[{"data":1,"prerenderedAt":4938},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":95,"navbar-about-highlight":155,"navbar-resource-highlight":211,"use-case-page":256,"blog/okta-swa":1276},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8,59,76],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":14,"data":15,"variations":50,"lastUpdated":51,"firstPublished":52,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":54,"meta":55,"rev":58},1742213002749,"efff2a27faf4408e9f908eba4b5542fe","inductive-automation","1c6207a5f24948ab82d4a0b17f251193","published",[],{"testimonial":16,"description":43,"type":19,"link":44,"title":47,"testimonialLink":48,"image":49},{"@type":17,"id":18,"model":19,"value":20},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79","testimonial",{"query":21,"folders":22,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":26,"variations":30,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":35,"rev":42},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":27,"jobTitle":28,"quote":24,"image":29},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,1,"ST0tXQM8slWpFrmioqKHmENB2qe2",{"kind":36,"lastPreviewUrl":37,"breakpoints":38,"hasAutosaves":41},"data","",{"small":39,"medium":40},640,768,true,"3v32gocrrqz","Join the industry's top security minds as they break down the browser attack landscape.",{"url":45,"text":46},"https://pushsecurity.com/webinar/state-of-browser-security","Save Your Spot","State of Browser Attacks 
Series","/customer-stories/inductive-automation","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe94fca10aa7b46ac8052b7ea22de54cd",{},1776257019270,1742221533648,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2",[],{"breakpoints":56,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},320,"motto9r9yg",{"createdDate":60,"id":61,"name":62,"modelId":12,"published":13,"query":63,"data":64,"variations":69,"lastUpdated":70,"firstPublished":71,"testRatio":33,"createdBy":53,"lastUpdatedBy":72,"folders":73,"meta":74,"rev":58},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner",[],{"type":65,"url":66,"text":67,"link":68},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,"jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":36,"lastPreviewUrl":37,"breakpoints":75,"hasAutosaves":41},{"xsmall":57,"small":39,"medium":40},{"createdDate":77,"id":78,"name":79,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":80,"data":81,"variations":89,"lastUpdated":90,"firstPublished":91,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":92,"meta":93,"rev":58},1742208469288,"6763051b201f44a0838c6400c580ca67","Resource highlight",[],{"image":82,"type":83,"description":84,"link":85,"title":88},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9","resource","Learn about the latest techniques being used in the wild.",{"url":86,"text":87},"/resources/browser-attacks-report","Download now","Report: 2026 Browser Attack 
Techniques",{},1776255866789,1742208570400,[],{"kind":36,"lastPreviewUrl":37,"breakpoints":94,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},{"createdDate":96,"id":97,"name":98,"modelId":99,"published":13,"query":100,"data":101,"variations":145,"lastUpdated":146,"firstPublished":147,"testRatio":33,"createdBy":34,"lastUpdatedBy":148,"folders":149,"meta":150,"rev":154},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":102,"text":103,"url":37,"blocks":104,"state":141},"ewrererw","testrfesssssssssss",[105,129],{"@type":106,"@version":107,"id":108,"component":109,"responsiveStyles":119},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":110,"tag":110,"options":111,"isRSC":118},"TopBannerContent",{"text":112,"ctaText":46,"url":45,"mainText":113,"cta":116},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks",{"content":114,"fontSize":115},"\u003Cp>New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks\u003C/p>","text-base",{"content":117,"fontSize":115,"url":45},"\u003Cp>\u003Cstrong style=\"font-weight:700;\">Save Your 
Spot\u003C/strong>\u003C/p>\n",null,{"large":120},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"marginTop":126,"marginBottom":126,"fontSize":127,"fontWeight":128},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"id":130,"@type":106,"tagName":131,"properties":132,"responsiveStyles":136},"builder-pixel-08zrjigffq5t","img",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":137},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},"block","hidden","none",{"deviceSize":142,"location":143},"large",{"path":37,"query":144},{},{},1775137295127,1774968080803,"ax7YYfD0OCeqT1Vxxv1G4FUbqVr1",[],{"breakpoints":151,"hasLinks":6,"kind":152,"lastPreviewUrl":153,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests%2CmergePullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default","2lvuonnywj",[156,180],{"createdDate":157,"id":158,"name":159,"modelId":160,"published":13,"stageModifiedSincePublish":6,"query":161,"data":162,"variations":173,"lastUpdated":174,"firstPublished":175,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":176,
"meta":177,"rev":179},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":163,"type":19,"testimonialLink":48,"testimonial":164},{},{"@type":17,"id":18,"model":19,"value":165},{"query":166,"folders":167,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":168,"variations":169,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":170,"rev":172},[],[],{"author":27,"jobTitle":28,"quote":24,"image":29},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":171,"hasAutosaves":41},{"small":39,"medium":40},"7t755zfvte3",{},1776247404986,1776247404973,[],{"breakpoints":178,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"4moh0qpywtr",{"createdDate":181,"id":182,"name":88,"modelId":160,"published":13,"meta":183,"stageModifiedSincePublish":6,"query":185,"data":186,"variations":207,"lastUpdated":208,"firstPublished":209,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":210,"rev":179},1776255761419,"05a9322735fc427db12e2740e4302300",{"breakpoints":184,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[],{"testimonial":187,"link":206,"type":83,"title":88,"description":84,"image":82},{"@type":17,"id":188,"model":19,"value":189},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":190,"folders":191,"createdDate":192,"id":188,"name":193,"modelId":25,"published":13,"data":194,"variations":200,"lastUpdated":201,"firstPublished":202,"testRatio":33,"createdBy":34,"lastUpdatedBy":53,"meta":203,"rev":205},[],[],1728981467463,"Push does for identity what CrowdStrike did for the 
endpoint",{"video":195,"jobTitle":196,"author":197,"qoute":37,"quote":198,"image":199},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":36,"lastPreviewUrl":37,"breakpoints":204,"hasAutosaves":41},{"small":39,"medium":40},"6s8ic0w0ao6",{"text":87,"url":86},{},1776255810913,1776255810900,[],[212,235],{"createdDate":213,"id":214,"name":88,"modelId":215,"published":13,"meta":216,"stageModifiedSincePublish":6,"query":218,"data":219,"variations":230,"lastUpdated":231,"firstPublished":232,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":233,"rev":234},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":217,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[],{"testimonial":220,"link":229,"type":83,"title":88,"description":84,"image":82},{"@type":17,"id":188,"model":19,"value":221},{"query":222,"folders":223,"createdDate":192,"id":188,"name":193,"modelId":25,"published":13,"data":224,"variations":225,"lastUpdated":201,"firstPublished":202,"testRatio":33,"createdBy":34,"lastUpdatedBy":53,"meta":226,"rev":228},[],[],{"video":195,"jobTitle":196,"author":197,"qoute":37,"quote":198,"image":199},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":227,"hasAutosaves":41},{"small":39,"medium":40},"r77qqueuo3j",{"text":87,"url":86},{},1776256937553,1776256937540,[],"q0jkez80wkg",{"createdDate":236,"id":237,"name":11,"modelId":215,"published":13,"stageModifiedSincePublish":6,"query":238,"data":239,"variations
":250,"lastUpdated":251,"firstPublished":252,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":253,"meta":254,"rev":234},1776256949234,"ce043785b71b4ece98eac811ecf4ba10",[],{"link":240,"type":19,"testimonial":241,"testimonialLink":48},{},{"@type":17,"id":18,"model":19,"value":242},{"query":243,"folders":244,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":245,"variations":246,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":247,"rev":249},[],[],{"author":27,"jobTitle":28,"quote":24,"image":29},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":248,"hasAutosaves":41},{"small":39,"medium":40},"mnaneamy308",{},1776256974140,1776256974130,[],{"breakpoints":255,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[257,441,560,679,797,917,1037,1157],{"createdDate":258,"id":259,"name":260,"modelId":261,"published":13,"stageModifiedSincePublish":6,"query":262,"data":268,"variations":429,"lastUpdated":430,"firstPublished":431,"testRatio":33,"screenshot":432,"createdBy":34,"lastUpdatedBy":433,"folders":434,"meta":435,"rev":440},1744829487099,"387451215c314dd5bd654668cdc1a197","Zero-day phishing","cca4143377554c5a9163cc203a8ed2ba",[263],{"@type":264,"property":265,"operator":266,"value":267},"@builder.io/core:Query","urlPath","is","/uc/zero-day-phishing-protection",{"inputs":269,"customFonts":270,"seoTitle":318,"title":318,"tsCode":37,"seoDescription":319,"fontAwesomeIcon":320,"jsCode":37,"blocks":321,"url":267,"state":426},[],[271],{"family":272,"kind":273,"version":274,"lastModified":275,"files":276,"category":295,"menu":296,"subsets":297,"variants":300},"DM 
Sans","webfonts#webfont","v14","2023-07-13",{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"800italic":285,"900italic":286,"700italic":287,"100italic":288,"italic":289,"regular":290,"200italic":291,"500italic":292,"300italic":293,"600italic":294},"https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAop1hTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwA_JxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAkJxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAfJthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwARZthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAC5thTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8gCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9uCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDG3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19Dks
Vat-7DW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat_XDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9XCm3zRmYJpso5.ttf","sans-serif","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxRT23z.ttf",[298,299],"latin","latin-ext",[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"100","200","300","regular","500","600","800","900","100italic","200italic","300italic","italic","500italic","600italic","700italic","800italic","900italic","Zero-day phishing protection","Detect phishing TTPs directly in the browser and stop credential theft.","faFishingRod",[322,421],{"@type":106,"@version":107,"tagName":323,"id":324,"children":325},"div","builder-76c6b8d1499346c7bc1fd56ae4e93638",[326,343,351,358,370,385,396,407,413],{"@type":106,"@version":107,"layerName":327,"id":328,"component":329,"responsiveStyles":340},"UseCaseHero","builder-5228fe062bef4a40a91e43f1112832fa",{"name":327,"options":330,"isRSC":118},{"title":318,"description":331,"points":332,"video":339},"\u003Cp>Push detects phishing as it happens. Autonomous agents hunt for new phishing techniques, identify kit signatures, and deploy detections within minutes of a new attack being analyzed. 
From cloned login pages to AiTM credential harvesting, Push sees what traditional filters miss and stops threats before they escalate.\u003C/p>",[333,335,337],{"item":334},"Detect phishing that bypasses traditional filters, including AiTM, SSO password theft, and fake login pages",{"item":336},"Stop never-before-seen attacks with AI-native behavioral and on-page analysis inside the browser",{"item":338},"Investigate faster with unified browser, user, and page context","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F40433ceeb4f94b43a82e039a0f4fd411%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=40433ceeb4f94b43a82e039a0f4fd411&alt=media&optimized=true",{"large":341},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},"transparent",{"@type":106,"@version":107,"id":344,"component":345,"responsiveStyles":348},"builder-96634044407e491299e291ed64669e39",{"name":346,"options":347,"isRSC":118},"TrustedBy",{"AllPartners":41,"backgroundTransparent":6},{"large":349},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},"#000",{"@type":106,"@version":107,"id":352,"component":353,"responsiveStyles":356},"builder-2c3768f930534557bb8978e32b6a6a0f",{"name":354,"options":355,"isRSC":118},"Diagonal",{"darkMode":41},{"large":357},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":359,"id":360,"component":361,"responsiveStyles":368},"TextImageBlockVertical","builder-7c3c1c2840424db2ad2ccbfaf382dd64",{"name":359,"tag":359,"options":362,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":365,"description":366,"animatedTitle":37,"image":367,"reverse":6,"descriptionPaddingHorizontal":118},1200,800,"\u003Ch2>Why stop at the inbox?\u003C/h2>","\u003Cp>Phishing attacks have evolved. 
Whether attackers lure users with QR codes, instant messages, or OAuth consent screens, the outcome is the same: it plays out in the browser. Push gives you real-time detection for in-browser threats, stopping phishing and consent-based attacks before they lead to compromise\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7fdcac241f0e4a049166d7076858adeb",{"large":369},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":371,"component":372,"responsiveStyles":380},"builder-41c978b3669749cf947e622b4e79e4d7",{"name":373,"options":374,"isRSC":118},"TextImageBlockHorizontal",{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":377,"description":378,"reverse":41,"image":379},600,100,"\u003Cp>Detect phishing at the edge\u003C/p>","\u003Cp>Push uses industry-first telemetry to detect phishing based on behavior, not static indicators. Autonomous agents analyze how phishing pages behave and how users interact with them, uncovering fake logins, credential theft, and phishing kits the moment they load in the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F9df3d180c97b4e61af142af2ccd68721",{"large":381},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},"DM Sans, sans-serif","20px","0px",{"@type":106,"@version":107,"id":386,"component":387,"responsiveStyles":393},"builder-d2a7bc941feb43cdb898bc116b203cf9",{"name":373,"options":388,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":390,"description":391,"reverse":6,"image":392},120,"\u003Ch2>Go beyond blocklists and IOCs\u003C/h2>","\u003Cp>Push goes beyond URLs and easy-to-change indicators. 
It reads the full phishing playbook like script behavior, session hijacks, DOM changes, user inputs, then connects the dots in real time. This gives your team a complete picture of how the phishing attempt worked, not just an alert.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fabfd58db169b433e96d3f1261797156e",{"large":394},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},"36px",{"@type":106,"@version":107,"layerName":373,"id":397,"component":398,"responsiveStyles":404},"builder-42c32198083f4880acb37c5cb76934da",{"name":373,"options":399,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":401,"description":402,"reverse":41,"image":403},140,"\u003Ch2>Enhance your phishing response\u003C/h2>","\u003Cp>When phishing enters your environment, speed matters. Push gives you instant access to the telemetry that counts like session data, user behavior, and page activity, so you can investigate fast, trigger in-browser prompts, or forward alerts to your SIEM or SOAR for response. 
All in real time, right from the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fbb195aec46904056b85e8688629e558e",{"large":405},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},"47px",{"@type":106,"@version":107,"id":408,"component":409,"responsiveStyles":411},"builder-9a95b9cbc4854421a92ef7b90f6c7adb",{"name":354,"options":410,"isRSC":118},{"darkMode":6},{"large":412},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":414,"component":415,"responsiveStyles":419},"builder-0afa17a9f25c4661a90f314d5578aa18",{"name":416,"tag":416,"options":417,"isRSC":118},"LatestResources",{"sectionHeading":37,"customClass":418},"bg-black",{"large":420},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":422,"@type":106,"tagName":131,"properties":423,"responsiveStyles":424},"builder-pixel-21yj6h3p4wh",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":425},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":427},{"path":37,"query":428},{},{},1776275046831,1745499158657,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fff60c30a8442489c8ed7e0af9599d14f","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"lastPreviewUrl":436,"winningTest":118,"breakpoints":437,"kind":438,"hasLinks":6,"originalContentId":439,"hasAutosaves":6},"https://pushsecurity.com/uc/zero-day-phishing-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&
builder.overrides.use-case-page=387451215c314dd5bd654668cdc1a197&builder.overrides.387451215c314dd5bd654668cdc1a197=387451215c314dd5bd654668cdc1a197&builder.overrides.use-case-page:/uc/zero-day-phishing-protection=387451215c314dd5bd654668cdc1a197&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},"page","2daa5670b8504fc7ba4700633e8bd921","atvz4dp24b7",{"createdDate":442,"id":443,"name":444,"modelId":261,"published":13,"stageModifiedSincePublish":6,"query":445,"data":448,"variations":552,"lastUpdated":553,"firstPublished":554,"testRatio":33,"screenshot":555,"createdBy":34,"lastUpdatedBy":433,"folders":556,"meta":557,"rev":440},1756833377777,"54f8256648f54d439303734b1e69221b","Browser extension security",[446],{"@type":264,"property":265,"operator":266,"value":447},"/uc/browser-extension-security",{"seoDescription":449,"jsCode":37,"fontAwesomeIcon":450,"tsCode":37,"title":444,"seoTitle":444,"customFonts":451,"inputs":456,"blocks":457,"url":447,"state":549},"Shine a light on risky browser extensions.","faPuzzlePiece",[452],{"kind":273,"family":272,"version":274,"files":453,"category":295,"lastModified":275,"subsets":454,"variants":455,"menu":296},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"100italic":288,"italic":289,"regular":290,"900italic":286,"800italic":285,"700italic":287,"200italic":291,"300italic":293,"500italic":292,"600italic":294},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],[],[458,544],{"@type":106,"@version":107,"tagName":323,"id":459,"meta":460,"children":461},"builder-71d0648c1d2f4ede8d0d0b5b28b7b94c",{"previousId":324},[462,478,485,492,501,511,521,531,538],{"@type":106,"@version":107,"id":463,"meta":464,"component":465,"responsiveStyles":476},"builder-ff325b4b8fad4edea53f38865947e854",{"previousId":328},{"name":327,"options":466,"isRSC":118},{"title":444,"description":467,"points":468,"video":475},"\u003Cp>Browser extensions introduce new code, new 
permissions, and new potential for risk. Many include AI features, and most go completely unnoticed. Push gives you full visibility into every extension used across your workforce, across major browsers, so you can uncover shadow IT, assess risky permissions, and block unsafe tools before they lead to compromise.\u003C/p>",[469,471,473],{"item":470},"Discover every browser extension in use",{"item":472},"Spot risky or unsanctioned behavior",{"item":474},"Make informed decisions on extension policy","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc538aad95d7f403aa3c3551af72f67c0?alt=media&token=1411fa6d-2eac-4e6c-94bf-ea117da12d67&apiKey=f3a1111ff5be48cdbb123cd9f5795a05",{"large":477},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":479,"meta":480,"component":481,"responsiveStyles":483},"builder-fb89d128c64e47cf9cbb11d90fc24523",{"previousId":344},{"name":346,"options":482,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":484},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":486,"meta":487,"component":488,"responsiveStyles":490},"builder-54388d35126c4d0096eeebaf8c4448cd",{"previousId":352},{"name":354,"options":489,"isRSC":118},{"darkMode":41},{"large":491},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":359,"id":493,"component":494,"responsiveStyles":499},"builder-3c8fa6785dd6466abf52a2470d66d85a",{"name":359,"tag":359,"options":495,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":496,"description":497,"image":498,"reverse":6},"\u003Ch2>Take control of browser extensions\u003C/h2>","\u003Cp>Attackers are increasingly using malicious browser extensions to gain access to data processed and stored in the browser. 
And the problem is, most security teams have no visibility into what extensions are being used. Push changes that. With browser-native telemetry, the Push extension continuously inventories browser extensions across your environment, flags the risky ones, and gives you intelligence to act.&nbsp;\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0a004f16a6874f4c8fdf14344acc9fec",{"large":500},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":502,"meta":503,"component":504,"responsiveStyles":509},"builder-93738f98109a4009affb349afd7bb182",{"previousId":371},{"name":373,"options":505,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":506,"description":507,"reverse":41,"image":508},"\u003Ch2>Discover every extension in use\u003C/h2>","\u003Cp>Push gives you structured, searchable data about every extension in your environment, so you’re not just seeing what’s there, but also understanding how it got there, what it can do, and who it affects. 
It’s the kind of granular insight that’s nearly impossible to get from traditional tools, and it lays the groundwork for better policy decisions and faster investigations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0e5727ca99474f14b1b7916bf6bbb782",{"large":510},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":512,"meta":513,"component":514,"responsiveStyles":519},"builder-83393acb12ee4fdd840839185b51edb4",{"previousId":386},{"name":373,"options":515,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":516,"description":517,"reverse":6,"image":518},"\u003Ch2>Spot risky or malicious extensions\u003C/h2>","\u003Cp>Push highlights extensions with dangerous permissions, broad access, or poor reputations. This includes AI extensions that request access far beyond what their stated purpose requires. You can quickly detect sideloaded, manually installed, or development-mode extensions that bypass normal controls. And because Push shows you who’s using them and where, you can respond precisely and effectively.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa104d58c8da34fbb8901f738fb21453b",{"large":520},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":522,"meta":523,"component":524,"responsiveStyles":529},"builder-da98e3de949646d89c53a0d1c2784664",{"previousId":397},{"name":373,"options":525,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":526,"description":527,"reverse":41,"image":528},"\u003Ch2>Accelerate security reviews\u003C/h2>","\u003Cp>Most teams have extension policies, they just don’t have the data to enforce them. 
Push reveals how each extension entered your environment, whether it was installed manually, sideloaded, or deployed in dev mode. You’ll see which users are running what, and where, so you can surface violations, investigate quickly, and respond with confidence.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F229f355be6f243b180f410d237a75bb3",{"large":530},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":532,"meta":533,"component":534,"responsiveStyles":536},"builder-1a689287d1a1418997d57db578a71105",{"previousId":408},{"name":354,"options":535,"isRSC":118},{"darkMode":6},{"large":537},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":539,"component":540,"responsiveStyles":542},"builder-feb4e75029f84c10b6498ef1f8f79128",{"name":416,"tag":416,"options":541,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":543},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":545,"@type":106,"tagName":131,"properties":546,"responsiveStyles":547},"builder-pixel-0edn39avfcei",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":548},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":550},{"path":37,"query":551},{},{},1776275365038,1757000441666,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8d496cf111644ee5afcc046b72d1ca5a",[],{"kind":438,"winningTest":118,"breakpoints":558,"lastPreviewUrl":559,"hasLinks":6,"originalContentId":259,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/browser-extension-security?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2Cc
reateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=54f8256648f54d439303734b1e69221b&builder.overrides.54f8256648f54d439303734b1e69221b=54f8256648f54d439303734b1e69221b&builder.overrides.use-case-page:/uc/browser-extension-security=54f8256648f54d439303734b1e69221b&builder.options.locale=Default",{"createdDate":561,"id":562,"name":563,"modelId":261,"published":13,"query":564,"data":567,"variations":670,"lastUpdated":671,"firstPublished":672,"testRatio":33,"screenshot":673,"createdBy":34,"lastUpdatedBy":674,"folders":675,"meta":676,"rev":440},1744923509705,"94bebb7bb99d48629ad157e80cf4d81d","Account takeover detection",[565],{"@type":264,"property":265,"operator":266,"value":566},"/uc/account-takeover-detection",{"title":563,"customFonts":568,"jsCode":37,"seoTitle":563,"seoDescription":573,"fontAwesomeIcon":574,"tsCode":37,"blocks":575,"url":566,"state":667},[569],{"kind":273,"category":295,"variants":570,"menu":296,"files":571,"family":272,"subsets":572,"version":274,"lastModified":275},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"300italic":293,"500italic":292,"800italic":285,"700italic":287,"italic":289,"900italic":286,"600italic":294,"200italic":291,"regular":290,"100italic":288},[298,299],"Stop ATO with stolen credential and compromised token 
detection.","faUserSecret",[576,662],{"@type":106,"@version":107,"tagName":323,"id":577,"meta":578,"children":579},"builder-e7913a774cae44c5a23d6081c5c30a52",{"previousId":324},[580,596,603,610,619,629,639,649,656],{"@type":106,"@version":107,"id":581,"meta":582,"component":583,"responsiveStyles":594},"builder-f1f1ab1601bc4c0f8c2a8aafd173675d",{"previousId":328},{"name":327,"options":584,"isRSC":118},{"title":563,"description":585,"points":586,"video":593},"\u003Cp>Attackers don’t need to phish, they just need a password that works. Push monitors for signs of credential-based attacks in real time, directly in the browser, catching account takeover attempts before the damage spreads. From ghost logins to credential stuffing, Push cuts off the paths attackers use to quietly slip in the back door.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[587,589,591],{"item":588},"Identify credential-based ATO as it unfolds",{"item":590},"Surface hijacked sessions and token misuse",{"item":592},"Strengthen authentication where your IdP 
can’t","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb4dd9db24bc9495b8a686b1b4d492016%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=b4dd9db24bc9495b8a686b1b4d492016&alt=media&optimized=true",{"large":595},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":597,"meta":598,"component":599,"responsiveStyles":601},"builder-0bc0d1c78ece4994993c3a6427a4d533",{"previousId":344},{"name":346,"options":600,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":602},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":604,"meta":605,"component":606,"responsiveStyles":608},"builder-e45de8f3768c4f16938dbf78e4e87524",{"previousId":352},{"name":354,"options":607,"isRSC":118},{"darkMode":41},{"large":609},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":611,"component":612,"responsiveStyles":617},"builder-c98e8bfd341146c1b67c02d5698ff093",{"name":359,"tag":359,"options":613,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":614,"description":615,"image":616,"reverse":6},"\u003Ch2>Assume less. See more.\u003C/h2>","\u003Cp>Most account takeovers don’t start with a breach, they start with a login. Whether it’s a reused password, a local account, or an outdated login flow, Push shows you how accounts are actually accessed day to day, not just how policies say they should be. 
That means no more blind spots around ghost logins, bypassed SSO, or stale access paths that quietly persist.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F18630ad2746d4eb7b7fcc0428b11a8f0",{"large":618},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":620,"meta":621,"component":622,"responsiveStyles":627},"builder-55c1fc38ddc04fd1a0d6a8e2fb819e00",{"previousId":371},{"name":373,"options":623,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":624,"description":625,"reverse":41,"image":626},"\u003Ch2>Catch stolen credential use in real time\u003C/h2>","\u003Cp>Push monitors login activity directly in the browser to detect signs of credential-based attacks like leaked password use or suspicious login flows. By analyzing attacker TTPs instead of relying on known indicators, Push spots credential stuffing and account takeover attempts the moment they begin, not after they’ve succeeded.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F52b0123cac2c4dfdb1dc0af6adf9d603",{"large":628},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":630,"meta":631,"component":632,"responsiveStyles":637},"builder-dfb31737b30948c6b95323655d571a50",{"previousId":386},{"name":373,"options":633,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":634,"description":635,"reverse":6,"image":636},"\u003Ch2>Detect session hijacks and stealth access\u003C/h2>","\u003Cp>Attackers don’t always need a login screen, they often sidestep it entirely using stolen session tokens. 
Push detects when valid sessions are reused in unexpected ways, identifying hijacked sessions and stealth access attempts that traditional tools miss. Because we monitor directly in the browser, you see what’s happening inside active sessions in real time.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F94a6859a99e04d309ffe5841f3dbdf5c",{"large":638},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":640,"meta":641,"component":642,"responsiveStyles":647},"builder-f7585b90eb974d03a7dc7eae5b58d227",{"previousId":397},{"name":373,"options":643,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":644,"description":645,"reverse":41,"image":646},"\u003Ch2>Harden accounts before they’re compromised\u003C/h2>","\u003Cp>Push goes beyond alerts. It identifies apps that still allow local logins, even when SSO is configured, so you can remove weak access paths. 
Push also flags users without MFA, reused work credentials, or weak passwords, and prompts users in-browser to fix risky behaviors before they’re exploited.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01c1b638f1b6497093a4f2b8ceddb5bb",{"large":648},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":650,"meta":651,"component":652,"responsiveStyles":654},"builder-ad81d1e3afec49a791214194eae09bdc",{"previousId":408},{"name":354,"options":653,"isRSC":118},{"darkMode":6},{"large":655},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":657,"component":658,"responsiveStyles":660},"builder-8dac1aa4b9d148628d92252bd8eff822",{"name":416,"tag":416,"options":659,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":661},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":663,"@type":106,"tagName":131,"properties":664,"responsiveStyles":665},"builder-pixel-s5u3wmvz7jq",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":666},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":668},{"path":37,"query":669},{},{},1770892814499,1745499162732,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F58b660fa94aa4b30b0faeb9b663ae41a","SfUPqW5tkibIPby49keNFMdHFTr1",[],{"lastPreviewUrl":677,"hasLinks":6,"originalContentId":259,"breakpoints":678,"winningTest":118,"kind":438,"hasAutosaves":41},"https://pushsecurity.com/uc/account-takeover-detection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepo
sitory%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.94bebb7bb99d48629ad157e80cf4d81d=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.use-case-page:/uc/account-takeover-detection=94bebb7bb99d48629ad157e80cf4d81d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":680,"id":681,"name":682,"modelId":261,"published":13,"query":683,"data":686,"variations":789,"lastUpdated":790,"firstPublished":791,"testRatio":33,"screenshot":792,"createdBy":34,"lastUpdatedBy":674,"folders":793,"meta":794,"rev":440},1745009370904,"23eb48fb56d3451cab77cb6ed140ee6d","Attack path hardening",[684],{"@type":264,"property":265,"operator":266,"value":685},"/uc/attack-path-hardening",{"tsCode":37,"seoDescription":687,"jsCode":37,"customFonts":688,"fontAwesomeIcon":693,"seoTitle":682,"title":682,"blocks":694,"url":685,"state":786},"Harden access paths with visibility,  detection, and 
guardrails.",[689],{"kind":273,"files":690,"version":274,"lastModified":275,"subsets":691,"menu":296,"category":295,"variants":692,"family":272},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"regular":290,"italic":289,"800italic":285,"500italic":292,"600italic":294,"200italic":291,"900italic":286,"700italic":287,"100italic":288,"300italic":293},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"faRadar",[695,781],{"@type":106,"@version":107,"tagName":323,"id":696,"meta":697,"children":698},"builder-1d8553eddcaa44d7bba9e2f4ca13af2a",{"previousId":577},[699,715,722,729,738,748,758,768,775],{"@type":106,"@version":107,"id":700,"meta":701,"component":702,"responsiveStyles":713},"builder-84fe3d7c85a743cf8cef649aa974f1ef",{"previousId":581},{"name":327,"options":703,"isRSC":118},{"title":682,"description":704,"points":705,"video":712},"\u003Cp>Push continuously monitors your environment for exposed login paths, weak credentials, and missing protections like MFA. 
It detects the gaps attackers exploit and helps you close them before they’re used.\u003C/p>",[706,708,710],{"item":707},"Find weak spots like reused passwords, local logins, and missing MFA",{"item":709},"Monitor how users actually log in across apps, flows, and tools",{"item":711},"Enforce secure access with in-browser guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fdbdcf52892034f1bbddded77f753a343%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=dbdcf52892034f1bbddded77f753a343&alt=media&optimized=true",{"large":714},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":716,"meta":717,"component":718,"responsiveStyles":720},"builder-b3f66f5b08054cc78a06fecfc3ae2337",{"previousId":597},{"name":346,"options":719,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":721},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":723,"meta":724,"component":725,"responsiveStyles":727},"builder-4c73418b84be49ed85e6e13d2625c5a0",{"previousId":604},{"name":354,"options":726,"isRSC":118},{"darkMode":41},{"large":728},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":730,"component":731,"responsiveStyles":736},"builder-dec0246085e1485c803f7152b1922a81",{"name":359,"tag":359,"options":732,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":733,"description":734,"image":735,"reverse":6},"\u003Ch2>Find the gaps that lead to compromise\u003C/h2>","\u003Cp>Misconfigurations don’t show up in your config files, they show up in how users actually access apps. 
Push monitors real login behavior in the browser, surfacing risky patterns like local login access, duplicate accounts, or missing protections that leave doors wide open.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F309a59bba8d247a19476bb369397460e",{"large":737},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":739,"meta":740,"component":741,"responsiveStyles":746},"builder-ebf049a645604a249550996a88f8f3b6",{"previousId":620},{"name":373,"options":742,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":743,"description":744,"reverse":41,"image":745},"\u003Ch2>See real login behavior\u003C/h2>","\u003Cp>Push watches authentication flows as they happen, giving you a live view of how users log in, which methods they choose, and where protections like MFA are missing. Plus, uncover every app and account in use, even shadow IT you didn’t know existed, without relying on stale config files or IdP assumptions. \u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb51f6b0357cc451b87a7a5016d984e5e",{"large":747},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":749,"meta":750,"component":751,"responsiveStyles":756},"builder-431d175c59004669b0b2776b07d71737",{"previousId":630},{"name":373,"options":752,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":753,"description":754,"reverse":6,"image":755},"\u003Ch2>Find and fix posture drift\u003C/h2>","\u003Cp>Security posture isn’t static. Push continuously monitors for issues like missing MFA or legacy login methods. 
When something falls out of policy, you know immediately with custom notifications so you can act before it turns into risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F324e39127dfc41e592b1183dfb39892d",{"large":757},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":759,"meta":760,"component":761,"responsiveStyles":766},"builder-3dffdcbe0a484e2ca4c03f019b6d40ee",{"previousId":640},{"name":373,"options":762,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":763,"description":764,"reverse":41,"image":765},"\u003Ch2>Guide users with in-browser guardrails\u003C/h2>","\u003Cp>Push doesn’t just surface problems, it helps you fix them. When users sign in without MFA, reuse a password, or use insecure credentials, Push prompts them directly in the browser to secure their access. It’s faster, more effective, and actually gets 
results.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fee8b75d13e45488aba55434a8b49ebb0",{"large":767},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":769,"meta":770,"component":771,"responsiveStyles":773},"builder-976bc222cd7647ff905f1e01cfedc453",{"previousId":650},{"name":354,"options":772,"isRSC":118},{"darkMode":6},{"large":774},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":776,"component":777,"responsiveStyles":779},"builder-8c47ec2fd0f74382bb3e6c870555632c",{"name":416,"tag":416,"options":778,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":780},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":782,"@type":106,"tagName":131,"properties":783,"responsiveStyles":784},"builder-pixel-7akm7dayau8",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":785},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":787},{"path":37,"query":788},{},{},1770892844854,1745499166112,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6ca12bf728a045f1a31d40c0beb3bfe5",[],{"kind":438,"lastPreviewUrl":795,"breakpoints":796,"hasLinks":6,"originalContentId":562,"winningTest":118,"hasAutosaves":6},"https://pushsecurity.com/uc/attack-path-hardening?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&buil
der.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.23eb48fb56d3451cab77cb6ed140ee6d=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.use-case-page:/uc/attack-path-hardening=23eb48fb56d3451cab77cb6ed140ee6d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":798,"id":799,"name":800,"modelId":261,"published":13,"query":801,"data":804,"variations":909,"lastUpdated":910,"firstPublished":911,"testRatio":33,"screenshot":912,"createdBy":34,"lastUpdatedBy":674,"folders":913,"meta":914,"rev":440},1761675020232,"ea4f309d2ffe46c5aa97ebf0fda4e2e3","ClickFix Protection",[802],{"@type":264,"property":265,"operator":266,"value":803},"/uc/clickfix-protection",{"seoDescription":805,"fontAwesomeIcon":806,"customFonts":807,"seoTitle":812,"jsCode":37,"tsCode":37,"title":812,"blocks":813,"url":803,"state":906},"Block attacks that trick users into running malicious code.","faLaptopCode",[808],{"files":809,"subsets":810,"menu":296,"version":274,"kind":273,"family":272,"lastModified":275,"variants":811,"category":295},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"200italic":291,"800italic":285,"700italic":287,"600italic":294,"100italic":288,"italic":289,"regular":290,"300italic":293,"500italic":292,"900italic":286},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"ClickFix 
protection",[814,901],{"@type":106,"@version":107,"tagName":323,"id":815,"meta":816,"children":817},"builder-d7eefdde0f2a4b2b9de3dcb2978fd6cb",{"previousId":696},[818,834,841,848,858,868,878,888,895],{"@type":106,"@version":107,"id":819,"meta":820,"component":821,"responsiveStyles":832},"builder-56e2c54bcce040a4af8b92ae03706c12",{"previousId":700},{"name":327,"options":822,"isRSC":118},{"title":812,"description":823,"points":824,"image":831},"\u003Cp>ClickFix attacks are one of the fastest-growing threats, tricking users into copying malicious code from a webpage and running it locally. This technique bypasses traditional EDR, email gateways, and network filters, leading directly to ransomware and data theft. Push stops this attack at the source, in the browser, by detecting and blocking the malicious behavior before the user can ever paste the code.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[825,827,829],{"item":826},"Detect ClickFix, FileFix, and fake CAPTCHA in the browser",{"item":828},"Block malicious copy-and-paste actions before code is executed",{"item":830},"See full telemetry into which users were targeted and what they 
saw","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b74af62889847ebb3927364485b0546",{"large":833},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":835,"meta":836,"component":837,"responsiveStyles":839},"builder-05f9614d4e3e4dc88b3ee8658f54e10e",{"previousId":716},{"name":346,"options":838,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":840},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":842,"meta":843,"component":844,"responsiveStyles":846},"builder-c4fb5179366243c1b6c32d368675cf47",{"previousId":723},{"name":354,"options":845,"isRSC":118},{"darkMode":41},{"large":847},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":849,"meta":850,"component":851,"responsiveStyles":856},"builder-261af50705fd445d8cca4a6ba20d5391",{"previousId":730},{"name":359,"tag":359,"options":852,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":853,"description":854,"reverse":6,"image":855},"\u003Ch2>Stop ClickFix-style attacks before they become a breach\u003C/h2>","\u003Cp>Traditional security tools are blind to malicious copy and paste attacks because the attack exploits a gap between the browser and the endpoint. 
EDR only sees the payload after it runs, and network tools see only part of the picture.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F98b2f7e08dec4eafaf8e24937605b8cf",{"large":857},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":859,"meta":860,"component":861,"responsiveStyles":866},"builder-7d21b8aab8064c40b1e5dd23c4749309",{"previousId":739},{"name":373,"options":862,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":863,"description":864,"reverse":41,"image":865},"\u003Ch2>Discover lures at the source\u003C/h2>","\u003Cp>Push inspects page behavior to identify ClickFix attacks as they happen. By inspecting the page, its structure, and how the user interacts with it, Push can detect and block these in-browser threats in real time. This deep, TTP-based inspection spots the trap even on novel pages that are built to bypass traditional web filters and blocklists.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F665bf47e01544c75bf9ddafd3917927b",{"large":867},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":869,"meta":870,"component":871,"responsiveStyles":876},"builder-fb91943adf6149259ed9e1e6566c9afe",{"previousId":749},{"name":373,"options":872,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":873,"description":874,"reverse":6,"image":875},"\u003Ch2>Block the malicious action\u003C/h2>","\u003Cp>When Push detects a malicious script, it intercepts the user's action and blocks the code from being copied to the clipboard. The user is protected, the attack is stopped, and no malicious code ever reaches the endpoint. 
Unlike broad DLP tools, this action is surgical, targeting only malicious behavior without disrupting normal work.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F5ee68f81f1ac416685cbfe91298cf827",{"large":877},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":879,"meta":880,"component":881,"responsiveStyles":886},"builder-bfac95fada864e5a8259b955b5b5f98b",{"previousId":759},{"name":373,"options":882,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":883,"description":884,"reverse":41,"image":885},"\u003Ch2>Accelerate ClickFix investigations\u003C/h2>","\u003Cp>When an attack happens, knowing what the user saw or did is critical. Push provides rich browser session data for rapid investigation and containment. Security teams get detailed telemetry on which users were targeted, what lure they were served, and when the block occurred. 
This enables defenders to reconstruct what happened and respond quickly, even when other tools miss the activity entirely.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6cdf2a8aeddc4e9a9023cbf974e40239",{"large":887},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":889,"meta":890,"component":891,"responsiveStyles":893},"builder-136892e831684a6987f87d3be67c33d1",{"previousId":769},{"name":354,"options":892,"isRSC":118},{"darkMode":6},{"large":894},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":896,"component":897,"responsiveStyles":899},"builder-dec26b739f2f42beb5a73cfc6c675b60",{"name":416,"tag":416,"options":898,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":900},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":902,"@type":106,"tagName":131,"properties":903,"responsiveStyles":904},"builder-pixel-zzjpxxgrc2l",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":905},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":907},{"path":37,"query":908},{},{},1770892881888,1761847585203,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F375467b8bef34ed1a8a1cc5b8b67d75f",[],{"lastPreviewUrl":915,"originalContentId":681,"winningTest":118,"hasLinks":6,"kind":438,"breakpoints":916,"hasAutosaves":6},"https://pushsecurity.com/uc/clickfix-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.u
ser.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.ea4f309d2ffe46c5aa97ebf0fda4e2e3=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.use-case-page:/uc/clickfix-protection=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":918,"id":919,"name":920,"modelId":261,"published":13,"query":921,"data":924,"variations":1029,"lastUpdated":1030,"firstPublished":1031,"testRatio":33,"screenshot":1032,"createdBy":34,"lastUpdatedBy":674,"folders":1033,"meta":1034,"rev":440},1745009743870,"a9d5556e77f84a37b5bd52310a7110c1","Incident response",[922],{"@type":264,"property":265,"operator":266,"value":923},"/uc/incident-response",{"seoDescription":925,"customFonts":926,"title":920,"jsCode":37,"fontAwesomeIcon":931,"seoTitle":932,"tsCode":37,"blocks":933,"url":923,"state":1026},"Investigate and respond faster with unique browser telemetry.",[927],{"kind":273,"subsets":928,"menu":296,"variants":929,"category":295,"family":272,"version":274,"lastModified":275,"files":930},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"900italic":286,"600italic":294,"200italic":291,"300italic":293,"100italic":288,"700italic":287,"800italic":285,"regular":290,"italic":289,"500italic":292},"faSatelliteDish","Browser based incident 
response",[934,1021],{"@type":106,"@version":107,"tagName":323,"id":935,"meta":936,"children":937},"builder-653c4aed737b4def88dc4cd2d695660a",{"previousId":696},[938,955,962,969,978,988,998,1008,1015],{"@type":106,"@version":107,"id":939,"meta":940,"component":941,"responsiveStyles":953},"builder-18190bd36518467d9154d27d7e945b9b",{"previousId":700},{"name":327,"options":942,"isRSC":118},{"title":943,"description":944,"points":945,"video":952},"Browser-based incident response","\u003Cp>Push gives you real-time visibility into what actually happened during a breach, right in the browser where the attack played out. From credential theft to session hijacking, Push captures high-fidelity telemetry so you can investigate quickly, contain confidently, and shut it down before it spreads.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[946,948,950],{"item":947},"Reconstruct what happened with real browser session context",{"item":949},"Investigate faster with real-world session context",{"item":951},"Trigger response actions automatically through your SIEM or 
SOAR","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fd00e39d3b6e346c296261d875cf55652%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=d00e39d3b6e346c296261d875cf55652&alt=media&optimized=true",{"large":954},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":956,"meta":957,"component":958,"responsiveStyles":960},"builder-8a0a8ea63f5d48dd8a6726f2d49cf0ca",{"previousId":716},{"name":346,"options":959,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":961},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":963,"meta":964,"component":965,"responsiveStyles":967},"builder-2df65c3f54334df2b26e7cb744886cdc",{"previousId":723},{"name":354,"options":966,"isRSC":118},{"darkMode":41},{"large":968},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":970,"component":971,"responsiveStyles":976},"builder-2c32c869efc2423ab69ef06b150e9f97",{"name":359,"tag":359,"options":972,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":973,"description":974,"image":975,"reverse":6},"\u003Ch2>See attacks unfold, not just their aftermath\u003C/h2>","\u003Cp>Attacks happen in the browser, not in logs. Push captures what traditional tools miss: what users clicked, what loaded, what was entered, and how attackers moved. 
That gives you real-world evidence, not just assumptions, when every second matters.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F36fc719bd1de4a38b916f4d25c81a26d",{"large":977},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":979,"meta":980,"component":981,"responsiveStyles":986},"builder-370e53c6016e432db01e9193a2ce90f6",{"previousId":739},{"name":373,"options":982,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":983,"description":984,"reverse":41,"image":985},"\u003Ch2>Investigate faster with high-fidelity data\u003C/h2>","\u003Cp>Reconstructing an incident shouldn’t feel like guesswork. Push records detailed telemetry from inside the browser: page loads, credential inputs, DOM changes, session activity, user behavior. It’s structured, exportable, and ready to plug into your investigation workflows, so you can move fast without digging through proxy logs or relying on user reports.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa6adda040e684e67a8d68a55c5ce5f6d",{"large":987},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":989,"meta":990,"component":991,"responsiveStyles":996},"builder-a7f3767a8d184bd08fb24520bf210e95",{"previousId":749},{"name":373,"options":992,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":993,"description":994,"reverse":6,"image":995},"\u003Ch2>Contain and respond in real time\u003C/h2>","\u003Cp>When something looks off, Push doesn’t just alert you, it gives you options. Guide users with in-browser prompts. Terminate sessions. Trigger SOAR workflows. Enrich SIEM alerts. 
Push gives you the context and control to stop spread before it starts.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb3dedeed5aba4847a2c2d22e10d0ec12",{"large":997},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":999,"meta":1000,"component":1001,"responsiveStyles":1006},"builder-b92036ee0ece4b32acdbdcc7c377366b",{"previousId":759},{"name":373,"options":1002,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1003,"description":1004,"reverse":41,"image":1005},"\u003Ch2>Prevent the next one\u003C/h2>","\u003Cp>Push helps you respond fast, but it also helps you fix what went wrong. It surfaces misconfigurations and risky behaviors that made the attack possible in the first place, then guides users in-browser to remediate. One tool. Full loop. No loose ends.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc1ecc2d5d3814b62b072fac01827ff96",{"large":1007},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1009,"meta":1010,"component":1011,"responsiveStyles":1013},"builder-5e8ae39655274de89da32ab573a2525a",{"previousId":769},{"name":354,"options":1012,"isRSC":118},{"darkMode":6},{"large":1014},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1016,"component":1017,"responsiveStyles":1019},"builder-dfd6850cfb4741d2b8a0c16c2780f00a",{"name":416,"tag":416,"options":1018,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1020},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1022,"@type":106,"tagName":131,"properties":1023,"responsiveStyles":1024},"builder-pixel-z197gdgcmu",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"lar
ge":1025},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1027},{"path":37,"query":1028},{},{},1770892908052,1745427419274,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb07017bfd318431690a5bb35bda35b99",[],{"kind":438,"breakpoints":1035,"originalContentId":681,"winningTest":118,"lastPreviewUrl":1036,"hasLinks":6,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/incident-response?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.a9d5556e77f84a37b5bd52310a7110c1=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.use-case-page:/uc/incident-response=a9d5556e77f84a37b5bd52310a7110c1&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"createdDate":1038,"id":1039,"name":1040,"modelId":261,"published":13,"query":1041,"data":1044,"variations":1149,"lastUpdated":1150,"firstPublished":1151,"testRatio":33,"screenshot":1152,"createdBy":34,"lastUpdatedBy":674,"folders":1153,"meta":1154,"rev":440},1746122471259,"5f118e24433d46ceb79f5099987156d7","Shadow SaaS",[1042],{"@type":264,"property":265,"operator":266,"value":1043},"/uc/shadow-saas",{"seoTitle":1045,"seoDescription":1046,"customFonts":1047,"fontAwesomeIcon":1052,"title":1053,"jsCode":37,"tsCode":37,"blocks":1054,"url":1043,"state":1146},"Find and secure shadow SaaS","See and 
control shadow SaaS in the browser.",[1048],{"kind":273,"variants":1049,"files":1050,"family":272,"version":274,"subsets":1051,"lastModified":275,"category":295,"menu":296},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"300italic":293,"500italic":292,"regular":290,"900italic":286,"italic":289,"100italic":288,"200italic":291,"600italic":294,"700italic":287,"800italic":285},[298,299],"faShieldCheck","Secure shadow SaaS",[1055,1141],{"@type":106,"@version":107,"tagName":323,"id":1056,"meta":1057,"children":1058},"builder-04da805c4cd34652a2db452fcda52e1d",{"previousId":935},[1059,1075,1082,1089,1098,1108,1118,1128,1135],{"@type":106,"@version":107,"id":1060,"meta":1061,"component":1062,"responsiveStyles":1073},"builder-830d414faeaf41439142f9157e8288c8",{"previousId":939},{"name":327,"options":1063,"isRSC":118},{"title":1045,"description":1064,"points":1065,"video":1072},"\u003Cp>SaaS sprawl is one of today’s fastest-growing security blind spots because most tools monitor around the edges. Push sees it at the source, in the browser, revealing every app users access, flagging risky tools, and helping you shut down exposure before it leads to a breach. No guesswork. No nasty surprises. 
Just real-time visibility and control.\u003C/p>",[1066,1068,1070],{"item":1067},"Discover every SaaS app users access, managed or not",{"item":1069},"Spot accounts with weak security postures like missing MFA, unmanaged access, and no SSO",{"item":1071},"Control usage with in-browser prompts, blocks, and security guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F3e4eece318d04d6586e691d59d0741cf%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=3e4eece318d04d6586e691d59d0741cf&alt=media&optimized=true",{"large":1074},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":1076,"meta":1077,"component":1078,"responsiveStyles":1080},"builder-cd7833f966cb4c7e8adf0d6c979414a6",{"previousId":956},{"name":346,"options":1079,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":1081},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":1083,"meta":1084,"component":1085,"responsiveStyles":1087},"builder-49d720b45430454e8b08c526f267c19f",{"previousId":963},{"name":354,"options":1086,"isRSC":118},{"darkMode":41},{"large":1088},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1090,"component":1091,"responsiveStyles":1096},"builder-3dde0bf6c8544e5e9ab41b18a9d68034",{"name":359,"tag":359,"options":1092,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":1093,"description":1094,"image":1095,"reverse":6},"\u003Ch2>Use your browser to curb SaaS sprawl\u003C/h2>","\u003Cp>Shadow SaaS isn’t hiding in your network, it’s in your browser. From AI tools to unsanctioned file-sharing sites, security risks live in the apps your users sign into every day. 
Push maps your organization's true SaaS footprint in real time, exposing apps and accounts with unmanaged access, poor authentication, or no security oversight.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb6811a214c7949b6bbe0b9a3bca62efd",{"large":1097},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1099,"meta":1100,"component":1101,"responsiveStyles":1106},"builder-e2420451ccdc4f088d0a4904cff45935",{"previousId":979},{"name":373,"options":1102,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":1103,"description":1104,"reverse":41,"image":1105},"\u003Ch2>Discover hidden SaaS usage\u003C/h2>","\u003Cp>Push captures live browser telemetry across every tab and session. Whether a user signs into a sanctioned app with a personal account or tries a new AI plugin, you’ll see it in real time, with no integrations or manual tagging.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe16e301f9af94665b95d98232a863d8a",{"large":1107},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":1109,"meta":1110,"component":1111,"responsiveStyles":1116},"builder-b36de7fce7994beea9e58d94662e7166",{"previousId":989},{"name":373,"options":1112,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":1113,"description":1114,"reverse":6,"image":1115},"\u003Ch2>Spot risky access and unsafe usage\u003C/h2>","\u003Cp>Discovery is just the beginning. Push flags apps with risky traits, no MFA, no SSO, known vulnerabilities, or broad access scopes. 
You’ll know which tools introduce real risk, and which users are exposed so you can act with precision.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6585f3c242da4d70ae3cb7d02f481bef",{"large":1117},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":1119,"meta":1120,"component":1121,"responsiveStyles":1126},"builder-dc366b5134684fe7a508edf8913103ea",{"previousId":999},{"name":373,"options":1122,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1123,"description":1124,"reverse":41,"image":1125},"\u003Ch2>Close gaps before they grow\u003C/h2>","\u003Cp>Push turns insight into action. When risky SaaS use is detected, guide users to enable MFA, block high-risk apps, or apply in-browser guardrails automatically. All without deploying new infrastructure or managing dozens of integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe6d60b6d91414819bc6258a318f00557",{"large":1127},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1129,"meta":1130,"component":1131,"responsiveStyles":1133},"builder-8708f6f0d8da4b3f9e17bf16cda70219",{"previousId":1009},{"name":354,"options":1132,"isRSC":118},{"darkMode":6},{"large":1134},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1136,"component":1137,"responsiveStyles":1139},"builder-8ff4b38d60534cf28cb523ab0f754875",{"name":416,"tag":416,"options":1138,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1140},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1142,"@type":106,"tagName":131,"properties":1143,"responsiveStyles":1144},"builder-pixel-d1ul2kmxbed",{"src":133,"aria-hidden":134,"alt":37,"role":135,"w
idth":124,"height":124},{"large":1145},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1147},{"path":37,"query":1148},{},{},1770892936802,1746714967208,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01bfb2304521412fbd2e1a1180904d40",[],{"originalContentId":919,"winningTest":118,"lastPreviewUrl":1155,"breakpoints":1156,"kind":438,"hasLinks":6,"hasAutosaves":6},"https://pushsecurity.com/uc/shadow-saas?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=5f118e24433d46ceb79f5099987156d7&builder.overrides.5f118e24433d46ceb79f5099987156d7=5f118e24433d46ceb79f5099987156d7&builder.overrides.use-case-page:/uc/shadow-saas=5f118e24433d46ceb79f5099987156d7&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":1158,"id":1159,"name":1160,"modelId":261,"published":13,"query":1161,"data":1164,"variations":1268,"lastUpdated":1269,"firstPublished":1270,"testRatio":33,"screenshot":1271,"createdBy":34,"lastUpdatedBy":674,"folders":1272,"meta":1273,"rev":440},1764707470172,"b62629ce2f3741158d961cd10fe74b31","Shadow AI",[1162],{"@type":264,"property":265,"operator":266,"value":1163},"/uc/shadow-ai",{"fontAwesomeIcon":1165,"seoTitle":1166,"jsCode":37,"customFonts":1167,"title":1172,"tsCode":37,"seoDescription":1173,"blocks":1174,"url":1163,"state":1265},"faBrainCircuit","Secure AI 
native and AI enhanced apps. ",[1168],{"variants":1169,"category":295,"files":1170,"subsets":1171,"family":272,"kind":273,"menu":296,"lastModified":275,"version":274},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"800italic":285,"regular":290,"700italic":287,"200italic":291,"italic":289,"500italic":292,"600italic":294,"300italic":293,"100italic":288,"900italic":286},[298,299],"Secure shadow AI","See and control shadow AI apps in the browser.",[1175,1260],{"@type":106,"@version":107,"tagName":323,"id":1176,"meta":1177,"children":1178},"builder-a6e5717a2c914d5695058e4ee201a05d",{"previousId":1056},[1179,1195,1202,1209,1219,1228,1237,1247,1254],{"@type":106,"@version":107,"id":1180,"meta":1181,"component":1182,"responsiveStyles":1193},"builder-3e0ed678683f4a0eb7aa00253cf263b2",{"previousId":1060},{"name":327,"options":1183,"isRSC":118},{"title":1172,"description":1184,"points":1185,"image":1192},"\u003Cp>Your employees are adopting AI faster than you can track it. From native features in corporate apps to unapproved shadow tools, it’s all happening in the browser. 
Push detects every AI interaction in real time, letting you categorize apps and enforce acceptable use policies in the browser.\u003C/p>",[1186,1188,1190],{"item":1187},"Map every AI tool used across your workforce",{"item":1189},"Review and classify apps by sensitivity, purpose, and policy status",{"item":1191},"Enforce AI usage rules directly in the browser","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F33cf153d920f4e389f3650253577cff7",{"large":1194},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":1196,"meta":1197,"component":1198,"responsiveStyles":1200},"builder-76968f8471d14893b8189d75b08fb426",{"previousId":1076},{"name":346,"options":1199,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":1201},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":1203,"meta":1204,"component":1205,"responsiveStyles":1207},"builder-b55b9d4bc5a649d8839ce7f6c2043d95",{"previousId":1083},{"name":354,"options":1206,"isRSC":118},{"darkMode":41},{"large":1208},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1210,"meta":1211,"component":1212,"responsiveStyles":1217},"builder-c3f38ef4d75d4989a29b5903175ed8a1",{"previousId":1090},{"name":359,"tag":359,"options":1213,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":1214,"description":1215,"image":1216,"reverse":6},"\u003Ch2>Use your browser to govern AI \u003C/h2>","\u003Cp>The AI footprint inside your company is bigger than you think. From text generators to meeting assistants and design copilots, employees test, adopt, and connect new tools constantly. 
Push shows you those tools and which users are accessing them, without relying on network scans or API integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F30b43bda6f1644c19478fb1efa20050c",{"large":1218},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1220,"meta":1221,"component":1222,"responsiveStyles":1226},"builder-90ee9cb9afc44e7f885523715bf51a53",{"previousId":1099},{"name":373,"options":1223,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":1224,"description":1225,"reverse":41,"image":1115},"\u003Ch2>Discover every AI tool users touch\u003C/h2>","\u003Cp>Push captures live telemetry from the browser, identifying every AI-native and AI-enhanced application users access. You’ll know which corporate identities are connected, how data flows, and what new AI apps appear across your environment. \u003C/p>",{"large":1227},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":1229,"meta":1230,"component":1231,"responsiveStyles":1235},"builder-9e44539fa53c4d8e87406036c921fc46",{"previousId":1109},{"name":373,"options":1232,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":1233,"description":1234,"reverse":6,"image":1125},"\u003Ch2>Classify and manage AI risk\u003C/h2>","\u003Cp>For apps you choose to allow, Push lets you apply custom in-browser banners. You can bulk-select categories of AI tools and require users to read and acknowledge your acceptable use policy before they proceed. 
This creates an auditable trail and moves policy from an easy to forget document to an active, in-workflow control.\u003C/p>",{"large":1236},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":1238,"meta":1239,"component":1240,"responsiveStyles":1245},"builder-44c1a891926f4bdeaaa37e90721fe6ac",{"previousId":1119},{"name":373,"options":1241,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1242,"description":1243,"reverse":41,"image":1244},"\u003Ch2>Enforce your AI policy in the browser\u003C/h2>","\u003Cp>When an AI tool is deemed non-compliant or too risky, Push blocks it at the source. The block happens directly in the browser, preventing the user from accessing the site or submitting data. This gives you an immediate, powerful lever to stop data exfiltration and enforce a hard line on unacceptable risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa359ac1805af4e15a8a7f84632b9bb55",{"large":1246},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1248,"meta":1249,"component":1250,"responsiveStyles":1252},"builder-dcc906f9cbe54dc68b3c672668e7a38f",{"previousId":1129},{"name":354,"options":1251,"isRSC":118},{"darkMode":6},{"large":1253},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1255,"component":1256,"responsiveStyles":1258},"builder-d2d64780c31b4349bc75805b23a07e38",{"name":416,"tag":416,"options":1257,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1259},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1261,"@type":106,"tagName":131,"properties":1262,"responsiveStyles":1263},"builder-pixel-wxx9tk70r9p",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124
},{"large":1264},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1266},{"path":37,"query":1267},{},{},1770892957225,1764950077593,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe558b8b069884037a8e6904f7ecc029c",[],{"winningTest":118,"breakpoints":1274,"originalContentId":1039,"kind":438,"lastPreviewUrl":1275,"hasLinks":6,"hasAutosaves":41},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/shadow-ai?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=b62629ce2f3741158d961cd10fe74b31&builder.overrides.b62629ce2f3741158d961cd10fe74b31=b62629ce2f3741158d961cd10fe74b31&builder.overrides.use-case-page:/uc/shadow-ai=b62629ce2f3741158d961cd10fe74b31&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"_path":1277,"_dir":1278,"_draft":6,"_partial":6,"_locale":37,"sys":1279,"ogImage":118,"summary":1282,"title":1296,"subtitle":118,"metaTitle":1297,"synopsis":1298,"hashTags":118,"publishedDate":1299,"slug":1300,"tagsCollection":1301,"relatedBlogPostsCollection":1311,"authorsCollection":3622,"content":3630,"_id":4934,"_type":4878,"_source":4935,"_file":4936,"_stem":4937,"_extension":4878},"/blog/okta-swa","blog",{"id":1280,"publishedAt":1281},"1te7lpcknxuN73jdCdkXjd","2024-03-21T08:54:57.663Z",{"json":1283},{"data":1284,"content":1285,"nodeType":1295},{},[1286],{"data":1287,"content":1288,"nodeType":1294},{
},[1289],{"data":1290,"marks":1291,"value":1292,"nodeType":1293},{},[],"In this article, we’ll discuss and demonstrate why Okta's SWA isn't the same or as secure as using SAML and OIDC authentication methods for SSO.\n","text","paragraph","document","Abusing Okta's SWA authentication","Abusing Okta's SWA authentication method","We'll cover the implications of using Okta's SWA authentication method. Learn what security teams need to know in an account breach and IR scenario. ","2023-11-30T00:00:00.000Z","okta-swa",{"items":1302},[1303,1307],{"sys":1304,"name":1306},{"id":1305},"3pjES4THCIfSAwhGdNwBcy","Identity security",{"sys":1308,"name":1310},{"id":1309},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"items":1312},[1313,2659,3418],{"__typename":1314,"sys":1315,"content":1317,"title":2640,"synopsis":1332,"hashTags":118,"publishedDate":2641,"slug":2642,"tagsCollection":2643,"authorsCollection":2651},"BlogPosts",{"id":1316},"3JXKiUMGU8JBpndhLRYOCJ",{"json":1318},{"nodeType":1295,"data":1319,"content":1320},{},[1321,1328,1335,1343,1351,1377,1384,1391,1398,1405,1412,1448,1454,1461,1582,1589,1596,1852,1859,1866,1872,1905,1912,1919,1925,1932,1938,1945,1952,1958,1965,1972,1978,1985,1992,1998,2005,2021,2027,2034,2067,2074,2094,2101,2108,2115,2121,2159,2179,2234,2241,2248,2268,2287,2294,2327,2333,2340,2347,2354,2361,2368,2375,2395,2401,2408,2427,2434,2441,2447,2454,2461,2467,2474,2520,2527,2533,2540,2546,2553,2560,2593,2600,2607,2614,2621,2628,2634],{"nodeType":1294,"data":1322,"content":1323},{},[1324],{"nodeType":1293,"value":1325,"marks":1326,"data":1327},"With the proliferation of SaaS apps and integrations comes an equal helping of uncertainty surrounding the associated security risks. If you’ve ever found yourself in a position where you’ve had to review a SaaS app integration, whether it’s during the remediation stage of an incident or simply during the process of tending to a user request, then keep on reading. 
",[],{},{"nodeType":1294,"data":1329,"content":1330},{},[1331],{"nodeType":1293,"value":1332,"marks":1333,"data":1334},"This article covers common ways an app could lead to compromise in Microsoft Azure, and what to look out for when determining risk to your organization.",[],{},{"nodeType":1336,"data":1337,"content":1338},"heading-1",{},[1339],{"nodeType":1293,"value":1340,"marks":1341,"data":1342},"Consent phishing",[],{},{"nodeType":1344,"data":1345,"content":1346},"heading-2",{},[1347],{"nodeType":1293,"value":1348,"marks":1349,"data":1350},"The issue:",[],{},{"nodeType":1294,"data":1352,"content":1353},{},[1354,1358,1373],{"nodeType":1293,"value":1355,"marks":1356,"data":1357},"This method of compromising user accounts has been covered a ",[],{},{"nodeType":1359,"data":1360,"content":1366},"entry-hyperlink",{"target":1361},{"sys":1362},{"id":1363,"type":1364,"linkType":1365},"1bV8YTSQHvveCTnRc4H8su","Link","Entry",[1367],{"nodeType":1293,"value":1368,"marks":1369,"data":1372},"few times",[1370],{"type":1371},"underline",{},{"nodeType":1293,"value":1374,"marks":1375,"data":1376}," by Push. Without rehashing too much of the content, the main idea behind consent phishing is to get a user to perform an integration while the app masquerades as something official. ",[],{},{"nodeType":1294,"data":1378,"content":1379},{},[1380],{"nodeType":1293,"value":1381,"marks":1382,"data":1383},"As an example, a user is sent an email where the content is either surprisingly legitimate, or sparks sufficient curiosity to make them want to access the data behind the link. They are directed to a Microsoft or Google login page, where the app asks for certain permissions, such as mailbox access. The user, having performed these actions before, thinks nothing of it and clicks ‘allow’. 
The attacker successfully tricked the user to give them access to their mailbox (or whichever privileges the app was requesting).",[],{},{"nodeType":1385,"data":1386,"content":1390},"embedded-entry-block",{"target":1387},{"sys":1388},{"id":1389,"type":1364,"linkType":1365},"2zeeE8NrgX4MnpHdIjszot",[],{"nodeType":1344,"data":1392,"content":1393},{},[1394],{"nodeType":1293,"value":1395,"marks":1396,"data":1397},"The solution:",[],{},{"nodeType":1294,"data":1399,"content":1400},{},[1401],{"nodeType":1293,"value":1402,"marks":1403,"data":1404},"There are two ways to help prevent this type of compromise:",[],{},{"nodeType":1294,"data":1406,"content":1407},{},[1408],{"nodeType":1293,"value":1409,"marks":1410,"data":1411},"The first is to go the “block everything” route by preventing any integrations from being added to your tenants at all. This is quite heavy-handed and a bit like throwing the baby out with the bathwater, as this approach leads to IT/security departments becoming known as the departments of ‘NO’, potentially resulting in users circumventing controls, and the emergence of shadow IT.",[],{},{"nodeType":1294,"data":1413,"content":1414},{},[1415,1419,1429,1433,1444],{"nodeType":1293,"value":1416,"marks":1417,"data":1418},"The second is to be sensible about what to allow and what to prevent during SaaS integrations. 
For instance, in Microsoft 365 administrators are able to ",[],{},{"nodeType":1420,"data":1421,"content":1423},"hyperlink",{"uri":1422},"https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-permission-classifications",[1424],{"nodeType":1293,"value":1425,"marks":1426,"data":1428},"specify low-risk scopes",[1427],{"type":1371},{},{"nodeType":1293,"value":1430,"marks":1431,"data":1432},", such as ones specifically used for performing social logins (which are okay to do ",[],{},{"nodeType":1359,"data":1434,"content":1438},{"target":1435},{"sys":1436},{"id":1437,"type":1364,"linkType":1365},"68syxk4cmD6QOdVRcDqgEZ",[1439],{"nodeType":1293,"value":1440,"marks":1441,"data":1443},"by the way",[1442],{"type":1371},{},{"nodeType":1293,"value":1445,"marks":1446,"data":1447},"). Admins can then allow employees to perform social logins, and integrate apps making use of other low-risk scopes from  verified apps only. Employees can also request access to anything requiring other scopes. 
This is a great way to enable users to perform their jobs, while preventing them from accidentally exposing themselves or the wider organization to unnecessary risk.",[],{},{"nodeType":1385,"data":1449,"content":1453},{"target":1450},{"sys":1451},{"id":1452,"type":1364,"linkType":1365},"44NsMwlLpX4qnZP94GyTSO",[],{"nodeType":1294,"data":1455,"content":1456},{},[1457],{"nodeType":1293,"value":1458,"marks":1459,"data":1460},"When configuring the above for the first time, Microsoft provides a list of 5 scopes:",[],{},{"nodeType":1462,"data":1463,"content":1464},"table",{},[1465,1490,1513,1536,1559],{"nodeType":1466,"data":1467,"content":1468},"table-row",{},[1469,1480],{"nodeType":1470,"data":1471,"content":1472},"table-cell",{},[1473],{"nodeType":1294,"data":1474,"content":1475},{},[1476],{"nodeType":1293,"value":1477,"marks":1478,"data":1479},"profile",[],{},{"nodeType":1470,"data":1481,"content":1482},{},[1483],{"nodeType":1294,"data":1484,"content":1485},{},[1486],{"nodeType":1293,"value":1487,"marks":1488,"data":1489},"View user's basic profile",[],{},{"nodeType":1466,"data":1491,"content":1492},{},[1493,1503],{"nodeType":1470,"data":1494,"content":1495},{},[1496],{"nodeType":1294,"data":1497,"content":1498},{},[1499],{"nodeType":1293,"value":1500,"marks":1501,"data":1502},"openid",[],{},{"nodeType":1470,"data":1504,"content":1505},{},[1506],{"nodeType":1294,"data":1507,"content":1508},{},[1509],{"nodeType":1293,"value":1510,"marks":1511,"data":1512},"Sign users in",[],{},{"nodeType":1466,"data":1514,"content":1515},{},[1516,1526],{"nodeType":1470,"data":1517,"content":1518},{},[1519],{"nodeType":1294,"data":1520,"content":1521},{},[1522],{"nodeType":1293,"value":1523,"marks":1524,"data":1525},"email",[],{},{"nodeType":1470,"data":1527,"content":1528},{},[1529],{"nodeType":1294,"data":1530,"content":1531},{},[1532],{"nodeType":1293,"value":1533,"marks":1534,"data":1535},"View user's email 
address",[],{},{"nodeType":1466,"data":1537,"content":1538},{},[1539,1549],{"nodeType":1470,"data":1540,"content":1541},{},[1542],{"nodeType":1294,"data":1543,"content":1544},{},[1545],{"nodeType":1293,"value":1546,"marks":1547,"data":1548},"User.Read",[],{},{"nodeType":1470,"data":1550,"content":1551},{},[1552],{"nodeType":1294,"data":1553,"content":1554},{},[1555],{"nodeType":1293,"value":1556,"marks":1557,"data":1558},"Sign in and read user profile",[],{},{"nodeType":1466,"data":1560,"content":1561},{},[1562,1572],{"nodeType":1470,"data":1563,"content":1564},{},[1565],{"nodeType":1294,"data":1566,"content":1567},{},[1568],{"nodeType":1293,"value":1569,"marks":1570,"data":1571},"Offline_access",[],{},{"nodeType":1470,"data":1573,"content":1574},{},[1575],{"nodeType":1294,"data":1576,"content":1577},{},[1578],{"nodeType":1293,"value":1579,"marks":1580,"data":1581},"Maintain access to data you have given it access to (refresh tokens)",[],{},{"nodeType":1294,"data":1583,"content":1584},{},[1585],{"nodeType":1293,"value":1586,"marks":1587,"data":1588},"The above scopes are the minimum required to enable social logins to take place, and would cover a good amount of apps that only require basic information for account creation purposes. 
",[],{},{"nodeType":1294,"data":1590,"content":1591},{},[1592],{"nodeType":1293,"value":1593,"marks":1594,"data":1595},"If you’d like to go a step further, you should also consider approving the following to allow users to integrate these relatively common scopes from verified apps:",[],{},{"nodeType":1462,"data":1597,"content":1598},{},[1599,1622,1645,1668,1691,1714,1737,1760,1783,1806,1829],{"nodeType":1466,"data":1600,"content":1601},{},[1602,1612],{"nodeType":1470,"data":1603,"content":1604},{},[1605],{"nodeType":1294,"data":1606,"content":1607},{},[1608],{"nodeType":1293,"value":1609,"marks":1610,"data":1611},"Calendars.Read",[],{},{"nodeType":1470,"data":1613,"content":1614},{},[1615],{"nodeType":1294,"data":1616,"content":1617},{},[1618],{"nodeType":1293,"value":1619,"marks":1620,"data":1621},"Read user calendars",[],{},{"nodeType":1466,"data":1623,"content":1624},{},[1625,1635],{"nodeType":1470,"data":1626,"content":1627},{},[1628],{"nodeType":1294,"data":1629,"content":1630},{},[1631],{"nodeType":1293,"value":1632,"marks":1633,"data":1634},"Calendars.ReadWrite",[],{},{"nodeType":1470,"data":1636,"content":1637},{},[1638],{"nodeType":1294,"data":1639,"content":1640},{},[1641],{"nodeType":1293,"value":1642,"marks":1643,"data":1644},"Have full access to user calendars",[],{},{"nodeType":1466,"data":1646,"content":1647},{},[1648,1658],{"nodeType":1470,"data":1649,"content":1650},{},[1651],{"nodeType":1294,"data":1652,"content":1653},{},[1654],{"nodeType":1293,"value":1655,"marks":1656,"data":1657},"Calendars.ReadWrite.Shared",[],{},{"nodeType":1470,"data":1659,"content":1660},{},[1661],{"nodeType":1294,"data":1662,"content":1663},{},[1664],{"nodeType":1293,"value":1665,"marks":1666,"data":1667},"Read and write user and shared 
calendars",[],{},{"nodeType":1466,"data":1669,"content":1670},{},[1671,1681],{"nodeType":1470,"data":1672,"content":1673},{},[1674],{"nodeType":1294,"data":1675,"content":1676},{},[1677],{"nodeType":1293,"value":1678,"marks":1679,"data":1680},"Contacts.Read",[],{},{"nodeType":1470,"data":1682,"content":1683},{},[1684],{"nodeType":1294,"data":1685,"content":1686},{},[1687],{"nodeType":1293,"value":1688,"marks":1689,"data":1690},"Read user contacts",[],{},{"nodeType":1466,"data":1692,"content":1693},{},[1694,1704],{"nodeType":1470,"data":1695,"content":1696},{},[1697],{"nodeType":1294,"data":1698,"content":1699},{},[1700],{"nodeType":1293,"value":1701,"marks":1702,"data":1703},"Contacts.Read.Shared",[],{},{"nodeType":1470,"data":1705,"content":1706},{},[1707],{"nodeType":1294,"data":1708,"content":1709},{},[1710],{"nodeType":1293,"value":1711,"marks":1712,"data":1713},"Read user and shared contacts",[],{},{"nodeType":1466,"data":1715,"content":1716},{},[1717,1727],{"nodeType":1470,"data":1718,"content":1719},{},[1720],{"nodeType":1294,"data":1721,"content":1722},{},[1723],{"nodeType":1293,"value":1724,"marks":1725,"data":1726},"Contacts.ReadWrite",[],{},{"nodeType":1470,"data":1728,"content":1729},{},[1730],{"nodeType":1294,"data":1731,"content":1732},{},[1733],{"nodeType":1293,"value":1734,"marks":1735,"data":1736},"Have full access to user contacts",[],{},{"nodeType":1466,"data":1738,"content":1739},{},[1740,1750],{"nodeType":1470,"data":1741,"content":1742},{},[1743],{"nodeType":1294,"data":1744,"content":1745},{},[1746],{"nodeType":1293,"value":1747,"marks":1748,"data":1749},"Contacts.ReadWrite.Shared",[],{},{"nodeType":1470,"data":1751,"content":1752},{},[1753],{"nodeType":1294,"data":1754,"content":1755},{},[1756],{"nodeType":1293,"value":1757,"marks":1758,"data":1759},"Read and write user and shared 
contacts",[],{},{"nodeType":1466,"data":1761,"content":1762},{},[1763,1773],{"nodeType":1470,"data":1764,"content":1765},{},[1766],{"nodeType":1294,"data":1767,"content":1768},{},[1769],{"nodeType":1293,"value":1770,"marks":1771,"data":1772},"People.Read",[],{},{"nodeType":1470,"data":1774,"content":1775},{},[1776],{"nodeType":1294,"data":1777,"content":1778},{},[1779],{"nodeType":1293,"value":1780,"marks":1781,"data":1782},"Read users' relevant people lists",[],{},{"nodeType":1466,"data":1784,"content":1785},{},[1786,1796],{"nodeType":1470,"data":1787,"content":1788},{},[1789],{"nodeType":1294,"data":1790,"content":1791},{},[1792],{"nodeType":1293,"value":1793,"marks":1794,"data":1795},"Files.Read.Selected",[],{},{"nodeType":1470,"data":1797,"content":1798},{},[1799],{"nodeType":1294,"data":1800,"content":1801},{},[1802],{"nodeType":1293,"value":1803,"marks":1804,"data":1805},"Read files that the user selects",[],{},{"nodeType":1466,"data":1807,"content":1808},{},[1809,1819],{"nodeType":1470,"data":1810,"content":1811},{},[1812],{"nodeType":1294,"data":1813,"content":1814},{},[1815],{"nodeType":1293,"value":1816,"marks":1817,"data":1818},"Files.ReadWrite.Selected",[],{},{"nodeType":1470,"data":1820,"content":1821},{},[1822],{"nodeType":1294,"data":1823,"content":1824},{},[1825],{"nodeType":1293,"value":1826,"marks":1827,"data":1828},"Read and write files that the user selects",[],{},{"nodeType":1466,"data":1830,"content":1831},{},[1832,1842],{"nodeType":1470,"data":1833,"content":1834},{},[1835],{"nodeType":1294,"data":1836,"content":1837},{},[1838],{"nodeType":1293,"value":1839,"marks":1840,"data":1841},"User.ReadWrite",[],{},{"nodeType":1470,"data":1843,"content":1844},{},[1845],{"nodeType":1294,"data":1846,"content":1847},{},[1848],{"nodeType":1293,"value":1849,"marks":1850,"data":1851},"Read and write access to user profile",[],{},{"nodeType":1294,"data":1853,"content":1854},{},[1855],{"nodeType":1293,"value":1856,"marks":1857,"data":1858},"We’ve determined 
these scopes to be relatively low-risk, but this would depend on the risk appetite of your organization. Pre-approving the scopes will go a long way towards enabling your users to make use of SaaS apps without raising unnecessary approval requests from your IT or security team.",[],{},{"nodeType":1336,"data":1860,"content":1861},{},[1862],{"nodeType":1293,"value":1863,"marks":1864,"data":1865},"Unverified apps",[],{},{"nodeType":1344,"data":1867,"content":1868},{},[1869],{"nodeType":1293,"value":1348,"marks":1870,"data":1871},[],{},{"nodeType":1294,"data":1873,"content":1874},{},[1875,1879,1888,1892,1901],{"nodeType":1293,"value":1876,"marks":1877,"data":1878},"First, let’s define what causes an app to be classified as unverified. When you see an app in your tenant that’s marked as unverified, it means that the tenant that publishes the app has not gone through the ",[],{},{"nodeType":1420,"data":1880,"content":1882},{"uri":1881},"https://learn.microsoft.com/en-gb/azure/active-directory/develop/publisher-verification-overview",[1883],{"nodeType":1293,"value":1884,"marks":1885,"data":1887},"Publisher Verification",[1886],{"type":1371},{},{"nodeType":1293,"value":1889,"marks":1890,"data":1891}," process. Going through the verification process requires the publisher to have a Microsoft Partner Network (MPN) account, which typically involves ",[],{},{"nodeType":1420,"data":1893,"content":1895},{"uri":1894},"https://learn.microsoft.com/en-us/partner-center/verification-responses",[1896],{"nodeType":1293,"value":1897,"marks":1898,"data":1900},"verifying",[1899],{"type":1371},{},{"nodeType":1293,"value":1902,"marks":1903,"data":1904}," their business address, email address, and a few additional due diligence tasks. 
",[],{},{"nodeType":1294,"data":1906,"content":1907},{},[1908],{"nodeType":1293,"value":1909,"marks":1910,"data":1911},"While I’m sure this is not a 100% infallible process, at the very least it provides you with the confidence that someone at Microsoft had reached out to the company and spoken to someone who claims they are who they say they are. This is opposed to a random person creating a Microsoft Azure tenant and marking their app as being published by Adobe, as an example.",[],{},{"nodeType":1294,"data":1913,"content":1914},{},[1915],{"nodeType":1293,"value":1916,"marks":1917,"data":1918},"At Push, we’ve noticed plenty of unverified apps published by legitimate vendors. This could be related to vendors having multiple tenants, and not having completed the verification process across all yet. As an example, we have a few of Adobe’s apps for Microsoft 365:",[],{},{"nodeType":1385,"data":1920,"content":1924},{"target":1921},{"sys":1922},{"id":1923,"type":1364,"linkType":1365},"4eDWZKrMau1AfU4pXgOW42",[],{"nodeType":1294,"data":1926,"content":1927},{},[1928],{"nodeType":1293,"value":1929,"marks":1930,"data":1931},"In the above image, we have a verified app from Adobe, Inc. We know this due to the ‘Verified Publisher’ attribute that is included when parsing the information provided by Microsoft. We can also see that the only reply url is one associated directly with Adobe – adobe.com. Next, we have an unverified app:",[],{},{"nodeType":1385,"data":1933,"content":1937},{"target":1934},{"sys":1935},{"id":1936,"type":1364,"linkType":1365},"5e5RhdYiMh0Q3CZzmNoRDI",[],{"nodeType":1294,"data":1939,"content":1940},{},[1941],{"nodeType":1293,"value":1942,"marks":1943,"data":1944},"This app does not include the ‘verified publisher’ attribute when reading the information provided by Microsoft. 
However, the app only has one reply url, and this is again a subdomain of adobe.com.",[],{},{"nodeType":1294,"data":1946,"content":1947},{},[1948],{"nodeType":1293,"value":1949,"marks":1950,"data":1951},"The takeaway here is that not all unverified apps are malicious. More often than not it’s related to the vendor not having gone through the verification process, but this means it unfortunately becomes the security team’s burden to figure out.",[],{},{"nodeType":1344,"data":1953,"content":1954},{},[1955],{"nodeType":1293,"value":1395,"marks":1956,"data":1957},[],{},{"nodeType":1294,"data":1959,"content":1960},{},[1961],{"nodeType":1293,"value":1962,"marks":1963,"data":1964},"At Push, we attempt to review every application we come across to determine if it's legit and whether it belongs to the vendor it claims to originate from. There are multiple ways to do this, but as a general rule of thumb if all the app’s reply urls are associated with the vendor, you are good. You can perform an integration from the app’s website to verify that the particular app ID (seen in the metadata tag above) is the one you are looking at in your environment.",[],{},{"nodeType":1336,"data":1966,"content":1967},{},[1968],{"nodeType":1293,"value":1969,"marks":1970,"data":1971},"Apps with excessive privileges",[],{},{"nodeType":1344,"data":1973,"content":1974},{},[1975],{"nodeType":1293,"value":1348,"marks":1976,"data":1977},[],{},{"nodeType":1294,"data":1979,"content":1980},{},[1981],{"nodeType":1293,"value":1982,"marks":1983,"data":1984},"When you first start doing deep dives on permissions associated with apps in your environment, you find yourself looking at some apps and wonder out loud “we’re granting this vendor access to what?!",[],{},{"nodeType":1294,"data":1986,"content":1987},{},[1988],{"nodeType":1293,"value":1989,"marks":1990,"data":1991},"It’s a totally normal response, but don't worry, we’re here to help. 
Let’s take diagrams.net as an example:",[],{},{"nodeType":1385,"data":1993,"content":1997},{"target":1994},{"sys":1995},{"id":1996,"type":1364,"linkType":1365},"7DcPUSZ0nDYKmIy4E9xEHs",[],{"nodeType":1294,"data":1999,"content":2000},{},[2001],{"nodeType":1293,"value":2002,"marks":2003,"data":2004},"At first glance this doesn’t seem too bad. For the purposes of this example, let’s say the app was approved by 49 users. That means if diagrams.net got compromised, an attacker would potentially have access to 49 of your users’ OneDrive files. “That’s OK!” you say. “This will only affect a handful of files they’ve been working on locally. Our policy specifies that any company data, specifically data containing PII, be stored in SharePoint.”",[],{},{"nodeType":1294,"data":2006,"content":2007},{},[2008,2012,2017],{"nodeType":1293,"value":2009,"marks":2010,"data":2011},"And then comes the part where you notice the following permission: ",[],{},{"nodeType":1293,"value":2013,"marks":2014,"data":2016},"Sites.Read.All",[2015],{"type":312},{},{"nodeType":1293,"value":2018,"marks":2019,"data":2020},". This permission gives the application the ability to read every file across all SharePoint sites in your organization (that those users have permission to access). Suddenly the scope of data access is much larger than you hoped.",[],{},{"nodeType":1344,"data":2022,"content":2023},{},[2024],{"nodeType":1293,"value":1395,"marks":2025,"data":2026},[],{},{"nodeType":1294,"data":2028,"content":2029},{},[2030],{"nodeType":1293,"value":2031,"marks":2032,"data":2033},"When faced with the dilemma of granting apps access to resources within your organization, the best course of action is to do a risk assessment.",[],{},{"nodeType":1294,"data":2035,"content":2036},{},[2037,2041,2050,2054,2063],{"nodeType":1293,"value":2038,"marks":2039,"data":2040},"This requires some good ol’ googling and reviewing the security policies of the app’s creator. 
You ideally also want to know who they use to process your data. Through this process, I found a ",[],{},{"nodeType":1420,"data":2042,"content":2044},{"uri":2043},"https://www.diagrams.net/blog/data-protection",[2045],{"nodeType":1293,"value":2046,"marks":2047,"data":2049},"blog post",[2048],{"type":1371},{},{"nodeType":1293,"value":2051,"marks":2052,"data":2053}," on diagrams.net detailing their approach to security and user privacy. They do make note that they don’t ",[],{},{"nodeType":1420,"data":2055,"content":2057},{"uri":2056},"https://www.diagrams.net/blog/data-protection#:~:text=Because%20your%20sensitive%20diagram%20data%20doesn%E2%80%99t%20leave%20your%20infrastructure%20and%20is%20never%20stored%20on%20the%20diagrams.net%20servers%2C%20diagrams.net%20is%20a%20tool%20which%20lets%20you%20comply%20with%20data%20protection%20certifications%20(ISO%2027000%2C%2027001%20and%2027002)%20and%20the%20GDPR.",[2058],{"nodeType":1293,"value":2059,"marks":2060,"data":2062},"store any sensitive customer data on their servers",[2061],{"type":1371},{},{"nodeType":1293,"value":2064,"marks":2065,"data":2066},", and thus let you comply with GDPR, ISO 2700* etc. certifications if you use their services.",[],{},{"nodeType":1294,"data":2068,"content":2069},{},[2070],{"nodeType":1293,"value":2071,"marks":2072,"data":2073},"While this is great from a tick-box exercise perspective, this doesn’t address the original concern – how much risk are you taking on by letting their app integrate with your environment? 
What could an attacker who compromises diagrams.net have access to and how do you lessen the risk while still allowing employees to use the app?",[],{},{"nodeType":1294,"data":2075,"content":2076},{},[2077,2081,2090],{"nodeType":1293,"value":2078,"marks":2079,"data":2080},"Further in the same blog post, they link to a GitHub ",[],{},{"nodeType":1420,"data":2082,"content":2084},{"uri":2083},"https://github.com/jgraph/security-privacy-legal",[2085],{"nodeType":1293,"value":2086,"marks":2087,"data":2089},"repository",[2088],{"type":1371},{},{"nodeType":1293,"value":2091,"marks":2092,"data":2093}," that contains their security and privacy processes, policies, and even some pentest reports. They do a great job of including this information, by the way, so cheers to diagrams.net!",[],{},{"nodeType":1294,"data":2095,"content":2096},{},[2097],{"nodeType":1293,"value":2098,"marks":2099,"data":2100},"At this point you should have a better understanding of the security of the vendor you’re integrating into your organization, and whether it’s okay to accept the risk. Documenting and adding the information you found to your risk register is also a good idea. Likely, you’ll be taking this information to your Information Security Manager for risk acceptance. ",[],{},{"nodeType":1294,"data":2102,"content":2103},{},[2104],{"nodeType":1293,"value":2105,"marks":2106,"data":2107},"We’re working on ways to provide this information to our clients through the Push app dashboard in future, too. Sign up or subscribe to our blog to get product updates when features like this are introduced. 
",[],{},{"nodeType":1336,"data":2109,"content":2110},{},[2111],{"nodeType":1293,"value":2112,"marks":2113,"data":2114},"Hijackable urls and implicit grant flow",[],{},{"nodeType":1344,"data":2116,"content":2117},{},[2118],{"nodeType":1293,"value":1348,"marks":2119,"data":2120},[],{},{"nodeType":1294,"data":2122,"content":2123},{},[2124,2129,2139,2144,2154],{"nodeType":1293,"value":2125,"marks":2126,"data":2128},"Developer side note: The implicit grant flow is no longer recommended due to security-related concerns and that it won’t function where ",[2127],{"type":312},{},{"nodeType":1420,"data":2130,"content":2132},{"uri":2131},"https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-third-party-cookies-spas#:~:text=Many%20browsers%20block%20third%2Dparty%20cookies%2C%20cookies%20on%20requests%20to%20domains%20other%20than%20the%20domain%20shown%20in%20the%20browser%27s%20address%20bar.%20This%20block%20breaks%20the%20implicit%20flow%20and%20requires%20new%20authentication%20patterns%20to%20successfully%20sign%20in%20users.",[2133],{"nodeType":1293,"value":2134,"marks":2135,"data":2138},"3rd party cookies are blocked in browsers",[2136,2137],{"type":1371},{"type":312},{},{"nodeType":1293,"value":2140,"marks":2141,"data":2143},". 
Instead, you should switch to using the ",[2142],{"type":312},{},{"nodeType":1420,"data":2145,"content":2147},{"uri":2146},"https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow",[2148],{"nodeType":1293,"value":2149,"marks":2150,"data":2153},"authorization code flow",[2151,2152],{"type":1371},{"type":312},{},{"nodeType":1293,"value":2155,"marks":2156,"data":2158}," if applicable to your requirements.",[2157],{"type":312},{},{"nodeType":1294,"data":2160,"content":2161},{},[2162,2166,2175],{"nodeType":1293,"value":2163,"marks":2164,"data":2165},"Let’s quickly go over how OAuth2’s implicit grant flow works so you can better understand how to spot potentially risky apps and integrations, and why this can result in a security concern. Microsoft provides a great ",[],{},{"nodeType":1420,"data":2167,"content":2169},{"uri":2168},"https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-implicit-grant-flow",[2170],{"nodeType":1293,"value":2171,"marks":2172,"data":2174},"breakdown",[2173],{"type":1371},{},{"nodeType":1293,"value":2176,"marks":2177,"data":2178}," of the implicit grant flow, however for the purposes of brevity (and simplicity), it does the following:",[],{},{"nodeType":2180,"data":2181,"content":2182},"ordered-list",{},[2183,2194,2204,2214,2224],{"nodeType":2184,"data":2185,"content":2186},"list-item",{},[2187],{"nodeType":1294,"data":2188,"content":2189},{},[2190],{"nodeType":1293,"value":2191,"marks":2192,"data":2193},"A user goes to a web app and clicks a login link",[],{},{"nodeType":2184,"data":2195,"content":2196},{},[2197],{"nodeType":1294,"data":2198,"content":2199},{},[2200],{"nodeType":1293,"value":2201,"marks":2202,"data":2203},"The web app redirects the user to authenticate and authorize the app. 
This is performed against your identity provider (in this example, Microsoft)",[],{},{"nodeType":2184,"data":2205,"content":2206},{},[2207],{"nodeType":1294,"data":2208,"content":2209},{},[2210],{"nodeType":1293,"value":2211,"marks":2212,"data":2213},"If this is the first time authorizing the app, the user is presented with a list of scopes (permissions) the app will need access to, and the user clicks “approve”",[],{},{"nodeType":2184,"data":2215,"content":2216},{},[2217],{"nodeType":1294,"data":2218,"content":2219},{},[2220],{"nodeType":1293,"value":2221,"marks":2222,"data":2223},"This responds with a token to one of the hard-coded reply urls associated with the app integration (e.g. https://apps.diagrams.net/microsoft as with the ‘Apps with excessive privileges’ example)",[],{},{"nodeType":2184,"data":2225,"content":2226},{},[2227],{"nodeType":1294,"data":2228,"content":2229},{},[2230],{"nodeType":1293,"value":2231,"marks":2232,"data":2233},"The app uses the token to access the user’s resources with the permissions approved in step 3",[],{},{"nodeType":1294,"data":2235,"content":2236},{},[2237],{"nodeType":1293,"value":2238,"marks":2239,"data":2240},"Based on the flow above, if an attacker gets their hands on the token from step 4, they can perform requests as the user, granting them access to your resources. To get the token, you need to control one of the hardcoded reply url endpoints, and convince a user to authenticate to the app – perhaps via a phishing attack.",[],{},{"nodeType":1294,"data":2242,"content":2243},{},[2244],{"nodeType":1293,"value":2245,"marks":2246,"data":2247},"As an example, some of the apps we’ve reviewed contained reply urls which were subdomains of azurewebsites.net and ngrok.io. These urls don’t appear problematic at first. However, the urls could have been used during the development process, and were forgotten about at the conclusion of the project. 
During the review process we follow at Push, we found multiple examples of such urls that were no longer in use.",[],{},{"nodeType":1294,"data":2249,"content":2250},{},[2251,2255,2264],{"nodeType":1293,"value":2252,"marks":2253,"data":2254},"This could allow an attacker to register the urls and perform phishing attacks against organizations that use these particular apps, granting the attacker access to previously approved scopes and resources. The outcome of this attack would be similar to ",[],{},{"nodeType":1420,"data":2256,"content":2258},{"uri":2257},"https://www.oauth.com/oauth2-servers/authorization/security-considerations/#:~:text=Redirect%20URL%20Manipulation",[2259],{"nodeType":1293,"value":2260,"marks":2261,"data":2263},"redirect URL manipulation",[2262],{"type":1371},{},{"nodeType":1293,"value":2265,"marks":2266,"data":2267},", but instead of taking advantage of an open or misconfigured redirect, the attacker is in control of the endpoint where the token ends up.",[],{},{"nodeType":1294,"data":2269,"content":2270},{},[2271,2275,2283],{"nodeType":1293,"value":2272,"marks":2273,"data":2274},"How would you even go about detecting if an app makes use of the implicit grant flow? This requires getting your hands dirty with making authorization requests to your tenant for the specific app ID, and passing the “response_type=token” parameter in the url. This should return an error if the app is not configured with the implicit grant flow. 
If you’d like to test this yourself, you can follow the “Run in Postman” link at the top of ",[],{},{"nodeType":1420,"data":2276,"content":2277},{"uri":2168},[2278],{"nodeType":1293,"value":2279,"marks":2280,"data":2282},"this article",[2281],{"type":1371},{},{"nodeType":1293,"value":2284,"marks":2285,"data":2286}," to make this process a bit easier.",[],{},{"nodeType":1294,"data":2288,"content":2289},{},[2290],{"nodeType":1293,"value":2291,"marks":2292,"data":2293},"Another example of a hijackable url includes dangling DNS records. Let’s say your app includes a reply url pointing to a legacy server used for development (e.g. apptesting-dev.ctrlaltsecure.com). This server was hosted on an EC2 instance in AWS, and has long since been decommissioned. However, the DNS record is still pointing to the IP address that was associated with the instance. A determined attacker could potentially gain access to the IP address by spinning up resources until it’s assigned to them.",[],{},{"nodeType":1294,"data":2295,"content":2296},{},[2297,2301,2310,2314,2323],{"nodeType":1293,"value":2298,"marks":2299,"data":2300},"OWASP has ",[],{},{"nodeType":1420,"data":2302,"content":2304},{"uri":2303},"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/10-Test_for_Subdomain_Takeover",[2305],{"nodeType":1293,"value":2306,"marks":2307,"data":2309},"published an article",[2308],{"type":1371},{},{"nodeType":1293,"value":2311,"marks":2312,"data":2313}," and HackerOne ",[],{},{"nodeType":1420,"data":2315,"content":2317},{"uri":2316},"https://www.hackerone.com/application-security/guide-subdomain-takeovers",[2318],{"nodeType":1293,"value":2319,"marks":2320,"data":2322},"posted a guide",[2321],{"type":1371},{},{"nodeType":1293,"value":2324,"marks":2325,"data":2326}," highlighting ways to take over subdomains, and it’s very easy to 
overlook.",[],{},{"nodeType":1344,"data":2328,"content":2329},{},[2330],{"nodeType":1293,"value":1395,"marks":2331,"data":2332},[],{},{"nodeType":1294,"data":2334,"content":2335},{},[2336],{"nodeType":1293,"value":2337,"marks":2338,"data":2339},"Unfortunately there is no elegant solution to this problem, and it’s not easy to spot as you would need to review each url to see if it’s still in use, in addition to figuring out if the app makes use of the implicit grant flow. Even then, is the active url being used by the developer, or has an attacker already claimed it?",[],{},{"nodeType":1294,"data":2341,"content":2342},{},[2343],{"nodeType":1293,"value":2344,"marks":2345,"data":2346},"The best course of action here is likely to make use of a proxy that prevents users from accessing unclassified urls, or urls with a low reputation. However, you will risk breaking applications and making your developers angry. This also does not solve the dangling DNS issue, as with the EC2 instance problem above.",[],{},{"nodeType":1294,"data":2348,"content":2349},{},[2350],{"nodeType":1293,"value":2351,"marks":2352,"data":2353},"Another option is to contact the vendors of apps that you’ve noticed including such urls and ask them to remove the stale entries from their apps.",[],{},{"nodeType":1336,"data":2355,"content":2356},{},[2357],{"nodeType":1293,"value":2358,"marks":2359,"data":2360},"You think you’ve been compromised. 
Now what?",[],{},{"nodeType":1294,"data":2362,"content":2363},{},[2364],{"nodeType":1293,"value":2365,"marks":2366,"data":2367},"\nRegardless of the method of compromise, there’s a few steps you can take to review what happened and to prevent further access into your environment.",[],{},{"nodeType":1344,"data":2369,"content":2370},{},[2371],{"nodeType":1293,"value":2372,"marks":2373,"data":2374},"Review app sign-in logs",[],{},{"nodeType":1294,"data":2376,"content":2377},{},[2378,2382,2391],{"nodeType":1293,"value":2379,"marks":2380,"data":2381},"In Azure Active Directory, head to ",[],{},{"nodeType":1420,"data":2383,"content":2385},{"uri":2384},"https://portal.azure.com/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppAppsPreview/menuId~/null",[2386],{"nodeType":1293,"value":2387,"marks":2388,"data":2390},"Enterprise applications",[2389],{"type":1371},{},{"nodeType":1293,"value":2392,"marks":2393,"data":2394}," and click on the app you want to review. In the new window, click on sign-in logs. You will be presented with a list of user sign-ins (interactive and non-interactive), service principal sign-ins, and managed identity sign-ins.",[],{},{"nodeType":1385,"data":2396,"content":2400},{"target":2397},{"sys":2398},{"id":2399,"type":1364,"linkType":1365},"2L7vf2zjZBelGMJSjP2inY",[],{"nodeType":1294,"data":2402,"content":2403},{},[2404],{"nodeType":1293,"value":2405,"marks":2406,"data":2407},"What you typically need to look for is non-interactive user sign-in logs. Non-interactive sign-ins are related to login events performed on behalf of a user where usernames and passwords were not used (read: tokens). You want to review the sign-ins to determine if there were authentication events from IP addresses unrelated to normal employee activity, which can include discrepancies in geographical locations, and out-of-hours activity. 
Service principal sign-ins would also be of interest, however it would be more difficult to determine odd behavior as you wouldn’t have user sign-ins to compare with.",[],{},{"nodeType":1294,"data":2409,"content":2410},{},[2411,2415,2423],{"nodeType":1293,"value":2412,"marks":2413,"data":2414},"You could also review Azure’s ",[],{},{"nodeType":1420,"data":2416,"content":2418},{"uri":2417},"https://portal.azure.com/#view/Microsoft_AAD_IAM/SecurityMenuBlade/~/RiskySignIns",[2419],{"nodeType":1293,"value":2420,"marks":2421,"data":2422},"risky sign-ins ",[],{},{"nodeType":1293,"value":2424,"marks":2425,"data":2426},"page, as these issues are likely to show up already classified. Just make sure your filters include non-interactive sign-in methods.",[],{},{"nodeType":1344,"data":2428,"content":2429},{},[2430],{"nodeType":1293,"value":2431,"marks":2432,"data":2433},"Review app audit logs",[],{},{"nodeType":1294,"data":2435,"content":2436},{},[2437],{"nodeType":1293,"value":2438,"marks":2439,"data":2440},"In the same window underneath sign-in logs, you’ll find the audit logs section. Audit logs will provide you with crucial information relating to when an app was integrated, by who, and which permissions were delegated.",[],{},{"nodeType":1385,"data":2442,"content":2446},{"target":2443},{"sys":2444},{"id":2445,"type":1364,"linkType":1365},"5HRLoa9zlIWZdZGLN84Yae",[],{"nodeType":1344,"data":2448,"content":2449},{},[2450],{"nodeType":1293,"value":2451,"marks":2452,"data":2453},"Disable the app",[],{},{"nodeType":1294,"data":2455,"content":2456},{},[2457],{"nodeType":1293,"value":2458,"marks":2459,"data":2460},"If you’ve determined that an app was involved in an incident, the first step would be to disable the app to prevent malicious actors from performing any further authentication. 
Under the application’s properties, change the setting “Enable for users to sign-in?” from “Yes” to “No”, followed by clicking “Save.”",[],{},{"nodeType":1385,"data":2462,"content":2466},{"target":2463},{"sys":2464},{"id":2465,"type":1364,"linkType":1365},"12NnJ8OhD3K27rFRJ48t6a",[],{"nodeType":1344,"data":2468,"content":2469},{},[2470],{"nodeType":1293,"value":2471,"marks":2472,"data":2473},"Revoke all refresh tokens",[],{},{"nodeType":1294,"data":2475,"content":2476},{},[2477,2481,2490,2494,2503,2507,2516],{"nodeType":1293,"value":2478,"marks":2479,"data":2480},"Disabling the app is not enough to prevent attackers from maintaining access to your environment. ",[],{},{"nodeType":1420,"data":2482,"content":2484},{"uri":2483},"https://learn.microsoft.com/en-us/azure/active-directory/develop/refresh-tokens",[2485],{"nodeType":1293,"value":2486,"marks":2487,"data":2489},"Refresh tokens",[2488],{"type":1371},{},{"nodeType":1293,"value":2491,"marks":2492,"data":2493}," provide a way for apps to retrieve new access tokens without bugging users with pesky sign-in screens. 
Access tokens are typically valid for ",[],{},{"nodeType":1420,"data":2495,"content":2497},{"uri":2496},"https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens#access-token-lifetime:~:text=The%20default%20lifetime%20of%20an%20access%20token%20is%20variable.%20When%20issued%2C%20the%20default%20lifetime%20of%20an%20access%20token%20is%20assigned%20a%20random%20value%20ranging%20between%2060%2D90%20minutes%20(75%20minutes%20on%20average).",[2498],{"nodeType":1293,"value":2499,"marks":2500,"data":2502},"60 to 90 minutes",[2501],{"type":1371},{},{"nodeType":1293,"value":2504,"marks":2505,"data":2506},", and if a refresh token has been issued, the token holder can keep requesting new access tokens for ",[],{},{"nodeType":1420,"data":2508,"content":2510},{"uri":2509},"https://learn.microsoft.com/en-us/azure/active-directory/develop/refresh-tokens#:~:text=The%20default%20lifetime%20for%20the%20refresh%20tokens%20is%2024%20hours%20for%20single%20page%20apps%20and%2090%20days%20for%20all%20other%20scenarios",[2511],{"nodeType":1293,"value":2512,"marks":2513,"data":2515},"up to 90 days",[2514],{"type":1371},{},{"nodeType":1293,"value":2517,"marks":2518,"data":2519},"! ",[],{},{"nodeType":1294,"data":2521,"content":2522},{},[2523],{"nodeType":1293,"value":2524,"marks":2525,"data":2526},"So, revoking refresh tokens is an important part of mitigation and recovery. This step can be performed with some PowerShell – luckily Microsoft provides pre-generated scripts for you to copy and paste. 
Click on ‘Permissions’ for the app, followed by ‘Review permissions.’ ",[],{},{"nodeType":1385,"data":2528,"content":2532},{"target":2529},{"sys":2530},{"id":2531,"type":1364,"linkType":1365},"7vuFmlmZbzfNhWHPj8ToHm",[],{"nodeType":1294,"data":2534,"content":2535},{},[2536],{"nodeType":1293,"value":2537,"marks":2538,"data":2539},"In the new window, click on ‘This application is malicious and I’m compromised.’ This will present you with the necessary PowerShell scripts to remove users from the app, revoke all permissions granted to the app, and finally to revoke refresh tokens associated with the app.",[],{},{"nodeType":1385,"data":2541,"content":2545},{"target":2542},{"sys":2543},{"id":2544,"type":1364,"linkType":1365},"4NnD6WKRHlnzKE0F4GUDEm",[],{"nodeType":1344,"data":2547,"content":2548},{},[2549],{"nodeType":1293,"value":2550,"marks":2551,"data":2552},"What to do if the initial access token was stolen",[],{},{"nodeType":1294,"data":2554,"content":2555},{},[2556],{"nodeType":1293,"value":2557,"marks":2558,"data":2559},"The initial access token cannot be revoked. In practice, if an attacker has managed to steal an access token it will be valid for the remainder of its lifespan, which is typically one hour. This is true even if the account is disabled, the compromised app deleted, and all refresh tokens revoked. 
If you’re responding to an incident, you will need to keep an eye on audit logs for an hour or more after performing the above steps to make sure the valid access token wasn’t still being used to perform actions in the environment.",[],{},{"nodeType":1294,"data":2561,"content":2562},{},[2563,2567,2576,2580,2589],{"nodeType":1293,"value":2564,"marks":2565,"data":2566},"Microsoft’s response to this was to develop something called ",[],{},{"nodeType":1420,"data":2568,"content":2570},{"uri":2569},"https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-continuous-access-evaluation",[2571],{"nodeType":1293,"value":2572,"marks":2573,"data":2575},"continuous access evaluation",[2574],{"type":1371},{},{"nodeType":1293,"value":2577,"marks":2578,"data":2579},". However, they admit in the article that it does not address a scenario where an attacker exfiltrated the token outside of a ",[],{},{"nodeType":1420,"data":2581,"content":2583},{"uri":2582},"https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-continuous-access-evaluation#:~:text=Token%20export%20to%20a%20machine%20outside%20of%20a%20trusted%20network%20can%20be%20prevented%20with%20Conditional%20Access%20location%20policies",[2584],{"nodeType":1293,"value":2585,"marks":2586,"data":2588},"trusted network",[2587],{"type":1371},{},{"nodeType":1293,"value":2590,"marks":2591,"data":2592},", in which case conditional access policy enforcement would be required to address the issue. 
Continuous access evaluation is ideal for handling specific cases of user access into the environment such as employee contract termination, or scenarios where conditional access policies are violated.",[],{},{"nodeType":1336,"data":2594,"content":2595},{},[2596],{"nodeType":1293,"value":2597,"marks":2598,"data":2599},"Conclusion",[],{},{"nodeType":1294,"data":2601,"content":2602},{},[2603],{"nodeType":1293,"value":2604,"marks":2605,"data":2606},"This article should have given you a better understanding of the most common issues presented when reviewing SaaS apps integrated into your environment. ",[],{},{"nodeType":1294,"data":2608,"content":2609},{},[2610],{"nodeType":1293,"value":2611,"marks":2612,"data":2613},"Determining whether using an app would result in compromise is not a simple task, especially if you haven’t observed malicious behavior. As such, the best course of action is to consider all angles, which include the business case of users requiring its use, the permission scopes, and whether the vendor’s security practices are in line with your requirements.",[],{},{"nodeType":1294,"data":2615,"content":2616},{},[2617],{"nodeType":1293,"value":2618,"marks":2619,"data":2620},"SaaS is a new(ish) frontier that can be really daunting to defend against attackers, but it's not impossible to reduce risk without simply blocking access to SaaS. 
And, remember: denying users access to tools will make them find ways around the limitations.",[],{},{"nodeType":1294,"data":2622,"content":2623},{},[2624],{"nodeType":1293,"value":2625,"marks":2626,"data":2627},"We hope this article helps you get a better handle on how to determine if you’ve been compromised, and respond to incidents involving SaaS apps and/or OAuth integrations to your core work platforms.",[],{},{"nodeType":1385,"data":2629,"content":2633},{"target":2630},{"sys":2631},{"id":2632,"type":1364,"linkType":1365},"2y0INxqAi594O7rCAVKhTI",[],{"nodeType":1294,"data":2635,"content":2636},{},[2637],{"nodeType":1293,"value":37,"marks":2638,"data":2639},[],{},"How attackers compromise Azure organizations through SaaS apps ","2023-01-03T00:00:00.000Z","how-attackers-compromise-azure-organizations-through-saas-apps",{"items":2644},[2645,2649],{"sys":2646,"name":2648},{"id":2647},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"sys":2650,"name":1310},{"id":1309},{"items":2652},[2653],{"fullName":2654,"firstName":2655,"jobTitle":2656,"profilePicture":2657},"Johann Scheepers","Johann","Senior Security Engineer",{"url":2658},"https://images.ctfassets.net/y1cdw1ablpvd/75IEOH93vR0hbvxuqTu1m3/f6222745ee6892ea07bc18727a5a5ae7/T016S22KZ96-U02LU3SKC2D-e1e755770536-512.png",{"__typename":1314,"sys":2660,"content":2662,"title":3396,"synopsis":3397,"hashTags":3398,"publishedDate":3400,"slug":3401,"tagsCollection":3402,"authorsCollection":3410},{"id":2661},"73JjdrO5GKRzYum97MqJ9q",{"json":2663},{"data":2664,"content":2665,"nodeType":1295},{},[2666,2683,2690,2734,2741,2786,2793,3153,3159,3165,3172,3179,3186,3192,3199,3206,3213,3220,3227,3234,3241,3248,3267,3274,3281,3288,3295,3302,3332,3339,3346,3353,3360,3367,3374,3378,3385,3390],{"data":2667,"content":2668,"nodeType":1294},{},[2669,2673,2679],{"data":2670,"marks":2671,"value":2672,"nodeType":1293},{},[],"Before we start, ",{"data":2674,"marks":2675,"value":2678,"nodeType":1293},{},[2676],{"type":2677},"bold","MFA with 
any method is better than no MFA at all",{"data":2680,"marks":2681,"value":2682,"nodeType":1293},{},[],". Although some methods are better than others, they're all leagues ahead of passwords alone. If, for whatever reason, you can only implement MFA using a weaker second factor, you should still do it. You can always improve later and you'll have made a significant improvement even with the weaker second factor.",{"data":2684,"content":2685,"nodeType":1294},{},[2686],{"data":2687,"marks":2688,"value":2689,"nodeType":1293},{},[],"So, how can one factor be better than others? Here's how we think about it:",{"data":2691,"content":2692,"nodeType":2733},{},[2693,2703,2713,2723],{"data":2694,"content":2695,"nodeType":2184},{},[2696],{"data":2697,"content":2698,"nodeType":1294},{},[2699],{"data":2700,"marks":2701,"value":2702,"nodeType":1293},{},[],"User experience: how easy is it to use?",{"data":2704,"content":2705,"nodeType":2184},{},[2706],{"data":2707,"content":2708,"nodeType":1294},{},[2709],{"data":2710,"marks":2711,"value":2712,"nodeType":1293},{},[],"Security: how easy is it for someone to compromise?",{"data":2714,"content":2715,"nodeType":2184},{},[2716],{"data":2717,"content":2718,"nodeType":1294},{},[2719],{"data":2720,"marks":2721,"value":2722,"nodeType":1293},{},[],"Cost: do you need to upgrade your SaaS license, or buy physical bits?",{"data":2724,"content":2725,"nodeType":2184},{},[2726],{"data":2727,"content":2728,"nodeType":1294},{},[2729],{"data":2730,"marks":2731,"value":2732,"nodeType":1293},{},[],"Support: how widely can it be used?","unordered-list",{"data":2735,"content":2736,"nodeType":1344},{},[2737],{"data":2738,"marks":2739,"value":2740,"nodeType":1293},{},[],"Just want the answers? 
",{"data":2742,"content":2743,"nodeType":2733},{},[2744,2754,2776],{"data":2745,"content":2746,"nodeType":2184},{},[2747],{"data":2748,"content":2749,"nodeType":1294},{},[2750],{"data":2751,"marks":2752,"value":2753,"nodeType":1293},{},[],"Using an app on your phone, like Microsoft or Google Authenticator, to receive notifications or use a one-time password are the top all-round options today - they're free, intuitive for users, relatively easy to set up, and widely supported. ",{"data":2755,"content":2756,"nodeType":2184},{},[2757],{"data":2758,"content":2759,"nodeType":1294},{},[2760,2764,2772],{"data":2761,"marks":2762,"value":2763,"nodeType":1293},{},[],"The gold standard is a FIDO2-capable security key, like the ",{"data":2765,"content":2767,"nodeType":1420},{"uri":2766},"https://www.yubico.com/products/yubikey-5-overview/",[2768],{"data":2769,"marks":2770,"value":2771,"nodeType":1293},{},[],"YubiKey 5 series",{"data":2773,"marks":2774,"value":2775,"nodeType":1293},{},[],", or a security key built-in to your device, like Touch ID  - it's the most secure, provides the best user experience, but has an upfront cost as each user will need a key or a compatible device. 
The main drawback today is they aren't supported on all platforms yet so might not be an option everywhere.",{"data":2777,"content":2778,"nodeType":2184},{},[2779],{"data":2780,"content":2781,"nodeType":1294},{},[2782],{"data":2783,"marks":2784,"value":2785,"nodeType":1293},{},[],"Factors that rely on your phone number, such as SMS and phone calls should be avoided if possible as they are the least secure and provide the worst user experience.",{"data":2787,"content":2788,"nodeType":1294},{},[2789],{"data":2790,"marks":2791,"value":2792,"nodeType":1293},{},[],"Here's a summary:",{"data":2794,"content":2795,"nodeType":1462},{},[2796,2850,2902,2952,3004,3053,3104],{"data":2797,"content":2798,"nodeType":1466},{},[2799,2810,2820,2830,2840],{"data":2800,"content":2801,"nodeType":2809},{},[2802],{"data":2803,"content":2804,"nodeType":1294},{},[2805],{"data":2806,"marks":2807,"value":2808,"nodeType":1293},{},[],"Method","table-header-cell",{"data":2811,"content":2812,"nodeType":2809},{},[2813],{"data":2814,"content":2815,"nodeType":1294},{},[2816],{"data":2817,"marks":2818,"value":2819,"nodeType":1293},{},[],"User experience",{"data":2821,"content":2822,"nodeType":2809},{},[2823],{"data":2824,"content":2825,"nodeType":1294},{},[2826],{"data":2827,"marks":2828,"value":2829,"nodeType":1293},{},[],"Security",{"data":2831,"content":2832,"nodeType":2809},{},[2833],{"data":2834,"content":2835,"nodeType":1294},{},[2836],{"data":2837,"marks":2838,"value":2839,"nodeType":1293},{},[],"Cost",{"data":2841,"content":2842,"nodeType":2809},{},[2843],{"data":2844,"content":2845,"nodeType":1294},{},[2846],{"data":2847,"marks":2848,"value":2849,"nodeType":1293},{},[],"Support",{"data":2851,"content":2852,"nodeType":1466},{},[2853,2863,2873,2882,2892],{"data":2854,"content":2855,"nodeType":1470},{},[2856],{"data":2857,"content":2858,"nodeType":1294},{},[2859],{"data":2860,"marks":2861,"value":2862,"nodeType":1293},{},[],"App 
Notification",{"data":2864,"content":2865,"nodeType":1470},{},[2866],{"data":2867,"content":2868,"nodeType":1294},{},[2869],{"data":2870,"marks":2871,"value":2872,"nodeType":1293},{},[],"Good",{"data":2874,"content":2875,"nodeType":1470},{},[2876],{"data":2877,"content":2878,"nodeType":1294},{},[2879],{"data":2880,"marks":2881,"value":2872,"nodeType":1293},{},[],{"data":2883,"content":2884,"nodeType":1470},{},[2885],{"data":2886,"content":2887,"nodeType":1294},{},[2888],{"data":2889,"marks":2890,"value":2891,"nodeType":1293},{},[],"Free",{"data":2893,"content":2894,"nodeType":1470},{},[2895],{"data":2896,"content":2897,"nodeType":1294},{},[2898],{"data":2899,"marks":2900,"value":2901,"nodeType":1293},{},[],"Widely supported",{"data":2903,"content":2904,"nodeType":1466},{},[2905,2915,2925,2934,2943],{"data":2906,"content":2907,"nodeType":1470},{},[2908],{"data":2909,"content":2910,"nodeType":1294},{},[2911],{"data":2912,"marks":2913,"value":2914,"nodeType":1293},{},[],"App code",{"data":2916,"content":2917,"nodeType":1470},{},[2918],{"data":2919,"content":2920,"nodeType":1294},{},[2921],{"data":2922,"marks":2923,"value":2924,"nodeType":1293},{},[],"Moderate",{"data":2926,"content":2927,"nodeType":1470},{},[2928],{"data":2929,"content":2930,"nodeType":1294},{},[2931],{"data":2932,"marks":2933,"value":2872,"nodeType":1293},{},[],{"data":2935,"content":2936,"nodeType":1470},{},[2937],{"data":2938,"content":2939,"nodeType":1294},{},[2940],{"data":2941,"marks":2942,"value":2891,"nodeType":1293},{},[],{"data":2944,"content":2945,"nodeType":1470},{},[2946],{"data":2947,"content":2948,"nodeType":1294},{},[2949],{"data":2950,"marks":2951,"value":2901,"nodeType":1293},{},[],{"data":2953,"content":2954,"nodeType":1466},{},[2955,2965,2975,2984,2994],{"data":2956,"content":2957,"nodeType":1470},{},[2958],{"data":2959,"content":2960,"nodeType":1294},{},[2961],{"data":2962,"marks":2963,"value":2964,"nodeType":1293},{},[],"Security key 
(external)",{"data":2966,"content":2967,"nodeType":1470},{},[2968],{"data":2969,"content":2970,"nodeType":1294},{},[2971],{"data":2972,"marks":2973,"value":2974,"nodeType":1293},{},[],"Best",{"data":2976,"content":2977,"nodeType":1470},{},[2978],{"data":2979,"content":2980,"nodeType":1294},{},[2981],{"data":2982,"marks":2983,"value":2974,"nodeType":1293},{},[],{"data":2985,"content":2986,"nodeType":1470},{},[2987],{"data":2988,"content":2989,"nodeType":1294},{},[2990],{"data":2991,"marks":2992,"value":2993,"nodeType":1293},{},[],"Expensive",{"data":2995,"content":2996,"nodeType":1470},{},[2997],{"data":2998,"content":2999,"nodeType":1294},{},[3000],{"data":3001,"marks":3002,"value":3003,"nodeType":1293},{},[],"Some platforms",{"data":3005,"content":3006,"nodeType":1466},{},[3007,3017,3026,3035,3044],{"data":3008,"content":3009,"nodeType":1470},{},[3010],{"data":3011,"content":3012,"nodeType":1294},{},[3013],{"data":3014,"marks":3015,"value":3016,"nodeType":1293},{},[],"Security key (internal)",{"data":3018,"content":3019,"nodeType":1470},{},[3020],{"data":3021,"content":3022,"nodeType":1294},{},[3023],{"data":3024,"marks":3025,"value":2974,"nodeType":1293},{},[],{"data":3027,"content":3028,"nodeType":1470},{},[3029],{"data":3030,"content":3031,"nodeType":1294},{},[3032],{"data":3033,"marks":3034,"value":2974,"nodeType":1293},{},[],{"data":3036,"content":3037,"nodeType":1470},{},[3038],{"data":3039,"content":3040,"nodeType":1294},{},[3041],{"data":3042,"marks":3043,"value":2891,"nodeType":1293},{},[],{"data":3045,"content":3046,"nodeType":1470},{},[3047],{"data":3048,"content":3049,"nodeType":1294},{},[3050],{"data":3051,"marks":3052,"value":3003,"nodeType":1293},{},[],{"data":3054,"content":3055,"nodeType":1466},{},[3056,3066,3076,3085,3095],{"data":3057,"content":3058,"nodeType":1470},{},[3059],{"data":3060,"content":3061,"nodeType":1294},{},[3062],{"data":3063,"marks":3064,"value":3065,"nodeType":1293},{},[],"SMS",{"data":3067,"content":3068,"nodeType":1470},{},[3
069],{"data":3070,"content":3071,"nodeType":1294},{},[3072],{"data":3073,"marks":3074,"value":3075,"nodeType":1293},{},[],"Poor",{"data":3077,"content":3078,"nodeType":1470},{},[3079],{"data":3080,"content":3081,"nodeType":1294},{},[3082],{"data":3083,"marks":3084,"value":3075,"nodeType":1293},{},[],{"data":3086,"content":3087,"nodeType":1470},{},[3088],{"data":3089,"content":3090,"nodeType":1294},{},[3091],{"data":3092,"marks":3093,"value":3094,"nodeType":1293},{},[],"Cheap",{"data":3096,"content":3097,"nodeType":1470},{},[3098],{"data":3099,"content":3100,"nodeType":1294},{},[3101],{"data":3102,"marks":3103,"value":2901,"nodeType":1293},{},[],{"data":3105,"content":3106,"nodeType":1466},{},[3107,3117,3126,3135,3144],{"data":3108,"content":3109,"nodeType":1470},{},[3110],{"data":3111,"content":3112,"nodeType":1294},{},[3113],{"data":3114,"marks":3115,"value":3116,"nodeType":1293},{},[],"Phone call",{"data":3118,"content":3119,"nodeType":1470},{},[3120],{"data":3121,"content":3122,"nodeType":1294},{},[3123],{"data":3124,"marks":3125,"value":3075,"nodeType":1293},{},[],{"data":3127,"content":3128,"nodeType":1470},{},[3129],{"data":3130,"content":3131,"nodeType":1294},{},[3132],{"data":3133,"marks":3134,"value":3075,"nodeType":1293},{},[],{"data":3136,"content":3137,"nodeType":1470},{},[3138],{"data":3139,"content":3140,"nodeType":1294},{},[3141],{"data":3142,"marks":3143,"value":3094,"nodeType":1293},{},[],{"data":3145,"content":3146,"nodeType":1470},{},[3147],{"data":3148,"content":3149,"nodeType":1294},{},[3150],{"data":3151,"marks":3152,"value":2901,"nodeType":1293},{},[],{"data":3154,"content":3158,"nodeType":1385},{"target":3155},{"sys":3156},{"id":3157,"type":1364,"linkType":1365},"7rgrP5FFAKG63lscwhAsW1",[],{"data":3160,"content":3161,"nodeType":1344},{},[3162],{"data":3163,"marks":3164,"value":2862,"nodeType":1293},{},[],{"data":3166,"content":3167,"nodeType":1294},{},[3168],{"data":3169,"marks":3170,"value":3171,"nodeType":1293},{},[],"One of the most 
common methods today is the app notification. This means using an app on your phone, like Microsoft Authenticator, to receive a push notification when you log in and approving it there.",{"data":3173,"content":3174,"nodeType":1294},{},[3175],{"data":3176,"marks":3177,"value":3178,"nodeType":1293},{},[],"Free, easy to use, and secure - this is a good choice if your users all have devices to install the app on and will reliably have a network connection to receive the notification.",{"data":3180,"content":3181,"nodeType":1294},{},[3182],{"data":3183,"marks":3184,"value":3185,"nodeType":1293},{},[],"Your challenges with using this method will be getting the app set up on everyone's device, getting everyone enrolled, and making sure users understand to only hit approve when they actually performed a login (seriously: an attacker who already has the password can trigger prompt after prompt in the hope that the user eventually taps approve just to make them stop, so an unexpected prompt should be reported as a sign the password is compromised, not dismissed).",{"data":3187,"content":3191,"nodeType":1385},{"target":3188},{"sys":3189},{"id":3190,"type":1364,"linkType":1365},"4ybLnYAdHltdWCluLbr4di",[],{"data":3193,"content":3194,"nodeType":1344},{},[3195],{"data":3196,"marks":3197,"value":3198,"nodeType":1293},{},[],"App Code",{"data":3200,"content":3201,"nodeType":1294},{},[3202],{"data":3203,"marks":3204,"value":3205,"nodeType":1293},{},[],"The early days of MFA looked like RSA tokens; those devices you used to have to carry on a key chain with a code that changed every minute. Those devices worked by having a \"seed\" value that both the device and the server knew, from which each code was derived predictably. 
So long as that seed value stayed safe, this provided a convenient second factor for users that was difficult to compromise.",{"data":3207,"content":3208,"nodeType":1294},{},[3209],{"data":3210,"marks":3211,"value":3212,"nodeType":1293},{},[],"Today, this approach is more common via an app, where the app provides a code that changes on a fixed interval (typically every 30 seconds), but the concept is exactly the same.",{"data":3214,"content":3215,"nodeType":1294},{},[3216],{"data":3217,"marks":3218,"value":3219,"nodeType":1293},{},[],"This approach uses what is officially called a Time-based One Time Password (TOTP, a form of OTP) but is often just referred to as an app code. It has some advantages, such as not needing signal after setup which can be handy if that's a concern. ",{"data":3221,"content":3222,"nodeType":1294},{},[3223],{"data":3224,"marks":3225,"value":3226,"nodeType":1293},{},[],"However, as was true of the RSA tokens of the past, if the seed value is compromised all future values can be predicted. The seed is exposed at enrollment (it is what the QR code contains) and in any backup or export of the authenticator, so those are the things to protect. The odds of this happening in practice are exceptionally low so this remains a good choice, with one caveat shared with push notifications: the code can still be typed into a phishing page by the user, which is the gap that security keys close.",{"data":3228,"content":3229,"nodeType":1294},{},[3230],{"data":3231,"marks":3232,"value":3233,"nodeType":1293},{},[],"Your challenges with using this method will again be mostly in rolling it out to all users and getting everyone set up.",{"data":3235,"content":3236,"nodeType":1344},{},[3237],{"data":3238,"marks":3239,"value":3240,"nodeType":1293},{},[],"Text message / phone call",{"data":3242,"content":3243,"nodeType":1294},{},[3244],{"data":3245,"marks":3246,"value":3247,"nodeType":1293},{},[],"As MFA gained popularity, receiving a code via text message (SMS), or sometimes a phone call, quickly became the de-facto method. 
Before everyone had smartphones and therefore the ability to install apps, using text messages or phone calls was the only way to implement MFA without having to provision RSA tokens for everyone in the team.",{"data":3249,"content":3250,"nodeType":1294},{},[3251,3255,3263],{"data":3252,"marks":3253,"value":3254,"nodeType":1293},{},[],"The major downside to using these methods is their reliance on the security of the phone number. If attackers really want to target an account, and they know the phone number used for MFA, they can try something called ",{"data":3256,"content":3258,"nodeType":1420},{"uri":3257},"https://en.wikipedia.org/wiki/SIM_swap_scam",[3259],{"data":3260,"marks":3261,"value":3262,"nodeType":1293},{},[],"SIM-swapping",{"data":3264,"marks":3265,"value":3266,"nodeType":1293},{},[]," to hijack the phone number, and hence nullify the MFA.",{"data":3268,"content":3269,"nodeType":1294},{},[3270],{"data":3271,"marks":3272,"value":3273,"nodeType":1293},{},[],"The most important thing to note in that scenario is how targeted it is. With no MFA, any attacker on the Internet can simply guess passwords on an account - the cost is extremely low. To bypass SMS or phone call MFA using SIM swapping has a significantly higher cost. The attack is definitely practical, but would only happen when you're specifically targeted.",{"data":3275,"content":3276,"nodeType":1294},{},[3277],{"data":3278,"marks":3279,"value":3280,"nodeType":1293},{},[],"Additionally, the user experience isn't as good. Firstly, the user must have mobile signal to receive the SMS or call. Secondly, there can often be a delay in delivery, due to the less-reliable mobile network. 
Finally, there is almost always a usage cost associated with these methods, since it costs money to send SMSs or make phone calls.",{"data":3282,"content":3283,"nodeType":1294},{},[3284],{"data":3285,"marks":3286,"value":3287,"nodeType":1293},{},[],"Because of this, SMS or phone calls are often considered the least desirable MFA methods today.",{"data":3289,"content":3290,"nodeType":1344},{},[3291],{"data":3292,"marks":3293,"value":3294,"nodeType":1293},{},[],"Security keys",{"data":3296,"content":3297,"nodeType":1294},{},[3298],{"data":3299,"marks":3300,"value":3301,"nodeType":1293},{},[],"FIDO2 is the name for a set of authentication protocols and standards developed by a consortium of tech companies to be the future of authentication. FIDO2 solves a lot of the problems we've dealt with in the past: it's secure, usable and phishing-resistant, because the credential is bound to the genuine site's origin, so a look-alike domain cannot obtain a response it can use.",{"data":3303,"content":3304,"nodeType":1294},{},[3305,3309,3317,3321,3328],{"data":3306,"marks":3307,"value":3308,"nodeType":1293},{},[],"Without digging into the weeds of how that works (",{"data":3310,"content":3312,"nodeType":1420},{"uri":3311},"https://fidoalliance.org/fido2/",[3313],{"data":3314,"marks":3315,"value":3316,"nodeType":1293},{},[],"the official page from the FIDO alliance is worth a read if you're interested",{"data":3318,"marks":3319,"value":3320,"nodeType":1293},{},[],"), you will need what's commonly referred to as a \"security key\" to make use of it. This is a small physical device, often plugged into your USB port - modern devices that understand FIDO2, like the ",{"data":3322,"content":3323,"nodeType":1420},{"uri":2766},[3324],{"data":3325,"marks":3326,"value":3327,"nodeType":1293},{},[],"YubiKey 5 Series",{"data":3329,"marks":3330,"value":3331,"nodeType":1293},{},[],", are preferable. 
Once set up, you simply touch the key on login; under the hood the key signs a challenge from the site with a private key that never leaves the device, and that signature is tied to the site's origin, so it cannot be replayed or obtained through a phishing page.",{"data":3333,"content":3334,"nodeType":1294},{},[3335],{"data":3336,"marks":3337,"value":3338,"nodeType":1293},{},[],"In fact, this approach is so secure, it is the basis of a \"passwordless\" revolution, where this strong factor of authentication can feasibly be used on its own (strictly, the key plus the PIN or biometric that unlocks it is still two factors: something you have and something you know or are), and users don't even need to remember passwords anymore. Though in its infancy at the moment, expect to hear more about that in the coming years.",{"data":3340,"content":3341,"nodeType":1294},{},[3342],{"data":3343,"marks":3344,"value":3345,"nodeType":1293},{},[],"The primary drawback of this method is the cost, with devices typically costing around $50 each. Also, although you can expect them to be supported on major platforms, they aren't supported as widely as other methods just yet.",{"data":3347,"content":3348,"nodeType":1294},{},[3349],{"data":3350,"marks":3351,"value":3352,"nodeType":1293},{},[],"If you are unable to justify their cost for all users, a common implementation is to use security keys for high-privilege accounts, where a phished second factor would do the most damage.",{"data":3354,"content":3355,"nodeType":1344},{},[3356],{"data":3357,"marks":3358,"value":3359,"nodeType":1293},{},[],"Built-in security keys",{"data":3361,"content":3362,"nodeType":1294},{},[3363],{"data":3364,"marks":3365,"value":3366,"nodeType":1293},{},[],"Many modern mobile devices like laptops, tablets and phones have built-in security keys (e.g. Apple Touch ID, Android phones, and Windows Hello). 
These have many of the advantages of stand-alone security keys, but without the cost!",{"data":3368,"content":3369,"nodeType":1294},{},[3370],{"data":3371,"marks":3372,"value":3373,"nodeType":1293},{},[],"Support for these keys is a fairly recent development and is still ongoing but opens up an exciting future where users will increasingly be able to very easily add a second factor, or even go passwordless, in a secure way, without much effort or thought.",{"data":3375,"content":3376,"nodeType":3377},{},[],"hr",{"data":3379,"content":3380,"nodeType":1294},{},[3381],{"data":3382,"marks":3383,"value":3384,"nodeType":1293},{},[],"In conclusion there are multiple options you can choose from to fit almost any scenario you have. While some options are better than others, even the worst option is still a massive improvement on passwords alone. In the end, the best MFA method is the one you can start rolling out today, you can always improve down the line.",{"data":3386,"content":3389,"nodeType":1385},{"target":3387},{"sys":3388},{"id":2632,"type":1364,"linkType":1365},[],{"data":3391,"content":3392,"nodeType":1294},{},[3393],{"data":3394,"marks":3395,"value":37,"nodeType":1293},{},[],"Which MFA methods should you use?","SMS, Authenticator apps, Security Keys, and more! 
We compare them from a user experience, security, cost, and support aspect.",[3399],"MFA","2021-03-15T00:00:00.000+01:00","which-mfa-methods-should-you-use",{"items":3403},[3404,3408],{"sys":3405,"name":3407},{"id":3406},"1gZi8NrRy2v9OqPV7C4dwD","Risk management",{"sys":3409,"name":1306},{"id":1305},{"items":3411},[3412],{"fullName":3413,"firstName":3414,"jobTitle":3415,"profilePicture":3416},"Andy Waugh","Andy","VP Product",{"url":3417},"https://images.ctfassets.net/y1cdw1ablpvd/3Rf76rJn6S9inMb4dUnAIJ/0a787f8141d05b95300e2fe77c4493fa/DSC_6868.jpg",{"__typename":1314,"sys":3419,"content":3420,"title":3604,"synopsis":3605,"hashTags":118,"publishedDate":3606,"slug":3607,"tagsCollection":3608,"authorsCollection":3614},{"id":1363},{"json":3421},{"nodeType":1295,"data":3422,"content":3423},{},[3424,3431,3438,3444,3460,3466,3473,3480,3511,3517,3536,3554,3573],{"nodeType":1294,"data":3425,"content":3426},{},[3427],{"nodeType":1293,"value":3428,"marks":3429,"data":3430},"With more platforms adding support for Multi-factor Authentication (MFA) and users increasingly adopting it to secure their accounts, attackers are adapting and moving to new methods of compromising user accounts. In this post we’ll take a look at consent phishing and how it is being used to bypass MFA (the attacker never needs the password or a second factor, because the user hands over an OAuth grant directly) and also skirt key attributes of phishing that are taught in traditional user awareness campaigns, such as links to untrusted domains.",[],{},{"nodeType":1294,"data":3432,"content":3433},{},[3434],{"nodeType":1293,"value":3435,"marks":3436,"data":3437},"Imagine yourself sitting down at your desk first thing on a Monday morning, cup of coffee steaming next to your keyboard as you click through your backlog of emails. You open the below email and you see that Karl has shared a financial report with you. 
",[],{},{"nodeType":1385,"data":3439,"content":3443},{"target":3440},{"sys":3441},{"id":3442,"type":1364,"linkType":1365},"7zysXleQdpE6isqi9OU56l",[],{"nodeType":1294,"data":3445,"content":3446},{},[3447,3451,3456],{"nodeType":1293,"value":3448,"marks":3449,"data":3450},"Maybe you’ve been waiting for the latest financials or you suspect this was sent erroneously but you’re curious and want to take a peek. When you click the link you are presented with a prompt that with your Monday brain looks just like the “Yes give me access” prompt you’ve clicked through a thousand times. I mean, it's a ",[],{},{"nodeType":1293,"value":3452,"marks":3453,"data":3455},"microsoftonline.com",[3454],{"type":2677},{},{"nodeType":1293,"value":3457,"marks":3458,"data":3459}," domain, it's https and there’s a green tick in the corner so everything looks fine. ",[],{},{"nodeType":1385,"data":3461,"content":3465},{"target":3462},{"sys":3463},{"id":3464,"type":1364,"linkType":1365},"6nPueTKEjLphqlytbQ0gcx",[],{"nodeType":1294,"data":3467,"content":3468},{},[3469],{"nodeType":1293,"value":3470,"marks":3471,"data":3472},"If you’d looked closely you may have noticed that this was in fact asking you to approve access rather than granting you access. But with your muscle memory in full control you click “Accept” before even glancing at the screen. You wait for the spreadsheet to open but are presented with a generic “File does not exist” error page. Oh well, apparently Karl realised his mistake and deleted the file or revoked your access. Onto the next email.",[],{},{"nodeType":1294,"data":3474,"content":3475},{},[3476],{"nodeType":1293,"value":3477,"marks":3478,"data":3479},"And just like that you’ve been consent phished. You’ve just granted the attackers permanent access to your account, which they retain even if you change your password or have MFA enabled. 
Chances are the attacker’s tools will immediately start downloading every piece of data you just granted them access to, which they can then explore at their leisure. ",[],{},{"nodeType":1294,"data":3481,"content":3482},{},[3483,3487,3495,3499,3507],{"nodeType":1293,"value":3484,"marks":3485,"data":3486},"To spot this you need to audit the apps you’ve approved, something you are doing regularly, right? Seriously though, this isn’t something many people check. These integrations are designed to be as seamless as possible and not to get in your way. But if this has piqued your interest you can check what access you have personally granted on ",[],{},{"nodeType":1420,"data":3488,"content":3490},{"uri":3489},"https://myaccount.google.com/permissions",[3491],{"nodeType":1293,"value":3492,"marks":3493,"data":3494},"Google Workspace",[],{},{"nodeType":1293,"value":3496,"marks":3497,"data":3498}," and ",[],{},{"nodeType":1420,"data":3500,"content":3502},{"uri":3501},"https://myapps.microsoft.com/",[3503],{"nodeType":1293,"value":3504,"marks":3505,"data":3506},"Microsoft 365",[],{},{"nodeType":1293,"value":3508,"marks":3509,"data":3510},".",[],{},{"nodeType":1385,"data":3512,"content":3516},{"target":3513},{"sys":3514},{"id":3515,"type":1364,"linkType":1365},"BPIX02LWblUNnkQw1TFWD",[],{"nodeType":1294,"data":3518,"content":3519},{},[3520,3524,3532],{"nodeType":1293,"value":3521,"marks":3522,"data":3523},"If you’d been paying attention when you clicked “Accept” you might have noticed that you were granting some pretty serious permissions here. These permissions allow the attackers to read and write any files you have access to - they could download all these files and then delete them. The attackers also got permission to send emails as you. They could send emails to your colleagues from you and phish them too, this isn’t impersonation where the email just “looks” like it came from you, the email DID come from you. 
Lastly, the attackers asked for permission to manipulate your Outlook settings; with this they could set up a ",[],{},{"nodeType":1420,"data":3525,"content":3527},{"uri":3526},"/features/detect-malicious-mail-rules/",[3528],{"nodeType":1293,"value":3529,"marks":3530,"data":3531},"mail forwarding rule",[],{},{"nodeType":1293,"value":3533,"marks":3534,"data":3535}," so that they get copies of all your emails forwarded to them directly without even having to log in. And all of this continues until the app's consent grant is revoked or the app is removed from your tenant - changing the password or resetting MFA does not touch it - and a mail rule the attacker already created stays in place after the app is gone unless you find and remove it too.",[],{},{"nodeType":1294,"data":3537,"content":3538},{},[3539,3543,3550],{"nodeType":1293,"value":3540,"marks":3541,"data":3542},"In a ",[],{},{"nodeType":1420,"data":3544,"content":3546},{"uri":3545},"https://www.microsoft.com/security/blog/2020/07/08/protecting-remote-workforce-application-attacks-consent-phishing/",[3547],{"nodeType":1293,"value":2046,"marks":3548,"data":3549},[],{},{"nodeType":1293,"value":3551,"marks":3552,"data":3553}," Microsoft warns that these attacks are on the rise. One notable example of this comes from the SANS Institute. They reported in August of 2020 that they had fallen victim to one of these attacks. As part of the investigation they produced a report with details on how the attackers managed to convince an employee to install a malicious Microsoft 365 add-in to gain access. ",[],{},{"nodeType":1294,"data":3555,"content":3556},{},[3557,3561,3569],{"nodeType":1293,"value":3558,"marks":3559,"data":3560},"So what can you do about this threat today? The only foolproof method of preventing this kind of attack is to prevent users from granting access to third-party apps. This is terrible for users though, and you’ll be missing out on all the productivity benefits these apps can bring. A more balanced approach is to let users find and request apps, but have administrators approve the apps. 
More and more platforms (including Microsoft 365 and Slack) are offering built-in “admin consent” workflows to make getting a second pair of eyes on new apps even easier. You can also make it even easier for users  by pre-approving widely used apps from trusted publishers and users won’t even notice there is new protection in place 99% of the time. We are also actively working on this problem and if you would like to join our ",[],{},{"nodeType":1420,"data":3562,"content":3564},{"uri":3563},"/features/secure-oauth-permissions-and-applications/",[3565],{"nodeType":1293,"value":3566,"marks":3567,"data":3568},"early access program",[],{},{"nodeType":1293,"value":3570,"marks":3571,"data":3572}," please get in touch.",[],{},{"nodeType":1294,"data":3574,"content":3575},{},[3576,3580,3588,3592,3600],{"nodeType":1293,"value":3577,"marks":3578,"data":3579},"Consent phishing is still an emerging technique and we believe that it has not reached peak usage by attackers yet. We are actively researching this attack technique as it continues to evolve. 
Follow us on Twitter ",[],{},{"nodeType":1420,"data":3581,"content":3583},{"uri":3582},"https://twitter.com/PushSecurity",[3584],{"nodeType":1293,"value":3585,"marks":3586,"data":3587},"@pushsecurity",[],{},{"nodeType":1293,"value":3589,"marks":3590,"data":3591},", ",[],{},{"nodeType":1420,"data":3593,"content":3595},{"uri":3594},"https://www.linkedin.com/company/push-security",[3596],{"nodeType":1293,"value":3597,"marks":3598,"data":3599},"LinkedIn",[],{},{"nodeType":1293,"value":3601,"marks":3602,"data":3603}," or subscribe to our mailing list below to get the latest updates and tips for managing this for your users.",[],{},"Consent phishing: the emerging phishing technique that can bypass 2FA","Consent phishing is an emerging technique attackers are using to compromise user accounts, even if they have Multi-factor Authentication (MFA or 2FA) enabled.","2021-07-06T00:00:00.000+01:00","consent-phishing-the-emerging-phishing-technique-that-can-bypass-2fa",{"items":3609},[3610,3612],{"sys":3611,"name":2648},{"id":2647},{"sys":3613,"name":1310},{"id":1309},{"items":3615},[3616],{"fullName":3617,"firstName":3618,"jobTitle":3619,"profilePicture":3620},"Alex Triaca","Alex","Chief Architect",{"url":3621},"https://images.ctfassets.net/y1cdw1ablpvd/LmC3LyTH5V9NthbqKuqA2/8291887e41c15613bf98f6fd55773817/117-0-2.jpg",{"items":3623},[3624],{"fullName":3625,"firstName":3626,"jobTitle":3627,"profilePicture":3628},"Luke Jennings","Luke","Vice President, 
R&D",{"url":3629},"https://images.ctfassets.net/y1cdw1ablpvd/4Hosb4zKi1dA0PUyDLMe1h/27e09d894861f2196ba794037986fb08/T016S22KZ96-U02NVQM7ZD4-57761d542d83-512.jpeg",{"json":3631,"links":4823},{"data":3632,"content":3633,"nodeType":1295},{},[3634,3641,3648,3655,3662,3669,3676,3682,3689,3696,3703,3795,3801,3808,3815,3822,3855,3862,3869,3876,3883,3889,3896,3903,3926,3933,3939,3945,3952,3959,3966,3973,3980,3987,3994,4000,4006,4014,4021,4028,4035,4042,4049,4056,4063,4070,4077,4084,4091,4098,4103,4110,4117,4124,4131,4137,4143,4150,4157,4164,4187,4194,4200,4206,4213,4219,4226,4233,4244,4251,4258,4265,4272,4279,4299,4407,4414,4421,4469,4475,4482,4489,4496,4503,4510,4517,4523,4530,4549,4556,4563,4570,4577,4584,4591,4634,4641,4698,4705,4712,4775,4781,4788,4795,4802,4809,4816],{"data":3635,"content":3636,"nodeType":1294},{},[3637],{"data":3638,"marks":3639,"value":3640,"nodeType":1293},{},[],"This blog post covers the implications of using SWA as an authentication method in Okta, with a particular focus on what security teams need to consider in an account breach and subsequent incident response scenario. ",{"data":3642,"content":3643,"nodeType":1294},{},[3644],{"data":3645,"marks":3646,"value":3647,"nodeType":1293},{},[],"Spoiler alert: we’ll make the case that the true value of an SSO solution like Okta is in the use of SAML and OIDC authentication methods, not convenience features like SWA.",{"data":3649,"content":3650,"nodeType":1336},{},[3651],{"data":3652,"marks":3653,"value":3654,"nodeType":1293},{},[],"Introduction",{"data":3656,"content":3657,"nodeType":1294},{},[3658],{"data":3659,"marks":3660,"value":3661,"nodeType":1293},{},[],"To facilitate SSO logins to web applications, Okta allows the industry standard SAML and OIDC protocols for federated logins to be used with applications that support it. These represent the most secure and recommended options. 
However, Okta also offers a proprietary system called SWA to support apps that don’t support these protocols, or where they are otherwise unavailable due to licensing restrictions.     ",{"data":3663,"content":3664,"nodeType":1294},{},[3665],{"data":3666,"marks":3667,"value":3668,"nodeType":1293},{},[],"While SWA is referred to as an SSO login mechanism, functionally it’s a password manager. SWA stores username and password combinations for individual applications on a per-user basis and makes use of a browser extension to automate the login process on behalf of the user. ",{"data":3670,"content":3671,"nodeType":1294},{},[3672],{"data":3673,"marks":3674,"value":3675,"nodeType":1293},{},[],"The screenshot below shows an example of an application being configured to use SWA as opposed to SAML, in this case Salesforce:",{"data":3677,"content":3681,"nodeType":1385},{"target":3678},{"sys":3679},{"id":3680,"type":1364,"linkType":1365},"4wrRez2VpTG1vjsvNFlklK",[],{"data":3683,"content":3684,"nodeType":1294},{},[3685],{"data":3686,"marks":3687,"value":3688,"nodeType":1293},{},[],"From this configuration screen it’s not obvious that there is a fundamental difference between some login methods like SWA and true federated identity methods like SAML 2.0. To better understand the difference and the risks of SWA, let’s look at it from an attacker’s perspective.",{"data":3690,"content":3691,"nodeType":1336},{},[3692],{"data":3693,"marks":3694,"value":3695,"nodeType":1293},{},[],"How are Okta accounts compromised?",{"data":3697,"content":3698,"nodeType":1294},{},[3699],{"data":3700,"marks":3701,"value":3702,"nodeType":1293},{},[],"While it’s common for Okta accounts to be protected using MFA, and sometimes device trust, there are still viable attack vectors. 
The two most prevalent attacks would be: ",{"data":3704,"content":3705,"nodeType":2733},{},[3706,3721],{"data":3707,"content":3708,"nodeType":2184},{},[3709],{"data":3710,"content":3711,"nodeType":1294},{},[3712,3717],{"data":3713,"marks":3714,"value":3716,"nodeType":1293},{},[3715],{"type":2677},"Endpoint compromise",{"data":3718,"marks":3719,"value":3720,"nodeType":1293},{},[]," - In a traditional endpoint compromise scenario, an attacker will generally have full access to the user’s browser. This means they can hijack existing Okta sessions by stealing authentication tokens, which bypass all device trust and MFA protections. For persistent access, they can keylog credentials when the user next logs in and add MFA methods or enrol a new endpoint with device trust.",{"data":3722,"content":3723,"nodeType":2184},{},[3724],{"data":3725,"content":3726,"nodeType":1294},{},[3727,3732,3736,3745,3748,3757,3762,3766,3775,3779,3783,3792],{"data":3728,"marks":3729,"value":3731,"nodeType":1293},{},[3730],{"type":2677},"Phishing attacks/MFA proxying",{"data":3733,"marks":3734,"value":3735,"nodeType":1293},{},[]," - Traditional phishing attacks can be launched against Okta users to obtain credentials and/or authenticated sessions. 
Attacker-in-the-middle (AITM) attacks can be used to bypass common MFA mechanisms, and attacks against Okta users are typically carried out using tools such as ",{"data":3737,"content":3739,"nodeType":1420},{"uri":3738},"https://github.com/kgretzky/evilginx2",[3740],{"data":3741,"marks":3742,"value":3744,"nodeType":1293},{},[3743],{"type":1371},"evilginx",{"data":3746,"marks":3747,"value":3589,"nodeType":1293},{},[],{"data":3749,"content":3751,"nodeType":1420},{"uri":3750},"https://mrd0x.com/bypass-2fa-using-novnc/",[3752],{"data":3753,"marks":3754,"value":3756,"nodeType":1293},{},[3755],{"type":1371},"noVNC",{"data":3758,"marks":3759,"value":3761,"nodeType":1293},{},[3760],{"type":2677}," ",{"data":3763,"marks":3764,"value":3765,"nodeType":1293},{},[],"or ",{"data":3767,"content":3769,"nodeType":1420},{"uri":3768},"https://github.com/fkasler/cuddlephish",[3770],{"data":3771,"marks":3772,"value":3774,"nodeType":1293},{},[3773],{"type":1371},"cuddlephish",{"data":3776,"marks":3777,"value":3508,"nodeType":1293},{},[3778],{"type":2677},{"data":3780,"marks":3781,"value":3782,"nodeType":1293},{},[]," We’ve even seen groups using tooling specifically crafted to target Okta such as the notorious ",{"data":3784,"content":3786,"nodeType":1420},{"uri":3785},"https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/",[3787],{"data":3788,"marks":3789,"value":3791,"nodeType":1293},{},[3790],{"type":1371},"0ktapus group/campaign.",{"data":3793,"marks":3794,"value":37,"nodeType":1293},{},[],{"data":3796,"content":3800,"nodeType":1385},{"target":3797},{"sys":3798},{"id":3799,"type":1364,"linkType":1365},"6iKFd9Qys2SSuNqKVQB7ka",[],{"data":3802,"content":3803,"nodeType":1336},{},[3804],{"data":3805,"marks":3806,"value":3807,"nodeType":1293},{},[],"What is Okta SWA?",{"data":3809,"content":3810,"nodeType":1294},{},[3811],{"data":3812,"marks":3813,"value":3814,"nodeType":1293},{},[],"Okta Secure Web 
Authentication (SWA) provides SSO-like functionality to web applications that don’t support federated protocols and is intended to be used only when SAML or OIDC federated logins cannot be used. ",{"data":3816,"content":3817,"nodeType":1294},{},[3818],{"data":3819,"marks":3820,"value":3821,"nodeType":1293},{},[],"It is SSO-like in the sense that:",{"data":3823,"content":3824,"nodeType":2733},{},[3825,3835,3845],{"data":3826,"content":3827,"nodeType":2184},{},[3828],{"data":3829,"content":3830,"nodeType":1294},{},[3831],{"data":3832,"marks":3833,"value":3834,"nodeType":1293},{},[],"A user enters their single Okta password to login to Okta, ",{"data":3836,"content":3837,"nodeType":2184},{},[3838],{"data":3839,"content":3840,"nodeType":1294},{},[3841],{"data":3842,"marks":3843,"value":3844,"nodeType":1293},{},[],"SWA then stores username/password combinations ",{"data":3846,"content":3847,"nodeType":2184},{},[3848],{"data":3849,"content":3850,"nodeType":1294},{},[3851],{"data":3852,"marks":3853,"value":3854,"nodeType":1293},{},[],"SWA then makes use of a browser extension to automatically login to applications using the credentials. ",{"data":3856,"content":3857,"nodeType":1294},{},[3858],{"data":3859,"marks":3860,"value":3861,"nodeType":1293},{},[],"In that sense, it’s essentially a password manager. Like any password manager, it can be a big security improvement over a user manually managing their accounts or reusing the same password everywhere.",{"data":3863,"content":3864,"nodeType":1294},{},[3865],{"data":3866,"marks":3867,"value":3868,"nodeType":1293},{},[],"There’s a good reason that true SSO is considered more secure than password managers, and this comes down to the identity. An SSO uses a single identity that is federated to other apps, where a password manager just better manages many discrete identities. 
So, when an employee leaves an organization and they’re using an SSO, a single identity needs to be disabled, but disabling access to a password manager does nothing to disable the identities inside it.",{"data":3870,"content":3871,"nodeType":1294},{},[3872],{"data":3873,"marks":3874,"value":3875,"nodeType":1293},{},[],"In the case of SWA, the use of a browser extension and a long list of supported applications with custom login scripts already written is a key value add. This means users don’t need to copy/paste credentials like they might with some password managers. ",{"data":3877,"content":3878,"nodeType":1294},{},[3879],{"data":3880,"marks":3881,"value":3882,"nodeType":1293},{},[],"However, unlike typical password managers, there isn’t just one type of SWA, administrators can actually pick between one of five configuration options. This is shown in the screenshot below:",{"data":3884,"content":3888,"nodeType":1385},{"target":3885},{"sys":3886},{"id":3887,"type":1364,"linkType":1365},"42kt5hDFjjVYLf85HnjlU8",[],{"data":3890,"content":3891,"nodeType":1294},{},[3892],{"data":3893,"marks":3894,"value":3895,"nodeType":1293},{},[],"So, it’s possible to configure SWA like a traditional password manager scenario where the user sets their own username and password. However, as you can see above, you can set it up so that administrators can fully control the credentials, including the use of shared credentials used by multiple users.",{"data":3897,"content":3898,"nodeType":1294},{},[3899],{"data":3900,"marks":3901,"value":3902,"nodeType":1293},{},[],"SWA can also control the default configuration of the password reveal capability:",{"data":3904,"content":3905,"nodeType":2733},{},[3906,3916],{"data":3907,"content":3908,"nodeType":2184},{},[3909],{"data":3910,"content":3911,"nodeType":1294},{},[3912],{"data":3913,"marks":3914,"value":3915,"nodeType":1293},{},[],"When configured to allow users to set their own credentials, password reveal is enabled by default. 
",{"data":3917,"content":3918,"nodeType":2184},{},[3919],{"data":3920,"content":3921,"nodeType":1294},{},[3922],{"data":3923,"marks":3924,"value":3925,"nodeType":1293},{},[],"When administrators control the credentials, password reveal is disabled by default. ",{"data":3927,"content":3928,"nodeType":1294},{},[3929],{"data":3930,"marks":3931,"value":3932,"nodeType":1293},{},[],"Since Okta SWA performs logins automatically on behalf of the user, the user doesn’t technically need to be able to view or copy/paste the credentials. This makes it possible for Okta to support disabling password reveal. ",{"data":3934,"content":3938,"nodeType":1385},{"target":3935},{"sys":3936},{"id":3937,"type":1364,"linkType":1365},"3IE8neYJbh0H8Vc7Hd9p5W",[],{"data":3940,"content":3944,"nodeType":1385},{"target":3941},{"sys":3942},{"id":3943,"type":1364,"linkType":1365},"5C1lhoJtBEgdndiL9gSUbd",[],{"data":3946,"content":3947,"nodeType":1336},{},[3948],{"data":3949,"marks":3950,"value":3951,"nodeType":1293},{},[],"What are the security risks of using SWA?",{"data":3953,"content":3954,"nodeType":1294},{},[3955],{"data":3956,"marks":3957,"value":3958,"nodeType":1293},{},[],"While SWA may be a step up from users performing manual logins to a range of apps, it carries the same risk that any password manager solution has. If your account is compromised then all your usernames and passwords can be stolen in one go.",{"data":3960,"content":3961,"nodeType":1294},{},[3962],{"data":3963,"marks":3964,"value":3965,"nodeType":1293},{},[],"But how can that be if password reveal has been disabled",{"data":3967,"content":3968,"nodeType":1344},{},[3969],{"data":3970,"marks":3971,"value":3972,"nodeType":1293},{},[],"1. Bypassing password reveal restrictions",{"data":3974,"content":3975,"nodeType":1294},{},[3976],{"data":3977,"marks":3978,"value":3979,"nodeType":1293},{},[],"Even if users don’t directly interact with their passwords themselves (e.g. 
via copy/paste), their browser needs access otherwise it wouldn’t be possible to login to apps. ",{"data":3981,"content":3982,"nodeType":1294},{},[3983],{"data":3984,"marks":3985,"value":3986,"nodeType":1293},{},[],"The Okta browser extension uses the user’s active Okta login session to request credentials in the background, then automatically logs in to apps without the user ever directly seeing those credentials. So, while disabling password reveal may defeat a low-skill attacker or normal user scenarios, it’s essentially a client-side control, and isn’t going to stop a more determined attacker or technical user from getting at the credentials. This isn’t a bug, it’s a technical limitation of how a password manager works.",{"data":3988,"content":3989,"nodeType":1294},{},[3990],{"data":3991,"marks":3992,"value":3993,"nodeType":1293},{},[],"For example, let’s say a user has Salesforce configured as an app with SWA and clicks the app tile in the extension to login. The browser extension will use the active user session to make a request like the following (headers and irrelevant data removed for clarity):",{"data":3995,"content":3999,"nodeType":1385},{"target":3996},{"sys":3997},{"id":3998,"type":1364,"linkType":1365},"2tiqg9EUoa9KxkTCduZoVe",[],{"data":4001,"content":4005,"nodeType":1385},{"target":4002},{"sys":4003},{"id":4004,"type":1364,"linkType":1365},"4ApkgD7IwPRC3jC09Jf2SJ",[],{"data":4007,"content":4008,"nodeType":1294},{},[4009],{"data":4010,"marks":4011,"value":4013,"nodeType":1293},{},[4012],{"type":312},"This response to the browser extension’s web request contains the username and password for Salesforce",{"data":4015,"content":4016,"nodeType":1294},{},[4017],{"data":4018,"marks":4019,"value":4020,"nodeType":1293},{},[],"This is the Salesforce-specific login script that allows the extension to automatically log the user in to Salesforce and includes their credentials. 
This request will include the credentials even if password reveal is disabled - the request above was captured using an intercepting proxy like Burp Suite.",{"data":4022,"content":4023,"nodeType":1344},{},[4024],{"data":4025,"marks":4026,"value":4027,"nodeType":1293},{},[],"2. Cross-account shared passwords",{"data":4029,"content":4030,"nodeType":1294},{},[4031],{"data":4032,"marks":4033,"value":4034,"nodeType":1293},{},[],"An additional risk with SWA is an operational one. Administrators can set passwords for users and also disable password reveal, which can encourage the use of shared passwords, since they don’t expect the users to see them. ",{"data":4036,"content":4037,"nodeType":1294},{},[4038],{"data":4039,"marks":4040,"value":4041,"nodeType":1293},{},[],"If administrators are auto-generating complex passwords for every single user account they create as a strong operational process, then there may be no issue. However, breach history would tell us that rarely do organizations have operational security practices as stringent as that.",{"data":4043,"content":4044,"nodeType":1294},{},[4045],{"data":4046,"marks":4047,"value":4048,"nodeType":1293},{},[],"An attacker compromising an Okta user account can not only extract valid credentials for all configured SWA apps for that user, but may uncover passwords that are valid for other user accounts configured by administrators, making this a likely vector for lateral movement.",{"data":4050,"content":4051,"nodeType":1344},{},[4052],{"data":4053,"marks":4054,"value":4055,"nodeType":1293},{},[],"3. Shared Okta passwords",{"data":4057,"content":4058,"nodeType":1294},{},[4059],{"data":4060,"marks":4061,"value":4062,"nodeType":1293},{},[],"One SWA option administrators can configure is to require the user to use their Okta password for the application (see earlier screenshot of configuration options). 
In this case, Okta lets the user set the password for the application, but it will confirm it matches the user’s Okta password and reject it otherwise.",{"data":4064,"content":4065,"nodeType":1294},{},[4066],{"data":4067,"marks":4068,"value":4069,"nodeType":1293},{},[],"This is a dangerous option, since it means the user’s Okta password is shared with other applications. So, if one of those applications is compromised, then their Okta password could be breached as well, which could allow both other applications and the user’s core Okta account to be compromised. It’s essentially enforcing password re-use, the exact opposite of what you want from an identity security perspective.",{"data":4071,"content":4072,"nodeType":1344},{},[4073],{"data":4074,"marks":4075,"value":4076,"nodeType":1293},{},[],"4. Persistent access to connected apps",{"data":4078,"content":4079,"nodeType":1294},{},[4080],{"data":4081,"marks":4082,"value":4083,"nodeType":1293},{},[],"Okta acts as an authentication gateway for access to other applications. Ideally, strong authentication policies will be in place such as strong password policies, MFA, account lockout and detection and response controls.",{"data":4085,"content":4086,"nodeType":1294},{},[4087],{"data":4088,"marks":4089,"value":4090,"nodeType":1293},{},[],"However, if even a temporary compromise of an Okta account is achieved (for example through an Okta session theft), an attacker extracting all credentials for SWA apps does not need to maintain access to Okta any further. Instead, they can maintain persistent access to all the downstream SWA apps by logging in manually, using the credentials they have extracted without using Okta. ",{"data":4092,"content":4093,"nodeType":1294},{},[4094],{"data":4095,"marks":4096,"value":4097,"nodeType":1293},{},[],"This greatly complicates incident response playbooks. 
Where an otherwise simple recovery action like disabling an Okta account, resetting the password and MFA methods, et cetera, would kick an attacker out of the Okta account - for a user using SWA the attacker will still have all the access to downstream SWA applications unless every single SWA app user account is recovered as well. This is where the value of a federated identity becomes clear.",{"data":4099,"content":4102,"nodeType":1385},{"target":4100},{"sys":4101},{"id":2632,"type":1364,"linkType":1365},[],{"data":4104,"content":4105,"nodeType":1336},{},[4106],{"data":4107,"marks":4108,"value":4109,"nodeType":1293},{},[],"Dumping SWA credentials",{"data":4111,"content":4112,"nodeType":1294},{},[4113],{"data":4114,"marks":4115,"value":4116,"nodeType":1293},{},[],"Since Okta SWA functions as a password manager, and it’s also possible to bypass password reveal restrictions, an attacker who has gained temporary access to an Okta session can automate the extraction of all credentials stored via SWA for that account.",{"data":4118,"content":4119,"nodeType":1344},{},[4120],{"data":4121,"marks":4122,"value":4123,"nodeType":1293},{},[],"Using the password reveal API",{"data":4125,"content":4126,"nodeType":1294},{},[4127],{"data":4128,"marks":4129,"value":4130,"nodeType":1293},{},[],"One method would be to automate the password reveal API call in the dashboard for every app configured. This is the simplest, direct way to get credentials but has the disadvantage that it will not return credentials that have had password reveal disabled. 
The following screenshots show an example of the API call that is made:",{"data":4132,"content":4136,"nodeType":1385},{"target":4133},{"sys":4134},{"id":4135,"type":1364,"linkType":1365},"27xCaphfwy6zSNU7QDQZ1g",[],{"data":4138,"content":4142,"nodeType":1385},{"target":4139},{"sys":4140},{"id":4141,"type":1364,"linkType":1365},"begENC8Oxq4rwprZ0fGpG",[],{"data":4144,"content":4145,"nodeType":1344},{},[4146],{"data":4147,"marks":4148,"value":4149,"nodeType":1293},{},[],"Using the browser extension API",{"data":4151,"content":4152,"nodeType":1294},{},[4153],{"data":4154,"marks":4155,"value":4156,"nodeType":1293},{},[],"The more effective way for an attacker to dump credentials, and bypass password reveal restrictions, is to emulate the API calls made by the browser extension to retrieve the login scripts for each SWA application. ",{"data":4158,"content":4159,"nodeType":1294},{},[4160],{"data":4161,"marks":4162,"value":4163,"nodeType":1293},{},[],"For an attacker to make these calls, a valid Okta session is needed. 
Specifically, the tokens that need to be extracted from the browser for these calls are:",{"data":4165,"content":4166,"nodeType":2733},{},[4167,4177],{"data":4168,"content":4169,"nodeType":2184},{},[4170],{"data":4171,"content":4172,"nodeType":1294},{},[4173],{"data":4174,"marks":4175,"value":4176,"nodeType":1293},{},[],"The access token in “okta-token-storage” in browser local storage",{"data":4178,"content":4179,"nodeType":2184},{},[4180],{"data":4181,"content":4182,"nodeType":1294},{},[4183],{"data":4184,"marks":4185,"value":4186,"nodeType":1293},{},[],"The “idx” token in cookies",{"data":4188,"content":4189,"nodeType":1294},{},[4190],{"data":4191,"marks":4192,"value":4193,"nodeType":1293},{},[],"These can be seen below:",{"data":4195,"content":4199,"nodeType":1385},{"target":4196},{"sys":4197},{"id":4198,"type":1364,"linkType":1365},"4ooNI3TmnxqCAtw9MZuuVI",[],{"data":4201,"content":4205,"nodeType":1385},{"target":4202},{"sys":4203},{"id":4204,"type":1364,"linkType":1365},"6rbgLXHewT34SPH3qA24Fu",[],{"data":4207,"content":4208,"nodeType":1294},{},[4209],{"data":4210,"marks":4211,"value":4212,"nodeType":1293},{},[],"The following screenshot shows the use of a simple internal PoC we created to investigate logging detection opportunities. 
It gives a sense of the type of information that can be retrieved for a test Okta user account: ",{"data":4214,"content":4218,"nodeType":1385},{"target":4215},{"sys":4216},{"id":4217,"type":1364,"linkType":1365},"5lYhdtWKVqIch6CpksR7Dd",[],{"data":4220,"content":4221,"nodeType":1336},{},[4222],{"data":4223,"marks":4224,"value":4225,"nodeType":1293},{},[],"So if SWA can be risky, is SAML and OIDC safe?",{"data":4227,"content":4228,"nodeType":1294},{},[4229],{"data":4230,"marks":4231,"value":4232,"nodeType":1293},{},[],"In general, much more so, but as is unfortunately so often the case in security, the answer is “it depends.” The threat profile for federated SSO like SAML and OIDC is very different, and they don’t suffer from the risks highlighted with SWA use given above. ",{"data":4234,"content":4235,"nodeType":1294},{},[4236,4241],{"data":4237,"marks":4238,"value":4240,"nodeType":1293},{},[4239],{"type":2677},"Any organization using Okta should strive to use SAML/OIDC for as many applications as possible - this is the true power of a federated identity solution",{"data":4242,"marks":4243,"value":3508,"nodeType":1293},{},[],{"data":4245,"content":4246,"nodeType":1294},{},[4247],{"data":4248,"marks":4249,"value":4250,"nodeType":1293},{},[],"However, it’s important to remember that not even SAML/OIDC is a silver bullet.",{"data":4252,"content":4253,"nodeType":1294},{},[4254],{"data":4255,"marks":4256,"value":4257,"nodeType":1293},{},[],"For example, it’s still possible for an attacker achieving a temporary compromise of an Okta account to click every single SAML/OIDC application to establish authenticated sessions with all of them. While some sessions may be short-lived, depending on the application, these sessions may stay alive for longer periods such as 30 days or for some apps even indefinitely. 
",{"data":4259,"content":4260,"nodeType":1294},{},[4261],{"data":4262,"marks":4263,"value":4264,"nodeType":1293},{},[],"While it may be simple for incident responders to disable an Okta account temporarily, it’s certainly much more difficult to disable all connected SaaS accounts and/or kill active sessions for all of them. ",{"data":4266,"content":4267,"nodeType":1294},{},[4268],{"data":4269,"marks":4270,"value":4271,"nodeType":1293},{},[],"Additionally, while active sessions won’t generally allow an attacker long-term access to an application like stolen SWA credentials often will, many different SaaS applications support methods that can be used to effectively backdoor access to them - though this is a risk to both SWA and federated identities.",{"data":4273,"content":4274,"nodeType":1294},{},[4275],{"data":4276,"marks":4277,"value":4278,"nodeType":1293},{},[],"This is another big challenge for incident responders to deal with, as it can allow attackers to maintain persistence without requiring valid credentials or active sessions. In other words, there are many ways to turn that short term access into persistent access outside Okta. ",{"data":4280,"content":4281,"nodeType":1294},{},[4282,4286,4295],{"data":4283,"marks":4284,"value":4285,"nodeType":1293},{},[],"While the full details of these persistence attacks are outside the scope of this article, more details on some key attacks can be found in a resource we created called the ",{"data":4287,"content":4289,"nodeType":1420},{"uri":4288},"https://github.com/pushsecurity/saas-attacks",[4290],{"data":4291,"marks":4292,"value":4294,"nodeType":1293},{},[4293],{"type":1371},"SaaS attacks matrix",{"data":4296,"marks":4297,"value":4298,"nodeType":1293},{},[],". 
Some of the most common techniques that apply here are:",{"data":4300,"content":4301,"nodeType":2733},{},[4302,4323,4344,4365,4386],{"data":4303,"content":4304,"nodeType":2184},{},[4305],{"data":4306,"content":4307,"nodeType":1294},{},[4308,4311,4320],{"data":4309,"marks":4310,"value":37,"nodeType":1293},{},[],{"data":4312,"content":4314,"nodeType":1420},{"uri":4313},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/api_keys/description.md",[4315],{"data":4316,"marks":4317,"value":4319,"nodeType":1293},{},[4318],{"type":1371},"SAT1004 - API keys",{"data":4321,"marks":4322,"value":37,"nodeType":1293},{},[],{"data":4324,"content":4325,"nodeType":2184},{},[4326],{"data":4327,"content":4328,"nodeType":1294},{},[4329,4332,4341],{"data":4330,"marks":4331,"value":37,"nodeType":1293},{},[],{"data":4333,"content":4335,"nodeType":1420},{"uri":4334},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/link_sharing/description.md",[4336],{"data":4337,"marks":4338,"value":4340,"nodeType":1293},{},[4339],{"type":1371},"SAT1022 - Link sharing",{"data":4342,"marks":4343,"value":37,"nodeType":1293},{},[],{"data":4345,"content":4346,"nodeType":2184},{},[4347],{"data":4348,"content":4349,"nodeType":1294},{},[4350,4353,4362],{"data":4351,"marks":4352,"value":37,"nodeType":1293},{},[],{"data":4354,"content":4356,"nodeType":1420},{"uri":4355},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/ghost_logins/description.md",[4357],{"data":4358,"marks":4359,"value":4361,"nodeType":1293},{},[4360],{"type":1371},"SAT1017 - Ghost 
logins",{"data":4363,"marks":4364,"value":37,"nodeType":1293},{},[],{"data":4366,"content":4367,"nodeType":2184},{},[4368],{"data":4369,"content":4370,"nodeType":1294},{},[4371,4374,4383],{"data":4372,"marks":4373,"value":37,"nodeType":1293},{},[],{"data":4375,"content":4377,"nodeType":1420},{"uri":4376},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/oauth_tokens/description.md",[4378],{"data":4379,"marks":4380,"value":4382,"nodeType":1293},{},[4381],{"type":1371},"SAT1027 - OAuth tokens",{"data":4384,"marks":4385,"value":37,"nodeType":1293},{},[],{"data":4387,"content":4388,"nodeType":2184},{},[4389],{"data":4390,"content":4391,"nodeType":1294},{},[4392,4395,4404],{"data":4393,"marks":4394,"value":37,"nodeType":1293},{},[],{"data":4396,"content":4398,"nodeType":1420},{"uri":4397},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/shadow_workflows/description.md",[4399],{"data":4400,"marks":4401,"value":4403,"nodeType":1293},{},[4402],{"type":1371},"SAT1033 - Shadow workflows",{"data":4405,"marks":4406,"value":37,"nodeType":1293},{},[],{"data":4408,"content":4409,"nodeType":1336},{},[4410],{"data":4411,"marks":4412,"value":4413,"nodeType":1293},{},[],"Investigating and detecting an Okta account compromise",{"data":4415,"content":4416,"nodeType":1294},{},[4417],{"data":4418,"marks":4419,"value":4420,"nodeType":1293},{},[],"The good news is there are multiple Okta log events that can be used for either investigating a breach or providing some detection mechanisms via a SIEM. 
Three key log events are as follows:",{"data":4422,"content":4423,"nodeType":2733},{},[4424,4439,4454],{"data":4425,"content":4426,"nodeType":2184},{},[4427],{"data":4428,"content":4429,"nodeType":1294},{},[4430,4435],{"data":4431,"marks":4432,"value":4434,"nodeType":1293},{},[4433],{"type":2677},"Show password event",{"data":4436,"marks":4437,"value":4438,"nodeType":1293},{},[]," - indicates when a user has clicked the reveal password button",{"data":4440,"content":4441,"nodeType":2184},{},[4442],{"data":4443,"content":4444,"nodeType":1294},{},[4445,4450],{"data":4446,"marks":4447,"value":4449,"nodeType":1293},{},[4448],{"type":2677},"Evaluation of sign-on policy",{"data":4451,"marks":4452,"value":4453,"nodeType":1293},{},[]," - occurs when the browser extension requests credentials",{"data":4455,"content":4456,"nodeType":2184},{},[4457],{"data":4458,"content":4459,"nodeType":1294},{},[4460,4465],{"data":4461,"marks":4462,"value":4464,"nodeType":1293},{},[4463],{"type":2677},"User single sign on to app",{"data":4466,"marks":4467,"value":4468,"nodeType":1293},{},[]," - occurs when a full app login is performed",{"data":4470,"content":4474,"nodeType":1385},{"target":4471},{"sys":4472},{"id":4473,"type":1364,"linkType":1365},"23G5QvwzgyTEJBJ33Ut7NJ",[],{"data":4476,"content":4477,"nodeType":1294},{},[4478],{"data":4479,"marks":4480,"value":4481,"nodeType":1293},{},[],"Using these events in a post-compromise situation could potentially significantly reduce the response actions required. 
If there is clear evidence that the attacker only accessed a limited number of applications, focus can be placed on disabling those accounts and removing potential backdoors, as opposed to having to perform containment procedures for every single application the user has access to.",{"data":4483,"content":4484,"nodeType":1344},{},[4485],{"data":4486,"marks":4487,"value":4488,"nodeType":1293},{},[],"Short time-window detection",{"data":4490,"content":4491,"nodeType":1294},{},[4492],{"data":4493,"marks":4494,"value":4495,"nodeType":1293},{},[],"While the events above are great for investigation, they are all expected events during normal use of Okta by a user. Perhaps the “show password” event may be rarer, but it would still not be completely unusual to see. ",{"data":4497,"content":4498,"nodeType":1294},{},[4499],{"data":4500,"marks":4501,"value":4502,"nodeType":1293},{},[],"This makes detection more difficult as defenders need to separate malicious logins from legitimate logins, a notoriously difficult task.",{"data":4504,"content":4505,"nodeType":1294},{},[4506],{"data":4507,"marks":4508,"value":4509,"nodeType":1293},{},[],"For proactive detection, one option would be to detect unusually large numbers of these events in a short time window for the same user account. This would be especially effective against automated tools. It would be much more unusual to see a legitimate user login to every app or reveal every password all in one go, or even all in one day. On the other hand, an attacker may seek to compromise all applications in a short time window.",{"data":4511,"content":4512,"nodeType":1294},{},[4513],{"data":4514,"marks":4515,"value":4516,"nodeType":1293},{},[],"Given below is an example of the flurry of logs generated by running our internal SWA password dumping tool shown earlier. 
You can see they are all generated in a very short time window:",{"data":4518,"content":4522,"nodeType":1385},{"target":4519},{"sys":4520},{"id":4521,"type":1364,"linkType":1365},"2PaCRx02gpTyYOiuJ85x9Y",[],{"data":4524,"content":4525,"nodeType":1294},{},[4526],{"data":4527,"marks":4528,"value":4529,"nodeType":1293},{},[],"The main difficulty here is picking sensible thresholds for the minimum number of apps and the maximum time window required to generate a detection event. These would likely need tuning per environment, based on how many applications a typical user has access to. Bear in mind that this is a volume heuristic: an attacker who deliberately paces their requests below the threshold will not trigger it, so it complements rather than replaces investigation of the individual events above.",{"data":4531,"content":4532,"nodeType":1294},{},[4533,4537,4546],{"data":4534,"marks":4535,"value":4536,"nodeType":1293},{},[],"For more general Okta detection rule options, consider checking out the Okta rules contained in the open-source ",{"data":4538,"content":4540,"nodeType":1420},{"uri":4539},"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta",[4541],{"data":4542,"marks":4543,"value":4545,"nodeType":1293},{},[4544],{"type":1371},"Sigma rule repository on GitHub",{"data":4547,"marks":4548,"value":3508,"nodeType":1293},{},[],{"data":4550,"content":4551,"nodeType":1336},{},[4552],{"data":4553,"marks":4554,"value":4555,"nodeType":1293},{},[],"Guidance for incident response",{"data":4557,"content":4558,"nodeType":1294},{},[4559],{"data":4560,"marks":4561,"value":4562,"nodeType":1293},{},[],"If there is one key takeaway from this article, it’s that responding to an Okta account compromise isn’t as simple as disabling the user’s Okta account and/or resetting passwords and MFA factors.",{"data":4564,"content":4565,"nodeType":1294},{},[4566],{"data":4567,"marks":4568,"value":4569,"nodeType":1293},{},[],"Once an attacker has compromised an Okta account, it should be initially assumed that all connected application accounts are also compromised, whether they use SAML, OIDC or SWA. 
",{"data":4571,"content":4572,"nodeType":1294},{},[4573],{"data":4574,"marks":4575,"value":4576,"nodeType":1293},{},[],"If SWA is used, incident responders should also explore whether those passwords are compromised and whether any other accounts that potentially share those passwords are compromised. ",{"data":4578,"content":4579,"nodeType":1294},{},[4580],{"data":4581,"marks":4582,"value":4583,"nodeType":1293},{},[],"We’re going to assume all applications/credentials were accessed for the following containment advice, as it’s likely that even moderately-skilled attackers would have tools to automate this. ",{"data":4585,"content":4586,"nodeType":1294},{},[4587],{"data":4588,"marks":4589,"value":4590,"nodeType":1293},{},[],"A full belt and braces containment exercise would involve the following activities:",{"data":4592,"content":4593,"nodeType":2733},{},[4594,4604,4614,4624],{"data":4595,"content":4596,"nodeType":2184},{},[4597],{"data":4598,"content":4599,"nodeType":1294},{},[4600],{"data":4601,"marks":4602,"value":4603,"nodeType":1293},{},[],"Disabling/resetting the Okta account",{"data":4605,"content":4606,"nodeType":2184},{},[4607],{"data":4608,"content":4609,"nodeType":1294},{},[4610],{"data":4611,"marks":4612,"value":4613,"nodeType":1293},{},[],"Disabling/resetting every single connected application account",{"data":4615,"content":4616,"nodeType":2184},{},[4617],{"data":4618,"content":4619,"nodeType":1294},{},[4620],{"data":4621,"marks":4622,"value":4623,"nodeType":1293},{},[],"Identifying any other accounts that may share compromised SWA passwords for investigation and disabling/resetting",{"data":4625,"content":4626,"nodeType":2184},{},[4627],{"data":4628,"content":4629,"nodeType":1294},{},[4630],{"data":4631,"marks":4632,"value":4633,"nodeType":1293},{},[],"Investigating every connected application account for signs of backdooring through multiple persistence 
techniques",{"data":4635,"content":4636,"nodeType":1294},{},[4637],{"data":4638,"marks":4639,"value":4640,"nodeType":1293},{},[],"The last point on investigating potential backdoors is particularly important because of the following reasons:",{"data":4642,"content":4643,"nodeType":2733},{},[4644,4676],{"data":4645,"content":4646,"nodeType":2184},{},[4647],{"data":4648,"content":4649,"nodeType":1294},{},[4650,4654,4662,4665,4673],{"data":4651,"marks":4652,"value":4653,"nodeType":1293},{},[],"Even if every application user account is temporarily disabled while passwords are reset etc, re-enabling the account could re-activate the attacker’s access if they have made use of persistence techniques like ",{"data":4655,"content":4656,"nodeType":1420},{"uri":4313},[4657],{"data":4658,"marks":4659,"value":4661,"nodeType":1293},{},[4660],{"type":1371},"API keys",{"data":4663,"marks":4664,"value":3496,"nodeType":1293},{},[],{"data":4666,"content":4667,"nodeType":1420},{"uri":4355},[4668],{"data":4669,"marks":4670,"value":4672,"nodeType":1293},{},[4671],{"type":1371},"ghost logins",{"data":4674,"marks":4675,"value":37,"nodeType":1293},{},[],{"data":4677,"content":4678,"nodeType":2184},{},[4679],{"data":4680,"content":4681,"nodeType":1294},{},[4682,4686,4694],{"data":4683,"marks":4684,"value":4685,"nodeType":1293},{},[],"Even if all application user accounts are disabled, even permanently, techniques like ",{"data":4687,"content":4688,"nodeType":1420},{"uri":4334},[4689],{"data":4690,"marks":4691,"value":4693,"nodeType":1293},{},[4692],{"type":1371},"link sharing",{"data":4695,"marks":4696,"value":4697,"nodeType":1293},{},[]," can enable attackers to maintain access to data because link sharing decouples the access from being reliant on control of a user 
account.",{"data":4699,"content":4700,"nodeType":1336},{},[4701],{"data":4702,"marks":4703,"value":4704,"nodeType":1293},{},[],"Impact",{"data":4706,"content":4707,"nodeType":1294},{},[4708],{"data":4709,"marks":4710,"value":4711,"nodeType":1293},{},[],"We’ve covered a lot of ground here, so let’s take a quick step back to understand the key points of impact:",{"data":4713,"content":4714,"nodeType":2733},{},[4715,4725,4735,4745,4755,4765],{"data":4716,"content":4717,"nodeType":2184},{},[4718],{"data":4719,"content":4720,"nodeType":1294},{},[4721],{"data":4722,"marks":4723,"value":4724,"nodeType":1293},{},[],"Attackers can extract passwords for SWA apps, even if password reveal has been disabled - to be clear, this is not a bug, it’s a technical limitation of how this style of password-manager login has to work: the extension must receive the plaintext password to fill the login form, so anything running with the user’s browser session can read it",{"data":4726,"content":4727,"nodeType":2184},{},[4728],{"data":4729,"content":4730,"nodeType":1294},{},[4731],{"data":4732,"marks":4733,"value":4734,"nodeType":1293},{},[],"SWA passwords set by administrators should not be considered secret from the users as they can be accessed via the extension API",{"data":4736,"content":4737,"nodeType":2184},{},[4738],{"data":4739,"content":4740,"nodeType":1294},{},[4741],{"data":4742,"marks":4743,"value":4744,"nodeType":1293},{},[],"Attackers gaining temporary control of an Okta user account can establish authenticated sessions with SAML/OIDC applications. ",{"data":4746,"content":4747,"nodeType":2184},{},[4748],{"data":4749,"content":4750,"nodeType":1294},{},[4751],{"data":4752,"marks":4753,"value":4754,"nodeType":1293},{},[],"These sessions won’t automatically be revoked if the Okta user account is disabled/reset in response to compromise - they have to be revoked at each application separately",{"data":4756,"content":4757,"nodeType":2184},{},[4758],{"data":4759,"content":4760,"nodeType":1294},{},[4761],{"data":4762,"marks":4763,"value":4764,"nodeType":1293},{},[],"There are multiple common attack techniques to gain persistent access to SaaS applications.  
",{"data":4766,"content":4767,"nodeType":2184},{},[4768],{"data":4769,"content":4770,"nodeType":1294},{},[4771],{"data":4772,"marks":4773,"value":4774,"nodeType":1293},{},[],"An attacker can potentially gain permanent access to many connected Okta applications even if efforts are made to reset individual application accounts",{"data":4776,"content":4777,"nodeType":1336},{},[4778],{"data":4779,"marks":4780,"value":2597,"nodeType":1293},{},[],{"data":4782,"content":4783,"nodeType":1294},{},[4784],{"data":4785,"marks":4786,"value":4787,"nodeType":1293},{},[],"While many of these attacks are not unique to Okta, it is one of the most widely used products because it supports many apps, but it supports these apps using methods that have very different risk profiles. ",{"data":4789,"content":4790,"nodeType":1294},{},[4791],{"data":4792,"marks":4793,"value":4794,"nodeType":1293},{},[],"From a security perspective (and whatever your chosen identity platform), our recommendation would be to use SAML (the strongest auth method) where possible. If that isn’t available, use OIDC. If neither is an option, use password managers (like SWA), which in practice leads to far fewer reused passwords - though, as shown above, those passwords remain recoverable by anyone holding the user’s Okta session. ",{"data":4796,"content":4797,"nodeType":1294},{},[4798],{"data":4799,"marks":4800,"value":4801,"nodeType":1293},{},[],"Unfortunately the state of the modern cloud app landscape means that you will be paying a lot more to get many apps using federated SSO, and even then many will still not support this at any license tier, so the use of passwords is still going to be part of the solution.",{"data":4803,"content":4804,"nodeType":1294},{},[4805],{"data":4806,"marks":4807,"value":4808,"nodeType":1293},{},[],"As we have seen in this article, an attacker can use a compromised SSO session to perform a number of follow-up attacks. 
Whether using SWA or SAML/OIDC, it’s possible to gain authenticated sessions on connected apps and also potentially backdoor access to them.",{"data":4810,"content":4811,"nodeType":1294},{},[4812],{"data":4813,"marks":4814,"value":4815,"nodeType":1293},{},[],"When using SWA, it’s additionally possible to extract SWA passwords even when password reveal is disabled and potentially gain access to passwords shared with other accounts. This requires additional actions as part of your breach recovery processes/playbooks.",{"data":4817,"content":4818,"nodeType":1294},{},[4819],{"data":4820,"marks":4821,"value":4822,"nodeType":1293},{},[],"There are multiple log events that can be used by security teams to investigate and respond to Okta account compromises and potentially detect them too. Additionally, strong incident response procedures need to be in place for dealing with compromised Okta or any other SSO accounts that factor in the ability for an attacker to move laterally to all the connected applications. 
Therefore, plans need to include revoking the attacker’s access to those applications as well and investigating them for signs of backdoor persistence techniques.",{"entries":4824},{"hyperlink":4825,"inline":4826,"block":4827},[],[],[4828,4836,4843,4850,4858,4866,4874,4880,4885,4892,4899,4906,4913,4920,4927],{"sys":4829,"__typename":4830,"title":4831,"caption":118,"layoutMode":118,"file":4832},{"id":3680},"Image","SWA for Salesforce ",{"url":4833,"width":4834,"height":4835},"https://images.ctfassets.net/y1cdw1ablpvd/3aoL5dRRGM3VL3k6GDXmHg/db100cfc57bf0fa34bd822d5f475984f/image10.png",1053,1007,{"sys":4837,"__typename":4838,"type":4839,"ctaText":4840,"buttonLabel":4841,"buttonColour":4842,"buttonUrl":118},{"id":3799},"CtaWidget","Demo","Learn how Push can help you secure identities across your org","Book a demo!","sunny orange",{"sys":4844,"__typename":4830,"title":4845,"caption":118,"layoutMode":118,"file":4846},{"id":3887},"SWA configuration",{"url":4847,"width":4848,"height":4849},"https://images.ctfassets.net/y1cdw1ablpvd/78s95OShHAzkXFlc7e14Hd/b6ac238115249a5fe71080bf0142a9dc/image13.png",682,293,{"sys":4851,"__typename":4830,"title":4852,"caption":4853,"layoutMode":118,"file":4854},{"id":3937},"SWA credential details","Administrators can disable password reveal on a per-app basis, as can be seen by unchecking the box here",{"url":4855,"width":4856,"height":4857},"https://images.ctfassets.net/y1cdw1ablpvd/3FrFNvcjFdBXGtf0ynfLZ/b4d0f5d15787e8a084faeca8512e2725/image8.png",684,243,{"sys":4859,"__typename":4830,"title":4860,"caption":4861,"layoutMode":118,"file":4862},{"id":3943},"Salesforce login","When password reveal is disabled, users see this message and cannot request the credentials through the Okta UI, although the extension API can still return them",{"url":4863,"width":4864,"height":4865},"https://images.ctfassets.net/y1cdw1ablpvd/6q0nLXJSCURTJWZblqT9vq/a69e68276777f1a9f3ad7ebe89ebc139/image6.png",326,532,{"sys":4867,"__typename":4830,"title":4868,"caption":4869,"layoutMode":118,"file":4870},{"id":3998},"Okta extension","Clicking the Salesforce 
login button triggers a web request which returns the data shown below (and which is visible to the user through for example the browser’s built-in devtools)",{"url":4871,"width":4872,"height":4873},"https://images.ctfassets.net/y1cdw1ablpvd/LyjRr43VyfcQWpzlV3EQ5/56081e155d8a3fcb8d3aa80def11ff26/image7.png",453,504,{"sys":4875,"__typename":4876,"name":4877,"type":4878,"syntax":4879},{"id":4004},"CodeBlockComponent","Salesforce web request data","json","GET /api/plugin/2/app/salesforce/0oa5ybnree2VPL6EA0x7/flow?plugin_version=6.20.0-73.101.0 HTTP/2\n\n\n{\n  \"scripts\": {\n    \"script\": [\n      {\n        \"action\": [\n          {\n            \"id\": \"username\",\n            \"value\": \"lukejennings@bugcrowdninja.com\",\n            ...\n          },\n          {\n                        \"id\": \"password\",\n                       \"value\": \"MySalesforcePassword1\",\n            ...\n          },\n          {\n            \"type\": \"click\",\n\n\n\n            \"element\": \"css=input[id=\\\"Login\\\"]\",\n            ...\n          }\n        ],\n        \"name\": \"Login\"\n      }\n    ]\n  },\n  \"urls\": {\n    \"match\": [\n      {\n        \"exact\": false,\n        \"isRegex\": false,\n        \"matchFrames\": false,\n        \"url\": \"https://login.salesforce.com\",\n        \"scriptName\": \"Login\"\n      }\n    ]\n  },\n  \"annotated\": false,\n  \"hasEncryptedValues\": false,\n  \"appName\": \"salesforce\",\n  \"signOnModeType\": \"BROWSER_PLUGIN\"\n}\n",{"sys":4881,"__typename":4838,"type":3597,"ctaText":4882,"buttonLabel":4883,"buttonColour":4884,"buttonUrl":118},{"id":2632},"See more original research and technical content from Push","Follow us on LinkedIn","orange",{"sys":4886,"__typename":4830,"title":4887,"caption":118,"layoutMode":118,"file":4888},{"id":4135},"Password reveal 
API",{"url":4889,"width":4890,"height":4891},"https://images.ctfassets.net/y1cdw1ablpvd/4mqIfbFwKPhLepm4he2skV/194964f3261c5a9e564899068049e54d/image3.png",676,130,{"sys":4893,"__typename":4830,"title":4894,"caption":118,"layoutMode":118,"file":4895},{"id":4141},"Password reveal API 2",{"url":4896,"width":4897,"height":4898},"https://images.ctfassets.net/y1cdw1ablpvd/66tquT2FlW6ZEkzwu3eGH1/292c902f9a364e2dc3b25506ac4ecb13/image11.png",1069,463,{"sys":4900,"__typename":4830,"title":4901,"caption":118,"layoutMode":118,"file":4902},{"id":4198},"Okta token storage",{"url":4903,"width":4904,"height":4905},"https://images.ctfassets.net/y1cdw1ablpvd/3JyyiqyemQR7HeztvdB98u/a35a82a49e4ef168579a52de66ea6892/image14.png",906,404,{"sys":4907,"__typename":4830,"title":4908,"caption":118,"layoutMode":118,"file":4909},{"id":4204},"Okta token storage 2",{"url":4910,"width":4911,"height":4912},"https://images.ctfassets.net/y1cdw1ablpvd/1gUig6FNPvlAqGaqSoBrbM/36afab96a0c4d2a1ec4ac64a7c34f066/image4.png",898,361,{"sys":4914,"__typename":4830,"title":4915,"caption":118,"layoutMode":118,"file":4916},{"id":4217},"Okta internal POC",{"url":4917,"width":4918,"height":4919},"https://images.ctfassets.net/y1cdw1ablpvd/naYWcydapvxMisBc4I0d2/41e0b5e816b38927354e39d39414d97f/image5.png",1999,350,{"sys":4921,"__typename":4830,"title":4922,"caption":118,"layoutMode":118,"file":4923},{"id":4473},"Okta log events",{"url":4924,"width":4925,"height":4926},"https://images.ctfassets.net/y1cdw1ablpvd/7g9KCqO9mqC9mxaJH4O8u5/8062fc4441cd42371c0a97642a6d8de5/image2.png",999,283,{"sys":4928,"__typename":4830,"title":4929,"caption":118,"layoutMode":118,"file":4930},{"id":4521},"Logs generated by our internal SWA password dumping tool",{"url":4931,"width":4932,"height":4933},"https://images.ctfassets.net/y1cdw1ablpvd/3Ok01IBCObf6bsLmOeWLA1/727605fae8500d4e9c2284299ea82617/image1.png",1016,724,"content:blog:okta-swa.json","content","blog/okta-swa.json","blog/okta-swa",1776359990263]