be-exploited_id-many-accounts-lack-the-most-basic-protections",[2597],{"data":2598,"marks":2599,"value":2601,"nodeType":1293},{},[2600],{"type":1722},"10% of all identities",{"data":2603,"marks":2604,"value":2605,"nodeType":1293},{},[]," observed by Push. ",{"data":2607,"content":2608,"nodeType":1384},{},[2609],{"data":2610,"content":2611,"nodeType":1294},{},[2612,2616,2624],{"data":2613,"marks":2614,"value":2615,"nodeType":1293},{},[],"In total, we identified that ",{"data":2617,"content":2618,"nodeType":1589},{"uri":1716},[2619],{"data":2620,"marks":2621,"value":2623,"nodeType":1293},{},[2622],{"type":1722},"37% (2 in 5) accounts have a password login set with no MFA",{"data":2625,"marks":2626,"value":2627,"nodeType":1293},{},[],", while 9% have no MFA AND a weak, breached, or reused password.",{"data":2629,"content":2630,"nodeType":1294},{},[2631],{"data":2632,"marks":2633,"value":2634,"nodeType":1293},{},[],"So, relying on locked-down IdP accounts and maximising the use of SSO is an important pillar of an effective identity security strategy, but there will always be gaps. Unless you recognize this, you may be blindsided by attackers finding them before you do. ",{"data":2636,"content":2637,"nodeType":1506},{},[2638],{"data":2639,"marks":2640,"value":2642,"nodeType":1293},{},[2641],{"type":1332},"The threat of infostealers and stolen credentials needs to be taken seriously",{"data":2644,"content":2645,"nodeType":1294},{},[2646],{"data":2647,"marks":2648,"value":2649,"nodeType":1293},{},[],"Breached credentials appearing online is not always seen as a top priority for security teams, particularly when there’s so much noise from all of the outdated or simply erroneous findings (anyone that’s ever subscribed to a credential TI feed knows the pain of this). ",{"data":2651,"content":2652,"nodeType":1294},{},[2653],{"data":2654,"marks":2655,"value":2656,"nodeType":1293},{},[],"But Snowflake serves as a stark reminder that despite all the false positives, stolen credentials are sometimes valid — and when weaponized at-scale they can be a powerful tool for attackers. ",{"data":2658,"content":2662,"nodeType":1339},{"target":2659},{"sys":2660},{"id":2661,"type":1344,"linkType":1345},"4EODpwKsqNivpvP2yMtZCd",[],{"data":2664,"content":2665,"nodeType":1506},{},[2666],{"data":2667,"marks":2668,"value":2670,"nodeType":1293},{},[2669],{"type":1332},"Don’t rely on third-parties to protect your identities for you",{"data":2672,"content":2673,"nodeType":1294},{},[2674],{"data":2675,"marks":2676,"value":2677,"nodeType":1293},{},[],"Snowflake came under fire following the attacks for not enabling MFA by default, or giving security teams sufficient tools to deal with the incident. ",{"data":2679,"content":2680,"nodeType":1294},{},[2681],{"data":2682,"marks":2683,"value":2684,"nodeType":1293},{},[],"This is perhaps justifiable, but is hardly the exception. Very few apps enforce MFA by default or provide a global MFA enforcement mechanism. Most don’t even provide audit logs (and when they do, the scope of logging is pretty limited). And we regularly encounter apps that don’t give you any information about account configuration as an admin — like which accounts have MFA, or the login methods that they’re using (e.g. SSO via SAML, SSO via OIDC, password, which IdPs are being used…) which is essential information to be able to secure your identity attack surface. ",{"data":2686,"content":2687,"nodeType":1294},{},[2688],{"data":2689,"marks":2690,"value":2691,"nodeType":1293},{},[],"Yes, it would be great if app vendors put security first and made controls available by default, for all customers (not just the premium ones). But in the absence of an industrywide shift toward security-first product development, it’s important that organizations don’t just point the finger at service providers — and take matters into their own hands when it comes to securing their user identities. ",{"data":2693,"content":2694,"nodeType":1506},{},[2695],{"data":2696,"marks":2697,"value":2699,"nodeType":1293},{},[2698],{"type":1332},"This isn’t a specific Snowflake problem — it could have been any application",{"data":2701,"content":2702,"nodeType":1294},{},[2703],{"data":2704,"marks":2705,"value":2706,"nodeType":1293},{},[],"While Snowflake was admittedly a high-value target because of the data it collected, apps with sensitive data (or with integrations connecting them to data collected in adjacent apps) are not in short supply. ",{"data":2708,"content":2709,"nodeType":1294},{},[2710],{"data":2711,"marks":2712,"value":2713,"nodeType":1293},{},[],"If we accept that many other apps are similarly desirable targets, then we should also consider that it’s unlikely that Snowflake is the only app that has valid credentials sitting around on the internet, waiting to be weaponized by criminals. Equally, it’s not the only app that doesn’t require mandatory MFA for user accounts, as we discussed above. The next Snowflake is likely to lurk in the same breached datasets, possibly even using the same credentials.",{"data":2715,"content":2716,"nodeType":1294},{},[2717],{"data":2718,"marks":2719,"value":2720,"nodeType":1293},{},[],"There’s been a clear increase in the number of infostealer and stolen credential related breaches and news stories since Snowflake as attackers wise up to the potential opportunity and start seeing the dollar signs. It would be naive to think that this was a one off event — the next Snowflake is probably not too far away. ",{"data":2722,"content":2723,"nodeType":1294},{},[2724],{"data":2725,"marks":2726,"value":2727,"nodeType":1293},{},[],"For a deep-dive analysis of the impact of Snowflake, check out our on-demand webinar from earlier this year.",{"data":2729,"content":2733,"nodeType":1339},{"target":2730},{"sys":2731},{"id":2732,"type":1344,"linkType":1345},"7LkU5DqE9HJ1PQu9BTg6Mw",[],{"data":2735,"content":2736,"nodeType":1360},{},[],{"data":2738,"content":2739,"nodeType":1364},{},[2740],{"data":2741,"marks":2742,"value":2744,"nodeType":1293},{},[2743],{"type":1332},"How to protect yourself from the next Snowflake using Push",{"data":2746,"content":2747,"nodeType":1294},{},[2748],{"data":2749,"marks":2750,"value":2751,"nodeType":1293},{},[],"Organizations looking to reduce their exposure to account takeover using stolen credentials should look to:",{"data":2753,"content":2754,"nodeType":1380},{},[2755,2765,2775],{"data":2756,"content":2757,"nodeType":1384},{},[2758],{"data":2759,"content":2760,"nodeType":1294},{},[2761],{"data":2762,"marks":2763,"value":2764,"nodeType":1293},{},[],"Identify the apps being used across the business and locate vulnerable workforce identities using weak, breached, or reused credentials, and missing MFA. Where SSO is the preferred login method, local username & password logins should ideally be removed. ",{"data":2766,"content":2767,"nodeType":1384},{},[2768],{"data":2769,"content":2770,"nodeType":1294},{},[2771],{"data":2772,"marks":2773,"value":2774,"nodeType":1293},{},[],"Where credentials appear in third-party data breaches, verify where they are still valid and ensure that the credentials are changed. ",{"data":2776,"content":2777,"nodeType":1384},{},[2778],{"data":2779,"content":2780,"nodeType":1294},{},[2781],{"data":2782,"marks":2783,"value":2784,"nodeType":1293},{},[],"Detect unauthorized access to workforce identities where sessions are initiated or resumed from unusual or unexpected locations. It should be noted that while this is a fairly common feature for larger enterprise cloud platforms with configurable access control policies, this is not typically possible for most SaaS applications.  ",{"data":2786,"content":2787,"nodeType":1294},{},[2788],{"data":2789,"marks":2790,"value":2791,"nodeType":1293},{},[],"All of these use cases can be achieved using Push. The Push browser extension detects all logins performed in employee browsers, capturing granular information about the login method and MFA types used, and enriching this data by integrating with your preferred IdP.",{"data":2793,"content":2794,"nodeType":1294},{},[2795,2799,2807],{"data":2796,"marks":2797,"value":2798,"nodeType":1293},{},[],"Push’s ",{"data":2800,"content":2802,"nodeType":1589},{"uri":2801},"https://pushsecurity.com/blog/verified-stolen-credential-detection",[2803],{"data":2804,"marks":2805,"value":2806,"nodeType":1293},{},[],"verified stolen credential detection feature",{"data":2808,"marks":2809,"value":2810,"nodeType":1293},{},[]," compares a k-anonymized hash of user passwords observed with stolen credential TI feeds to cut through the noise and identify where stolen credentials appearing online represent a genuine vulnerability.   ",{"data":2812,"content":2813,"nodeType":1294},{},[2814,2818,2827],{"data":2815,"marks":2816,"value":2817,"nodeType":1293},{},[],"On top of this, all logins made in browsers protected by the Push extension, across every app, are verified by ",{"data":2819,"content":2821,"nodeType":1589},{"uri":2820},"https://pushsecurity.com/blog/introducing-session-token-theft-detection-why-browser-is-best/",[2822],{"data":2823,"marks":2824,"value":2826,"nodeType":1293},{},[2825],{"type":1722},"adding a unique marker to the user agent string of the session",{"data":2828,"marks":2829,"value":2830,"nodeType":1293},{},[],", which will then appear in your IdP logs. This means that any session occurring outside of the Push-protected estate can be flagged to your security team via SIEM alert — including where an attacker uses stolen credentials to log into an app from a browser without the Push extension running. ",{"data":2832,"content":2836,"nodeType":1339},{"target":2833},{"sys":2834},{"id":2835,"type":1344,"linkType":1345},"3tqVk7Vr7pYLOEVukIJM2g",[],{"data":2838,"content":2839,"nodeType":1294},{},[2840],{"data":2841,"marks":2842,"value":37,"nodeType":1293},{},[],"Snowflake: Looking back on 2024’s landmark security event","165 Snowflake customers were targeted by criminals using stolen credentials from infostealer infections, impacting hundreds of millions of people. ","2024-11-29T00:00:00.000Z","snowflake-retro",{"items":2848},[2849],{"sys":2850,"name":1310},{"id":1309},{"items":2852},[2853],{"fullName":2041,"firstName":2042,"jobTitle":2043,"profilePicture":2854},{"url":2045},{"__typename":1314,"sys":2856,"content":2858,"title":3481,"synopsis":3482,"hashTags":118,"publishedDate":3483,"slug":3484,"tagsCollection":3485,"authorsCollection":3491},{"id":2857},"4UgGUvlZNqkJtx9nNprKg0",{"json":2859},{"nodeType":1295,"data":2860,"content":2861},{},[2862,2869,2901,2907,2914,2917,2925,2932,2939,2972,2979,2986,2993,2996,3004,3023,3030,3037,3043,3050,3057,3060,3068,3075,3082,3088,3095,3115,3148,3155,3158,3166,3173,3180,3186,3193,3200,3207,3213,3220,3226,3233,3236,3244,3251,3258,3261,3269,3276,3283,3290,3293,3301,3308,3315,3322,3329,3336,3342,3349,3356,3362,3369,3402,3409,3421,3441,3447,3450,3458,3465],{"nodeType":1294,"data":2863,"content":2864},{},[2865],{"nodeType":1293,"value":2866,"marks":2867,"data":2868},"Most organizations today have invested in an email security solution of some description. But even the most premium tools have significant limitations when it comes to modern phishing attacks. ",[],{},{"nodeType":1294,"data":2870,"content":2871},{},[2872,2876,2885,2889,2898],{"nodeType":1293,"value":2873,"marks":2874,"data":2875},"The data speaks for itself — phishing remains as big a problem as it ever was (if not bigger!) despite enormous investment in security products and training. In 2024, identity-based attack vectors involving a human element (phishing and stolen credentials) accounted for 80% of the initial access observed by ",[],{},{"nodeType":1589,"data":2877,"content":2879},{"uri":2878},"https://www.verizon.com/business/en-gb/resources/reports/dbir/",[2880],{"nodeType":1293,"value":2881,"marks":2882,"data":2884},"Verizon",[2883],{"type":1722},{},{"nodeType":1293,"value":2886,"marks":2887,"data":2888},", while 69% of organizations experienced a phishing incident in 2024 according to ",[],{},{"nodeType":1589,"data":2890,"content":2892},{"uri":2891},"https://www.idsalliance.org/white-paper/2024-trends-in-securing-digital-identities/",[2893],{"nodeType":1293,"value":2894,"marks":2895,"data":2897},"IDSA",[2896],{"type":1722},{},{"nodeType":1293,"value":1734,"marks":2899,"data":2900},[],{},{"nodeType":1339,"data":2902,"content":2906},{"target":2903},{"sys":2904},{"id":2905,"type":1344,"linkType":1345},"4urh9lIuo0ePgVIJZNtP2B",[],{"nodeType":1294,"data":2908,"content":2909},{},[2910],{"nodeType":1293,"value":2911,"marks":2912,"data":2913},"So, why are phishing attacks still so effective for attackers? ",[],{},{"nodeType":1360,"data":2915,"content":2916},{},[],{"nodeType":1364,"data":2918,"content":2919},{},[2920],{"nodeType":1293,"value":2921,"marks":2922,"data":2924},"Modern phishing attacks are evading established controls",[2923],{"type":1332},{},{"nodeType":1294,"data":2926,"content":2927},{},[2928],{"nodeType":1293,"value":2929,"marks":2930,"data":2931},"Let’s start with the lay of the land: What controls and capabilities do organizations typically rely on when it comes to blocking credential phishing?  ",[],{},{"nodeType":1294,"data":2933,"content":2934},{},[2935],{"nodeType":1293,"value":2936,"marks":2937,"data":2938},"If you’re using an email security solution, you’re relying on the following core capabilities when it comes to detecting malicious phishing pages:",[],{},{"nodeType":1380,"data":2940,"content":2941},{},[2942,2957],{"nodeType":1384,"data":2943,"content":2944},{},[2945],{"nodeType":1294,"data":2946,"content":2947},{},[2948,2953],{"nodeType":1293,"value":2949,"marks":2950,"data":2952},"Known-bad blocklists:",[2951],{"type":1332},{},{"nodeType":1293,"value":2954,"marks":2955,"data":2956}," Block users from accessing known-bad or unapproved domains/URLs, and block traffic from known-bad malicious IPs, using Threat Intelligence (TI) feeds.",[],{},{"nodeType":1384,"data":2958,"content":2959},{},[2960],{"nodeType":1294,"data":2961,"content":2962},{},[2963,2968],{"nodeType":1293,"value":2964,"marks":2965,"data":2967},"Malicious webpage detection:",[2966],{"type":1332},{},{"nodeType":1293,"value":2969,"marks":2970,"data":2971}," Inspect webpages by loading them in a sandbox to detect malicious elements.",[],{},{"nodeType":1294,"data":2973,"content":2974},{},[2975],{"nodeType":1293,"value":2976,"marks":2977,"data":2978},"This also applies to other solutions that rely on these capabilities, such as web-based content filtering (e.g. Google Safe Browsing), CASB, SASE, SWG, etc. ",[],{},{"nodeType":1294,"data":2980,"content":2981},{},[2982],{"nodeType":1293,"value":2983,"marks":2984,"data":2985},"But, attackers are now using specific tactics, techniques, procedures (TTPs) and tooling designed to defeat these solutions. ",[],{},{"nodeType":1294,"data":2987,"content":2988},{},[2989],{"nodeType":1293,"value":2990,"marks":2991,"data":2992},"Let’s look at where these controls are falling short. ",[],{},{"nodeType":1360,"data":2994,"content":2995},{},[],{"nodeType":1364,"data":2997,"content":2998},{},[2999],{"nodeType":1293,"value":3000,"marks":3001,"data":3003},"Attackers are innovating with new tooling and techniques",[3002],{"type":1332},{},{"nodeType":1294,"data":3005,"content":3006},{},[3007,3011,3020],{"nodeType":1293,"value":3008,"marks":3009,"data":3010},"The vast majority of phishing attacks today are executed using ",[],{},{"nodeType":1589,"data":3012,"content":3014},{"uri":3013},"https://pushsecurity.com/blog/phishing-2-0-how-phishing-toolkits-are-evolving-with-aitm/?utm_campaign=9983377-FY25Q1_Bleeping-Computer-Organic-Article&utm_source=bleepingcomputer&utm_medium=sponsored-content&utm_content=organic%20article",[3015],{"nodeType":1293,"value":3016,"marks":3017,"data":3019},"AitM phishing kits — otherwise known as “MFA bypass” kits",[3018],{"type":1722},{},{"nodeType":1293,"value":2571,"marks":3021,"data":3022},[],{},{"nodeType":1294,"data":3024,"content":3025},{},[3026],{"nodeType":1293,"value":3027,"marks":3028,"data":3029},"These kits use dedicated tooling to act as a proxy between the target and a legitimate login portal for an application. This allows the target to log in successfully with a legitimate service they use and even continue to interact with it. ",[],{},{"nodeType":1294,"data":3031,"content":3032},{},[3033],{"nodeType":1293,"value":3034,"marks":3035,"data":3036},"As it’s a proxy to the real application, the page will appear exactly as the user expects, because they are logging into the legitimate site – just taking a detour via the attacker’s device. However, because the attacker is sitting in the middle of this connection, they are able to observe all interactions, intercept authentication material like credentials, MFA codes, and session tokens to take control of the authenticated session and gain control of the user account. ",[],{},{"nodeType":1339,"data":3038,"content":3042},{"target":3039},{"sys":3040},{"id":3041,"type":1344,"linkType":1345},"3ZAawfzPVfhb8cmvWNZEVK",[],{"nodeType":1294,"data":3044,"content":3045},{},[3046],{"nodeType":1293,"value":3047,"marks":3048,"data":3049},"MFA was once widely regarded as the silver bullet for phishing (we all remember the Microsoft stat “MFA prevents over 99% of identity-based attacks”) but this is no longer the case. ",[],{},{"nodeType":1294,"data":3051,"content":3052},{},[3053],{"nodeType":1293,"value":3054,"marks":3055,"data":3056},"Not only are these kits incredibly effective at bypassing other anti-phishing controls like MFA, attackers are building them specifically to evade common detection tooling and techniques. ",[],{},{"nodeType":1360,"data":3058,"content":3059},{},[],{"nodeType":1506,"data":3061,"content":3062},{},[3063],{"nodeType":1293,"value":3064,"marks":3065,"data":3067},"Known-bad blocklists can’t keep up",[3066],{"type":1332},{},{"nodeType":1294,"data":3069,"content":3070},{},[3071],{"nodeType":1293,"value":3072,"marks":3073,"data":3074},"The fundamental limitation with known-bad blocklists is that they focus on indicators that are easy for attackers to change, in turn making detections based on them easy to bypass. ",[],{},{"nodeType":1294,"data":3076,"content":3077},{},[3078],{"nodeType":1293,"value":3079,"marks":3080,"data":3081},"Attackers have gotten pretty good at disguising and rotating these elements. In modern phishing attacks, every target can receive a unique email and link. Even just using a URL shortener can bypass this. It’s equivalent to a malware hash – trivial to change, and therefore not a great thing to pin your detections on. The kind of detection that sits right at the bottom of the Pyramid of Pain. ",[],{},{"nodeType":1339,"data":3083,"content":3087},{"target":3084},{"sys":3085},{"id":3086,"type":1344,"linkType":1345},"6cG2fx3AikwptyEyXKrYCK",[],{"nodeType":1294,"data":3089,"content":3090},{},[3091],{"nodeType":1293,"value":3092,"marks":3093,"data":3094},"You could look at which IP address the user connects to, but these days it’s very simple for attackers to add a new IP to their cloud-hosted server. If a domain is flagged as known-bad, the attacker only has to register a new domain, or compromise a WordPress server on an already trusted domain. Both of these things are happening on a massive scale as attackers pre-plan for the fact that their domains will be burned at some point. Attackers are more than happy to spend $10-$20 per new domain in the grand scheme of the potential proceeds of crime. ",[],{},{"nodeType":1294,"data":3096,"content":3097},{},[3098,3102,3111],{"nodeType":1293,"value":3099,"marks":3100,"data":3101},"For example, ",[],{},{"nodeType":1589,"data":3103,"content":3105},{"uri":3104},"https://pushsecurity.com/blog/how-aitm-phishing-kits-evade-detection/?utm_campaign=9983377-FY25Q1_Bleeping-Computer-Organic-Article&utm_source=bleepingcomputer&utm_medium=sponsored-content&utm_content=organic%20article",[3106],{"nodeType":1293,"value":3107,"marks":3108,"data":3110},"recent examples of Adversary-in-the-Middle phishing kits",[3109],{"type":1722},{},{"nodeType":1293,"value":3112,"marks":3113,"data":3114}," including Tycoon, Nakedpages, Evilginx were seen to rotate the URLs they resolve to (from a continually refreshed pool of URLs), mask the HTTP Referer header to disguise suspicious redirects, and redirect to benign (legitimate) domains if anyone but the intended victims attempted to visit the page. ",[],{},{"nodeType":1294,"data":3116,"content":3117},{},[3118,3122,3131,3135,3144],{"nodeType":1293,"value":3119,"marks":3120,"data":3121},"And in many cases, attackers are ",[],{},{"nodeType":1589,"data":3123,"content":3125},{"uri":3124},"https://www.bleepingcomputer.com/news/security/campaign-abusing-hubspot-targets-20-000-microsoft-azure-accounts/",[3126],{"nodeType":1293,"value":3127,"marks":3128,"data":3130},"leveraging legitimate SaaS services",[3129],{"type":1722},{},{"nodeType":1293,"value":3132,"marks":3133,"data":3134}," to conduct their campaigns (",[],{},{"nodeType":1589,"data":3136,"content":3138},{"uri":3137},"https://www.bleepingcomputer.com/news/security/proofpoint-settings-exploited-to-send-millions-of-phishing-emails-daily/",[3139],{"nodeType":1293,"value":3140,"marks":3141,"data":3143},"sometimes even using email protection services themselves!",[3142],{"type":1722},{},{"nodeType":1293,"value":3145,"marks":3146,"data":3147},") making it even harder to filter genuine from harmful links. ",[],{},{"nodeType":1294,"data":3149,"content":3150},{},[3151],{"nodeType":1293,"value":3152,"marks":3153,"data":3154},"But there’s a bigger issue here – for defenders to know that a URL, IP, or domain name is bad, it needs to be reported first. When are things reported? Typically after being used in an attack — so unfortunately, someone always gets hurt. ",[],{},{"nodeType":1360,"data":3156,"content":3157},{},[],{"nodeType":1506,"data":3159,"content":3160},{},[3161],{"nodeType":1293,"value":3162,"marks":3163,"data":3165},"Malicious webpage detections are failing",[3164],{"type":1332},{},{"nodeType":1294,"data":3167,"content":3168},{},[3169],{"nodeType":1293,"value":3170,"marks":3171,"data":3172},"Attackers are using various tricks to prevent security tools and bots from reaching their phishing pages to analyse them. ",[],{},{"nodeType":1294,"data":3174,"content":3175},{},[3176],{"nodeType":1293,"value":3177,"marks":3178,"data":3179},"Using legitimate services to host their domains is increasingly common, with services like Cloudflare Workers used for the initial gateway, and Cloudflare Turnstile to prevent security bots from advancing to the page. ",[],{},{"nodeType":1339,"data":3181,"content":3185},{"target":3182},{"sys":3183},{"id":3184,"type":1344,"linkType":1345},"4XNxLbiZf3xUK1WeFDjjxl",[],{"nodeType":1294,"data":3187,"content":3188},{},[3189],{"nodeType":1293,"value":3190,"marks":3191,"data":3192},"Even if you can get past Turnstile, then you’ll need to supply the correct URL parameters and headers, and execute JavaScript, to be served the malicious page. This means that a defender who knows the domain name can’t discover the malicious behavior just by making a simple HTTP(S) request to the domain.",[],{},{"nodeType":1294,"data":3194,"content":3195},{},[3196],{"nodeType":1293,"value":3197,"marks":3198,"data":3199},"And if all this wasn’t enough, they’re also obfuscating both visual and DOM elements to prevent signature-based detections from picking them up — so even if you can land on the page, there’s a high chance that your detections won’t trigger. ",[],{},{"nodeType":1294,"data":3201,"content":3202},{},[3203],{"nodeType":1293,"value":3204,"marks":3205,"data":3206},"By changing the DOM structure, attackers are loading functionally equivalent pages that look very different under the hood.",[],{},{"nodeType":1339,"data":3208,"content":3212},{"target":3209},{"sys":3210},{"id":3211,"type":1344,"linkType":1345},"2dN8np5odBecf7r1vBr69K",[],{"nodeType":1294,"data":3214,"content":3215},{},[3216],{"nodeType":1293,"value":3217,"marks":3218,"data":3219},"They’re also randomizing page titles, dynamically decoding text, changing the size and name of image elements, using different favicons, blurring backgrounds, substituting logos, and more… all to defeat common detections. ",[],{},{"nodeType":1339,"data":3221,"content":3225},{"target":3222},{"sys":3223},{"id":3224,"type":1344,"linkType":1345},"3hlzM3qIqaZHy3qxtnRS5x",[],{"nodeType":1294,"data":3227,"content":3228},{},[3229],{"nodeType":1293,"value":3230,"marks":3231,"data":3232},"With all this, it’s no surprise that defenders can’t keep up. ",[],{},{"nodeType":1360,"data":3234,"content":3235},{},[],{"nodeType":1364,"data":3237,"content":3238},{},[3239],{"nodeType":1293,"value":3240,"marks":3241,"data":3243},"The verdict",[3242],{"type":1332},{},{"nodeType":1294,"data":3245,"content":3246},{},[3247],{"nodeType":1293,"value":3248,"marks":3249,"data":3250},"Historically, the industry has seen email security solutions and anti-phishing as the same thing. But it’s clear that email-based phishing protection isn’t really cutting it when it comes to modern credential phishing attacks (the most common and impactful phishing variant today). ",[],{},{"nodeType":1294,"data":3252,"content":3253},{},[3254],{"nodeType":1293,"value":3255,"marks":3256,"data":3257},"This isn’t to say that email-based solutions have no value — far from it. But relying on email scanners to detect phishing pages as a single line of defense isn’t enough anymore. ",[],{},{"nodeType":1360,"data":3259,"content":3260},{},[],{"nodeType":1364,"data":3262,"content":3263},{},[3264],{"nodeType":1293,"value":3265,"marks":3266,"data":3268},"Building better phishing controls",[3267],{"type":1332},{},{"nodeType":1294,"data":3270,"content":3271},{},[3272],{"nodeType":1293,"value":3273,"marks":3274,"data":3275},"The key to solving this problem is, put simply, building better controls. But to do this, we need to move away from email as being the primary (or often the only) place where phishing attacks can be stopped. ",[],{},{"nodeType":1294,"data":3277,"content":3278},{},[3279],{"nodeType":1293,"value":3280,"marks":3281,"data":3282},"While email is the main delivery vector for phishing attacks (at least, according to the data we have, which comes primarily from email security solutions) it’s not the only one. Phishing links are increasingly delivered to victims over IM platforms, social media — and generally over the internet. ",[],{},{"nodeType":1294,"data":3284,"content":3285},{},[3286],{"nodeType":1293,"value":3287,"marks":3288,"data":3289},"A better solution to the problem would therefore be able to follow the user across the sites they use, and see the actual phishing pages as the user sees them, as opposed to a sandbox (which, as we’ve discussed, attackers are well prepared for). ",[],{},{"nodeType":1360,"data":3291,"content":3292},{},[],{"nodeType":1506,"data":3294,"content":3295},{},[3296],{"nodeType":1293,"value":3297,"marks":3298,"data":3300},"Is browser-based phishing protection the solution?",[3299],{"type":1332},{},{"nodeType":1294,"data":3302,"content":3303},{},[3304],{"nodeType":1293,"value":3305,"marks":3306,"data":3307},"While we’ve been conditioned to think about phishing as something that happens over email, it’s actually the browser where most of the action happens, regardless of the initial delivery channel.",[],{},{"nodeType":1294,"data":3309,"content":3310},{},[3311],{"nodeType":1293,"value":3312,"marks":3313,"data":3314},"And while it’s tempting to view the delivery of a phishing link as the attack itself, the phish can’t succeed unless the victim enters their genuine credentials on the malicious page. ",[],{},{"nodeType":1294,"data":3316,"content":3317},{},[3318],{"nodeType":1293,"value":3319,"marks":3320,"data":3321},"Push provides a browser-based identity security solution that stops phishing attacks where they happen — in employee browsers. ",[],{},{"nodeType":1294,"data":3323,"content":3324},{},[3325],{"nodeType":1293,"value":3326,"marks":3327,"data":3328},"Being in the browser delivers a lot of advantages when it comes to detecting and intercepting phishing attacks. You see the live webpage that the user sees, meaning you have much better visibility of malicious elements running on the page. It also means that you can implement real-time controls that kick in when a malicious element is detected. ",[],{},{"nodeType":1294,"data":3330,"content":3331},{},[3332],{"nodeType":1293,"value":3333,"marks":3334,"data":3335},"There’s a clear difference when you compare a phishing attack with and without Push. ",[],{},{"nodeType":1339,"data":3337,"content":3341},{"target":3338},{"sys":3339},{"id":3340,"type":1344,"linkType":1345},"2CbGMUSJsP1mNeHkmpLl6N",[],{"nodeType":1294,"data":3343,"content":3344},{},[3345],{"nodeType":1293,"value":3346,"marks":3347,"data":3348},"Here, an attacker hacks a WordPress blog to get a reputable domain and then runs a phishing toolkit on the webpage. They email one of your employees a link to it. Your SWG or email scanning solution inspects it in a sandbox but the phish kit detects this and redirects to a benign site so that it passes the inspection. ",[],{},{"nodeType":1294,"data":3350,"content":3351},{},[3352],{"nodeType":1293,"value":3353,"marks":3354,"data":3355},"Your user gets the email with the link and is now free to interact with the phishing page. They enter their credentials plus MFA code into the page and voila! The attacker steals the authenticated session and takes over the user’s account.  ",[],{},{"nodeType":1339,"data":3357,"content":3361},{"target":3358},{"sys":3359},{"id":3360,"type":1344,"linkType":1345},"77smnID1woCfFJrJPyTvKY",[],{"nodeType":1294,"data":3363,"content":3364},{},[3365],{"nodeType":1293,"value":3366,"marks":3367,"data":3368},"But with Push, our browser extension inspects the webpage running in the user's browser. Push observes that the webpage is a login page and the user is entering their password into the page, detecting that:",[],{},{"nodeType":1380,"data":3370,"content":3371},{},[3372,3382,3392],{"nodeType":1384,"data":3373,"content":3374},{},[3375],{"nodeType":1294,"data":3376,"content":3377},{},[3378],{"nodeType":1293,"value":3379,"marks":3380,"data":3381},"The password the user is entering matches the domain that password is pinned to. Since it doesn't match, based on this detection alone the user is automatically redirected to a blocking page. ",[],{},{"nodeType":1384,"data":3383,"content":3384},{},[3385],{"nodeType":1294,"data":3386,"content":3387},{},[3388],{"nodeType":1293,"value":3389,"marks":3390,"data":3391},"The rendered web app is using a cloned app login page.",[],{},{"nodeType":1384,"data":3393,"content":3394},{},[3395],{"nodeType":1294,"data":3396,"content":3397},{},[3398],{"nodeType":1293,"value":3399,"marks":3400,"data":3401},"A phishing toolkit is running on the web page. ",[],{},{"nodeType":1294,"data":3403,"content":3404},{},[3405],{"nodeType":1293,"value":3406,"marks":3407,"data":3408},"As a result, the user is blocked from interacting with the phishing site and prevented from continuing. ",[],{},{"nodeType":1294,"data":3410,"content":3411},{},[3412,3416],{"nodeType":1293,"value":3413,"marks":3414,"data":3415},"These are good examples of detections that are difficult (or impossible) for an attacker to evade — ",[],{},{"nodeType":1293,"value":3417,"marks":3418,"data":3420},"you can’t phish a victim if they can’t enter their credentials into your phishing site! ",[3419],{"type":1332},{},{"nodeType":1294,"data":3422,"content":3423},{},[3424,3428,3437],{"nodeType":1293,"value":3425,"marks":3426,"data":3427},"If we look at the Pyramid of Pain again, we can see that these are much harder detections for attackers to get around, ",[],{},{"nodeType":1589,"data":3429,"content":3431},{"uri":3430},"https://pushsecurity.com/blog/shifting-detection-left-for-more-effective-itdr/?utm_campaign=9983377-FY25Q1_Bleeping-Computer-Organic-Article&utm_source=bleepingcomputer&utm_medium=sponsored-content&utm_content=organic%20article",[3432],{"nodeType":1293,"value":3433,"marks":3434,"data":3436},"enabling earlier detection and interception of account takeover ",[3435],{"type":1722},{},{"nodeType":1293,"value":3438,"marks":3439,"data":3440},"when compared to static, TI-driven blocklists — stopping attacks before anyone gets hurt.",[],{},{"nodeType":1339,"data":3442,"content":3446},{"target":3443},{"sys":3444},{"id":3445,"type":1344,"linkType":1345},"6q8H7vA8k7mLrSsr5R0TZ1",[],{"nodeType":1360,"data":3448,"content":3449},{},[],{"nodeType":1364,"data":3451,"content":3452},{},[3453],{"nodeType":1293,"value":3454,"marks":3455,"data":3457},"We don’t just stop phishing attacks",[3456],{"type":1332},{},{"nodeType":1294,"data":3459,"content":3460},{},[3461],{"nodeType":1293,"value":3462,"marks":3463,"data":3464},"It doesn’t stop there — Push provides comprehensive identity attack detection and response capabilities against techniques like credential stuffing, password spraying and session hijacking using stolen session tokens. You can also use Push to find and fix identity vulnerabilities across every app that your employees use like: ghost logins; SSO coverage gaps; MFA gaps; weak, breached and reused passwords; risky OAuth integrations; and more. ",[],{},{"nodeType":1294,"data":3466,"content":3467},{},[3468,3471,3478],{"nodeType":1293,"value":2012,"marks":3469,"data":3470},[],{},{"nodeType":1589,"data":3472,"content":3473},{"uri":2017},[3474],{"nodeType":1293,"value":2020,"marks":3475,"data":3477},[3476],{"type":1722},{},{"nodeType":1293,"value":2024,"marks":3479,"data":3480},[],{},"Why it's time for phishing prevention to move beyond email","Modern MFA-bypass phishing attacks are routinely defeating primarily email-based security controls. Why are controls failing and what can we do about it? ","2025-03-20T00:00:00.000Z","why-its-time-for-phishing-prevention-to-move-beyond-email",{"items":3486},[3487,3489],{"sys":3488,"name":1310},{"id":1309},{"sys":3490,"name":2037},{"id":2036},{"items":3492},[3493],{"fullName":2041,"firstName":2042,"jobTitle":2043,"profilePicture":3494},{"url":2045},{"url":3496},"https://images.ctfassets.net/y1cdw1ablpvd/2R3y1Vz94cVhq3HoDTc4XJ/4969af758b586dfee340169ea0d620a5/Kelly_Product_Video_Thumbnail__7_.jpg",{"items":3498},[3499],{"fullName":3500,"firstName":3501,"jobTitle":3502,"profilePicture":3503},"Kelly Davenport","Kelly","Product Team",{"url":3504},"https://images.ctfassets.net/y1cdw1ablpvd/1hi8bEuVfn5sF57LivAq6d/9a3b82426c697d765e2e450e33a18424/kelly_profile_pic.jpeg",{"json":3506,"links":4499},{"nodeType":1295,"data":3507,"content":3508},{},[3509,3529,3536,3543,3550,3557,3563,3570,3586,3589,3596,3603,3610,3617,3627,3634,3641,3648,3656,3663,3735,3747,3754,3762,3769,3827,3839,3846,3852,3860,3867,3900,3923,3930,3940,3943,3950,3970,3977,4010,4017,4024,4031,4037,4040,4047,4054,4062,4069,4076,4092,4098,4106,4113,4119,4127,4147,4154,4187,4207,4213,4233,4253,4261,4268,4275,4281,4300,4303,4311,4326,4333,4340,4390,4395,4402,4409,4452,4455,4463,4470,4473,4480],{"nodeType":1294,"data":3510,"content":3511},{},[3512,3516,3525],{"nodeType":1293,"value":3513,"marks":3514,"data":3515},"It wasn’t supposed to be like this. Passwords were supposed to be dead (just ask ",[],{},{"nodeType":1589,"data":3517,"content":3519},{"uri":3518},"https://www.cnet.com/news/privacy/gates-predicts-death-of-the-password/",[3520],{"nodeType":1293,"value":3521,"marks":3522,"data":3524},"Bill Gates",[3523],{"type":1722},{},{"nodeType":1293,"value":3526,"marks":3527,"data":3528},").",[],{},{"nodeType":1294,"data":3530,"content":3531},{},[3532],{"nodeType":1293,"value":3533,"marks":3534,"data":3535},"Instead, hardworking security pros are left to sit around in community center basements drinking mediocre coffee and commiserating.",[],{},{"nodeType":1294,"data":3537,"content":3538},{},[3539],{"nodeType":1293,"value":3540,"marks":3541,"data":3542},"“I admit it. My users still use passwords.”",[],{},{"nodeType":1294,"data":3544,"content":3545},{},[3546],{"nodeType":1293,"value":3547,"marks":3548,"data":3549},"“Yeah, mine too. I’ve been telling people we’re rolling out passkeys for three years now. I’m not sure how much longer I can keep this up …”",[],{},{"nodeType":1294,"data":3551,"content":3552},{},[3553],{"nodeType":1293,"value":3554,"marks":3555,"data":3556},"Somber nodding all around. Hugs. A few chocolate-chip cookies on paper napkins.",[],{},{"nodeType":1339,"data":3558,"content":3562},{"target":3559},{"sys":3560},{"id":3561,"type":1344,"linkType":1345},"4Wt29DxSSczFt5THWkuIiS",[],{"nodeType":1294,"data":3564,"content":3565},{},[3566],{"nodeType":1293,"value":3567,"marks":3568,"data":3569},"This is a no-judgment zone here at Push Security. So let’s take a look at why we’re still stuck with passwords, how attackers are increasingly exploiting weak credentials to infiltrate organizations, and how Push can help you get visibility and control of all your workforce identities.",[],{},{"nodeType":1294,"data":3571,"content":3572},{},[3573,3577,3582],{"nodeType":1293,"value":3574,"marks":3575,"data":3576},"We’ll also cover how you can use Push’s latest feature, ",[],{},{"nodeType":1293,"value":3578,"marks":3579,"data":3581},"Strong password enforcement",[3580],{"type":1332},{},{"nodeType":1293,"value":3583,"marks":3584,"data":3585},", to require that employees use strong, unique passwords. Push automatically detects when employees have weak, reused, or stolen passwords and then guides them to update their password using in-browser messaging — even on apps that don’t natively support administrative control of password posture.",[],{},{"nodeType":1360,"data":3587,"content":3588},{},[],{"nodeType":1364,"data":3590,"content":3591},{},[3592],{"nodeType":1293,"value":3593,"marks":3594,"data":3595},"3 reasons why we’re still stuck with passwords",[],{},{"nodeType":1294,"data":3597,"content":3598},{},[3599],{"nodeType":1293,"value":3600,"marks":3601,"data":3602},"At the risk of preaching to the choir, let’s review why we’re still stuck with passwords. ",[],{},{"nodeType":1294,"data":3604,"content":3605},{},[3606],{"nodeType":1293,"value":3607,"marks":3608,"data":3609},"It’s worth stating the Push perspective up front: We’re not here to push the narrative that you must completely get rid of passwords. To begin with, it’s not easy to get rid of them. Like the imaginary scene from the passwordless support group, we’ve lived the reality of this.",[],{},{"nodeType":1294,"data":3611,"content":3612},{},[3613],{"nodeType":1293,"value":3614,"marks":3615,"data":3616},"What we observe across our install base for the Push browser agent reinforces this reality. For the last 1 million or so logins that Push recorded, more than a quarter (26%) were password logins.",[],{},{"nodeType":2147,"data":3618,"content":3619},{},[3620],{"nodeType":1294,"data":3621,"content":3622},{},[3623],{"nodeType":1293,"value":3624,"marks":3625,"data":3626},"For the last 1M+ logins that the Push browser agent observed, more than a quarter were password logins.",[],{},{"nodeType":1294,"data":3628,"content":3629},{},[3630],{"nodeType":1293,"value":3631,"marks":3632,"data":3633},"Of those password logins, 18% had a security issue with the password — reused, easily guessable, already leaked in a public breach list, or actively for sale in criminal forums.",[],{},{"nodeType":1294,"data":3635,"content":3636},{},[3637],{"nodeType":1293,"value":3638,"marks":3639,"data":3640},"Yet when strong, unique passwords are used in conjunction with MFA, they can provide a powerful line of defense. Indeed, in cases where onboarding an app to SSO isn’t possible (for reasons we’ll cover below), a strong, unique password plus MFA is the most pragmatic solution you can achieve.",[],{},{"nodeType":1294,"data":3642,"content":3643},{},[3644],{"nodeType":1293,"value":3645,"marks":3646,"data":3647},"Here’s why bad passwords persist, and why it matters.",[],{},{"nodeType":1506,"data":3649,"content":3650},{},[3651],{"nodeType":1293,"value":3652,"marks":3653,"data":3655},"Systemic reasons",[3654],{"type":1332},{},{"nodeType":1294,"data":3657,"content":3658},{},[3659],{"nodeType":1293,"value":3660,"marks":3661,"data":3662},"If we zoom out, there are several systemic reasons that contribute to the persistence of password security issues:",[],{},{"nodeType":1380,"data":3664,"content":3665},{},[3666,3693,3720],{"nodeType":1384,"data":3667,"content":3668},{},[3669],{"nodeType":1294,"data":3670,"content":3671},{},[3672,3677,3681,3689],{"nodeType":1293,"value":3673,"marks":3674,"data":3676},"Self-adoption of work apps",[3675],{"type":1332},{},{"nodeType":1293,"value":3678,"marks":3679,"data":3680}," makes it extremely difficult to know all the workforce identities that exist across your environment, let alone whether they’re using a secure authentication method, or the strength or uniqueness of their password. Push’s ",[],{},{"nodeType":1589,"data":3682,"content":3683},{"uri":1716},[3684],{"nodeType":1293,"value":3685,"marks":3686,"data":3688},"own research",[3687],{"type":1722},{},{"nodeType":1293,"value":3690,"marks":3691,"data":3692}," shows that for an average organization, each employee has 15 identities.",[],{},{"nodeType":1384,"data":3694,"content":3695},{},[3696],{"nodeType":1294,"data":3697,"content":3698},{},[3699,3704,3708,3716],{"nodeType":1293,"value":3700,"marks":3701,"data":3703},"Apps optimize signups for low friction, not security.",[3702],{"type":1332},{},{"nodeType":1293,"value":3705,"marks":3706,"data":3707}," That often results in multiple authentication methods tied to any given account because local password accounts can still persist even after SSO onboarding — a phenomenon that we call ",[],{},{"nodeType":1589,"data":3709,"content":3711},{"uri":3710},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/ghost_logins/description.md",[3712],{"nodeType":1293,"value":2417,"marks":3713,"data":3715},[3714],{"type":1722},{},{"nodeType":1293,"value":3717,"marks":3718,"data":3719}," because they provide attackers with a way around a company’s enterprise SSO solution. These local accounts represent a significant risk, and most are invisible. Which brings us to …",[],{},{"nodeType":1384,"data":3721,"content":3722},{},[3723],{"nodeType":1294,"data":3724,"content":3725},{},[3726,3731],{"nodeType":1293,"value":3727,"marks":3728,"data":3730},"Many apps provide very little information to admins about the posture of accounts",[3729],{"type":1332},{},{"nodeType":1293,"value":3732,"marks":3733,"data":3734}," on that service, and even fewer offer management options to address security issues on those accounts. Some services provide no information at all about which accounts can even access a given tenant.",[],{},{"nodeType":1294,"data":3736,"content":3737},{},[3738,3743],{"nodeType":1293,"value":3739,"marks":3740,"data":3742},"The impact: ",[3741],{"type":1332},{},{"nodeType":1293,"value":3744,"marks":3745,"data":3746},"These systemic factors contribute to what we see many organizations grappling with: Known visibility gaps in their workforce identities, which are scattered across many more third-party apps than they imagine, and unknown account security risks for both managed and unmanaged apps.",[],{},{"nodeType":1294,"data":3748,"content":3749},{},[3750],{"nodeType":1293,"value":3751,"marks":3752,"data":3753},"These gaps open up a large attack surface for organizations. The 2024 Verizon DBIR found that 79% of web application compromises were the result of breached creds, and researchers at IBM reported last year that they observed a 71% year-over-year increase in cyberattacks using stolen or compromised credentials.",[],{},{"nodeType":1506,"data":3755,"content":3756},{},[3757],{"nodeType":1293,"value":3758,"marks":3759,"data":3761},"Technical reasons",[3760],{"type":1332},{},{"nodeType":1294,"data":3763,"content":3764},{},[3765],{"nodeType":1293,"value":3766,"marks":3767,"data":3768},"There are also several technical reasons why bad passwords persist:",[],{},{"nodeType":1380,"data":3770,"content":3771},{},[3772,3800],{"nodeType":1384,"data":3773,"content":3774},{},[3775],{"nodeType":1294,"data":3776,"content":3777},{},[3778,3781,3791,3796],{"nodeType":1293,"value":37,"marks":3779,"data":3780},[],{},{"nodeType":1589,"data":3782,"content":3784},{"uri":3783},"https://www.ncsc.gov.uk/blog-post/passkeys-not-perfect-getting-better",[3785],{"nodeType":1293,"value":3786,"marks":3787,"data":3790},"Going passwordless is hard",[3788,3789],{"type":1722},{"type":1332},{},{"nodeType":1293,"value":3792,"marks":3793,"data":3795}," ",[3794],{"type":1332},{},{"nodeType":1293,"value":3797,"marks":3798,"data":3799},"because it requires a large investment of time, money, and training for end-users. In environments with a mix of older and newer infrastructure, it can be challenging to get complete coverage, and employees may struggle with the transition to device-based authentication (especially when they lose their device and aren’t familiar with how to regain account access).",[],{},{"nodeType":1384,"data":3801,"content":3802},{},[3803],{"nodeType":1294,"data":3804,"content":3805},{},[3806,3811,3815,3823],{"nodeType":1293,"value":3807,"marks":3808,"data":3810},"Many apps do not even provide a SAML option",[3809],{"type":1332},{},{"nodeType":1293,"value":3812,"marks":3813,"data":3814},", making it difficult to onboard every business app to SSO even once you know about them all. Last we checked, only about 30% of commonly used work apps supported SAML. Even when apps do provide the option, many charge the infamous “",[],{},{"nodeType":1589,"data":3816,"content":3818},{"uri":3817},"https://sso.tax/",[3819],{"nodeType":1293,"value":2545,"marks":3820,"data":3822},[3821],{"type":1722},{},{"nodeType":1293,"value":3824,"marks":3825,"data":3826},",” putting the feature behind enterprise plans.",[],{},{"nodeType":1294,"data":3828,"content":3829},{},[3830,3835],{"nodeType":1293,"value":3831,"marks":3832,"data":3834},"The impact:",[3833],{"type":1332},{},{"nodeType":1293,"value":3836,"marks":3837,"data":3838}," What ends up happening in many organizations is a patchwork of login methods, including passwords, passkeys, OIDC, and SAML. Looking at data from Push’s install base, we see on average around 15,000 accounts per 1,000 users, with 5,900+ outside of SSO — about 40%. ",[],{},{"nodeType":1294,"data":3840,"content":3841},{},[3842],{"nodeType":1293,"value":3843,"marks":3844,"data":3845},"That means more — not less — for a security and IT team to manage, often without the visibility or control they need to do so effectively.",[],{},{"nodeType":1339,"data":3847,"content":3851},{"target":3848},{"sys":3849},{"id":3850,"type":1344,"linkType":1345},"2QnWVpPYRyJQaQ5TuKSSLp",[],{"nodeType":1506,"data":3853,"content":3854},{},[3855],{"nodeType":1293,"value":3856,"marks":3857,"data":3859},"Human reasons",[3858],{"type":1332},{},{"nodeType":1294,"data":3861,"content":3862},{},[3863],{"nodeType":1293,"value":3864,"marks":3865,"data":3866},"Finally, there are a lot of human reasons why poor passwords persist, all of them familiar and intractable:",[],{},{"nodeType":1380,"data":3868,"content":3869},{},[3870,3885],{"nodeType":1384,"data":3871,"content":3872},{},[3873],{"nodeType":1294,"data":3874,"content":3875},{},[3876,3881],{"nodeType":1293,"value":3877,"marks":3878,"data":3880},"Password change fatigue",[3879],{"type":1332},{},{"nodeType":1293,"value":3882,"marks":3883,"data":3884},", resulting in weak and reused passwords — often driven by incomplete adoption of enterprise password managers or outdated password security policies that require users to rotate passwords frequently. ",[],{},{"nodeType":1384,"data":3886,"content":3887},{},[3888],{"nodeType":1294,"data":3889,"content":3890},{},[3891,3896],{"nodeType":1293,"value":3892,"marks":3893,"data":3895},"Shortcuts that busy humans take",[3894],{"type":1332},{},{"nodeType":1293,"value":3897,"marks":3898,"data":3899}," to get work done on a daily basis, including reusing passwords across personal and corporate accounts, storing passwords insecurely, and using easier-to-remember passwords over secure, complex ones.  ",[],{},{"nodeType":1294,"data":3901,"content":3902},{},[3903,3907,3911,3919],{"nodeType":1293,"value":3831,"marks":3904,"data":3906},[3905],{"type":1332},{},{"nodeType":1293,"value":3908,"marks":3909,"data":3910}," When there’s a large, complex, and largely invisible attack surface made up of these online corporate identities, adversaries profit. Just look at any of the ",[],{},{"nodeType":1589,"data":3912,"content":3913},{"uri":1610},[3914],{"nodeType":1293,"value":3915,"marks":3916,"data":3918},"major identity attacks",[3917],{"type":1722},{},{"nodeType":1293,"value":3920,"marks":3921,"data":3922}," of the past year, some of which used password-spraying and credential-stuffing techniques to compromise accounts and pivot to high-value systems and data.",[],{},{"nodeType":1294,"data":3924,"content":3925},{},[3926],{"nodeType":1293,"value":3927,"marks":3928,"data":3929},"Password reuse also extends the blast radius for any account takeover incident when MFA is missing — a gap that occurs more often than you may think. Typically, 37% of logins observed by Push upon initial deployment into a new customer environment do not use any form of MFA.",[],{},{"nodeType":2147,"data":3931,"content":3932},{},[3933],{"nodeType":1294,"data":3934,"content":3935},{},[3936],{"nodeType":1293,"value":3937,"marks":3938,"data":3939},"2 in 5 logins observed by Push upon initial deployment into a new customer environment do not use any form of MFA.",[],{},{"nodeType":1360,"data":3941,"content":3942},{},[],{"nodeType":1364,"data":3944,"content":3945},{},[3946],{"nodeType":1293,"value":3947,"marks":3948,"data":3949},"Why identity posture matters more in a SaaS-first world",[],{},{"nodeType":1294,"data":3951,"content":3952},{},[3953,3957,3966],{"nodeType":1293,"value":3954,"marks":3955,"data":3956},"When most work now happens via the browser on web-based applications, the stakes are even higher for preventing account takeover. That’s because the way that attacks occur in a SaaS environment is ",[],{},{"nodeType":1589,"data":3958,"content":3960},{"uri":3959},"https://pushsecurity.com/blog/shifting-detection-left-for-more-effective-itdr/",[3961],{"nodeType":1293,"value":3962,"marks":3963,"data":3965},"very different",[3964],{"type":1722},{},{"nodeType":1293,"value":3967,"marks":3968,"data":3969}," from traditional network attacks, and there are few effective ways to detect and respond post-account compromise.",[],{},{"nodeType":1294,"data":3971,"content":3972},{},[3973],{"nodeType":1293,"value":3974,"marks":3975,"data":3976},"The average SaaS attack path looks like this:",[],{},{"nodeType":1380,"data":3978,"content":3979},{},[3980,3990,4000],{"nodeType":1384,"data":3981,"content":3982},{},[3983],{"nodeType":1294,"data":3984,"content":3985},{},[3986],{"nodeType":1293,"value":3987,"marks":3988,"data":3989},"Attackers gain control of legitimate employee accounts using stolen credentials or via password-spraying or credential-stuffing techniques.",[],{},{"nodeType":1384,"data":3991,"content":3992},{},[3993],{"nodeType":1294,"data":3994,"content":3995},{},[3996],{"nodeType":1293,"value":3997,"marks":3998,"data":3999},"Attackers exfiltrate data.",[],{},{"nodeType":1384,"data":4001,"content":4002},{},[4003],{"nodeType":1294,"data":4004,"content":4005},{},[4006],{"nodeType":1293,"value":4007,"marks":4008,"data":4009},"The end.",[],{},{"nodeType":1294,"data":4011,"content":4012},{},[4013],{"nodeType":1293,"value":4014,"marks":4015,"data":4016},"Compare that to traditional network or enterprise cloud attacks, which usually involve more complex lateral movement, privilege escalation, and defense evasion.",[],{},{"nodeType":1294,"data":4018,"content":4019},{},[4020],{"nodeType":1293,"value":4021,"marks":4022,"data":4023},"With limited log data and few response capabilities provided by most SaaS apps, security teams also have few good options to stop the damage of an account takeover once one has occurred. ",[],{},{"nodeType":1294,"data":4025,"content":4026},{},[4027],{"nodeType":1293,"value":4028,"marks":4029,"data":4030},"That’s why at Push, we advocate for “shifting left,” and preventing account takeover before it happens.",[],{},{"nodeType":1339,"data":4032,"content":4036},{"target":4033},{"sys":4034},{"id":4035,"type":1344,"linkType":1345},"6wIzMu3jBhaas9jtpV48bz",[],{"nodeType":1360,"data":4038,"content":4039},{},[],{"nodeType":1364,"data":4041,"content":4042},{},[4043],{"nodeType":1293,"value":4044,"marks":4045,"data":4046},"How Push helps you ensure strong passwords",[],{},{"nodeType":1294,"data":4048,"content":4049},{},[4050],{"nodeType":1293,"value":4051,"marks":4052,"data":4053},"There are four capabilities that security teams need in order to regain control over password security issues across their corporate accounts. Here’s how Push accomplishes each one.",[],{},{"nodeType":1506,"data":4055,"content":4056},{},[4057],{"nodeType":1293,"value":4058,"marks":4059,"data":4061},"1. A reliable inventory of all the apps that employees are using, including work apps and internal apps.",[4060],{"type":1332},{},{"nodeType":1294,"data":4063,"content":4064},{},[4065],{"nodeType":1293,"value":4066,"marks":4067,"data":4068},"Push achieves this by deploying a browser agent to employee browsers that can directly observe their login activity, which feeds the data back into an admin console (or your SIEM/SOAR or other third-party system). You can enforce the installation of the agent using any MDM solution, on all major browsers.",[],{},{"nodeType":1294,"data":4070,"content":4071},{},[4072],{"nodeType":1293,"value":4073,"marks":4074,"data":4075},"Once the agent is activated, it begins immediately capturing employee logins and produces a real-time inventory of all your work and internal apps. Because Push observes the login directly in the browser, it can identify all the apps and accounts being used by your employees — both managed and unmanaged (shadow IT).",[],{},{"nodeType":1294,"data":4077,"content":4078},{},[4079,4083,4088],{"nodeType":1293,"value":4080,"marks":4081,"data":4082},"You can also configure Push to monitor ",[],{},{"nodeType":1293,"value":4084,"marks":4085,"data":4087},"any",[4086],{"type":312},{},{"nodeType":1293,"value":4089,"marks":4090,"data":4091}," login to a work app, regardless of the associated email domain of the employee. This means you can monitor personal account logins to apps that are commonly used for work.",[],{},{"nodeType":1339,"data":4093,"content":4097},{"target":4094},{"sys":4095},{"id":4096,"type":1344,"linkType":1345},"4ctCB7kBscj12BnfHhk3ro",[],{"nodeType":1506,"data":4099,"content":4100},{},[4101],{"nodeType":1293,"value":4102,"marks":4103,"data":4105},"2. A way to identify the login methods an account is using, whether that’s SAML, OIDC, or password.",[4104],{"type":1332},{},{"nodeType":1294,"data":4107,"content":4108},{},[4109],{"nodeType":1293,"value":4110,"marks":4111,"data":4112},"Again, because Push observes the login event, it can analyze the authentication method or methods in use by a given account. Push tells you which SSO accounts still have passwords associated with them, and which authentication methods are being actively used.",[],{},{"nodeType":1339,"data":4114,"content":4118},{"target":4115},{"sys":4116},{"id":4117,"type":1344,"linkType":1345},"pVD238hZ331gjWalDTM1q",[],{"nodeType":1506,"data":4120,"content":4121},{},[4122],{"nodeType":1293,"value":4123,"marks":4124,"data":4126},"3. A method for analyzing whether an employee is using secure passwords on all their accounts.",[4125],{"type":1332},{},{"nodeType":1294,"data":4128,"content":4129},{},[4130,4134,4143],{"nodeType":1293,"value":4131,"marks":4132,"data":4133},"Using Push, you can also check the posture of all your employee accounts. The browser agent accomplishes this by ",[],{},{"nodeType":1589,"data":4135,"content":4137},{"uri":4136},"https://pushsecurity.com/help/10065#start",[4138],{"nodeType":1293,"value":4139,"marks":4140,"data":4142},"creating a salted hash",[4141],{"type":1722},{},{"nodeType":1293,"value":4144,"marks":4145,"data":4146}," of a user’s observed password and then taking the first 8 characters of that hash to store locally in the browser.",[],{},{"nodeType":1294,"data":4148,"content":4149},{},[4150],{"nodeType":1293,"value":4151,"marks":4152,"data":4153},"This allows Push to analyze whether the password is weak (comparing the hash to a list of 10,000 common basewords and common permutations); or reused across accounts.",[],{},{"nodeType":1294,"data":4155,"content":4156},{},[4157,4161,4170,4174,4183],{"nodeType":1293,"value":4158,"marks":4159,"data":4160},"Push can also identify when employee passwords have ",[],{},{"nodeType":1589,"data":4162,"content":4164},{"uri":4163},"https://pushsecurity.com/help/10066#start",[4165],{"nodeType":1293,"value":4166,"marks":4167,"data":4169},"appeared in a public breach list",[4168],{"type":1722},{},{"nodeType":1293,"value":4171,"marks":4172,"data":4173}," using the Have I Been Pwned service, using a k-anonymized hash. Using similar secure methods, Push can detect when employees are sharing account credentials, whether they’re using a ",[],{},{"nodeType":1589,"data":4175,"content":4177},{"uri":4176},"https://pushsecurity.com/help/10085/#start",[4178],{"nodeType":1293,"value":4179,"marks":4180,"data":4182},"password manager",[4181],{"type":1722},{},{"nodeType":1293,"value":4184,"marks":4185,"data":4186},", and which one.",[],{},{"nodeType":1294,"data":4188,"content":4189},{},[4190,4194,4203],{"nodeType":1293,"value":4191,"marks":4192,"data":4193},"Using Push’s ",[],{},{"nodeType":1589,"data":4195,"content":4196},{"uri":1807},[4197],{"nodeType":1293,"value":4198,"marks":4199,"data":4202},"Stolen credentials detection",[4200,4201],{"type":1722},{"type":1332},{},{"nodeType":1293,"value":4204,"marks":4205,"data":4206}," feature, you can also get alerted when an employee is using credentials that match those for sale in criminal forums. Push integrates with commercial threat intelligence sources to perform these matches, and you can also bring your own TI using the Push REST API to perform additional checks for in-use stolen creds. This check still happens locally in the browser, so no hashes are sent to third-party systems.",[],{},{"nodeType":1339,"data":4208,"content":4212},{"target":4209},{"sys":4210},{"id":4211,"type":1344,"linkType":1345},"6wfLCTzvHeMzagyuEWGyJg",[],{"nodeType":1294,"data":4214,"content":4215},{},[4216,4220,4229],{"nodeType":1293,"value":4217,"marks":4218,"data":4219},"If you configure Push to also monitor for employees who are logging in to work apps using ",[],{},{"nodeType":1589,"data":4221,"content":4223},{"uri":4222},"https://pushsecurity.com/help/10105#start",[4224],{"nodeType":1293,"value":4225,"marks":4226,"data":4228},"personal email addresses",[4227],{"type":1722},{},{"nodeType":1293,"value":4230,"marks":4231,"data":4232}," or any non-corporate email, Push can identify when personal accounts and work accounts are reusing passwords for the same work application.",[],{},{"nodeType":1294,"data":4234,"content":4235},{},[4236,4240,4249],{"nodeType":1293,"value":4237,"marks":4238,"data":4239},"Using the Push ",[],{},{"nodeType":1589,"data":4241,"content":4243},{"uri":4242},"https://pushsecurity.com/help/audience/administrators/docs/getting-started/#api-and-webhooks",[4244],{"nodeType":1293,"value":4245,"marks":4246,"data":4248},"REST API and webhooks",[4247],{"type":1722},{},{"nodeType":1293,"value":4250,"marks":4251,"data":4252},", you can get alerted when Push raises a security finding for an account, and when a finding is resolved.",[],{},{"nodeType":1506,"data":4254,"content":4255},{},[4256],{"nodeType":1293,"value":4257,"marks":4258,"data":4260},"4. The ability to solve any issues at scale, including remediating bad passwords and enforcing MFA, even on apps where the security team doesn’t have administrative control.",[4259],{"type":1332},{},{"nodeType":1294,"data":4262,"content":4263},{},[4264],{"nodeType":1293,"value":4265,"marks":4266,"data":4267},"Finally, you can enforce self-remediation workflows using Push’s position in the browser, right where employees are working. ",[],{},{"nodeType":1294,"data":4269,"content":4270},{},[4271],{"nodeType":1293,"value":4272,"marks":4273,"data":4274},"Push recently released a new in-browser control to enforce strong passwords. It works by detecting when an employee has a password security issue, and then prompting them to update their password by displaying a customizable banner message when they log in to the affected account.",[],{},{"nodeType":1339,"data":4276,"content":4280},{"target":4277},{"sys":4278},{"id":4279,"type":1344,"linkType":1345},"4IfBLaE66CJSsb5h44vSNp",[],{"nodeType":1294,"data":4282,"content":4283},{},[4284,4288,4296],{"nodeType":1293,"value":4285,"marks":4286,"data":4287},"This control complements an existing ",[],{},{"nodeType":1589,"data":4289,"content":4290},{"uri":1867},[4291],{"nodeType":1293,"value":4292,"marks":4293,"data":4295},"MFA enforcement",[4294],{"type":1722},{},{"nodeType":1293,"value":4297,"marks":4298,"data":4299}," guardrail, which uses a similar workflow to prompt employees to register for MFA on apps where it’s missing.",[],{},{"nodeType":1360,"data":4301,"content":4302},{},[],{"nodeType":1364,"data":4304,"content":4305},{},[4306],{"nodeType":1293,"value":4307,"marks":4308,"data":4310},"A closer look at password enforcement",[4309],{"type":1332},{},{"nodeType":1294,"data":4312,"content":4313},{},[4314,4318,4322],{"nodeType":1293,"value":4315,"marks":4316,"data":4317},"In the spirit of helping users do the right thing, we designed the",[],{},{"nodeType":1293,"value":3792,"marks":4319,"data":4321},[4320],{"type":1332},{},{"nodeType":1293,"value":4323,"marks":4324,"data":4325},"password enforcement control to meet users where they are, in the most relevant context where they can fix the problem. ",[],{},{"nodeType":1294,"data":4327,"content":4328},{},[4329],{"nodeType":1293,"value":4330,"marks":4331,"data":4332},"Because this control is powered by the Push browser agent, security teams don’t need administrative control over every app where password accounts exist — which often isn’t practical for all the reasons we reviewed earlier. Instead, they can use Push to prompt employees to fix the issue themselves.",[],{},{"nodeType":1294,"data":4334,"content":4335},{},[4336],{"nodeType":1293,"value":4337,"marks":4338,"data":4339},"Here’s a closer look at how it works:",[],{},{"nodeType":1380,"data":4341,"content":4342},{},[4343,4370,4380],{"nodeType":1384,"data":4344,"content":4345},{},[4346],{"nodeType":1294,"data":4347,"content":4348},{},[4349,4353,4357,4361,4366],{"nodeType":1293,"value":4350,"marks":4351,"data":4352},"You can enable ",[],{},{"nodeType":1293,"value":3578,"marks":4354,"data":4356},[4355],{"type":1332},{},{"nodeType":1293,"value":4358,"marks":4359,"data":4360}," from the tile on the ",[],{},{"nodeType":1293,"value":4362,"marks":4363,"data":4365},"Controls",[4364],{"type":1332},{},{"nodeType":1293,"value":4367,"marks":4368,"data":4369}," page of the Push admin console. ",[],{},{"nodeType":1384,"data":4371,"content":4372},{},[4373],{"nodeType":1294,"data":4374,"content":4375},{},[4376],{"nodeType":1293,"value":4377,"marks":4378,"data":4379},"Using the rule editor, select whether you want to apply the control for all employees, or just specific groups or individuals, and which apps it should apply to. You can also select which types of password security issues you want to prompt users about.",[],{},{"nodeType":1384,"data":4381,"content":4382},{},[4383],{"nodeType":1294,"data":4384,"content":4385},{},[4386],{"nodeType":1293,"value":4387,"marks":4388,"data":4389},"Then customize the message that employees will see. Push will then automatically display the banner based on your criteria. Where possible, Push will include a link in the banner that takes employees directly to the page in the app where they can change their password — or you can add a link yourself.",[],{},{"nodeType":1339,"data":4391,"content":4394},{"target":4392},{"sys":4393},{"id":1933,"type":1344,"linkType":1345},[],{"nodeType":1294,"data":4396,"content":4397},{},[4398],{"nodeType":1293,"value":4399,"marks":4400,"data":4401},"Once the password has been changed and Push verifies that the new password is strong, you’ll see the security finding cleared from the account record in the admin console and the banner will no longer display to the end-user.",[],{},{"nodeType":1294,"data":4403,"content":4404},{},[4405],{"nodeType":1293,"value":4406,"marks":4407,"data":4408},"Push also sends webhook events when:",[],{},{"nodeType":1380,"data":4410,"content":4411},{},[4412,4422,4432,4442],{"nodeType":1384,"data":4413,"content":4414},{},[4415],{"nodeType":1294,"data":4416,"content":4417},{},[4418],{"nodeType":1293,"value":4419,"marks":4420,"data":4421},"A banner is displayed",[],{},{"nodeType":1384,"data":4423,"content":4424},{},[4425],{"nodeType":1294,"data":4426,"content":4427},{},[4428],{"nodeType":1293,"value":4429,"marks":4430,"data":4431},"A user clicks the link in the banner to take action",[],{},{"nodeType":1384,"data":4433,"content":4434},{},[4435],{"nodeType":1294,"data":4436,"content":4437},{},[4438],{"nodeType":1293,"value":4439,"marks":4440,"data":4441},"A password is updated",[],{},{"nodeType":1384,"data":4443,"content":4444},{},[4445],{"nodeType":1294,"data":4446,"content":4447},{},[4448],{"nodeType":1293,"value":4449,"marks":4450,"data":4451},"A password security finding is resolved",[],{},{"nodeType":1360,"data":4453,"content":4454},{},[],{"nodeType":1364,"data":4456,"content":4457},{},[4458],{"nodeType":1293,"value":4459,"marks":4460,"data":4462},"Where to begin",[4461],{"type":1332},{},{"nodeType":1294,"data":4464,"content":4465},{},[4466],{"nodeType":1293,"value":4467,"marks":4468,"data":4469},"Most organizations we work with deploy the Push agent first to get an initial understanding of their attack surface and account posture issues. Then we recommend enabling the one-two punch of MFA and strong password enforcement guardrails. You can use both controls in tandem, and Push will first seek to resolve the password issues on a given account, and then prompt the user to register for MFA.",[],{},{"nodeType":1360,"data":4471,"content":4472},{},[],{"nodeType":1364,"data":4474,"content":4475},{},[4476],{"nodeType":1293,"value":4477,"marks":4478,"data":4479},"Find out more",[],{},{"nodeType":1294,"data":4481,"content":4482},{},[4483,4487,4496],{"nodeType":1293,"value":4484,"marks":4485,"data":4486},"If you want to learn more about how Push helps you to detect and defeat common identity attack techniques like AiTM phishing, credential stuffing, and session hijacking while improving your workforce identity posture, book some time with one of our team for a ",[],{},{"nodeType":1589,"data":4488,"content":4490},{"uri":4489},"https://pushsecurity.com/demo/",[4491],{"nodeType":1293,"value":4492,"marks":4493,"data":4495},"live demo",[4494],{"type":1722},{},{"nodeType":1293,"value":2571,"marks":4497,"data":4498},[],{},{"entries":4500},{"hyperlink":4501,"inline":4502,"block":4503},[],[],[4504,4513,4520,4527,4534,4541,4549,4557],{"sys":4505,"__typename":4506,"title":4507,"caption":4508,"layoutMode":118,"file":4509},{"id":3561},"Image","Password users support group","The weekly passwordless support group meet-up",{"url":4510,"width":4511,"height":4512},"https://images.ctfassets.net/y1cdw1ablpvd/2Hnrt8xKG7RFyaHupm9ZkU/b630a7bc7bba8b5ad2c05eac57893fba/image__47_.png",1620,1080,{"sys":4514,"__typename":4506,"title":4515,"caption":4516,"layoutMode":118,"file":4517},{"id":3850},"Sankey","How identity vulnerabilities are introduced based on account authentication methods, and how they can be exploited using different attack techniques.",{"url":4518,"width":4519,"height":4519},"https://images.ctfassets.net/y1cdw1ablpvd/55oogXnSqSaDWXvUS0QhES/9e14e2456093c868881578a02d925e29/Sankey_chart_-_Final.png",4320,{"sys":4521,"__typename":4506,"title":4522,"caption":4522,"layoutMode":118,"file":4523},{"id":4035},"The average SaaS attack path involves direct in-app compromise following account takeover",{"url":4524,"width":4525,"height":4526},"https://images.ctfassets.net/y1cdw1ablpvd/3DOQd2fcWYdjMSVBZZvHHU/2cd487cb316aef8acd77e14a1960c391/SaaS_attack_path.png",1362,458,{"sys":4528,"__typename":4506,"title":4529,"caption":4529,"layoutMode":118,"file":4530},{"id":4096},"Push can find all the apps your employees are accessing, whether or not you know about them.",{"url":4531,"width":4532,"height":4533},"https://images.ctfassets.net/y1cdw1ablpvd/5A4DDagLgRbT0na0zoplPA/27e3bbae558e27090952f97c506e1620/image9.png",1528,826,{"sys":4535,"__typename":4506,"title":4536,"caption":4536,"layoutMode":118,"file":4537},{"id":4117},"Many apps allow multiple login methods, including local password access, even once the application has been onboarded to SSO.",{"url":4538,"width":4539,"height":4540},"https://images.ctfassets.net/y1cdw1ablpvd/w2X0MdbvfrmPcpPMUbLlC/12d42929f0f58134706ae1da46c82bf7/image3.png",1405,446,{"sys":4542,"__typename":4506,"title":4543,"caption":4544,"layoutMode":118,"file":4545},{"id":4211},"Detecting stolen credentials in lastpass","Push shows where stolen credentials have been used to log into an account and the source of the leak",{"url":4546,"width":4547,"height":4548},"https://images.ctfassets.net/y1cdw1ablpvd/HYlWtjgQJdjOYgjmRVMf3/2444a1804ff5c75e88884d75c8735aa8/image8.png",697,668,{"sys":4550,"__typename":4506,"title":4551,"caption":4552,"layoutMode":118,"file":4553},{"id":4279},"Password enforcement banner github","Push displays an in-browser splash screen prompting the user to change their insecure password at the point of login to an app",{"url":4554,"width":4555,"height":4556},"https://images.ctfassets.net/y1cdw1ablpvd/3vzYwxGIB9QEyevlCAQhSQ/5e97d859f943610bff21255072ebb982/image10.png",1440,809,{"sys":4558,"__typename":4559,"title":4560,"arcadeDemoUrl":4561,"playText":4562},{"id":1933},"ArcadeDemo","Arcade: Find and remediate password vulnerabilities in Atlassian","https://demo.arcade.software/O5HwAmXSXboyKZkkO6XS?embed","2 mins","content:blog:introducing-strong-password-enforcement.json","json","content","blog/introducing-strong-password-enforcement.json","blog/introducing-strong-password-enforcement",1776359985229]