[{"data":1,"prerenderedAt":3566},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":95,"navbar-about-highlight":155,"navbar-resource-highlight":211,"use-case-page":256,"blog/new-phishing-campaign-identified-targeting-linkedin-users":1276},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8,59,76],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":14,"data":15,"variations":50,"lastUpdated":51,"firstPublished":52,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":54,"meta":55,"rev":58},1742213002749,"efff2a27faf4408e9f908eba4b5542fe","inductive-automation","1c6207a5f24948ab82d4a0b17f251193","published",[],{"testimonial":16,"description":43,"type":19,"link":44,"title":47,"testimonialLink":48,"image":49},{"@type":17,"id":18,"model":19,"value":20},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79","testimonial",{"query":21,"folders":22,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":26,"variations":30,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":35,"rev":42},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":27,"jobTitle":28,"quote":24,"image":29},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,1,"ST0tXQM8slWpFrmioqKHmENB2qe2",{"kind":36,"lastPreviewUrl":37,"breakpoints":38,"hasAutosaves":41},"data","",{"small":39,"medium":40},640,768,true,"3v32gocrrqz","Join the industry's top security minds as they break down the browser attack landscape.",{"url":45,"text":46},"https://pushsecurity.com/webinar/state-of-browser-security","Save Your Spot","State of Browser Attacks Series","/customer-stories/inductive-automation","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe94fca10aa7b46ac8052b7ea22de54cd",{},1776257019270,1742221533648,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2",[],{"breakpoints":56,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},320,"motto9r9yg",{"createdDate":60,"id":61,"name":62,"modelId":12,"published":13,"query":63,"data":64,"variations":69,"lastUpdated":70,"firstPublished":71,"testRatio":33,"createdBy":53,"lastUpdatedBy":72,"folders":73,"meta":74,"rev":58},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner",[],{"type":65,"url":66,"text":67,"link":68},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,"jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":36,"lastPreviewUrl":37,"breakpoints":75,"hasAutosaves":41},{"xsmall":57,"small":39,"medium":40},{"createdDate":77,"id":78,"name":79,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":80,"data":81,"variations":89,"lastUpdated":90,"firstPublished":91,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":92,"meta":93,"rev":58},1742208469288,"6763051b201f44a0838c6400c580ca67","Resource highlight",[],{"image":82,"type":83,"description":84,"link":85,"title":88},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9","resource","Learn about the latest techniques being used in the wild.",{"url":86,"text":87},"/resources/browser-attacks-report","Download now","Report: 2026 Browser Attack Techniques",{},1776255866789,1742208570400,[],{"kind":36,"lastPreviewUrl":37,"breakpoints":94,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},{"createdDate":96,"id":97,"name":98,"modelId":99,"published":13,"query":100,"data":101,"variations":145,"lastUpdated":146,"firstPublished":147,"testRatio":33,"createdBy":34,"lastUpdatedBy":148,"folders":149,"meta":150,"rev":154},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":102,"text":103,"url":37,"blocks":104,"state":141},"ewrererw","testrfesssssssssss",[105,129],{"@type":106,"@version":107,"id":108,"component":109,"responsiveStyles":119},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":110,"tag":110,"options":111,"isRSC":118},"TopBannerContent",{"text":112,"ctaText":46,"url":45,"mainText":113,"cta":116},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks",{"content":114,"fontSize":115},"\u003Cp>New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks\u003C/p>","text-base",{"content":117,"fontSize":115,"url":45},"\u003Cp>\u003Cstrong style=\"font-weight:700;\">Save Your Spot\u003C/strong>\u003C/p>\n",null,{"large":120},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"marginTop":126,"marginBottom":126,"fontSize":127,"fontWeight":128},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"id":130,"@type":106,"tagName":131,"properties":132,"responsiveStyles":136},"builder-pixel-08zrjigffq5t","img",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":137},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},"block","hidden","none",{"deviceSize":142,"location":143},"large",{"path":37,"query":144},{},{},1775137295127,1774968080803,"ax7YYfD0OCeqT1Vxxv1G4FUbqVr1",[],{"breakpoints":151,"hasLinks":6,"kind":152,"lastPreviewUrl":153,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests%2CmergePullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default","2lvuonnywj",[156,180],{"createdDate":157,"id":158,"name":159,"modelId":160,"published":13,"stageModifiedSincePublish":6,"query":161,"data":162,"variations":173,"lastUpdated":174,"firstPublished":175,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":176,"meta":177,"rev":179},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":163,"type":19,"testimonialLink":48,"testimonial":164},{},{"@type":17,"id":18,"model":19,"value":165},{"query":166,"folders":167,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":168,"variations":169,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":170,"rev":172},[],[],{"author":27,"jobTitle":28,"quote":24,"image":29},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":171,"hasAutosaves":41},{"small":39,"medium":40},"7t755zfvte3",{},1776247404986,1776247404973,[],{"breakpoints":178,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"4moh0qpywtr",{"createdDate":181,"id":182,"name":88,"modelId":160,"published":13,"meta":183,"stageModifiedSincePublish":6,"query":185,"data":186,"variations":207,"lastUpdated":208,"firstPublished":209,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":210,"rev":179},1776255761419,"05a9322735fc427db12e2740e4302300",{"breakpoints":184,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[],{"testimonial":187,"link":206,"type":83,"title":88,"description":84,"image":82},{"@type":17,"id":188,"model":19,"value":189},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":190,"folders":191,"createdDate":192,"id":188,"name":193,"modelId":25,"published":13,"data":194,"variations":200,"lastUpdated":201,"firstPublished":202,"testRatio":33,"createdBy":34,"lastUpdatedBy":53,"meta":203,"rev":205},[],[],1728981467463,"Push does for identity what CrowdStrike did for the endpoint",{"video":195,"jobTitle":196,"author":197,"qoute":37,"quote":198,"image":199},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":36,"lastPreviewUrl":37,"breakpoints":204,"hasAutosaves":41},{"small":39,"medium":40},"6s8ic0w0ao6",{"text":87,"url":86},{},1776255810913,1776255810900,[],[212,235],{"createdDate":213,"id":214,"name":88,"modelId":215,"published":13,"meta":216,"stageModifiedSincePublish":6,"query":218,"data":219,"variations":230,"lastUpdated":231,"firstPublished":232,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":233,"rev":234},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":217,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[],{"testimonial":220,"link":229,"type":83,"title":88,"description":84,"image":82},{"@type":17,"id":188,"model":19,"value":221},{"query":222,"folders":223,"createdDate":192,"id":188,"name":193,"modelId":25,"published":13,"data":224,"variations":225,"lastUpdated":201,"firstPublished":202,"testRatio":33,"createdBy":34,"lastUpdatedBy":53,"meta":226,"rev":228},[],[],{"video":195,"jobTitle":196,"author":197,"qoute":37,"quote":198,"image":199},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":227,"hasAutosaves":41},{"small":39,"medium":40},"r77qqueuo3j",{"text":87,"url":86},{},1776256937553,1776256937540,[],"q0jkez80wkg",{"createdDate":236,"id":237,"name":11,"modelId":215,"published":13,"stageModifiedSincePublish":6,"query":238,"data":239,"variations":250,"lastUpdated":251,"firstPublished":252,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":253,"meta":254,"rev":234},1776256949234,"ce043785b71b4ece98eac811ecf4ba10",[],{"link":240,"type":19,"testimonial":241,"testimonialLink":48},{},{"@type":17,"id":18,"model":19,"value":242},{"query":243,"folders":244,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":245,"variations":246,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":247,"rev":249},[],[],{"author":27,"jobTitle":28,"quote":24,"image":29},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":248,"hasAutosaves":41},{"small":39,"medium":40},"mnaneamy308",{},1776256974140,1776256974130,[],{"breakpoints":255,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[257,441,560,679,797,917,1037,1157],{"createdDate":258,"id":259,"name":260,"modelId":261,"published":13,"stageModifiedSincePublish":6,"query":262,"data":268,"variations":429,"lastUpdated":430,"firstPublished":431,"testRatio":33,"screenshot":432,"createdBy":34,"lastUpdatedBy":433,"folders":434,"meta":435,"rev":440},1744829487099,"387451215c314dd5bd654668cdc1a197","Zero-day phishing","cca4143377554c5a9163cc203a8ed2ba",[263],{"@type":264,"property":265,"operator":266,"value":267},"@builder.io/core:Query","urlPath","is","/uc/zero-day-phishing-protection",{"inputs":269,"customFonts":270,"seoTitle":318,"title":318,"tsCode":37,"seoDescription":319,"fontAwesomeIcon":320,"jsCode":37,"blocks":321,"url":267,"state":426},[],[271],{"family":272,"kind":273,"version":274,"lastModified":275,"files":276,"category":295,"menu":296,"subsets":297,"variants":300},"DM Sans","webfonts#webfont","v14","2023-07-13",{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"800italic":285,"900italic":286,"700italic":287,"100italic":288,"italic":289,"regular":290,"200italic":291,"500italic":292,"300italic":293,"600italic":294},"https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAop1hTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwA_JxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAkJxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAfJthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwARZthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAC5thTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8gCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9uCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDG3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-7DW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat_XDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9XCm3zRmYJpso5.ttf","sans-serif","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxRT23z.ttf",[298,299],"latin","latin-ext",[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"100","200","300","regular","500","600","800","900","100italic","200italic","300italic","italic","500italic","600italic","700italic","800italic","900italic","Zero-day phishing protection","Detect phishing TTPs directly in the browser and stop credential theft.","faFishingRod",[322,421],{"@type":106,"@version":107,"tagName":323,"id":324,"children":325},"div","builder-76c6b8d1499346c7bc1fd56ae4e93638",[326,343,351,358,370,385,396,407,413],{"@type":106,"@version":107,"layerName":327,"id":328,"component":329,"responsiveStyles":340},"UseCaseHero","builder-5228fe062bef4a40a91e43f1112832fa",{"name":327,"options":330,"isRSC":118},{"title":318,"description":331,"points":332,"video":339},"\u003Cp>Push detects phishing as it happens. Autonomous agents hunt for new phishing techniques, identify kit signatures, and deploy detections within minutes of a new attack being analyzed. From cloned login pages to AiTM credential harvesting, Push sees what traditional filters miss and stops threats before they escalate.\u003C/p>",[333,335,337],{"item":334},"Detect phishing that bypasses traditional filters, including AiTM, SSO password theft, and fake login pages",{"item":336},"Stop never-before-seen attacks with AI-native behavioral and on-page analysis inside the browser",{"item":338},"Investigate faster with unified browser, user, and page context","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F40433ceeb4f94b43a82e039a0f4fd411%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=40433ceeb4f94b43a82e039a0f4fd411&alt=media&optimized=true",{"large":341},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},"transparent",{"@type":106,"@version":107,"id":344,"component":345,"responsiveStyles":348},"builder-96634044407e491299e291ed64669e39",{"name":346,"options":347,"isRSC":118},"TrustedBy",{"AllPartners":41,"backgroundTransparent":6},{"large":349},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},"#000",{"@type":106,"@version":107,"id":352,"component":353,"responsiveStyles":356},"builder-2c3768f930534557bb8978e32b6a6a0f",{"name":354,"options":355,"isRSC":118},"Diagonal",{"darkMode":41},{"large":357},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":359,"id":360,"component":361,"responsiveStyles":368},"TextImageBlockVertical","builder-7c3c1c2840424db2ad2ccbfaf382dd64",{"name":359,"tag":359,"options":362,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":365,"description":366,"animatedTitle":37,"image":367,"reverse":6,"descriptionPaddingHorizontal":118},1200,800,"\u003Ch2>Why stop at the inbox?\u003C/h2>","\u003Cp>Phishing attacks have evolved. Whether attackers lure users with QR codes, instant messages, or OAuth consent screens, the outcome is the same: it plays out in the browser. Push gives you real-time detection for in-browser threats, stopping phishing and consent-based attacks before they lead to compromise\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7fdcac241f0e4a049166d7076858adeb",{"large":369},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":371,"component":372,"responsiveStyles":380},"builder-41c978b3669749cf947e622b4e79e4d7",{"name":373,"options":374,"isRSC":118},"TextImageBlockHorizontal",{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":377,"description":378,"reverse":41,"image":379},600,100,"\u003Cp>Detect phishing at the edge\u003C/p>","\u003Cp>Push uses industry-first telemetry to detect phishing based on behavior, not static indicators. Autonomous agents analyze how phishing pages behave and how users interact with them, uncovering fake logins, credential theft, and phishing kits the moment they load in the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F9df3d180c97b4e61af142af2ccd68721",{"large":381},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},"DM Sans, sans-serif","20px","0px",{"@type":106,"@version":107,"id":386,"component":387,"responsiveStyles":393},"builder-d2a7bc941feb43cdb898bc116b203cf9",{"name":373,"options":388,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":390,"description":391,"reverse":6,"image":392},120,"\u003Ch2>Go beyond blocklists and IOCs\u003C/h2>","\u003Cp>Push goes beyond URLs and easy-to-change indicators. It reads the full phishing playbook like script behavior, session hijacks, DOM changes, user inputs, then connects the dots in real time. This gives your team a complete picture of how the phishing attempt worked, not just an alert.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fabfd58db169b433e96d3f1261797156e",{"large":394},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},"36px",{"@type":106,"@version":107,"layerName":373,"id":397,"component":398,"responsiveStyles":404},"builder-42c32198083f4880acb37c5cb76934da",{"name":373,"options":399,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":401,"description":402,"reverse":41,"image":403},140,"\u003Ch2>Enhance your phishing response\u003C/h2>","\u003Cp>When phishing enters your environment, speed matters. Push gives you instant access to the telemetry that counts like session data, user behavior, and page activity, so you can investigate fast, trigger in-browser prompts, or forward alerts to your SIEM or SOAR for response. All in real time, right from the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fbb195aec46904056b85e8688629e558e",{"large":405},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},"47px",{"@type":106,"@version":107,"id":408,"component":409,"responsiveStyles":411},"builder-9a95b9cbc4854421a92ef7b90f6c7adb",{"name":354,"options":410,"isRSC":118},{"darkMode":6},{"large":412},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":414,"component":415,"responsiveStyles":419},"builder-0afa17a9f25c4661a90f314d5578aa18",{"name":416,"tag":416,"options":417,"isRSC":118},"LatestResources",{"sectionHeading":37,"customClass":418},"bg-black",{"large":420},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":422,"@type":106,"tagName":131,"properties":423,"responsiveStyles":424},"builder-pixel-21yj6h3p4wh",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":425},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":427},{"path":37,"query":428},{},{},1776275046831,1745499158657,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fff60c30a8442489c8ed7e0af9599d14f","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"lastPreviewUrl":436,"winningTest":118,"breakpoints":437,"kind":438,"hasLinks":6,"originalContentId":439,"hasAutosaves":6},"https://pushsecurity.com/uc/zero-day-phishing-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=387451215c314dd5bd654668cdc1a197&builder.overrides.387451215c314dd5bd654668cdc1a197=387451215c314dd5bd654668cdc1a197&builder.overrides.use-case-page:/uc/zero-day-phishing-protection=387451215c314dd5bd654668cdc1a197&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},"page","2daa5670b8504fc7ba4700633e8bd921","atvz4dp24b7",{"createdDate":442,"id":443,"name":444,"modelId":261,"published":13,"stageModifiedSincePublish":6,"query":445,"data":448,"variations":552,"lastUpdated":553,"firstPublished":554,"testRatio":33,"screenshot":555,"createdBy":34,"lastUpdatedBy":433,"folders":556,"meta":557,"rev":440},1756833377777,"54f8256648f54d439303734b1e69221b","Browser extension security",[446],{"@type":264,"property":265,"operator":266,"value":447},"/uc/browser-extension-security",{"seoDescription":449,"jsCode":37,"fontAwesomeIcon":450,"tsCode":37,"title":444,"seoTitle":444,"customFonts":451,"inputs":456,"blocks":457,"url":447,"state":549},"Shine a light on risky browser extensions.","faPuzzlePiece",[452],{"kind":273,"family":272,"version":274,"files":453,"category":295,"lastModified":275,"subsets":454,"variants":455,"menu":296},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"100italic":288,"italic":289,"regular":290,"900italic":286,"800italic":285,"700italic":287,"200italic":291,"300italic":293,"500italic":292,"600italic":294},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],[],[458,544],{"@type":106,"@version":107,"tagName":323,"id":459,"meta":460,"children":461},"builder-71d0648c1d2f4ede8d0d0b5b28b7b94c",{"previousId":324},[462,478,485,492,501,511,521,531,538],{"@type":106,"@version":107,"id":463,"meta":464,"component":465,"responsiveStyles":476},"builder-ff325b4b8fad4edea53f38865947e854",{"previousId":328},{"name":327,"options":466,"isRSC":118},{"title":444,"description":467,"points":468,"video":475},"\u003Cp>Browser extensions introduce new code, new permissions, and new potential for risk. Many include AI features, and most go completely unnoticed. Push gives you full visibility into every extension used across your workforce, across major browsers, so you can uncover shadow IT, assess risky permissions, and block unsafe tools before they lead to compromise.\u003C/p>",[469,471,473],{"item":470},"Discover every browser extension in use",{"item":472},"Spot risky or unsanctioned behavior",{"item":474},"Make informed decisions on extension policy","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc538aad95d7f403aa3c3551af72f67c0?alt=media&token=1411fa6d-2eac-4e6c-94bf-ea117da12d67&apiKey=f3a1111ff5be48cdbb123cd9f5795a05",{"large":477},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":479,"meta":480,"component":481,"responsiveStyles":483},"builder-fb89d128c64e47cf9cbb11d90fc24523",{"previousId":344},{"name":346,"options":482,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":484},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":486,"meta":487,"component":488,"responsiveStyles":490},"builder-54388d35126c4d0096eeebaf8c4448cd",{"previousId":352},{"name":354,"options":489,"isRSC":118},{"darkMode":41},{"large":491},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":359,"id":493,"component":494,"responsiveStyles":499},"builder-3c8fa6785dd6466abf52a2470d66d85a",{"name":359,"tag":359,"options":495,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":496,"description":497,"image":498,"reverse":6},"\u003Ch2>Take control of browser extensions\u003C/h2>","\u003Cp>Attackers are increasingly using malicious browser extensions to gain access to data processed and stored in the browser. And the problem is, most security teams have no visibility into what extensions are being used. Push changes that. With browser-native telemetry, the Push extension continuously inventories browser extensions across your environment, flags the risky ones, and gives you intelligence to act. \u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0a004f16a6874f4c8fdf14344acc9fec",{"large":500},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":502,"meta":503,"component":504,"responsiveStyles":509},"builder-93738f98109a4009affb349afd7bb182",{"previousId":371},{"name":373,"options":505,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":506,"description":507,"reverse":41,"image":508},"\u003Ch2>Discover every extension in use\u003C/h2>","\u003Cp>Push gives you structured, searchable data about every extension in your environment, so you’re not just seeing what’s there, but also understanding how it got there, what it can do, and who it affects. It’s the kind of granular insight that’s nearly impossible to get from traditional tools, and it lays the groundwork for better policy decisions and faster investigations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0e5727ca99474f14b1b7916bf6bbb782",{"large":510},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":512,"meta":513,"component":514,"responsiveStyles":519},"builder-83393acb12ee4fdd840839185b51edb4",{"previousId":386},{"name":373,"options":515,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":516,"description":517,"reverse":6,"image":518},"\u003Ch2>Spot risky or malicious extensions\u003C/h2>","\u003Cp>Push highlights extensions with dangerous permissions, broad access, or poor reputations. This includes AI extensions that request access far beyond what their stated purpose requires. You can quickly detect sideloaded, manually installed, or development-mode extensions that bypass normal controls. And because Push shows you who’s using them and where, you can respond precisely and effectively.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa104d58c8da34fbb8901f738fb21453b",{"large":520},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":522,"meta":523,"component":524,"responsiveStyles":529},"builder-da98e3de949646d89c53a0d1c2784664",{"previousId":397},{"name":373,"options":525,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":526,"description":527,"reverse":41,"image":528},"\u003Ch2>Accelerate security reviews\u003C/h2>","\u003Cp>Most teams have extension policies, they just don’t have the data to enforce them. Push reveals how each extension entered your environment, whether it was installed manually, sideloaded, or deployed in dev mode. You’ll see which users are running what, and where, so you can surface violations, investigate quickly, and respond with confidence.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F229f355be6f243b180f410d237a75bb3",{"large":530},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":532,"meta":533,"component":534,"responsiveStyles":536},"builder-1a689287d1a1418997d57db578a71105",{"previousId":408},{"name":354,"options":535,"isRSC":118},{"darkMode":6},{"large":537},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":539,"component":540,"responsiveStyles":542},"builder-feb4e75029f84c10b6498ef1f8f79128",{"name":416,"tag":416,"options":541,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":543},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":545,"@type":106,"tagName":131,"properties":546,"responsiveStyles":547},"builder-pixel-0edn39avfcei",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":548},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":550},{"path":37,"query":551},{},{},1776275365038,1757000441666,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8d496cf111644ee5afcc046b72d1ca5a",[],{"kind":438,"winningTest":118,"breakpoints":558,"lastPreviewUrl":559,"hasLinks":6,"originalContentId":259,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/browser-extension-security?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=54f8256648f54d439303734b1e69221b&builder.overrides.54f8256648f54d439303734b1e69221b=54f8256648f54d439303734b1e69221b&builder.overrides.use-case-page:/uc/browser-extension-security=54f8256648f54d439303734b1e69221b&builder.options.locale=Default",{"createdDate":561,"id":562,"name":563,"modelId":261,"published":13,"query":564,"data":567,"variations":670,"lastUpdated":671,"firstPublished":672,"testRatio":33,"screenshot":673,"createdBy":34,"lastUpdatedBy":674,"folders":675,"meta":676,"rev":440},1744923509705,"94bebb7bb99d48629ad157e80cf4d81d","Account takeover detection",[565],{"@type":264,"property":265,"operator":266,"value":566},"/uc/account-takeover-detection",{"title":563,"customFonts":568,"jsCode":37,"seoTitle":563,"seoDescription":573,"fontAwesomeIcon":574,"tsCode":37,"blocks":575,"url":566,"state":667},[569],{"kind":273,"category":295,"variants":570,"menu":296,"files":571,"family":272,"subsets":572,"version":274,"lastModified":275},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"300italic":293,"500italic":292,"800italic":285,"700italic":287,"italic":289,"900italic":286,"600italic":294,"200italic":291,"regular":290,"100italic":288},[298,299],"Stop ATO with stolen credential and compromised token detection.","faUserSecret",[576,662],{"@type":106,"@version":107,"tagName":323,"id":577,"meta":578,"children":579},"builder-e7913a774cae44c5a23d6081c5c30a52",{"previousId":324},[580,596,603,610,619,629,639,649,656],{"@type":106,"@version":107,"id":581,"meta":582,"component":583,"responsiveStyles":594},"builder-f1f1ab1601bc4c0f8c2a8aafd173675d",{"previousId":328},{"name":327,"options":584,"isRSC":118},{"title":563,"description":585,"points":586,"video":593},"\u003Cp>Attackers don’t need to phish, they just need a password that works. Push monitors for signs of credential-based attacks in real time, directly in the browser, catching account takeover attempts before the damage spreads. From ghost logins to credential stuffing, Push cuts off the paths attackers use to quietly slip in the back door.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[587,589,591],{"item":588},"Identify credential-based ATO as it unfolds",{"item":590},"Surface hijacked sessions and token misuse",{"item":592},"Strengthen authentication where your IdP can’t","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb4dd9db24bc9495b8a686b1b4d492016%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=b4dd9db24bc9495b8a686b1b4d492016&alt=media&optimized=true",{"large":595},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":597,"meta":598,"component":599,"responsiveStyles":601},"builder-0bc0d1c78ece4994993c3a6427a4d533",{"previousId":344},{"name":346,"options":600,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":602},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":604,"meta":605,"component":606,"responsiveStyles":608},"builder-e45de8f3768c4f16938dbf78e4e87524",{"previousId":352},{"name":354,"options":607,"isRSC":118},{"darkMode":41},{"large":609},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":611,"component":612,"responsiveStyles":617},"builder-c98e8bfd341146c1b67c02d5698ff093",{"name":359,"tag":359,"options":613,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":614,"description":615,"image":616,"reverse":6},"\u003Ch2>Assume less. See more.\u003C/h2>","\u003Cp>Most account takeovers don’t start with a breach, they start with a login. Whether it’s a reused password, a local account, or an outdated login flow, Push shows you how accounts are actually accessed day to day, not just how policies say they should be. That means no more blind spots around ghost logins, bypassed SSO, or stale access paths that quietly persist.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F18630ad2746d4eb7b7fcc0428b11a8f0",{"large":618},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":620,"meta":621,"component":622,"responsiveStyles":627},"builder-55c1fc38ddc04fd1a0d6a8e2fb819e00",{"previousId":371},{"name":373,"options":623,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":624,"description":625,"reverse":41,"image":626},"\u003Ch2>Catch stolen credential use in real time\u003C/h2>","\u003Cp>Push monitors login activity directly in the browser to detect signs of credential-based attacks like leaked password use or suspicious login flows. By analyzing attacker TTPs instead of relying on known indicators, Push spots credential stuffing and account takeover attempts the moment they begin, not after they’ve succeeded.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F52b0123cac2c4dfdb1dc0af6adf9d603",{"large":628},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":630,"meta":631,"component":632,"responsiveStyles":637},"builder-dfb31737b30948c6b95323655d571a50",{"previousId":386},{"name":373,"options":633,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":634,"description":635,"reverse":6,"image":636},"\u003Ch2>Detect session hijacks and stealth access\u003C/h2>","\u003Cp>Attackers don’t always need a login screen, they often sidestep it entirely using stolen session tokens. Push detects when valid sessions are reused in unexpected ways, identifying hijacked sessions and stealth access attempts that traditional tools miss. Because we monitor directly in the browser, you see what’s happening inside active sessions in real time.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F94a6859a99e04d309ffe5841f3dbdf5c",{"large":638},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":640,"meta":641,"component":642,"responsiveStyles":647},"builder-f7585b90eb974d03a7dc7eae5b58d227",{"previousId":397},{"name":373,"options":643,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":644,"description":645,"reverse":41,"image":646},"\u003Ch2>Harden accounts before they’re compromised\u003C/h2>","\u003Cp>Push goes beyond alerts. It identifies apps that still allow local logins, even when SSO is configured, so you can remove weak access paths. Push also flags users without MFA, reused work credentials, or weak passwords, and prompts users in-browser to fix risky behaviors before they’re exploited.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01c1b638f1b6497093a4f2b8ceddb5bb",{"large":648},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":650,"meta":651,"component":652,"responsiveStyles":654},"builder-ad81d1e3afec49a791214194eae09bdc",{"previousId":408},{"name":354,"options":653,"isRSC":118},{"darkMode":6},{"large":655},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":657,"component":658,"responsiveStyles":660},"builder-8dac1aa4b9d148628d92252bd8eff822",{"name":416,"tag":416,"options":659,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":661},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":663,"@type":106,"tagName":131,"properties":664,"responsiveStyles":665},"builder-pixel-s5u3wmvz7jq",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":666},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":668},{"path":37,"query":669},{},{},1770892814499,1745499162732,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F58b660fa94aa4b30b0faeb9b663ae41a","SfUPqW5tkibIPby49keNFMdHFTr1",[],{"lastPreviewUrl":677,"hasLinks":6,"originalContentId":259,"breakpoints":678,"winningTest":118,"kind":438,"hasAutosaves":41},"https://pushsecurity.com/uc/account-takeover-detection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.94bebb7bb99d48629ad157e80cf4d81d=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.use-case-page:/uc/account-takeover-detection=94bebb7bb99d48629ad157e80cf4d81d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":680,"id":681,"name":682,"modelId":261,"published":13,"query":683,"data":686,"variations":789,"lastUpdated":790,"firstPublished":791,"testRatio":33,"screenshot":792,"createdBy":34,"lastUpdatedBy":674,"folders":793,"meta":794,"rev":440},1745009370904,"23eb48fb56d3451cab77cb6ed140ee6d","Attack path hardening",[684],{"@type":264,"property":265,"operator":266,"value":685},"/uc/attack-path-hardening",{"tsCode":37,"seoDescription":687,"jsCode":37,"customFonts":688,"fontAwesomeIcon":693,"seoTitle":682,"title":682,"blocks":694,"url":685,"state":786},"Harden access paths with visibility,  detection, and guardrails.",[689],{"kind":273,"files":690,"version":274,"lastModified":275,"subsets":691,"menu":296,"category":295,"variants":692,"family":272},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"regular":290,"italic":289,"800italic":285,"500italic":292,"600italic":294,"200italic":291,"900italic":286,"700italic":287,"100italic":288,"300italic":293},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"faRadar",[695,781],{"@type":106,"@version":107,"tagName":323,"id":696,"meta":697,"children":698},"builder-1d8553eddcaa44d7bba9e2f4ca13af2a",{"previousId":577},[699,715,722,729,738,748,758,768,775],{"@type":106,"@version":107,"id":700,"meta":701,"component":702,"responsiveStyles":713},"builder-84fe3d7c85a743cf8cef649aa974f1ef",{"previousId":581},{"name":327,"options":703,"isRSC":118},{"title":682,"description":704,"points":705,"video":712},"\u003Cp>Push continuously monitors your environment for exposed login paths, weak credentials, and missing protections like MFA. It detects the gaps attackers exploit and helps you close them before they’re used.\u003C/p>",[706,708,710],{"item":707},"Find weak spots like reused passwords, local logins, and missing MFA",{"item":709},"Monitor how users actually log in across apps, flows, and tools",{"item":711},"Enforce secure access with in-browser guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fdbdcf52892034f1bbddded77f753a343%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=dbdcf52892034f1bbddded77f753a343&alt=media&optimized=true",{"large":714},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":716,"meta":717,"component":718,"responsiveStyles":720},"builder-b3f66f5b08054cc78a06fecfc3ae2337",{"previousId":597},{"name":346,"options":719,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":721},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":723,"meta":724,"component":725,"responsiveStyles":727},"builder-4c73418b84be49ed85e6e13d2625c5a0",{"previousId":604},{"name":354,"options":726,"isRSC":118},{"darkMode":41},{"large":728},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":730,"component":731,"responsiveStyles":736},"builder-dec0246085e1485c803f7152b1922a81",{"name":359,"tag":359,"options":732,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":733,"description":734,"image":735,"reverse":6},"\u003Ch2>Find the gaps that lead to compromise\u003C/h2>","\u003Cp>Misconfigurations don’t show up in your config files, they show up in how users actually access apps. Push monitors real login behavior in the browser, surfacing risky patterns like local login access, duplicate accounts, or missing protections that leave doors wide open.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F309a59bba8d247a19476bb369397460e",{"large":737},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":739,"meta":740,"component":741,"responsiveStyles":746},"builder-ebf049a645604a249550996a88f8f3b6",{"previousId":620},{"name":373,"options":742,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":743,"description":744,"reverse":41,"image":745},"\u003Ch2>See real login behavior\u003C/h2>","\u003Cp>Push watches authentication flows as they happen, giving you a live view of how users log in, which methods they choose, and where protections like MFA are missing. Plus, uncover every app and account in use, even shadow IT you didn’t know existed, without relying on stale config files or IdP assumptions. \u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb51f6b0357cc451b87a7a5016d984e5e",{"large":747},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":749,"meta":750,"component":751,"responsiveStyles":756},"builder-431d175c59004669b0b2776b07d71737",{"previousId":630},{"name":373,"options":752,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":753,"description":754,"reverse":6,"image":755},"\u003Ch2>Find and fix posture drift\u003C/h2>","\u003Cp>Security posture isn’t static. Push continuously monitors for issues like missing MFA or legacy login methods. When something falls out of policy, you know immediately with custom notifications so you can act before it turns into risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F324e39127dfc41e592b1183dfb39892d",{"large":757},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":759,"meta":760,"component":761,"responsiveStyles":766},"builder-3dffdcbe0a484e2ca4c03f019b6d40ee",{"previousId":640},{"name":373,"options":762,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":763,"description":764,"reverse":41,"image":765},"\u003Ch2>Guide users with in-browser guardrails\u003C/h2>","\u003Cp>Push doesn’t just surface problems, it helps you fix them. When users sign in without MFA, reuse a password, or use insecure credentials, Push prompts them directly in the browser to secure their access. It’s faster, more effective, and actually gets results.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fee8b75d13e45488aba55434a8b49ebb0",{"large":767},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":769,"meta":770,"component":771,"responsiveStyles":773},"builder-976bc222cd7647ff905f1e01cfedc453",{"previousId":650},{"name":354,"options":772,"isRSC":118},{"darkMode":6},{"large":774},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":776,"component":777,"responsiveStyles":779},"builder-8c47ec2fd0f74382bb3e6c870555632c",{"name":416,"tag":416,"options":778,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":780},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":782,"@type":106,"tagName":131,"properties":783,"responsiveStyles":784},"builder-pixel-7akm7dayau8",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":785},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":787},{"path":37,"query":788},{},{},1770892844854,1745499166112,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6ca12bf728a045f1a31d40c0beb3bfe5",[],{"kind":438,"lastPreviewUrl":795,"breakpoints":796,"hasLinks":6,"originalContentId":562,"winningTest":118,"hasAutosaves":6},"https://pushsecurity.com/uc/attack-path-hardening?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.23eb48fb56d3451cab77cb6ed140ee6d=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.use-case-page:/uc/attack-path-hardening=23eb48fb56d3451cab77cb6ed140ee6d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":798,"id":799,"name":800,"modelId":261,"published":13,"query":801,"data":804,"variations":909,"lastUpdated":910,"firstPublished":911,"testRatio":33,"screenshot":912,"createdBy":34,"lastUpdatedBy":674,"folders":913,"meta":914,"rev":440},1761675020232,"ea4f309d2ffe46c5aa97ebf0fda4e2e3","ClickFix Protection",[802],{"@type":264,"property":265,"operator":266,"value":803},"/uc/clickfix-protection",{"seoDescription":805,"fontAwesomeIcon":806,"customFonts":807,"seoTitle":812,"jsCode":37,"tsCode":37,"title":812,"blocks":813,"url":803,"state":906},"Block attacks that trick users into running malicious code.","faLaptopCode",[808],{"files":809,"subsets":810,"menu":296,"version":274,"kind":273,"family":272,"lastModified":275,"variants":811,"category":295},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"200italic":291,"800italic":285,"700italic":287,"600italic":294,"100italic":288,"italic":289,"regular":290,"300italic":293,"500italic":292,"900italic":286},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"ClickFix protection",[814,901],{"@type":106,"@version":107,"tagName":323,"id":815,"meta":816,"children":817},"builder-d7eefdde0f2a4b2b9de3dcb2978fd6cb",{"previousId":696},[818,834,841,848,858,868,878,888,895],{"@type":106,"@version":107,"id":819,"meta":820,"component":821,"responsiveStyles":832},"builder-56e2c54bcce040a4af8b92ae03706c12",{"previousId":700},{"name":327,"options":822,"isRSC":118},{"title":812,"description":823,"points":824,"image":831},"\u003Cp>ClickFix attacks are one of the fastest-growing threats, tricking users into copying malicious code from a webpage and running it locally. This technique bypasses traditional EDR, email gateways, and network filters, leading directly to ransomware and data theft. Push stops this attack at the source, in the browser, by detecting and blocking the malicious behavior before the user can ever paste the code.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[825,827,829],{"item":826},"Detect ClickFix, FileFix, and fake CAPTCHA in the browser",{"item":828},"Block malicious copy-and-paste actions before code is executed",{"item":830},"See full telemetry into which users were targeted and what they saw","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b74af62889847ebb3927364485b0546",{"large":833},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":835,"meta":836,"component":837,"responsiveStyles":839},"builder-05f9614d4e3e4dc88b3ee8658f54e10e",{"previousId":716},{"name":346,"options":838,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":840},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":842,"meta":843,"component":844,"responsiveStyles":846},"builder-c4fb5179366243c1b6c32d368675cf47",{"previousId":723},{"name":354,"options":845,"isRSC":118},{"darkMode":41},{"large":847},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":849,"meta":850,"component":851,"responsiveStyles":856},"builder-261af50705fd445d8cca4a6ba20d5391",{"previousId":730},{"name":359,"tag":359,"options":852,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":853,"description":854,"reverse":6,"image":855},"\u003Ch2>Stop ClickFix-style attacks before they become a breach\u003C/h2>","\u003Cp>Traditional security tools are blind to malicious copy and paste attacks because the attack exploits a gap between the browser and the endpoint. EDR only sees the payload after it runs, and network tools see only part of the picture.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F98b2f7e08dec4eafaf8e24937605b8cf",{"large":857},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":859,"meta":860,"component":861,"responsiveStyles":866},"builder-7d21b8aab8064c40b1e5dd23c4749309",{"previousId":739},{"name":373,"options":862,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":863,"description":864,"reverse":41,"image":865},"\u003Ch2>Discover lures at the source\u003C/h2>","\u003Cp>Push inspects page behavior to identify ClickFix attacks as they happen. By inspecting the page, its structure, and how the user interacts with it, Push can detect and block these in-browser threats in real time. This deep, TTP-based inspection spots the trap even on novel pages that are built to bypass traditional web filters and blocklists.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F665bf47e01544c75bf9ddafd3917927b",{"large":867},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":869,"meta":870,"component":871,"responsiveStyles":876},"builder-fb91943adf6149259ed9e1e6566c9afe",{"previousId":749},{"name":373,"options":872,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":873,"description":874,"reverse":6,"image":875},"\u003Ch2>Block the malicious action\u003C/h2>","\u003Cp>When Push detects a malicious script, it intercepts the user's action and blocks the code from being copied to the clipboard. The user is protected, the attack is stopped, and no malicious code ever reaches the endpoint. Unlike broad DLP tools, this action is surgical, targeting only malicious behavior without disrupting normal work.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F5ee68f81f1ac416685cbfe91298cf827",{"large":877},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":879,"meta":880,"component":881,"responsiveStyles":886},"builder-bfac95fada864e5a8259b955b5b5f98b",{"previousId":759},{"name":373,"options":882,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":883,"description":884,"reverse":41,"image":885},"\u003Ch2>Accelerate ClickFix investigations\u003C/h2>","\u003Cp>When an attack happens, knowing what the user saw or did is critical. Push provides rich browser session data for rapid investigation and containment. Security teams get detailed telemetry on which users were targeted, what lure they were served, and when the block occurred. This enables defenders to reconstruct what happened and respond quickly, even when other tools miss the activity entirely.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6cdf2a8aeddc4e9a9023cbf974e40239",{"large":887},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":889,"meta":890,"component":891,"responsiveStyles":893},"builder-136892e831684a6987f87d3be67c33d1",{"previousId":769},{"name":354,"options":892,"isRSC":118},{"darkMode":6},{"large":894},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":896,"component":897,"responsiveStyles":899},"builder-dec26b739f2f42beb5a73cfc6c675b60",{"name":416,"tag":416,"options":898,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":900},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":902,"@type":106,"tagName":131,"properties":903,"responsiveStyles":904},"builder-pixel-zzjpxxgrc2l",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":905},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":907},{"path":37,"query":908},{},{},1770892881888,1761847585203,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F375467b8bef34ed1a8a1cc5b8b67d75f",[],{"lastPreviewUrl":915,"originalContentId":681,"winningTest":118,"hasLinks":6,"kind":438,"breakpoints":916,"hasAutosaves":6},"https://pushsecurity.com/uc/clickfix-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.ea4f309d2ffe46c5aa97ebf0fda4e2e3=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.use-case-page:/uc/clickfix-protection=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":918,"id":919,"name":920,"modelId":261,"published":13,"query":921,"data":924,"variations":1029,"lastUpdated":1030,"firstPublished":1031,"testRatio":33,"screenshot":1032,"createdBy":34,"lastUpdatedBy":674,"folders":1033,"meta":1034,"rev":440},1745009743870,"a9d5556e77f84a37b5bd52310a7110c1","Incident response",[922],{"@type":264,"property":265,"operator":266,"value":923},"/uc/incident-response",{"seoDescription":925,"customFonts":926,"title":920,"jsCode":37,"fontAwesomeIcon":931,"seoTitle":932,"tsCode":37,"blocks":933,"url":923,"state":1026},"Investigate and respond faster with unique browser telemetry.",[927],{"kind":273,"subsets":928,"menu":296,"variants":929,"category":295,"family":272,"version":274,"lastModified":275,"files":930},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"900italic":286,"600italic":294,"200italic":291,"300italic":293,"100italic":288,"700italic":287,"800italic":285,"regular":290,"italic":289,"500italic":292},"faSatelliteDish","Browser based incident response",[934,1021],{"@type":106,"@version":107,"tagName":323,"id":935,"meta":936,"children":937},"builder-653c4aed737b4def88dc4cd2d695660a",{"previousId":696},[938,955,962,969,978,988,998,1008,1015],{"@type":106,"@version":107,"id":939,"meta":940,"component":941,"responsiveStyles":953},"builder-18190bd36518467d9154d27d7e945b9b",{"previousId":700},{"name":327,"options":942,"isRSC":118},{"title":943,"description":944,"points":945,"video":952},"Browser-based incident response","\u003Cp>Push gives you real-time visibility into what actually happened during a breach, right in the browser where the attack played out. From credential theft to session hijacking, Push captures high-fidelity telemetry so you can investigate quickly, contain confidently, and shut it down before it spreads.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[946,948,950],{"item":947},"Reconstruct what happened with real browser session context",{"item":949},"Investigate faster with real-world session context",{"item":951},"Trigger response actions automatically through your SIEM or SOAR","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fd00e39d3b6e346c296261d875cf55652%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=d00e39d3b6e346c296261d875cf55652&alt=media&optimized=true",{"large":954},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":956,"meta":957,"component":958,"responsiveStyles":960},"builder-8a0a8ea63f5d48dd8a6726f2d49cf0ca",{"previousId":716},{"name":346,"options":959,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":961},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":963,"meta":964,"component":965,"responsiveStyles":967},"builder-2df65c3f54334df2b26e7cb744886cdc",{"previousId":723},{"name":354,"options":966,"isRSC":118},{"darkMode":41},{"large":968},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":970,"component":971,"responsiveStyles":976},"builder-2c32c869efc2423ab69ef06b150e9f97",{"name":359,"tag":359,"options":972,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":973,"description":974,"image":975,"reverse":6},"\u003Ch2>See attacks unfold, not just their aftermath\u003C/h2>","\u003Cp>Attacks happen in the browser, not in logs. Push captures what traditional tools miss: what users clicked, what loaded, what was entered, and how attackers moved. That gives you real-world evidence, not just assumptions, when every second matters.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F36fc719bd1de4a38b916f4d25c81a26d",{"large":977},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":979,"meta":980,"component":981,"responsiveStyles":986},"builder-370e53c6016e432db01e9193a2ce90f6",{"previousId":739},{"name":373,"options":982,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":983,"description":984,"reverse":41,"image":985},"\u003Ch2>Investigate faster with high-fidelity data\u003C/h2>","\u003Cp>Reconstructing an incident shouldn’t feel like guesswork. Push records detailed telemetry from inside the browser: page loads, credential inputs, DOM changes, session activity, user behavior. It’s structured, exportable, and ready to plug into your investigation workflows, so you can move fast without digging through proxy logs or relying on user reports.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa6adda040e684e67a8d68a55c5ce5f6d",{"large":987},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":989,"meta":990,"component":991,"responsiveStyles":996},"builder-a7f3767a8d184bd08fb24520bf210e95",{"previousId":749},{"name":373,"options":992,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":993,"description":994,"reverse":6,"image":995},"\u003Ch2>Contain and respond in real time\u003C/h2>","\u003Cp>When something looks off, Push doesn’t just alert you, it gives you options. Guide users with in-browser prompts. Terminate sessions. Trigger SOAR workflows. Enrich SIEM alerts. Push gives you the context and control to stop spread before it starts.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb3dedeed5aba4847a2c2d22e10d0ec12",{"large":997},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":999,"meta":1000,"component":1001,"responsiveStyles":1006},"builder-b92036ee0ece4b32acdbdcc7c377366b",{"previousId":759},{"name":373,"options":1002,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1003,"description":1004,"reverse":41,"image":1005},"\u003Ch2>Prevent the next one\u003C/h2>","\u003Cp>Push helps you respond fast, but it also helps you fix what went wrong. It surfaces misconfigurations and risky behaviors that made the attack possible in the first place, then guides users in-browser to remediate. One tool. Full loop. No loose ends.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc1ecc2d5d3814b62b072fac01827ff96",{"large":1007},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1009,"meta":1010,"component":1011,"responsiveStyles":1013},"builder-5e8ae39655274de89da32ab573a2525a",{"previousId":769},{"name":354,"options":1012,"isRSC":118},{"darkMode":6},{"large":1014},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1016,"component":1017,"responsiveStyles":1019},"builder-dfd6850cfb4741d2b8a0c16c2780f00a",{"name":416,"tag":416,"options":1018,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1020},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1022,"@type":106,"tagName":131,"properties":1023,"responsiveStyles":1024},"builder-pixel-z197gdgcmu",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":1025},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1027},{"path":37,"query":1028},{},{},1770892908052,1745427419274,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb07017bfd318431690a5bb35bda35b99",[],{"kind":438,"breakpoints":1035,"originalContentId":681,"winningTest":118,"lastPreviewUrl":1036,"hasLinks":6,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/incident-response?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.a9d5556e77f84a37b5bd52310a7110c1=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.use-case-page:/uc/incident-response=a9d5556e77f84a37b5bd52310a7110c1&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"createdDate":1038,"id":1039,"name":1040,"modelId":261,"published":13,"query":1041,"data":1044,"variations":1149,"lastUpdated":1150,"firstPublished":1151,"testRatio":33,"screenshot":1152,"createdBy":34,"lastUpdatedBy":674,"folders":1153,"meta":1154,"rev":440},1746122471259,"5f118e24433d46ceb79f5099987156d7","Shadow SaaS",[1042],{"@type":264,"property":265,"operator":266,"value":1043},"/uc/shadow-saas",{"seoTitle":1045,"seoDescription":1046,"customFonts":1047,"fontAwesomeIcon":1052,"title":1053,"jsCode":37,"tsCode":37,"blocks":1054,"url":1043,"state":1146},"Find and secure shadow SaaS","See and control shadow SaaS in the browser.",[1048],{"kind":273,"variants":1049,"files":1050,"family":272,"version":274,"subsets":1051,"lastModified":275,"category":295,"menu":296},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"300italic":293,"500italic":292,"regular":290,"900italic":286,"italic":289,"100italic":288,"200italic":291,"600italic":294,"700italic":287,"800italic":285},[298,299],"faShieldCheck","Secure shadow SaaS",[1055,1141],{"@type":106,"@version":107,"tagName":323,"id":1056,"meta":1057,"children":1058},"builder-04da805c4cd34652a2db452fcda52e1d",{"previousId":935},[1059,1075,1082,1089,1098,1108,1118,1128,1135],{"@type":106,"@version":107,"id":1060,"meta":1061,"component":1062,"responsiveStyles":1073},"builder-830d414faeaf41439142f9157e8288c8",{"previousId":939},{"name":327,"options":1063,"isRSC":118},{"title":1045,"description":1064,"points":1065,"video":1072},"\u003Cp>SaaS sprawl is one of today’s fastest-growing security blind spots because most tools monitor around the edges. Push sees it at the source, in the browser, revealing every app users access, flagging risky tools, and helping you shut down exposure before it leads to a breach. No guesswork. No nasty surprises. Just real-time visibility and control.\u003C/p>",[1066,1068,1070],{"item":1067},"Discover every SaaS app users access, managed or not",{"item":1069},"Spot accounts with weak security postures like missing MFA, unmanaged access, and no SSO",{"item":1071},"Control usage with in-browser prompts, blocks, and security guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F3e4eece318d04d6586e691d59d0741cf%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=3e4eece318d04d6586e691d59d0741cf&alt=media&optimized=true",{"large":1074},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":1076,"meta":1077,"component":1078,"responsiveStyles":1080},"builder-cd7833f966cb4c7e8adf0d6c979414a6",{"previousId":956},{"name":346,"options":1079,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":1081},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":1083,"meta":1084,"component":1085,"responsiveStyles":1087},"builder-49d720b45430454e8b08c526f267c19f",{"previousId":963},{"name":354,"options":1086,"isRSC":118},{"darkMode":41},{"large":1088},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1090,"component":1091,"responsiveStyles":1096},"builder-3dde0bf6c8544e5e9ab41b18a9d68034",{"name":359,"tag":359,"options":1092,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":1093,"description":1094,"image":1095,"reverse":6},"\u003Ch2>Use your browser to curb Saas Sprawl\u003C/h2>","\u003Cp>Shadow SaaS isn’t hiding in your network, it’s in your browser. From AI tools to unsanctioned file-sharing sites, security risks live in the apps your users sign into every day. Push maps your organization's true SaaS footprint in real time, exposing apps and accounts with unmanaged access, poor authentication, or no security oversight.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb6811a214c7949b6bbe0b9a3bca62efd",{"large":1097},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1099,"meta":1100,"component":1101,"responsiveStyles":1106},"builder-e2420451ccdc4f088d0a4904cff45935",{"previousId":979},{"name":373,"options":1102,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":1103,"description":1104,"reverse":41,"image":1105},"\u003Ch2>Discover hidden SaaS usage\u003C/h2>","\u003Cp>Push captures live browser telemetry across every tab and session. Whether a user signs into a sanctioned app with a personal account or tries a new AI plugin, you’ll see it in real time, with no integrations or manual tagging.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe16e301f9af94665b95d98232a863d8a",{"large":1107},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":1109,"meta":1110,"component":1111,"responsiveStyles":1116},"builder-b36de7fce7994beea9e58d94662e7166",{"previousId":989},{"name":373,"options":1112,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":1113,"description":1114,"reverse":6,"image":1115},"\u003Ch2>Spot risky access and unsafe usage\u003C/h2>","\u003Cp>Discovery is just the beginning. Push flags apps with risky traits, no MFA, no SSO, known vulnerabilities, or broad access scopes. You’ll know which tools introduce real risk, and which users are exposed so you can act with precision.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6585f3c242da4d70ae3cb7d02f481bef",{"large":1117},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":1119,"meta":1120,"component":1121,"responsiveStyles":1126},"builder-dc366b5134684fe7a508edf8913103ea",{"previousId":999},{"name":373,"options":1122,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1123,"description":1124,"reverse":41,"image":1125},"\u003Ch2>Close gaps before they grow\u003C/h2>","\u003Cp>Push turns insight into action. When risky SaaS use is detected, guide users to enable MFA, block high-risk apps, or apply in-browser guardrails automatically. All without deploying new infrastructure or managing dozens of integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe6d60b6d91414819bc6258a318f00557",{"large":1127},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1129,"meta":1130,"component":1131,"responsiveStyles":1133},"builder-8708f6f0d8da4b3f9e17bf16cda70219",{"previousId":1009},{"name":354,"options":1132,"isRSC":118},{"darkMode":6},{"large":1134},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1136,"component":1137,"responsiveStyles":1139},"builder-8ff4b38d60534cf28cb523ab0f754875",{"name":416,"tag":416,"options":1138,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1140},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1142,"@type":106,"tagName":131,"properties":1143,"responsiveStyles":1144},"builder-pixel-d1ul2kmxbed",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":1145},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1147},{"path":37,"query":1148},{},{},1770892936802,1746714967208,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01bfb2304521412fbd2e1a1180904d40",[],{"originalContentId":919,"winningTest":118,"lastPreviewUrl":1155,"breakpoints":1156,"kind":438,"hasLinks":6,"hasAutosaves":6},"https://pushsecurity.com/uc/shadow-saas?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=5f118e24433d46ceb79f5099987156d7&builder.overrides.5f118e24433d46ceb79f5099987156d7=5f118e24433d46ceb79f5099987156d7&builder.overrides.use-case-page:/uc/shadow-saas=5f118e24433d46ceb79f5099987156d7&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":1158,"id":1159,"name":1160,"modelId":261,"published":13,"query":1161,"data":1164,"variations":1268,"lastUpdated":1269,"firstPublished":1270,"testRatio":33,"screenshot":1271,"createdBy":34,"lastUpdatedBy":674,"folders":1272,"meta":1273,"rev":440},1764707470172,"b62629ce2f3741158d961cd10fe74b31","Shadow AI",[1162],{"@type":264,"property":265,"operator":266,"value":1163},"/uc/shadow-ai",{"fontAwesomeIcon":1165,"seoTitle":1166,"jsCode":37,"customFonts":1167,"title":1172,"tsCode":37,"seoDescription":1173,"blocks":1174,"url":1163,"state":1265},"faBrainCircuit","Secure AI native and AI enhanced apps. ",[1168],{"variants":1169,"category":295,"files":1170,"subsets":1171,"family":272,"kind":273,"menu":296,"lastModified":275,"version":274},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"800italic":285,"regular":290,"700italic":287,"200italic":291,"italic":289,"500italic":292,"600italic":294,"300italic":293,"100italic":288,"900italic":286},[298,299],"Secure shadow AI","See and control shadow AI apps in the browser.",[1175,1260],{"@type":106,"@version":107,"tagName":323,"id":1176,"meta":1177,"children":1178},"builder-a6e5717a2c914d5695058e4ee201a05d",{"previousId":1056},[1179,1195,1202,1209,1219,1228,1237,1247,1254],{"@type":106,"@version":107,"id":1180,"meta":1181,"component":1182,"responsiveStyles":1193},"builder-3e0ed678683f4a0eb7aa00253cf263b2",{"previousId":1060},{"name":327,"options":1183,"isRSC":118},{"title":1172,"description":1184,"points":1185,"image":1192},"\u003Cp>Your employees are adopting AI faster than you can track it. From native features in corporate apps to unapproved shadow tools, it’s all happening in the browser. Push detects every AI interaction in real time, letting you categorize apps and enforce acceptable use policies in the browser.\u003C/p>",[1186,1188,1190],{"item":1187},"Map every AI tool used across your workforce",{"item":1189},"Review and classify apps by sensitivity, purpose, and policy status",{"item":1191},"Enforce AI usage rules directly in the browser","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F33cf153d920f4e389f3650253577cff7",{"large":1194},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":1196,"meta":1197,"component":1198,"responsiveStyles":1200},"builder-76968f8471d14893b8189d75b08fb426",{"previousId":1076},{"name":346,"options":1199,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":1201},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":1203,"meta":1204,"component":1205,"responsiveStyles":1207},"builder-b55b9d4bc5a649d8839ce7f6c2043d95",{"previousId":1083},{"name":354,"options":1206,"isRSC":118},{"darkMode":41},{"large":1208},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1210,"meta":1211,"component":1212,"responsiveStyles":1217},"builder-c3f38ef4d75d4989a29b5903175ed8a1",{"previousId":1090},{"name":359,"tag":359,"options":1213,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":1214,"description":1215,"image":1216,"reverse":6},"\u003Ch2>Use your browser to govern AI \u003C/h2>","\u003Cp>The AI footprint inside your company is bigger than you think. From text generators to meeting assistants and design copilots, employees test, adopt, and connect new tools constantly. Push shows you those tools and which users are accessing them, without relying on network scans or API integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F30b43bda6f1644c19478fb1efa20050c",{"large":1218},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1220,"meta":1221,"component":1222,"responsiveStyles":1226},"builder-90ee9cb9afc44e7f885523715bf51a53",{"previousId":1099},{"name":373,"options":1223,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":1224,"description":1225,"reverse":41,"image":1115},"\u003Ch2>Discover every AI tool users touch\u003C/h2>","\u003Cp>Push captures live telemetry from the browser, identifying every AI-native and AI-enhanced application users access. You’ll know which corporate identities are connected, how data flows, and what new AI apps appear across your environment. \u003C/p>",{"large":1227},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":1229,"meta":1230,"component":1231,"responsiveStyles":1235},"builder-9e44539fa53c4d8e87406036c921fc46",{"previousId":1109},{"name":373,"options":1232,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":1233,"description":1234,"reverse":6,"image":1125},"\u003Ch2>Classify and manage AI risk\u003C/h2>","\u003Cp>For apps you choose to allow, Push lets you apply custom in-browser banners. You can bulk-select categories of AI tools and require users to read and acknowledge your acceptable use policy before they proceed. This creates an auditable trail and moves policy from an easy to forget document to an active, in-workflow control.\u003C/p>",{"large":1236},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":1238,"meta":1239,"component":1240,"responsiveStyles":1245},"builder-44c1a891926f4bdeaaa37e90721fe6ac",{"previousId":1119},{"name":373,"options":1241,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1242,"description":1243,"reverse":41,"image":1244},"\u003Ch2>Enforce your AI policy in the browser\u003C/h2>","\u003Cp>When an AI tool is deemed non-compliant or too risky, Push blocks it at the source. The block happens directly in the browser, preventing the user from accessing the site or submitting data. This gives you an immediate, powerful lever to stop data exfiltration and enforce a hard line on unacceptable risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa359ac1805af4e15a8a7f84632b9bb55",{"large":1246},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1248,"meta":1249,"component":1250,"responsiveStyles":1252},"builder-dcc906f9cbe54dc68b3c672668e7a38f",{"previousId":1129},{"name":354,"options":1251,"isRSC":118},{"darkMode":6},{"large":1253},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1255,"component":1256,"responsiveStyles":1258},"builder-d2d64780c31b4349bc75805b23a07e38",{"name":416,"tag":416,"options":1257,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1259},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1261,"@type":106,"tagName":131,"properties":1262,"responsiveStyles":1263},"builder-pixel-wxx9tk70r9p",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":1264},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1266},{"path":37,"query":1267},{},{},1770892957225,1764950077593,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe558b8b069884037a8e6904f7ecc029c",[],{"winningTest":118,"breakpoints":1274,"originalContentId":1039,"kind":438,"lastPreviewUrl":1275,"hasLinks":6,"hasAutosaves":41},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/shadow-ai?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=b62629ce2f3741158d961cd10fe74b31&builder.overrides.b62629ce2f3741158d961cd10fe74b31=b62629ce2f3741158d961cd10fe74b31&builder.overrides.use-case-page:/uc/shadow-ai=b62629ce2f3741158d961cd10fe74b31&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"_path":1277,"_dir":1278,"_draft":6,"_partial":6,"_locale":37,"sys":1279,"ogImage":118,"summary":1282,"title":1296,"subtitle":118,"metaTitle":1297,"synopsis":1298,"hashTags":118,"publishedDate":1299,"slug":1300,"tagsCollection":1301,"relatedBlogPostsCollection":1311,"authorsCollection":3004,"content":3008,"_id":3561,"_type":3562,"_source":3563,"_file":3564,"_stem":3565,"_extension":3562},"/blog/new-phishing-campaign-identified-targeting-linkedin-users","blog",{"id":1280,"publishedAt":1281},"4vPEPmjd8MOlARD7oXfOrj","2025-11-17T15:27:30.278Z",{"json":1283},{"data":1284,"content":1285,"nodeType":1295},{},[1286],{"data":1287,"content":1288,"nodeType":1294},{},[1289],{"data":1290,"marks":1291,"value":1292,"nodeType":1293},{},[],"Attackers are increasingly sending phishing lures via non-email delivery channels like social media, instant messaging apps, and search engines. In this article, we’re diving into the latest sophisticated LinkedIn phishing campaign intercepted by Push. ","text","paragraph","document","New phishing campaign identified targeting LinkedIn users","New LinkedIn phishing campaign identified by Push Security","Diving into the latest sophisticated LinkedIn phishing campaign intercepted by Push. ","2025-10-30T00:00:00.000Z","new-phishing-campaign-identified-targeting-linkedin-users",{"items":1302},[1303,1307],{"sys":1304,"name":1306},{"id":1305},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"sys":1308,"name":1310},{"id":1309},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"items":1312},[1313,1897,2390],{"__typename":1314,"sys":1315,"content":1317,"title":1879,"synopsis":1880,"hashTags":118,"publishedDate":1881,"slug":1882,"tagsCollection":1883,"authorsCollection":1889},"BlogPosts",{"id":1316},"2yEhB2gFC2TJDLquVP3cg2",{"json":1318},{"nodeType":1295,"data":1319,"content":1320},{},[1321,1330,1337,1344,1351,1355,1365,1372,1394,1400,1407,1413,1420,1427,1433,1449,1455,1462,1468,1471,1479,1486,1495,1515,1522,1529,1537,1557,1565,1585,1593,1613,1619,1622,1630,1637,1682,1689,1696,1699,1707,1714,1760,1763,1771,1778,1823,1852,1859],{"nodeType":1322,"data":1323,"content":1329},"embedded-entry-block",{"target":1324},{"sys":1325},{"id":1326,"type":1327,"linkType":1328},"2pi21QGUvtdsDTbZYIF5Pr","Link","Entry",[],{"nodeType":1294,"data":1331,"content":1332},{},[1333],{"nodeType":1293,"value":1334,"marks":1335,"data":1336},"Push recently detected and blocked a high-risk phishing attack targeting a company executive's Google Workspace account. ",[],{},{"nodeType":1294,"data":1338,"content":1339},{},[1340],{"nodeType":1293,"value":1341,"marks":1342,"data":1343},"This attack demonstrated a range of advanced detection evasion techniques designed to circumvent traditional detection controls. ",[],{},{"nodeType":1294,"data":1345,"content":1346},{},[1347],{"nodeType":1293,"value":1348,"marks":1349,"data":1350},"Given this was a highly targeted attack against a company executive, the impact of a successful phish would have been extremely high. Push’s browser-based detection and response solution intercepted and blocked the phish in real-time, preventing the Microsoft session or credentials being captured by the attacker.",[],{},{"nodeType":1352,"data":1353,"content":1354},"hr",{},[],{"nodeType":1356,"data":1357,"content":1358},"heading-1",{},[1359],{"nodeType":1293,"value":1360,"marks":1361,"data":1364},"What happened",[1362],{"type":1363},"bold",{},{"nodeType":1294,"data":1366,"content":1367},{},[1368],{"nodeType":1293,"value":1369,"marks":1370,"data":1371},"A Push customer’s exec was targeted on LinkedIn via a direct message from another exec about an investment opportunity. The sender’s account had been compromised and used to approach high-value targets. ",[],{},{"nodeType":1294,"data":1373,"content":1374},{},[1375,1379,1390],{"nodeType":1293,"value":1376,"marks":1377,"data":1378},"The victim was sent a link to a basic page hosted on ",[],{},{"nodeType":1380,"data":1381,"content":1383},"hyperlink",{"uri":1382},"http://sites.google.com",[1384],{"nodeType":1293,"value":1385,"marks":1386,"data":1389},"sites.google.com",[1387],{"type":1388},"underline",{},{"nodeType":1293,"value":1391,"marks":1392,"data":1393},", styled as a landing page for a private equity fund investment opportunity. The page had buttons to handle both Microsoft and Google users. ",[],{},{"nodeType":1322,"data":1395,"content":1399},{"target":1396},{"sys":1397},{"id":1398,"type":1327,"linkType":1328},"1cEvEzLdKIuj6zuGn9aWJB",[],{"nodeType":1294,"data":1401,"content":1402},{},[1403],{"nodeType":1293,"value":1404,"marks":1405,"data":1406},"Upon clicking a button, Google Search was used as a redirect before taking the victim to a second page hosted on Microsoft Dynamics. This page was styled to look like Google Drive, where the victim was prompted to enter their last name and email into the form. ",[],{},{"nodeType":1322,"data":1408,"content":1412},{"target":1409},{"sys":1410},{"id":1411,"type":1327,"linkType":1328},"4fJ3JUdGcuRTa2Nza9QhkU",[],{"nodeType":1294,"data":1414,"content":1415},{},[1416],{"nodeType":1293,"value":1417,"marks":1418,"data":1419},"Upon entering their details and clicking submit, the victim was finally sent to an  Attacker-in-the-Middle (AitM) phishing page. ",[],{},{"nodeType":1294,"data":1421,"content":1422},{},[1423],{"nodeType":1293,"value":1424,"marks":1425,"data":1426},"To access the page, the victim had to solve a custom CAPTCHA challenge, which we’ve observed in a number of recent phishing attacks that we’ve linked to the Tycoon 2FA phishing kit.  ",[],{},{"nodeType":1322,"data":1428,"content":1432},{"target":1429},{"sys":1430},{"id":1431,"type":1327,"linkType":1328},"4Yu36QHTzSBZSg00QpbD1o",[],{"nodeType":1294,"data":1434,"content":1435},{},[1436,1440,1445],{"nodeType":1293,"value":1437,"marks":1438,"data":1439},"Because the customer had configured Push’s ",[],{},{"nodeType":1293,"value":1441,"marks":1442,"data":1444},"phishing tool detection control",[1443],{"type":1363},{},{"nodeType":1293,"value":1446,"marks":1447,"data":1448}," in block mode, the Push browser agent flagged the page as malicious to the user and prevented the attack from continuing. ",[],{},{"nodeType":1322,"data":1450,"content":1454},{"target":1451},{"sys":1452},{"id":1453,"type":1327,"linkType":1328},"6LfBXkDKqh1ogCMxaxyV6x",[],{"nodeType":1294,"data":1456,"content":1457},{},[1458],{"nodeType":1293,"value":1459,"marks":1460,"data":1461},"This detection was hooked by the customer’s security lake to trigger their security incident response workflow for further investigation. Push’s timelines feature ensured that the full chain of URLs accessed and actions performed on different pages could be analyzed by the security team. ",[],{},{"nodeType":1322,"data":1463,"content":1467},{"target":1464},{"sys":1465},{"id":1466,"type":1327,"linkType":1328},"4S8J7zmi6Q5wOt9vQHUe6l",[],{"nodeType":1352,"data":1469,"content":1470},{},[],{"nodeType":1356,"data":1472,"content":1473},{},[1474],{"nodeType":1293,"value":1475,"marks":1476,"data":1478},"Notable techniques",[1477],{"type":1363},{},{"nodeType":1294,"data":1480,"content":1481},{},[1482],{"nodeType":1293,"value":1483,"marks":1484,"data":1485},"This attack featured a number of notable attacker techniques designed to evade common phishing detection controls. ",[],{},{"nodeType":1487,"data":1488,"content":1489},"heading-2",{},[1490],{"nodeType":1293,"value":1491,"marks":1492,"data":1494},"Delivering the phishing lure via LinkedIn",[1493],{"type":1363},{},{"nodeType":1294,"data":1496,"content":1497},{},[1498,1502,1511],{"nodeType":1293,"value":1499,"marks":1500,"data":1501},"Using ",[],{},{"nodeType":1380,"data":1503,"content":1505},{"uri":1504},"https://phishing-techniques.pushsecurity.com/techniques/social-media/",[1506],{"nodeType":1293,"value":1507,"marks":1508,"data":1510},"social media sites like LinkedIn",[1509],{"type":1388},{},{"nodeType":1293,"value":1512,"marks":1513,"data":1514}," to deliver a phishing message has a number of advantages for the attacker. Generally, users are less alert to phishing attempts on social platforms, particularly those like LinkedIn which are used for personal as well as work purposes. ",[],{},{"nodeType":1294,"data":1516,"content":1517},{},[1518],{"nodeType":1293,"value":1519,"marks":1520,"data":1521},"However, the primary benefit of delivering phishing over LinkedIn is to evade email-based detection controls. With modern email security tools conducting various stages of analysis, such as analysing the URL, attempting to inspect the page in a web sandbox, and analyzing the written content of an email for possible malicious intent, it can be easier for attackers to simply bypass email altogether. ",[],{},{"nodeType":1294,"data":1523,"content":1524},{},[1525],{"nodeType":1293,"value":1526,"marks":1527,"data":1528},"With modern work communications now happening over several platforms, sites like LinkedIn where users can be directly messaged by people outside the organization, but are often accessed from work devices, are a prime target. ",[],{},{"nodeType":1487,"data":1530,"content":1531},{},[1532],{"nodeType":1293,"value":1533,"marks":1534,"data":1536},"Using legitimate, trusted sites to host links",[1535],{"type":1363},{},{"nodeType":1294,"data":1538,"content":1539},{},[1540,1544,1553],{"nodeType":1293,"value":1541,"marks":1542,"data":1543},"Attackers are increasingly ",[],{},{"nodeType":1380,"data":1545,"content":1547},{"uri":1546},"https://phishing-techniques.pushsecurity.com/techniques/trusted-website-hosting/",[1548],{"nodeType":1293,"value":1549,"marks":1550,"data":1552},"using legitimate sites to host their phishing links",[1551],{"type":1388},{},{"nodeType":1293,"value":1554,"marks":1555,"data":1556}," and perform redirections. Fronting phishing attacks with pages hosted on legitimate sites, in combination with lengthy redirect chains, can make it harder for security tools which rely on analysing the initial page served to the victim. In this example, Google Sites, Google Search, and Microsoft Dynamics were used. ",[],{},{"nodeType":1487,"data":1558,"content":1559},{},[1560],{"nodeType":1293,"value":1561,"marks":1562,"data":1564},"Using bot protection to defeat sandbox analysis tools",[1563],{"type":1363},{},{"nodeType":1294,"data":1566,"content":1567},{},[1568,1572,1581],{"nodeType":1293,"value":1569,"marks":1570,"data":1571},"Email and proxy security tools rely on loading a page in a web sandbox to analyze it for properties matching their detection signatures. However, dynamic elements that require user interaction to proceed are known to break these sandboxes. The most common way of attackers doing this is by ",[],{},{"nodeType":1380,"data":1573,"content":1575},{"uri":1574},"https://phishing-techniques.pushsecurity.com/techniques/bot-protection/",[1576],{"nodeType":1293,"value":1577,"marks":1578,"data":1580},"using legitimate bot protection",[1579],{"type":1388},{},{"nodeType":1293,"value":1582,"marks":1583,"data":1584}," technologies such as CAPTCHA and CloudFlare Turnstile. ",[],{},{"nodeType":1487,"data":1586,"content":1587},{},[1588],{"nodeType":1293,"value":1589,"marks":1590,"data":1592},"Performing layered redirects at different stages",[1591],{"type":1363},{},{"nodeType":1294,"data":1594,"content":1595},{},[1596,1600,1609],{"nodeType":1293,"value":1597,"marks":1598,"data":1599},"As already mentioned, the ",[],{},{"nodeType":1380,"data":1601,"content":1603},{"uri":1602},"https://phishing-techniques.pushsecurity.com/techniques/domain-rotation-redirection/",[1604],{"nodeType":1293,"value":1605,"marks":1606,"data":1608},"chain of redirects",[1607],{"type":1388},{},{"nodeType":1293,"value":1610,"marks":1611,"data":1612}," across different sites was particularly notable in this case (you can see this in the timeline screenshot provided above). To maximize the lifespan of a malicious domain, attackers are known to use various redirection tricks (often though legit sites that are often excluded from scanning tools). Using several redirections before serving the malicious page to break referrer-based checks that are common in proxy solutions and prevent the initial URLs seeded out from being discovered. By obfuscating the initial URL delivered to victims, and both masking and rotating the phishing URLs, it is much harder for organizations to blocklist known-bad sites effectively.",[],{},{"nodeType":1322,"data":1614,"content":1618},{"target":1615},{"sys":1616},{"id":1617,"type":1327,"linkType":1328},"6QzB0BlVC5mstXwXHvy2c3",[],{"nodeType":1352,"data":1620,"content":1621},{},[],{"nodeType":1356,"data":1623,"content":1624},{},[1625],{"nodeType":1293,"value":1626,"marks":1627,"data":1629},"Indicators of Compromise",[1628],{"type":1363},{},{"nodeType":1294,"data":1631,"content":1632},{},[1633],{"nodeType":1293,"value":1634,"marks":1635,"data":1636},"Static IoCs are of limited value in this case due to the use of disposable pages designed to be used once and then rotated. In this case, the page hosting the malicious AITM kit has now been flagged by Google after being reported. This makes blocking specific malicious subdomains hosted on otherwise legitimate sites difficult. However, we have observed a consistent pattern in the attacks identified by Push:",[],{},{"nodeType":1638,"data":1639,"content":1640},"unordered-list",{},[1641,1652,1662,1672],{"nodeType":1642,"data":1643,"content":1644},"list-item",{},[1645],{"nodeType":1294,"data":1646,"content":1647},{},[1648],{"nodeType":1293,"value":1649,"marks":1650,"data":1651},"Phishing lure delivered over LinkedIn",[],{},{"nodeType":1642,"data":1653,"content":1654},{},[1655],{"nodeType":1294,"data":1656,"content":1657},{},[1658],{"nodeType":1293,"value":1659,"marks":1660,"data":1661},"Link to sites.google.com page (e.g. sites.google.com/view/\u003CINVESTMENTCOMPANY>-ai/home)",[],{},{"nodeType":1642,"data":1663,"content":1664},{},[1665],{"nodeType":1294,"data":1666,"content":1667},{},[1668],{"nodeType":1293,"value":1669,"marks":1670,"data":1671},"Link to Microsoft Dynamics page (e.g. [assets-usa.mkt].dynamics.com/...)",[],{},{"nodeType":1642,"data":1673,"content":1674},{},[1675],{"nodeType":1294,"data":1676,"content":1677},{},[1678],{"nodeType":1293,"value":1679,"marks":1680,"data":1681},"Link to (*).sa.com phishing page",[],{},{"nodeType":1294,"data":1683,"content":1684},{},[1685],{"nodeType":1293,"value":1686,"marks":1687,"data":1688},"Given the targeted nature of the attack, we recommend hunting for executive-level users accessing some combination of these URLs (and variants) in a short timespan.",[],{},{"nodeType":1294,"data":1690,"content":1691},{},[1692],{"nodeType":1293,"value":1693,"marks":1694,"data":1695},"We also recommend informing your executive team about the rise in LinkedIn phishing attacks and the specific nature of the investment opportunity lure.",[],{},{"nodeType":1352,"data":1697,"content":1698},{},[],{"nodeType":1356,"data":1700,"content":1701},{},[1702],{"nodeType":1293,"value":1703,"marks":1704,"data":1706},"Impact analysis",[1705],{"type":1363},{},{"nodeType":1294,"data":1708,"content":1709},{},[1710],{"nodeType":1293,"value":1711,"marks":1712,"data":1713},"There aren’t many more valuable accounts than those belonging to your company executives. Compromising a Google Workspace account doesn’t just give the attacker access to the Workspace tenant, emails, chat, etc. — it also grants access to any accounts on downstream apps configured for SSO. The blast radius of such a compromise is pretty widespread, giving plenty of scope for further exploitation for an attacker with a clear idea of what they want to achieve. ",[],{},{"nodeType":1294,"data":1715,"content":1716},{},[1717,1721,1730,1734,1743,1747,1756],{"nodeType":1293,"value":1718,"marks":1719,"data":1720},"In short, stopping this attack at the earliest opportunity was a significant benefit. Even if the attack had been later stopped following the compromise and the stolen account reset, unpicking the web of potentially compromised downstream accounts that may have been accessed and backdoored by the attacker (such as by configuring stealthy persistence mechanisms like ",[],{},{"nodeType":1380,"data":1722,"content":1724},{"uri":1723},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/evil_twin_integrations/description.md",[1725],{"nodeType":1293,"value":1726,"marks":1727,"data":1729},"evil twin integrations",[1728],{"type":1388},{},{"nodeType":1293,"value":1731,"marks":1732,"data":1733},", ",[],{},{"nodeType":1380,"data":1735,"content":1737},{"uri":1736},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/api_keys/description.md",[1738],{"nodeType":1293,"value":1739,"marks":1740,"data":1742},"API keys",[1741],{"type":1388},{},{"nodeType":1293,"value":1744,"marks":1745,"data":1746}," or other ",[],{},{"nodeType":1380,"data":1748,"content":1750},{"uri":1749},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/ghost_logins/description.md",[1751],{"nodeType":1293,"value":1752,"marks":1753,"data":1755},"ghost login",[1754],{"type":1388},{},{"nodeType":1293,"value":1757,"marks":1758,"data":1759}," methods) presents a sizable overhead for the security team.     ",[],{},{"nodeType":1352,"data":1761,"content":1762},{},[],{"nodeType":1356,"data":1764,"content":1765},{},[1766],{"nodeType":1293,"value":1767,"marks":1768,"data":1770},"Learn more about Push",[1769],{"type":1363},{},{"nodeType":1294,"data":1772,"content":1773},{},[1774],{"nodeType":1293,"value":1775,"marks":1776,"data":1777},"Two key features played a part in this detection, which you can read more about below:",[],{},{"nodeType":1638,"data":1779,"content":1780},{},[1781,1802],{"nodeType":1642,"data":1782,"content":1783},{},[1784],{"nodeType":1294,"data":1785,"content":1786},{},[1787,1790,1799],{"nodeType":1293,"value":37,"marks":1788,"data":1789},[],{},{"nodeType":1380,"data":1791,"content":1793},{"uri":1792},"https://pushsecurity.com/blog/detecting-and-blocking-phishing-attacks-in-the-browser/",[1794],{"nodeType":1293,"value":1795,"marks":1796,"data":1798},"Phishing attack detection",[1797],{"type":1388},{},{"nodeType":1293,"value":37,"marks":1800,"data":1801},[],{},{"nodeType":1642,"data":1803,"content":1804},{},[1805],{"nodeType":1294,"data":1806,"content":1807},{},[1808,1811,1820],{"nodeType":1293,"value":37,"marks":1809,"data":1810},[],{},{"nodeType":1380,"data":1812,"content":1814},{"uri":1813},"https://pushsecurity.com/blog/introducing-push-detections/",[1815],{"nodeType":1293,"value":1816,"marks":1817,"data":1819},"Push detection and response capabilities inc. timeline visibility ",[1818],{"type":1388},{},{"nodeType":1293,"value":37,"marks":1821,"data":1822},[],{},{"nodeType":1294,"data":1824,"content":1825},{},[1826,1830,1835,1839,1848],{"nodeType":1293,"value":1827,"marks":1828,"data":1829},"Push doesn’t detect the redirect tricks or rely on outdated domain TI feeds. The reason we detect these attacks (which make it through all the other layers of phishing protection) is that ",[],{},{"nodeType":1293,"value":1831,"marks":1832,"data":1834},"Push sees what your users see",[1833],{"type":1363},{},{"nodeType":1293,"value":1836,"marks":1837,"data":1838},". It doesn’t matter what ",[],{},{"nodeType":1380,"data":1840,"content":1842},{"uri":1841},"https://phishing-techniques.pushsecurity.com/",[1843],{"nodeType":1293,"value":1844,"marks":1845,"data":1847},"delivery channel or camouflage methods are used",[1846],{"type":1388},{},{"nodeType":1293,"value":1849,"marks":1850,"data":1851},", Push detects and blocks attacks by identifying the attack in real time, as the user loads the page in their web browser.",[],{},{"nodeType":1294,"data":1853,"content":1854},{},[1855],{"nodeType":1293,"value":1856,"marks":1857,"data":1858},"This isn’t all we do: Push’s browser-based security platform provides comprehensive detection and response capabilities against the leading cause of breaches. Push blocks browser-based attacks like AiTM phishing, credential stuffing, password spraying and session hijacking using stolen session tokens. You don’t need to wait until it all goes wrong — you can also use Push to find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, risky OAuth integrations, and more to harden your identity attack surface.",[],{},{"nodeType":1294,"data":1860,"content":1861},{},[1862,1866,1875],{"nodeType":1293,"value":1863,"marks":1864,"data":1865},"If you want to learn more about how Push helps you to detect and stop attacks in the browser, ",[],{},{"nodeType":1380,"data":1867,"content":1869},{"uri":1868},"https://pushsecurity.com/demo/",[1870],{"nodeType":1293,"value":1871,"marks":1872,"data":1874},"book some time with one of our team for a live demo",[1873],{"type":1388},{},{"nodeType":1293,"value":1876,"marks":1877,"data":1878},".",[],{},"How Push stopped a high risk LinkedIn spear-phishing attack against a company exec","How Push saved a company exec from a sophisticated Attacker-in-the-Middle phishing attack delivered via a LinkedIn direct message.","2025-09-08T00:00:00.000Z","how-push-stopped-a-high-risk-linkedin-spear-phishing-attack",{"items":1884},[1885,1887],{"sys":1886,"name":1306},{"id":1305},{"sys":1888,"name":1310},{"id":1309},{"items":1890},[1891],{"fullName":1892,"firstName":1893,"jobTitle":1894,"profilePicture":1895},"Dan Green","Dan","Threat Research",{"url":1896},"https://images.ctfassets.net/y1cdw1ablpvd/7jik1VhFgA3kgzXBXTm2Vw/fcd8c171da644903d0827eafcfbcaad0/Dan_Headshot_2025.png",{"__typename":1314,"sys":1898,"content":1900,"title":2372,"synopsis":2373,"hashTags":118,"publishedDate":2374,"slug":2375,"tagsCollection":2376,"authorsCollection":2382},{"id":1899},"51p0V5Vr4I9rapUytBWX0R",{"json":1901},{"nodeType":1295,"data":1902,"content":1903},{},[1904,1911,1918,1925,1931,1938,1944,1951,1958,1961,1969,1976,1983,2006,2013,2016,2024,2040,2046,2053,2059,2066,2073,2076,2084,2104,2110,2117,2123,2126,2134,2154,2160,2167,2173,2193,2199,2205,2208,2216,2223,2230,2236,2239,2247,2254,2261,2264,2272,2279,2286,2292,2299,2332,2338,2346,2353],{"nodeType":1356,"data":1905,"content":1906},{},[1907],{"nodeType":1293,"value":1360,"marks":1908,"data":1910},[1909],{"type":1363},{},{"nodeType":1294,"data":1912,"content":1913},{},[1914],{"nodeType":1293,"value":1915,"marks":1916,"data":1917},"On April 11th our browser-based phishing detection controls were triggered for a user with the Push extension installed. ",[],{},{"nodeType":1294,"data":1919,"content":1920},{},[1921],{"nodeType":1293,"value":1922,"marks":1923,"data":1924},"The user had visited the url dashboard[.]onfido[.].us[.]com after entering a Google search for ‘onfido’, a site they had previously accessed for work and had an account on. A convincing looking Google ad duped the user into clicking the fake link.",[],{},{"nodeType":1322,"data":1926,"content":1930},{"target":1927},{"sys":1928},{"id":1929,"type":1327,"linkType":1328},"5o1LEkZfeYVjMZmROi3Yh",[],{"nodeType":1294,"data":1932,"content":1933},{},[1934],{"nodeType":1293,"value":1935,"marks":1936,"data":1937},"Although the page was not the official login page for Onfido, it appeared legitimate enough at first glance to trick the user. ",[],{},{"nodeType":1322,"data":1939,"content":1943},{"target":1940},{"sys":1941},{"id":1942,"type":1327,"linkType":1328},"4Tp1RJ3eSx7r79wwm9d9DZ",[],{"nodeType":1294,"data":1945,"content":1946},{},[1947],{"nodeType":1293,"value":1948,"marks":1949,"data":1950},"After clicking the link, the user was blocked from interacting with the malicious page running Evilginx by Push. We then took action to identify other Onfido users within the Push customer base and notify them accordingly of the campaign. ",[],{},{"nodeType":1294,"data":1952,"content":1953},{},[1954],{"nodeType":1293,"value":1955,"marks":1956,"data":1957},"There are a few interesting elements worth exploring. Let’s dive in. ",[],{},{"nodeType":1352,"data":1959,"content":1960},{},[],{"nodeType":1356,"data":1962,"content":1963},{},[1964],{"nodeType":1293,"value":1965,"marks":1966,"data":1968},"Why Onfido?",[1967],{"type":1363},{},{"nodeType":1294,"data":1970,"content":1971},{},[1972],{"nodeType":1293,"value":1973,"marks":1974,"data":1975},"Onfido is an interesting choice. It’s not your typical phishing target, which points to an interesting trend we’ve observed where attackers are diversifying their phishing targets. ",[],{},{"nodeType":1294,"data":1977,"content":1978},{},[1979],{"nodeType":1293,"value":1980,"marks":1981,"data":1982},"There are two main reasons for this:",[],{},{"nodeType":1638,"data":1984,"content":1985},{},[1986,1996],{"nodeType":1642,"data":1987,"content":1988},{},[1989],{"nodeType":1294,"data":1990,"content":1991},{},[1992],{"nodeType":1293,"value":1993,"marks":1994,"data":1995},"People are becoming increasingly suspicious of phishing attacks targeting core apps such as Microsoft, Google, Okta, etc. and are much more likely to spot real vs fake pages. ",[],{},{"nodeType":1642,"data":1997,"content":1998},{},[1999],{"nodeType":1294,"data":2000,"content":2001},{},[2002],{"nodeType":1293,"value":2003,"marks":2004,"data":2005},"Because highly targeted apps like IdPs and enterprise cloud platforms are becoming increasingly hardened from an identity perspective, attackers have a lower chance of success relative to accounts on the long tail of internet apps used by an organization — many of which simply cannot be securely configured in the same way (e.g. no passkey/WebAuthn support, limited admin controls to discover and remediate identity security gaps, etc.). ",[],{},{"nodeType":1294,"data":2007,"content":2008},{},[2009],{"nodeType":1293,"value":2010,"marks":2011,"data":2012},"Onfido is also an interesting example in that it definitely contains valuable data that attackers can take advantage of. As a digital identity solution, it presents a significant risk from both a personal and company perspective if compromised, with plenty of PII that can be leveraged to extort a victim — and clear bad press (and possible regulator scrutiny) if the data is leaked!",[],{},{"nodeType":1352,"data":2014,"content":2015},{},[],{"nodeType":1356,"data":2017,"content":2018},{},[2019],{"nodeType":1293,"value":2020,"marks":2021,"data":2023},"Why Google ads?",[2022],{"type":1363},{},{"nodeType":1294,"data":2025,"content":2026},{},[2027,2031,2036],{"nodeType":1293,"value":2028,"marks":2029,"data":2030},"The attack is a form of ",[],{},{"nodeType":1293,"value":2032,"marks":2033,"data":2035},"malvertising",[2034],{"type":1363},{},{"nodeType":1293,"value":2037,"marks":2038,"data":2039}," where attackers distribute malicious links via ads — in this case, via Google. This is just one example of the many non-email phishing channels that attackers have at their disposal today. ",[],{},{"nodeType":1322,"data":2041,"content":2045},{"target":2042},{"sys":2043},{"id":2044,"type":1327,"linkType":1328},"7kfeOKGXEWVL5RW5jFnQBo",[],{"nodeType":1294,"data":2047,"content":2048},{},[2049],{"nodeType":1293,"value":2050,"marks":2051,"data":2052},"The use of malvertising has a couple of notable advantages here. Namely, because Google ads do not use the same reputation-based checks as an email security provider does, the attacker can use freshly created domains to conduct the attack. Usually, attackers would aim to take over existing domains with a reputation already built up, or spend 6-12 months bedding in their domains so that they pass mail filters. ",[],{},{"nodeType":1322,"data":2054,"content":2058},{"target":2055},{"sys":2056},{"id":2057,"type":1327,"linkType":1328},"499fj1Xark8Bj7iQjv9Vsm",[],{"nodeType":1294,"data":2060,"content":2061},{},[2062],{"nodeType":1293,"value":2063,"marks":2064,"data":2065},"But in this case, the domain was registered only shortly before being used. We detected it only a few hours after it had been registered — and it’s already been taken down since (no doubt to be replaced with the next one). This means it’s easy for attackers to spin up these malvertising campaigns at will, without any real forward planning. ",[],{},{"nodeType":1294,"data":2067,"content":2068},{},[2069],{"nodeType":1293,"value":2070,"marks":2071,"data":2072},"In fact, malvertising doesn’t require much effort on the attacker’s part whatsoever. As a watering hole, you put the link up and wait for the clicks to roll in. Unfortunately, many people Google search for sites that they frequently use rather than accessing via bookmark, opening them up to these kinds of malvertising attacks. ",[],{},{"nodeType":1352,"data":2074,"content":2075},{},[],{"nodeType":1487,"data":2077,"content":2078},{},[2079],{"nodeType":1293,"value":2080,"marks":2081,"data":2083},"No frills ",[2082],{"type":1363},{},{"nodeType":1294,"data":2085,"content":2086},{},[2087,2091,2100],{"nodeType":1293,"value":2088,"marks":2089,"data":2090},"Unlike many of the other campaigns using MFA-bypass phishing kits we’ve seen in the wild, the attacker put very little effort into obfuscating the malicious page. We’ve seen some using things like Cloudflare Turnstile, CAPTCHA, or even ",[],{},{"nodeType":1380,"data":2092,"content":2094},{"uri":2093},"https://pushsecurity.com/blog/how-consent-phishing-is-evolving/",[2095],{"nodeType":1293,"value":2096,"marks":2097,"data":2099},"Consent Phishing for OIDC scopes ",[2098],{"type":1388},{},{"nodeType":1293,"value":2101,"marks":2102,"data":2103},"to break sandbox detections and prevent security tools from reaching the malicious content to analyze it. ",[],{},{"nodeType":1322,"data":2105,"content":2109},{"target":2106},{"sys":2107},{"id":2108,"type":1327,"linkType":1328},"7csybR6fJlCWsRy91CbNYL",[],{"nodeType":1294,"data":2111,"content":2112},{},[2113],{"nodeType":1293,"value":2114,"marks":2115,"data":2116},"That said, there was evidence to suggest that the domain required a specific URL path — namely, the page must be accessed via Google ads to load. When the page was accessed without the correct parameters set, we were forwarded to a nonexistent page within the legitimate onfido.com domain, resulting in a 404 error.",[],{},{"nodeType":1322,"data":2118,"content":2122},{"target":2119},{"sys":2120},{"id":2121,"type":1327,"linkType":1328},"658fTppp0l1YkoMERiQ1Oj",[],{"nodeType":1352,"data":2124,"content":2125},{},[],{"nodeType":1356,"data":2127,"content":2128},{},[2129],{"nodeType":1293,"value":2130,"marks":2131,"data":2133},"What’s interesting about the domain?",[2132],{"type":1363},{},{"nodeType":1294,"data":2135,"content":2136},{},[2137,2141,2150],{"nodeType":1293,"value":2138,"marks":2139,"data":2140},"One of the things that really stood out to us was the hosting domain — ",[],{},{"nodeType":1380,"data":2142,"content":2144},{"uri":2143},"http://us.com",[2145],{"nodeType":1293,"value":2146,"marks":2147,"data":2149},"us.com",[2148],{"type":1388},{},{"nodeType":1293,"value":2151,"marks":2152,"data":2153},". Unlike the official government TLD .us, us.com is designed to look and feel legit but does not require any US affiliation or evidence of a US presence. This isn’t a TLD, it’s just a domain selling subdomains within their domain. This means there’s no WHOIS information available on the domains. ",[],{},{"nodeType":1322,"data":2155,"content":2159},{"target":2156},{"sys":2157},{"id":2158,"type":1327,"linkType":1328},"7HtOWLePxPclyfODqC0oR",[],{"nodeType":1294,"data":2161,"content":2162},{},[2163],{"nodeType":1293,"value":2164,"marks":2165,"data":2166},"This is incredibly deceptive to the user and will fool many people glancing at the link. It doesn’t look as obviously suspicious as your .xyz or .biz and has the feel of a legitimate domain. It’s also incredibly cheap to pick up .us.com domains right now. ",[],{},{"nodeType":1322,"data":2168,"content":2172},{"target":2169},{"sys":2170},{"id":2171,"type":1327,"linkType":1328},"5CHWwlH2ZFZiVOQWMpkquy",[],{"nodeType":1294,"data":2174,"content":2175},{},[2176,2180,2189],{"nodeType":1293,"value":2177,"marks":2178,"data":2179},"You can find additional information on ",[],{},{"nodeType":1380,"data":2181,"content":2183},{"uri":2182},"https://urlscan.io/result/0196338c-75ea-720c-a0e4-c2898acc4779/",[2184],{"nodeType":1293,"value":2185,"marks":2186,"data":2188},"urlscan",[2187],{"type":1388},{},{"nodeType":1293,"value":2190,"marks":2191,"data":2192}," here.",[],{},{"nodeType":1322,"data":2194,"content":2198},{"target":2195},{"sys":2196},{"id":2197,"type":1327,"linkType":1328},"6hdBHT8SrC6z7O0gIc7xnh",[],{"nodeType":1322,"data":2200,"content":2204},{"target":2201},{"sys":2202},{"id":2203,"type":1327,"linkType":1328},"3KxFiCeGlk7fVC8k1oo7cX",[],{"nodeType":1352,"data":2206,"content":2207},{},[],{"nodeType":1356,"data":2209,"content":2210},{},[2211],{"nodeType":1293,"value":2212,"marks":2213,"data":2215},"Isn’t Evilginx a red team tool?",[2214],{"type":1363},{},{"nodeType":1294,"data":2217,"content":2218},{},[2219],{"nodeType":1293,"value":2220,"marks":2221,"data":2222},"Evilginx is nominally a red team tool, but we frequently spot it being used in phishing campaigns against our customers. Evilginx is a great choice for attackers looking to target non-standard web apps because it is capable of emulating a range of domains — it’s designed to be flexible and work for any page without generating a load of custom JavaScript that might stand out to security tools/analysts. ",[],{},{"nodeType":1294,"data":2224,"content":2225},{},[2226],{"nodeType":1293,"value":2227,"marks":2228,"data":2229},"If you want to see an example of Evilginx being used to phish a user, check out the example below. ",[],{},{"nodeType":1322,"data":2231,"content":2235},{"target":2232},{"sys":2233},{"id":2234,"type":1327,"linkType":1328},"7IuP0mcRZJkL8YGNoZo5Dj",[],{"nodeType":1352,"data":2237,"content":2238},{},[],{"nodeType":1356,"data":2240,"content":2241},{},[2242],{"nodeType":1293,"value":2243,"marks":2244,"data":2246},"What can you do about it?",[2245],{"type":1363},{},{"nodeType":1294,"data":2248,"content":2249},{},[2250],{"nodeType":1293,"value":2251,"marks":2252,"data":2253},"There’s not a huge amount of impartial advice to give here unfortunately. With malicious Google ads not going away anytime soon, response action is limited. If you are an Onfido user, be sure to block the URL and any related patterns (we noticed that after appearing to have been taken down initially, the site has reappeared at dashboard[.]onfido[.]us[.]com/users/sign_in and no longer appears to require the same URL path). However, it goes without saying that this is a temporary measure and the attacker will no doubt rotate the domain in the near future. ",[],{},{"nodeType":1294,"data":2255,"content":2256},{},[2257],{"nodeType":1293,"value":2258,"marks":2259,"data":2260},"One good option is to encourage your users to bookmark their links rather than Google searching for the page. If you’re using an IdP with an application dashboard like Okta, Microsoft, or Google, this provides a convenient way to find all your apps in one place. ",[],{},{"nodeType":1352,"data":2262,"content":2263},{},[],{"nodeType":1356,"data":2265,"content":2266},{},[2267],{"nodeType":1293,"value":2268,"marks":2269,"data":2271},"Bonus: How Push stopped the attack",[2270],{"type":1363},{},{"nodeType":1294,"data":2273,"content":2274},{},[2275],{"nodeType":1293,"value":2276,"marks":2277,"data":2278},"Interested in how we stopped the attack?",[],{},{"nodeType":1294,"data":2280,"content":2281},{},[2282],{"nodeType":1293,"value":2283,"marks":2284,"data":2285},"When the user visited the page, Push detected Evilginx running on the page and blocked the user. Check it out.",[],{},{"nodeType":1322,"data":2287,"content":2291},{"target":2288},{"sys":2289},{"id":2290,"type":1327,"linkType":1328},"5QavzZPS4siFvHCBhpujEe",[],{"nodeType":1294,"data":2293,"content":2294},{},[2295],{"nodeType":1293,"value":2296,"marks":2297,"data":2298},"Using our browser-based security platform, you can also see all users with an account on Onfido across your workforce. Using Push, you can:",[],{},{"nodeType":1638,"data":2300,"content":2301},{},[2302,2312,2322],{"nodeType":1642,"data":2303,"content":2304},{},[2305],{"nodeType":1294,"data":2306,"content":2307},{},[2308],{"nodeType":1293,"value":2309,"marks":2310,"data":2311},"Quickly identify which users have a password-based login set for their account (and therefore could be phished). ",[],{},{"nodeType":1642,"data":2313,"content":2314},{},[2315],{"nodeType":1294,"data":2316,"content":2317},{},[2318],{"nodeType":1293,"value":2319,"marks":2320,"data":2321},"Identify users to enable them to be contacted about the attacks targeting Onfido.",[],{},{"nodeType":1642,"data":2323,"content":2324},{},[2325],{"nodeType":1294,"data":2326,"content":2327},{},[2328],{"nodeType":1293,"value":2329,"marks":2330,"data":2331},"Set an app banner for Onfido warning users of the attacks and guiding them to access and login to the app via your SSO solution. ",[],{},{"nodeType":1322,"data":2333,"content":2337},{"target":2334},{"sys":2335},{"id":2336,"type":1327,"linkType":1328},"23B4EHUs1vt0se5r1cUI4t",[],{"nodeType":1487,"data":2339,"content":2340},{},[2341],{"nodeType":1293,"value":2342,"marks":2343,"data":2345},"We don’t just stop phishing attacks",[2344],{"type":1363},{},{"nodeType":1294,"data":2347,"content":2348},{},[2349],{"nodeType":1293,"value":2350,"marks":2351,"data":2352},"It doesn’t stop there — Push provides comprehensive identity attack detection and response capabilities against techniques like credential stuffing, password spraying and session hijacking using stolen session tokens. You can also use Push to find and fix identity vulnerabilities across every app that your employees use like: ghost logins; SSO coverage gaps; MFA gaps; weak, breached and reused passwords; risky OAuth integrations; and more. ",[],{},{"nodeType":1294,"data":2354,"content":2355},{},[2356,2360,2368],{"nodeType":1293,"value":2357,"marks":2358,"data":2359},"If you want to learn more about how Push helps you to detect and defeat advanced identity attack techniques in the browser, ",[],{},{"nodeType":1380,"data":2361,"content":2363},{"uri":2362},"https://pushsecurity.com/demo",[2364],{"nodeType":1293,"value":2365,"marks":2366,"data":2367},"book some time with one of our team",[],{},{"nodeType":1293,"value":2369,"marks":2370,"data":2371}," for a live demo.",[],{},"Investigating a recent malvertising campaign targeting Onfido customers","We recently investigated a malvertising campaign using Evilginx to target Onfido customers via Google ads.","2025-04-15T00:00:00.000Z","investigating-a-recent-malvertising-campaign-targeting-onfido-customers",{"items":2377},[2378,2380],{"sys":2379,"name":1310},{"id":1309},{"sys":2381,"name":1306},{"id":1305},{"items":2383},[2384],{"fullName":2385,"firstName":2386,"jobTitle":2387,"profilePicture":2388},"Luke Jennings","Luke","Vice President, R&D",{"url":2389},"https://images.ctfassets.net/y1cdw1ablpvd/4Hosb4zKi1dA0PUyDLMe1h/27e09d894861f2196ba794037986fb08/T016S22KZ96-U02NVQM7ZD4-57761d542d83-512.jpeg",{"__typename":1314,"sys":2391,"content":2393,"title":2990,"synopsis":2991,"hashTags":118,"publishedDate":2992,"slug":2993,"tagsCollection":2994,"authorsCollection":3000},{"id":2392},"5y6UUG3mMTu1dFhtKO0AUT",{"json":2394},{"data":2395,"content":2396,"nodeType":1295},{},[2397,2404,2411,2431,2438,2457,2464,2467,2475,2482,2489,2495,2502,2547,2589,2597,2604,2624,2662,2668,2675,2681,2688,2696,2727,2733,2736,2744,2764,2784,2815,2820,2823,2831,2838,2932,2935,2942,2958,2965,2972],{"data":2398,"content":2399,"nodeType":1294},{},[2400],{"data":2401,"marks":2402,"value":2403,"nodeType":1293},{},[],"Everything we do at Push is research-driven. Our detections for phishing attacks were created through hands-on analysis of phishing kits that our customers have been targeted with. This gives us a steady supply of all manner of modern Attacker-in-the-Middle phishing kits to analyze — from the classic Evilginx-style phish kit to professionalized criminal as-a-Service infrastructure. ",{"data":2405,"content":2406,"nodeType":1294},{},[2407],{"data":2408,"marks":2409,"value":2410,"nodeType":1293},{},[],"In our most recent phish kit teardown, we encountered a standard reverse-proxy clone of a Microsoft login page — nothing unusual at first glance. But increasingly, a lot of the innovation comes outside of the phishing page itself. ",{"data":2412,"content":2413,"nodeType":1294},{},[2414,2418,2427],{"data":2415,"marks":2416,"value":2417,"nodeType":1293},{},[],"The art in detection evasion comes from being able to successfully deliver the page to a user and have them open the page without it being intercepted by an email security, proxy scanner, URL TI feed, or web analysis tool. To achieve this, the attacker found a way to redirect from a legitimate ",{"data":2419,"content":2421,"nodeType":1380},{"uri":2420},"http://outlook.office.com",[2422],{"data":2423,"marks":2424,"value":2426,"nodeType":1293},{},[2425],{"type":1388},"outlook.office.com",{"data":2428,"marks":2429,"value":2430,"nodeType":1293},{},[]," link to a phishing website. ",{"data":2432,"content":2433,"nodeType":1294},{},[2434],{"data":2435,"marks":2436,"value":2437,"nodeType":1293},{},[],"This is essentially an open redirect vulnerability — maybe not the classic example where someone has forgotten to do input sanitization on their website, but the outcome is the same.",{"data":2439,"content":2440,"nodeType":1294},{},[2441,2445,2453],{"data":2442,"marks":2443,"value":2444,"nodeType":1293},{},[],"Central to our analysis was the use of our timelines feature, ",{"data":2446,"content":2447,"nodeType":1380},{"uri":1813},[2448],{"data":2449,"marks":2450,"value":2452,"nodeType":1293},{},[2451],{"type":1388},"part of our latest Detections feature release",{"data":2454,"marks":2455,"value":2456,"nodeType":1293},{},[],". I’m not going to talk in any detail about this, but the TL;DR is that it allows us to trace back the entire chain of browsing activity leading up to a detection — showing the full (sometimes lengthy) redirect chain from the initial link delivery source to the actual phishing page, tabs opened and closed, popup windows, forms submitted, passwords entered, and more. ",{"data":2458,"content":2459,"nodeType":1294},{},[2460],{"data":2461,"marks":2462,"value":2463,"nodeType":1293},{},[],"First, let’s go through the steps of my investigation before looking at the findings (and the implications for phishing detection evasion techniques). ",{"data":2465,"content":2466,"nodeType":1352},{},[],{"data":2468,"content":2469,"nodeType":1356},{},[2470],{"data":2471,"marks":2472,"value":2474,"nodeType":1293},{},[2473],{"type":1363},"Investigation walkthrough",{"data":2476,"content":2477,"nodeType":1294},{},[2478],{"data":2479,"marks":2480,"value":2481,"nodeType":1293},{},[],"As I opened with, there was nothing especially notable about the phishing page itself — a standard reverse-proxy AitM page designed to intercept the user’s session as they authenticate, bypassing MFA in the process. ",{"data":2483,"content":2484,"nodeType":1294},{},[2485],{"data":2486,"marks":2487,"value":2488,"nodeType":1293},{},[],"This was not targeted delivery — employees from several customers were impacted. I’ve included an example of how one user arrived at the site below.",{"data":2490,"content":2494,"nodeType":1322},{"target":2491},{"sys":2492},{"id":2493,"type":1327,"linkType":1328},"51MnOL9XqQDkllK2Jer4S9",[],{"data":2496,"content":2497,"nodeType":1294},{},[2498],{"data":2499,"marks":2500,"value":2501,"nodeType":1293},{},[],"This one stood out to me for a few reasons. ",{"data":2503,"content":2504,"nodeType":1638},{},[2505,2515,2537],{"data":2506,"content":2507,"nodeType":1642},{},[2508],{"data":2509,"content":2510,"nodeType":1294},{},[2511],{"data":2512,"marks":2513,"value":2514,"nodeType":1293},{},[],"The user had accessed the malicious link from Google search. They searched “Office 265\" (a typo presumably), clicked a link, and were taken to an Office login page.",{"data":2516,"content":2517,"nodeType":1642},{},[2518],{"data":2519,"content":2520,"nodeType":1294},{},[2521,2525,2533],{"data":2522,"marks":2523,"value":2524,"nodeType":1293},{},[],"The Outlook link had a number of Google Ads tracking parameters attached, meaning they clicked an ad, not an organic link — making this a ",{"data":2526,"content":2528,"nodeType":1380},{"uri":2527},"https://pushsecurity.github.io/phishing-techniques/techniques/malvertising/",[2529],{"data":2530,"marks":2531,"value":2032,"nodeType":1293},{},[2532],{"type":1388},{"data":2534,"marks":2535,"value":2536,"nodeType":1293},{},[]," attack. ",{"data":2538,"content":2539,"nodeType":1642},{},[2540],{"data":2541,"content":2542,"nodeType":1294},{},[2543],{"data":2544,"marks":2545,"value":2546,"nodeType":1293},{},[],"Another domain — bluegraintours[.]com — was in the URL path, after which they were redirected to the Microsoft-impersonating phishing site (login-microsoftonline[.]offirmtm[.]com ...). ",{"data":2548,"content":2549,"nodeType":1294},{},[2550,2554,2563,2567,2574,2578,2585],{"data":2551,"marks":2552,"value":2553,"nodeType":1293},{},[],"This got me wondering — how did they get ",{"data":2555,"content":2557,"nodeType":1380},{"uri":2556},"http://office.com",[2558],{"data":2559,"marks":2560,"value":2562,"nodeType":1293},{},[2561],{"type":1388},"office.com",{"data":2564,"marks":2565,"value":2566,"nodeType":1293},{},[]," to redirect to the phishing site, and why was the bluegraintours domain in the path of an ",{"data":2568,"content":2569,"nodeType":1380},{"uri":2556},[2570],{"data":2571,"marks":2572,"value":2562,"nodeType":1293},{},[2573],{"type":1388},{"data":2575,"marks":2576,"value":2577,"nodeType":1293},{},[]," link? There was no indication that an actual phishing email was interacted with, it seemed to all happen directly from the legitimate ",{"data":2579,"content":2580,"nodeType":1380},{"uri":2556},[2581],{"data":2582,"marks":2583,"value":2562,"nodeType":1293},{},[2584],{"type":1388},{"data":2586,"marks":2587,"value":2588,"nodeType":1293},{},[]," link. ",{"data":2590,"content":2591,"nodeType":1487},{},[2592],{"data":2593,"marks":2594,"value":2596,"nodeType":1293},{},[2595],{"type":1363},"Redirecting to a malicious login page via ADFS",{"data":2598,"content":2599,"nodeType":1294},{},[2600],{"data":2601,"marks":2602,"value":2603,"nodeType":1293},{},[],"From memory, I knew that the tenant name can appear in the URL when you’re accessing a specific Microsoft tenant for your organization — essentially a domain-specific landing page. ",{"data":2605,"content":2606,"nodeType":1294},{},[2607,2611,2620],{"data":2608,"marks":2609,"value":2610,"nodeType":1293},{},[],"It turns out the attacker had set up a custom Microsoft tenant with ",{"data":2612,"content":2614,"nodeType":1380},{"uri":2613},"https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/ad-fs-overview",[2615],{"data":2616,"marks":2617,"value":2619,"nodeType":1293},{},[2618],{"type":1388},"Active Directory Federation Services (ADFS)",{"data":2621,"marks":2622,"value":2623,"nodeType":1293},{},[]," configured. If you’re not familiar, ADFS is an SSO solution that is often used to connect on-premises Active Directory with cloud services like Microsoft 365 or Azure Active Directory. This means Microsoft will perform the redirect to the custom malicious domain. ",{"data":2625,"content":2626,"nodeType":1294},{},[2627,2631,2640,2644,2653,2657],{"data":2628,"marks":2629,"value":2630,"nodeType":1293},{},[],"This is strikingly similar to ",{"data":2632,"content":2634,"nodeType":1380},{"uri":2633},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/samljacking/description.md",[2635],{"data":2636,"marks":2637,"value":2639,"nodeType":1293},{},[2638],{"type":1388},"SAMLjacking",{"data":2641,"marks":2642,"value":2643,"nodeType":1293},{},[],", a technique I’ve ",{"data":2645,"content":2647,"nodeType":1380},{"uri":2646},"https://pushsecurity.com/blog/samljacking-a-poisoned-tenant/",[2648],{"data":2649,"marks":2650,"value":2652,"nodeType":1293},{},[2651],{"type":1388},"blogged about previously",{"data":2654,"marks":2655,"value":2656,"nodeType":1293},{},[]," which allows you to change the identity provider domain that an application’s users authenticate through. Attackers can change this link to their phishing page that proxies the legitimate site to phish users through legitimate sign-in links — ",{"data":2658,"marks":2659,"value":2661,"nodeType":1293},{},[2660],{"type":1363},"so I guess that makes this ADFSjacking?",{"data":2663,"content":2667,"nodeType":1322},{"target":2664},{"sys":2665},{"id":2666,"type":1327,"linkType":1328},"3BXyDhMC69355gLRqyIwQP",[],{"data":2669,"content":2670,"nodeType":1294},{},[2671],{"data":2672,"marks":2673,"value":2674,"nodeType":1293},{},[],"I had initially assumed that bluegraintours was a legitimate website that had been compromised by the attacker and used as a redirect, which is pretty common behavior for threat groups. However, it turns out that it’s actually a fake website that the attackers have probably vibe-coded. ",{"data":2676,"content":2680,"nodeType":1322},{"target":2677},{"sys":2678},{"id":2679,"type":1327,"linkType":1328},"1hnWJ0jgsPqRELDqUeFzf3",[],{"data":2682,"content":2683,"nodeType":1294},{},[2684],{"data":2685,"marks":2686,"value":2687,"nodeType":1293},{},[],"It’s worth noting that this isn’t something that the phishing victim would see as part of the attack — it’s purely used as an invisible redirect. This is most likely to be an attempt to mask the nature of the domain for domain categorization purposes, which is typical for proxy-based solutions to prevent users from browsing to unapproved things — this way, automated scanners will classify it as a travel blog. ",{"data":2689,"content":2690,"nodeType":1487},{},[2691],{"data":2692,"marks":2693,"value":2695,"nodeType":1293},{},[2694],{"type":1363},"Conditional loading interrupted the page analysis",{"data":2697,"content":2698,"nodeType":1294},{},[2699,2703,2712,2716,2723],{"data":2700,"marks":2701,"value":2702,"nodeType":1293},{},[],"While the user was taken to the phishing page at the end of the chain, ",{"data":2704,"content":2706,"nodeType":1380},{"uri":2705},"https://pushsecurity.github.io/phishing-techniques/techniques/conditional-loading/",[2707],{"data":2708,"marks":2709,"value":2711,"nodeType":1293},{},[2710],{"type":1388},"conditional loading",{"data":2713,"marks":2714,"value":2715,"nodeType":1293},{},[]," restrictions prevented us from recreating the full attack flow when loading the initial link clicked by the user. This happens when certain conditions of the page load aren’t met. Because the kit decides I’m not a valid target, I’m redirected back to ",{"data":2717,"content":2718,"nodeType":1380},{"uri":2556},[2719],{"data":2720,"marks":2721,"value":2562,"nodeType":1293},{},[2722],{"type":1388},{"data":2724,"marks":2725,"value":2726,"nodeType":1293},{},[],". However, we were able to skip ahead and bypass the conditional loading to access the phishing server directly. ",{"data":2728,"content":2732,"nodeType":1322},{"target":2729},{"sys":2730},{"id":2731,"type":1327,"linkType":1328},"68rW6CHJOJ2u3mCc08lGvZ",[],{"data":2734,"content":2735,"nodeType":1352},{},[],{"data":2737,"content":2738,"nodeType":1356},{},[2739],{"data":2740,"marks":2741,"value":2743,"nodeType":1293},{},[2742],{"type":1363},"Key takeaways",{"data":2745,"content":2746,"nodeType":1294},{},[2747,2751,2760],{"data":2748,"marks":2749,"value":2750,"nodeType":1293},{},[],"While this isn’t a vulnerability per se, the ability for attackers to add their own Microsoft ADFS server to host their phishing page and have Microsoft redirect to it is a concerning development that will make URL-based detections even more challenging than they already are. ",{"data":2752,"content":2754,"nodeType":1380},{"uri":2753},"https://pushsecurity.github.io/phishing-techniques/techniques/trusted-website-hosting/",[2755],{"data":2756,"marks":2757,"value":2759,"nodeType":1293},{},[2758],{"type":1388},"Hosting phishing links on trusted third-party websites",{"data":2761,"marks":2762,"value":2763,"nodeType":1293},{},[]," is a highly effective way of both bypassing URL-based detections and implementing layers of obfuscation in their phishing delivery chain that can break automated analysis tools.  ",{"data":2765,"content":2766,"nodeType":1294},{},[2767,2771,2780],{"data":2768,"marks":2769,"value":2770,"nodeType":1293},{},[],"This is basically the equivalent to ",{"data":2772,"content":2774,"nodeType":1380},{"uri":2773},"http://outlook.com",[2775],{"data":2776,"marks":2777,"value":2779,"nodeType":1293},{},[2778],{"type":1388},"Outlook.com",{"data":2781,"marks":2782,"value":2783,"nodeType":1293},{},[]," having an open redirect vulnerability, which would be a huge deal in the eyes of most security practitioners. In practice, it’s a little harder for the average attacker to make use of this, but anyone that is willing to create a Microsoft tenant and set up ADFS could create similar phishing infrastructure  — which only requires passing a credit card check. ",{"data":2785,"content":2786,"nodeType":1294},{},[2787,2791,2798,2802,2811],{"data":2788,"marks":2789,"value":2790,"nodeType":1293},{},[],"The other notable component to this attack is the use of ",{"data":2792,"content":2793,"nodeType":1380},{"uri":2527},[2794],{"data":2795,"marks":2796,"value":2032,"nodeType":1293},{},[2797],{"type":1388},{"data":2799,"marks":2800,"value":2801,"nodeType":1293},{},[]," as the lure delivery channel. This is a trend we spotted recently with ",{"data":2803,"content":2805,"nodeType":1380},{"uri":2804},"https://pushsecurity.com/blog/investigating-a-recent-malvertising-campaign-targeting-onfido-customers/",[2806],{"data":2807,"marks":2808,"value":2810,"nodeType":1293},{},[2809],{"type":1388},"Scattered Spider’s use of Onfido-based malvertising lures",{"data":2812,"marks":2813,"value":2814,"nodeType":1293},{},[],". Malvertising is a great way for attackers to sidestep phishing controls placed at the email layer (where the majority are) and, as in this case, can create a highly-convincing and difficult-to-spot phishing scenario.  ",{"data":2816,"content":2819,"nodeType":1322},{"target":2817},{"sys":2818},{"id":1617,"type":1327,"linkType":1328},[],{"data":2821,"content":2822,"nodeType":1352},{},[],{"data":2824,"content":2825,"nodeType":1356},{},[2826],{"data":2827,"marks":2828,"value":2830,"nodeType":1293},{},[2829],{"type":1363},"Detection recommendations",{"data":2832,"content":2833,"nodeType":1294},{},[2834],{"data":2835,"marks":2836,"value":2837,"nodeType":1293},{},[],"There are a couple of tool-agnostic hardening options that can used to limit exposure to the specifics of this attack:",{"data":2839,"content":2840,"nodeType":1638},{},[2841,2851,2872],{"data":2842,"content":2843,"nodeType":1642},{},[2844],{"data":2845,"content":2846,"nodeType":1294},{},[2847],{"data":2848,"marks":2849,"value":2850,"nodeType":1293},{},[],"Monitoring for ADFS redirects in proxy logs that could be malicious, i.e. login.microsoftonline.com redirecting to another domain with /adfs/ls/ in the path. Many organizations do not use ADFS, while those that do should be able to filter legitimate ones to their legitimate domain relatively easily. ",{"data":2852,"content":2853,"nodeType":1642},{},[2854],{"data":2855,"content":2856,"nodeType":1294},{},[2857,2861,2868],{"data":2858,"marks":2859,"value":2860,"nodeType":1293},{},[],"Monitoring for Google redirects to ",{"data":2862,"content":2863,"nodeType":1380},{"uri":2556},[2864],{"data":2865,"marks":2866,"value":2562,"nodeType":1293},{},[2867],{"type":1388},{"data":2869,"marks":2870,"value":2871,"nodeType":1293},{},[]," with Google ad parameters for more specific detection of malvertising + ADFS hijacking as in this example. ",{"data":2873,"content":2874,"nodeType":1642},{},[2875],{"data":2876,"content":2877,"nodeType":1294},{},[2878,2882,2891,2894,2903,2906,2915,2919,2928],{"data":2879,"marks":2880,"value":2881,"nodeType":1293},{},[],"Deploying ad blockers to all of your browsers to stop malvertising attacks — though this only serves to tackle one of the several possible delivery vectors, such as links delivered using ",{"data":2883,"content":2885,"nodeType":1380},{"uri":2884},"https://pushsecurity.github.io/phishing-techniques/techniques/email-legitimate-app/",[2886],{"data":2887,"marks":2888,"value":2890,"nodeType":1293},{},[2889],{"type":1388},"legitimate third-party services",{"data":2892,"marks":2893,"value":1731,"nodeType":1293},{},[],{"data":2895,"content":2897,"nodeType":1380},{"uri":2896},"https://pushsecurity.github.io/phishing-techniques/techniques/social-media/",[2898],{"data":2899,"marks":2900,"value":2902,"nodeType":1293},{},[2901],{"type":1388},"social media",{"data":2904,"marks":2905,"value":1731,"nodeType":1293},{},[],{"data":2907,"content":2909,"nodeType":1380},{"uri":2908},"https://pushsecurity.github.io/phishing-techniques/techniques/instant-messenger/",[2910],{"data":2911,"marks":2912,"value":2914,"nodeType":1293},{},[2913],{"type":1388},"instant messenger",{"data":2916,"marks":2917,"value":2918,"nodeType":1293},{},[],", or ",{"data":2920,"content":2922,"nodeType":1380},{"uri":2921},"https://pushsecurity.github.io/phishing-techniques/techniques/email-attachment/",[2923],{"data":2924,"marks":2925,"value":2927,"nodeType":1293},{},[2926],{"type":1388},"email attachment",{"data":2929,"marks":2930,"value":2931,"nodeType":1293},{},[],". (This is one of the limitations of focusing on specific delivery mechanisms — attackers have more to choose from than ever before. It’s not just an email problem). ",{"data":2933,"content":2934,"nodeType":1352},{},[],{"data":2936,"content":2937,"nodeType":1356},{},[2938],{"data":2939,"marks":2940,"value":1767,"nodeType":1293},{},[2941],{"type":1363},{"data":2943,"content":2944,"nodeType":1294},{},[2945,2949,2955],{"data":2946,"marks":2947,"value":2948,"nodeType":1293},{},[],"Push doesn’t detect the redirect tricks, or relies on outdated domain TI feeds. It doesn’t matter what ",{"data":2950,"content":2951,"nodeType":1380},{"uri":1841},[2952],{"data":2953,"marks":2954,"value":1844,"nodeType":1293},{},[],{"data":2956,"marks":2957,"value":1849,"nodeType":1293},{},[],{"data":2959,"content":2960,"nodeType":1294},{},[2961],{"data":2962,"marks":2963,"value":2964,"nodeType":1293},{},[],"Push’s browser-based security platform provides comprehensive identity attack detection and response capabilities against techniques like AiTM phishing, credential stuffing, password spraying, and session hijacking using stolen session tokens. ",{"data":2966,"content":2967,"nodeType":1294},{},[2968],{"data":2969,"marks":2970,"value":2971,"nodeType":1293},{},[],"You can also use Push to find and fix identity vulnerabilities across every app that your employees use, including ghost logins; SSO coverage gaps; MFA gaps; weak, breached and reused passwords; risky OAuth integrations; and more.",{"data":2973,"content":2974,"nodeType":1294},{},[2975,2979,2987],{"data":2976,"marks":2977,"value":2978,"nodeType":1293},{},[],"If you want to learn more about how Push helps you to detect and defeat common identity attack techniques, ",{"data":2980,"content":2981,"nodeType":1380},{"uri":1868},[2982],{"data":2983,"marks":2984,"value":2986,"nodeType":1293},{},[2985],{"type":1388},"request a demo.",{"data":2988,"marks":2989,"value":37,"nodeType":1293},{},[],"How attackers are using Active Directory Federation Services to phish with legit office.com links","Push recently identified a novel phishing attack using Active Directory Federation Services to get Microsoft to send victims to a phishing site.","2025-08-12T00:00:00.000Z","phishing-with-active-directory-federation-services",{"items":2995},[2996,2998],{"sys":2997,"name":1306},{"id":1305},{"sys":2999,"name":1310},{"id":1309},{"items":3001},[3002],{"fullName":2385,"firstName":2386,"jobTitle":2387,"profilePicture":3003},{"url":2389},{"items":3005},[3006],{"fullName":1892,"firstName":1893,"jobTitle":1894,"profilePicture":3007},{"url":1896},{"json":3009,"links":3452},{"nodeType":1295,"data":3010,"content":3011},{},[3012,3031,3047,3053,3060,3067,3070,3078,3097,3104,3110,3117,3123,3130,3136,3143,3149,3156,3162,3165,3173,3191,3197,3205,3224,3232,3263,3270,3278,3297,3305,3325,3331,3334,3341,3361,3368,3373,3376,3384,3402,3409,3416,3422],{"nodeType":1294,"data":3013,"content":3014},{},[3015,3019,3027],{"nodeType":1293,"value":3016,"marks":3017,"data":3018},"Push recently detected and blocked a high-risk LinkedIn phishing attack that demonstrated a number of crafty (and increasingly common) ",[],{},{"nodeType":1380,"data":3020,"content":3021},{"uri":1841},[3022],{"nodeType":1293,"value":3023,"marks":3024,"data":3026},"detection evasion techniques",[3025],{"type":1388},{},{"nodeType":1293,"value":3028,"marks":3029,"data":3030},". ",[],{},{"nodeType":1294,"data":3032,"content":3033},{},[3034,3038,3043],{"nodeType":1293,"value":3035,"marks":3036,"data":3037},"Phishing via LinkedIn is increasingly common, although it often goes undetected and unreported. This is to be expected when most of the industry’s data on phishing attacks comes from email security vendors and tools. In contrast to email-centric reporting, ",[],{},{"nodeType":1293,"value":3039,"marks":3040,"data":3042},"34% of the phishing attacks intercepted by Push last month came through non-email channels",[3041],{"type":1363},{},{"nodeType":1293,"value":3044,"marks":3045,"data":3046}," like social media, IM platforms, malicious search engine ads, and in-app communications. ",[],{},{"nodeType":1322,"data":3048,"content":3052},{"target":3049},{"sys":3050},{"id":3051,"type":1327,"linkType":1328},"7i8panfdFUqW9wqYkd9uDc",[],{"nodeType":1294,"data":3054,"content":3055},{},[3056],{"nodeType":1293,"value":3057,"marks":3058,"data":3059},"Phishing via LinkedIn is a great way to catch victims unawares and evade traditionally email-based anti-phishing controls. While often used for work and commonly accessed from corporate devices, it sits outside the purview of enterprise security tools, exploiting a visibility and control blind spot. ",[],{},{"nodeType":1294,"data":3061,"content":3062},{},[3063],{"nodeType":1293,"value":3064,"marks":3065,"data":3066},"Let’s break it down. ",[],{},{"nodeType":1352,"data":3068,"content":3069},{},[],{"nodeType":1356,"data":3071,"content":3072},{},[3073],{"nodeType":1293,"value":3074,"marks":3075,"data":3077},"Phishing attack breakdown",[3076],{"type":1363},{},{"nodeType":1294,"data":3079,"content":3080},{},[3081,3085,3093],{"nodeType":1293,"value":3082,"marks":3083,"data":3084},"The victim was sent a malicious link via LinkedIn DM relating to a fake investment opportunity for executives ",[],{},{"nodeType":1380,"data":3086,"content":3088},{"uri":3087},"https://www.bleepingcomputer.com/news/security/linkedin-phishing-targets-finance-execs-with-fake-board-invites/",[3089],{"nodeType":1293,"value":3090,"marks":3091,"data":3092},"to join the executive board of a newly created \"Common Wealth\" investment fund.",[],{},{"nodeType":1293,"value":3094,"marks":3095,"data":3096}," ",[],{},{"nodeType":1294,"data":3098,"content":3099},{},[3100],{"nodeType":1293,"value":3101,"marks":3102,"data":3103},"After clicking the link, they were redirected three times — via Google Search, and then payrails-canaccord[.]icu/(redacted) — before being sent to a custom landing page hosted on firebasestorage.googleapis[.]com/(redacted). ",[],{},{"nodeType":1322,"data":3105,"content":3109},{"target":3106},{"sys":3107},{"id":3108,"type":1327,"linkType":1328},"65PeJOKzn6Ba7FDUQRae3Q",[],{"nodeType":1294,"data":3111,"content":3112},{},[3113],{"nodeType":1293,"value":3114,"marks":3115,"data":3116},"Upon clicking on one of the document links on the page, the victim is prompted to “view with Microsoft”. ",[],{},{"nodeType":1322,"data":3118,"content":3122},{"target":3119},{"sys":3120},{"id":3121,"type":1327,"linkType":1328},"4f27KuwTRx1Do59rs3JoVl",[],{"nodeType":1294,"data":3124,"content":3125},{},[3126],{"nodeType":1293,"value":3127,"marks":3128,"data":3129},"The user is then met with a Cloudflare Turnstile gate challenge at login.kggpho[.]icu before the page will fully render, and malicious content is loaded. ",[],{},{"nodeType":1322,"data":3131,"content":3135},{"target":3132},{"sys":3133},{"id":3134,"type":1327,"linkType":1328},"3lpVmLBZSocOSGdlCKhKnD",[],{"nodeType":1294,"data":3137,"content":3138},{},[3139],{"nodeType":1293,"value":3140,"marks":3141,"data":3142},"The Microsoft-impersonating AITM phishing page is then served to the victim. Entering credentials and completing the MFA check will result in their Microsoft session being stolen by the attacker. ",[],{},{"nodeType":1322,"data":3144,"content":3148},{"target":3145},{"sys":3146},{"id":3147,"type":1327,"linkType":1328},"5FCa4EJwyux13K9KBT3nd4",[],{"nodeType":1294,"data":3150,"content":3151},{},[3152],{"nodeType":1293,"value":3153,"marks":3154,"data":3155},"You can see the full timeline of events in the Detection Timeline below. ",[],{},{"nodeType":1322,"data":3157,"content":3161},{"target":3158},{"sys":3159},{"id":3160,"type":1327,"linkType":1328},"8lizkPJcGdZhtWFV2QEwQ",[],{"nodeType":1352,"data":3163,"content":3164},{},[],{"nodeType":1356,"data":3166,"content":3167},{},[3168],{"nodeType":1293,"value":3169,"marks":3170,"data":3172},"Detection evasion techniques observed",[3171],{"type":1363},{},{"nodeType":1294,"data":3174,"content":3175},{},[3176,3180,3187],{"nodeType":1293,"value":3177,"marks":3178,"data":3179},"The attacker used a number of ",[],{},{"nodeType":1380,"data":3181,"content":3182},{"uri":1841},[3183],{"nodeType":1293,"value":3023,"marks":3184,"data":3186},[3185],{"type":1388},{},{"nodeType":1293,"value":3188,"marks":3189,"data":3190}," to prevent the phishing site being analysed and detected by security tools. ",[],{},{"nodeType":1322,"data":3192,"content":3196},{"target":3193},{"sys":3194},{"id":3195,"type":1327,"linkType":1328},"7q9D1MREwTCCpnjvZZ5wk1",[],{"nodeType":1487,"data":3198,"content":3199},{},[3200],{"nodeType":1293,"value":3201,"marks":3202,"data":3204},"LinkedIn delivery",[3203],{"type":1363},{},{"nodeType":1294,"data":3206,"content":3207},{},[3208,3212,3220],{"nodeType":1293,"value":3209,"marks":3210,"data":3211},"As we mentioned above, sending phishing lures via ",[],{},{"nodeType":1380,"data":3213,"content":3214},{"uri":1504},[3215],{"nodeType":1293,"value":3216,"marks":3217,"data":3219},"social media apps",[3218],{"type":1388},{},{"nodeType":1293,"value":3221,"marks":3222,"data":3223}," like LinkedIn is a great way to reach employees in a place that they expect to be contacted by people outside of their organization. By evading the traditional phishing control point altogether (email) attackers significantly reduce the risk of interception. ",[],{},{"nodeType":1487,"data":3225,"content":3226},{},[3227],{"nodeType":1293,"value":3228,"marks":3229,"data":3231},"Lengthy redirect chain through trusted sites",[3230],{"type":1363},{},{"nodeType":1294,"data":3233,"content":3234},{},[3235,3239,3247,3251,3259],{"nodeType":1293,"value":3236,"marks":3237,"data":3238},"Attackers use ",[],{},{"nodeType":1380,"data":3240,"content":3241},{"uri":1602},[3242],{"nodeType":1293,"value":3243,"marks":3244,"data":3246},"lengthy redirect chains",[3245],{"type":1388},{},{"nodeType":1293,"value":3248,"marks":3249,"data":3250}," in combination with hosting pages on ",[],{},{"nodeType":1380,"data":3252,"content":3253},{"uri":1546},[3254],{"nodeType":1293,"value":3255,"marks":3256,"data":3258},"legitimate, trusted sites",[3257],{"type":1388},{},{"nodeType":1293,"value":3260,"marks":3261,"data":3262}," (in this case Firebase, Google’s app development platform). This is a technique we see a lot, with various Google and Microsoft sites cropping up time and again, including Google Forms, Google Sites, Google Script, Google AMP, Microsoft Dynamics, SharePoint, Azure Front Door, and many more, all used by attackers as part of their phishing attacks. ",[],{},{"nodeType":1294,"data":3264,"content":3265},{},[3266],{"nodeType":1293,"value":3267,"marks":3268,"data":3269},"Legitimate services are less likely to be flagged by link analysis tools and effectively cloak the initial URL delivered to the victim to increase the chance of successful delivery of and access to the link, while many services are excluded from page scanning tools owing to their association with trusted domains. ",[],{},{"nodeType":1487,"data":3271,"content":3272},{},[3273],{"nodeType":1293,"value":3274,"marks":3275,"data":3277},"Bot protection",[3276],{"type":1363},{},{"nodeType":1294,"data":3279,"content":3280},{},[3281,3285,3293],{"nodeType":1293,"value":3282,"marks":3283,"data":3284},"Attackers are using common ",[],{},{"nodeType":1380,"data":3286,"content":3287},{"uri":1574},[3288],{"nodeType":1293,"value":3289,"marks":3290,"data":3292},"bot protection",[3291],{"type":1388},{},{"nodeType":1293,"value":3294,"marks":3295,"data":3296}," technologies like CAPTCHA and Cloudflare Turnstile to prevent security bots from accessing their web pages to be able to analyse them (and therefore block pages from being automatically flagged). This requires anyone visiting the page to pass a bot check/challenge before the page can be loaded, meaning the full page cannot be analysed by automated tools. ",[],{},{"nodeType":1487,"data":3298,"content":3299},{},[3300],{"nodeType":1293,"value":3301,"marks":3302,"data":3304},"Page obfuscation",[3303],{"type":1363},{},{"nodeType":1294,"data":3306,"content":3307},{},[3308,3312,3321],{"nodeType":1293,"value":3309,"marks":3310,"data":3311},"Phishing pages ",[],{},{"nodeType":1380,"data":3313,"content":3315},{"uri":3314},"https://phishing-techniques.pushsecurity.com/techniques/page-obfuscation/",[3316],{"nodeType":1293,"value":3317,"marks":3318,"data":3320},"change and even randomize elements of the page",[3319],{"type":1388},{},{"nodeType":1293,"value":3322,"marks":3323,"data":3324}," to avoid static fingerprints and defeat comparison-based checks against real pages. This includes the page title, text, images, backgrounds, logos, favicons, etc. — all of which may be signatured components using web page analysis tools. These elements can even be embedded in an encoded form so it isn’t present in the initial HTML, and is instead dynamically set at runtime when loaded. As an example, you can see that the page randomly generated the tab header text.",[],{},{"nodeType":1322,"data":3326,"content":3330},{"target":3327},{"sys":3328},{"id":3329,"type":1327,"linkType":1328},"2bbOZC9M4y69ACDy7bn209",[],{"nodeType":1352,"data":3332,"content":3333},{},[],{"nodeType":1356,"data":3335,"content":3336},{},[3337],{"nodeType":1293,"value":1703,"marks":3338,"data":3340},[3339],{"type":1363},{},{"nodeType":1294,"data":3342,"content":3343},{},[3344,3348,3357],{"nodeType":1293,"value":3345,"marks":3346,"data":3347},"We’re seeing ",[],{},{"nodeType":1380,"data":3349,"content":3351},{"uri":3350},"https://pushsecurity.com/blog/how-push-stopped-a-high-risk-linkedin-spear-phishing-attack/",[3352],{"nodeType":1293,"value":3353,"marks":3354,"data":3356},"many phishing campaigns pivoting to social media apps like LinkedIn",[3355],{"type":1388},{},{"nodeType":1293,"value":3358,"marks":3359,"data":3360}," and organizations should be on guard against this attack vector, which is highly effective at evading common anti-phishing controls.  ",[],{},{"nodeType":1294,"data":3362,"content":3363},{},[3364],{"nodeType":1293,"value":3365,"marks":3366,"data":3367},"Just because the attack happens over LinkedIn doesn’t lessen the impact — these are corporate credentials and accounts being targeted, even if it is nominally a “personal” application. Taking over a core identity like a Microsoft or Google account can have wide-ranging consequences, putting data at risk in both core apps and any downstream apps that can be accessed via SSO from the compromised account. ",[],{},{"nodeType":1322,"data":3369,"content":3372},{"target":3370},{"sys":3371},{"id":1617,"type":1327,"linkType":1328},[],{"nodeType":1352,"data":3374,"content":3375},{},[],{"nodeType":1356,"data":3377,"content":3378},{},[3379],{"nodeType":1293,"value":3380,"marks":3381,"data":3383},"How Push stopped the attack",[3382],{"type":1363},{},{"nodeType":1294,"data":3385,"content":3386},{},[3387,3391,3398],{"nodeType":1293,"value":3388,"marks":3389,"data":3390},"Push doesn’t detect the redirect tricks or rely on outdated domain TI feeds. The reason we detect these attacks (which make it through all the other layers of phishing protection) is that Push sees what your users see. It doesn’t matter what ",[],{},{"nodeType":1380,"data":3392,"content":3393},{"uri":1841},[3394],{"nodeType":1293,"value":1844,"marks":3395,"data":3397},[3396],{"type":1388},{},{"nodeType":1293,"value":3399,"marks":3400,"data":3401},", Push shuts the attack down in real time, as the user loads the malicious page in their web browser.",[],{},{"nodeType":1294,"data":3403,"content":3404},{},[3405],{"nodeType":1293,"value":3406,"marks":3407,"data":3408},"This isn’t all we do: Push’s browser-based security platform provides comprehensive detection and response capabilities against the leading cause of breaches. Push blocks browser-based attacks like AiTM phishing, credential stuffing, malicious browser extensions, malicious OAuth grants, ClickFix, and session hijacking. You don’t need to wait until it all goes wrong — you can also use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, and more to harden your identity attack surface.",[],{},{"nodeType":1294,"data":3410,"content":3411},{},[3412],{"nodeType":1293,"value":3413,"marks":3414,"data":3415},"Check out the demo below to see Push detect and block this attack in real-time. ",[],{},{"nodeType":1322,"data":3417,"content":3421},{"target":3418},{"sys":3419},{"id":3420,"type":1327,"linkType":1328},"5VsFECWlJ1HNGtC0jUcPjH",[],{"nodeType":1294,"data":3423,"content":3424},{},[3425,3429,3438,3442,3449],{"nodeType":1293,"value":3426,"marks":3427,"data":3428},"To learn more about Push, ",[],{},{"nodeType":1380,"data":3430,"content":3432},{"uri":3431},"https://pushsecurity.com/resources/product-brochure",[3433],{"nodeType":1293,"value":3434,"marks":3435,"data":3437},"check out our latest product overview",[3436],{"type":1388},{},{"nodeType":1293,"value":3439,"marks":3440,"data":3441}," or ",[],{},{"nodeType":1380,"data":3443,"content":3444},{"uri":2362},[3445],{"nodeType":1293,"value":1871,"marks":3446,"data":3448},[3447],{"type":1388},{},{"nodeType":1293,"value":1876,"marks":3450,"data":3451},[],{},{"entries":3453},{"hyperlink":3454,"inline":3455,"block":3456},[],[],[3457,3484,3492,3497,3502,3508,3515,3540,3547,3555],{"sys":3458,"__typename":3459,"content":3460,"name":3483,"title":118},{"id":3051},"InsightTextBlockComponent",{"json":3461},{"nodeType":1295,"data":3462,"content":3463},{},[3464],{"nodeType":1294,"data":3465,"content":3466},{},[3467,3471,3479],{"nodeType":1293,"value":3468,"marks":3469,"data":3470},"This is the second blog post we’ve released on LinkedIn-based phishing attacks — ",[],{},{"nodeType":1380,"data":3472,"content":3473},{"uri":3350},[3474],{"nodeType":1293,"value":3475,"marks":3476,"data":3478},"read our last report",[3477],{"type":1388},{},{"nodeType":1293,"value":3480,"marks":3481,"data":3482}," to learn about a sophisticated spear-phishing campaign targeting tech company executives.",[],{},"Phishing blog post insight box 2",{"sys":3485,"__typename":3486,"title":3487,"caption":3487,"layoutMode":118,"file":3488},{"id":3108},"Image","Custom landing page hosted on Firebase.",{"url":3489,"width":3490,"height":3491},"https://images.ctfassets.net/y1cdw1ablpvd/5gjDDExYBbCZOIH4FcSONO/0bfd1bddd13fd5096f0a60b690803930/image4.png",1999,1080,{"sys":3493,"__typename":3486,"title":3494,"caption":3494,"layoutMode":118,"file":3495},{"id":3121},"The victim is prompted to click the link to “view with Microsoft”. ",{"url":3496,"width":3490,"height":3491},"https://images.ctfassets.net/y1cdw1ablpvd/6Wm1lVmjX8WyLHmTP4sEpV/49b6d013ccde770b1b467dc16da01d45/image3.png",{"sys":3498,"__typename":3486,"title":3499,"caption":3499,"layoutMode":118,"file":3500},{"id":3134},"The phishing page is protected by Cloudflare Turnstile.",{"url":3501,"width":3490,"height":3491},"https://images.ctfassets.net/y1cdw1ablpvd/4nxdRlox0ZOAqd3YWaIerI/245ffaec121d59d565aa4c6f073e590a/image2.png",{"sys":3503,"__typename":3486,"title":3504,"caption":3504,"layoutMode":118,"file":3505},{"id":3147},"AITM phishing page impersonating Microsoft.",{"url":3506,"width":3490,"height":3507},"https://images.ctfassets.net/y1cdw1ablpvd/2aLY3it2x1Vslss8uCDsOz/9f93644ece3f88fc3b8cd118c906257c/image6.png",1085,{"sys":3509,"__typename":3486,"title":3510,"caption":3510,"layoutMode":118,"file":3511},{"id":3160},"Detection Timeline provided by the Push platform.",{"url":3512,"width":3513,"height":3514},"https://images.ctfassets.net/y1cdw1ablpvd/2iD9HLNz1sLjMeXVm4BoWU/0072a2ad90de59cd5e2a373905be67e2/Frame_627987.png",908,788,{"sys":3516,"__typename":3459,"content":3517,"name":3539,"title":118},{"id":3195},{"json":3518},{"nodeType":1295,"data":3519,"content":3520},{},[3521],{"nodeType":1294,"data":3522,"content":3523},{},[3524,3528,3536],{"nodeType":1293,"value":3525,"marks":3526,"data":3527},"Learn more about phishing detection evasion techniques in our recent whitepaper: ",[],{},{"nodeType":1380,"data":3529,"content":3531},{"uri":3530},"https://pushsecurity.com/resources/phishing-evolution",[3532],{"nodeType":1293,"value":3533,"marks":3534,"data":3535},"The Evolution of Phishing Attacks",[],{},{"nodeType":1293,"value":1876,"marks":3537,"data":3538},[],{},"LinkedIn Phishing p2: Insight box 1",{"sys":3541,"__typename":3486,"title":3542,"caption":3542,"layoutMode":118,"file":3543},{"id":3329},"Randomly generated tab header text.",{"url":3544,"width":3545,"height":3546},"https://images.ctfassets.net/y1cdw1ablpvd/28EfPHtOCKnnIBLtAuHjDH/a441a96b328ed6228e096542a44092a8/image1.png",1430,208,{"sys":3548,"__typename":3549,"type":3550,"ctaText":3551,"buttonLabel":3552,"buttonColour":3553,"buttonUrl":3554},{"id":1617},"CtaWidget","Custom","Learn how phishing evolved in 2025, showcasing the most sophisticated attacks and key trends uncovered by Push researchers","Register Now","sunny orange","https://pushsecurity.com/webinar/phishing-2025-review",{"sys":3556,"__typename":3557,"title":3558,"arcadeDemoUrl":3559,"playText":3560},{"id":3420},"ArcadeDemo","LinkedIn Phishing Attack Stopped By Push","https://demo.arcade.software/C99MO1d824gs5anTRyIJ?embed","1 mins","content:blog:new-phishing-campaign-identified-targeting-linkedin-users.json","json","content","blog/new-phishing-campaign-identified-targeting-linkedin-users.json","blog/new-phishing-campaign-identified-targeting-linkedin-users",1776359982932]