[{"data":1,"prerenderedAt":4586},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":95,"navbar-about-highlight":155,"navbar-resource-highlight":211,"use-case-page":256,"blog/oktajacking":1276},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8,59,76],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":14,"data":15,"variations":50,"lastUpdated":51,"firstPublished":52,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":54,"meta":55,"rev":58},1742213002749,"efff2a27faf4408e9f908eba4b5542fe","inductive-automation","1c6207a5f24948ab82d4a0b17f251193","published",[],{"testimonial":16,"description":43,"type":19,"link":44,"title":47,"testimonialLink":48,"image":49},{"@type":17,"id":18,"model":19,"value":20},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79","testimonial",{"query":21,"folders":22,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":26,"variations":30,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":35,"rev":42},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":27,"jobTitle":28,"quote":24,"image":29},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,1,"ST0tXQM8slWpFrmioqKHmENB2qe2",{"kind":36,"lastPreviewUrl":37,"breakpoints":38,"hasAutosaves":41},"data","",{"small":39,"medium":40},640,768,true,"3v32gocrrqz","Join the industry's top security minds as they break down the browser attack landscape.",{"url":45,"text":46},"https://pushsecurity.com/webinar/state-of-browser-security","Save Your Spot","State of Browser Attacks 
Series","/customer-stories/inductive-automation","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe94fca10aa7b46ac8052b7ea22de54cd",{},1776257019270,1742221533648,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2",[],{"breakpoints":56,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},320,"motto9r9yg",{"createdDate":60,"id":61,"name":62,"modelId":12,"published":13,"query":63,"data":64,"variations":69,"lastUpdated":70,"firstPublished":71,"testRatio":33,"createdBy":53,"lastUpdatedBy":72,"folders":73,"meta":74,"rev":58},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner",[],{"type":65,"url":66,"text":67,"link":68},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,"jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":36,"lastPreviewUrl":37,"breakpoints":75,"hasAutosaves":41},{"xsmall":57,"small":39,"medium":40},{"createdDate":77,"id":78,"name":79,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":80,"data":81,"variations":89,"lastUpdated":90,"firstPublished":91,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":92,"meta":93,"rev":58},1742208469288,"6763051b201f44a0838c6400c580ca67","Resource highlight",[],{"image":82,"type":83,"description":84,"link":85,"title":88},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9","resource","Learn about the latest techniques being used in the wild.",{"url":86,"text":87},"/resources/browser-attacks-report","Download now","Report: 2026 Browser Attack 
Techniques",{},1776255866789,1742208570400,[],{"kind":36,"lastPreviewUrl":37,"breakpoints":94,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},{"createdDate":96,"id":97,"name":98,"modelId":99,"published":13,"query":100,"data":101,"variations":145,"lastUpdated":146,"firstPublished":147,"testRatio":33,"createdBy":34,"lastUpdatedBy":148,"folders":149,"meta":150,"rev":154},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":102,"text":103,"url":37,"blocks":104,"state":141},"ewrererw","testrfesssssssssss",[105,129],{"@type":106,"@version":107,"id":108,"component":109,"responsiveStyles":119},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":110,"tag":110,"options":111,"isRSC":118},"TopBannerContent",{"text":112,"ctaText":46,"url":45,"mainText":113,"cta":116},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks",{"content":114,"fontSize":115},"\u003Cp>New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks\u003C/p>","text-base",{"content":117,"fontSize":115,"url":45},"\u003Cp>\u003Cstrong style=\"font-weight:700;\">Save Your 
Spot\u003C/strong>\u003C/p>\n",null,{"large":120},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"marginTop":126,"marginBottom":126,"fontSize":127,"fontWeight":128},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"id":130,"@type":106,"tagName":131,"properties":132,"responsiveStyles":136},"builder-pixel-08zrjigffq5t","img",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":137},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},"block","hidden","none",{"deviceSize":142,"location":143},"large",{"path":37,"query":144},{},{},1775137295127,1774968080803,"ax7YYfD0OCeqT1Vxxv1G4FUbqVr1",[],{"breakpoints":151,"hasLinks":6,"kind":152,"lastPreviewUrl":153,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests%2CmergePullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default","2lvuonnywj",[156,180],{"createdDate":157,"id":158,"name":159,"modelId":160,"published":13,"stageModifiedSincePublish":6,"query":161,"data":162,"variations":173,"lastUpdated":174,"firstPublished":175,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":176,
"meta":177,"rev":179},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":163,"type":19,"testimonialLink":48,"testimonial":164},{},{"@type":17,"id":18,"model":19,"value":165},{"query":166,"folders":167,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":168,"variations":169,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":170,"rev":172},[],[],{"author":27,"jobTitle":28,"quote":24,"image":29},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":171,"hasAutosaves":41},{"small":39,"medium":40},"7t755zfvte3",{},1776247404986,1776247404973,[],{"breakpoints":178,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"4moh0qpywtr",{"createdDate":181,"id":182,"name":88,"modelId":160,"published":13,"meta":183,"stageModifiedSincePublish":6,"query":185,"data":186,"variations":207,"lastUpdated":208,"firstPublished":209,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":210,"rev":179},1776255761419,"05a9322735fc427db12e2740e4302300",{"breakpoints":184,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[],{"testimonial":187,"link":206,"type":83,"title":88,"description":84,"image":82},{"@type":17,"id":188,"model":19,"value":189},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":190,"folders":191,"createdDate":192,"id":188,"name":193,"modelId":25,"published":13,"data":194,"variations":200,"lastUpdated":201,"firstPublished":202,"testRatio":33,"createdBy":34,"lastUpdatedBy":53,"meta":203,"rev":205},[],[],1728981467463,"Push does for identity what CrowdStrike did for the 
endpoint",{"video":195,"jobTitle":196,"author":197,"qoute":37,"quote":198,"image":199},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":36,"lastPreviewUrl":37,"breakpoints":204,"hasAutosaves":41},{"small":39,"medium":40},"6s8ic0w0ao6",{"text":87,"url":86},{},1776255810913,1776255810900,[],[212,235],{"createdDate":213,"id":214,"name":88,"modelId":215,"published":13,"meta":216,"stageModifiedSincePublish":6,"query":218,"data":219,"variations":230,"lastUpdated":231,"firstPublished":232,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":233,"rev":234},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":217,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[],{"testimonial":220,"link":229,"type":83,"title":88,"description":84,"image":82},{"@type":17,"id":188,"model":19,"value":221},{"query":222,"folders":223,"createdDate":192,"id":188,"name":193,"modelId":25,"published":13,"data":224,"variations":225,"lastUpdated":201,"firstPublished":202,"testRatio":33,"createdBy":34,"lastUpdatedBy":53,"meta":226,"rev":228},[],[],{"video":195,"jobTitle":196,"author":197,"qoute":37,"quote":198,"image":199},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":227,"hasAutosaves":41},{"small":39,"medium":40},"r77qqueuo3j",{"text":87,"url":86},{},1776256937553,1776256937540,[],"q0jkez80wkg",{"createdDate":236,"id":237,"name":11,"modelId":215,"published":13,"stageModifiedSincePublish":6,"query":238,"data":239,"variations
":250,"lastUpdated":251,"firstPublished":252,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":253,"meta":254,"rev":234},1776256949234,"ce043785b71b4ece98eac811ecf4ba10",[],{"link":240,"type":19,"testimonial":241,"testimonialLink":48},{},{"@type":17,"id":18,"model":19,"value":242},{"query":243,"folders":244,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":245,"variations":246,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":247,"rev":249},[],[],{"author":27,"jobTitle":28,"quote":24,"image":29},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":248,"hasAutosaves":41},{"small":39,"medium":40},"mnaneamy308",{},1776256974140,1776256974130,[],{"breakpoints":255,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[257,441,560,679,797,917,1037,1157],{"createdDate":258,"id":259,"name":260,"modelId":261,"published":13,"stageModifiedSincePublish":6,"query":262,"data":268,"variations":429,"lastUpdated":430,"firstPublished":431,"testRatio":33,"screenshot":432,"createdBy":34,"lastUpdatedBy":433,"folders":434,"meta":435,"rev":440},1744829487099,"387451215c314dd5bd654668cdc1a197","Zero-day phishing","cca4143377554c5a9163cc203a8ed2ba",[263],{"@type":264,"property":265,"operator":266,"value":267},"@builder.io/core:Query","urlPath","is","/uc/zero-day-phishing-protection",{"inputs":269,"customFonts":270,"seoTitle":318,"title":318,"tsCode":37,"seoDescription":319,"fontAwesomeIcon":320,"jsCode":37,"blocks":321,"url":267,"state":426},[],[271],{"family":272,"kind":273,"version":274,"lastModified":275,"files":276,"category":295,"menu":296,"subsets":297,"variants":300},"DM 
Sans","webfonts#webfont","v14","2023-07-13",{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"800italic":285,"900italic":286,"700italic":287,"100italic":288,"italic":289,"regular":290,"200italic":291,"500italic":292,"300italic":293,"600italic":294},"https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAop1hTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwA_JxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAkJxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAfJthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwARZthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAC5thTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8gCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9uCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDG3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19Dks
Vat-7DW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat_XDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9XCm3zRmYJpso5.ttf","sans-serif","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxRT23z.ttf",[298,299],"latin","latin-ext",[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"100","200","300","regular","500","600","800","900","100italic","200italic","300italic","italic","500italic","600italic","700italic","800italic","900italic","Zero-day phishing protection","Detect phishing TTPs directly in the browser and stop credential theft.","faFishingRod",[322,421],{"@type":106,"@version":107,"tagName":323,"id":324,"children":325},"div","builder-76c6b8d1499346c7bc1fd56ae4e93638",[326,343,351,358,370,385,396,407,413],{"@type":106,"@version":107,"layerName":327,"id":328,"component":329,"responsiveStyles":340},"UseCaseHero","builder-5228fe062bef4a40a91e43f1112832fa",{"name":327,"options":330,"isRSC":118},{"title":318,"description":331,"points":332,"video":339},"\u003Cp>Push detects phishing as it happens. Autonomous agents hunt for new phishing techniques, identify kit signatures, and deploy detections within minutes of a new attack being analyzed. 
From cloned login pages to AiTM credential harvesting, Push sees what traditional filters miss and stops threats before they escalate.\u003C/p>",[333,335,337],{"item":334},"Detect phishing that bypasses traditional filters, including AiTM, SSO password theft, and fake login pages",{"item":336},"Stop never-before-seen attacks with AI-native behavioral and on-page analysis inside the browser",{"item":338},"Investigate faster with unified browser, user, and page context","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F40433ceeb4f94b43a82e039a0f4fd411%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=40433ceeb4f94b43a82e039a0f4fd411&alt=media&optimized=true",{"large":341},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},"transparent",{"@type":106,"@version":107,"id":344,"component":345,"responsiveStyles":348},"builder-96634044407e491299e291ed64669e39",{"name":346,"options":347,"isRSC":118},"TrustedBy",{"AllPartners":41,"backgroundTransparent":6},{"large":349},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},"#000",{"@type":106,"@version":107,"id":352,"component":353,"responsiveStyles":356},"builder-2c3768f930534557bb8978e32b6a6a0f",{"name":354,"options":355,"isRSC":118},"Diagonal",{"darkMode":41},{"large":357},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":359,"id":360,"component":361,"responsiveStyles":368},"TextImageBlockVertical","builder-7c3c1c2840424db2ad2ccbfaf382dd64",{"name":359,"tag":359,"options":362,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":365,"description":366,"animatedTitle":37,"image":367,"reverse":6,"descriptionPaddingHorizontal":118},1200,800,"\u003Ch2>Why stop at the inbox?\u003C/h2>","\u003Cp>Phishing attacks have evolved. 
Whether attackers lure users with QR codes, instant messages, or OAuth consent screens, the outcome is the same: it plays out in the browser. Push gives you real-time detection for in-browser threats, stopping phishing and consent-based attacks before they lead to compromise.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7fdcac241f0e4a049166d7076858adeb",{"large":369},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":371,"component":372,"responsiveStyles":380},"builder-41c978b3669749cf947e622b4e79e4d7",{"name":373,"options":374,"isRSC":118},"TextImageBlockHorizontal",{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":377,"description":378,"reverse":41,"image":379},600,100,"\u003Ch2>Detect phishing at the edge\u003C/h2>","\u003Cp>Push uses industry-first telemetry to detect phishing based on behavior, not static indicators. Autonomous agents analyze how phishing pages behave and how users interact with them, uncovering fake logins, credential theft, and phishing kits the moment they load in the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F9df3d180c97b4e61af142af2ccd68721",{"large":381},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},"DM Sans, sans-serif","20px","0px",{"@type":106,"@version":107,"id":386,"component":387,"responsiveStyles":393},"builder-d2a7bc941feb43cdb898bc116b203cf9",{"name":373,"options":388,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":390,"description":391,"reverse":6,"image":392},120,"\u003Ch2>Go beyond blocklists and IOCs\u003C/h2>","\u003Cp>Push goes beyond URLs and easy-to-change indicators. 
It reads the full phishing playbook, including script behavior, session hijacks, DOM changes, and user inputs, then connects the dots in real time. This gives your team a complete picture of how the phishing attempt worked, not just an alert.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fabfd58db169b433e96d3f1261797156e",{"large":394},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},"36px",{"@type":106,"@version":107,"layerName":373,"id":397,"component":398,"responsiveStyles":404},"builder-42c32198083f4880acb37c5cb76934da",{"name":373,"options":399,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":401,"description":402,"reverse":41,"image":403},140,"\u003Ch2>Enhance your phishing response\u003C/h2>","\u003Cp>When phishing enters your environment, speed matters. Push gives you instant access to the telemetry that counts, including session data, user behavior, and page activity, so you can investigate fast, trigger in-browser prompts, or forward alerts to your SIEM or SOAR for response. 
All in real time, right from the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fbb195aec46904056b85e8688629e558e",{"large":405},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},"47px",{"@type":106,"@version":107,"id":408,"component":409,"responsiveStyles":411},"builder-9a95b9cbc4854421a92ef7b90f6c7adb",{"name":354,"options":410,"isRSC":118},{"darkMode":6},{"large":412},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":414,"component":415,"responsiveStyles":419},"builder-0afa17a9f25c4661a90f314d5578aa18",{"name":416,"tag":416,"options":417,"isRSC":118},"LatestResources",{"sectionHeading":37,"customClass":418},"bg-black",{"large":420},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":422,"@type":106,"tagName":131,"properties":423,"responsiveStyles":424},"builder-pixel-21yj6h3p4wh",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":425},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":427},{"path":37,"query":428},{},{},1776275046831,1745499158657,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fff60c30a8442489c8ed7e0af9599d14f","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"lastPreviewUrl":436,"winningTest":118,"breakpoints":437,"kind":438,"hasLinks":6,"originalContentId":439,"hasAutosaves":6},"https://pushsecurity.com/uc/zero-day-phishing-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&
builder.overrides.use-case-page=387451215c314dd5bd654668cdc1a197&builder.overrides.387451215c314dd5bd654668cdc1a197=387451215c314dd5bd654668cdc1a197&builder.overrides.use-case-page:/uc/zero-day-phishing-protection=387451215c314dd5bd654668cdc1a197&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},"page","2daa5670b8504fc7ba4700633e8bd921","atvz4dp24b7",{"createdDate":442,"id":443,"name":444,"modelId":261,"published":13,"stageModifiedSincePublish":6,"query":445,"data":448,"variations":552,"lastUpdated":553,"firstPublished":554,"testRatio":33,"screenshot":555,"createdBy":34,"lastUpdatedBy":433,"folders":556,"meta":557,"rev":440},1756833377777,"54f8256648f54d439303734b1e69221b","Browser extension security",[446],{"@type":264,"property":265,"operator":266,"value":447},"/uc/browser-extension-security",{"seoDescription":449,"jsCode":37,"fontAwesomeIcon":450,"tsCode":37,"title":444,"seoTitle":444,"customFonts":451,"inputs":456,"blocks":457,"url":447,"state":549},"Shine a light on risky browser extensions.","faPuzzlePiece",[452],{"kind":273,"family":272,"version":274,"files":453,"category":295,"lastModified":275,"subsets":454,"variants":455,"menu":296},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"100italic":288,"italic":289,"regular":290,"900italic":286,"800italic":285,"700italic":287,"200italic":291,"300italic":293,"500italic":292,"600italic":294},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],[],[458,544],{"@type":106,"@version":107,"tagName":323,"id":459,"meta":460,"children":461},"builder-71d0648c1d2f4ede8d0d0b5b28b7b94c",{"previousId":324},[462,478,485,492,501,511,521,531,538],{"@type":106,"@version":107,"id":463,"meta":464,"component":465,"responsiveStyles":476},"builder-ff325b4b8fad4edea53f38865947e854",{"previousId":328},{"name":327,"options":466,"isRSC":118},{"title":444,"description":467,"points":468,"video":475},"\u003Cp>Browser extensions introduce new code, new 
permissions, and new potential for risk. Many include AI features, and most go completely unnoticed. Push gives you full visibility into every extension used across your workforce, across major browsers, so you can uncover shadow IT, assess risky permissions, and block unsafe tools before they lead to compromise.\u003C/p>",[469,471,473],{"item":470},"Discover every browser extension in use",{"item":472},"Spot risky or unsanctioned behavior",{"item":474},"Make informed decisions on extension policy","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc538aad95d7f403aa3c3551af72f67c0?alt=media&token=1411fa6d-2eac-4e6c-94bf-ea117da12d67&apiKey=f3a1111ff5be48cdbb123cd9f5795a05",{"large":477},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":479,"meta":480,"component":481,"responsiveStyles":483},"builder-fb89d128c64e47cf9cbb11d90fc24523",{"previousId":344},{"name":346,"options":482,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":484},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":486,"meta":487,"component":488,"responsiveStyles":490},"builder-54388d35126c4d0096eeebaf8c4448cd",{"previousId":352},{"name":354,"options":489,"isRSC":118},{"darkMode":41},{"large":491},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":359,"id":493,"component":494,"responsiveStyles":499},"builder-3c8fa6785dd6466abf52a2470d66d85a",{"name":359,"tag":359,"options":495,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":496,"description":497,"image":498,"reverse":6},"\u003Ch2>Take control of browser extensions\u003C/h2>","\u003Cp>Attackers are increasingly using malicious browser extensions to gain access to data processed and stored in the browser. 
And the problem is, most security teams have no visibility into what extensions are being used. Push changes that. With browser-native telemetry, the Push extension continuously inventories browser extensions across your environment, flags the risky ones, and gives you intelligence to act.&nbsp;\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0a004f16a6874f4c8fdf14344acc9fec",{"large":500},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":502,"meta":503,"component":504,"responsiveStyles":509},"builder-93738f98109a4009affb349afd7bb182",{"previousId":371},{"name":373,"options":505,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":506,"description":507,"reverse":41,"image":508},"\u003Ch2>Discover every extension in use\u003C/h2>","\u003Cp>Push gives you structured, searchable data about every extension in your environment, so you’re not just seeing what’s there, but also understanding how it got there, what it can do, and who it affects. 
It’s the kind of granular insight that’s nearly impossible to get from traditional tools, and it lays the groundwork for better policy decisions and faster investigations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0e5727ca99474f14b1b7916bf6bbb782",{"large":510},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":512,"meta":513,"component":514,"responsiveStyles":519},"builder-83393acb12ee4fdd840839185b51edb4",{"previousId":386},{"name":373,"options":515,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":516,"description":517,"reverse":6,"image":518},"\u003Ch2>Spot risky or malicious extensions\u003C/h2>","\u003Cp>Push highlights extensions with dangerous permissions, broad access, or poor reputations. This includes AI extensions that request access far beyond what their stated purpose requires. You can quickly detect sideloaded, manually installed, or development-mode extensions that bypass normal controls. And because Push shows you who’s using them and where, you can respond precisely and effectively.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa104d58c8da34fbb8901f738fb21453b",{"large":520},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":522,"meta":523,"component":524,"responsiveStyles":529},"builder-da98e3de949646d89c53a0d1c2784664",{"previousId":397},{"name":373,"options":525,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":526,"description":527,"reverse":41,"image":528},"\u003Ch2>Accelerate security reviews\u003C/h2>","\u003Cp>Most teams have extension policies, they just don’t have the data to enforce them. 
Push reveals how each extension entered your environment, whether it was installed manually, sideloaded, or deployed in dev mode. You’ll see which users are running what, and where, so you can surface violations, investigate quickly, and respond with confidence.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F229f355be6f243b180f410d237a75bb3",{"large":530},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":532,"meta":533,"component":534,"responsiveStyles":536},"builder-1a689287d1a1418997d57db578a71105",{"previousId":408},{"name":354,"options":535,"isRSC":118},{"darkMode":6},{"large":537},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":539,"component":540,"responsiveStyles":542},"builder-feb4e75029f84c10b6498ef1f8f79128",{"name":416,"tag":416,"options":541,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":543},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":545,"@type":106,"tagName":131,"properties":546,"responsiveStyles":547},"builder-pixel-0edn39avfcei",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":548},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":550},{"path":37,"query":551},{},{},1776275365038,1757000441666,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8d496cf111644ee5afcc046b72d1ca5a",[],{"kind":438,"winningTest":118,"breakpoints":558,"lastPreviewUrl":559,"hasLinks":6,"originalContentId":259,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/browser-extension-security?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2Cc
reateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=54f8256648f54d439303734b1e69221b&builder.overrides.54f8256648f54d439303734b1e69221b=54f8256648f54d439303734b1e69221b&builder.overrides.use-case-page:/uc/browser-extension-security=54f8256648f54d439303734b1e69221b&builder.options.locale=Default",{"createdDate":561,"id":562,"name":563,"modelId":261,"published":13,"query":564,"data":567,"variations":670,"lastUpdated":671,"firstPublished":672,"testRatio":33,"screenshot":673,"createdBy":34,"lastUpdatedBy":674,"folders":675,"meta":676,"rev":440},1744923509705,"94bebb7bb99d48629ad157e80cf4d81d","Account takeover detection",[565],{"@type":264,"property":265,"operator":266,"value":566},"/uc/account-takeover-detection",{"title":563,"customFonts":568,"jsCode":37,"seoTitle":563,"seoDescription":573,"fontAwesomeIcon":574,"tsCode":37,"blocks":575,"url":566,"state":667},[569],{"kind":273,"category":295,"variants":570,"menu":296,"files":571,"family":272,"subsets":572,"version":274,"lastModified":275},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"300italic":293,"500italic":292,"800italic":285,"700italic":287,"italic":289,"900italic":286,"600italic":294,"200italic":291,"regular":290,"100italic":288},[298,299],"Stop ATO with stolen credential and compromised token 
detection.","faUserSecret",[576,662],{"@type":106,"@version":107,"tagName":323,"id":577,"meta":578,"children":579},"builder-e7913a774cae44c5a23d6081c5c30a52",{"previousId":324},[580,596,603,610,619,629,639,649,656],{"@type":106,"@version":107,"id":581,"meta":582,"component":583,"responsiveStyles":594},"builder-f1f1ab1601bc4c0f8c2a8aafd173675d",{"previousId":328},{"name":327,"options":584,"isRSC":118},{"title":563,"description":585,"points":586,"video":593},"\u003Cp>Attackers don’t need to phish; they just need a password that works. Push monitors for signs of credential-based attacks in real time, directly in the browser, catching account takeover attempts before the damage spreads. From ghost logins to credential stuffing, Push cuts off the paths attackers use to quietly slip in the back door.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[587,589,591],{"item":588},"Identify credential-based ATO as it unfolds",{"item":590},"Surface hijacked sessions and token misuse",{"item":592},"Strengthen authentication where your IdP 
can’t","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb4dd9db24bc9495b8a686b1b4d492016%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=b4dd9db24bc9495b8a686b1b4d492016&alt=media&optimized=true",{"large":595},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":597,"meta":598,"component":599,"responsiveStyles":601},"builder-0bc0d1c78ece4994993c3a6427a4d533",{"previousId":344},{"name":346,"options":600,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":602},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":604,"meta":605,"component":606,"responsiveStyles":608},"builder-e45de8f3768c4f16938dbf78e4e87524",{"previousId":352},{"name":354,"options":607,"isRSC":118},{"darkMode":41},{"large":609},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":611,"component":612,"responsiveStyles":617},"builder-c98e8bfd341146c1b67c02d5698ff093",{"name":359,"tag":359,"options":613,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":614,"description":615,"image":616,"reverse":6},"\u003Ch2>Assume less. See more.\u003C/h2>","\u003Cp>Most account takeovers don’t start with a breach, they start with a login. Whether it’s a reused password, a local account, or an outdated login flow, Push shows you how accounts are actually accessed day to day, not just how policies say they should be. 
That means no more blind spots around ghost logins, bypassed SSO, or stale access paths that quietly persist.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F18630ad2746d4eb7b7fcc0428b11a8f0",{"large":618},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":620,"meta":621,"component":622,"responsiveStyles":627},"builder-55c1fc38ddc04fd1a0d6a8e2fb819e00",{"previousId":371},{"name":373,"options":623,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":624,"description":625,"reverse":41,"image":626},"\u003Ch2>Catch stolen credential use in real time\u003C/h2>","\u003Cp>Push monitors login activity directly in the browser to detect signs of credential-based attacks like leaked password use or suspicious login flows. By analyzing attacker TTPs instead of relying on known indicators, Push spots credential stuffing and account takeover attempts the moment they begin, not after they’ve succeeded.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F52b0123cac2c4dfdb1dc0af6adf9d603",{"large":628},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":630,"meta":631,"component":632,"responsiveStyles":637},"builder-dfb31737b30948c6b95323655d571a50",{"previousId":386},{"name":373,"options":633,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":634,"description":635,"reverse":6,"image":636},"\u003Ch2>Detect session hijacks and stealth access\u003C/h2>","\u003Cp>Attackers don’t always need a login screen, they often sidestep it entirely using stolen session tokens. 
Push detects when valid sessions are reused in unexpected ways, identifying hijacked sessions and stealth access attempts that traditional tools miss. Because we monitor directly in the browser, you see what’s happening inside active sessions in real time.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F94a6859a99e04d309ffe5841f3dbdf5c",{"large":638},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":640,"meta":641,"component":642,"responsiveStyles":647},"builder-f7585b90eb974d03a7dc7eae5b58d227",{"previousId":397},{"name":373,"options":643,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":644,"description":645,"reverse":41,"image":646},"\u003Ch2>Harden accounts before they’re compromised\u003C/h2>","\u003Cp>Push goes beyond alerts. It identifies apps that still allow local logins, even when SSO is configured, so you can remove weak access paths. 
Push also flags users without MFA, reused work credentials, or weak passwords, and prompts users in-browser to fix risky behaviors before they’re exploited.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01c1b638f1b6497093a4f2b8ceddb5bb",{"large":648},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":650,"meta":651,"component":652,"responsiveStyles":654},"builder-ad81d1e3afec49a791214194eae09bdc",{"previousId":408},{"name":354,"options":653,"isRSC":118},{"darkMode":6},{"large":655},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":657,"component":658,"responsiveStyles":660},"builder-8dac1aa4b9d148628d92252bd8eff822",{"name":416,"tag":416,"options":659,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":661},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":663,"@type":106,"tagName":131,"properties":664,"responsiveStyles":665},"builder-pixel-s5u3wmvz7jq",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":666},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":668},{"path":37,"query":669},{},{},1770892814499,1745499162732,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F58b660fa94aa4b30b0faeb9b663ae41a","SfUPqW5tkibIPby49keNFMdHFTr1",[],{"lastPreviewUrl":677,"hasLinks":6,"originalContentId":259,"breakpoints":678,"winningTest":118,"kind":438,"hasAutosaves":41},"https://pushsecurity.com/uc/account-takeover-detection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepo
sitory%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.94bebb7bb99d48629ad157e80cf4d81d=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.use-case-page:/uc/account-takeover-detection=94bebb7bb99d48629ad157e80cf4d81d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":680,"id":681,"name":682,"modelId":261,"published":13,"query":683,"data":686,"variations":789,"lastUpdated":790,"firstPublished":791,"testRatio":33,"screenshot":792,"createdBy":34,"lastUpdatedBy":674,"folders":793,"meta":794,"rev":440},1745009370904,"23eb48fb56d3451cab77cb6ed140ee6d","Attack path hardening",[684],{"@type":264,"property":265,"operator":266,"value":685},"/uc/attack-path-hardening",{"tsCode":37,"seoDescription":687,"jsCode":37,"customFonts":688,"fontAwesomeIcon":693,"seoTitle":682,"title":682,"blocks":694,"url":685,"state":786},"Harden access paths with visibility, detection, and 
guardrails.",[689],{"kind":273,"files":690,"version":274,"lastModified":275,"subsets":691,"menu":296,"category":295,"variants":692,"family":272},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"regular":290,"italic":289,"800italic":285,"500italic":292,"600italic":294,"200italic":291,"900italic":286,"700italic":287,"100italic":288,"300italic":293},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"faRadar",[695,781],{"@type":106,"@version":107,"tagName":323,"id":696,"meta":697,"children":698},"builder-1d8553eddcaa44d7bba9e2f4ca13af2a",{"previousId":577},[699,715,722,729,738,748,758,768,775],{"@type":106,"@version":107,"id":700,"meta":701,"component":702,"responsiveStyles":713},"builder-84fe3d7c85a743cf8cef649aa974f1ef",{"previousId":581},{"name":327,"options":703,"isRSC":118},{"title":682,"description":704,"points":705,"video":712},"\u003Cp>Push continuously monitors your environment for exposed login paths, weak credentials, and missing protections like MFA. 
It detects the gaps attackers exploit and helps you close them before they’re used.\u003C/p>",[706,708,710],{"item":707},"Find weak spots like reused passwords, local logins, and missing MFA",{"item":709},"Monitor how users actually log in across apps, flows, and tools",{"item":711},"Enforce secure access with in-browser guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fdbdcf52892034f1bbddded77f753a343%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=dbdcf52892034f1bbddded77f753a343&alt=media&optimized=true",{"large":714},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":716,"meta":717,"component":718,"responsiveStyles":720},"builder-b3f66f5b08054cc78a06fecfc3ae2337",{"previousId":597},{"name":346,"options":719,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":721},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":723,"meta":724,"component":725,"responsiveStyles":727},"builder-4c73418b84be49ed85e6e13d2625c5a0",{"previousId":604},{"name":354,"options":726,"isRSC":118},{"darkMode":41},{"large":728},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":730,"component":731,"responsiveStyles":736},"builder-dec0246085e1485c803f7152b1922a81",{"name":359,"tag":359,"options":732,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":733,"description":734,"image":735,"reverse":6},"\u003Ch2>Find the gaps that lead to compromise\u003C/h2>","\u003Cp>Misconfigurations don’t show up in your config files, they show up in how users actually access apps. 
Push monitors real login behavior in the browser, surfacing risky patterns like local login access, duplicate accounts, or missing protections that leave doors wide open.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F309a59bba8d247a19476bb369397460e",{"large":737},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":739,"meta":740,"component":741,"responsiveStyles":746},"builder-ebf049a645604a249550996a88f8f3b6",{"previousId":620},{"name":373,"options":742,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":743,"description":744,"reverse":41,"image":745},"\u003Ch2>See real login behavior\u003C/h2>","\u003Cp>Push watches authentication flows as they happen, giving you a live view of how users log in, which methods they choose, and where protections like MFA are missing. Plus, uncover every app and account in use, even shadow IT you didn’t know existed, without relying on stale config files or IdP assumptions. \u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb51f6b0357cc451b87a7a5016d984e5e",{"large":747},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":749,"meta":750,"component":751,"responsiveStyles":756},"builder-431d175c59004669b0b2776b07d71737",{"previousId":630},{"name":373,"options":752,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":753,"description":754,"reverse":6,"image":755},"\u003Ch2>Find and fix posture drift\u003C/h2>","\u003Cp>Security posture isn’t static. Push continuously monitors for issues like missing MFA or legacy login methods. 
When something falls out of policy, you know immediately with custom notifications so you can act before it turns into risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F324e39127dfc41e592b1183dfb39892d",{"large":757},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":759,"meta":760,"component":761,"responsiveStyles":766},"builder-3dffdcbe0a484e2ca4c03f019b6d40ee",{"previousId":640},{"name":373,"options":762,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":763,"description":764,"reverse":41,"image":765},"\u003Ch2>Guide users with in-browser guardrails\u003C/h2>","\u003Cp>Push doesn’t just surface problems, it helps you fix them. When users sign in without MFA, reuse a password, or use insecure credentials, Push prompts them directly in the browser to secure their access. It’s faster, more effective, and actually gets 
results.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fee8b75d13e45488aba55434a8b49ebb0",{"large":767},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":769,"meta":770,"component":771,"responsiveStyles":773},"builder-976bc222cd7647ff905f1e01cfedc453",{"previousId":650},{"name":354,"options":772,"isRSC":118},{"darkMode":6},{"large":774},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":776,"component":777,"responsiveStyles":779},"builder-8c47ec2fd0f74382bb3e6c870555632c",{"name":416,"tag":416,"options":778,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":780},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":782,"@type":106,"tagName":131,"properties":783,"responsiveStyles":784},"builder-pixel-7akm7dayau8",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":785},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":787},{"path":37,"query":788},{},{},1770892844854,1745499166112,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6ca12bf728a045f1a31d40c0beb3bfe5",[],{"kind":438,"lastPreviewUrl":795,"breakpoints":796,"hasLinks":6,"originalContentId":562,"winningTest":118,"hasAutosaves":6},"https://pushsecurity.com/uc/attack-path-hardening?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&buil
der.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.23eb48fb56d3451cab77cb6ed140ee6d=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.use-case-page:/uc/attack-path-hardening=23eb48fb56d3451cab77cb6ed140ee6d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":798,"id":799,"name":800,"modelId":261,"published":13,"query":801,"data":804,"variations":909,"lastUpdated":910,"firstPublished":911,"testRatio":33,"screenshot":912,"createdBy":34,"lastUpdatedBy":674,"folders":913,"meta":914,"rev":440},1761675020232,"ea4f309d2ffe46c5aa97ebf0fda4e2e3","ClickFix Protection",[802],{"@type":264,"property":265,"operator":266,"value":803},"/uc/clickfix-protection",{"seoDescription":805,"fontAwesomeIcon":806,"customFonts":807,"seoTitle":812,"jsCode":37,"tsCode":37,"title":812,"blocks":813,"url":803,"state":906},"Block attacks that trick users into running malicious code.","faLaptopCode",[808],{"files":809,"subsets":810,"menu":296,"version":274,"kind":273,"family":272,"lastModified":275,"variants":811,"category":295},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"200italic":291,"800italic":285,"700italic":287,"600italic":294,"100italic":288,"italic":289,"regular":290,"300italic":293,"500italic":292,"900italic":286},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"ClickFix 
protection",[814,901],{"@type":106,"@version":107,"tagName":323,"id":815,"meta":816,"children":817},"builder-d7eefdde0f2a4b2b9de3dcb2978fd6cb",{"previousId":696},[818,834,841,848,858,868,878,888,895],{"@type":106,"@version":107,"id":819,"meta":820,"component":821,"responsiveStyles":832},"builder-56e2c54bcce040a4af8b92ae03706c12",{"previousId":700},{"name":327,"options":822,"isRSC":118},{"title":812,"description":823,"points":824,"image":831},"\u003Cp>ClickFix attacks are one of the fastest-growing threats, tricking users into copying malicious code from a webpage and running it locally. Because the user copies and runs the code themselves, the lure sidesteps email gateways and network filters, and EDR only sees the payload once it is already running on the endpoint, which is how these attacks lead directly to ransomware and data theft. Push stops this attack at the source, in the browser, by detecting and blocking the malicious behavior before the user can ever paste the code.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[825,827,829],{"item":826},"Detect ClickFix, FileFix, and fake CAPTCHA in the browser",{"item":828},"Block malicious copy-and-paste actions before code is executed",{"item":830},"See full telemetry into which users were targeted and what they 
saw","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b74af62889847ebb3927364485b0546",{"large":833},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":835,"meta":836,"component":837,"responsiveStyles":839},"builder-05f9614d4e3e4dc88b3ee8658f54e10e",{"previousId":716},{"name":346,"options":838,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":840},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":842,"meta":843,"component":844,"responsiveStyles":846},"builder-c4fb5179366243c1b6c32d368675cf47",{"previousId":723},{"name":354,"options":845,"isRSC":118},{"darkMode":41},{"large":847},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":849,"meta":850,"component":851,"responsiveStyles":856},"builder-261af50705fd445d8cca4a6ba20d5391",{"previousId":730},{"name":359,"tag":359,"options":852,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":853,"description":854,"reverse":6,"image":855},"\u003Ch2>Stop ClickFix-style attacks before they become a breach\u003C/h2>","\u003Cp>Traditional security tools are blind to malicious copy and paste attacks because the attack exploits a gap between the browser and the endpoint. 
EDR only sees the payload after it runs, and network tools see only part of the picture.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F98b2f7e08dec4eafaf8e24937605b8cf",{"large":857},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":859,"meta":860,"component":861,"responsiveStyles":866},"builder-7d21b8aab8064c40b1e5dd23c4749309",{"previousId":739},{"name":373,"options":862,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":863,"description":864,"reverse":41,"image":865},"\u003Ch2>Discover lures at the source\u003C/h2>","\u003Cp>Push inspects page behavior to identify ClickFix attacks as they happen. By inspecting the page, its structure, and how the user interacts with it, Push can detect and block these in-browser threats in real time. This deep, TTP-based inspection spots the trap even on novel pages that are built to bypass traditional web filters and blocklists.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F665bf47e01544c75bf9ddafd3917927b",{"large":867},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":869,"meta":870,"component":871,"responsiveStyles":876},"builder-fb91943adf6149259ed9e1e6566c9afe",{"previousId":749},{"name":373,"options":872,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":873,"description":874,"reverse":6,"image":875},"\u003Ch2>Block the malicious action\u003C/h2>","\u003Cp>When Push detects a malicious script, it intercepts the user's action and blocks the code from being copied to the clipboard. The user is protected, the attack is stopped, and no malicious code ever reaches the endpoint. 
Unlike broad DLP tools, this action is surgical, targeting only malicious behavior without disrupting normal work.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F5ee68f81f1ac416685cbfe91298cf827",{"large":877},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":879,"meta":880,"component":881,"responsiveStyles":886},"builder-bfac95fada864e5a8259b955b5b5f98b",{"previousId":759},{"name":373,"options":882,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":883,"description":884,"reverse":41,"image":885},"\u003Ch2>Accelerate ClickFix investigations\u003C/h2>","\u003Cp>When an attack happens, knowing what the user saw or did is critical. Push provides rich browser session data for rapid investigation and containment. Security teams get detailed telemetry on which users were targeted, what lure they were served, and when the block occurred. 
This enables defenders to reconstruct what happened and respond quickly, even when other tools miss the activity entirely.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6cdf2a8aeddc4e9a9023cbf974e40239",{"large":887},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":889,"meta":890,"component":891,"responsiveStyles":893},"builder-136892e831684a6987f87d3be67c33d1",{"previousId":769},{"name":354,"options":892,"isRSC":118},{"darkMode":6},{"large":894},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":896,"component":897,"responsiveStyles":899},"builder-dec26b739f2f42beb5a73cfc6c675b60",{"name":416,"tag":416,"options":898,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":900},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":902,"@type":106,"tagName":131,"properties":903,"responsiveStyles":904},"builder-pixel-zzjpxxgrc2l",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":905},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":907},{"path":37,"query":908},{},{},1770892881888,1761847585203,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F375467b8bef34ed1a8a1cc5b8b67d75f",[],{"lastPreviewUrl":915,"originalContentId":681,"winningTest":118,"hasLinks":6,"kind":438,"breakpoints":916,"hasAutosaves":6},"https://pushsecurity.com/uc/clickfix-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.u
ser.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.ea4f309d2ffe46c5aa97ebf0fda4e2e3=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.use-case-page:/uc/clickfix-protection=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":918,"id":919,"name":920,"modelId":261,"published":13,"query":921,"data":924,"variations":1029,"lastUpdated":1030,"firstPublished":1031,"testRatio":33,"screenshot":1032,"createdBy":34,"lastUpdatedBy":674,"folders":1033,"meta":1034,"rev":440},1745009743870,"a9d5556e77f84a37b5bd52310a7110c1","Incident response",[922],{"@type":264,"property":265,"operator":266,"value":923},"/uc/incident-response",{"seoDescription":925,"customFonts":926,"title":920,"jsCode":37,"fontAwesomeIcon":931,"seoTitle":932,"tsCode":37,"blocks":933,"url":923,"state":1026},"Investigate and respond faster with unique browser telemetry.",[927],{"kind":273,"subsets":928,"menu":296,"variants":929,"category":295,"family":272,"version":274,"lastModified":275,"files":930},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"900italic":286,"600italic":294,"200italic":291,"300italic":293,"100italic":288,"700italic":287,"800italic":285,"regular":290,"italic":289,"500italic":292},"faSatelliteDish","Browser based incident 
response",[934,1021],{"@type":106,"@version":107,"tagName":323,"id":935,"meta":936,"children":937},"builder-653c4aed737b4def88dc4cd2d695660a",{"previousId":696},[938,955,962,969,978,988,998,1008,1015],{"@type":106,"@version":107,"id":939,"meta":940,"component":941,"responsiveStyles":953},"builder-18190bd36518467d9154d27d7e945b9b",{"previousId":700},{"name":327,"options":942,"isRSC":118},{"title":943,"description":944,"points":945,"video":952},"Browser-based incident response","\u003Cp>Push gives you real-time visibility into what actually happened during a breach, right in the browser where the attack played out. From credential theft to session hijacking, Push captures high-fidelity telemetry so you can investigate quickly, contain confidently, and shut it down before it spreads.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[946,948,950],{"item":947},"Reconstruct what happened with real browser session context",{"item":949},"Investigate faster with structured, exportable browser telemetry",{"item":951},"Trigger response actions automatically through your SIEM or 
SOAR","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fd00e39d3b6e346c296261d875cf55652%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=d00e39d3b6e346c296261d875cf55652&alt=media&optimized=true",{"large":954},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":956,"meta":957,"component":958,"responsiveStyles":960},"builder-8a0a8ea63f5d48dd8a6726f2d49cf0ca",{"previousId":716},{"name":346,"options":959,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":961},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":963,"meta":964,"component":965,"responsiveStyles":967},"builder-2df65c3f54334df2b26e7cb744886cdc",{"previousId":723},{"name":354,"options":966,"isRSC":118},{"darkMode":41},{"large":968},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":970,"component":971,"responsiveStyles":976},"builder-2c32c869efc2423ab69ef06b150e9f97",{"name":359,"tag":359,"options":972,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":973,"description":974,"image":975,"reverse":6},"\u003Ch2>See attacks unfold, not just their aftermath\u003C/h2>","\u003Cp>Attacks happen in the browser, not in logs. Push captures what traditional tools miss: what users clicked, what loaded, what was entered, and how attackers moved. 
That gives you real-world evidence, not just assumptions, when every second matters.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F36fc719bd1de4a38b916f4d25c81a26d",{"large":977},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":979,"meta":980,"component":981,"responsiveStyles":986},"builder-370e53c6016e432db01e9193a2ce90f6",{"previousId":739},{"name":373,"options":982,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":983,"description":984,"reverse":41,"image":985},"\u003Ch2>Investigate faster with high-fidelity data\u003C/h2>","\u003Cp>Reconstructing an incident shouldn’t feel like guesswork. Push records detailed telemetry from inside the browser: page loads, credential inputs, DOM changes, session activity, user behavior. It’s structured, exportable, and ready to plug into your investigation workflows, so you can move fast without digging through proxy logs or relying on user reports.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa6adda040e684e67a8d68a55c5ce5f6d",{"large":987},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":989,"meta":990,"component":991,"responsiveStyles":996},"builder-a7f3767a8d184bd08fb24520bf210e95",{"previousId":749},{"name":373,"options":992,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":993,"description":994,"reverse":6,"image":995},"\u003Ch2>Contain and respond in real time\u003C/h2>","\u003Cp>When something looks off, Push doesn’t just alert you, it gives you options. Guide users with in-browser prompts. Terminate sessions. Trigger SOAR workflows. Enrich SIEM alerts. 
Push gives you the context and control to stop spread before it starts.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb3dedeed5aba4847a2c2d22e10d0ec12",{"large":997},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":999,"meta":1000,"component":1001,"responsiveStyles":1006},"builder-b92036ee0ece4b32acdbdcc7c377366b",{"previousId":759},{"name":373,"options":1002,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1003,"description":1004,"reverse":41,"image":1005},"\u003Ch2>Prevent the next one\u003C/h2>","\u003Cp>Push helps you respond fast, but it also helps you fix what went wrong. It surfaces misconfigurations and risky behaviors that made the attack possible in the first place, then guides users in-browser to remediate. One tool. Full loop. No loose ends.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc1ecc2d5d3814b62b072fac01827ff96",{"large":1007},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1009,"meta":1010,"component":1011,"responsiveStyles":1013},"builder-5e8ae39655274de89da32ab573a2525a",{"previousId":769},{"name":354,"options":1012,"isRSC":118},{"darkMode":6},{"large":1014},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1016,"component":1017,"responsiveStyles":1019},"builder-dfd6850cfb4741d2b8a0c16c2780f00a",{"name":416,"tag":416,"options":1018,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1020},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1022,"@type":106,"tagName":131,"properties":1023,"responsiveStyles":1024},"builder-pixel-z197gdgcmu",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"lar
ge":1025},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1027},{"path":37,"query":1028},{},{},1770892908052,1745427419274,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb07017bfd318431690a5bb35bda35b99",[],{"kind":438,"breakpoints":1035,"originalContentId":681,"winningTest":118,"lastPreviewUrl":1036,"hasLinks":6,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/incident-response?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.a9d5556e77f84a37b5bd52310a7110c1=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.use-case-page:/uc/incident-response=a9d5556e77f84a37b5bd52310a7110c1&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"createdDate":1038,"id":1039,"name":1040,"modelId":261,"published":13,"query":1041,"data":1044,"variations":1149,"lastUpdated":1150,"firstPublished":1151,"testRatio":33,"screenshot":1152,"createdBy":34,"lastUpdatedBy":674,"folders":1153,"meta":1154,"rev":440},1746122471259,"5f118e24433d46ceb79f5099987156d7","Shadow SaaS",[1042],{"@type":264,"property":265,"operator":266,"value":1043},"/uc/shadow-saas",{"seoTitle":1045,"seoDescription":1046,"customFonts":1047,"fontAwesomeIcon":1052,"title":1053,"jsCode":37,"tsCode":37,"blocks":1054,"url":1043,"state":1146},"Find and secure shadow SaaS","See and 
control shadow SaaS in the browser.",[1048],{"kind":273,"variants":1049,"files":1050,"family":272,"version":274,"subsets":1051,"lastModified":275,"category":295,"menu":296},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"300italic":293,"500italic":292,"regular":290,"900italic":286,"italic":289,"100italic":288,"200italic":291,"600italic":294,"700italic":287,"800italic":285},[298,299],"faShieldCheck","Secure shadow SaaS",[1055,1141],{"@type":106,"@version":107,"tagName":323,"id":1056,"meta":1057,"children":1058},"builder-04da805c4cd34652a2db452fcda52e1d",{"previousId":935},[1059,1075,1082,1089,1098,1108,1118,1128,1135],{"@type":106,"@version":107,"id":1060,"meta":1061,"component":1062,"responsiveStyles":1073},"builder-830d414faeaf41439142f9157e8288c8",{"previousId":939},{"name":327,"options":1063,"isRSC":118},{"title":1045,"description":1064,"points":1065,"video":1072},"\u003Cp>SaaS sprawl is one of today’s fastest-growing security blind spots because most tools monitor around the edges. Push sees it at the source, in the browser, revealing every app users access, flagging risky tools, and helping you shut down exposure before it leads to a breach. No guesswork. No nasty surprises. 
Just real-time visibility and control.\u003C/p>",[1066,1068,1070],{"item":1067},"Discover every SaaS app users access, managed or not",{"item":1069},"Spot accounts with weak security postures like missing MFA, unmanaged access, and no SSO",{"item":1071},"Control usage with in-browser prompts, blocks, and security guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F3e4eece318d04d6586e691d59d0741cf%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=3e4eece318d04d6586e691d59d0741cf&alt=media&optimized=true",{"large":1074},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":1076,"meta":1077,"component":1078,"responsiveStyles":1080},"builder-cd7833f966cb4c7e8adf0d6c979414a6",{"previousId":956},{"name":346,"options":1079,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":1081},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":1083,"meta":1084,"component":1085,"responsiveStyles":1087},"builder-49d720b45430454e8b08c526f267c19f",{"previousId":963},{"name":354,"options":1086,"isRSC":118},{"darkMode":41},{"large":1088},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1090,"component":1091,"responsiveStyles":1096},"builder-3dde0bf6c8544e5e9ab41b18a9d68034",{"name":359,"tag":359,"options":1092,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":1093,"description":1094,"image":1095,"reverse":6},"\u003Ch2>Use your browser to curb Saas Sprawl\u003C/h2>","\u003Cp>Shadow SaaS isn’t hiding in your network, it’s in your browser. From AI tools to unsanctioned file-sharing sites, security risks live in the apps your users sign into every day. 
Push maps your organization's true SaaS footprint in real time, exposing apps and accounts with unmanaged access, poor authentication, or no security oversight.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb6811a214c7949b6bbe0b9a3bca62efd",{"large":1097},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1099,"meta":1100,"component":1101,"responsiveStyles":1106},"builder-e2420451ccdc4f088d0a4904cff45935",{"previousId":979},{"name":373,"options":1102,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":1103,"description":1104,"reverse":41,"image":1105},"\u003Ch2>Discover hidden SaaS usage\u003C/h2>","\u003Cp>Push captures live browser telemetry across every tab and session. Whether a user signs into a sanctioned app with a personal account or tries a new AI plugin, you’ll see it in real time, with no integrations or manual tagging.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe16e301f9af94665b95d98232a863d8a",{"large":1107},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":1109,"meta":1110,"component":1111,"responsiveStyles":1116},"builder-b36de7fce7994beea9e58d94662e7166",{"previousId":989},{"name":373,"options":1112,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":1113,"description":1114,"reverse":6,"image":1115},"\u003Ch2>Spot risky access and unsafe usage\u003C/h2>","\u003Cp>Discovery is just the beginning. Push flags apps with risky traits, no MFA, no SSO, known vulnerabilities, or broad access scopes. 
You’ll know which tools introduce real risk, and which users are exposed so you can act with precision.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6585f3c242da4d70ae3cb7d02f481bef",{"large":1117},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":1119,"meta":1120,"component":1121,"responsiveStyles":1126},"builder-dc366b5134684fe7a508edf8913103ea",{"previousId":999},{"name":373,"options":1122,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1123,"description":1124,"reverse":41,"image":1125},"\u003Ch2>Close gaps before they grow\u003C/h2>","\u003Cp>Push turns insight into action. When risky SaaS use is detected, guide users to enable MFA, block high-risk apps, or apply in-browser guardrails automatically. All without deploying new infrastructure or managing dozens of integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe6d60b6d91414819bc6258a318f00557",{"large":1127},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1129,"meta":1130,"component":1131,"responsiveStyles":1133},"builder-8708f6f0d8da4b3f9e17bf16cda70219",{"previousId":1009},{"name":354,"options":1132,"isRSC":118},{"darkMode":6},{"large":1134},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1136,"component":1137,"responsiveStyles":1139},"builder-8ff4b38d60534cf28cb523ab0f754875",{"name":416,"tag":416,"options":1138,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1140},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1142,"@type":106,"tagName":131,"properties":1143,"responsiveStyles":1144},"builder-pixel-d1ul2kmxbed",{"src":133,"aria-hidden":134,"alt":37,"role":135,"w
idth":124,"height":124},{"large":1145},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1147},{"path":37,"query":1148},{},{},1770892936802,1746714967208,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01bfb2304521412fbd2e1a1180904d40",[],{"originalContentId":919,"winningTest":118,"lastPreviewUrl":1155,"breakpoints":1156,"kind":438,"hasLinks":6,"hasAutosaves":6},"https://pushsecurity.com/uc/shadow-saas?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=5f118e24433d46ceb79f5099987156d7&builder.overrides.5f118e24433d46ceb79f5099987156d7=5f118e24433d46ceb79f5099987156d7&builder.overrides.use-case-page:/uc/shadow-saas=5f118e24433d46ceb79f5099987156d7&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":1158,"id":1159,"name":1160,"modelId":261,"published":13,"query":1161,"data":1164,"variations":1268,"lastUpdated":1269,"firstPublished":1270,"testRatio":33,"screenshot":1271,"createdBy":34,"lastUpdatedBy":674,"folders":1272,"meta":1273,"rev":440},1764707470172,"b62629ce2f3741158d961cd10fe74b31","Shadow AI",[1162],{"@type":264,"property":265,"operator":266,"value":1163},"/uc/shadow-ai",{"fontAwesomeIcon":1165,"seoTitle":1166,"jsCode":37,"customFonts":1167,"title":1172,"tsCode":37,"seoDescription":1173,"blocks":1174,"url":1163,"state":1265},"faBrainCircuit","Secure AI 
native and AI enhanced apps. ",[1168],{"variants":1169,"category":295,"files":1170,"subsets":1171,"family":272,"kind":273,"menu":296,"lastModified":275,"version":274},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"800italic":285,"regular":290,"700italic":287,"200italic":291,"italic":289,"500italic":292,"600italic":294,"300italic":293,"100italic":288,"900italic":286},[298,299],"Secure shadow AI","See and control shadow AI apps in the browser.",[1175,1260],{"@type":106,"@version":107,"tagName":323,"id":1176,"meta":1177,"children":1178},"builder-a6e5717a2c914d5695058e4ee201a05d",{"previousId":1056},[1179,1195,1202,1209,1219,1228,1237,1247,1254],{"@type":106,"@version":107,"id":1180,"meta":1181,"component":1182,"responsiveStyles":1193},"builder-3e0ed678683f4a0eb7aa00253cf263b2",{"previousId":1060},{"name":327,"options":1183,"isRSC":118},{"title":1172,"description":1184,"points":1185,"image":1192},"\u003Cp>Your employees are adopting AI faster than you can track it. From native features in corporate apps to unapproved shadow tools, it’s all happening in the browser. 
Push detects every AI interaction in real time, letting you categorize apps and enforce acceptable use policies in the browser.\u003C/p>",[1186,1188,1190],{"item":1187},"Map every AI tool used across your workforce",{"item":1189},"Review and classify apps by sensitivity, purpose, and policy status",{"item":1191},"Enforce AI usage rules directly in the browser","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F33cf153d920f4e389f3650253577cff7",{"large":1194},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":1196,"meta":1197,"component":1198,"responsiveStyles":1200},"builder-76968f8471d14893b8189d75b08fb426",{"previousId":1076},{"name":346,"options":1199,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":1201},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":1203,"meta":1204,"component":1205,"responsiveStyles":1207},"builder-b55b9d4bc5a649d8839ce7f6c2043d95",{"previousId":1083},{"name":354,"options":1206,"isRSC":118},{"darkMode":41},{"large":1208},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1210,"meta":1211,"component":1212,"responsiveStyles":1217},"builder-c3f38ef4d75d4989a29b5903175ed8a1",{"previousId":1090},{"name":359,"tag":359,"options":1213,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":1214,"description":1215,"image":1216,"reverse":6},"\u003Ch2>Use your browser to govern AI \u003C/h2>","\u003Cp>The AI footprint inside your company is bigger than you think. From text generators to meeting assistants and design copilots, employees test, adopt, and connect new tools constantly. 
Push shows you those tools and which users are accessing them, without relying on network scans or API integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F30b43bda6f1644c19478fb1efa20050c",{"large":1218},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1220,"meta":1221,"component":1222,"responsiveStyles":1226},"builder-90ee9cb9afc44e7f885523715bf51a53",{"previousId":1099},{"name":373,"options":1223,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":1224,"description":1225,"reverse":41,"image":1115},"\u003Ch2>Discover every AI tool users touch\u003C/h2>","\u003Cp>Push captures live telemetry from the browser, identifying every AI-native and AI-enhanced application users access. You’ll know which corporate identities are connected, how data flows, and what new AI apps appear across your environment. \u003C/p>",{"large":1227},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":1229,"meta":1230,"component":1231,"responsiveStyles":1235},"builder-9e44539fa53c4d8e87406036c921fc46",{"previousId":1109},{"name":373,"options":1232,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":1233,"description":1234,"reverse":6,"image":1125},"\u003Ch2>Classify and manage AI risk\u003C/h2>","\u003Cp>For apps you choose to allow, Push lets you apply custom in-browser banners. You can bulk-select categories of AI tools and require users to read and acknowledge your acceptable use policy before they proceed. 
This creates an auditable trail and moves policy from an easy to forget document to an active, in-workflow control.\u003C/p>",{"large":1236},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":1238,"meta":1239,"component":1240,"responsiveStyles":1245},"builder-44c1a891926f4bdeaaa37e90721fe6ac",{"previousId":1119},{"name":373,"options":1241,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1242,"description":1243,"reverse":41,"image":1244},"\u003Ch2>Enforce your AI policy in the browser\u003C/h2>","\u003Cp>When an AI tool is deemed non-compliant or too risky, Push blocks it at the source. The block happens directly in the browser, preventing the user from accessing the site or submitting data. This gives you an immediate, powerful lever to stop data exfiltration and enforce a hard line on unacceptable risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa359ac1805af4e15a8a7f84632b9bb55",{"large":1246},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1248,"meta":1249,"component":1250,"responsiveStyles":1252},"builder-dcc906f9cbe54dc68b3c672668e7a38f",{"previousId":1129},{"name":354,"options":1251,"isRSC":118},{"darkMode":6},{"large":1253},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1255,"component":1256,"responsiveStyles":1258},"builder-d2d64780c31b4349bc75805b23a07e38",{"name":416,"tag":416,"options":1257,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1259},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1261,"@type":106,"tagName":131,"properties":1262,"responsiveStyles":1263},"builder-pixel-wxx9tk70r9p",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124
},{"large":1264},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1266},{"path":37,"query":1267},{},{},1770892957225,1764950077593,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe558b8b069884037a8e6904f7ecc029c",[],{"winningTest":118,"breakpoints":1274,"originalContentId":1039,"kind":438,"lastPreviewUrl":1275,"hasLinks":6,"hasAutosaves":41},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/shadow-ai?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=b62629ce2f3741158d961cd10fe74b31&builder.overrides.b62629ce2f3741158d961cd10fe74b31=b62629ce2f3741158d961cd10fe74b31&builder.overrides.use-case-page:/uc/shadow-ai=b62629ce2f3741158d961cd10fe74b31&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"_path":1277,"_dir":1278,"_draft":6,"_partial":6,"_locale":37,"sys":1279,"ogImage":118,"summary":1282,"title":1296,"subtitle":1297,"metaTitle":1297,"synopsis":1298,"hashTags":118,"publishedDate":1299,"slug":1300,"tagsCollection":1301,"relatedBlogPostsCollection":1311,"authorsCollection":3919,"content":3923,"_id":4581,"_type":4582,"_source":4583,"_file":4584,"_stem":4585,"_extension":4582},"/blog/oktajacking","blog",{"id":1280,"publishedAt":1281},"6ckZjBZzRgvEVpSScGWeZQ","2024-03-21T08:54:13.707Z",{"json":1283},{"data":1284,"content":1285,"nodeType":1295},{},[1286],{"data":1287,"content":1288,"nodeType":129
4},{},[1289],{"data":1290,"marks":1291,"value":1292,"nodeType":1293},{},[],"We’ll explore how Okta’s AD synchronization allows you to force Okta to capture credentials and keylog for you so you can launch convincing phishing attacks. Then we'll demonstrate how it can be used as a stealthy watering-hole style lateral movement attack.","text","paragraph","document","Oktajacking","Making Okta do keylogging for you","In this article, we'll show you how to use Okta to do keylogging for you, without needing to have your own malicious domain hosting your malicious SAML server. ","2023-12-06T00:00:00.000Z","oktajacking",{"items":1302},[1303,1307],{"sys":1304,"name":1306},{"id":1305},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"sys":1308,"name":1310},{"id":1309},"3pjES4THCIfSAwhGdNwBcy","Identity security",{"items":1312},[1313,2545,3021],{"__typename":1314,"sys":1315,"content":1317,"title":2525,"synopsis":2526,"hashTags":118,"publishedDate":2527,"slug":2528,"tagsCollection":2529,"authorsCollection":2537},"BlogPosts",{"id":1316},"1te7lpcknxuN73jdCdkXjd",{"json":1318},{"data":1319,"content":1320,"nodeType":1295},{},[1321,1328,1335,1343,1350,1357,1364,1373,1380,1387,1394,1493,1499,1506,1513,1520,1553,1560,1567,1574,1581,1587,1594,1601,1624,1631,1637,1643,1650,1657,1664,1672,1679,1686,1693,1699,1705,1713,1720,1727,1734,1741,1748,1755,1762,1769,1776,1783,1790,1797,1803,1810,1817,1824,1831,1837,1843,1850,1857,1864,1887,1894,1900,1906,1913,1919,1926,1933,1944,1951,1958,1965,1972,1979,1999,2107,2114,2121,2169,2175,2182,2189,2196,2203,2210,2217,2223,2230,2249,2256,2263,2270,2277,2284,2291,2334,2341,2399,2406,2413,2476,2483,2490,2497,2504,2511,2518],{"data":1322,"content":1323,"nodeType":1294},{},[1324],{"data":1325,"marks":1326,"value":1327,"nodeType":1293},{},[],"This blog post covers the implications of using SWA as an authentication method in Okta, with a particular focus on what security teams need to consider in an account breach and subsequent incident response scenario. 
",{"data":1329,"content":1330,"nodeType":1294},{},[1331],{"data":1332,"marks":1333,"value":1334,"nodeType":1293},{},[],"Spoiler alert: we’ll make the case that the true value of an SSO solution like Okta is in the use of SAML and OIDC authentication methods, not convenience features like SWA.",{"data":1336,"content":1337,"nodeType":1342},{},[1338],{"data":1339,"marks":1340,"value":1341,"nodeType":1293},{},[],"Introduction","heading-1",{"data":1344,"content":1345,"nodeType":1294},{},[1346],{"data":1347,"marks":1348,"value":1349,"nodeType":1293},{},[],"To facilitate SSO logins to web applications, Okta allows the industry standard SAML and OIDC protocols for federated logins to be used with applications that support it. These represent the most secure and recommended options. However, Okta also offers a proprietary system called SWA to support apps that don’t support these protocols, or where they are otherwise unavailable due to licensing restrictions.     ",{"data":1351,"content":1352,"nodeType":1294},{},[1353],{"data":1354,"marks":1355,"value":1356,"nodeType":1293},{},[],"While SWA is referred to as an SSO login mechanism, functionally it’s a password manager. SWA stores username and password combinations for individual applications on a per-user basis and makes use of a browser extension to automate the login process on behalf of the user. 
",{"data":1358,"content":1359,"nodeType":1294},{},[1360],{"data":1361,"marks":1362,"value":1363,"nodeType":1293},{},[],"The screenshot below shows an example of an application being configured to use SWA as opposed to SAML, in this case Salesforce:",{"data":1365,"content":1371,"nodeType":1372},{"target":1366},{"sys":1367},{"id":1368,"type":1369,"linkType":1370},"4wrRez2VpTG1vjsvNFlklK","Link","Entry",[],"embedded-entry-block",{"data":1374,"content":1375,"nodeType":1294},{},[1376],{"data":1377,"marks":1378,"value":1379,"nodeType":1293},{},[],"From this configuration screen it’s not obvious that there is a fundamental difference between some login methods like SWA and true federated identity methods like SAML 2.0. To better understand the difference and the risks of SWA, let’s look at it from an attacker’s perspective.",{"data":1381,"content":1382,"nodeType":1342},{},[1383],{"data":1384,"marks":1385,"value":1386,"nodeType":1293},{},[],"How are Okta accounts compromised?",{"data":1388,"content":1389,"nodeType":1294},{},[1390],{"data":1391,"marks":1392,"value":1393,"nodeType":1293},{},[],"While it’s common for Okta accounts to be protected using MFA, and sometimes device trust, there are still viable attack vectors. The two most prevalent attacks would be: ",{"data":1395,"content":1396,"nodeType":1492},{},[1397,1414],{"data":1398,"content":1399,"nodeType":1413},{},[1400],{"data":1401,"content":1402,"nodeType":1294},{},[1403,1409],{"data":1404,"marks":1405,"value":1408,"nodeType":1293},{},[1406],{"type":1407},"bold","Endpoint compromise",{"data":1410,"marks":1411,"value":1412,"nodeType":1293},{},[]," - In a traditional endpoint compromise scenario, an attacker will generally have full access to the user’s browser. This means they can hijack existing Okta sessions by stealing authentication tokens, which bypass all device trust and MFA protections. 
For persistent access, they can keylog credentials when the user next logs in, then add their own MFA methods or enrol a new endpoint with device trust - which is why incident response must revoke active sessions and review recently enrolled factors and devices, not just reset the password.
",{"data":1481,"content":1483,"nodeType":1439},{"uri":1482},"https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/",[1484],{"data":1485,"marks":1486,"value":1488,"nodeType":1293},{},[1487],{"type":1437},"0ktapus group/campaign.",{"data":1490,"marks":1491,"value":37,"nodeType":1293},{},[],"unordered-list",{"data":1494,"content":1498,"nodeType":1372},{"target":1495},{"sys":1496},{"id":1497,"type":1369,"linkType":1370},"6iKFd9Qys2SSuNqKVQB7ka",[],{"data":1500,"content":1501,"nodeType":1342},{},[1502],{"data":1503,"marks":1504,"value":1505,"nodeType":1293},{},[],"What is Okta SWA?",{"data":1507,"content":1508,"nodeType":1294},{},[1509],{"data":1510,"marks":1511,"value":1512,"nodeType":1293},{},[],"Okta Secure Web Authentication (SWA) provides SSO-like functionality to web applications that don’t support federated protocols and is intended to be used only when SAML or OIDC federated logins cannot be used. ",{"data":1514,"content":1515,"nodeType":1294},{},[1516],{"data":1517,"marks":1518,"value":1519,"nodeType":1293},{},[],"It is SSO-like in the sense that:",{"data":1521,"content":1522,"nodeType":1492},{},[1523,1533,1543],{"data":1524,"content":1525,"nodeType":1413},{},[1526],{"data":1527,"content":1528,"nodeType":1294},{},[1529],{"data":1530,"marks":1531,"value":1532,"nodeType":1293},{},[],"A user enters their single Okta password to login to Okta, ",{"data":1534,"content":1535,"nodeType":1413},{},[1536],{"data":1537,"content":1538,"nodeType":1294},{},[1539],{"data":1540,"marks":1541,"value":1542,"nodeType":1293},{},[],"SWA then stores username/password combinations ",{"data":1544,"content":1545,"nodeType":1413},{},[1546],{"data":1547,"content":1548,"nodeType":1294},{},[1549],{"data":1550,"marks":1551,"value":1552,"nodeType":1293},{},[],"SWA then makes use of a browser extension to automatically login to applications using the credentials. 
",{"data":1554,"content":1555,"nodeType":1294},{},[1556],{"data":1557,"marks":1558,"value":1559,"nodeType":1293},{},[],"In that sense, it’s essentially a password manager. Like any password manager, it can be a big security improvement over a user manually managing their accounts or reusing the same password everywhere.",{"data":1561,"content":1562,"nodeType":1294},{},[1563],{"data":1564,"marks":1565,"value":1566,"nodeType":1293},{},[],"There’s a good reason that true SSO is considered more secure than password managers, and this comes down to the identity. An SSO uses a single identity that is federated to other apps, where a password manager just better manages many discrete identities. So, when an employee leaves an organization and they’re using an SSO, a single identity needs to be disabled, but disabling access to a password manager does nothing to disable the identities inside it.",{"data":1568,"content":1569,"nodeType":1294},{},[1570],{"data":1571,"marks":1572,"value":1573,"nodeType":1293},{},[],"In the case of SWA, the use of a browser extension and a long list of supported applications with custom login scripts already written is a key value add. This means users don’t need to copy/paste credentials like they might with some password managers. ",{"data":1575,"content":1576,"nodeType":1294},{},[1577],{"data":1578,"marks":1579,"value":1580,"nodeType":1293},{},[],"However, unlike typical password managers, there isn’t just one type of SWA, administrators can actually pick between one of five configuration options. This is shown in the screenshot below:",{"data":1582,"content":1586,"nodeType":1372},{"target":1583},{"sys":1584},{"id":1585,"type":1369,"linkType":1370},"42kt5hDFjjVYLf85HnjlU8",[],{"data":1588,"content":1589,"nodeType":1294},{},[1590],{"data":1591,"marks":1592,"value":1593,"nodeType":1293},{},[],"So, it’s possible to configure SWA like a traditional password manager scenario where the user sets their own username and password. 
However, as you can see above, you can also set it up so that administrators fully control the credentials, including a single shared credential used by multiple users.
",{"data":1632,"content":1636,"nodeType":1372},{"target":1633},{"sys":1634},{"id":1635,"type":1369,"linkType":1370},"3IE8neYJbh0H8Vc7Hd9p5W",[],{"data":1638,"content":1642,"nodeType":1372},{"target":1639},{"sys":1640},{"id":1641,"type":1369,"linkType":1370},"5C1lhoJtBEgdndiL9gSUbd",[],{"data":1644,"content":1645,"nodeType":1342},{},[1646],{"data":1647,"marks":1648,"value":1649,"nodeType":1293},{},[],"What are the security risks of using SWA?",{"data":1651,"content":1652,"nodeType":1294},{},[1653],{"data":1654,"marks":1655,"value":1656,"nodeType":1293},{},[],"While SWA may be a step up from users performing manual logins to a range of apps, it carries the same risk that any password manager solution has. If your account is compromised then all your usernames and passwords can be stolen in one go.",{"data":1658,"content":1659,"nodeType":1294},{},[1660],{"data":1661,"marks":1662,"value":1663,"nodeType":1293},{},[],"But how can that be if password reveal has been disabled?",{"data":1665,"content":1666,"nodeType":1671},{},[1667],{"data":1668,"marks":1669,"value":1670,"nodeType":1293},{},[],"1. Bypassing password reveal restrictions","heading-2",{"data":1673,"content":1674,"nodeType":1294},{},[1675],{"data":1676,"marks":1677,"value":1678,"nodeType":1293},{},[],"Even if users don’t directly interact with their passwords themselves (e.g. via copy/paste), their browser needs access, otherwise it wouldn’t be possible to log in to apps. ",{"data":1680,"content":1681,"nodeType":1294},{},[1682],{"data":1683,"marks":1684,"value":1685,"nodeType":1293},{},[],"The Okta browser extension uses the user’s active Okta login session to request credentials in the background, then automatically logs in to apps without the user ever directly seeing those credentials. 
So, while disabling password reveal may defeat a low-skill attacker or normal user scenarios, it’s essentially a client-side control, and isn’t going to stop a more determined attacker or technical user from getting at the credentials. This isn’t a bug, it’s a technical limitation of how a password manager works.",{"data":1687,"content":1688,"nodeType":1294},{},[1689],{"data":1690,"marks":1691,"value":1692,"nodeType":1293},{},[],"For example, let’s say a user has Salesforce configured as an app with SWA and clicks the app tile in the extension to login. The browser extension will use the active user session to make a request like the following (headers and irrelevant data removed for clarity):",{"data":1694,"content":1698,"nodeType":1372},{"target":1695},{"sys":1696},{"id":1697,"type":1369,"linkType":1370},"2tiqg9EUoa9KxkTCduZoVe",[],{"data":1700,"content":1704,"nodeType":1372},{"target":1701},{"sys":1702},{"id":1703,"type":1369,"linkType":1370},"4ApkgD7IwPRC3jC09Jf2SJ",[],{"data":1706,"content":1707,"nodeType":1294},{},[1708],{"data":1709,"marks":1710,"value":1712,"nodeType":1293},{},[1711],{"type":312},"This response to the browser extension’s web request contains the username and password for Salesforce",{"data":1714,"content":1715,"nodeType":1294},{},[1716],{"data":1717,"marks":1718,"value":1719,"nodeType":1293},{},[],"This is the Salesforce-specific login script that allows the extension to automatically log the user in to Salesforce and includes their credentials. This request will include the credentials even if password reveal is disabled - the request above was captured using an intercepting proxy like Burp Suite.",{"data":1721,"content":1722,"nodeType":1671},{},[1723],{"data":1724,"marks":1725,"value":1726,"nodeType":1293},{},[],"2. Cross-account shared passwords",{"data":1728,"content":1729,"nodeType":1294},{},[1730],{"data":1731,"marks":1732,"value":1733,"nodeType":1293},{},[],"An additional risk with SWA is an operational one. 
Administrators can set passwords for users and also disable password reveal, which can encourage the use of shared passwords, since they don’t expect the users to see them. ",{"data":1735,"content":1736,"nodeType":1294},{},[1737],{"data":1738,"marks":1739,"value":1740,"nodeType":1293},{},[],"If administrators are auto-generating complex passwords for every single user account they create as a strong operational process, then there may be no issue. However, breach history would tell us that rarely do organizations have operational security practices as stringent as that.",{"data":1742,"content":1743,"nodeType":1294},{},[1744],{"data":1745,"marks":1746,"value":1747,"nodeType":1293},{},[],"An attacker compromising an Okta user account can not only extract valid credentials for all configured SWA apps for that user, but may uncover passwords that are valid for other user accounts configured by administrators, making this a likely vector for lateral movement.",{"data":1749,"content":1750,"nodeType":1671},{},[1751],{"data":1752,"marks":1753,"value":1754,"nodeType":1293},{},[],"3. Shared Okta passwords",{"data":1756,"content":1757,"nodeType":1294},{},[1758],{"data":1759,"marks":1760,"value":1761,"nodeType":1293},{},[],"One SWA option administrators can configure is to require the user to use their Okta password for the application (see earlier screenshot of configuration options). In this case, Okta lets the user set the password for the application, but it will confirm it matches the user’s Okta password and reject it otherwise.",{"data":1763,"content":1764,"nodeType":1294},{},[1765],{"data":1766,"marks":1767,"value":1768,"nodeType":1293},{},[],"This is a dangerous option, since it means the user’s Okta password is shared with other applications. So, if one of those applications is compromised, then their Okta password could be breached as well, which could allow both other applications and the user’s core Okta account to be compromised. 
It’s essentially enforcing password re-use, the exact opposite of what you want from an identity security perspective.",{"data":1770,"content":1771,"nodeType":1671},{},[1772],{"data":1773,"marks":1774,"value":1775,"nodeType":1293},{},[],"4. Persistent access to connected apps",{"data":1777,"content":1778,"nodeType":1294},{},[1779],{"data":1780,"marks":1781,"value":1782,"nodeType":1293},{},[],"Okta acts as an authentication gateway for access to other applications. Ideally, strong authentication policies will be in place such as strong password policies, MFA, account lockout and detection and response controls.",{"data":1784,"content":1785,"nodeType":1294},{},[1786],{"data":1787,"marks":1788,"value":1789,"nodeType":1293},{},[],"However, if even a temporary compromise of an Okta account is achieved (for example through an Okta session theft), an attacker extracting all credentials for SWA apps does not need to maintain access to Okta any further. Instead, they can maintain persistent access to all the downstream SWA apps by logging in manually, using the credentials they have extracted without using Okta. ",{"data":1791,"content":1792,"nodeType":1294},{},[1793],{"data":1794,"marks":1795,"value":1796,"nodeType":1293},{},[],"This greatly complicates incident response playbooks. Where an otherwise simple recovery action like disabling an Okta account, resetting the password and MFA methods, et cetera, would kick an attacker out of the Okta account - for a user using SWA the attacker will still have all the access to downstream SWA applications unless every single SWA app user account is recovered as well. 
This is where the value of a federated identity becomes clear.",{"data":1798,"content":1802,"nodeType":1372},{"target":1799},{"sys":1800},{"id":1801,"type":1369,"linkType":1370},"2y0INxqAi594O7rCAVKhTI",[],{"data":1804,"content":1805,"nodeType":1342},{},[1806],{"data":1807,"marks":1808,"value":1809,"nodeType":1293},{},[],"Dumping SWA credentials",{"data":1811,"content":1812,"nodeType":1294},{},[1813],{"data":1814,"marks":1815,"value":1816,"nodeType":1293},{},[],"Since Okta SWA functions as a password manager, and it’s also possible to bypass password reveal restrictions, an attacker who has gained temporary access to an Okta session can automate the extraction of all credentials stored via SWA for that account.",{"data":1818,"content":1819,"nodeType":1671},{},[1820],{"data":1821,"marks":1822,"value":1823,"nodeType":1293},{},[],"Using the password reveal API",{"data":1825,"content":1826,"nodeType":1294},{},[1827],{"data":1828,"marks":1829,"value":1830,"nodeType":1293},{},[],"One method would be to automate the password reveal API call in the dashboard for every app configured. This is the simplest, direct way to get credentials but has the disadvantage that it will not return credentials that have had password reveal disabled. 
The following screenshots show an example of the API call that is made:",{"data":1832,"content":1836,"nodeType":1372},{"target":1833},{"sys":1834},{"id":1835,"type":1369,"linkType":1370},"27xCaphfwy6zSNU7QDQZ1g",[],{"data":1838,"content":1842,"nodeType":1372},{"target":1839},{"sys":1840},{"id":1841,"type":1369,"linkType":1370},"begENC8Oxq4rwprZ0fGpG",[],{"data":1844,"content":1845,"nodeType":1671},{},[1846],{"data":1847,"marks":1848,"value":1849,"nodeType":1293},{},[],"Using the browser extension API",{"data":1851,"content":1852,"nodeType":1294},{},[1853],{"data":1854,"marks":1855,"value":1856,"nodeType":1293},{},[],"The more effective way for an attacker to dump credentials, and bypass password reveal restrictions, is to emulate the API calls made by the browser extension to retrieve the login scripts for each SWA application. ",{"data":1858,"content":1859,"nodeType":1294},{},[1860],{"data":1861,"marks":1862,"value":1863,"nodeType":1293},{},[],"For an attacker to make these calls, a valid Okta session is needed. 
Specifically, the tokens that need to be extracted from the browser for these calls are:",{"data":1865,"content":1866,"nodeType":1492},{},[1867,1877],{"data":1868,"content":1869,"nodeType":1413},{},[1870],{"data":1871,"content":1872,"nodeType":1294},{},[1873],{"data":1874,"marks":1875,"value":1876,"nodeType":1293},{},[],"The access token in “okta-token-storage” in browser local storage",{"data":1878,"content":1879,"nodeType":1413},{},[1880],{"data":1881,"content":1882,"nodeType":1294},{},[1883],{"data":1884,"marks":1885,"value":1886,"nodeType":1293},{},[],"The “idx” token in cookies",{"data":1888,"content":1889,"nodeType":1294},{},[1890],{"data":1891,"marks":1892,"value":1893,"nodeType":1293},{},[],"These can be seen below:",{"data":1895,"content":1899,"nodeType":1372},{"target":1896},{"sys":1897},{"id":1898,"type":1369,"linkType":1370},"4ooNI3TmnxqCAtw9MZuuVI",[],{"data":1901,"content":1905,"nodeType":1372},{"target":1902},{"sys":1903},{"id":1904,"type":1369,"linkType":1370},"6rbgLXHewT34SPH3qA24Fu",[],{"data":1907,"content":1908,"nodeType":1294},{},[1909],{"data":1910,"marks":1911,"value":1912,"nodeType":1293},{},[],"The following screenshot shows the use of a simple internal PoC we created to investigate logging detection opportunities. 
It gives a sense of the type of information that can be retrieved for a test Okta user account: ",{"data":1914,"content":1918,"nodeType":1372},{"target":1915},{"sys":1916},{"id":1917,"type":1369,"linkType":1370},"5lYhdtWKVqIch6CpksR7Dd",[],{"data":1920,"content":1921,"nodeType":1342},{},[1922],{"data":1923,"marks":1924,"value":1925,"nodeType":1293},{},[],"So if SWA can be risky, are SAML and OIDC safe?",{"data":1927,"content":1928,"nodeType":1294},{},[1929],{"data":1930,"marks":1931,"value":1932,"nodeType":1293},{},[],"In general, much more so, but as is unfortunately so often the case in security, the answer is “it depends.” The threat profile for federated SSO like SAML and OIDC is very different, and they don’t suffer from the risks highlighted with SWA use given above. ",{"data":1934,"content":1935,"nodeType":1294},{},[1936,1941],{"data":1937,"marks":1938,"value":1940,"nodeType":1293},{},[1939],{"type":1407},"Any organization using Okta should strive to use SAML/OIDC for as many applications as possible - this is the true power of a federated identity solution",{"data":1942,"marks":1943,"value":1475,"nodeType":1293},{},[],{"data":1945,"content":1946,"nodeType":1294},{},[1947],{"data":1948,"marks":1949,"value":1950,"nodeType":1293},{},[],"However, it’s important to remember that even SAML/OIDC isn’t a silver bullet.",{"data":1952,"content":1953,"nodeType":1294},{},[1954],{"data":1955,"marks":1956,"value":1957,"nodeType":1293},{},[],"For example, it’s still possible for an attacker achieving a temporary compromise of an Okta account to click every single SAML/OIDC application to establish authenticated sessions with all of them. While some sessions may be short-lived, depending on the application, these sessions may stay alive for longer periods such as 30 days or for some apps even indefinitely. 
",{"data":1959,"content":1960,"nodeType":1294},{},[1961],{"data":1962,"marks":1963,"value":1964,"nodeType":1293},{},[],"While it may be simple for incident responders to disable an Okta account temporarily, it’s certainly much more difficult to disable all connected SaaS accounts and/or kill active sessions for all of them. ",{"data":1966,"content":1967,"nodeType":1294},{},[1968],{"data":1969,"marks":1970,"value":1971,"nodeType":1293},{},[],"Additionally, while active sessions won’t generally allow an attacker long-term access to an application like stolen SWA credentials often will, many different SaaS applications support methods that can be used to effectively backdoor access to them - though this is a risk to both SWA and federated identities.",{"data":1973,"content":1974,"nodeType":1294},{},[1975],{"data":1976,"marks":1977,"value":1978,"nodeType":1293},{},[],"This is another big challenge for incident responders to deal with, as it can allow attackers to maintain persistence without requiring valid credentials or active sessions. In other words, there are many ways to turn that short-term access into persistent access outside Okta. ",{"data":1980,"content":1981,"nodeType":1294},{},[1982,1986,1995],{"data":1983,"marks":1984,"value":1985,"nodeType":1293},{},[],"While the full details of these persistence attacks are outside the scope of this article, more details on some key attacks can be found in a resource we created called the ",{"data":1987,"content":1989,"nodeType":1439},{"uri":1988},"https://github.com/pushsecurity/saas-attacks",[1990],{"data":1991,"marks":1992,"value":1994,"nodeType":1293},{},[1993],{"type":1437},"SaaS attacks matrix",{"data":1996,"marks":1997,"value":1998,"nodeType":1293},{},[],". 
Some of the most common techniques that apply here are:",{"data":2000,"content":2001,"nodeType":1492},{},[2002,2023,2044,2065,2086],{"data":2003,"content":2004,"nodeType":1413},{},[2005],{"data":2006,"content":2007,"nodeType":1294},{},[2008,2011,2020],{"data":2009,"marks":2010,"value":37,"nodeType":1293},{},[],{"data":2012,"content":2014,"nodeType":1439},{"uri":2013},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/api_keys/description.md",[2015],{"data":2016,"marks":2017,"value":2019,"nodeType":1293},{},[2018],{"type":1437},"SAT1004 - API keys",{"data":2021,"marks":2022,"value":37,"nodeType":1293},{},[],{"data":2024,"content":2025,"nodeType":1413},{},[2026],{"data":2027,"content":2028,"nodeType":1294},{},[2029,2032,2041],{"data":2030,"marks":2031,"value":37,"nodeType":1293},{},[],{"data":2033,"content":2035,"nodeType":1439},{"uri":2034},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/link_sharing/description.md",[2036],{"data":2037,"marks":2038,"value":2040,"nodeType":1293},{},[2039],{"type":1437},"SAT1022 - Link sharing",{"data":2042,"marks":2043,"value":37,"nodeType":1293},{},[],{"data":2045,"content":2046,"nodeType":1413},{},[2047],{"data":2048,"content":2049,"nodeType":1294},{},[2050,2053,2062],{"data":2051,"marks":2052,"value":37,"nodeType":1293},{},[],{"data":2054,"content":2056,"nodeType":1439},{"uri":2055},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/ghost_logins/description.md",[2057],{"data":2058,"marks":2059,"value":2061,"nodeType":1293},{},[2060],{"type":1437},"SAT1017 - Ghost 
logins",{"data":2063,"marks":2064,"value":37,"nodeType":1293},{},[],{"data":2066,"content":2067,"nodeType":1413},{},[2068],{"data":2069,"content":2070,"nodeType":1294},{},[2071,2074,2083],{"data":2072,"marks":2073,"value":37,"nodeType":1293},{},[],{"data":2075,"content":2077,"nodeType":1439},{"uri":2076},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/oauth_tokens/description.md",[2078],{"data":2079,"marks":2080,"value":2082,"nodeType":1293},{},[2081],{"type":1437},"SAT1027 - OAuth tokens",{"data":2084,"marks":2085,"value":37,"nodeType":1293},{},[],{"data":2087,"content":2088,"nodeType":1413},{},[2089],{"data":2090,"content":2091,"nodeType":1294},{},[2092,2095,2104],{"data":2093,"marks":2094,"value":37,"nodeType":1293},{},[],{"data":2096,"content":2098,"nodeType":1439},{"uri":2097},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/shadow_workflows/description.md",[2099],{"data":2100,"marks":2101,"value":2103,"nodeType":1293},{},[2102],{"type":1437},"SAT1033 - Shadow workflows",{"data":2105,"marks":2106,"value":37,"nodeType":1293},{},[],{"data":2108,"content":2109,"nodeType":1342},{},[2110],{"data":2111,"marks":2112,"value":2113,"nodeType":1293},{},[],"Investigating and detecting an Okta account compromise",{"data":2115,"content":2116,"nodeType":1294},{},[2117],{"data":2118,"marks":2119,"value":2120,"nodeType":1293},{},[],"The good news is there are multiple Okta log events that can be used for either investigating a breach or providing some detection mechanisms via a SIEM. 
Three key log events are as follows:",{"data":2122,"content":2123,"nodeType":1492},{},[2124,2139,2154],{"data":2125,"content":2126,"nodeType":1413},{},[2127],{"data":2128,"content":2129,"nodeType":1294},{},[2130,2135],{"data":2131,"marks":2132,"value":2134,"nodeType":1293},{},[2133],{"type":1407},"Show password event",{"data":2136,"marks":2137,"value":2138,"nodeType":1293},{},[]," - indicates when a user has clicked the reveal password button",{"data":2140,"content":2141,"nodeType":1413},{},[2142],{"data":2143,"content":2144,"nodeType":1294},{},[2145,2150],{"data":2146,"marks":2147,"value":2149,"nodeType":1293},{},[2148],{"type":1407},"Evaluation of sign-on policy",{"data":2151,"marks":2152,"value":2153,"nodeType":1293},{},[]," - occurs when the browser extension requests credentials",{"data":2155,"content":2156,"nodeType":1413},{},[2157],{"data":2158,"content":2159,"nodeType":1294},{},[2160,2165],{"data":2161,"marks":2162,"value":2164,"nodeType":1293},{},[2163],{"type":1407},"User single sign on to app",{"data":2166,"marks":2167,"value":2168,"nodeType":1293},{},[]," - occurs when a full app login is performed",{"data":2170,"content":2174,"nodeType":1372},{"target":2171},{"sys":2172},{"id":2173,"type":1369,"linkType":1370},"23G5QvwzgyTEJBJ33Ut7NJ",[],{"data":2176,"content":2177,"nodeType":1294},{},[2178],{"data":2179,"marks":2180,"value":2181,"nodeType":1293},{},[],"Using these events in a post-compromise situation could potentially significantly reduce the response actions required. 
If there is clear evidence that the attacker only accessed a limited number of applications, focus can be placed on disabling those accounts and removing potential backdoors, as opposed to having to perform containment procedures for every single application the user has access to.",{"data":2183,"content":2184,"nodeType":1671},{},[2185],{"data":2186,"marks":2187,"value":2188,"nodeType":1293},{},[],"Short time-window detection",{"data":2190,"content":2191,"nodeType":1294},{},[2192],{"data":2193,"marks":2194,"value":2195,"nodeType":1293},{},[],"While the events above are great for investigation, they are all expected events during normal use of Okta by a user. Perhaps the “show password” event may be rarer, but it would still not be completely unusual to see. ",{"data":2197,"content":2198,"nodeType":1294},{},[2199],{"data":2200,"marks":2201,"value":2202,"nodeType":1293},{},[],"This makes detection more difficult as defenders need to separate malicious logins from legitimate logins, a notoriously difficult task.",{"data":2204,"content":2205,"nodeType":1294},{},[2206],{"data":2207,"marks":2208,"value":2209,"nodeType":1293},{},[],"For proactive detection, one option would be to detect unusually large numbers of these events in a short time window for the same user account. This would be especially effective against automated tools. It would be much more unusual to see a legitimate user login to every app or reveal every password all in one go, or even all in one day. On the other hand, an attacker may seek to compromise all applications in a short time window.",{"data":2211,"content":2212,"nodeType":1294},{},[2213],{"data":2214,"marks":2215,"value":2216,"nodeType":1293},{},[],"Given below is an example of the flurry of logs generated by running our internal SWA password dumping tool shown earlier. 
You can see they are all generated in a very short time window:",{"data":2218,"content":2222,"nodeType":1372},{"target":2219},{"sys":2220},{"id":2221,"type":1369,"linkType":1370},"2PaCRx02gpTyYOiuJ85x9Y",[],{"data":2224,"content":2225,"nodeType":1294},{},[2226],{"data":2227,"marks":2228,"value":2229,"nodeType":1293},{},[],"The only difficulty here is picking sensible numbers for the minimum number of apps and maximum time window required in order to generate a detection event. This would likely need customizing to individual environments based on what number of applications are typical for a user to have access to.",{"data":2231,"content":2232,"nodeType":1294},{},[2233,2237,2246],{"data":2234,"marks":2235,"value":2236,"nodeType":1293},{},[],"For more general Okta detection rule options, consider checking out the Okta rules contained in the open-source ",{"data":2238,"content":2240,"nodeType":1439},{"uri":2239},"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta",[2241],{"data":2242,"marks":2243,"value":2245,"nodeType":1293},{},[2244],{"type":1437},"Sigma rule repository on GitHub",{"data":2247,"marks":2248,"value":1475,"nodeType":1293},{},[],{"data":2250,"content":2251,"nodeType":1342},{},[2252],{"data":2253,"marks":2254,"value":2255,"nodeType":1293},{},[],"Guidance for incident response",{"data":2257,"content":2258,"nodeType":1294},{},[2259],{"data":2260,"marks":2261,"value":2262,"nodeType":1293},{},[],"If there is one key takeaway from this article, it’s that responding to an Okta account compromise isn’t as simple as disabling the user’s Okta account and/or resetting passwords and MFA factors.",{"data":2264,"content":2265,"nodeType":1294},{},[2266],{"data":2267,"marks":2268,"value":2269,"nodeType":1293},{},[],"Once an attacker has compromised an Okta account, it should be initially assumed that all connected application accounts are also compromised, whether they use SAML, OIDC or SWA. 
",{"data":2271,"content":2272,"nodeType":1294},{},[2273],{"data":2274,"marks":2275,"value":2276,"nodeType":1293},{},[],"If SWA is used, incident responders should also explore whether those passwords are compromised and whether any other accounts that potentially share those passwords are compromised. ",{"data":2278,"content":2279,"nodeType":1294},{},[2280],{"data":2281,"marks":2282,"value":2283,"nodeType":1293},{},[],"We’re going to assume all applications/credentials were accessed for the following containment advice, as it’s likely that even moderately-skilled attackers would have tools to automate this. ",{"data":2285,"content":2286,"nodeType":1294},{},[2287],{"data":2288,"marks":2289,"value":2290,"nodeType":1293},{},[],"A full belt and braces containment exercise would involve the following activities:",{"data":2292,"content":2293,"nodeType":1492},{},[2294,2304,2314,2324],{"data":2295,"content":2296,"nodeType":1413},{},[2297],{"data":2298,"content":2299,"nodeType":1294},{},[2300],{"data":2301,"marks":2302,"value":2303,"nodeType":1293},{},[],"Disabling/resetting the Okta account",{"data":2305,"content":2306,"nodeType":1413},{},[2307],{"data":2308,"content":2309,"nodeType":1294},{},[2310],{"data":2311,"marks":2312,"value":2313,"nodeType":1293},{},[],"Disabling/resetting every single connected application account",{"data":2315,"content":2316,"nodeType":1413},{},[2317],{"data":2318,"content":2319,"nodeType":1294},{},[2320],{"data":2321,"marks":2322,"value":2323,"nodeType":1293},{},[],"Identifying any other accounts that may share compromised SWA passwords for investigation and disabling/resetting",{"data":2325,"content":2326,"nodeType":1413},{},[2327],{"data":2328,"content":2329,"nodeType":1294},{},[2330],{"data":2331,"marks":2332,"value":2333,"nodeType":1293},{},[],"Investigating every connected application account for signs of backdooring through multiple persistence 
techniques",{"data":2335,"content":2336,"nodeType":1294},{},[2337],{"data":2338,"marks":2339,"value":2340,"nodeType":1293},{},[],"The last point on investigating potential backdoors is particularly important because of the following reasons:",{"data":2342,"content":2343,"nodeType":1492},{},[2344,2377],{"data":2345,"content":2346,"nodeType":1413},{},[2347],{"data":2348,"content":2349,"nodeType":1294},{},[2350,2354,2362,2366,2374],{"data":2351,"marks":2352,"value":2353,"nodeType":1293},{},[],"Even if every application user account is temporarily disabled while passwords are reset etc, re-enabling the account could re-activate the attacker’s access if they have made use of persistence techniques like ",{"data":2355,"content":2356,"nodeType":1439},{"uri":2013},[2357],{"data":2358,"marks":2359,"value":2361,"nodeType":1293},{},[2360],{"type":1437},"API keys",{"data":2363,"marks":2364,"value":2365,"nodeType":1293},{},[]," and ",{"data":2367,"content":2368,"nodeType":1439},{"uri":2055},[2369],{"data":2370,"marks":2371,"value":2373,"nodeType":1293},{},[2372],{"type":1437},"ghost logins",{"data":2375,"marks":2376,"value":37,"nodeType":1293},{},[],{"data":2378,"content":2379,"nodeType":1413},{},[2380],{"data":2381,"content":2382,"nodeType":1294},{},[2383,2387,2395],{"data":2384,"marks":2385,"value":2386,"nodeType":1293},{},[],"Even if all application user accounts are disabled, even permanently, techniques like ",{"data":2388,"content":2389,"nodeType":1439},{"uri":2034},[2390],{"data":2391,"marks":2392,"value":2394,"nodeType":1293},{},[2393],{"type":1437},"link sharing",{"data":2396,"marks":2397,"value":2398,"nodeType":1293},{},[]," can enable attackers to maintain access to data because link sharing decouples the access from being reliant on control of a user 
account.",{"data":2400,"content":2401,"nodeType":1342},{},[2402],{"data":2403,"marks":2404,"value":2405,"nodeType":1293},{},[],"Impact",{"data":2407,"content":2408,"nodeType":1294},{},[2409],{"data":2410,"marks":2411,"value":2412,"nodeType":1293},{},[],"We’ve covered a lot of ground here, so let’s take a quick step back to understand the key points of impact:",{"data":2414,"content":2415,"nodeType":1492},{},[2416,2426,2436,2446,2456,2466],{"data":2417,"content":2418,"nodeType":1413},{},[2419],{"data":2420,"content":2421,"nodeType":1294},{},[2422],{"data":2423,"marks":2424,"value":2425,"nodeType":1293},{},[],"Attackers can extract passwords for SWA apps, even if password reveal has been disabled - to be clear, this is not a bug, it’s just a technical limitation on how this style of password manager login has to work",{"data":2427,"content":2428,"nodeType":1413},{},[2429],{"data":2430,"content":2431,"nodeType":1294},{},[2432],{"data":2433,"marks":2434,"value":2435,"nodeType":1293},{},[],"SWA passwords set by administrators should not be considered secret from the users as they can be accessed via the extension API",{"data":2437,"content":2438,"nodeType":1413},{},[2439],{"data":2440,"content":2441,"nodeType":1294},{},[2442],{"data":2443,"marks":2444,"value":2445,"nodeType":1293},{},[],"Attackers gaining temporary control of an Okta user account can establish authenticated sessions with SAML/OIDC applications. ",{"data":2447,"content":2448,"nodeType":1413},{},[2449],{"data":2450,"content":2451,"nodeType":1294},{},[2452],{"data":2453,"marks":2454,"value":2455,"nodeType":1293},{},[],"These sessions won’t automatically be revoked if the Okta user account is disabled/reset in response to compromise",{"data":2457,"content":2458,"nodeType":1413},{},[2459],{"data":2460,"content":2461,"nodeType":1294},{},[2462],{"data":2463,"marks":2464,"value":2465,"nodeType":1293},{},[],"There are multiple common attack techniques to gain persistent access to SaaS applications.  
",{"data":2467,"content":2468,"nodeType":1413},{},[2469],{"data":2470,"content":2471,"nodeType":1294},{},[2472],{"data":2473,"marks":2474,"value":2475,"nodeType":1293},{},[],"An attacker can potentially gain permanent access to many connected Okta applications even if efforts are made to reset individual application accounts",{"data":2477,"content":2478,"nodeType":1342},{},[2479],{"data":2480,"marks":2481,"value":2482,"nodeType":1293},{},[],"Conclusion",{"data":2484,"content":2485,"nodeType":1294},{},[2486],{"data":2487,"marks":2488,"value":2489,"nodeType":1293},{},[],"While many of these attacks are not unique to Okta, it is one of the most widely used products because it supports many apps, but it supports these apps using methods that have very different risk profiles. ",{"data":2491,"content":2492,"nodeType":1294},{},[2493],{"data":2494,"marks":2495,"value":2496,"nodeType":1293},{},[],"From a security perspective (and whatever your chosen identity platform), our recommendation would be to use SAML (the strongest auth method) where possible. If that isn’t available, use OIDC. If neither is an option, use password managers (like SWA), which in practice leads to far fewer reused passwords. ",{"data":2498,"content":2499,"nodeType":1294},{},[2500],{"data":2501,"marks":2502,"value":2503,"nodeType":1293},{},[],"Unfortunately, the state of the modern cloud app landscape means that you will be paying a lot more to get many apps using federated SSO, and even then many will still not support this at any license tier, so the use of passwords is still going to be part of the solution.",{"data":2505,"content":2506,"nodeType":1294},{},[2507],{"data":2508,"marks":2509,"value":2510,"nodeType":1293},{},[],"As we have seen in this article, an attacker can use a compromised SSO session to perform a number of follow-up attacks. 
Whether using SWA or SAML/OIDC it’s possible to gain authenticated sessions on connected apps and also potentially backdoor access to them.",{"data":2512,"content":2513,"nodeType":1294},{},[2514],{"data":2515,"marks":2516,"value":2517,"nodeType":1293},{},[],"When using SWA, it’s additionally possible to extract SWA passwords even when password reveal is disabled and potentially gain access to passwords shared with other accounts. This requires additional actions as part of your breach recovery processes/play-books.",{"data":2519,"content":2520,"nodeType":1294},{},[2521],{"data":2522,"marks":2523,"value":2524,"nodeType":1293},{},[],"There are multiple log events that can be used by security teams to investigate and respond to Okta account compromises and potentially detect them too. Additionally, strong incident response procedures need to be in place for dealing with compromised Okta or any other SSO accounts that factor in the ability for an attacker to laterally move to all the connected applications. Therefore, plans need to include revoking their access to those as well and investigating them for signs of backdoor persistence techniques.","Abusing Okta's SWA authentication","We'll cover the implications of using Okta's SWA authentication method. Learn what security teams need to know in an account breach and IR scenario. 
","2023-11-30T00:00:00.000Z","okta-swa",{"items":2530},[2531,2533],{"sys":2532,"name":1310},{"id":1309},{"sys":2534,"name":2536},{"id":2535},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"items":2538},[2539],{"fullName":2540,"firstName":2541,"jobTitle":2542,"profilePicture":2543},"Luke Jennings","Luke","Vice President, R&D",{"url":2544},"https://images.ctfassets.net/y1cdw1ablpvd/4Hosb4zKi1dA0PUyDLMe1h/27e09d894861f2196ba794037986fb08/T016S22KZ96-U02NVQM7ZD4-57761d542d83-512.jpeg",{"__typename":1314,"sys":2546,"content":2548,"title":3007,"synopsis":3008,"hashTags":118,"publishedDate":3009,"slug":3010,"tagsCollection":3011,"authorsCollection":3017},{"id":2547},"3F96pyn4qqkbVctSOH69vm",{"json":2549},{"data":2550,"content":2551,"nodeType":1295},{},[2552,2571,2578,2585,2592,2611,2618,2637,2644,2651,2658,2665,2672,2679,2686,2706,2713,2720,2726,2733,2740,2747,2753,2759,2765,2772,2779,2785,2792,2799,2806,2812,2819,2826,2833,2840,2847,2853,2860,2867,2873,2880,2887,2893,2899,2906,2973,2980,2986,2993,3000],{"data":2553,"content":2554,"nodeType":1294},{},[2555,2559,2567],{"data":2556,"marks":2557,"value":2558,"nodeType":1293},{},[],"We published the ",{"data":2560,"content":2561,"nodeType":1439},{"uri":1988},[2562],{"data":2563,"marks":2564,"value":2566,"nodeType":1293},{},[2565],{"type":1437},"SaaS attack matrix",{"data":2568,"marks":2569,"value":2570,"nodeType":1293},{},[]," on GitHub, which is an open-source research project to demonstrate the multitude of attacks that are possible against SaaS-native and hybrid SaaS organizations. On release day it contained 38 different techniques. ",{"data":2572,"content":2573,"nodeType":1294},{},[2574],{"data":2575,"marks":2576,"value":2577,"nodeType":1293},{},[],"However, we know it’s not just individual attack techniques and the phases of the cyber kill chain that matter - it’s also how you chain attacks together. 
Two lower risk vulnerabilities chained together could be a critical issue.",{"data":2579,"content":2580,"nodeType":1294},{},[2581],{"data":2582,"marks":2583,"value":2584,"nodeType":1293},{},[],"In this article, we’re going to demonstrate that by combining two of our favorite new SaaS attack techniques, poisoned tenants and SAMLjacking, you can make a simple, but effective attack chain.",{"data":2586,"content":2587,"nodeType":1342},{},[2588],{"data":2589,"marks":2590,"value":2591,"nodeType":1293},{},[],"What is a poisoned tenant?",{"data":2593,"content":2594,"nodeType":1294},{},[2595,2598,2607],{"data":2596,"marks":2597,"value":37,"nodeType":1293},{},[],{"data":2599,"content":2601,"nodeType":1439},{"uri":2600},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/poisoned_tenants/description.md",[2602],{"data":2603,"marks":2604,"value":2606,"nodeType":1293},{},[2605],{"type":1437},"Poisoned tenants",{"data":2608,"marks":2609,"value":2610,"nodeType":1293},{},[]," involve an adversary registering a tenant for a SaaS app they control and tricking target users to join it, often using built-in invite functionality. 
The end goal is to have some target users actively using a tenant you (as the adversary) control.",{"data":2612,"content":2613,"nodeType":1342},{},[2614],{"data":2615,"marks":2616,"value":2617,"nodeType":1293},{},[],"What the hell is SAMLjacking?",{"data":2619,"content":2620,"nodeType":1294},{},[2621,2624,2633],{"data":2622,"marks":2623,"value":37,"nodeType":1293},{},[],{"data":2625,"content":2627,"nodeType":1439},{"uri":2626},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/samljacking/description.md",[2628],{"data":2629,"marks":2630,"value":2632,"nodeType":1293},{},[2631],{"type":1437},"SAMLjacking",{"data":2634,"marks":2635,"value":2636,"nodeType":1293},{},[]," is where an attacker makes use of SAML SSO configuration settings for a SaaS tenant they control in order to redirect users to a malicious link of their choosing during the authentication process. This can be highly effective for phishing as the original URL will be a legitimate SaaS URL and users are expecting to provide credentials.",{"data":2638,"content":2639,"nodeType":1342},{},[2640],{"data":2641,"marks":2642,"value":2643,"nodeType":1293},{},[],"What’s the benefit of combining them?",{"data":2645,"content":2646,"nodeType":1294},{},[2647],{"data":2648,"marks":2649,"value":2650,"nodeType":1293},{},[],"A poisoned tenant on its own could be an epic supply chain attack if you get really lucky. Imagine discovering an organization was wanting to migrate to Slack and then catching some key teams with a Slack poisoned tenant and gradually getting the whole organization migrated over. You’d have a goldmine of information as an administrator of the platform.",{"data":2652,"content":2653,"nodeType":1294},{},[2654],{"data":2655,"marks":2656,"value":2657,"nodeType":1293},{},[],"However, it might be hard to trick a whole organization into using an attacker controlled slack instance without anyone realizing, but it could be a lot easier to successfully invite e.g. 
a marketing team into using/adopting a new marketing app that helps them do SEO. This might be easier to perform, but it doesn't really give the attacker valuable data in the poisoned tenant of the marketing app, so it seems a bit pointless.",{"data":2659,"content":2660,"nodeType":1294},{},[2661],{"data":2662,"marks":2663,"value":2664,"nodeType":1293},{},[],"On the other hand, what about SAMLjacking? It’s a great technique on its own, but you still need to get users to login to the app. Sure, you’ll be sending them a legitimate SaaS URL with a valid TLS certificate etc and so it’s going to pass the sniff test for many people and also bypass email security appliances and similar security tools. However, you’re still effectively phishing them for credentials, the one thing we train users to be most suspicious about, so there is still a possibility they will spot the attack. ",{"data":2666,"content":2667,"nodeType":1294},{},[2668],{"data":2669,"marks":2670,"value":2671,"nodeType":1293},{},[],"But what if you could combine these techniques so that a poisoned tenant didn’t need to be a big, juicy target to be useful and a SAMLjacking attack didn’t even necessarily require phishing someone directly? What if the attack could be successful just from a target accessing their own bookmarks or open tabs for an app they already use?",{"data":2673,"content":2674,"nodeType":1294},{},[2675],{"data":2676,"marks":2677,"value":2678,"nodeType":1293},{},[],"In a combination scenario, a user doesn't need to be phished for SAMLjacking. One day they go back to their tab and it's logged out and they get SAMLjacked while logging back in. They don't have to click a link in an email. 
That’s what we are talking about here, so let’s consider an example of this making use of the SaaS-based wiki, Nuclino.",{"data":2680,"content":2681,"nodeType":1342},{},[2682],{"data":2683,"marks":2684,"value":2685,"nodeType":1293},{},[],"An example attack - Nuclino",{"data":2687,"content":2688,"nodeType":1294},{},[2689,2693,2702],{"data":2690,"marks":2691,"value":2692,"nodeType":1293},{},[],"Before moving on, I’d just like to point out that this isn’t a vulnerability with ",{"data":2694,"content":2696,"nodeType":1439},{"uri":2695},"https://www.nuclino.com/",[2697],{"data":2698,"marks":2699,"value":2701,"nodeType":1293},{},[2700],{"type":1437},"Nuclino",{"data":2703,"marks":2704,"value":2705,"nodeType":1293},{},[]," per se and it won’t be limited to Nuclino either. I’ve used Nuclino as an example because it’s a great wiki platform we use at Push Security, so I’m familiar with it. ",{"data":2707,"content":2708,"nodeType":1294},{},[2709],{"data":2710,"marks":2711,"value":2712,"nodeType":1293},{},[],"It also allows custom SAML authentication, both as part of its free trial and as part of its lowest tier paid plan. This should be commended as many SaaS apps don’t support SAML or other forms of SSO, and many of those that do charge a huge premium via enterprise plans to gain access to it. We love you Nuclino, sorry!",{"data":2714,"content":2715,"nodeType":1294},{},[2716],{"data":2717,"marks":2718,"value":2719,"nodeType":1293},{},[],"We'll take a walkthrough of how the attack chain works now. 
However, if you'd like to jump straight to a demo of the attack then check out the video here:",{"data":2721,"content":2725,"nodeType":1372},{"target":2722},{"sys":2723},{"id":2724,"type":1369,"linkType":1370},"3y6ZMPPsbh6PYlQ7IOxOzS",[],{"data":2727,"content":2728,"nodeType":1294},{},[2729],{"data":2730,"marks":2731,"value":2732,"nodeType":1293},{},[],"Next, we'll do a full walkthrough of the attack.",{"data":2734,"content":2735,"nodeType":1671},{},[2736],{"data":2737,"marks":2738,"value":2739,"nodeType":1293},{},[],"Step 1 - Set up a poisoned tenant and invite target users",{"data":2741,"content":2742,"nodeType":1294},{},[2743],{"data":2744,"marks":2745,"value":2746,"nodeType":1293},{},[],"The first step for an adversary is to set up their poisoned tenant and then make use of the invite functionality to target some employees of the target organization. With Nuclino, you can either do this by sending sharing links directly to the target or invite them through the Nuclino app, and it will send out legit email invitations on your behalf.",{"data":2748,"content":2752,"nodeType":1372},{"target":2749},{"sys":2750},{"id":2751,"type":1369,"linkType":1370},"740nQhGSFp2nFU1b4DP7Mp",[],{"data":2754,"content":2758,"nodeType":1372},{"target":2755},{"sys":2756},{"id":2757,"type":1369,"linkType":1370},"4GFL1L7Mmp3nnBODwC9SbH",[],{"data":2760,"content":2764,"nodeType":1372},{"target":2761},{"sys":2762},{"id":2763,"type":1369,"linkType":1370},"7KUWKFFlDyvBVoM3MEhPwR",[],{"data":2766,"content":2767,"nodeType":1671},{},[2768],{"data":2769,"marks":2770,"value":2771,"nodeType":1293},{},[],"Step 2 - Target responds to the invitation or later signs up for Nuclino",{"data":2773,"content":2774,"nodeType":1294},{},[2775],{"data":2776,"marks":2777,"value":2778,"nodeType":1293},{},[],"The interesting thing here is that whether the target signs up for Nuclino directly from the joining link or they sign up for an account separately in future, they get mapped to the workspace they have been 
invited to by default.",{"data":2780,"content":2784,"nodeType":1372},{"target":2781},{"sys":2782},{"id":2783,"type":1369,"linkType":1370},"2GlTHcT1cpQ44jb5lN9dr4",[],{"data":2786,"content":2787,"nodeType":1671},{},[2788],{"data":2789,"marks":2790,"value":2791,"nodeType":1293},{},[],"Step 3 - Configure a malicious SAML server",{"data":2793,"content":2794,"nodeType":1294},{},[2795],{"data":2796,"marks":2797,"value":2798,"nodeType":1293},{},[],"Once the adversary has a critical mass of users on their poisoned tenant, they can later engage the SAMLjacking attack. ",{"data":2800,"content":2801,"nodeType":1294},{},[2802],{"data":2803,"marks":2804,"value":2805,"nodeType":1293},{},[],"To do this, they need to configure a custom SAML server. You can point this to a fake authentication provider they control that mirrors the appearance of the SSO provider the target users are accustomed to using in order to capture credentials.",{"data":2807,"content":2811,"nodeType":1372},{"target":2808},{"sys":2809},{"id":2810,"type":1369,"linkType":1370},"1RbhUTZd5Ak4UvjiZhub4V",[],{"data":2813,"content":2814,"nodeType":1294},{},[2815],{"data":2816,"marks":2817,"value":2818,"nodeType":1293},{},[],"If you toggle the setting to require SSO, existing users will be sent emails prompting them to link their accounts to SSO. That leads to two possible paths to a user compromise.",{"data":2820,"content":2821,"nodeType":1342},{},[2822],{"data":2823,"marks":2824,"value":2825,"nodeType":1293},{},[],"Paths to user compromise ",{"data":2827,"content":2828,"nodeType":1671},{},[2829],{"data":2830,"marks":2831,"value":2832,"nodeType":1293},{},[],"The first possibility",{"data":2834,"content":2835,"nodeType":1294},{},[2836],{"data":2837,"marks":2838,"value":2839,"nodeType":1293},{},[],"This compromise occurs when the target sees the email that SSO has been configured and clicks the link in order to link their account to SSO. 
A smart adversary may improve the social engineering quality with an email sent out in advance informing users that the internal security team has requested Nuclino be linked to SSO. This makes the target expect the email and consider it legitimate. ",{"data":2841,"content":2842,"nodeType":1294},{},[2843],{"data":2844,"marks":2845,"value":2846,"nodeType":1293},{},[],"Even though the email is an official email from Nuclino and the link contained is an official Nuclino URL, it will immediately redirect to the malicious SAML server that has been configured, where credentials can then be captured.",{"data":2848,"content":2852,"nodeType":1372},{"target":2849},{"sys":2850},{"id":2851,"type":1369,"linkType":1370},"6zWiAfBx7aaUeo6t04AtUl",[],{"data":2854,"content":2855,"nodeType":1671},{},[2856],{"data":2857,"marks":2858,"value":2859,"nodeType":1293},{},[],"Second compromise possibility",{"data":2861,"content":2862,"nodeType":1294},{},[2863],{"data":2864,"marks":2865,"value":2866,"nodeType":1293},{},[],"If the user ignores the email, the other potential outcome occurs when their session expires and they need to login again to regain access. This is similar to a watering hole attack. When their session expires, the target’s open tabs or bookmarks will redirect back to the workspace specific login page, which will now look like this:",{"data":2868,"content":2872,"nodeType":1372},{"target":2869},{"sys":2870},{"id":2871,"type":1369,"linkType":1370},"580CvVtdyEpqdiK8T1lSfQ",[],{"data":2874,"content":2875,"nodeType":1294},{},[2876],{"data":2877,"marks":2878,"value":2879,"nodeType":1293},{},[],"Clicking the button to login with SSO will immediately redirect to the malicious SAML server and launch the attack. 
Alternatively, if the target attempts to log in without SSO, the login will fail with an error message telling them to log in with SSO.",{"data":2881,"content":2882,"nodeType":1294},{},[2883],{"data":2884,"marks":2885,"value":2886,"nodeType":1293},{},[],"Either way, once the SAMLjacking has taken effect, they’ll be faced with a familiar-looking SSO login page from a trusted source at a point they are expecting to enter their credentials - something even the most paranoid of users could easily fall for unknowingly. ",{"data":2888,"content":2892,"nodeType":1372},{"target":2889},{"sys":2890},{"id":2891,"type":1369,"linkType":1370},"5eFctGgFywtmhhjaXVraqN",[],{"data":2894,"content":2895,"nodeType":1342},{},[2896],{"data":2897,"marks":2898,"value":2405,"nodeType":1293},{},[],{"data":2900,"content":2901,"nodeType":1294},{},[2902],{"data":2903,"marks":2904,"value":2905,"nodeType":1293},{},[],"At this point, having compromised multiple users’ Google credentials, an adversary has a lot of options available:",{"data":2907,"content":2908,"nodeType":1492},{},[2909,2919,2929,2951],{"data":2910,"content":2911,"nodeType":1413},{},[2912],{"data":2913,"content":2914,"nodeType":1294},{},[2915],{"data":2916,"marks":2917,"value":2918,"nodeType":1293},{},[],"Access all data in Google apps like Gmail, Google Drive etc",{"data":2920,"content":2921,"nodeType":1413},{},[2922],{"data":2923,"content":2924,"nodeType":1294},{},[2925],{"data":2926,"marks":2927,"value":2928,"nodeType":1293},{},[],"Access other SaaS apps that use SSO with the same Google account",{"data":2930,"content":2931,"nodeType":1413},{},[2932],{"data":2933,"content":2934,"nodeType":1294},{},[2935,2939,2948],{"data":2936,"marks":2937,"value":2938,"nodeType":1293},{},[],"Access other SaaS apps that use 
",{"data":2940,"content":2942,"nodeType":1439},{"uri":2941},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/passwordless_logins/description.md",[2943],{"data":2944,"marks":2945,"value":2947,"nodeType":1293},{},[2946],{"type":1437},"passwordless logins",{"data":2949,"marks":2950,"value":37,"nodeType":1293},{},[],{"data":2952,"content":2953,"nodeType":1413},{},[2954],{"data":2955,"content":2956,"nodeType":1294},{},[2957,2961,2970],{"data":2958,"marks":2959,"value":2960,"nodeType":1293},{},[],"Access other SaaS apps via email ",{"data":2962,"content":2964,"nodeType":1439},{"uri":2963},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/account_recovery/description.md",[2965],{"data":2966,"marks":2967,"value":2969,"nodeType":1293},{},[2968],{"type":1437},"account recovery",{"data":2971,"marks":2972,"value":37,"nodeType":1293},{},[],{"data":2974,"content":2975,"nodeType":1294},{},[2976],{"data":2977,"marks":2978,"value":2979,"nodeType":1293},{},[],"Essentially, this can potentially lead to a compromise of every SaaS application accessible by the compromised user - all from the use of a poisoned tenant for an app with no particularly sensitive data or permissions.",{"data":2981,"content":2982,"nodeType":1671},{},[2983],{"data":2984,"marks":2985,"value":2482,"nodeType":1293},{},[],{"data":2987,"content":2988,"nodeType":1294},{},[2989],{"data":2990,"marks":2991,"value":2992,"nodeType":1293},{},[],"We have seen how two new SaaS-focused attack techniques can be combined into one more effective attack chain. This shows how a successful poisoned tenant attack for even a low risk app can still be a significant threat when combined with a SAMLjacking attack. ",{"data":2994,"content":2995,"nodeType":1294},{},[2996],{"data":2997,"marks":2998,"value":2999,"nodeType":1293},{},[],"This demonstrates even the least sensitive edge cases of SaaS sprawl can represent a vector to laterally move to compromise much more valuable assets. 
History taught us that protecting core production assets was not enough. Adversaries often achieved compromises via test systems and unsecured development resources. What we are seeing now is that this parallel exists in the SaaS-native world too. Therefore, we need to be protecting all SaaS resources with greater vigilance than their standalone sensitivity would indicate.",{"data":3001,"content":3002,"nodeType":1294},{},[3003],{"data":3004,"marks":3005,"value":3006,"nodeType":1293},{},[],"So what can be done about it? Well, like much in security, there is no silver bullet solution to this issue. SaaS apps are here to stay and are designed to be flexible, easy to sign up for and use. The key first step is always to get good visibility into the SaaS sprawl across your organization. If certain employees or teams start making use of a new SaaS app (or a new tenant for an existing one), that’s probably something your security team should be aware of so they can make sure it’s legitimate and being used as securely as possible. 
","SAMLjacking a poisoned tenant","In this article, we’re going to demo combining two of our favorite new SaaS attack techniques to make a simple, but effective attack chain.\n","2023-08-17T00:00:00.000Z","samljacking-a-poisoned-tenant",{"items":3012},[3013,3015],{"sys":3014,"name":1306},{"id":1305},{"sys":3016,"name":2536},{"id":2535},{"items":3018},[3019],{"fullName":2540,"firstName":2541,"jobTitle":2542,"profilePicture":3020},{"url":2544},{"__typename":1314,"sys":3022,"content":3024,"title":3906,"synopsis":3032,"hashTags":118,"publishedDate":3907,"slug":3908,"tagsCollection":3909,"authorsCollection":3915},{"id":3023},"7ygI4NLJ2zpuiVwAlggkTG",{"json":3025},{"nodeType":1295,"data":3026,"content":3027},{},[3028,3035,3042,3074,3081,3088,3107,3114,3121,3128,3158,3164,3171,3187,3194,3201,3235,3242,3249,3256,3263,3270,3276,3283,3290,3297,3305,3312,3332,3339,3346,3353,3360,3367,3374,3381,3388,3395,3401,3408,3428,3435,3454,3460,3466,3472,3479,3486,3493,3499,3505,3512,3519,3526,3533,3540,3546,3564,3584,3591,3597,3603,3610,3617,3624,3631,3654,3660,3666,3673,3680,3687,3699,3705,3712,3718,3724,3731,3738,3745,3751,3757,3763,3770,3886,3892,3899],{"nodeType":1294,"data":3029,"content":3030},{},[3031],{"nodeType":1293,"value":3032,"marks":3033,"data":3034},"In this article, we’re going to demonstrate how combining two of our favorite new SaaS attack techniques makes a simple, but very stealthy persistence approach.",[],{},{"nodeType":1294,"data":3036,"content":3037},{},[3038],{"nodeType":1293,"value":3039,"marks":3040,"data":3041},"—----",[],{},{"nodeType":1294,"data":3043,"content":3044},{},[3045,3049,3056,3060,3070],{"nodeType":1293,"value":3046,"marks":3047,"data":3048},"This is the second post in a series on attack chains formed by combining techniques in the ",[],{},{"nodeType":1439,"data":3050,"content":3051},{"uri":1988},[3052],{"nodeType":1293,"value":2566,"marks":3053,"data":3055},[3054],{"type":1437},{},{"nodeType":1293,"value":3057,"marks":3058,"data":3059},". 
Last post we wrote about ",[],{},{"nodeType":3061,"data":3062,"content":3065},"entry-hyperlink",{"target":3063},{"sys":3064},{"id":2547,"type":1369,"linkType":1370},[3066],{"nodeType":1293,"value":3007,"marks":3067,"data":3069},[3068],{"type":1437},{},{"nodeType":1293,"value":3071,"marks":3072,"data":3073},". ",[],{},{"nodeType":1294,"data":3075,"content":3076},{},[3077],{"nodeType":1293,"value":3078,"marks":3079,"data":3080},"This time we’ll be looking at combining shadow workflows with an evil twin integration for an especially sneaky and flexible method of persistence. We’ll be using Zapier integrating with Azure as our primary example. ",[],{},{"nodeType":1342,"data":3082,"content":3083},{},[3084],{"nodeType":1293,"value":3085,"marks":3086,"data":3087},"What is a shadow workflow?",[],{},{"nodeType":1294,"data":3089,"content":3090},{},[3091,3095,3103],{"nodeType":1293,"value":3092,"marks":3093,"data":3094},"A ",[],{},{"nodeType":1439,"data":3096,"content":3097},{"uri":2097},[3098],{"nodeType":1293,"value":3099,"marks":3100,"data":3102},"shadow workflow ",[3101],{"type":1437},{},{"nodeType":1293,"value":3104,"marks":3105,"data":3106},"is a technique for using SaaS automation apps to provide a code execution-like method for conducting malicious actions from a legitimate source using OAuth integrations. This could be a daily export of files from shared cloud drives, automatic forwarding and deleting of emails, cloning instant messages, exporting user directories — basically anything that is possible using the target app’s API. ",[],{},{"nodeType":1294,"data":3108,"content":3109},{},[3110],{"nodeType":1293,"value":3111,"marks":3112,"data":3113},"The fact automation apps utilize OAuth integrations means they also function as a very effective method of maintaining persistence. Think of shadow workflows as the offensive PowerShell of the SaaS world. 
",[],{},{"nodeType":1342,"data":3115,"content":3116},{},[3117],{"nodeType":1293,"value":3118,"marks":3119,"data":3120},"What’s an evil twin integration?",[],{},{"nodeType":1294,"data":3122,"content":3123},{},[3124],{"nodeType":1293,"value":3125,"marks":3126,"data":3127},"Creating a new OAuth integration, even if using a legitimate SaaS application, could be viewed as suspicious if seen by a security team or the affected user. This is especially true if an account compromise is discovered and an IR team sees a consent for a new OAuth integration in the log that the compromised user does not recognize. ",[],{},{"nodeType":1294,"data":3129,"content":3130},{},[3131,3135,3144,3148,3154],{"nodeType":1293,"value":3132,"marks":3133,"data":3134},"An ",[],{},{"nodeType":1439,"data":3136,"content":3138},{"uri":3137},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/evil_twin_integrations/description.md",[3139],{"nodeType":1293,"value":3140,"marks":3141,"data":3143},"evil twin integration",[3142],{"type":1437},{},{"nodeType":1293,"value":3145,"marks":3146,"data":3147},", however, reduces the chances of discovery by reusing an existing ",[],{},{"nodeType":1293,"value":3149,"marks":3150,"data":3153},"legitimate",[3151,3152],{"type":312},{"type":1407},{},{"nodeType":1293,"value":3155,"marks":3156,"data":3157}," integration for malicious purposes.",[],{},{"nodeType":1342,"data":3159,"content":3160},{},[3161],{"nodeType":1293,"value":2643,"marks":3162,"data":3163},[],{},{"nodeType":1294,"data":3165,"content":3166},{},[3167],{"nodeType":1293,"value":3168,"marks":3169,"data":3170},"While shadow workflows are incredibly powerful on their own, as malicious use of OAuth integrations becomes more common, security teams will start regularly checking for new, or unknown, integrations in response to security incidents. 
While automation apps are legitimate SaaS services, shadow workflow attacks could still raise question marks during incident response if it’s connected shortly after a compromise and/or if the affected user has no knowledge of it. ",[],{},{"nodeType":1294,"data":3172,"content":3173},{},[3174,3178,3183],{"nodeType":1293,"value":3175,"marks":3176,"data":3177},"Additionally, as use of security tools that ",[],{},{"nodeType":1293,"value":3179,"marks":3180,"data":3182},"provide visibility of OAuth integrations",[3181],{"type":1437},{},{"nodeType":1293,"value":3184,"marks":3185,"data":3186}," (check out our product) increases, it will become increasingly dangerous for an adversary to create a new OAuth integration. That’s because the target user and possibly even security teams may be notified.",[],{},{"nodeType":1294,"data":3188,"content":3189},{},[3190],{"nodeType":1293,"value":3191,"marks":3192,"data":3193},"This leads us on to evil twin integrations. Their power is in making use of existing integrations so they can avoid appearing as a new integration and getting flagged or sending alerts to security teams. That makes them much stealthier and increases the likelihood of a successful attack. 
",[],{},{"nodeType":1294,"data":3195,"content":3196},{},[3197],{"nodeType":1293,"value":3198,"marks":3199,"data":3200},"There are three possibilities here that lead to two different levels of stealth for the attack:",[],{},{"nodeType":3202,"data":3203,"content":3204},"ordered-list",{},[3205,3215,3225],{"nodeType":1413,"data":3206,"content":3207},{},[3208],{"nodeType":1294,"data":3209,"content":3210},{},[3211],{"nodeType":1293,"value":3212,"marks":3213,"data":3214},"Medium stealth option: Making use of an automation app used legitimately by the organization, but not by the target user, specifically",[],{},{"nodeType":1413,"data":3216,"content":3217},{},[3218],{"nodeType":1294,"data":3219,"content":3220},{},[3221],{"nodeType":1293,"value":3222,"marks":3223,"data":3224},"High stealth option 1: Making use of an automation app used legitimately by the target user themselves",[],{},{"nodeType":1413,"data":3226,"content":3227},{},[3228],{"nodeType":1294,"data":3229,"content":3230},{},[3231],{"nodeType":1293,"value":3232,"marks":3233,"data":3234},"High stealth option 2: Making use of an automation app that has been granted admin consent",[],{},{"nodeType":1671,"data":3236,"content":3237},{},[3238],{"nodeType":1293,"value":3239,"marks":3240,"data":3241},"Medium stealth option: Pre-existing use by organization",[],{},{"nodeType":1294,"data":3243,"content":3244},{},[3245],{"nodeType":1293,"value":3246,"marks":3247,"data":3248},"This option is by far the most likely option to be applicable in a real-world situation. Here’s how it works:",[],{},{"nodeType":1294,"data":3250,"content":3251},{},[3252],{"nodeType":1293,"value":3253,"marks":3254,"data":3255},"The consent for the targeted user will be new and will generate an audit event to show that, but the integration itself will not be new inside the organization and may even be formally approved by the security team already. 
This will help evade general detection mechanisms as it won’t be seen as a brand new integration at the organization level that requires careful scrutiny. It’s much harder to evaluate new consents on a per-user basis for existing integrations if the organization is of any significant size.",[],{},{"nodeType":1294,"data":3257,"content":3258},{},[3259],{"nodeType":1293,"value":3260,"marks":3261,"data":3262},"The downside, however, is that this attack stands a greater chance of detection if notifications are delivered directly to the affected user. Alternatively, if the original compromise is discovered, incident responders are more likely to discover this consent during an investigation. That’s because the affected user would know they aren’t using the automation app and incident responders are likely to explore logs showing consents to new OAuth integrations and permissions shortly after a successful compromise.",[],{},{"nodeType":1294,"data":3264,"content":3265},{},[3266],{"nodeType":1293,"value":3267,"marks":3268,"data":3269},"Using Azure as an example, while no new service principal is created in this case, the audit logs still show a new consent for the targeted user to the existing Zapier app: ",[],{},{"nodeType":1372,"data":3271,"content":3275},{"target":3272},{"sys":3273},{"id":3274,"type":1369,"linkType":1370},"7m0E0sOulc348jhQguQLb1",[],{"nodeType":1671,"data":3277,"content":3278},{},[3279],{"nodeType":1293,"value":3280,"marks":3281,"data":3282},"High stealth option 1: Pre-existing use by targeted user",[],{},{"nodeType":1294,"data":3284,"content":3285},{},[3286],{"nodeType":1293,"value":3287,"marks":3288,"data":3289},"This is the holy grail option, but is likely to require more luck in the real world. It requires that the target user is already using an automation app, which the adversary could compromise and utilize. 
If the compromised user has already consented to permissions useful to the adversary, such as access to sensitive data like email and file stores, then new malicious workflows can be created without requiring the user to consent to new permissions. ",[],{},{"nodeType":1294,"data":3291,"content":3292},{},[3293],{"nodeType":1293,"value":3294,"marks":3295,"data":3296},"Consequently, there will be no new integration observed at the organization level, no new user-specific consents for sensitive permissions and the target user would indicate they’re just using a legitimate app if questioned by incident responders. ",[],{},{"nodeType":1294,"data":3298,"content":3299},{},[3300],{"nodeType":1293,"value":3301,"marks":3302,"data":3304},"None of the three audit log entries shown above would be present in this scenario either.",[3303],{"type":1407},{},{"nodeType":1671,"data":3306,"content":3307},{},[3308],{"nodeType":1293,"value":3309,"marks":3310,"data":3311},"High stealth option 2: Azure admin consented app",[],{},{"nodeType":1294,"data":3313,"content":3314},{},[3315,3319,3328],{"nodeType":1293,"value":3316,"marks":3317,"data":3318},"There is a mixed scenario when permissions for an automation app (or any app you want to use for an evil twin integration) have been granted tenant-wide ",[],{},{"nodeType":1439,"data":3320,"content":3322},{"uri":3321},"https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/user-admin-consent-overview#admin-consent",[3323],{"nodeType":1293,"value":3324,"marks":3325,"data":3327},"admin consent in Azure",[3326],{"type":1437},{},{"nodeType":1293,"value":3329,"marks":3330,"data":3331},". In this case, the administrator has effectively consented to permissions for all users, even if they aren’t currently active users of the app. 
",[],{},{"nodeType":1294,"data":3333,"content":3334},{},[3335],{"nodeType":1293,"value":3336,"marks":3337,"data":3338},"This means when a new user integrates the app, it does not generate a new permission grant since it is effectively already granted. Consequently, the three log entries shown above would not be present in this scenario even if integrating the app for a user that has never used it before.",[],{},{"nodeType":1294,"data":3340,"content":3341},{},[3342],{"nodeType":1293,"value":3343,"marks":3344,"data":3345},"This gives the best level of flexibility for an adversary as they can avoid generating new permission grant logs for any user. However, it's not quite as stealthy as when the targeted user already makes use of the app as there is no history of legitimate app logins or activity for the user prior to the compromise to blend in with.",[],{},{"nodeType":1342,"data":3347,"content":3348},{},[3349],{"nodeType":1293,"value":3350,"marks":3351,"data":3352},"An example attack - Zapier",[],{},{"nodeType":1294,"data":3354,"content":3355},{},[3356],{"nodeType":1293,"value":3357,"marks":3358,"data":3359},"In this case, we’re going to use Zapier as our automation app example and Azure as the primary target for integrations and there will be no admin consent involved. We’ll also be using Google Workspace for data exfiltration. There are many other examples we could have used here, though - Make.com, IFTTT, Retool, Tines, Microsoft Power Automate and many other SaaS apps have powerful automation and integration capabilities and could be used for similar purposes. 
",[],{},{"nodeType":1294,"data":3361,"content":3362},{},[3363],{"nodeType":1293,"value":3364,"marks":3365,"data":3366},"Azure and Google Workspace are also obvious juicy targets for integrations, but automation apps support integrations with vast numbers of other SaaS applications, so there are many possible targets.",[],{},{"nodeType":1294,"data":3368,"content":3369},{},[3370],{"nodeType":1293,"value":3371,"marks":3372,"data":3373},"So, let’s say we’ve compromised a target user’s Azure account. Perhaps we have conducted a successful credential stuffing attack, a phishing attack including MFA code proxying or even achieved a traditional endpoint compromise and have stolen the user’s session tokens.",[],{},{"nodeType":1294,"data":3375,"content":3376},{},[3377],{"nodeType":1293,"value":3378,"marks":3379,"data":3380},"Whatever the case, we have temporary control of the user’s account, either until the session expires or the user changes their password. If the original compromise is detected, that could happen quickly, so we want to conduct some malicious actions to make use of the access while we have it and to also gain persistence so we maintain our access beyond a password change.",[],{},{"nodeType":1294,"data":3382,"content":3383},{},[3384],{"nodeType":1293,"value":3385,"marks":3386,"data":3387},"We want to use an automation app, but we’d prefer to be as stealthy as possible by also making it an evil twin integration. We’d like to see if the target user has existing integrations with any apps we’d like to use - especially an automation app for that high stealth option we mentioned above. ",[],{},{"nodeType":1294,"data":3389,"content":3390},{},[3391],{"nodeType":1293,"value":3392,"marks":3393,"data":3394},"We’ve created a video demo of the full attack below. 
A step by step write up with more detail then follows:",[],{},{"nodeType":1372,"data":3396,"content":3400},{"target":3397},{"sys":3398},{"id":3399,"type":1369,"linkType":1370},"E1ZHBcjGLZAno0SRtJ3d3",[],{"nodeType":1342,"data":3402,"content":3403},{},[3404],{"nodeType":1293,"value":3405,"marks":3406,"data":3407},"Step 1 - Enumerating potential targets",[],{},{"nodeType":1294,"data":3409,"content":3410},{},[3411,3415,3424],{"nodeType":1293,"value":3412,"marks":3413,"data":3414},"We could perform something as simple as an email search for evidence of sign-ups, but that won’t necessarily show us if actual OAuth integrations have been configured and what permissions are in use. What we really need is a way to perform an ",[],{},{"nodeType":1439,"data":3416,"content":3418},{"uri":3417},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/oauth_token_enumeration/description.md",[3419],{"nodeType":1293,"value":3420,"marks":3421,"data":3423},"OAuth token enumeration",[3422],{"type":1437},{},{"nodeType":1293,"value":3425,"marks":3426,"data":3427}," attack.",[],{},{"nodeType":1671,"data":3429,"content":3430},{},[3431],{"nodeType":1293,"value":3432,"marks":3433,"data":3434},"The first method: myapps.microsoft.com",[],{},{"nodeType":1294,"data":3436,"content":3437},{},[3438,3442,3450],{"nodeType":1293,"value":3439,"marks":3440,"data":3441},"Make use of ",[],{},{"nodeType":1439,"data":3443,"content":3445},{"uri":3444},"https://myapps.microsoft.com",[3446],{"nodeType":1293,"value":3444,"marks":3447,"data":3449},[3448],{"type":1437},{},{"nodeType":1293,"value":3451,"marks":3452,"data":3453}," to see which apps are listed and which permissions have been granted. 
We can see Zapier is in use and the user has granted it access to their email and files, making it a great target.",[],{},{"nodeType":1372,"data":3455,"content":3459},{"target":3456},{"sys":3457},{"id":3458,"type":1369,"linkType":1370},"6dDez7xRZjliEJR6DAkWHa",[],{"nodeType":1372,"data":3461,"content":3465},{"target":3462},{"sys":3463},{"id":3464,"type":1369,"linkType":1370},"7M0imWv4n3z1RYQu3AdMF5",[],{"nodeType":1372,"data":3467,"content":3471},{"target":3468},{"sys":3469},{"id":3470,"type":1369,"linkType":1370},"3fwFBK03tc5g064k0IyADO",[],{"nodeType":1671,"data":3473,"content":3474},{},[3475],{"nodeType":1293,"value":3476,"marks":3477,"data":3478},"The second method: Microsoft’s graph API",[],{},{"nodeType":1294,"data":3480,"content":3481},{},[3482],{"nodeType":1293,"value":3483,"marks":3484,"data":3485},"\nMicrosoft’s graph API doesn’t make it possible to list out service principals without admin permissions, but you can enumerate individual OAuth permission grants and app role assignments for your own user account. ",[],{},{"nodeType":1294,"data":3487,"content":3488},{},[3489],{"nodeType":1293,"value":3490,"marks":3491,"data":3492},"The client ID listed for permission grants is actually the tenant-specific service principal ID, rather than the globally unique OAuth app ID, but the app role assignments call gives us the app display name. We can match up the IDs from the app role assignments with the OAuth permission grants to see which permissions have been granted to the given app. 
",[],{},{"nodeType":1372,"data":3494,"content":3498},{"target":3495},{"sys":3496},{"id":3497,"type":1369,"linkType":1370},"519mlRMbaZYBAVdSADwop7",[],{"nodeType":1372,"data":3500,"content":3504},{"target":3501},{"sys":3502},{"id":3503,"type":1369,"linkType":1370},"3g4WBQBEvqx5mXXnZzZzUG",[],{"nodeType":1342,"data":3506,"content":3507},{},[3508],{"nodeType":1293,"value":3509,"marks":3510,"data":3511},"Step 2 - Create shadow workflows",[],{},{"nodeType":1294,"data":3513,"content":3514},{},[3515],{"nodeType":1293,"value":3516,"marks":3517,"data":3518},"Ok, so we’ve figured out the user already makes use of Zapier and they’ve even already granted access to their email and files - that’s a juicy target we can’t turn down! So the next step is to create our own malicious workflows, or shadow workflows if you will, to get Zapier to do our dirty work for us.",[],{},{"nodeType":1294,"data":3520,"content":3521},{},[3522],{"nodeType":1293,"value":3523,"marks":3524,"data":3525},"First of all, we’ll see if we can scope out the user’s existing Zapier account to better understand the setup. Then we’ll create a new Zapier account and link it to the target user’s account that we’ve compromised. 
Here’s how that would work:",[],{},{"nodeType":1671,"data":3527,"content":3528},{},[3529],{"nodeType":1293,"value":3530,"marks":3531,"data":3532},"Scope out the existing Zapier account",[],{},{"nodeType":1294,"data":3534,"content":3535},{},[3536],{"nodeType":1293,"value":3537,"marks":3538,"data":3539},"If the user uses SSO or social logins then we can login directly and, since we now control their Azure account, we can just log directly into their Zapier account!",[],{},{"nodeType":1372,"data":3541,"content":3545},{"target":3542},{"sys":3543},{"id":3544,"type":1369,"linkType":1370},"5IgmxUEm6n19OBL1cSZVkr",[],{"nodeType":1294,"data":3547,"content":3548},{},[3549,3553,3560],{"nodeType":1293,"value":3550,"marks":3551,"data":3552},"Alternatively, if they have created a standard password account, then we might already know the password if it’s the same used for their Azure account. Otherwise, we could potentially make use of an ",[],{},{"nodeType":1439,"data":3554,"content":3555},{"uri":2963},[3556],{"nodeType":1293,"value":2969,"marks":3557,"data":3559},[3558],{"type":1437},{},{"nodeType":1293,"value":3561,"marks":3562,"data":3563}," attack to gain access.",[],{},{"nodeType":1294,"data":3565,"content":3566},{},[3567,3571,3580],{"nodeType":1293,"value":3568,"marks":3569,"data":3570},"Once we have logged into their account, we can see their existing workflows and integrations. Technically, we could backdoor these or create new ones - a form of an ",[],{},{"nodeType":1439,"data":3572,"content":3574},{"uri":3573},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/abuse_existing_oauth_integrations/description.md",[3575],{"nodeType":1293,"value":3576,"marks":3577,"data":3579},"abuse existing OAuth integrations",[3578],{"type":1437},{},{"nodeType":1293,"value":3581,"marks":3582,"data":3583}," attack. 
However, that runs the risk of the user discovering our shadow workflows and also almost certainly being locked out of the account during the next password change. ",[],{},{"nodeType":1294,"data":3585,"content":3586},{},[3587],{"nodeType":1293,"value":3588,"marks":3589,"data":3590},"Instead, we can stick to an evil twin integration from our own Zapier account, which we’ll create later.",[],{},{"nodeType":1372,"data":3592,"content":3596},{"target":3593},{"sys":3594},{"id":3595,"type":1369,"linkType":1370},"2vhyTcVLq27QVa2HFFWBhH",[],{"nodeType":1372,"data":3598,"content":3602},{"target":3599},{"sys":3600},{"id":3601,"type":1369,"linkType":1370},"3jPSdBPSQgigA4yKK1udCV",[],{"nodeType":1294,"data":3604,"content":3605},{},[3606],{"nodeType":1293,"value":3607,"marks":3608,"data":3609},"Now we can see what the user was actually using Zapier for — they’ve set up an integration with both Outlook and OneDrive so they can forward emails related to their business expenses to a folder in their OneDrive. Probably a time-saving hack, which we can take advantage of since it won’t be unusual to see Zapier regularly accessing their Outlook and OneDrive. That means our attack will be extra stealthy.",[],{},{"nodeType":1671,"data":3611,"content":3612},{},[3613],{"nodeType":1293,"value":3614,"marks":3615,"data":3616},"Create our own malicious Zapier account",[],{},{"nodeType":1294,"data":3618,"content":3619},{},[3620],{"nodeType":1293,"value":3621,"marks":3622,"data":3623},"Given in this case we, at least temporarily, control the user’s Azure account there is nothing stopping us connecting this to our own malicious Zapier account completely separately from the user’s legitimate Zapier account. 
We then maintain full control over the Zapier account and the user will not be able to discover our shadow workflows as they won’t have any knowledge of our Zapier account: ",[],{},{"nodeType":1294,"data":3625,"content":3626},{},[3627],{"nodeType":1293,"value":3628,"marks":3629,"data":3630},"Let’s create our own shadow workflows:",[],{},{"nodeType":1492,"data":3632,"content":3633},{},[3634,3644],{"nodeType":1413,"data":3635,"content":3636},{},[3637],{"nodeType":1294,"data":3638,"content":3639},{},[3640],{"nodeType":1293,"value":3641,"marks":3642,"data":3643},"One that sends every new OneDrive file to our own separate Google Drive account. This allows us to maintain a complete view of the user’s files into the future. ",[],{},{"nodeType":1413,"data":3645,"content":3646},{},[3647],{"nodeType":1294,"data":3648,"content":3649},{},[3650],{"nodeType":1293,"value":3651,"marks":3652,"data":3653},"And one to forward every new Outlook email to our own GMail account.",[],{},{"nodeType":1372,"data":3655,"content":3659},{"target":3656},{"sys":3657},{"id":3658,"type":1369,"linkType":1370},"6eK8uNjPnkrfVjgFzl03SM",[],{"nodeType":1372,"data":3661,"content":3665},{"target":3662},{"sys":3663},{"id":3664,"type":1369,"linkType":1370},"6xJvuS374tbflAoNmhnqYP",[],{"nodeType":1294,"data":3667,"content":3668},{},[3669],{"nodeType":1293,"value":3670,"marks":3671,"data":3672},"We can now see we are logged in with a separate GMail account, but have created shadow workflows to forward emails from the user’s Outlook to our GMail account and harvest files from their OneDrive to our Google Drive.",[],{},{"nodeType":1294,"data":3674,"content":3675},{},[3676],{"nodeType":1293,"value":3677,"marks":3678,"data":3679},"The major benefit of creating our own Zapier account for an evil twin integration is that once we are locked out of the target user’s account via a password change or otherwise, not only do our existing shadow workflows continue to operate via OAuth, but we are able to create new shadow 
workflows and reuse the existing OAuth connections. That’s the power of having full control of the Zapier account. ",[],{},{"nodeType":1294,"data":3681,"content":3682},{},[3683],{"nodeType":1293,"value":3684,"marks":3685,"data":3686},"One small downside to this approach is that creating the new OAuth integrations inside a new Zapier account generates an interactive login event for the Zapier integrations from the adversary’s IP address. This occurs due to creating integrations from the new Zapier account, but because the user has already consented to all the relevant permissions for Zapier’s own OAuth apps there are no audit logs for new consents or applications, just the login event itself. ",[],{},{"nodeType":1294,"data":3688,"content":3689},{},[3690,3694],{"nodeType":1293,"value":3691,"marks":3692,"data":3693},"However, building detection logic that flags a successful sign-in to an app the user already legitimately uses as malicious is obviously extremely difficult. That sign-in event is nonetheless the one artefact this step leaves behind, and it carries the adversary’s IP address rather than the user’s usual one, so correlating interactive sign-ins to already-consented automation apps against the user’s normal sign-in pattern is the most realistic detection opportunity at this stage.   ",[],{},{"nodeType":1293,"value":3695,"marks":3696,"data":3698}," ",[3697],{"type":312},{},{"nodeType":1372,"data":3700,"content":3704},{"target":3701},{"sys":3702},{"id":3703,"type":1369,"linkType":1370},"1oZBtlL8rNl7TjmfJqRjUG",[],{"nodeType":1294,"data":3706,"content":3707},{},[3708],{"nodeType":1293,"value":3709,"marks":3710,"data":3711},"Beyond the initial login events, the only evidence of malicious activity in the future will be from the activity logs showing the actions conducted by our shadow workflows every time they are triggered to run. 
For example, the following screenshots show that the Zapier Todo app (ClientAppId 29246358-1970-4d6d-bc75-acf34edc758b) has been seen both uploading a file and downloading a file: \n",[],{},{"nodeType":1372,"data":3713,"content":3717},{"target":3714},{"sys":3715},{"id":3716,"type":1369,"linkType":1370},"2vYOSilB5W05aIHw2ZKqdC",[],{"nodeType":1372,"data":3719,"content":3723},{"target":3720},{"sys":3721},{"id":3722,"type":1369,"linkType":1370},"2fFwrdFO25BwY4vI7EKMA0",[],{"nodeType":1294,"data":3725,"content":3726},{},[3727],{"nodeType":1293,"value":3728,"marks":3729,"data":3730},"The file upload in this case relates to the legitimate workflow and the file download relates to the shadow workflow. The IP addresses relate to Zapier’s legitimate infrastructure so really only a very thorough and specific investigation is going to be able to uncover that one of these events is malicious.",[],{},{"nodeType":1342,"data":3732,"content":3733},{},[3734],{"nodeType":1293,"value":3735,"marks":3736,"data":3737},"Step 3 - Profit",[],{},{"nodeType":1294,"data":3739,"content":3740},{},[3741],{"nodeType":1293,"value":3742,"marks":3743,"data":3744},"Now we just need to sit back and let our shadow workflows do the work for us, 24/7 and from Zapier’s infrastructure via a legitimate OAuth integration. 
Here we can see files the user created in OneDrive and emails they received in Outlook mirrored to our own GMail and Google Drive via the magic of shadow workflows.",[],{},{"nodeType":1372,"data":3746,"content":3750},{"target":3747},{"sys":3748},{"id":3749,"type":1369,"linkType":1370},"4lJBrdJLEVnhBUjgtGo8T1",[],{"nodeType":1372,"data":3752,"content":3756},{"target":3753},{"sys":3754},{"id":3755,"type":1369,"linkType":1370},"azQ3IO0n4Idih5LDwOogV",[],{"nodeType":1342,"data":3758,"content":3759},{},[3760],{"nodeType":1293,"value":2405,"marks":3761,"data":3762},[],{},{"nodeType":1294,"data":3764,"content":3765},{},[3766],{"nodeType":1293,"value":3767,"marks":3768,"data":3769},"Ok, we’ve covered a lot of ground here so it’s worth taking a step back and considering the key impact points of this attack chain:",[],{},{"nodeType":1492,"data":3771,"content":3772},{},[3773,3783,3793,3803,3813,3866,3876],{"nodeType":1413,"data":3774,"content":3775},{},[3776],{"nodeType":1294,"data":3777,"content":3778},{},[3779],{"nodeType":1293,"value":3780,"marks":3781,"data":3782},"An adversary who has gained (temporary) access to a user account that supports OAuth integrations can use shadow workflows to execute malicious actions and to maintain persistence",[],{},{"nodeType":1413,"data":3784,"content":3785},{},[3786],{"nodeType":1294,"data":3787,"content":3788},{},[3789],{"nodeType":1293,"value":3790,"marks":3791,"data":3792},"This access will continue even if the user changes their password or resets MFA",[],{},{"nodeType":1413,"data":3794,"content":3795},{},[3796],{"nodeType":1294,"data":3797,"content":3798},{},[3799],{"nodeType":1293,"value":3800,"marks":3801,"data":3802},"Not only do existing shadow workflows continue to work after password changes, an adversary can continue to create new ones and reuse the existing 
integrations.",[],{},{"nodeType":1413,"data":3804,"content":3805},{},[3806],{"nodeType":1294,"data":3807,"content":3808},{},[3809],{"nodeType":1293,"value":3810,"marks":3811,"data":3812},"Any relevant logs will show access via legitimate IP addresses and OAuth integrations for SaaS automation apps ",[],{},{"nodeType":1413,"data":3814,"content":3815},{},[3816,3823],{"nodeType":1294,"data":3817,"content":3818},{},[3819],{"nodeType":1293,"value":3820,"marks":3821,"data":3822},"Automation apps are so flexible that an adversary can do pretty much anything - it’s basically the offensive PowerShell of the SaaS world. Just some examples:",[],{},{"nodeType":1492,"data":3824,"content":3825},{},[3826,3836,3846,3856],{"nodeType":1413,"data":3827,"content":3828},{},[3829],{"nodeType":1294,"data":3830,"content":3831},{},[3832],{"nodeType":1293,"value":3833,"marks":3834,"data":3835},"Monitor all emails and files the user creates",[],{},{"nodeType":1413,"data":3837,"content":3838},{},[3839],{"nodeType":1294,"data":3840,"content":3841},{},[3842],{"nodeType":1293,"value":3843,"marks":3844,"data":3845},"Delete email security alerts before the user sees them",[],{},{"nodeType":1413,"data":3847,"content":3848},{},[3849],{"nodeType":1294,"data":3850,"content":3851},{},[3852],{"nodeType":1293,"value":3853,"marks":3854,"data":3855},"Intercept password reset and passwordless login emails to access other apps",[],{},{"nodeType":1413,"data":3857,"content":3858},{},[3859],{"nodeType":1294,"data":3860,"content":3861},{},[3862],{"nodeType":1293,"value":3863,"marks":3864,"data":3865},"Monitor instant messaging apps and use it to send targeted internal social engineering emails",[],{},{"nodeType":1413,"data":3867,"content":3868},{},[3869],{"nodeType":1294,"data":3870,"content":3871},{},[3872],{"nodeType":1293,"value":3873,"marks":3874,"data":3875},"If targeted users are already using automation apps legitimately, it’s even more stealthy - you won’t even see any new integrations or permission 
grants appear as the user will have already granted these legitimately.",[],{},{"nodeType":1413,"data":3877,"content":3878},{},[3879],{"nodeType":1294,"data":3880,"content":3881},{},[3882],{"nodeType":1293,"value":3883,"marks":3884,"data":3885},"If admin consent has been granted to the automation app, any user can be targeted without generating new permission grant logs even if they have never used the app.",[],{},{"nodeType":1342,"data":3887,"content":3888},{},[3889],{"nodeType":1293,"value":2482,"marks":3890,"data":3891},[],{},{"nodeType":1294,"data":3893,"content":3894},{},[3895],{"nodeType":1293,"value":3896,"marks":3897,"data":3898},"We have seen how two new SaaS-focused attack techniques can be combined into one more effective attack chain - in this case, a particularly nasty and stealthy persistence technique. This shows how even if a user compromise is detected very early, with password and MFA resets immediately issued, adversaries can maintain access to the account regardless, because neither a password reset nor an MFA reset revokes the OAuth grants the shadow workflows run on. Containment therefore also has to revoke the user’s existing OAuth permission grants and refresh tokens for the automation app, not just rotate the password and MFA.",[],{},{"nodeType":1294,"data":3900,"content":3901},{},[3902],{"nodeType":1293,"value":3903,"marks":3904,"data":3905},"This shows how even legitimate SaaS applications have incredibly powerful offensive use cases and very careful attention needs to be paid to integrations with highly sensitive permissions, even when they are approved and vetted applications. 
Incident response teams especially need to be well aware of these techniques when investigating potential user account compromises as persistence approaches can extend much further than endpoint implants and stolen passwords.",[],{},"The shadow workflow’s evil twin: A nearly invisible attack chain","2023-09-11T00:00:00.000Z","nearly-invisible-attack-chain",{"items":3910},[3911,3913],{"sys":3912,"name":1306},{"id":1305},{"sys":3914,"name":2536},{"id":2535},{"items":3916},[3917],{"fullName":2540,"firstName":2541,"jobTitle":2542,"profilePicture":3918},{"url":2544},{"items":3920},[3921],{"fullName":2540,"firstName":2541,"jobTitle":2542,"profilePicture":3922},{"url":2544},{"json":3924,"links":4529},{"data":3925,"content":3926,"nodeType":1295},{},[3927,3947,3954,3961,3978,3984,3999,4006,4013,4046,4053,4060,4067,4074,4107,4112,4118,4137,4144,4151,4158,4191,4198,4205,4212,4229,4235,4241,4247,4254,4274,4281,4288,4295,4302,4365,4372,4415,4422,4428,4435,4451,4456,4462,4469,4502,4508,4515,4522],{"data":3928,"content":3929,"nodeType":1294},{},[3930,3934,3943],{"data":3931,"marks":3932,"value":3933,"nodeType":1293},{},[],"We have spoken previously about ",{"data":3935,"content":3937,"nodeType":1439},{"uri":3936},"https://pushsecurity.com/blog/samljacking-a-poisoned-tenant/",[3938],{"data":3939,"marks":3940,"value":3942,"nodeType":1293},{},[3941],{"type":1437},"SAMLjacking and poisoned tenants",{"data":3944,"marks":3945,"value":3946,"nodeType":1293},{},[],", particularly with regard to clever phishing attacks aimed at gaining initial access to some cloud identities. Today, we’ll look at how Okta’s AD synchronization is pretty much SAMLjacking on steroids. We’ll also consider how it can be used as a stealthy watering-hole style lateral movement attack too.",{"data":3948,"content":3949,"nodeType":1294},{},[3950],{"data":3951,"marks":3952,"value":3953,"nodeType":1293},{},[],"To be clear, this isn't a vulnerability in Okta that circumvents a security boundary and needs to be patched. 
This is offensive use of a product feature, the SaaS version of living off the land (LOTL). Let's call it living off the cloud (LOTC).",{"data":3955,"content":3956,"nodeType":1342},{},[3957],{"data":3958,"marks":3959,"value":3960,"nodeType":1293},{},[],"What is SAMLjacking?",{"data":3962,"content":3963,"nodeType":1294},{},[3964,3967,3974],{"data":3965,"marks":3966,"value":37,"nodeType":1293},{},[],{"data":3968,"content":3969,"nodeType":1439},{"uri":2626},[3970],{"data":3971,"marks":3972,"value":2632,"nodeType":1293},{},[3973],{"type":1437},{"data":3975,"marks":3976,"value":3977,"nodeType":1293},{},[]," is where an attacker makes use of SAML SSO configuration settings for a SaaS tenant they control in order to redirect users to a malicious link during the authentication process. This can be highly effective for phishing, as the original URL will be a legitimate SaaS URL and users will provide their credentials because they’re expecting that as part of the login process. ",{"data":3979,"content":3980,"nodeType":1342},{},[3981],{"data":3982,"marks":3983,"value":2591,"nodeType":1293},{},[],{"data":3985,"content":3986,"nodeType":1294},{},[3987,3990,3996],{"data":3988,"marks":3989,"value":37,"nodeType":1293},{},[],{"data":3991,"content":3992,"nodeType":1439},{"uri":2600},[3993],{"data":3994,"marks":3995,"value":2606,"nodeType":1293},{},[],{"data":3997,"marks":3998,"value":2610,"nodeType":1293},{},[],{"data":4000,"content":4001,"nodeType":1342},{},[4002],{"data":4003,"marks":4004,"value":4005,"nodeType":1293},{},[],"What is Oktajacking?",{"data":4007,"content":4008,"nodeType":1294},{},[4009],{"data":4010,"marks":4011,"value":4012,"nodeType":1293},{},[],"This is a name I’ve been using to refer to using Okta to do the credential capture/keylogging for you, without needing to have your own malicious domain hosting your malicious SAML server. 
This is even more effective than regular SAMLjacking as the user will only ever see legitimate SaaS domains, with the subdomain being the attacker-chosen part (e.g. https://attacker-tenant.okta.com).",{"data":4014,"content":4015,"nodeType":1294},{},[4016,4020,4029,4033,4042],{"data":4017,"marks":4018,"value":4019,"nodeType":1293},{},[],"However, the awesome research that underpins this technique was conducted by Adam Chester (",{"data":4021,"content":4023,"nodeType":1439},{"uri":4022},"https://twitter.com/_xpn_",[4024],{"data":4025,"marks":4026,"value":4028,"nodeType":1293},{},[4027],{"type":1437},"@_xpn_",{"data":4030,"marks":4031,"value":4032,"nodeType":1293},{},[],") and is covered in his excellent article, ",{"data":4034,"content":4036,"nodeType":1439},{"uri":4035},"https://blog.xpnsec.com/okta-for-redteamers/",[4037],{"data":4038,"marks":4039,"value":4041,"nodeType":1293},{},[4040],{"type":1437},"Okta for Red Teamers",{"data":4043,"marks":4044,"value":4045,"nodeType":1293},{},[],". If you haven’t already read that, you absolutely should. ",{"data":4047,"content":4048,"nodeType":1294},{},[4049],{"data":4050,"marks":4051,"value":4052,"nodeType":1293},{},[],"Adam identified that if you compromise a Windows domain that’s linked to Okta and/or compromise an Okta admin account for an Okta instance linked to a Windows domain, you can use the Okta AD agent to capture credentials during logins. There’s lots more, but that’s the key part we’ll build upon for this article. ",{"data":4054,"content":4055,"nodeType":1294},{},[4056],{"data":4057,"marks":4058,"value":4059,"nodeType":1293},{},[],"This attack works because Okta forwards credentials from logins for accounts tied to AD to its own AD agent that runs on the target network. Then, Okta allows the agent to report back to them about whether the login should be successful or not. 
This enables an attacker who has compromised an AD agent, or is able to emulate one, to both monitor login credentials for Okta users and provide skeleton key-like functionality to authenticate to Okta as any user they like. ",{"data":4061,"content":4062,"nodeType":1294},{},[4063],{"data":4064,"marks":4065,"value":4066,"nodeType":1293},{},[],"The context of this in Adam’s article was primarily a traditional Windows domain compromise scenario where an attacker could use this method as a form of incredibly powerful domain-level persistence or to move laterally to other accounts. This is applicable in late-stage kill chain phases, where the attacker has already achieved a total organization-level compromise. ",{"data":4068,"content":4069,"nodeType":1294},{},[4070],{"data":4071,"marks":4072,"value":4073,"nodeType":1293},{},[],"So, how can this technique be leveraged earlier in the kill chain? We’ll consider the following two scenarios for this article:",{"data":4075,"content":4076,"nodeType":1492},{},[4077,4092],{"data":4078,"content":4079,"nodeType":1413},{},[4080],{"data":4081,"content":4082,"nodeType":1294},{},[4083,4088],{"data":4084,"marks":4085,"value":4087,"nodeType":1293},{},[4086],{"type":1407},"Oktajacking for initial access",{"data":4089,"marks":4090,"value":4091,"nodeType":1293},{},[]," - directly phishing credentials via a valid Okta tenant we create",{"data":4093,"content":4094,"nodeType":1413},{},[4095],{"data":4096,"content":4097,"nodeType":1294},{},[4098,4103],{"data":4099,"marks":4100,"value":4102,"nodeType":1293},{},[4101],{"type":1407},"Oktajacking for lateral movement ",{"data":4104,"marks":4105,"value":4106,"nodeType":1293},{},[],"- capturing credentials via a watering hole attack when having admin-level compromised a SaaS application in use by the target 
organization",{"data":4108,"content":4111,"nodeType":1372},{"target":4109},{"sys":4110},{"id":1497,"type":1369,"linkType":1370},[],{"data":4113,"content":4114,"nodeType":1342},{},[4115],{"data":4116,"marks":4117,"value":4087,"nodeType":1293},{},[],{"data":4119,"content":4120,"nodeType":1294},{},[4121,4125,4134],{"data":4122,"marks":4123,"value":4124,"nodeType":1293},{},[],"The most common way someone might attack Okta-protected organizations would be to conduct traditional phishing attacks hosted on an attacker-controlled domain that emulate an Okta login page. A great article to check out on this would be Nick Vangilder’s article, ",{"data":4126,"content":4128,"nodeType":1439},{"uri":4127},"https://medium.com/nickvangilder/okta-for-red-teamers-perimeter-edition-c60cb8d53f23",[4129],{"data":4130,"marks":4131,"value":4133,"nodeType":1293},{},[4132],{"type":1437},"Okta for Red Teamers - Perimeter Edition. ",{"data":4135,"marks":4136,"value":37,"nodeType":1293},{},[],{"data":4138,"content":4139,"nodeType":1294},{},[4140],{"data":4141,"marks":4142,"value":4143,"nodeType":1293},{},[],"However, as with most phishing attacks this involves the use of a malicious domain to host the phishing server. Okta AD synchronization allows us to use legitimate Okta domains to do the phishing for us. This attack can catch out even the most security conscious users.",{"data":4145,"content":4146,"nodeType":1294},{},[4147],{"data":4148,"marks":4149,"value":4150,"nodeType":1293},{},[],"To do this, we set up an attacker-controlled Okta tenant as a poisoned tenant and configure it for AD integration, using Adam Chester’s python script to harvest credentials. This enables actual Okta-owned domains to be used in phishing attacks to target users. A careful attacker would likely use a tenant name similar to the target organization’s real Okta tenant name. This is incredibly powerful and is likely to be effective against even the most security conscious users. 
",{"data":4152,"content":4153,"nodeType":1294},{},[4154],{"data":4155,"marks":4156,"value":4157,"nodeType":1293},{},[],"A few prerequisites and tweaks are required in order to make this attack successful:",{"data":4159,"content":4160,"nodeType":1492},{},[4161,4171,4181],{"data":4162,"content":4163,"nodeType":1413},{},[4164],{"data":4165,"content":4166,"nodeType":1294},{},[4167],{"data":4168,"marks":4169,"value":4170,"nodeType":1293},{},[],"Import and activate accounts from AD that match the emails of users you want to target - this will ensure these emails are mapped to AD for authentication and cause Okta to send the credentials to the monitoring script.",{"data":4172,"content":4173,"nodeType":1413},{},[4174],{"data":4175,"content":4176,"nodeType":1294},{},[4177],{"data":4178,"marks":4179,"value":4180,"nodeType":1293},{},[],"Make a small modification to the python script to accept any password as valid, rather than a specific skeleton key. ",{"data":4182,"content":4183,"nodeType":1413},{},[4184],{"data":4185,"content":4186,"nodeType":1294},{},[4187],{"data":4188,"marks":4189,"value":4190,"nodeType":1293},{},[],"Modify the default authentication policy for Okta to allow single-factor password authentication for the target users - this will prevent them being prompted to use Okta Verify as part of the login process.",{"data":4192,"content":4193,"nodeType":1294},{},[4194],{"data":4195,"marks":4196,"value":4197,"nodeType":1293},{},[],"The goal for the last two actions above is to allow target users to authenticate legitimately and then redirect them elsewhere, while capturing their credentials. This is better achieved by having their first password accepted rather than them continually failing to authenticate, which may eventually raise alarm bells. 
",{"data":4199,"content":4200,"nodeType":1294},{},[4201],{"data":4202,"marks":4203,"value":4204,"nodeType":1293},{},[],"In this case, we’ll use Okta’s bug bounty system as a test for our poisoned tenant, but in practice an attacker could set up a legitimate Okta tenant, pay for it and name it whatever they like. ",{"data":4206,"content":4207,"nodeType":1294},{},[4208],{"data":4209,"marks":4210,"value":4211,"nodeType":1293},{},[],"The end result is a legitimate Okta domain and login page that will capture credentials for the attacker, which can then be used in highly convincing phishing attacks. In this example, the following URL will capture credentials for us:",{"data":4213,"content":4214,"nodeType":1294},{},[4215,4218,4226],{"data":4216,"marks":4217,"value":37,"nodeType":1293},{},[],{"data":4219,"content":4221,"nodeType":1439},{"uri":4220},"https://bugcrowd-oie-lukejennings-1.oktapreview.com/",[4222],{"data":4223,"marks":4224,"value":4220,"nodeType":1293},{},[4225],{"type":1437},{"data":4227,"marks":4228,"value":37,"nodeType":1293},{},[],{"data":4230,"content":4234,"nodeType":1372},{"target":4231},{"sys":4232},{"id":4233,"type":1369,"linkType":1370},"2KBgFSFnmIdKqfpp8sPGb1",[],{"data":4236,"content":4240,"nodeType":1372},{"target":4237},{"sys":4238},{"id":4239,"type":1369,"linkType":1370},"5ef3me94SCAdM5vYXodqbF",[],{"data":4242,"content":4246,"nodeType":1372},{"target":4243},{"sys":4244},{"id":4245,"type":1369,"linkType":1370},"3OFjwQRQTJynaPme8WY9cp",[],{"data":4248,"content":4249,"nodeType":1342},{},[4250],{"data":4251,"marks":4252,"value":4253,"nodeType":1293},{},[],"Oktajacking for lateral movement",{"data":4255,"content":4256,"nodeType":1294},{},[4257,4261,4270],{"data":4258,"marks":4259,"value":4260,"nodeType":1293},{},[],"In both the previous section and our article on 
",{"data":4262,"content":4265,"nodeType":3061},{"target":4263},{"sys":4264},{"id":2547,"type":1369,"linkType":1370},[4266],{"data":4267,"marks":4268,"value":2632,"nodeType":1293},{},[4269],{"type":1437},{"data":4271,"marks":4272,"value":4273,"nodeType":1293},{},[],", we focused on conducting highly convincing phishing attacks by sending URLs for legitimate SaaS domains that capture credentials. ",{"data":4275,"content":4276,"nodeType":1294},{},[4277],{"data":4278,"marks":4279,"value":4280,"nodeType":1293},{},[],"But what if we achieve an admin-level compromise of a SaaS app used by a target organization that authenticates via Okta already? How can we leverage that access to perform lateral movement?",{"data":4282,"content":4283,"nodeType":1294},{},[4284],{"data":4285,"marks":4286,"value":4287,"nodeType":1293},{},[],"We can change the SAML configuration in the compromised SaaS application to point to a different Okta instance that we control and then conduct the same credential capture attack we saw in the previous section. ",{"data":4289,"content":4290,"nodeType":1294},{},[4291],{"data":4292,"marks":4293,"value":4294,"nodeType":1293},{},[],"In other words, we can then authenticate to the target SaaS application as any user we like and also capture Okta credentials for all legitimate users also using that application without needing to send any phishing links. ",{"data":4296,"content":4297,"nodeType":1294},{},[4298],{"data":4299,"marks":4300,"value":4301,"nodeType":1293},{},[],"We’re going to use Datadog as a demo example for this - just because we need something real to target. To be crystal clear, this will work for basically any app that supports SAML. 
This is not a bug in SAML, or in Okta, or Datadog - it's the consequence of having privileged administrative access to an app, and the ability to change SSO configuration.\n\nTo set up the attack, we need to first:",{"data":4303,"content":4304,"nodeType":1492},{},[4305,4315,4325,4335,4345,4355],{"data":4306,"content":4307,"nodeType":1413},{},[4308],{"data":4309,"content":4310,"nodeType":1294},{},[4311],{"data":4312,"marks":4313,"value":4314,"nodeType":1293},{},[],"Compromise the organization’s Datadog tenant at admin-level",{"data":4316,"content":4317,"nodeType":1413},{},[4318],{"data":4319,"content":4320,"nodeType":1294},{},[4321],{"data":4322,"marks":4323,"value":4324,"nodeType":1293},{},[],"Create a malicious Okta tenant and connect it to an active directory instance with the same email domain as the target organization",{"data":4326,"content":4327,"nodeType":1413},{},[4328],{"data":4329,"content":4330,"nodeType":1294},{},[4331],{"data":4332,"marks":4333,"value":4334,"nodeType":1293},{},[],"Create AD accounts for all users that will be targeted so they can be imported into Okta as AD account - in practice, it would be best to copy the list of users from Datadog and replicate this in AD and Okta",{"data":4336,"content":4337,"nodeType":1413},{},[4338],{"data":4339,"content":4340,"nodeType":1294},{},[4341],{"data":4342,"marks":4343,"value":4344,"nodeType":1293},{},[],"Run Adam Chester’s python script to harvest credentials for Okta AD authentication and modify it to accept any password ",{"data":4346,"content":4347,"nodeType":1413},{},[4348],{"data":4349,"content":4350,"nodeType":1294},{},[4351],{"data":4352,"marks":4353,"value":4354,"nodeType":1293},{},[],"Modify the Datadog SAML configuration to point to the malicious Okta tenant, instead of the original legitimate Okta tenant",{"data":4356,"content":4357,"nodeType":1413},{},[4358],{"data":4359,"content":4360,"nodeType":1294},{},[4361],{"data":4362,"marks":4363,"value":4364,"nodeType":1293},{},[],"Sit back, 
relax, and watch the credentials coming in",{"data":4366,"content":4367,"nodeType":1294},{},[4368],{"data":4369,"marks":4370,"value":4371,"nodeType":1293},{},[],"Now we’ll explain what happens from the perspective of other users of the target organization’s Datadog tenant that has been compromised:",{"data":4373,"content":4374,"nodeType":1492},{},[4375,4385,4395,4405],{"data":4376,"content":4377,"nodeType":1413},{},[4378],{"data":4379,"content":4380,"nodeType":1294},{},[4381],{"data":4382,"marks":4383,"value":4384,"nodeType":1293},{},[],"Their Datadog session expires and they’re redirected back to the SAML login provider for re-authentication - in this case, to our malicious Okta tenant we have substituted for the real Okta tenant",{"data":4386,"content":4387,"nodeType":1413},{},[4388],{"data":4389,"content":4390,"nodeType":1294},{},[4391],{"data":4392,"marks":4393,"value":4394,"nodeType":1293},{},[],"The user enters their credentials into the login page for our malicious Okta tenant. Our instance of Adam Chester’s AD synchronization script harvests the user’s login credentials.",{"data":4396,"content":4397,"nodeType":1413},{},[4398],{"data":4399,"content":4400,"nodeType":1294},{},[4401],{"data":4402,"marks":4403,"value":4404,"nodeType":1293},{},[],"The user is already accustomed to using Okta to access Datadog, the Okta login page they are directed to is on a legitimate Okta domain and they haven’t clicked any links in emails/IM messages so there is no reason for suspicion.",{"data":4406,"content":4407,"nodeType":1413},{},[4408],{"data":4409,"content":4410,"nodeType":1294},{},[4411],{"data":4412,"marks":4413,"value":4414,"nodeType":1293},{},[],"The modification we made to accept any credentials means the script returns true to Okta and causes Okta to accept the authentication attempt. 
This causes the user to be logged into the legitimate Datadog tenant again, where they can carry on their work, unaware they have just had their Okta credentials stolen.",{"data":4416,"content":4417,"nodeType":1294},{},[4418],{"data":4419,"marks":4420,"value":4421,"nodeType":1293},{},[],"The following video shows what a login attempt to Datadog looks like after the SAML configuration has been modified to point to our malicious Okta tenant. You can see how all the URLs observed are legitimate Datadog and Okta domains, any password will be accepted and harvested and the target user will be logged into the legitimate Datadog tenant successfully at the end.",{"data":4423,"content":4427,"nodeType":1372},{"target":4424},{"sys":4425},{"id":4426,"type":1369,"linkType":1370},"dHVOdvHLdVzOEGai6qtSl",[],{"data":4429,"content":4430,"nodeType":1294},{},[4431],{"data":4432,"marks":4433,"value":4434,"nodeType":1293},{},[],"This type of attack sits somewhere in the middle of the kill chain between the initial access phishing we covered in the previous section and the full active directory/Okta domain compromise Adam Chester covered in his article. In this instance, we are looking at leveraging a more limited admin-level compromise of a single SaaS application to extend our access much further. ",{"data":4436,"content":4437,"nodeType":1294},{},[4438,4442,4447],{"data":4439,"marks":4440,"value":4441,"nodeType":1293},{},[],"When an organization relies on SaaS apps, it’s likely there may be some apps that are not considered particularly security critical and also may have “admins” that are actually just members of non-technical teams in the business. An admin-level compromise of ",{"data":4443,"marks":4444,"value":4446,"nodeType":1293},{},[4445],{"type":312},"any",{"data":4448,"marks":4449,"value":4450,"nodeType":1293},{},[]," SaaS application used by the organization can be used to conduct highly stealthy Okta credential capturing for all users. 
With those credentials, an attacker can expand their access and move laterally to other accounts and applications. ",{"data":4452,"content":4455,"nodeType":1372},{"target":4453},{"sys":4454},{"id":1801,"type":1369,"linkType":1370},[],{"data":4457,"content":4458,"nodeType":1342},{},[4459],{"data":4460,"marks":4461,"value":2405,"nodeType":1293},{},[],{"data":4463,"content":4464,"nodeType":1294},{},[4465],{"data":4466,"marks":4467,"value":4468,"nodeType":1293},{},[],"Let’s take a step back and consider the key points of impact here:",{"data":4470,"content":4471,"nodeType":1492},{},[4472,4482,4492],{"data":4473,"content":4474,"nodeType":1413},{},[4475],{"data":4476,"content":4477,"nodeType":1294},{},[4478],{"data":4479,"marks":4480,"value":4481,"nodeType":1293},{},[],"Attackers can send phishing links pointing to legitimate Okta domains and use those to capture credentials due to the way Okta AD synchronization works - this bypasses common user security training around checking domains are legitimate",{"data":4483,"content":4484,"nodeType":1413},{},[4485],{"data":4486,"content":4487,"nodeType":1294},{},[4488],{"data":4489,"marks":4490,"value":4491,"nodeType":1293},{},[],"If an attacker compromises a legitimate SaaS tenant in use by an organization protected by Okta, they can modify the SAML configuration to point to their own malicious Okta tenant and thus capture credentials using the same method",{"data":4493,"content":4494,"nodeType":1413},{},[4495],{"data":4496,"content":4497,"nodeType":1294},{},[4498],{"data":4499,"marks":4500,"value":4501,"nodeType":1293},{},[],"It would be extremely unlikely legitimate users would notice as it is part of the normal authentication flow, all domains observed would be legitimate SaaS and Okta domains, and they would be logged in successfully to the real SaaS tenant after entering their 
password",{"data":4503,"content":4504,"nodeType":1342},{},[4505],{"data":4506,"marks":4507,"value":2482,"nodeType":1293},{},[],{"data":4509,"content":4510,"nodeType":1294},{},[4511],{"data":4512,"marks":4513,"value":4514,"nodeType":1293},{},[],"Okta is an identity management service that can help manage and protect access to a large number of applications used by an organization. However, due to the manner in which Okta AD synchronization works, it’s possible to use phishing links pointing to legitimate Okta domains to capture users’ credentials.",{"data":4516,"content":4517,"nodeType":1294},{},[4518],{"data":4519,"marks":4520,"value":4521,"nodeType":1293},{},[],"Additionally, admin access to any application in use with Okta needs to be carefully considered even if the application itself is not particularly sensitive. This is because a compromise of that application, or of a user account with admin access to it, can be used to modify the existing Okta SAML configuration to point to a malicious Okta tenant and conduct an extremely stealthy credential harvesting attack against all users of the application. 
",{"data":4523,"content":4524,"nodeType":1294},{},[4525],{"data":4526,"marks":4527,"value":4528,"nodeType":1293},{},[],"Defenders should carefully monitor user access to Okta URLs that do not match their own legitimate tenant as it could be a sign of credential capturing attacks.",{"entries":4530},{"inline":4531,"hyperlink":4532,"block":4535},[],[4533],{"sys":4534,"__typename":1314,"title":3007,"slug":3010},{"id":2547},[4536,4543,4552,4560,4568,4575],{"sys":4537,"__typename":4538,"type":4539,"ctaText":4540,"buttonLabel":4541,"buttonColour":4542,"buttonUrl":118},{"id":1497},"CtaWidget","Demo","Learn how Push can help you secure identities across your org","Book a demo!","sunny orange",{"sys":4544,"__typename":4545,"title":4546,"caption":4547,"layoutMode":118,"file":4548},{"id":4233},"Image","Oktajacking 1","Importing AD users we have set up on our custom AD domain into Okta",{"url":4549,"width":4550,"height":4551},"https://images.ctfassets.net/y1cdw1ablpvd/1yuQgvV0YqJHHosLP4l1tq/12ceb07dc8b3a326bf43140e05d974a6/image1.png",1036,495,{"sys":4553,"__typename":4545,"title":4554,"caption":4555,"layoutMode":118,"file":4556},{"id":4239},"Oktajacking 2","Modifying Okta authentication rules to only require a password (removing the Okta Verify requirement)",{"url":4557,"width":4558,"height":4559},"https://images.ctfassets.net/y1cdw1ablpvd/2qdJ0DT6gR4SIgVIm8uqKm/94eb5ea6d8af37800fa1aaf9ced6ba8b/image3.png",1082,476,{"sys":4561,"__typename":4545,"title":4562,"caption":4563,"layoutMode":118,"file":4564},{"id":4245},"Oktajacking 3","Running a modified version of Adam Chester’s Python script to accept any password in addition to capturing credentials",{"url":4565,"width":4566,"height":4567},"https://images.ctfassets.net/y1cdw1ablpvd/36TIC04qvQQZ6tpo4B11go/85501dfc97a0eeb779e9011f1219d8a4/image2.png",1366,680,{"sys":4569,"__typename":4545,"title":4570,"caption":118,"layoutMode":118,"file":4571},{"id":4426},"Oktajacking demo 
webp",{"url":4572,"width":4573,"height":4574},"https://downloads.ctfassets.net/y1cdw1ablpvd/6YXk94C8bRO5OEnkwPIVWJ/e6a2f1799e8d7e342c247643f8eefdfc/oktajacking__3_.webp",1920,1080,{"sys":4576,"__typename":4538,"type":4577,"ctaText":4578,"buttonLabel":4579,"buttonColour":4580,"buttonUrl":118},{"id":1801},"LinkedIn","See more original research and technical content from Push","Follow us on LinkedIn","orange","content:blog:oktajacking.json","json","content","blog/oktajacking.json","blog/oktajacking",1776359990037]