[{"data":1,"prerenderedAt":2955},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":95,"navbar-about-highlight":155,"navbar-resource-highlight":211,"use-case-page":256,"blog/is-it-safe-to-allow-my-employees-to-connect-third-party-apps-to-our-m365":1276},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8,59,76],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":14,"data":15,"variations":50,"lastUpdated":51,"firstPublished":52,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":54,"meta":55,"rev":58},1742213002749,"efff2a27faf4408e9f908eba4b5542fe","inductive-automation","1c6207a5f24948ab82d4a0b17f251193","published",[],{"testimonial":16,"description":43,"type":19,"link":44,"title":47,"testimonialLink":48,"image":49},{"@type":17,"id":18,"model":19,"value":20},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79","testimonial",{"query":21,"folders":22,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":26,"variations":30,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":35,"rev":42},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":27,"jobTitle":28,"quote":24,"image":29},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,1,"ST0tXQM8slWpFrmioqKHmENB2qe2",{"kind":36,"lastPreviewUrl":37,"breakpoints":38,"hasAutosaves":41},"data","",{"small":39,"medium":40},640,768,true,"3v32gocrrqz","Join the industry's top security minds as they break down the browser attack landscape.",{"url":45,"text":46},"https://pushsecurity.com/webinar/state-of-browser-security","Save Your Spot","State of Browser Attacks 
Series","/customer-stories/inductive-automation","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe94fca10aa7b46ac8052b7ea22de54cd",{},1776257019270,1742221533648,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2",[],{"breakpoints":56,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},320,"motto9r9yg",{"createdDate":60,"id":61,"name":62,"modelId":12,"published":13,"query":63,"data":64,"variations":69,"lastUpdated":70,"firstPublished":71,"testRatio":33,"createdBy":53,"lastUpdatedBy":72,"folders":73,"meta":74,"rev":58},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner",[],{"type":65,"url":66,"text":67,"link":68},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,"jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":36,"lastPreviewUrl":37,"breakpoints":75,"hasAutosaves":41},{"xsmall":57,"small":39,"medium":40},{"createdDate":77,"id":78,"name":79,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":80,"data":81,"variations":89,"lastUpdated":90,"firstPublished":91,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":92,"meta":93,"rev":58},1742208469288,"6763051b201f44a0838c6400c580ca67","Resource highlight",[],{"image":82,"type":83,"description":84,"link":85,"title":88},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9","resource","Learn about the latest techniques being used in the wild.",{"url":86,"text":87},"/resources/browser-attacks-report","Download now","Report: 2026 Browser Attack 
Techniques",{},1776255866789,1742208570400,[],{"kind":36,"lastPreviewUrl":37,"breakpoints":94,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},{"createdDate":96,"id":97,"name":98,"modelId":99,"published":13,"query":100,"data":101,"variations":145,"lastUpdated":146,"firstPublished":147,"testRatio":33,"createdBy":34,"lastUpdatedBy":148,"folders":149,"meta":150,"rev":154},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":102,"text":103,"url":37,"blocks":104,"state":141},"ewrererw","testrfesssssssssss",[105,129],{"@type":106,"@version":107,"id":108,"component":109,"responsiveStyles":119},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":110,"tag":110,"options":111,"isRSC":118},"TopBannerContent",{"text":112,"ctaText":46,"url":45,"mainText":113,"cta":116},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks",{"content":114,"fontSize":115},"\u003Cp>New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks\u003C/p>","text-base",{"content":117,"fontSize":115,"url":45},"\u003Cp>\u003Cstrong style=\"font-weight:700;\">Save Your 
Spot\u003C/strong>\u003C/p>\n",null,{"large":120},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"marginTop":126,"marginBottom":126,"fontSize":127,"fontWeight":128},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"id":130,"@type":106,"tagName":131,"properties":132,"responsiveStyles":136},"builder-pixel-08zrjigffq5t","img",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":137},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},"block","hidden","none",{"deviceSize":142,"location":143},"large",{"path":37,"query":144},{},{},1775137295127,1774968080803,"ax7YYfD0OCeqT1Vxxv1G4FUbqVr1",[],{"breakpoints":151,"hasLinks":6,"kind":152,"lastPreviewUrl":153,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests%2CmergePullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default","2lvuonnywj",[156,180],{"createdDate":157,"id":158,"name":159,"modelId":160,"published":13,"stageModifiedSincePublish":6,"query":161,"data":162,"variations":173,"lastUpdated":174,"firstPublished":175,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":176,
"meta":177,"rev":179},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":163,"type":19,"testimonialLink":48,"testimonial":164},{},{"@type":17,"id":18,"model":19,"value":165},{"query":166,"folders":167,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":168,"variations":169,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":170,"rev":172},[],[],{"author":27,"jobTitle":28,"quote":24,"image":29},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":171,"hasAutosaves":41},{"small":39,"medium":40},"7t755zfvte3",{},1776247404986,1776247404973,[],{"breakpoints":178,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"4moh0qpywtr",{"createdDate":181,"id":182,"name":88,"modelId":160,"published":13,"meta":183,"stageModifiedSincePublish":6,"query":185,"data":186,"variations":207,"lastUpdated":208,"firstPublished":209,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":210,"rev":179},1776255761419,"05a9322735fc427db12e2740e4302300",{"breakpoints":184,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[],{"testimonial":187,"link":206,"type":83,"title":88,"description":84,"image":82},{"@type":17,"id":188,"model":19,"value":189},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":190,"folders":191,"createdDate":192,"id":188,"name":193,"modelId":25,"published":13,"data":194,"variations":200,"lastUpdated":201,"firstPublished":202,"testRatio":33,"createdBy":34,"lastUpdatedBy":53,"meta":203,"rev":205},[],[],1728981467463,"Push does for identity what CrowdStrike did for the 
endpoint",{"video":195,"jobTitle":196,"author":197,"qoute":37,"quote":198,"image":199},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":36,"lastPreviewUrl":37,"breakpoints":204,"hasAutosaves":41},{"small":39,"medium":40},"6s8ic0w0ao6",{"text":87,"url":86},{},1776255810913,1776255810900,[],[212,235],{"createdDate":213,"id":214,"name":88,"modelId":215,"published":13,"meta":216,"stageModifiedSincePublish":6,"query":218,"data":219,"variations":230,"lastUpdated":231,"firstPublished":232,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":233,"rev":234},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":217,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[],{"testimonial":220,"link":229,"type":83,"title":88,"description":84,"image":82},{"@type":17,"id":188,"model":19,"value":221},{"query":222,"folders":223,"createdDate":192,"id":188,"name":193,"modelId":25,"published":13,"data":224,"variations":225,"lastUpdated":201,"firstPublished":202,"testRatio":33,"createdBy":34,"lastUpdatedBy":53,"meta":226,"rev":228},[],[],{"video":195,"jobTitle":196,"author":197,"qoute":37,"quote":198,"image":199},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":227,"hasAutosaves":41},{"small":39,"medium":40},"r77qqueuo3j",{"text":87,"url":86},{},1776256937553,1776256937540,[],"q0jkez80wkg",{"createdDate":236,"id":237,"name":11,"modelId":215,"published":13,"stageModifiedSincePublish":6,"query":238,"data":239,"variations
":250,"lastUpdated":251,"firstPublished":252,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":253,"meta":254,"rev":234},1776256949234,"ce043785b71b4ece98eac811ecf4ba10",[],{"link":240,"type":19,"testimonial":241,"testimonialLink":48},{},{"@type":17,"id":18,"model":19,"value":242},{"query":243,"folders":244,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":245,"variations":246,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":247,"rev":249},[],[],{"author":27,"jobTitle":28,"quote":24,"image":29},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":248,"hasAutosaves":41},{"small":39,"medium":40},"mnaneamy308",{},1776256974140,1776256974130,[],{"breakpoints":255,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[257,441,560,679,797,917,1037,1157],{"createdDate":258,"id":259,"name":260,"modelId":261,"published":13,"stageModifiedSincePublish":6,"query":262,"data":268,"variations":429,"lastUpdated":430,"firstPublished":431,"testRatio":33,"screenshot":432,"createdBy":34,"lastUpdatedBy":433,"folders":434,"meta":435,"rev":440},1744829487099,"387451215c314dd5bd654668cdc1a197","Zero-day phishing","cca4143377554c5a9163cc203a8ed2ba",[263],{"@type":264,"property":265,"operator":266,"value":267},"@builder.io/core:Query","urlPath","is","/uc/zero-day-phishing-protection",{"inputs":269,"customFonts":270,"seoTitle":318,"title":318,"tsCode":37,"seoDescription":319,"fontAwesomeIcon":320,"jsCode":37,"blocks":321,"url":267,"state":426},[],[271],{"family":272,"kind":273,"version":274,"lastModified":275,"files":276,"category":295,"menu":296,"subsets":297,"variants":300},"DM 
Sans","webfonts#webfont","v14","2023-07-13",{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"800italic":285,"900italic":286,"700italic":287,"100italic":288,"italic":289,"regular":290,"200italic":291,"500italic":292,"300italic":293,"600italic":294},"https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAop1hTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwA_JxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAkJxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAfJthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwARZthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAC5thTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8gCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9uCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDG3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19Dks
Vat-7DW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat_XDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9XCm3zRmYJpso5.ttf","sans-serif","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxRT23z.ttf",[298,299],"latin","latin-ext",[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"100","200","300","regular","500","600","800","900","100italic","200italic","300italic","italic","500italic","600italic","700italic","800italic","900italic","Zero-day phishing protection","Detect phishing TTPs directly in the browser and stop credential theft.","faFishingRod",[322,421],{"@type":106,"@version":107,"tagName":323,"id":324,"children":325},"div","builder-76c6b8d1499346c7bc1fd56ae4e93638",[326,343,351,358,370,385,396,407,413],{"@type":106,"@version":107,"layerName":327,"id":328,"component":329,"responsiveStyles":340},"UseCaseHero","builder-5228fe062bef4a40a91e43f1112832fa",{"name":327,"options":330,"isRSC":118},{"title":318,"description":331,"points":332,"video":339},"\u003Cp>Push detects phishing as it happens. Autonomous agents hunt for new phishing techniques, identify kit signatures, and deploy detections within minutes of a new attack being analyzed. 
From cloned login pages to AiTM credential harvesting, Push sees what traditional filters miss and stops threats before they escalate.\u003C/p>",[333,335,337],{"item":334},"Detect phishing that bypasses traditional filters, including AiTM, SSO password theft, and fake login pages",{"item":336},"Stop never-before-seen attacks with AI-native behavioral and on-page analysis inside the browser",{"item":338},"Investigate faster with unified browser, user, and page context","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F40433ceeb4f94b43a82e039a0f4fd411%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=40433ceeb4f94b43a82e039a0f4fd411&alt=media&optimized=true",{"large":341},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},"transparent",{"@type":106,"@version":107,"id":344,"component":345,"responsiveStyles":348},"builder-96634044407e491299e291ed64669e39",{"name":346,"options":347,"isRSC":118},"TrustedBy",{"AllPartners":41,"backgroundTransparent":6},{"large":349},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},"#000",{"@type":106,"@version":107,"id":352,"component":353,"responsiveStyles":356},"builder-2c3768f930534557bb8978e32b6a6a0f",{"name":354,"options":355,"isRSC":118},"Diagonal",{"darkMode":41},{"large":357},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":359,"id":360,"component":361,"responsiveStyles":368},"TextImageBlockVertical","builder-7c3c1c2840424db2ad2ccbfaf382dd64",{"name":359,"tag":359,"options":362,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":365,"description":366,"animatedTitle":37,"image":367,"reverse":6,"descriptionPaddingHorizontal":118},1200,800,"\u003Ch2>Why stop at the inbox?\u003C/h2>","\u003Cp>Phishing attacks have evolved. 
Whether attackers lure users with QR codes, instant messages, or OAuth consent screens, the outcome is the same: it plays out in the browser. Push gives you real-time detection for in-browser threats, stopping phishing and consent-based attacks before they lead to compromise.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7fdcac241f0e4a049166d7076858adeb",{"large":369},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":371,"component":372,"responsiveStyles":380},"builder-41c978b3669749cf947e622b4e79e4d7",{"name":373,"options":374,"isRSC":118},"TextImageBlockHorizontal",{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":377,"description":378,"reverse":41,"image":379},600,100,"\u003Cp>Detect phishing at the edge\u003C/p>","\u003Cp>Push uses industry-first telemetry to detect phishing based on behavior, not static indicators. Autonomous agents analyze how phishing pages behave and how users interact with them, uncovering fake logins, credential theft, and phishing kits the moment they load in the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F9df3d180c97b4e61af142af2ccd68721",{"large":381},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},"DM Sans, sans-serif","20px","0px",{"@type":106,"@version":107,"id":386,"component":387,"responsiveStyles":393},"builder-d2a7bc941feb43cdb898bc116b203cf9",{"name":373,"options":388,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":390,"description":391,"reverse":6,"image":392},120,"\u003Ch2>Go beyond blocklists and IOCs\u003C/h2>","\u003Cp>Push goes beyond URLs and easy-to-change indicators. 
It reads the full phishing playbook, such as script behavior, session hijacks, DOM changes, and user inputs, then connects the dots in real time. This gives your team a complete picture of how the phishing attempt worked, not just an alert.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fabfd58db169b433e96d3f1261797156e",{"large":394},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},"36px",{"@type":106,"@version":107,"layerName":373,"id":397,"component":398,"responsiveStyles":404},"builder-42c32198083f4880acb37c5cb76934da",{"name":373,"options":399,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":401,"description":402,"reverse":41,"image":403},140,"\u003Ch2>Enhance your phishing response\u003C/h2>","\u003Cp>When phishing enters your environment, speed matters. Push gives you instant access to the telemetry that counts, such as session data, user behavior, and page activity, so you can investigate fast, trigger in-browser prompts, or forward alerts to your SIEM or SOAR for response. 
All in real time, right from the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fbb195aec46904056b85e8688629e558e",{"large":405},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},"47px",{"@type":106,"@version":107,"id":408,"component":409,"responsiveStyles":411},"builder-9a95b9cbc4854421a92ef7b90f6c7adb",{"name":354,"options":410,"isRSC":118},{"darkMode":6},{"large":412},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":414,"component":415,"responsiveStyles":419},"builder-0afa17a9f25c4661a90f314d5578aa18",{"name":416,"tag":416,"options":417,"isRSC":118},"LatestResources",{"sectionHeading":37,"customClass":418},"bg-black",{"large":420},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":422,"@type":106,"tagName":131,"properties":423,"responsiveStyles":424},"builder-pixel-21yj6h3p4wh",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":425},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":427},{"path":37,"query":428},{},{},1776275046831,1745499158657,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fff60c30a8442489c8ed7e0af9599d14f","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"lastPreviewUrl":436,"winningTest":118,"breakpoints":437,"kind":438,"hasLinks":6,"originalContentId":439,"hasAutosaves":6},"https://pushsecurity.com/uc/zero-day-phishing-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&
builder.overrides.use-case-page=387451215c314dd5bd654668cdc1a197&builder.overrides.387451215c314dd5bd654668cdc1a197=387451215c314dd5bd654668cdc1a197&builder.overrides.use-case-page:/uc/zero-day-phishing-protection=387451215c314dd5bd654668cdc1a197&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},"page","2daa5670b8504fc7ba4700633e8bd921","atvz4dp24b7",{"createdDate":442,"id":443,"name":444,"modelId":261,"published":13,"stageModifiedSincePublish":6,"query":445,"data":448,"variations":552,"lastUpdated":553,"firstPublished":554,"testRatio":33,"screenshot":555,"createdBy":34,"lastUpdatedBy":433,"folders":556,"meta":557,"rev":440},1756833377777,"54f8256648f54d439303734b1e69221b","Browser extension security",[446],{"@type":264,"property":265,"operator":266,"value":447},"/uc/browser-extension-security",{"seoDescription":449,"jsCode":37,"fontAwesomeIcon":450,"tsCode":37,"title":444,"seoTitle":444,"customFonts":451,"inputs":456,"blocks":457,"url":447,"state":549},"Shine a light on risky browser extensions.","faPuzzlePiece",[452],{"kind":273,"family":272,"version":274,"files":453,"category":295,"lastModified":275,"subsets":454,"variants":455,"menu":296},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"100italic":288,"italic":289,"regular":290,"900italic":286,"800italic":285,"700italic":287,"200italic":291,"300italic":293,"500italic":292,"600italic":294},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],[],[458,544],{"@type":106,"@version":107,"tagName":323,"id":459,"meta":460,"children":461},"builder-71d0648c1d2f4ede8d0d0b5b28b7b94c",{"previousId":324},[462,478,485,492,501,511,521,531,538],{"@type":106,"@version":107,"id":463,"meta":464,"component":465,"responsiveStyles":476},"builder-ff325b4b8fad4edea53f38865947e854",{"previousId":328},{"name":327,"options":466,"isRSC":118},{"title":444,"description":467,"points":468,"video":475},"\u003Cp>Browser extensions introduce new code, new 
permissions, and new potential for risk. Many include AI features, and most go completely unnoticed. Push gives you full visibility into every extension used across your workforce, across major browsers, so you can uncover shadow IT, assess risky permissions, and block unsafe tools before they lead to compromise.\u003C/p>",[469,471,473],{"item":470},"Discover every browser extension in use",{"item":472},"Spot risky or unsanctioned behavior",{"item":474},"Make informed decisions on extension policy","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc538aad95d7f403aa3c3551af72f67c0?alt=media&token=1411fa6d-2eac-4e6c-94bf-ea117da12d67&apiKey=f3a1111ff5be48cdbb123cd9f5795a05",{"large":477},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":479,"meta":480,"component":481,"responsiveStyles":483},"builder-fb89d128c64e47cf9cbb11d90fc24523",{"previousId":344},{"name":346,"options":482,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":484},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":486,"meta":487,"component":488,"responsiveStyles":490},"builder-54388d35126c4d0096eeebaf8c4448cd",{"previousId":352},{"name":354,"options":489,"isRSC":118},{"darkMode":41},{"large":491},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":359,"id":493,"component":494,"responsiveStyles":499},"builder-3c8fa6785dd6466abf52a2470d66d85a",{"name":359,"tag":359,"options":495,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":496,"description":497,"image":498,"reverse":6},"\u003Ch2>Take control of browser extensions\u003C/h2>","\u003Cp>Attackers are increasingly using malicious browser extensions to gain access to data processed and stored in the browser. 
And the problem is, most security teams have no visibility into what extensions are being used. Push changes that. With browser-native telemetry, the Push extension continuously inventories browser extensions across your environment, flags the risky ones, and gives you intelligence to act.&nbsp;\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0a004f16a6874f4c8fdf14344acc9fec",{"large":500},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":502,"meta":503,"component":504,"responsiveStyles":509},"builder-93738f98109a4009affb349afd7bb182",{"previousId":371},{"name":373,"options":505,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":506,"description":507,"reverse":41,"image":508},"\u003Ch2>Discover every extension in use\u003C/h2>","\u003Cp>Push gives you structured, searchable data about every extension in your environment, so you’re not just seeing what’s there, but also understanding how it got there, what it can do, and who it affects. 
It’s the kind of granular insight that’s nearly impossible to get from traditional tools, and it lays the groundwork for better policy decisions and faster investigations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0e5727ca99474f14b1b7916bf6bbb782",{"large":510},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":512,"meta":513,"component":514,"responsiveStyles":519},"builder-83393acb12ee4fdd840839185b51edb4",{"previousId":386},{"name":373,"options":515,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":516,"description":517,"reverse":6,"image":518},"\u003Ch2>Spot risky or malicious extensions\u003C/h2>","\u003Cp>Push highlights extensions with dangerous permissions, broad access, or poor reputations. This includes AI extensions that request access far beyond what their stated purpose requires. You can quickly detect sideloaded, manually installed, or development-mode extensions that bypass normal controls. And because Push shows you who’s using them and where, you can respond precisely and effectively.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa104d58c8da34fbb8901f738fb21453b",{"large":520},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":522,"meta":523,"component":524,"responsiveStyles":529},"builder-da98e3de949646d89c53a0d1c2784664",{"previousId":397},{"name":373,"options":525,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":526,"description":527,"reverse":41,"image":528},"\u003Ch2>Accelerate security reviews\u003C/h2>","\u003Cp>Most teams have extension policies, they just don’t have the data to enforce them. 
Push reveals how each extension entered your environment, whether it was installed manually, sideloaded, or deployed in dev mode. You’ll see which users are running what, and where, so you can surface violations, investigate quickly, and respond with confidence.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F229f355be6f243b180f410d237a75bb3",{"large":530},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":532,"meta":533,"component":534,"responsiveStyles":536},"builder-1a689287d1a1418997d57db578a71105",{"previousId":408},{"name":354,"options":535,"isRSC":118},{"darkMode":6},{"large":537},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":539,"component":540,"responsiveStyles":542},"builder-feb4e75029f84c10b6498ef1f8f79128",{"name":416,"tag":416,"options":541,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":543},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":545,"@type":106,"tagName":131,"properties":546,"responsiveStyles":547},"builder-pixel-0edn39avfcei",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":548},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":550},{"path":37,"query":551},{},{},1776275365038,1757000441666,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8d496cf111644ee5afcc046b72d1ca5a",[],{"kind":438,"winningTest":118,"breakpoints":558,"lastPreviewUrl":559,"hasLinks":6,"originalContentId":259,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/browser-extension-security?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2Cc
reateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=54f8256648f54d439303734b1e69221b&builder.overrides.54f8256648f54d439303734b1e69221b=54f8256648f54d439303734b1e69221b&builder.overrides.use-case-page:/uc/browser-extension-security=54f8256648f54d439303734b1e69221b&builder.options.locale=Default",{"createdDate":561,"id":562,"name":563,"modelId":261,"published":13,"query":564,"data":567,"variations":670,"lastUpdated":671,"firstPublished":672,"testRatio":33,"screenshot":673,"createdBy":34,"lastUpdatedBy":674,"folders":675,"meta":676,"rev":440},1744923509705,"94bebb7bb99d48629ad157e80cf4d81d","Account takeover detection",[565],{"@type":264,"property":265,"operator":266,"value":566},"/uc/account-takeover-detection",{"title":563,"customFonts":568,"jsCode":37,"seoTitle":563,"seoDescription":573,"fontAwesomeIcon":574,"tsCode":37,"blocks":575,"url":566,"state":667},[569],{"kind":273,"category":295,"variants":570,"menu":296,"files":571,"family":272,"subsets":572,"version":274,"lastModified":275},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"300italic":293,"500italic":292,"800italic":285,"700italic":287,"italic":289,"900italic":286,"600italic":294,"200italic":291,"regular":290,"100italic":288},[298,299],"Stop ATO with stolen credential and compromised token 
detection.","faUserSecret",[576,662],{"@type":106,"@version":107,"tagName":323,"id":577,"meta":578,"children":579},"builder-e7913a774cae44c5a23d6081c5c30a52",{"previousId":324},[580,596,603,610,619,629,639,649,656],{"@type":106,"@version":107,"id":581,"meta":582,"component":583,"responsiveStyles":594},"builder-f1f1ab1601bc4c0f8c2a8aafd173675d",{"previousId":328},{"name":327,"options":584,"isRSC":118},{"title":563,"description":585,"points":586,"video":593},"\u003Cp>Attackers don’t need to phish, they just need a password that works. Push monitors for signs of credential-based attacks in real time, directly in the browser, catching account takeover attempts before the damage spreads. From ghost logins to credential stuffing, Push cuts off the paths attackers use to quietly slip in the back door.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[587,589,591],{"item":588},"Identify credential-based ATO as it unfolds",{"item":590},"Surface hijacked sessions and token misuse",{"item":592},"Strengthen authentication where your IdP 
can’t","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb4dd9db24bc9495b8a686b1b4d492016%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=b4dd9db24bc9495b8a686b1b4d492016&alt=media&optimized=true",{"large":595},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":597,"meta":598,"component":599,"responsiveStyles":601},"builder-0bc0d1c78ece4994993c3a6427a4d533",{"previousId":344},{"name":346,"options":600,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":602},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":604,"meta":605,"component":606,"responsiveStyles":608},"builder-e45de8f3768c4f16938dbf78e4e87524",{"previousId":352},{"name":354,"options":607,"isRSC":118},{"darkMode":41},{"large":609},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":611,"component":612,"responsiveStyles":617},"builder-c98e8bfd341146c1b67c02d5698ff093",{"name":359,"tag":359,"options":613,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":614,"description":615,"image":616,"reverse":6},"\u003Ch2>Assume less. See more.\u003C/h2>","\u003Cp>Most account takeovers don’t start with a breach, they start with a login. Whether it’s a reused password, a local account, or an outdated login flow, Push shows you how accounts are actually accessed day to day, not just how policies say they should be. 
That means no more blind spots around ghost logins, bypassed SSO, or stale access paths that quietly persist.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F18630ad2746d4eb7b7fcc0428b11a8f0",{"large":618},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":620,"meta":621,"component":622,"responsiveStyles":627},"builder-55c1fc38ddc04fd1a0d6a8e2fb819e00",{"previousId":371},{"name":373,"options":623,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":624,"description":625,"reverse":41,"image":626},"\u003Ch2>Catch stolen credential use in real time\u003C/h2>","\u003Cp>Push monitors login activity directly in the browser to detect signs of credential-based attacks like leaked password use or suspicious login flows. By analyzing attacker TTPs instead of relying on known indicators, Push spots credential stuffing and account takeover attempts the moment they begin, not after they’ve succeeded.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F52b0123cac2c4dfdb1dc0af6adf9d603",{"large":628},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":630,"meta":631,"component":632,"responsiveStyles":637},"builder-dfb31737b30948c6b95323655d571a50",{"previousId":386},{"name":373,"options":633,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":634,"description":635,"reverse":6,"image":636},"\u003Ch2>Detect session hijacks and stealth access\u003C/h2>","\u003Cp>Attackers don’t always need a login screen, they often sidestep it entirely using stolen session tokens. 
Push detects when valid sessions are reused in unexpected ways, identifying hijacked sessions and stealth access attempts that traditional tools miss. Because we monitor directly in the browser, you see what’s happening inside active sessions in real time.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F94a6859a99e04d309ffe5841f3dbdf5c",{"large":638},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":640,"meta":641,"component":642,"responsiveStyles":647},"builder-f7585b90eb974d03a7dc7eae5b58d227",{"previousId":397},{"name":373,"options":643,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":644,"description":645,"reverse":41,"image":646},"\u003Ch2>Harden accounts before they’re compromised\u003C/h2>","\u003Cp>Push goes beyond alerts. It identifies apps that still allow local logins, even when SSO is configured, so you can remove weak access paths. 
Push also flags users without MFA, reused work credentials, or weak passwords, and prompts users in-browser to fix risky behaviors before they’re exploited.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01c1b638f1b6497093a4f2b8ceddb5bb",{"large":648},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":650,"meta":651,"component":652,"responsiveStyles":654},"builder-ad81d1e3afec49a791214194eae09bdc",{"previousId":408},{"name":354,"options":653,"isRSC":118},{"darkMode":6},{"large":655},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":657,"component":658,"responsiveStyles":660},"builder-8dac1aa4b9d148628d92252bd8eff822",{"name":416,"tag":416,"options":659,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":661},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":663,"@type":106,"tagName":131,"properties":664,"responsiveStyles":665},"builder-pixel-s5u3wmvz7jq",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":666},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":668},{"path":37,"query":669},{},{},1770892814499,1745499162732,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F58b660fa94aa4b30b0faeb9b663ae41a","SfUPqW5tkibIPby49keNFMdHFTr1",[],{"lastPreviewUrl":677,"hasLinks":6,"originalContentId":259,"breakpoints":678,"winningTest":118,"kind":438,"hasAutosaves":41},"https://pushsecurity.com/uc/account-takeover-detection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepo
sitory%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.94bebb7bb99d48629ad157e80cf4d81d=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.use-case-page:/uc/account-takeover-detection=94bebb7bb99d48629ad157e80cf4d81d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":680,"id":681,"name":682,"modelId":261,"published":13,"query":683,"data":686,"variations":789,"lastUpdated":790,"firstPublished":791,"testRatio":33,"screenshot":792,"createdBy":34,"lastUpdatedBy":674,"folders":793,"meta":794,"rev":440},1745009370904,"23eb48fb56d3451cab77cb6ed140ee6d","Attack path hardening",[684],{"@type":264,"property":265,"operator":266,"value":685},"/uc/attack-path-hardening",{"tsCode":37,"seoDescription":687,"jsCode":37,"customFonts":688,"fontAwesomeIcon":693,"seoTitle":682,"title":682,"blocks":694,"url":685,"state":786},"Harden access paths with visibility, detection, and 
guardrails.",[689],{"kind":273,"files":690,"version":274,"lastModified":275,"subsets":691,"menu":296,"category":295,"variants":692,"family":272},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"regular":290,"italic":289,"800italic":285,"500italic":292,"600italic":294,"200italic":291,"900italic":286,"700italic":287,"100italic":288,"300italic":293},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"faRadar",[695,781],{"@type":106,"@version":107,"tagName":323,"id":696,"meta":697,"children":698},"builder-1d8553eddcaa44d7bba9e2f4ca13af2a",{"previousId":577},[699,715,722,729,738,748,758,768,775],{"@type":106,"@version":107,"id":700,"meta":701,"component":702,"responsiveStyles":713},"builder-84fe3d7c85a743cf8cef649aa974f1ef",{"previousId":581},{"name":327,"options":703,"isRSC":118},{"title":682,"description":704,"points":705,"video":712},"\u003Cp>Push continuously monitors your environment for exposed login paths, weak credentials, and missing protections like MFA. 
It detects the gaps attackers exploit and helps you close them before they’re used.\u003C/p>",[706,708,710],{"item":707},"Find weak spots like reused passwords, local logins, and missing MFA",{"item":709},"Monitor how users actually log in across apps, flows, and tools",{"item":711},"Enforce secure access with in-browser guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fdbdcf52892034f1bbddded77f753a343%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=dbdcf52892034f1bbddded77f753a343&alt=media&optimized=true",{"large":714},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":716,"meta":717,"component":718,"responsiveStyles":720},"builder-b3f66f5b08054cc78a06fecfc3ae2337",{"previousId":597},{"name":346,"options":719,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":721},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":723,"meta":724,"component":725,"responsiveStyles":727},"builder-4c73418b84be49ed85e6e13d2625c5a0",{"previousId":604},{"name":354,"options":726,"isRSC":118},{"darkMode":41},{"large":728},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":730,"component":731,"responsiveStyles":736},"builder-dec0246085e1485c803f7152b1922a81",{"name":359,"tag":359,"options":732,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":733,"description":734,"image":735,"reverse":6},"\u003Ch2>Find the gaps that lead to compromise\u003C/h2>","\u003Cp>Misconfigurations don’t show up in your config files, they show up in how users actually access apps. 
Push monitors real login behavior in the browser, surfacing risky patterns like local login access, duplicate accounts, or missing protections that leave doors wide open.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F309a59bba8d247a19476bb369397460e",{"large":737},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":739,"meta":740,"component":741,"responsiveStyles":746},"builder-ebf049a645604a249550996a88f8f3b6",{"previousId":620},{"name":373,"options":742,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":743,"description":744,"reverse":41,"image":745},"\u003Ch2>See real login behavior\u003C/h2>","\u003Cp>Push watches authentication flows as they happen, giving you a live view of how users log in, which methods they choose, and where protections like MFA are missing. Plus, uncover every app and account in use, even shadow IT you didn’t know existed, without relying on stale config files or IdP assumptions. \u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb51f6b0357cc451b87a7a5016d984e5e",{"large":747},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":749,"meta":750,"component":751,"responsiveStyles":756},"builder-431d175c59004669b0b2776b07d71737",{"previousId":630},{"name":373,"options":752,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":753,"description":754,"reverse":6,"image":755},"\u003Ch2>Find and fix posture drift\u003C/h2>","\u003Cp>Security posture isn’t static. Push continuously monitors for issues like missing MFA or legacy login methods. 
When something falls out of policy, you know immediately with custom notifications so you can act before it turns into risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F324e39127dfc41e592b1183dfb39892d",{"large":757},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":759,"meta":760,"component":761,"responsiveStyles":766},"builder-3dffdcbe0a484e2ca4c03f019b6d40ee",{"previousId":640},{"name":373,"options":762,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":763,"description":764,"reverse":41,"image":765},"\u003Ch2>Guide users with in-browser guardrails\u003C/h2>","\u003Cp>Push doesn’t just surface problems, it helps you fix them. When users sign in without MFA, reuse a password, or use insecure credentials, Push prompts them directly in the browser to secure their access. It’s faster, more effective, and actually gets 
results.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fee8b75d13e45488aba55434a8b49ebb0",{"large":767},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":769,"meta":770,"component":771,"responsiveStyles":773},"builder-976bc222cd7647ff905f1e01cfedc453",{"previousId":650},{"name":354,"options":772,"isRSC":118},{"darkMode":6},{"large":774},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":776,"component":777,"responsiveStyles":779},"builder-8c47ec2fd0f74382bb3e6c870555632c",{"name":416,"tag":416,"options":778,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":780},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":782,"@type":106,"tagName":131,"properties":783,"responsiveStyles":784},"builder-pixel-7akm7dayau8",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":785},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":787},{"path":37,"query":788},{},{},1770892844854,1745499166112,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6ca12bf728a045f1a31d40c0beb3bfe5",[],{"kind":438,"lastPreviewUrl":795,"breakpoints":796,"hasLinks":6,"originalContentId":562,"winningTest":118,"hasAutosaves":6},"https://pushsecurity.com/uc/attack-path-hardening?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&buil
der.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.23eb48fb56d3451cab77cb6ed140ee6d=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.use-case-page:/uc/attack-path-hardening=23eb48fb56d3451cab77cb6ed140ee6d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":798,"id":799,"name":800,"modelId":261,"published":13,"query":801,"data":804,"variations":909,"lastUpdated":910,"firstPublished":911,"testRatio":33,"screenshot":912,"createdBy":34,"lastUpdatedBy":674,"folders":913,"meta":914,"rev":440},1761675020232,"ea4f309d2ffe46c5aa97ebf0fda4e2e3","ClickFix Protection",[802],{"@type":264,"property":265,"operator":266,"value":803},"/uc/clickfix-protection",{"seoDescription":805,"fontAwesomeIcon":806,"customFonts":807,"seoTitle":812,"jsCode":37,"tsCode":37,"title":812,"blocks":813,"url":803,"state":906},"Block attacks that trick users into running malicious code.","faLaptopCode",[808],{"files":809,"subsets":810,"menu":296,"version":274,"kind":273,"family":272,"lastModified":275,"variants":811,"category":295},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"200italic":291,"800italic":285,"700italic":287,"600italic":294,"100italic":288,"italic":289,"regular":290,"300italic":293,"500italic":292,"900italic":286},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"ClickFix 
protection",[814,901],{"@type":106,"@version":107,"tagName":323,"id":815,"meta":816,"children":817},"builder-d7eefdde0f2a4b2b9de3dcb2978fd6cb",{"previousId":696},[818,834,841,848,858,868,878,888,895],{"@type":106,"@version":107,"id":819,"meta":820,"component":821,"responsiveStyles":832},"builder-56e2c54bcce040a4af8b92ae03706c12",{"previousId":700},{"name":327,"options":822,"isRSC":118},{"title":812,"description":823,"points":824,"image":831},"\u003Cp>ClickFix attacks are one of the fastest-growing threats, tricking users into copying malicious code from a webpage and running it locally. This technique bypasses traditional EDR, email gateways, and network filters, leading directly to ransomware and data theft. Push stops this attack at the source, in the browser, by detecting and blocking the malicious behavior before the user can ever paste the code.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[825,827,829],{"item":826},"Detect ClickFix, FileFix, and fake CAPTCHA in the browser",{"item":828},"Block malicious copy-and-paste actions before code is executed",{"item":830},"See full telemetry into which users were targeted and what they 
saw","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b74af62889847ebb3927364485b0546",{"large":833},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":835,"meta":836,"component":837,"responsiveStyles":839},"builder-05f9614d4e3e4dc88b3ee8658f54e10e",{"previousId":716},{"name":346,"options":838,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":840},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":842,"meta":843,"component":844,"responsiveStyles":846},"builder-c4fb5179366243c1b6c32d368675cf47",{"previousId":723},{"name":354,"options":845,"isRSC":118},{"darkMode":41},{"large":847},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":849,"meta":850,"component":851,"responsiveStyles":856},"builder-261af50705fd445d8cca4a6ba20d5391",{"previousId":730},{"name":359,"tag":359,"options":852,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":853,"description":854,"reverse":6,"image":855},"\u003Ch2>Stop ClickFix-style attacks before they become a breach\u003C/h2>","\u003Cp>Traditional security tools are blind to malicious copy and paste attacks because the attack exploits a gap between the browser and the endpoint. 
EDR only sees the payload after it runs, and network tools see only part of the picture.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F98b2f7e08dec4eafaf8e24937605b8cf",{"large":857},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":859,"meta":860,"component":861,"responsiveStyles":866},"builder-7d21b8aab8064c40b1e5dd23c4749309",{"previousId":739},{"name":373,"options":862,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":863,"description":864,"reverse":41,"image":865},"\u003Ch2>Discover lures at the source\u003C/h2>","\u003Cp>Push inspects page behavior to identify ClickFix attacks as they happen. By inspecting the page, its structure, and how the user interacts with it, Push can detect and block these in-browser threats in real time. This deep, TTP-based inspection spots the trap even on novel pages that are built to bypass traditional web filters and blocklists.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F665bf47e01544c75bf9ddafd3917927b",{"large":867},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":869,"meta":870,"component":871,"responsiveStyles":876},"builder-fb91943adf6149259ed9e1e6566c9afe",{"previousId":749},{"name":373,"options":872,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":873,"description":874,"reverse":6,"image":875},"\u003Ch2>Block the malicious action\u003C/h2>","\u003Cp>When Push detects a malicious script, it intercepts the user's action and blocks the code from being copied to the clipboard. The user is protected, the attack is stopped, and no malicious code ever reaches the endpoint. 
Unlike broad DLP tools, this action is surgical, targeting only malicious behavior without disrupting normal work.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F5ee68f81f1ac416685cbfe91298cf827",{"large":877},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":879,"meta":880,"component":881,"responsiveStyles":886},"builder-bfac95fada864e5a8259b955b5b5f98b",{"previousId":759},{"name":373,"options":882,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":883,"description":884,"reverse":41,"image":885},"\u003Ch2>Accelerate ClickFix investigations\u003C/h2>","\u003Cp>When an attack happens, knowing what the user saw or did is critical. Push provides rich browser session data for rapid investigation and containment. Security teams get detailed telemetry on which users were targeted, what lure they were served, and when the block occurred. 
This enables defenders to reconstruct what happened and respond quickly, even when other tools miss the activity entirely.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6cdf2a8aeddc4e9a9023cbf974e40239",{"large":887},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":889,"meta":890,"component":891,"responsiveStyles":893},"builder-136892e831684a6987f87d3be67c33d1",{"previousId":769},{"name":354,"options":892,"isRSC":118},{"darkMode":6},{"large":894},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":896,"component":897,"responsiveStyles":899},"builder-dec26b739f2f42beb5a73cfc6c675b60",{"name":416,"tag":416,"options":898,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":900},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":902,"@type":106,"tagName":131,"properties":903,"responsiveStyles":904},"builder-pixel-zzjpxxgrc2l",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":905},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":907},{"path":37,"query":908},{},{},1770892881888,1761847585203,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F375467b8bef34ed1a8a1cc5b8b67d75f",[],{"lastPreviewUrl":915,"originalContentId":681,"winningTest":118,"hasLinks":6,"kind":438,"breakpoints":916,"hasAutosaves":6},"https://pushsecurity.com/uc/clickfix-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.u
ser.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.ea4f309d2ffe46c5aa97ebf0fda4e2e3=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.use-case-page:/uc/clickfix-protection=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":918,"id":919,"name":920,"modelId":261,"published":13,"query":921,"data":924,"variations":1029,"lastUpdated":1030,"firstPublished":1031,"testRatio":33,"screenshot":1032,"createdBy":34,"lastUpdatedBy":674,"folders":1033,"meta":1034,"rev":440},1745009743870,"a9d5556e77f84a37b5bd52310a7110c1","Incident response",[922],{"@type":264,"property":265,"operator":266,"value":923},"/uc/incident-response",{"seoDescription":925,"customFonts":926,"title":920,"jsCode":37,"fontAwesomeIcon":931,"seoTitle":932,"tsCode":37,"blocks":933,"url":923,"state":1026},"Investigate and respond faster with unique browser telemetry.",[927],{"kind":273,"subsets":928,"menu":296,"variants":929,"category":295,"family":272,"version":274,"lastModified":275,"files":930},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"900italic":286,"600italic":294,"200italic":291,"300italic":293,"100italic":288,"700italic":287,"800italic":285,"regular":290,"italic":289,"500italic":292},"faSatelliteDish","Browser-based incident 
response",[934,1021],{"@type":106,"@version":107,"tagName":323,"id":935,"meta":936,"children":937},"builder-653c4aed737b4def88dc4cd2d695660a",{"previousId":696},[938,955,962,969,978,988,998,1008,1015],{"@type":106,"@version":107,"id":939,"meta":940,"component":941,"responsiveStyles":953},"builder-18190bd36518467d9154d27d7e945b9b",{"previousId":700},{"name":327,"options":942,"isRSC":118},{"title":943,"description":944,"points":945,"video":952},"Browser-based incident response","\u003Cp>Push gives you real-time visibility into what actually happened during a breach, right in the browser where the attack played out. From credential theft to session hijacking, Push captures high-fidelity telemetry so you can investigate quickly, contain confidently, and shut it down before it spreads.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[946,948,950],{"item":947},"Reconstruct what happened with real browser session context",{"item":949},"Investigate faster with real-world session context",{"item":951},"Trigger response actions automatically through your SIEM or 
SOAR","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fd00e39d3b6e346c296261d875cf55652%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=d00e39d3b6e346c296261d875cf55652&alt=media&optimized=true",{"large":954},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":956,"meta":957,"component":958,"responsiveStyles":960},"builder-8a0a8ea63f5d48dd8a6726f2d49cf0ca",{"previousId":716},{"name":346,"options":959,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":961},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":963,"meta":964,"component":965,"responsiveStyles":967},"builder-2df65c3f54334df2b26e7cb744886cdc",{"previousId":723},{"name":354,"options":966,"isRSC":118},{"darkMode":41},{"large":968},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":970,"component":971,"responsiveStyles":976},"builder-2c32c869efc2423ab69ef06b150e9f97",{"name":359,"tag":359,"options":972,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":973,"description":974,"image":975,"reverse":6},"\u003Ch2>See attacks unfold, not just their aftermath\u003C/h2>","\u003Cp>Attacks happen in the browser, not in logs. Push captures what traditional tools miss: what users clicked, what loaded, what was entered, and how attackers moved. 
That gives you real-world evidence, not just assumptions, when every second matters.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F36fc719bd1de4a38b916f4d25c81a26d",{"large":977},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":979,"meta":980,"component":981,"responsiveStyles":986},"builder-370e53c6016e432db01e9193a2ce90f6",{"previousId":739},{"name":373,"options":982,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":983,"description":984,"reverse":41,"image":985},"\u003Ch2>Investigate faster with high-fidelity data\u003C/h2>","\u003Cp>Reconstructing an incident shouldn’t feel like guesswork. Push records detailed telemetry from inside the browser: page loads, credential inputs, DOM changes, session activity, user behavior. It’s structured, exportable, and ready to plug into your investigation workflows, so you can move fast without digging through proxy logs or relying on user reports.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa6adda040e684e67a8d68a55c5ce5f6d",{"large":987},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":989,"meta":990,"component":991,"responsiveStyles":996},"builder-a7f3767a8d184bd08fb24520bf210e95",{"previousId":749},{"name":373,"options":992,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":993,"description":994,"reverse":6,"image":995},"\u003Ch2>Contain and respond in real time\u003C/h2>","\u003Cp>When something looks off, Push doesn’t just alert you, it gives you options. Guide users with in-browser prompts. Terminate sessions. Trigger SOAR workflows. Enrich SIEM alerts. 
Push gives you the context and control to stop spread before it starts.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb3dedeed5aba4847a2c2d22e10d0ec12",{"large":997},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":999,"meta":1000,"component":1001,"responsiveStyles":1006},"builder-b92036ee0ece4b32acdbdcc7c377366b",{"previousId":759},{"name":373,"options":1002,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1003,"description":1004,"reverse":41,"image":1005},"\u003Ch2>Prevent the next one\u003C/h2>","\u003Cp>Push helps you respond fast, but it also helps you fix what went wrong. It surfaces misconfigurations and risky behaviors that made the attack possible in the first place, then guides users in-browser to remediate. One tool. Full loop. No loose ends.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc1ecc2d5d3814b62b072fac01827ff96",{"large":1007},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1009,"meta":1010,"component":1011,"responsiveStyles":1013},"builder-5e8ae39655274de89da32ab573a2525a",{"previousId":769},{"name":354,"options":1012,"isRSC":118},{"darkMode":6},{"large":1014},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1016,"component":1017,"responsiveStyles":1019},"builder-dfd6850cfb4741d2b8a0c16c2780f00a",{"name":416,"tag":416,"options":1018,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1020},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1022,"@type":106,"tagName":131,"properties":1023,"responsiveStyles":1024},"builder-pixel-z197gdgcmu",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"lar
ge":1025},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1027},{"path":37,"query":1028},{},{},1770892908052,1745427419274,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb07017bfd318431690a5bb35bda35b99",[],{"kind":438,"breakpoints":1035,"originalContentId":681,"winningTest":118,"lastPreviewUrl":1036,"hasLinks":6,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/incident-response?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.a9d5556e77f84a37b5bd52310a7110c1=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.use-case-page:/uc/incident-response=a9d5556e77f84a37b5bd52310a7110c1&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"createdDate":1038,"id":1039,"name":1040,"modelId":261,"published":13,"query":1041,"data":1044,"variations":1149,"lastUpdated":1150,"firstPublished":1151,"testRatio":33,"screenshot":1152,"createdBy":34,"lastUpdatedBy":674,"folders":1153,"meta":1154,"rev":440},1746122471259,"5f118e24433d46ceb79f5099987156d7","Shadow SaaS",[1042],{"@type":264,"property":265,"operator":266,"value":1043},"/uc/shadow-saas",{"seoTitle":1045,"seoDescription":1046,"customFonts":1047,"fontAwesomeIcon":1052,"title":1053,"jsCode":37,"tsCode":37,"blocks":1054,"url":1043,"state":1146},"Find and secure shadow SaaS","See and 
control shadow SaaS in the browser.",[1048],{"kind":273,"variants":1049,"files":1050,"family":272,"version":274,"subsets":1051,"lastModified":275,"category":295,"menu":296},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"300italic":293,"500italic":292,"regular":290,"900italic":286,"italic":289,"100italic":288,"200italic":291,"600italic":294,"700italic":287,"800italic":285},[298,299],"faShieldCheck","Secure shadow SaaS",[1055,1141],{"@type":106,"@version":107,"tagName":323,"id":1056,"meta":1057,"children":1058},"builder-04da805c4cd34652a2db452fcda52e1d",{"previousId":935},[1059,1075,1082,1089,1098,1108,1118,1128,1135],{"@type":106,"@version":107,"id":1060,"meta":1061,"component":1062,"responsiveStyles":1073},"builder-830d414faeaf41439142f9157e8288c8",{"previousId":939},{"name":327,"options":1063,"isRSC":118},{"title":1045,"description":1064,"points":1065,"video":1072},"\u003Cp>SaaS sprawl is one of today’s fastest-growing security blind spots because most tools monitor around the edges. Push sees it at the source, in the browser, revealing every app users access, flagging risky tools, and helping you shut down exposure before it leads to a breach. No guesswork. No nasty surprises. 
Just real-time visibility and control.\u003C/p>",[1066,1068,1070],{"item":1067},"Discover every SaaS app users access, managed or not",{"item":1069},"Spot accounts with weak security postures like missing MFA, unmanaged access, and no SSO",{"item":1071},"Control usage with in-browser prompts, blocks, and security guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F3e4eece318d04d6586e691d59d0741cf%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=3e4eece318d04d6586e691d59d0741cf&alt=media&optimized=true",{"large":1074},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":1076,"meta":1077,"component":1078,"responsiveStyles":1080},"builder-cd7833f966cb4c7e8adf0d6c979414a6",{"previousId":956},{"name":346,"options":1079,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":1081},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":1083,"meta":1084,"component":1085,"responsiveStyles":1087},"builder-49d720b45430454e8b08c526f267c19f",{"previousId":963},{"name":354,"options":1086,"isRSC":118},{"darkMode":41},{"large":1088},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1090,"component":1091,"responsiveStyles":1096},"builder-3dde0bf6c8544e5e9ab41b18a9d68034",{"name":359,"tag":359,"options":1092,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":1093,"description":1094,"image":1095,"reverse":6},"\u003Ch2>Use your browser to curb Saas Sprawl\u003C/h2>","\u003Cp>Shadow SaaS isn’t hiding in your network, it’s in your browser. From AI tools to unsanctioned file-sharing sites, security risks live in the apps your users sign into every day. 
Push maps your organization's true SaaS footprint in real time, exposing apps and accounts with unmanaged access, poor authentication, or no security oversight.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb6811a214c7949b6bbe0b9a3bca62efd",{"large":1097},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1099,"meta":1100,"component":1101,"responsiveStyles":1106},"builder-e2420451ccdc4f088d0a4904cff45935",{"previousId":979},{"name":373,"options":1102,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":1103,"description":1104,"reverse":41,"image":1105},"\u003Ch2>Discover hidden SaaS usage\u003C/h2>","\u003Cp>Push captures live browser telemetry across every tab and session. Whether a user signs into a sanctioned app with a personal account or tries a new AI plugin, you’ll see it in real time, with no integrations or manual tagging.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe16e301f9af94665b95d98232a863d8a",{"large":1107},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":1109,"meta":1110,"component":1111,"responsiveStyles":1116},"builder-b36de7fce7994beea9e58d94662e7166",{"previousId":989},{"name":373,"options":1112,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":1113,"description":1114,"reverse":6,"image":1115},"\u003Ch2>Spot risky access and unsafe usage\u003C/h2>","\u003Cp>Discovery is just the beginning. Push flags apps with risky traits, no MFA, no SSO, known vulnerabilities, or broad access scopes. 
You’ll know which tools introduce real risk, and which users are exposed so you can act with precision.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6585f3c242da4d70ae3cb7d02f481bef",{"large":1117},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":1119,"meta":1120,"component":1121,"responsiveStyles":1126},"builder-dc366b5134684fe7a508edf8913103ea",{"previousId":999},{"name":373,"options":1122,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1123,"description":1124,"reverse":41,"image":1125},"\u003Ch2>Close gaps before they grow\u003C/h2>","\u003Cp>Push turns insight into action. When risky SaaS use is detected, guide users to enable MFA, block high-risk apps, or apply in-browser guardrails automatically. All without deploying new infrastructure or managing dozens of integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe6d60b6d91414819bc6258a318f00557",{"large":1127},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1129,"meta":1130,"component":1131,"responsiveStyles":1133},"builder-8708f6f0d8da4b3f9e17bf16cda70219",{"previousId":1009},{"name":354,"options":1132,"isRSC":118},{"darkMode":6},{"large":1134},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1136,"component":1137,"responsiveStyles":1139},"builder-8ff4b38d60534cf28cb523ab0f754875",{"name":416,"tag":416,"options":1138,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1140},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1142,"@type":106,"tagName":131,"properties":1143,"responsiveStyles":1144},"builder-pixel-d1ul2kmxbed",{"src":133,"aria-hidden":134,"alt":37,"role":135,"w
idth":124,"height":124},{"large":1145},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1147},{"path":37,"query":1148},{},{},1770892936802,1746714967208,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01bfb2304521412fbd2e1a1180904d40",[],{"originalContentId":919,"winningTest":118,"lastPreviewUrl":1155,"breakpoints":1156,"kind":438,"hasLinks":6,"hasAutosaves":6},"https://pushsecurity.com/uc/shadow-saas?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=5f118e24433d46ceb79f5099987156d7&builder.overrides.5f118e24433d46ceb79f5099987156d7=5f118e24433d46ceb79f5099987156d7&builder.overrides.use-case-page:/uc/shadow-saas=5f118e24433d46ceb79f5099987156d7&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":1158,"id":1159,"name":1160,"modelId":261,"published":13,"query":1161,"data":1164,"variations":1268,"lastUpdated":1269,"firstPublished":1270,"testRatio":33,"screenshot":1271,"createdBy":34,"lastUpdatedBy":674,"folders":1272,"meta":1273,"rev":440},1764707470172,"b62629ce2f3741158d961cd10fe74b31","Shadow AI",[1162],{"@type":264,"property":265,"operator":266,"value":1163},"/uc/shadow-ai",{"fontAwesomeIcon":1165,"seoTitle":1166,"jsCode":37,"customFonts":1167,"title":1172,"tsCode":37,"seoDescription":1173,"blocks":1174,"url":1163,"state":1265},"faBrainCircuit","Secure AI 
native and AI enhanced apps. ",[1168],{"variants":1169,"category":295,"files":1170,"subsets":1171,"family":272,"kind":273,"menu":296,"lastModified":275,"version":274},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"800italic":285,"regular":290,"700italic":287,"200italic":291,"italic":289,"500italic":292,"600italic":294,"300italic":293,"100italic":288,"900italic":286},[298,299],"Secure shadow AI","See and control shadow AI apps in the browser.",[1175,1260],{"@type":106,"@version":107,"tagName":323,"id":1176,"meta":1177,"children":1178},"builder-a6e5717a2c914d5695058e4ee201a05d",{"previousId":1056},[1179,1195,1202,1209,1219,1228,1237,1247,1254],{"@type":106,"@version":107,"id":1180,"meta":1181,"component":1182,"responsiveStyles":1193},"builder-3e0ed678683f4a0eb7aa00253cf263b2",{"previousId":1060},{"name":327,"options":1183,"isRSC":118},{"title":1172,"description":1184,"points":1185,"image":1192},"\u003Cp>Your employees are adopting AI faster than you can track it. From native features in corporate apps to unapproved shadow tools, it’s all happening in the browser. 
Push detects every AI interaction in real time, letting you categorize apps and enforce acceptable use policies in the browser.\u003C/p>",[1186,1188,1190],{"item":1187},"Map every AI tool used across your workforce",{"item":1189},"Review and classify apps by sensitivity, purpose, and policy status",{"item":1191},"Enforce AI usage rules directly in the browser","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F33cf153d920f4e389f3650253577cff7",{"large":1194},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":1196,"meta":1197,"component":1198,"responsiveStyles":1200},"builder-76968f8471d14893b8189d75b08fb426",{"previousId":1076},{"name":346,"options":1199,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":1201},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":1203,"meta":1204,"component":1205,"responsiveStyles":1207},"builder-b55b9d4bc5a649d8839ce7f6c2043d95",{"previousId":1083},{"name":354,"options":1206,"isRSC":118},{"darkMode":41},{"large":1208},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1210,"meta":1211,"component":1212,"responsiveStyles":1217},"builder-c3f38ef4d75d4989a29b5903175ed8a1",{"previousId":1090},{"name":359,"tag":359,"options":1213,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":1214,"description":1215,"image":1216,"reverse":6},"\u003Ch2>Use your browser to govern AI \u003C/h2>","\u003Cp>The AI footprint inside your company is bigger than you think. From text generators to meeting assistants and design copilots, employees test, adopt, and connect new tools constantly. 
Push shows you those tools and which users are accessing them, without relying on network scans or API integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F30b43bda6f1644c19478fb1efa20050c",{"large":1218},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1220,"meta":1221,"component":1222,"responsiveStyles":1226},"builder-90ee9cb9afc44e7f885523715bf51a53",{"previousId":1099},{"name":373,"options":1223,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":1224,"description":1225,"reverse":41,"image":1115},"\u003Ch2>Discover every AI tool users touch\u003C/h2>","\u003Cp>Push captures live telemetry from the browser, identifying every AI-native and AI-enhanced application users access. You’ll know which corporate identities are connected, how data flows, and what new AI apps appear across your environment. \u003C/p>",{"large":1227},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":1229,"meta":1230,"component":1231,"responsiveStyles":1235},"builder-9e44539fa53c4d8e87406036c921fc46",{"previousId":1109},{"name":373,"options":1232,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":1233,"description":1234,"reverse":6,"image":1125},"\u003Ch2>Classify and manage AI risk\u003C/h2>","\u003Cp>For apps you choose to allow, Push lets you apply custom in-browser banners. You can bulk-select categories of AI tools and require users to read and acknowledge your acceptable use policy before they proceed. 
This creates an auditable trail and moves policy from an easy to forget document to an active, in-workflow control.\u003C/p>",{"large":1236},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":1238,"meta":1239,"component":1240,"responsiveStyles":1245},"builder-44c1a891926f4bdeaaa37e90721fe6ac",{"previousId":1119},{"name":373,"options":1241,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1242,"description":1243,"reverse":41,"image":1244},"\u003Ch2>Enforce your AI policy in the browser\u003C/h2>","\u003Cp>When an AI tool is deemed non-compliant or too risky, Push blocks it at the source. The block happens directly in the browser, preventing the user from accessing the site or submitting data. This gives you an immediate, powerful lever to stop data exfiltration and enforce a hard line on unacceptable risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa359ac1805af4e15a8a7f84632b9bb55",{"large":1246},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1248,"meta":1249,"component":1250,"responsiveStyles":1252},"builder-dcc906f9cbe54dc68b3c672668e7a38f",{"previousId":1129},{"name":354,"options":1251,"isRSC":118},{"darkMode":6},{"large":1253},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1255,"component":1256,"responsiveStyles":1258},"builder-d2d64780c31b4349bc75805b23a07e38",{"name":416,"tag":416,"options":1257,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1259},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1261,"@type":106,"tagName":131,"properties":1262,"responsiveStyles":1263},"builder-pixel-wxx9tk70r9p",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124
},{"large":1264},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1266},{"path":37,"query":1267},{},{},1770892957225,1764950077593,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe558b8b069884037a8e6904f7ecc029c",[],{"winningTest":118,"breakpoints":1274,"originalContentId":1039,"kind":438,"lastPreviewUrl":1275,"hasLinks":6,"hasAutosaves":41},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/shadow-ai?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=b62629ce2f3741158d961cd10fe74b31&builder.overrides.b62629ce2f3741158d961cd10fe74b31=b62629ce2f3741158d961cd10fe74b31&builder.overrides.use-case-page:/uc/shadow-ai=b62629ce2f3741158d961cd10fe74b31&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"_path":1277,"_dir":1278,"_draft":6,"_partial":6,"_locale":37,"sys":1279,"ogImage":118,"summary":1282,"title":1296,"subtitle":118,"metaTitle":1297,"synopsis":1292,"hashTags":118,"publishedDate":1298,"slug":1299,"tagsCollection":1300,"relatedBlogPostsCollection":1310,"authorsCollection":2191,"content":2195,"_id":2950,"_type":2951,"_source":2952,"_file":2953,"_stem":2954,"_extension":2951},"/blog/is-it-safe-to-allow-my-employees-to-connect-third-party-apps-to-our-m365","blog",{"id":1280,"publishedAt":1281},"68syxk4cmD6QOdVRcDqgEZ","2024-10-01T13:31:27.920Z",{"json":1283},{"data":1284,"content":1285,"nodeType
":1295},{},[1286],{"data":1287,"content":1288,"nodeType":1294},{},[1289],{"data":1290,"marks":1291,"value":1292,"nodeType":1293},{},[],"Learn about the benefits and risks of SaaS integrations and get tips for how to manage the risks.\n","text","paragraph","document","Is it safe to allow my employees to connect third-party apps to our M365/Google Workspace tenant?","Should I connect third-party apps to my M365/Google tenant?","2022-10-12T00:00:00.000Z","is-it-safe-to-allow-my-employees-to-connect-third-party-apps-to-our-m365",{"items":1301},[1302,1306],{"sys":1303,"name":1305},{"id":1304},"1gZi8NrRy2v9OqPV7C4dwD","Risk management",{"sys":1307,"name":1309},{"id":1308},"3pjES4THCIfSAwhGdNwBcy","Identity security",{"items":1311},[1312,1798],{"__typename":1313,"sys":1314,"content":1316,"title":1778,"synopsis":1779,"hashTags":118,"publishedDate":1780,"slug":1781,"tagsCollection":1782,"authorsCollection":1790},"BlogPosts",{"id":1315},"6yiDFGYTMw79qmErstqRqp",{"json":1317},{"data":1318,"content":1319,"nodeType":1295},{},[1320,1355,1359,1366,1373,1382,1389,1406,1413,1420,1440,1501,1504,1511,1582,1598,1605,1613,1633,1640,1662,1669,1676,1683,1690,1697,1704,1710,1717,1724,1740,1743,1761],{"data":1321,"content":1322,"nodeType":1294},{},[1323,1327,1338,1342,1351],{"data":1324,"marks":1325,"value":1326,"nodeType":1293},{},[],"Despite measures by Microsoft to address the issue, ",{"data":1328,"content":1330,"nodeType":1337},{"uri":1329},"https://www.microsoft.com/security/blog/2021/07/14/microsoft-delivers-comprehensive-solution-to-battle-rise-in-consent-phishing-emails/",[1331],{"data":1332,"marks":1333,"value":1336,"nodeType":1293},{},[1334],{"type":1335},"underline","consent phishing is still on the rise","hyperlink",{"data":1339,"marks":1340,"value":1341,"nodeType":1293},{},[],". (Not sure what consent phishing is? 
",{"data":1343,"content":1345,"nodeType":1337},{"uri":1344},"https://pushsecurity.com/blog/consent-phishing-the-emerging-phishing-technique-that-can-bypass-2fa/",[1346],{"data":1347,"marks":1348,"value":1350,"nodeType":1293},{},[1349],{"type":1335},"Read more here",{"data":1352,"marks":1353,"value":1354,"nodeType":1293},{},[],"). Although prevention is best, how do you check this hasn’t already happened? ",{"data":1356,"content":1357,"nodeType":1358},{},[],"hr",{"data":1360,"content":1361,"nodeType":1294},{},[1362],{"data":1363,"marks":1364,"value":1365,"nodeType":1293},{},[],"First, a bit of background on how OAuth apps work in Microsoft 365.",{"data":1367,"content":1368,"nodeType":1294},{},[1369],{"data":1370,"marks":1371,"value":1372,"nodeType":1293},{},[],"When you install an OAuth app in Microsoft 365, you see something like the familiar consent screen below, which shows the app's name and the permissions it's asking for. Once you've given your consent, behind the scenes a “service principal” is created in your tenant - this is your instance of the app. When the app does whatever the app is supposed to do (e.g. inspect your calendar, manage your to-do list etc.), it does it via this service principal.",{"data":1374,"content":1380,"nodeType":1381},{"target":1375},{"sys":1376},{"id":1377,"type":1378,"linkType":1379},"6nPueTKEjLphqlytbQ0gcx","Link","Entry",[],"embedded-entry-block",{"data":1383,"content":1384,"nodeType":1294},{},[1385],{"data":1386,"marks":1387,"value":1388,"nodeType":1293},{},[],"The app is able to authenticate to do this using a token that it is sent during the consent process. 
If you look closely at the URL you visit to get to the consent screen (example below), you’ll see there is a reply URL parameter (redirect_uri) - this is telling Microsoft where to send the token when a user consents (strictly, with response_type=code as in this example, an authorization code that the app then exchanges for the token):",{"data":1390,"content":1391,"nodeType":1294},{},[1392,1396,1402],{"data":1393,"marks":1394,"value":1395,"nodeType":1293},{},[],"https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=\u003Cclient_id>&response_type=code&",{"data":1397,"marks":1398,"value":1401,"nodeType":1293},{},[1399],{"type":1400},"bold","redirect_uri=https%3A%2F%2Fpushsecurity.com ",{"data":1403,"marks":1404,"value":1405,"nodeType":1293},{},[],"&response_mode=query&scope=https%3A%2F%2Fgraph.microsoft.com%2Fcalendars.read%20https%3A%2F%2Fgraph.microsoft.com%2Fmail.send&state=12345",{"data":1407,"content":1408,"nodeType":1294},{},[1409],{"data":1410,"marks":1411,"value":1412,"nodeType":1293},{},[],"The app uses this token to authenticate as the service principal to then do whatever it’s supposed to do. In case your hacker brain is getting ahead of itself, you can’t change the reply URL to any old value to steal tokens. The app developer specifies a list of URLs that are allowed to be used here in the app’s manifest - more on that later.",{"data":1414,"content":1415,"nodeType":1294},{},[1416],{"data":1417,"marks":1418,"value":1419,"nodeType":1293},{},[],"Until recently, this ecosystem was a bit of a wild west. Although you can publish apps in the official app store, you don’t have to. Attackers were able to create an app on their tenant and then send consent URLs encouraging victims to grant them access, often having great success. 
",{"data":1421,"content":1422,"nodeType":1294},{},[1423,1427,1436],{"data":1424,"marks":1425,"value":1426,"nodeType":1293},{},[],"In October 2020, ",{"data":1428,"content":1430,"nodeType":1337},{"uri":1429},"https://techcommunity.microsoft.com/t5/azure-active-directory-identity/publisher-verification-and-app-consent-policies-are-now/ba-p/1257374",[1431],{"data":1432,"marks":1433,"value":1435,"nodeType":1293},{},[1434],{"type":1335},"Microsoft released “Publisher verification”",{"data":1437,"marks":1438,"value":1439,"nodeType":1293},{},[],", allowing developers to be vetted by Microsoft and get a badge of approval on their consent screens. The following month, Microsoft changed policies so users, by default, weren't allowed to consent to apps that didn't come from a verified publisher. This makes a consent phishing attack much more difficult for attackers who are now left with the following options:",{"data":1441,"content":1442,"nodeType":1500},{},[1443,1467,1490],{"data":1444,"content":1445,"nodeType":1466},{},[1446],{"data":1447,"content":1448,"nodeType":1294},{},[1449,1453,1462],{"data":1450,"marks":1451,"value":1452,"nodeType":1293},{},[],"Find a tenant that allows users to consent to non-verified apps. 
The default should have been changed for all to not allow this but you can change it back (in case you’re curious, ",{"data":1454,"content":1456,"nodeType":1337},{"uri":1455},"https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent?tabs=azure-portal",[1457],{"data":1458,"marks":1459,"value":1461,"nodeType":1293},{},[1460],{"type":1335},"see how to check your own settings here",{"data":1463,"marks":1464,"value":1465,"nodeType":1293},{},[],").","list-item",{"data":1468,"content":1469,"nodeType":1466},{},[1470],{"data":1471,"content":1472,"nodeType":1294},{},[1473,1477,1486],{"data":1474,"marks":1475,"value":1476,"nodeType":1293},{},[],"Go through the publisher verification process anyway: the process is ",{"data":1478,"content":1480,"nodeType":1337},{"uri":1479},"https://docs.microsoft.com/en-gb/azure/active-directory/develop/publisher-verification-overview#requirements",[1481],{"data":1482,"marks":1483,"value":1485,"nodeType":1293},{},[1484],{"type":1335},"detailed here",{"data":1487,"marks":1488,"value":1489,"nodeType":1293},{},[],". 
It’s probably possible to trick but requires mocking a real company which is going to be expensive and hard to scale.",{"data":1491,"content":1492,"nodeType":1466},{},[1493],{"data":1494,"content":1495,"nodeType":1294},{},[1496],{"data":1497,"marks":1498,"value":1499,"nodeType":1293},{},[],"Compromise an already verified publisher: definitely adds cost and complexity to an attack but would be an extremely valuable and effective approach - how much do you trust the security of all your app publishers?","unordered-list",{"data":1502,"content":1503,"nodeType":1358},{},[],{"data":1505,"content":1506,"nodeType":1294},{},[1507],{"data":1508,"marks":1509,"value":1510,"nodeType":1293},{},[],"So let’s look for some malicious apps...",{"data":1512,"content":1513,"nodeType":1294},{},[1514,1518,1527,1531,1540,1544,1553,1557,1566,1570,1578],{"data":1515,"marks":1516,"value":1517,"nodeType":1293},{},[],"The Azure AD interface to inspect OAuth apps, or service principals, is the ",{"data":1519,"content":1521,"nodeType":1337},{"uri":1520},"https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AllApps/menuId/",[1522],{"data":1523,"marks":1524,"value":1526,"nodeType":1293},{},[1525],{"type":1335},"Enterprise Applications blade",{"data":1528,"marks":1529,"value":1530,"nodeType":1293},{},[]," but it’s lacking key information you need for this exercise like the reply URLs and publisher status. 
You might be able to see similar info if you have the licenses for ",{"data":1532,"content":1534,"nodeType":1337},{"uri":1533},"https://docs.microsoft.com/en-gb/cloud-app-security/what-is-cloud-app-security",[1535],{"data":1536,"marks":1537,"value":1539,"nodeType":1293},{},[1538],{"type":1335},"Cloud App Security",{"data":1541,"marks":1542,"value":1543,"nodeType":1293},{},[]," but they’re expensive - you can also get full information about service principals from ",{"data":1545,"content":1547,"nodeType":1337},{"uri":1546},"https://docs.microsoft.com/en-us/graph/api/resources/serviceprincipal?view=graph-rest-1.0",[1548],{"data":1549,"marks":1550,"value":1552,"nodeType":1293},{},[1551],{"type":1335},"Graph API",{"data":1554,"marks":1555,"value":1556,"nodeType":1293},{},[],", or ",{"data":1558,"content":1560,"nodeType":1337},{"uri":1559},"https://docs.microsoft.com/en-us/powershell/module/az.resources/get-azadserviceprincipal?view=azps-6.3.0",[1561],{"data":1562,"marks":1563,"value":1565,"nodeType":1293},{},[1564],{"type":1335},"PowerShell",{"data":1567,"marks":1568,"value":1569,"nodeType":1293},{},[]," (is it too early to say that ",{"data":1571,"content":1573,"nodeType":1337},{"uri":1572},"/features/secure-oauth-permissions-and-applications/",[1574],{"data":1575,"marks":1576,"value":1577,"nodeType":1293},{},[],"Push can also solve this problem",{"data":1579,"marks":1580,"value":1581,"nodeType":1293},{},[]," for you in only a few button clicks?)",{"data":1583,"content":1584,"nodeType":1294},{},[1585,1589,1594],{"data":1586,"marks":1587,"value":1588,"nodeType":1293},{},[],"Right off the bat, ",{"data":1590,"marks":1591,"value":1593,"nodeType":1293},{},[1592],{"type":1400},"we can disregard a lot of the information presented by the app",{"data":1595,"marks":1596,"value":1597,"nodeType":1293},{},[],". The app’s name, home page, logo can all be anything an attacker says so if they’re trying to trick a user this will most likely look convincing and legitimate. 
The best you can do here is sanity-check that this app makes sense in the context of your organisation or this user. ",{"data":1599,"content":1600,"nodeType":1294},{},[1601],{"data":1602,"marks":1603,"value":1604,"nodeType":1293},{},[],"So what is useful?",{"data":1606,"content":1607,"nodeType":1612},{},[1608],{"data":1609,"marks":1610,"value":1611,"nodeType":1293},{},[],"What can the app do?","heading-2",{"data":1614,"content":1615,"nodeType":1294},{},[1616,1620,1629],{"data":1617,"marks":1618,"value":1619,"nodeType":1293},{},[],"Start by prioritising apps by the permissions they’ve been granted. Attackers will often target access to mail, files, or admin functionality so any app that requests these should be subject to more scrutiny and looked at first. As with any security exercise, you’ll know best what’s sensitive to your organisation, so apply that logic here. If you are unsure what a specific permission means, ",{"data":1621,"content":1623,"nodeType":1337},{"uri":1622},"https://docs.microsoft.com/en-us/graph/permissions-reference",[1624],{"data":1625,"marks":1626,"value":1628,"nodeType":1293},{},[1627],{"type":1335},"here's a full reference",{"data":1630,"marks":1631,"value":1632,"nodeType":1293},{},[],". ",{"data":1634,"content":1635,"nodeType":1612},{},[1636],{"data":1637,"marks":1638,"value":1639,"nodeType":1293},{},[],"Access to all data or just specific users?",{"data":1641,"content":1642,"nodeType":1294},{},[1643,1647,1658],{"data":1644,"marks":1645,"value":1646,"nodeType":1293},{},[],"It’s important to understand the difference between app permissions (Microsoft’s documentation calls these application permissions) and delegated permissions. In short, app permissions grant tenant-wide access, while delegated permissions grant access as the user. For example, if the app permission Mail.Read was granted to an app, it could read everyone’s email. If the delegated permission Mail.Read was granted to an app, it could only read the mail of the person who granted permission. 
",{"data":1648,"content":1652,"nodeType":1657},{"target":1649},{"sys":1650},{"id":1651,"type":1378,"linkType":1379},"16568b78-3c85-451f-bb62-9d50148ca1b9",[1653],{"data":1654,"marks":1655,"value":1656,"nodeType":1293},{},[],"Learn more about app vs. delegated permissions here","entry-hyperlink",{"data":1659,"marks":1660,"value":1661,"nodeType":1293},{},[],".",{"data":1663,"content":1664,"nodeType":1612},{},[1665],{"data":1666,"marks":1667,"value":1668,"nodeType":1293},{},[],"How many users have installed this app?",{"data":1670,"content":1671,"nodeType":1294},{},[1672],{"data":1673,"marks":1674,"value":1675,"nodeType":1293},{},[],"If you are the victim of consent phishing, hopefully the attacker only managed to dupe a small number of users, so common advice would be prioritise apps with a low install count. Although this makes sense, it’s often not that practical since, unless you’ve been running a tight ship, you’ll probably find a lot of apps used by one or two people.",{"data":1677,"content":1678,"nodeType":1294},{},[1679],{"data":1680,"marks":1681,"value":1682,"nodeType":1293},{},[],"On the flip side, app permissions can only be approved by an admin; admins can also consent to delegated permissions on behalf of all users. So apps with these permissions - effectively tenant-wide access - have also probably been approved by only a single user. Hopefully you have more faith in your admins’ ability to spot a phish but you should still treat these as having only been vetted by a single user.",{"data":1684,"content":1685,"nodeType":1612},{},[1686],{"data":1687,"marks":1688,"value":1689,"nodeType":1293},{},[],"Where the tokens go - the thing you can’t spoof",{"data":1691,"content":1692,"nodeType":1294},{},[1693],{"data":1694,"marks":1695,"value":1696,"nodeType":1293},{},[],"The only piece of information an app can’t lie about is its reply URLs. As mentioned above, these are the URLs that Microsoft is allowed to send an access token to when a user consents. 
If the app publisher doesn’t own these domains, they won’t ever receive their token and they can’t use the app’s access. If you can confirm all the reply URLs specified by the app are legitimately owned by the organisation the app is supposed to be from, you can be fairly confident the app is owned by them.",{"data":1698,"content":1699,"nodeType":1294},{},[1700],{"data":1701,"marks":1702,"value":1703,"nodeType":1293},{},[],"In the interests of keeping this short(er), a guide on domain analysis is probably out of scope. However, here’s a real-world example of a malicious OAuth app that was pretending to be Salesforce-related, using a pretty suspicious-looking URL, so you won’t always need deep analysis:",{"data":1705,"content":1709,"nodeType":1381},{"target":1706},{"sys":1707},{"id":1708,"type":1378,"linkType":1379},"1oSdJPeXHsGlAXeX6Q2UOs",[],{"data":1711,"content":1712,"nodeType":1612},{},[1713],{"data":1714,"marks":1715,"value":1716,"nodeType":1293},{},[],"Is it verified? Does it matter?",{"data":1718,"content":1719,"nodeType":1294},{},[1720],{"data":1721,"marks":1722,"value":1723,"nodeType":1293},{},[],"You might be tempted to trust any app that is verified by Microsoft. The stamp of verification is clearly worth something but, as mentioned earlier, don’t discount the possibility of a determined attacker compromising a verified publisher to publish their own malicious app or edit an existing one. ",{"data":1725,"content":1726,"nodeType":1294},{},[1727,1731,1736],{"data":1728,"marks":1729,"value":1730,"nodeType":1293},{},[],"Likewise, you might also find a lot of your service principals, even ones by seemingly reputable publishers, are reported as not verified. This is because the service principal is an instance of the app at the time of install - if the publisher wasn’t verified at that point, the service principal won’t be (even if the publisher has since been verified). 
Since Microsoft only introduced publisher verification in 2020, all apps installed before this date will report as unverified. For reference, 78% of the service principals we’ve looked at report as having unverified publishers so this isn’t ",{"data":1732,"marks":1733,"value":1735,"nodeType":1293},{},[1734],{"type":312},"necessarily",{"data":1737,"marks":1738,"value":1739,"nodeType":1293},{},[]," something to worry about. ",{"data":1741,"content":1742,"nodeType":1358},{},[],{"data":1744,"content":1745,"nodeType":1294},{},[1746,1750,1757],{"data":1747,"marks":1748,"value":1749,"nodeType":1293},{},[],"If you find apps that look like they don't belong and you're worried they're the result of consent phishing, as well as removing the app's access (you can do this on the app's Properties page in the ",{"data":1751,"content":1753,"nodeType":1337},{"uri":1752},"https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AllApps",[1754],{"data":1755,"marks":1756,"value":1526,"nodeType":1293},{},[],{"data":1758,"marks":1759,"value":1760,"nodeType":1293},{},[],"), you should investigate how the app got there in the first place. A detailed walkthrough of how to fully investigate is coming soon.",{"data":1762,"content":1763,"nodeType":1294},{},[1764,1768,1775],{"data":1765,"marks":1766,"value":1767,"nodeType":1293},{},[],"You can gather information about the apps in your Microsoft 365 tenant with only a few clicks using the Push platform. See which apps are installed on your tenant, what kind of access they have and if we think any look suspicious. It only takes a few minutes and is totally free! ",{"data":1769,"content":1770,"nodeType":1337},{"uri":1572},[1771],{"data":1772,"marks":1773,"value":1774,"nodeType":1293},{},[],"Check it out.",{"data":1776,"marks":1777,"value":37,"nodeType":1293},{},[],"How to find a malicious OAuth app on Microsoft 365 ","How do you find a malicious Microsoft 365 OAuth app? 
Learn what to look for, and what to ignore, when checking your users haven't been consent phished.","2021-09-06T00:00:00.000+01:00","how-to-find-a-malicious-oauth-app-on-microsoft-365",{"items":1783},[1784,1786],{"sys":1785,"name":1309},{"id":1308},{"sys":1787,"name":1789},{"id":1788},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"items":1791},[1792],{"fullName":1793,"firstName":1794,"jobTitle":1795,"profilePicture":1796},"Andy Waugh","Andy","VP Product",{"url":1797},"https://images.ctfassets.net/y1cdw1ablpvd/3Rf76rJn6S9inMb4dUnAIJ/0a787f8141d05b95300e2fe77c4493fa/DSC_6868.jpg",{"__typename":1313,"sys":1799,"content":1801,"title":2173,"synopsis":2174,"hashTags":118,"publishedDate":2175,"slug":2176,"tagsCollection":2177,"authorsCollection":2183},{"id":1800},"1pbtctbbJRqLuz8dOsecOt",{"json":1802},{"data":1803,"content":1804,"nodeType":1295},{},[1805,1812,1819,1825,1832,1838,1845,1852,1859,1866,1873,1879,1886,1894,1901,1919,1937,1955,1985,2011,2029,2036,2043,2050,2057,2064,2071,2089,2120,2127,2145,2152,2159,2166],{"data":1806,"content":1807,"nodeType":1294},{},[1808],{"data":1809,"marks":1810,"value":1811,"nodeType":1293},{},[],"We have all seen the option on websites to login using a variety of different tech giant accounts (“Login with Google, Login with Microsoft”), instead of creating a new account or using username and password. This is known as a social login and, less often, social sign-in or social sign-on. ",{"data":1813,"content":1814,"nodeType":1294},{},[1815],{"data":1816,"marks":1817,"value":1818,"nodeType":1293},{},[],"Normally, this is more associated with personal use than business use, but it’s just as possible for employees to log into a SaaS platform using a business Google Workspace account - but should we be encouraging or discouraging this behavior? We’ll answer that question in this article but, spoiler alert, at Push Security we encourage it in most cases and we’ll explain why in this article. 
",{"data":1820,"content":1824,"nodeType":1381},{"target":1821},{"sys":1822},{"id":1823,"type":1378,"linkType":1379},"47o2DQc4uabGwXXN85HBUG",[],{"data":1826,"content":1827,"nodeType":1294},{},[1828],{"data":1829,"marks":1830,"value":1831,"nodeType":1293},{},[],"We've created a quick and dirty video demo of a social login to help explain the concept: ",{"data":1833,"content":1837,"nodeType":1381},{"target":1834},{"sys":1835},{"id":1836,"type":1378,"linkType":1379},"2rIwQIeOZ9cZY47vUrYkf3",[],{"data":1839,"content":1840,"nodeType":1612},{},[1841],{"data":1842,"marks":1843,"value":1844,"nodeType":1293},{},[],"What is a social login?",{"data":1846,"content":1847,"nodeType":1294},{},[1848],{"data":1849,"marks":1850,"value":1851,"nodeType":1293},{},[],"So what actually happens when you click to login with Google? Aren’t you just giving your Google password to some random website? That’s a security concern many people have but, thankfully, that isn’t the case. ",{"data":1853,"content":1854,"nodeType":1294},{},[1855],{"data":1856,"marks":1857,"value":1858,"nodeType":1293},{},[],"Social logins actually work using OAuth 2.0, which stands for “Open Authorization.” It’s a standard to allow third-party apps to access your data. OAuth is actually for a much broader set of use cases than just social logins, but that’s for another article. ",{"data":1860,"content":1861,"nodeType":1294},{},[1862],{"data":1863,"marks":1864,"value":1865,"nodeType":1293},{},[],"Let’s focus on what happens when you click to sign-in with Google. You’re actually redirected to Google’s own servers and asked to authorize the website to be granted any access to your data that it has requested. 
In a simple social login case, the website should only be asking for minimal access to view simple details, such as your email address and full name in order to verify your identity.",{"data":1867,"content":1868,"nodeType":1294},{},[1869],{"data":1870,"marks":1871,"value":1872,"nodeType":1293},{},[],"If this is the case, Google does not even specifically ask you to accept those permissions, it just verifies which Google account you would like to use. If you are already logged in with Google then you won’t even need to enter your password.",{"data":1874,"content":1878,"nodeType":1381},{"target":1875},{"sys":1876},{"id":1877,"type":1378,"linkType":1379},"2PbJH7qfRYIxJRBmHJLSdI",[],{"data":1880,"content":1881,"nodeType":1294},{},[1882],{"data":1883,"marks":1884,"value":1885,"nodeType":1293},{},[],"…and that’s it, you’ve just socially logged in to a website using your Google account. You didn’t need to create an account, set a password, use a password manager or even enter your Google password. It was so easy! But is it secure?",{"data":1887,"content":1888,"nodeType":1893},{},[1889],{"data":1890,"marks":1891,"value":1892,"nodeType":1293},{},[],"Security Benefits","heading-1",{"data":1895,"content":1896,"nodeType":1294},{},[1897],{"data":1898,"marks":1899,"value":1900,"nodeType":1293},{},[],"The short answer is - yes, it is secure, and there are actually many security benefits. Let’s consider some of them:",{"data":1902,"content":1903,"nodeType":1500},{},[1904],{"data":1905,"content":1906,"nodeType":1466},{},[1907],{"data":1908,"content":1909,"nodeType":1294},{},[1910,1915],{"data":1911,"marks":1912,"value":1914,"nodeType":1293},{},[1913],{"type":1400},"Multi-Factor authentication (MFA) everywhere!",{"data":1916,"marks":1917,"value":1918,"nodeType":1293},{},[]," - You’ve followed good security practice and enabled MFA for all of your Google accounts, right? 
Great, well then every other SaaS platform that your employees use social logins for just inherited MFA protection for free! Not only does the platform not even need to support MFA on its own (most don’t), but you don't even need to set it up!",{"data":1920,"content":1921,"nodeType":1500},{},[1922],{"data":1923,"content":1924,"nodeType":1466},{},[1925],{"data":1926,"content":1927,"nodeType":1294},{},[1928,1933],{"data":1929,"marks":1930,"value":1932,"nodeType":1293},{},[1931],{"type":1400},"Easy password resets",{"data":1934,"marks":1935,"value":1936,"nodeType":1293},{},[]," - Ok, so one of your employees gets their (commonly shared) password phished. All those SaaS accounts could be immediately compromised and how many password resets now need to be performed? Oh, they use a password manager? Ok, what if their laptop is compromised with malware? You need to assume the password manager is compromised too. That’s still a lot of password resets. On the other hand, if you use social logins for everything you only have one password to change. If you have MFA too, it probably would have been tough for the attacker to make use of that password during the compromise window before the change.",{"data":1938,"content":1939,"nodeType":1500},{},[1940],{"data":1941,"content":1942,"nodeType":1466},{},[1943],{"data":1944,"content":1945,"nodeType":1294},{},[1946,1951],{"data":1947,"marks":1948,"value":1950,"nodeType":1293},{},[1949],{"type":1400},"Easy offboarding -",{"data":1952,"marks":1953,"value":1954,"nodeType":1293},{},[]," When an employee leaves the company, it’s not so hard to delete their core business accounts, but it’s much more painful to have a process for removing all old SaaS accounts too. If social logins are well implemented by the SaaS provider then the removal of a Google Workspace account automatically means the corresponding SaaS accounts are no longer accessible either.  
",{"data":1956,"content":1957,"nodeType":1500},{},[1958],{"data":1959,"content":1960,"nodeType":1466},{},[1961],{"data":1962,"content":1963,"nodeType":1294},{},[1964,1969,1973,1981],{"data":1965,"marks":1966,"value":1968,"nodeType":1293},{},[1967],{"type":1400},"Visibility",{"data":1970,"marks":1971,"value":1972,"nodeType":1293},{},[]," - If employees use custom logins for all their SaaS platforms, you’ll have no idea what SaaS platforms are in use (unless you use the Push browser extension ;)). With social logins, you can see exactly which platforms your employees are using across the organization. (",{"data":1974,"content":1976,"nodeType":1337},{"uri":1975},"https://support.google.com/a/answer/7281227?hl=en#zippy=",[1977],{"data":1978,"marks":1979,"value":1975,"nodeType":1293},{},[1980],{"type":1335},{"data":1982,"marks":1983,"value":1984,"nodeType":1293},{},[],") ",{"data":1986,"content":1987,"nodeType":1500},{},[1988],{"data":1989,"content":1990,"nodeType":1466},{},[1991],{"data":1992,"content":1993,"nodeType":1294},{},[1994,1999,2003,2008],{"data":1995,"marks":1996,"value":1998,"nodeType":1293},{},[1997],{"type":1400},"Simplicity ",{"data":2000,"marks":2001,"value":2002,"nodeType":1293},{},[],"- Complexity is often the enemy of security and, let’s face it, getting all your employees to use password managers with different passwords for large numbers of accounts, creating new accounts every time, handling password changes for all of them, etc., is the definition of complexity. On the other hand, social logins are just so simple. You login to Google once, then any other SaaS platform you want to access that supports them you just click “login with Google”, select your account and you’re done. 
That’s it - ",{"data":2004,"marks":2005,"value":2007,"nodeType":1293},{},[2006],{"type":1400},"simplicity benefits security",{"data":2009,"marks":2010,"value":1632,"nodeType":1293},{},[],{"data":2012,"content":2013,"nodeType":1500},{},[2014],{"data":2015,"content":2016,"nodeType":1466},{},[2017],{"data":2018,"content":2019,"nodeType":1294},{},[2020,2025],{"data":2021,"marks":2022,"value":2024,"nodeType":1293},{},[2023],{"type":1400},"No shared passwords ",{"data":2026,"marks":2027,"value":2028,"nodeType":1293},{},[],"- Let’s face it, it’s difficult to get employees to use password managers for everything and commonly people end up using the same one or two passwords for everything. Then all it takes is for any one platform to be compromised and that account is compromised for any other platforms where the password is shared. Therefore, your security is dependent on the security of the weakest of the many platforms you use. On the other hand, if you use social logins for everything, there is only ever one strongly protected account, which is much less likely to be compromised.",{"data":2030,"content":2031,"nodeType":1294},{},[2032],{"data":2033,"marks":2034,"value":2035,"nodeType":1293},{},[],"Our view is that it’s better to have one account that you put all your focus on securing as best as possible than many accounts that individually have a lower level of security. ",{"data":2037,"content":2038,"nodeType":1294},{},[2039],{"data":2040,"marks":2041,"value":2042,"nodeType":1293},{},[],"But why would I want everything in one account, protected with one password? If your Google account is used to access everything then all your eggs are in one basket, right? If your Google account is compromised, or even Google themselves are compromised, then everything else you use is compromised too. Pretty concerning, right? This is true and it does remain a risk. 
",{"data":2044,"content":2045,"nodeType":1294},{},[2046],{"data":2047,"marks":2048,"value":2049,"nodeType":1293},{},[],"However, if you’re a Google Workspace user then you’re trusting Google with most of your key data anyway - all your email, documents, calendar appointments etc are stored with Google and accessed using Google accounts. Also, if your Google email gets hacked that can generally be used to password reset all your other accounts anyway! Plus, using a password manager could also be argued to be putting all your eggs in one basket.",{"data":2051,"content":2052,"nodeType":1294},{},[2053],{"data":2054,"marks":2055,"value":2056,"nodeType":1293},{},[],"We’ll go into some of the potential concerns of using social logins in this next section because there may be some valid use cases where you won’t want to use them.",{"data":2058,"content":2059,"nodeType":1893},{},[2060],{"data":2061,"marks":2062,"value":2063,"nodeType":1293},{},[],"Security Caveats",{"data":2065,"content":2066,"nodeType":1294},{},[2067],{"data":2068,"marks":2069,"value":2070,"nodeType":1293},{},[],"Ok, we said at Push Security that we encourage the use of social logins. But we aren’t going to wave our hands and cover up any downsides - as always, there are some. We consider some of the following to be key drawbacks:",{"data":2072,"content":2073,"nodeType":1500},{},[2074],{"data":2075,"content":2076,"nodeType":1466},{},[2077],{"data":2078,"content":2079,"nodeType":1294},{},[2080,2085],{"data":2081,"marks":2082,"value":2084,"nodeType":1293},{},[2083],{"type":1400},"Giving away sensitive data",{"data":2086,"marks":2087,"value":2088,"nodeType":1293},{},[]," - This article has been entirely focused on social logins, but we said at the start that OAuth was for more than that. When a user logs in using Google, the website can ask for permissions far beyond what is needed for a simple social login. 
These can be sensitive, such as allowing access to emails, calendars, Google Drive documents etc and the user will be prompted separately to accept or refuse this. In most cases, you’ll probably find websites do not request additional permissions for a simple login/signup but may do if you enable more advanced integrations. However, some websites may just ask for the kitchen sink from the first login. It’s possible your employees may then start giving away sensitive access to third parties without a second thought.",{"data":2090,"content":2091,"nodeType":1294},{},[2092,2096,2106,2110,2117],{"data":2093,"marks":2094,"value":2095,"nodeType":1293},{},[],"There are also malicious apps created simply to exploit permissions so they can gain access to an employee’s or company’s data by requesting excessive permissions and requesting the employee to opt into them by default. This is called consent phishing and we’ve written up a ",{"data":2097,"content":2101,"nodeType":1657},{"target":2098},{"sys":2099},{"id":2100,"type":1378,"linkType":1379},"1bV8YTSQHvveCTnRc4H8su",[2102],{"data":2103,"marks":2104,"value":2105,"nodeType":1293},{},[],"quick guide",{"data":2107,"marks":2108,"value":2109,"nodeType":1293},{},[]," here about what the risk is, how it works, and how to handle it. ",{"data":2111,"content":2112,"nodeType":1337},{"uri":1344},[2113],{"data":2114,"marks":2115,"value":37,"nodeType":1293},{},[2116],{"type":1335},{"data":2118,"marks":2119,"value":37,"nodeType":1293},{},[],{"data":2121,"content":2122,"nodeType":1294},{},[2123],{"data":2124,"marks":2125,"value":2126,"nodeType":1293},{},[],"You can always see what access has been given by your employees to different platforms and review accordingly and you can even configure more sensitive permissions as restricted so your employees can’t accept them on their own. However, this risk remains, whereas it’s not as easy for an employee to inadvertently open up significant data access with a custom login for a website.   
",{"data":2128,"content":2129,"nodeType":1500},{},[2130],{"data":2131,"content":2132,"nodeType":1466},{},[2133],{"data":2134,"content":2135,"nodeType":1294},{},[2136,2141],{"data":2137,"marks":2138,"value":2140,"nodeType":1293},{},[2139],{"type":1400},"Privacy and Anonymity",{"data":2142,"marks":2143,"value":2144,"nodeType":1293},{},[]," - if you use social logins for everything, then every SaaS platform your employees use will have at least some access to basic personal information for your employees that use them. Google will also probably have more information about what SaaS providers you are using than they would otherwise, too. ",{"data":2146,"content":2147,"nodeType":1294},{},[2148],{"data":2149,"marks":2150,"value":2151,"nodeType":1293},{},[],"Maybe you just wanted to try out a new SaaS service without getting spammed by their sales team for the next 12 months? For that, you might want to go with an anonymous, disposable email address. Whatever the case, social logins will always give away basic personal details at a minimum and there might be times where this isn’t desirable. But for most companies, we’ve found those to be edge cases.",{"data":2153,"content":2154,"nodeType":1294},{},[2155],{"data":2156,"marks":2157,"value":2158,"nodeType":1293},{},[],"You may not necessarily want the public (or your adversaries) to know what SaaS apps employees are using. If an attacker gained access to your Google or Microsoft account that you were using for social login, they would be able to see the apps that are accessed with social login. 
On the other hand, if an attacker gets access to your primary core business platforms, this is likely going to be the least of your concerns.",{"data":2160,"content":2161,"nodeType":1893},{},[2162],{"data":2163,"marks":2164,"value":2165,"nodeType":1293},{},[],"Conclusion",{"data":2167,"content":2168,"nodeType":1294},{},[2169],{"data":2170,"marks":2171,"value":2172,"nodeType":1293},{},[],"Social logins are good for business use for third-party SaaS platforms, not just for personal use. They save time and bring many security benefits in most cases too. As long as you understand the residual risks that remain and are happy managing those risks, you should consider encouraging your users to use social logins. ","Should I let my employees login with their work Google account?","Is logging in with Google or Microsoft secure? Yes, with caveats. ","2022-10-04T00:00:00.000Z","should-i-let-my-employees-login-with-their-work-google-account",{"items":2178},[2179,2181],{"sys":2180,"name":1305},{"id":1304},{"sys":2182,"name":1309},{"id":1308},{"items":2184},[2185],{"fullName":2186,"firstName":2187,"jobTitle":2188,"profilePicture":2189},"Luke Jennings","Luke","Vice President, R&D",{"url":2190},"https://images.ctfassets.net/y1cdw1ablpvd/4Hosb4zKi1dA0PUyDLMe1h/27e09d894861f2196ba794037986fb08/T016S22KZ96-U02NVQM7ZD4-57761d542d83-512.jpeg",{"items":2192},[2193],{"fullName":2186,"firstName":2187,"jobTitle":2188,"profilePicture":2194},{"url":2190},{"json":2196,"links":2875},{"nodeType":1295,"data":2197,"content":2198},{},[2199,2206,2213,2220,2240,2247,2277,2284,2291,2310,2316,2323,2330,2336,2343,2350,2356,2363,2369,2375,2382,2388,2395,2401,2408,2415,2422,2429,2436,2443,2450,2457,2464,2527,2534,2702,2709,2716,2863,2869],{"nodeType":1294,"data":2200,"content":2201},{},[2202],{"nodeType":1293,"value":2203,"marks":2204,"data":2205},"It’s no secret that SaaS use is growing exponentially, but less has been said about third-party SaaS integrations, especially to core platforms like M365 or 
Google Workspace. In this article, we’ll explain what these third-party integrations are and what the security benefits vs risks of using them in your organization are. We’ll also provide some helpful tips about what you can do to remediate or at least lessen the risks.",[],{},{"nodeType":1893,"data":2207,"content":2208},{},[2209],{"nodeType":1293,"value":2210,"marks":2211,"data":2212},"What are third-party SaaS integrations and what the heck is OAuth?",[],{},{"nodeType":1294,"data":2214,"content":2215},{},[2216],{"nodeType":1293,"value":2217,"marks":2218,"data":2219},"A third-party SaaS integration with your M365 or Google Workspace deployment allows an employee (or administrator) to grant some level of access to your data by that SaaS vendor. Employees want to connect these apps because they want to easily share projects across their tools, or integrate add-on features that make their workspaces more flexible or customized to their needs, or they simply need them to be more productive. And those apps must have some level of access to your data (and the employee’s data) to function properly. The problem comes in primarily because the level of access each app requests can vary significantly by both the type of data exposed and the number of employees it affects. 
",[],{},{"nodeType":1294,"data":2221,"content":2222},{},[2223,2227,2236],{"nodeType":1293,"value":2224,"marks":2225,"data":2226},"It can be as simple as sharing an employee’s full name and email address with the SaaS provider if they login using their business Microsoft/Google account, otherwise known as a \"",[],{},{"nodeType":1657,"data":2228,"content":2231},{"target":2229},{"sys":2230},{"id":1800,"type":1378,"linkType":1379},[2232],{"nodeType":1293,"value":2233,"marks":2234,"data":2235},"social login",[],{},{"nodeType":1293,"value":2237,"marks":2238,"data":2239},".\" However, integrations can also request access to much more sensitive data, such as email inboxes and document stores (OneDrive, Sharepoint, Google Drive). Employees with administrative privileges can even create integrations that allow access to all employees’ data, rather than sharing only their own data. ",[],{},{"nodeType":1294,"data":2241,"content":2242},{},[2243],{"nodeType":1293,"value":2244,"marks":2245,"data":2246},"Clearly, the security and compliance risks associated are highly variable depending on the type of integration.",[],{},{"nodeType":1294,"data":2248,"content":2249},{},[2250,2254,2261,2265,2273],{"nodeType":1293,"value":2251,"marks":2252,"data":2253},"OAuth is an industry standard protocol for authorization (",[],{},{"nodeType":1337,"data":2255,"content":2257},{"uri":2256},"https://oauth.net/2/",[2258],{"nodeType":1293,"value":2256,"marks":2259,"data":2260},[],{},{"nodeType":1293,"value":2262,"marks":2263,"data":2264},"). If you want to share your data on one app with another third-party app, rather than share your username and password, OAuth provides a way to authorize access to specific data based on a set of permissions. You can even later revoke access to specific apps without changing your password. 
A vendor that allows sharing of their data via OAuth can implement their own custom permissions - Google implements hundreds of permissions alone (",[],{},{"nodeType":1337,"data":2266,"content":2268},{"uri":2267},"https://developers.google.com/identity/protocols/oauth2/scopes",[2269],{"nodeType":1293,"value":2267,"marks":2270,"data":2272},[2271],{"type":1335},{},{"nodeType":1293,"value":2274,"marks":2275,"data":2276},"). ",[],{},{"nodeType":1294,"data":2278,"content":2279},{},[2280],{"nodeType":1293,"value":2281,"marks":2282,"data":2283},"Essentially, OAuth is the protocol that allows you to easily choose which data you share with who and thus is a very common approach for how SaaS platforms integrate with other core SaaS platforms like Google or Microsoft.    ",[],{},{"nodeType":1612,"data":2285,"content":2286},{},[2287],{"nodeType":1293,"value":2288,"marks":2289,"data":2290},"An Example - Adobe Creative Cloud",[],{},{"nodeType":1294,"data":2292,"content":2293},{},[2294,2298,2306],{"nodeType":1293,"value":2295,"marks":2296,"data":2297},"Let’s say your Marketing team wants to make use of Adobe Creative Cloud - perhaps they need Photoshop for some image-editing and Acrobat for some PDF-editing for marketing materials. 
They pop along to ",[],{},{"nodeType":1337,"data":2299,"content":2301},{"uri":2300},"https://creativecloud.adobe.com/",[2302],{"nodeType":1293,"value":2300,"marks":2303,"data":2305},[2304],{"type":1335},{},{"nodeType":1293,"value":2307,"marks":2308,"data":2309}," and click to sign up and are presented with the following choice: ",[],{},{"nodeType":1381,"data":2311,"content":2315},{"target":2312},{"sys":2313},{"id":2314,"type":1378,"linkType":1379},"ffx3tPYZNwZD6xj7IcLm1",[],{"nodeType":1294,"data":2317,"content":2318},{},[2319],{"nodeType":1293,"value":2320,"marks":2321,"data":2322},"Your organization is using Google Workspace for most core business functions, so they think “Oh great, I can login using my business Google account, no need to setup yet another online account and password!”",[],{},{"nodeType":1294,"data":2324,"content":2325},{},[2326],{"nodeType":1293,"value":2327,"marks":2328,"data":2329},"They click to “Continue with Google” and are presented with the choice to select their account. They are already logged in with Google so they don’t even need to enter their password.",[],{},{"nodeType":1381,"data":2331,"content":2335},{"target":2332},{"sys":2333},{"id":2334,"type":1378,"linkType":1379},"507PcDcFrMbGBdpVzt8RFl",[],{"nodeType":1294,"data":2337,"content":2338},{},[2339],{"nodeType":1293,"value":2340,"marks":2341,"data":2342},"That’s it, they are now signed up to Adobe Creative Cloud, they pay their subscription and start using Adobe’s SaaS offerings. This is known as a Social Login, and it lets your marketing team quickly and easily log into Adobe using their existing Google account.",[],{},{"nodeType":1294,"data":2344,"content":2345},{},[2346],{"nodeType":1293,"value":2347,"marks":2348,"data":2349},"However, very limited data access has actually been provided to Adobe. 
Adobe has only been authorized to access basic details of the employee who signed up, as you can see in the integration details below:",[],{},{"nodeType":1381,"data":2351,"content":2355},{"target":2352},{"sys":2353},{"id":2354,"type":1378,"linkType":1379},"HwDgqIjni9MzkwGJikdk1",[],{"nodeType":1294,"data":2357,"content":2358},{},[2359],{"nodeType":1293,"value":2360,"marks":2361,"data":2362},"However, after some use of Photoshop and Acrobat, your marketing team needs to both open and save documents on their Google Drive or OneDrive as that’s how they collaborate on all other documents within the company. No problem, Adobe allows you to add one of many cloud storage options. Given your company is using Google Drive, they pick that option and are presented with a new permission request from Google:",[],{},{"nodeType":1381,"data":2364,"content":2368},{"target":2365},{"sys":2366},{"id":2367,"type":1378,"linkType":1379},"3pVLUawIy8ZIZwFCZXCOs8",[],{"nodeType":1381,"data":2370,"content":2374},{"target":2371},{"sys":2372},{"id":2373,"type":1378,"linkType":1379},"zNKE1Et3zgLPFmdrvQrh4",[],{"nodeType":1294,"data":2376,"content":2377},{},[2378],{"nodeType":1293,"value":2379,"marks":2380,"data":2381},"This time, Adobe is requesting much more sensitive access than merely basic personal details - it’s asking for full read/write access to the employee’s entire Google Drive store. Google makes sure that’s clear and asks for authorization. 
Your employee clicks to continue and now they have the ability to read and write Google Drive from within Acrobat:",[],{},{"nodeType":1381,"data":2383,"content":2387},{"target":2384},{"sys":2385},{"id":2386,"type":1378,"linkType":1379},"3EztvIY0a6amE9qx6pi3Pe",[],{"nodeType":1294,"data":2389,"content":2390},{},[2391],{"nodeType":1293,"value":2392,"marks":2393,"data":2394},"We can now see a new integration has been created, exposing a much more significant asset by allowing full access to Google Drive on behalf of the marketing employee.",[],{},{"nodeType":1381,"data":2396,"content":2400},{"target":2397},{"sys":2398},{"id":2399,"type":1378,"linkType":1379},"7EJrX4ccSmWzWJ1kC6kMzf",[],{"nodeType":1294,"data":2402,"content":2403},{},[2404],{"nodeType":1293,"value":2405,"marks":2406,"data":2407},"We have just followed a user journey for two particularly common examples of integrations, but there are a huge number of SaaS providers out there and a huge variety of different types of integrations. However, the most common cases are simple social logins, document access, email access, calendar access and contacts access depending on the SaaS provider in use.",[],{},{"nodeType":1893,"data":2409,"content":2410},{},[2411],{"nodeType":1293,"value":2412,"marks":2413,"data":2414},"Should I be worried about this?",[],{},{"nodeType":1294,"data":2416,"content":2417},{},[2418],{"nodeType":1293,"value":2419,"marks":2420,"data":2421},"As always, the answer is “it depends.” On the one hand, by default your employees can enable integrations for their own account with whatever third parties they like and potentially expose very sensitive data assets like document stores and email. It’s a bit melodramatic to put it this way, but consenting to OAuth permissions is like giving a third party an everlasting password to act in a limited capacity as a number of users, with minimal monitoring, and trusting them not to abuse that access.  
",[],{},{"nodeType":1294,"data":2423,"content":2424},{},[2425],{"nodeType":1293,"value":2426,"marks":2427,"data":2428},"On the other, many integrations (especially the ones you’ll recognize by name) don’t ask for excessive permissions, and are managed by responsible and security-conscious vendors that generally do a great job of securing your data. The challenge is finding integrations for which this isn’t true.",[],{},{"nodeType":1294,"data":2430,"content":2431},{},[2432],{"nodeType":1293,"value":2433,"marks":2434,"data":2435},"The reality is that it’s probably already happening across your organization, whether you know it or not. After all, SaaS use is key to modern working environments and your employees will be using it somehow. At Push Security, it’s not unusual for us to see hundreds of third-party integrations on our customers’ Google Workspace and M365 instances, even in relatively small organizations. ",[],{},{"nodeType":1294,"data":2437,"content":2438},{},[2439],{"nodeType":1293,"value":2440,"marks":2441,"data":2442},"And in fact it’s not all doom and gloom: since your employees need to use SaaS providers anyway, there are actually some security benefits to making use of social logins, and third-party SaaS integrations are the key mechanism for doing so. ",[],{},{"nodeType":1294,"data":2444,"content":2445},{},[2446],{"nodeType":1293,"value":2447,"marks":2448,"data":2449},"This is a key reason to not take a heavy-handed stance of “block all integrations” - while you would certainly reduce the risk of data leaks, you’d also be losing the security benefits of social logins and severely hindering your employees from getting things done quickly and easily. 
You will also probably force them into effectively doing the same in a different way anyway (perhaps they simply start using their personal google account and google drive where they can do these integrations instead?).",[],{},{"nodeType":1893,"data":2451,"content":2452},{},[2453],{"nodeType":1293,"value":2454,"marks":2455,"data":2456},"\nWhat are the security benefits?",[],{},{"nodeType":1294,"data":2458,"content":2459},{},[2460],{"nodeType":1293,"value":2461,"marks":2462,"data":2463},"There are a number of security benefits to using social logins and third-party integrations, but a few key considerations are:",[],{},{"nodeType":1500,"data":2465,"content":2466},{},[2467,2482,2497,2512],{"nodeType":1466,"data":2468,"content":2469},{},[2470],{"nodeType":1294,"data":2471,"content":2472},{},[2473,2478],{"nodeType":1293,"value":2474,"marks":2475,"data":2477},"Fewer passwords",[2476],{"type":1400},{},{"nodeType":1293,"value":2479,"marks":2480,"data":2481}," - if your employees use social logins everywhere, they can focus on having one strong password and not have to manage separate accounts and passwords for 20 different SaaS platforms.",[],{},{"nodeType":1466,"data":2483,"content":2484},{},[2485],{"nodeType":1294,"data":2486,"content":2487},{},[2488,2493],{"nodeType":1293,"value":2489,"marks":2490,"data":2492},"MFA everywhere",[2491],{"type":1400},{},{"nodeType":1293,"value":2494,"marks":2495,"data":2496}," - if you have set up strong password policies and enforced MFA on your Google and Microsoft accounts, all of your SaaS platforms inherit the same security if you are using social logins.",[],{},{"nodeType":1466,"data":2498,"content":2499},{},[2500],{"nodeType":1294,"data":2501,"content":2502},{},[2503,2508],{"nodeType":1293,"value":2504,"marks":2505,"data":2507},"Visibility of SaaS use",[2506],{"type":1400},{},{"nodeType":1293,"value":2509,"marks":2510,"data":2511}," - if employees use custom logins for all their SaaS platforms, you’ll have no idea what SaaS is in 
use (unless you use the Push browser extension ;)). With social logins and third-party integrations, you can see exactly what integrations you have across your organization, including which employees have shared which type of data access.",[],{},{"nodeType":1466,"data":2513,"content":2514},{},[2515],{"nodeType":1294,"data":2516,"content":2517},{},[2518,2523],{"nodeType":1293,"value":2519,"marks":2520,"data":2522},"Fine-grained permissions ",[2521],{"type":1400},{},{"nodeType":1293,"value":2524,"marks":2525,"data":2526},"- OAuth integrations can request as little or as much access as they like. Ideally, many integrations will be nothing more than a social login or will otherwise limit the permissions to a small subset of data they require to reduce the risk. This is far more transparent than alternatives like integrations using API keys typically are.",[],{},{"nodeType":1612,"data":2528,"content":2529},{},[2530],{"nodeType":1293,"value":2531,"marks":2532,"data":2533},"What are the security risks?",[],{},{"nodeType":1500,"data":2535,"content":2536},{},[2537,2552,2567,2606,2621,2649,2676],{"nodeType":1466,"data":2538,"content":2539},{},[2540],{"nodeType":1294,"data":2541,"content":2542},{},[2543,2548],{"nodeType":1293,"value":2544,"marks":2545,"data":2547},"Blindspots in your attack surface",[2546],{"type":1400},{},{"nodeType":1293,"value":2549,"marks":2550,"data":2551}," - At a higher level, you need to care because each of these third parties is now handling your data and you need to ensure they only have access to what they need to function, that they’re storing and managing your data responsibly, and that you treat them as you would any other vendor in your supply chain.",[],{},{"nodeType":1466,"data":2553,"content":2554},{},[2555],{"nodeType":1294,"data":2556,"content":2557},{},[2558,2563],{"nodeType":1293,"value":2559,"marks":2560,"data":2562},"Excessive permissions",[2561],{"type":1400},{},{"nodeType":1293,"value":2564,"marks":2565,"data":2566}," - Third-party 
integrations can request whatever permissions they like. Some SaaS apps may choose to request excessively high permissions and simply not function unless an employee accepts them. This can lead to employees being conditioned to accept permissions whatever they are and granting excessive permissions.",[],{},{"nodeType":1466,"data":2568,"content":2569},{},[2570],{"nodeType":1294,"data":2571,"content":2572},{},[2573,2578,2582,2589,2593,2602],{"nodeType":1293,"value":2574,"marks":2575,"data":2577},"Consent phishing",[2576],{"type":1400},{},{"nodeType":1293,"value":2579,"marks":2580,"data":2581}," - A technique that tricks a user into granting a malicious third-party app access to their account. Since this technique preys on users that are already logged in, it is effective against users with strong passwords, multi-factor authentication, or even passwordless setups. You can read more about this technique in our ",[],{},{"nodeType":1337,"data":2583,"content":2584},{"uri":1344},[2585],{"nodeType":1293,"value":2586,"marks":2587,"data":2588},"previous blog post",[],{},{"nodeType":1293,"value":2590,"marks":2591,"data":2592},". 
",[],{},{"nodeType":1337,"data":2594,"content":2596},{"uri":2595},"https://www.bleepingcomputer.com/news/security/sans-shares-details-on-attack-that-led-to-their-data-breach/",[2597],{"nodeType":1293,"value":2598,"marks":2599,"data":2601},"SANS had a breach in 2020",[2600],{"type":1335},{},{"nodeType":1293,"value":2603,"marks":2604,"data":2605}," caused by a consent phishing attack, which led to a leak of around 28,000 records of SANS members’ personal information (PII).",[],{},{"nodeType":1466,"data":2607,"content":2608},{},[2609],{"nodeType":1294,"data":2610,"content":2611},{},[2612,2617],{"nodeType":1293,"value":2613,"marks":2614,"data":2616},"SaaS account compromise",[2615],{"type":1400},{},{"nodeType":1293,"value":2618,"marks":2619,"data":2620}," - If an employee has a separate account and password for a SaaS platform and that is compromised somehow, any integrations with your Google Workspace or M365 are also compromised. For example, perhaps they have a weak password with no MFA on a SaaS provider and then an attacker uses that to access Google Drive via a pre-existing integration from that SaaS platform.",[],{},{"nodeType":1466,"data":2622,"content":2623},{},[2624],{"nodeType":1294,"data":2625,"content":2626},{},[2627,2632,2636,2645],{"nodeType":1293,"value":2628,"marks":2629,"data":2631},"SaaS provider compromise",[2630],{"type":1400},{},{"nodeType":1293,"value":2633,"marks":2634,"data":2635}," - If a SaaS provider itself is compromised, any integrations could also be exploited. This is the SaaS integration equivalent of an MSP or other third party with privileged access to your data being compromised. 
HubSpot ",[],{},{"nodeType":1337,"data":2637,"content":2639},{"uri":2638},"https://thehackernews.com/2022/04/into-breach-breaking-down-3-saas-app.html",[2640],{"nodeType":1293,"value":2641,"marks":2642,"data":2644},"experienced a breach",[2643],{"type":1335},{},{"nodeType":1293,"value":2646,"marks":2647,"data":2648}," in April 2022, which “allowed malicious actors the ability to access and export contact data using the employee's access to several HubSpot accounts.”",[],{},{"nodeType":1466,"data":2650,"content":2651},{},[2652],{"nodeType":1294,"data":2653,"content":2654},{},[2655,2660,2664,2672],{"nodeType":1293,"value":2656,"marks":2657,"data":2659},"Stolen integration tokens ",[2658],{"type":1400},{},{"nodeType":1293,"value":2661,"marks":2662,"data":2663},"- Under the hood, integrations work via OAuth tokens. If these are stolen somehow, due to a device compromise or SaaS provider compromise, they can potentially be used to gain access to data, much as a password stolen in the same circumstances could be. They also do not expire on a password change, so changing a password after a compromise is not enough on its own to deal with this threat; the tokens themselves have to be invalidated as well. A recent example of this was the ",[],{},{"nodeType":1337,"data":2665,"content":2667},{"uri":2666},"https://github.blog/2022-04-15-security-alert-stolen-oauth-user-tokens/",[2668],{"nodeType":1293,"value":2669,"marks":2670,"data":2671},"exploitation of GitHub",[],{},{"nodeType":1293,"value":2673,"marks":2674,"data":2675}," via tokens stolen from Heroku and TravisCI. ",[],{},{"nodeType":1466,"data":2677,"content":2678},{},[2679],{"nodeType":1294,"data":2680,"content":2681},{},[2682,2687,2691,2699],{"nodeType":1293,"value":2683,"marks":2684,"data":2686},"Integration backdoors",[2685],{"type":1400},{},{"nodeType":1293,"value":2688,"marks":2689,"data":2690}," - Integrations provide another method of backdoor access to a user account post-compromise. 
A malicious integration set up during a compromise is one way access to data can persist through a password change conducted as part of incident response. A real-world example of this issue was a privilege escalation attack in Azure, covered nicely ",[],{},{"nodeType":1337,"data":2692,"content":2694},{"uri":2693},"https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5",[2695],{"nodeType":1293,"value":2696,"marks":2697,"data":2698},"here",[],{},{"nodeType":1293,"value":2590,"marks":2700,"data":2701},[],{},{"nodeType":1612,"data":2703,"content":2704},{},[2705],{"nodeType":1293,"value":2706,"marks":2707,"data":2708},"Security guidance tips for third-party integrations",[],{},{"nodeType":1294,"data":2710,"content":2711},{},[2712],{"nodeType":1293,"value":2713,"marks":2714,"data":2715},"Let’s face it, your employees need to use SaaS solutions to be productive and they are going to use them somehow. We have even seen how third-party SaaS integrations can provide some security benefits, too, but there are new risks to be aware of as well. Here are some basic security tips to consider to ensure you are enabling this practice securely.",[],{},{"nodeType":1500,"data":2717,"content":2718},{},[2719,2734,2749,2764,2779,2794,2835],{"nodeType":1466,"data":2720,"content":2721},{},[2722],{"nodeType":1294,"data":2723,"content":2724},{},[2725,2730],{"nodeType":1293,"value":2726,"marks":2727,"data":2729},"Gain visibility",[2728],{"type":1400},{},{"nodeType":1293,"value":2731,"marks":2732,"data":2733}," - Whether you know it or not, your employees are probably using SaaS platforms, which may include third-party SaaS integrations. Find out what SaaS platforms and integrations are in use and pay attention to any with sensitive permissions you might want to review. Push can help do this for you. 
",[],{},{"nodeType":1466,"data":2735,"content":2736},{},[2737],{"nodeType":1294,"data":2738,"content":2739},{},[2740,2745],{"nodeType":1293,"value":2741,"marks":2742,"data":2744},"Remove dormant or infrequently used integrations ",[2743],{"type":1400},{},{"nodeType":1293,"value":2746,"marks":2747,"data":2748},"- Reduce your attack surface by simply removing the apps no one or only a few people are using. This also makes the third-party security vetting process a bit less burdensome, so it’s a smart move once you know which integrations won’t be missed when they’re gone. We can help with this as well. ",[],{},{"nodeType":1466,"data":2750,"content":2751},{},[2752],{"nodeType":1294,"data":2753,"content":2754},{},[2755,2760],{"nodeType":1293,"value":2756,"marks":2757,"data":2759},"Modify incident response playbooks ",[2758],{"type":1400},{},{"nodeType":1293,"value":2761,"marks":2762,"data":2763},"- If you have incident response playbooks in place for what to do in the event of an employee’s password being compromised or their laptop/mobile being stolen or infected with malware, you need to consider modifying these. Consider adding a step to invalidate SaaS OAuth tokens, in addition to standard steps like password changes, remote wipes and fresh device builds.",[],{},{"nodeType":1466,"data":2765,"content":2766},{},[2767],{"nodeType":1294,"data":2768,"content":2769},{},[2770,2775],{"nodeType":1293,"value":2771,"marks":2772,"data":2774},"Encourage social logins ",[2773],{"type":1400},{},{"nodeType":1293,"value":2776,"marks":2777,"data":2778},"- Social logins have a bit of a bad rap, possibly due to their roots in low-security, non-work environments - but that being said, when using your M365 or Workspace as the identity source these methods are a great fit for many organizations that struggle with weak passwords, shared passwords and a lack of MFA across SaaS apps. 
If you're going to be using social logins, it makes sense to ensure your Google/Microsoft accounts have good password policies and MFA. ",[],{},{"nodeType":1466,"data":2780,"content":2781},{},[2782],{"nodeType":1294,"data":2783,"content":2784},{},[2785,2790],{"nodeType":1293,"value":2786,"marks":2787,"data":2789},"Educate your users about consent phishing",[2788],{"type":1400},{},{"nodeType":1293,"value":2791,"marks":2792,"data":2793}," - Awareness of traditional phishing for passwords is pretty high these days, but awareness about consent phishing is far lower. Make sure your employees are aware of this as well and know who to speak to if they’re worried they consented to a malicious app.",[],{},{"nodeType":1466,"data":2795,"content":2796},{},[2797],{"nodeType":1294,"data":2798,"content":2799},{},[2800,2805,2809,2818,2822,2831],{"nodeType":1293,"value":2801,"marks":2802,"data":2804},"Admin approval for sensitive permissions - ",[2803],{"type":1400},{},{"nodeType":1293,"value":2806,"marks":2807,"data":2808},"M365 has an admin approval process for integrations and allows you to define low risk permissions that users can consent to themselves. This can allow you to empower users to use social logins and lower risk integrations on their own, but require an admin to approve apps requiring more sensitive permissions. Google workspace allows you to configure restricted permissions but is much less flexible. 
Check out Microsoft’s ",[],{},{"nodeType":1337,"data":2810,"content":2812},{"uri":2811},"https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow",[2813],{"nodeType":1293,"value":2814,"marks":2815,"data":2817},"admin consent workflow guide",[2816],{"type":1335},{},{"nodeType":1293,"value":2819,"marks":2820,"data":2821}," and their article about ",[],{},{"nodeType":1337,"data":2823,"content":2825},{"uri":2824},"https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-permission-classifications?tabs=azure-portal",[2826],{"nodeType":1293,"value":2827,"marks":2828,"data":2830},"how to configure permissions ",[2829],{"type":1335},{},{"nodeType":1293,"value":2832,"marks":2833,"data":2834},"for more guidance.",[],{},{"nodeType":1466,"data":2836,"content":2837},{},[2838],{"nodeType":1294,"data":2839,"content":2840},{},[2841,2846,2850,2860],{"nodeType":1293,"value":2842,"marks":2843,"data":2845},"Prioritize apps that need additional vetting ",[2844],{"type":1400},{},{"nodeType":1293,"value":2847,"marks":2848,"data":2849},"- prioritize apps based on how many people in the company use it and if it’s requesting access to highly sensitive data to work or integrating with SaaS that have data you don’t want exposed. 
We provided some more practical guidance on risk prioritization ",[],{},{"nodeType":1657,"data":2851,"content":2855},{"target":2852},{"sys":2853},{"id":2854,"type":1378,"linkType":1379},"3PqX7fLrTIYhWjbEhHSRHG",[2856],{"nodeType":1293,"value":2696,"marks":2857,"data":2859},[2858],{"type":1335},{},{"nodeType":1293,"value":1661,"marks":2861,"data":2862},[],{},{"nodeType":1381,"data":2864,"content":2868},{"target":2865},{"sys":2866},{"id":2867,"type":1378,"linkType":1379},"6oHRbGLus4bstsAc7E0zBD",[],{"nodeType":1294,"data":2870,"content":2871},{},[2872],{"nodeType":1293,"value":37,"marks":2873,"data":2874},[],{},{"entries":2876},{"inline":2877,"hyperlink":2878,"block":2885},[],[2879,2881],{"sys":2880,"__typename":1313,"title":2173,"slug":2176},{"id":1800},{"sys":2882,"__typename":1313,"title":2883,"slug":2884},{"id":2854},"5 steps to manage the risk of unsanctioned SaaS ","manage-saas-risks-without-hindering-employees",[2886,2895,2901,2908,2914,2921,2927,2933],{"sys":2887,"__typename":2888,"title":2889,"caption":2890,"layoutMode":118,"file":2891},{"id":2314},"Image","OAuth Adobe example","Example of an OAuth / Social login",{"url":2892,"width":2893,"height":2894},"https://images.ctfassets.net/y1cdw1ablpvd/6pEiqSetxWVLelN31IKEeY/c0d22fd96149753ebc08d05b79c398c5/image6.png",930,922,{"sys":2896,"__typename":2888,"title":2897,"caption":2898,"layoutMode":118,"file":2899},{"id":2334},"Login with Google example","Choose which Google account to login with",{"url":2900,"width":2893,"height":2894},"https://images.ctfassets.net/y1cdw1ablpvd/n3VMAqOZNNsOoQrdjZyvS/79e6a4d8c33add2d014be89457907da1/image4.png",{"sys":2902,"__typename":2888,"title":2903,"caption":2903,"layoutMode":118,"file":2904},{"id":2354},"Push OAuth (third-party integration) details 
panel",{"url":2905,"width":2906,"height":2907},"https://images.ctfassets.net/y1cdw1ablpvd/5LRUtkyeQF3RvD7V9KVBNV/4bd2f9cb0b0709a74a32259543461d45/image3.png",733,688,{"sys":2909,"__typename":2888,"title":2910,"caption":2910,"layoutMode":118,"file":2911},{"id":2367},"Permission request from Google",{"url":2912,"width":2893,"height":2913},"https://images.ctfassets.net/y1cdw1ablpvd/4oCVoWws9dIB52qS3dXqdv/5cb3dd2d3be0295443853b86ac0afbba/image2.png",352,{"sys":2915,"__typename":2888,"title":2916,"caption":2917,"layoutMode":118,"file":2918},{"id":2373},"Adobe wants to access your Google account","Adobe connecting to Google",{"url":2919,"width":2893,"height":2920},"https://images.ctfassets.net/y1cdw1ablpvd/AdvCDGO8Hqow3GhbA8JVv/dc70d323c1e5cce3e78e257b481b16a2/image1.png",1566,{"sys":2922,"__typename":2888,"title":2923,"caption":2923,"layoutMode":118,"file":2924},{"id":2386},"Acrobat requesting permission to access Google ",{"url":2925,"width":2893,"height":2926},"https://images.ctfassets.net/y1cdw1ablpvd/6Mai9NoebpGJvZBv4yUyDZ/98e63a152b4cdd7608195f10240604d6/image5.png",634,{"sys":2928,"__typename":2888,"title":2929,"caption":2930,"layoutMode":118,"file":2931},{"id":2399},"Push's OAuth integration panel Adobe","Push's OAuth integration panel for the Adobe app",{"url":2932,"width":2906,"height":2907},"https://images.ctfassets.net/y1cdw1ablpvd/6bAz2nvGdkJYA45K7Sfwh/4c09eb10980f8f94f05b9ccaa1f97227/image7.png",{"sys":2934,"__typename":2935,"content":2936,"title":2947,"buttonText":2948,"buttonUrl":2949,"signupRedirectUrl":118},{"id":2867},"ActionBlockComponent",{"json":2937},{"nodeType":1295,"data":2938,"content":2939},{},[2940],{"nodeType":1294,"content":2941,"data":2946},[2942],{"nodeType":1293,"value":2943,"marks":2944,"data":2945},"Find out if you have any malicious apps that employees have accidentally installed due to consent phishing. 
Note: you must be logged in to access.",[],{},{},"Detect risky third-party apps and malicious mail rules ","Check now","/app/feature/secure-oauth-permissions-and-applications/","content:blog:is-it-safe-to-allow-my-employees-to-connect-third-party-apps-to-our-m365.json","json","content","blog/is-it-safe-to-allow-my-employees-to-connect-third-party-apps-to-our-m365.json","blog/is-it-safe-to-allow-my-employees-to-connect-third-party-apps-to-our-m365",1776359994072]