[{"data":1,"prerenderedAt":3596},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":95,"navbar-about-highlight":155,"navbar-resource-highlight":211,"use-case-page":256,"blog/phishing-with-active-directory-federation-services":1276},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8,59,76],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":14,"data":15,"variations":50,"lastUpdated":51,"firstPublished":52,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":54,"meta":55,"rev":58},1742213002749,"efff2a27faf4408e9f908eba4b5542fe","inductive-automation","1c6207a5f24948ab82d4a0b17f251193","published",[],{"testimonial":16,"description":43,"type":19,"link":44,"title":47,"testimonialLink":48,"image":49},{"@type":17,"id":18,"model":19,"value":20},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79","testimonial",{"query":21,"folders":22,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":26,"variations":30,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":35,"rev":42},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":27,"jobTitle":28,"quote":24,"image":29},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,1,"ST0tXQM8slWpFrmioqKHmENB2qe2",{"kind":36,"lastPreviewUrl":37,"breakpoints":38,"hasAutosaves":41},"data","",{"small":39,"medium":40},640,768,true,"3v32gocrrqz","Join the industry's top security minds as they break down the browser attack landscape.",{"url":45,"text":46},"https://pushsecurity.com/webinar/state-of-browser-security","Save Your Spot","State of Browser Attacks 
Series","/customer-stories/inductive-automation","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe94fca10aa7b46ac8052b7ea22de54cd",{},1776257019270,1742221533648,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2",[],{"breakpoints":56,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},320,"motto9r9yg",{"createdDate":60,"id":61,"name":62,"modelId":12,"published":13,"query":63,"data":64,"variations":69,"lastUpdated":70,"firstPublished":71,"testRatio":33,"createdBy":53,"lastUpdatedBy":72,"folders":73,"meta":74,"rev":58},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner",[],{"type":65,"url":66,"text":67,"link":68},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,"jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":36,"lastPreviewUrl":37,"breakpoints":75,"hasAutosaves":41},{"xsmall":57,"small":39,"medium":40},{"createdDate":77,"id":78,"name":79,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":80,"data":81,"variations":89,"lastUpdated":90,"firstPublished":91,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":92,"meta":93,"rev":58},1742208469288,"6763051b201f44a0838c6400c580ca67","Resource highlight",[],{"image":82,"type":83,"description":84,"link":85,"title":88},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9","resource","Learn about the latest techniques being used in the wild.",{"url":86,"text":87},"/resources/browser-attacks-report","Download now","Report: 2026 Browser Attack 
Techniques",{},1776255866789,1742208570400,[],{"kind":36,"lastPreviewUrl":37,"breakpoints":94,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},{"createdDate":96,"id":97,"name":98,"modelId":99,"published":13,"query":100,"data":101,"variations":145,"lastUpdated":146,"firstPublished":147,"testRatio":33,"createdBy":34,"lastUpdatedBy":148,"folders":149,"meta":150,"rev":154},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":102,"text":103,"url":37,"blocks":104,"state":141},"ewrererw","testrfesssssssssss",[105,129],{"@type":106,"@version":107,"id":108,"component":109,"responsiveStyles":119},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":110,"tag":110,"options":111,"isRSC":118},"TopBannerContent",{"text":112,"ctaText":46,"url":45,"mainText":113,"cta":116},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks",{"content":114,"fontSize":115},"\u003Cp>New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks\u003C/p>","text-base",{"content":117,"fontSize":115,"url":45},"\u003Cp>\u003Cstrong style=\"font-weight:700;\">Save Your 
Spot\u003C/strong>\u003C/p>\n",null,{"large":120},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"marginTop":126,"marginBottom":126,"fontSize":127,"fontWeight":128},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"id":130,"@type":106,"tagName":131,"properties":132,"responsiveStyles":136},"builder-pixel-08zrjigffq5t","img",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":137},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},"block","hidden","none",{"deviceSize":142,"location":143},"large",{"path":37,"query":144},{},{},1775137295127,1774968080803,"ax7YYfD0OCeqT1Vxxv1G4FUbqVr1",[],{"breakpoints":151,"hasLinks":6,"kind":152,"lastPreviewUrl":153,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests%2CmergePullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default","2lvuonnywj",[156,180],{"createdDate":157,"id":158,"name":159,"modelId":160,"published":13,"stageModifiedSincePublish":6,"query":161,"data":162,"variations":173,"lastUpdated":174,"firstPublished":175,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":176,
"meta":177,"rev":179},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":163,"type":19,"testimonialLink":48,"testimonial":164},{},{"@type":17,"id":18,"model":19,"value":165},{"query":166,"folders":167,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":168,"variations":169,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":170,"rev":172},[],[],{"author":27,"jobTitle":28,"quote":24,"image":29},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":171,"hasAutosaves":41},{"small":39,"medium":40},"7t755zfvte3",{},1776247404986,1776247404973,[],{"breakpoints":178,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"4moh0qpywtr",{"createdDate":181,"id":182,"name":88,"modelId":160,"published":13,"meta":183,"stageModifiedSincePublish":6,"query":185,"data":186,"variations":207,"lastUpdated":208,"firstPublished":209,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":210,"rev":179},1776255761419,"05a9322735fc427db12e2740e4302300",{"breakpoints":184,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[],{"testimonial":187,"link":206,"type":83,"title":88,"description":84,"image":82},{"@type":17,"id":188,"model":19,"value":189},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":190,"folders":191,"createdDate":192,"id":188,"name":193,"modelId":25,"published":13,"data":194,"variations":200,"lastUpdated":201,"firstPublished":202,"testRatio":33,"createdBy":34,"lastUpdatedBy":53,"meta":203,"rev":205},[],[],1728981467463,"Push does for identity what CrowdStrike did for the 
endpoint",{"video":195,"jobTitle":196,"author":197,"qoute":37,"quote":198,"image":199},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":36,"lastPreviewUrl":37,"breakpoints":204,"hasAutosaves":41},{"small":39,"medium":40},"6s8ic0w0ao6",{"text":87,"url":86},{},1776255810913,1776255810900,[],[212,235],{"createdDate":213,"id":214,"name":88,"modelId":215,"published":13,"meta":216,"stageModifiedSincePublish":6,"query":218,"data":219,"variations":230,"lastUpdated":231,"firstPublished":232,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":233,"rev":234},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":217,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[],{"testimonial":220,"link":229,"type":83,"title":88,"description":84,"image":82},{"@type":17,"id":188,"model":19,"value":221},{"query":222,"folders":223,"createdDate":192,"id":188,"name":193,"modelId":25,"published":13,"data":224,"variations":225,"lastUpdated":201,"firstPublished":202,"testRatio":33,"createdBy":34,"lastUpdatedBy":53,"meta":226,"rev":228},[],[],{"video":195,"jobTitle":196,"author":197,"qoute":37,"quote":198,"image":199},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":227,"hasAutosaves":41},{"small":39,"medium":40},"r77qqueuo3j",{"text":87,"url":86},{},1776256937553,1776256937540,[],"q0jkez80wkg",{"createdDate":236,"id":237,"name":11,"modelId":215,"published":13,"stageModifiedSincePublish":6,"query":238,"data":239,"variations
":250,"lastUpdated":251,"firstPublished":252,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":253,"meta":254,"rev":234},1776256949234,"ce043785b71b4ece98eac811ecf4ba10",[],{"link":240,"type":19,"testimonial":241,"testimonialLink":48},{},{"@type":17,"id":18,"model":19,"value":242},{"query":243,"folders":244,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":245,"variations":246,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":247,"rev":249},[],[],{"author":27,"jobTitle":28,"quote":24,"image":29},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":248,"hasAutosaves":41},{"small":39,"medium":40},"mnaneamy308",{},1776256974140,1776256974130,[],{"breakpoints":255,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[257,441,560,679,797,917,1037,1157],{"createdDate":258,"id":259,"name":260,"modelId":261,"published":13,"stageModifiedSincePublish":6,"query":262,"data":268,"variations":429,"lastUpdated":430,"firstPublished":431,"testRatio":33,"screenshot":432,"createdBy":34,"lastUpdatedBy":433,"folders":434,"meta":435,"rev":440},1744829487099,"387451215c314dd5bd654668cdc1a197","Zero-day phishing","cca4143377554c5a9163cc203a8ed2ba",[263],{"@type":264,"property":265,"operator":266,"value":267},"@builder.io/core:Query","urlPath","is","/uc/zero-day-phishing-protection",{"inputs":269,"customFonts":270,"seoTitle":318,"title":318,"tsCode":37,"seoDescription":319,"fontAwesomeIcon":320,"jsCode":37,"blocks":321,"url":267,"state":426},[],[271],{"family":272,"kind":273,"version":274,"lastModified":275,"files":276,"category":295,"menu":296,"subsets":297,"variants":300},"DM 
Sans","webfonts#webfont","v14","2023-07-13",{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"800italic":285,"900italic":286,"700italic":287,"100italic":288,"italic":289,"regular":290,"200italic":291,"500italic":292,"300italic":293,"600italic":294},"https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAop1hTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwA_JxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAkJxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAfJthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwARZthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAC5thTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8gCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9uCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDG3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19Dks
Vat-7DW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat_XDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9XCm3zRmYJpso5.ttf","sans-serif","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxRT23z.ttf",[298,299],"latin","latin-ext",[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"100","200","300","regular","500","600","800","900","100italic","200italic","300italic","italic","500italic","600italic","700italic","800italic","900italic","Zero-day phishing protection","Detect phishing TTPs directly in the browser and stop credential theft.","faFishingRod",[322,421],{"@type":106,"@version":107,"tagName":323,"id":324,"children":325},"div","builder-76c6b8d1499346c7bc1fd56ae4e93638",[326,343,351,358,370,385,396,407,413],{"@type":106,"@version":107,"layerName":327,"id":328,"component":329,"responsiveStyles":340},"UseCaseHero","builder-5228fe062bef4a40a91e43f1112832fa",{"name":327,"options":330,"isRSC":118},{"title":318,"description":331,"points":332,"video":339},"\u003Cp>Push detects phishing as it happens. Autonomous agents hunt for new phishing techniques, identify kit signatures, and deploy detections within minutes of a new attack being analyzed. 
From cloned login pages to AiTM credential harvesting, Push sees what traditional filters miss and stops threats before they escalate.\u003C/p>",[333,335,337],{"item":334},"Detect phishing that bypasses traditional filters, including AiTM, SSO password theft, and fake login pages",{"item":336},"Stop never-before-seen attacks with AI-native behavioral and on-page analysis inside the browser",{"item":338},"Investigate faster with unified browser, user, and page context","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F40433ceeb4f94b43a82e039a0f4fd411%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=40433ceeb4f94b43a82e039a0f4fd411&alt=media&optimized=true",{"large":341},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},"transparent",{"@type":106,"@version":107,"id":344,"component":345,"responsiveStyles":348},"builder-96634044407e491299e291ed64669e39",{"name":346,"options":347,"isRSC":118},"TrustedBy",{"AllPartners":41,"backgroundTransparent":6},{"large":349},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},"#000",{"@type":106,"@version":107,"id":352,"component":353,"responsiveStyles":356},"builder-2c3768f930534557bb8978e32b6a6a0f",{"name":354,"options":355,"isRSC":118},"Diagonal",{"darkMode":41},{"large":357},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":359,"id":360,"component":361,"responsiveStyles":368},"TextImageBlockVertical","builder-7c3c1c2840424db2ad2ccbfaf382dd64",{"name":359,"tag":359,"options":362,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":365,"description":366,"animatedTitle":37,"image":367,"reverse":6,"descriptionPaddingHorizontal":118},1200,800,"\u003Ch2>Why stop at the inbox?\u003C/h2>","\u003Cp>Phishing attacks have evolved. 
Whether attackers lure users with QR codes, instant messages, or OAuth consent screens, the outcome is the same: it plays out in the browser. Push gives you real-time detection for in-browser threats, stopping phishing and consent-based attacks before they lead to compromise.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7fdcac241f0e4a049166d7076858adeb",{"large":369},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":371,"component":372,"responsiveStyles":380},"builder-41c978b3669749cf947e622b4e79e4d7",{"name":373,"options":374,"isRSC":118},"TextImageBlockHorizontal",{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":377,"description":378,"reverse":41,"image":379},600,100,"\u003Cp>Detect phishing at the edge\u003C/p>","\u003Cp>Push uses industry-first telemetry to detect phishing based on behavior, not static indicators. Autonomous agents analyze how phishing pages behave and how users interact with them, uncovering fake logins, credential theft, and phishing kits the moment they load in the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F9df3d180c97b4e61af142af2ccd68721",{"large":381},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},"DM Sans, sans-serif","20px","0px",{"@type":106,"@version":107,"id":386,"component":387,"responsiveStyles":393},"builder-d2a7bc941feb43cdb898bc116b203cf9",{"name":373,"options":388,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":390,"description":391,"reverse":6,"image":392},120,"\u003Ch2>Go beyond blocklists and IOCs\u003C/h2>","\u003Cp>Push goes beyond URLs and easy-to-change indicators. 
It reads the full phishing playbook, including script behavior, session hijacks, DOM changes, and user inputs, then connects the dots in real time. This gives your team a complete picture of how the phishing attempt worked, not just an alert.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fabfd58db169b433e96d3f1261797156e",{"large":394},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},"36px",{"@type":106,"@version":107,"layerName":373,"id":397,"component":398,"responsiveStyles":404},"builder-42c32198083f4880acb37c5cb76934da",{"name":373,"options":399,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":401,"description":402,"reverse":41,"image":403},140,"\u003Ch2>Enhance your phishing response\u003C/h2>","\u003Cp>When phishing enters your environment, speed matters. Push gives you instant access to the telemetry that counts, such as session data, user behavior, and page activity, so you can investigate fast, trigger in-browser prompts, or forward alerts to your SIEM or SOAR for response. 
All in real time, right from the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fbb195aec46904056b85e8688629e558e",{"large":405},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},"47px",{"@type":106,"@version":107,"id":408,"component":409,"responsiveStyles":411},"builder-9a95b9cbc4854421a92ef7b90f6c7adb",{"name":354,"options":410,"isRSC":118},{"darkMode":6},{"large":412},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":414,"component":415,"responsiveStyles":419},"builder-0afa17a9f25c4661a90f314d5578aa18",{"name":416,"tag":416,"options":417,"isRSC":118},"LatestResources",{"sectionHeading":37,"customClass":418},"bg-black",{"large":420},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":422,"@type":106,"tagName":131,"properties":423,"responsiveStyles":424},"builder-pixel-21yj6h3p4wh",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":425},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":427},{"path":37,"query":428},{},{},1776275046831,1745499158657,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fff60c30a8442489c8ed7e0af9599d14f","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"lastPreviewUrl":436,"winningTest":118,"breakpoints":437,"kind":438,"hasLinks":6,"originalContentId":439,"hasAutosaves":6},"https://pushsecurity.com/uc/zero-day-phishing-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&
builder.overrides.use-case-page=387451215c314dd5bd654668cdc1a197&builder.overrides.387451215c314dd5bd654668cdc1a197=387451215c314dd5bd654668cdc1a197&builder.overrides.use-case-page:/uc/zero-day-phishing-protection=387451215c314dd5bd654668cdc1a197&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},"page","2daa5670b8504fc7ba4700633e8bd921","atvz4dp24b7",{"createdDate":442,"id":443,"name":444,"modelId":261,"published":13,"stageModifiedSincePublish":6,"query":445,"data":448,"variations":552,"lastUpdated":553,"firstPublished":554,"testRatio":33,"screenshot":555,"createdBy":34,"lastUpdatedBy":433,"folders":556,"meta":557,"rev":440},1756833377777,"54f8256648f54d439303734b1e69221b","Browser extension security",[446],{"@type":264,"property":265,"operator":266,"value":447},"/uc/browser-extension-security",{"seoDescription":449,"jsCode":37,"fontAwesomeIcon":450,"tsCode":37,"title":444,"seoTitle":444,"customFonts":451,"inputs":456,"blocks":457,"url":447,"state":549},"Shine a light on risky browser extensions.","faPuzzlePiece",[452],{"kind":273,"family":272,"version":274,"files":453,"category":295,"lastModified":275,"subsets":454,"variants":455,"menu":296},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"100italic":288,"italic":289,"regular":290,"900italic":286,"800italic":285,"700italic":287,"200italic":291,"300italic":293,"500italic":292,"600italic":294},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],[],[458,544],{"@type":106,"@version":107,"tagName":323,"id":459,"meta":460,"children":461},"builder-71d0648c1d2f4ede8d0d0b5b28b7b94c",{"previousId":324},[462,478,485,492,501,511,521,531,538],{"@type":106,"@version":107,"id":463,"meta":464,"component":465,"responsiveStyles":476},"builder-ff325b4b8fad4edea53f38865947e854",{"previousId":328},{"name":327,"options":466,"isRSC":118},{"title":444,"description":467,"points":468,"video":475},"\u003Cp>Browser extensions introduce new code, new 
permissions, and new potential for risk. Many include AI features, and most go completely unnoticed. Push gives you full visibility into every extension used across your workforce, across major browsers, so you can uncover shadow IT, assess risky permissions, and block unsafe tools before they lead to compromise.\u003C/p>",[469,471,473],{"item":470},"Discover every browser extension in use",{"item":472},"Spot risky or unsanctioned behavior",{"item":474},"Make informed decisions on extension policy","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc538aad95d7f403aa3c3551af72f67c0?alt=media&token=1411fa6d-2eac-4e6c-94bf-ea117da12d67&apiKey=f3a1111ff5be48cdbb123cd9f5795a05",{"large":477},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":479,"meta":480,"component":481,"responsiveStyles":483},"builder-fb89d128c64e47cf9cbb11d90fc24523",{"previousId":344},{"name":346,"options":482,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":484},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":486,"meta":487,"component":488,"responsiveStyles":490},"builder-54388d35126c4d0096eeebaf8c4448cd",{"previousId":352},{"name":354,"options":489,"isRSC":118},{"darkMode":41},{"large":491},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":359,"id":493,"component":494,"responsiveStyles":499},"builder-3c8fa6785dd6466abf52a2470d66d85a",{"name":359,"tag":359,"options":495,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":496,"description":497,"image":498,"reverse":6},"\u003Ch2>Take control of browser extensions\u003C/h2>","\u003Cp>Attackers are increasingly using malicious browser extensions to gain access to data processed and stored in the browser. 
And the problem is, most security teams have no visibility into what extensions are being used. Push changes that. With browser-native telemetry, the Push extension continuously inventories browser extensions across your environment, flags the risky ones, and gives you intelligence to act.&nbsp;\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0a004f16a6874f4c8fdf14344acc9fec",{"large":500},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":502,"meta":503,"component":504,"responsiveStyles":509},"builder-93738f98109a4009affb349afd7bb182",{"previousId":371},{"name":373,"options":505,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":506,"description":507,"reverse":41,"image":508},"\u003Ch2>Discover every extension in use\u003C/h2>","\u003Cp>Push gives you structured, searchable data about every extension in your environment, so you’re not just seeing what’s there, but also understanding how it got there, what it can do, and who it affects. 
It’s the kind of granular insight that’s nearly impossible to get from traditional tools, and it lays the groundwork for better policy decisions and faster investigations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0e5727ca99474f14b1b7916bf6bbb782",{"large":510},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":512,"meta":513,"component":514,"responsiveStyles":519},"builder-83393acb12ee4fdd840839185b51edb4",{"previousId":386},{"name":373,"options":515,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":516,"description":517,"reverse":6,"image":518},"\u003Ch2>Spot risky or malicious extensions\u003C/h2>","\u003Cp>Push highlights extensions with dangerous permissions, broad access, or poor reputations. This includes AI extensions that request access far beyond what their stated purpose requires. You can quickly detect sideloaded, manually installed, or development-mode extensions that bypass normal controls. And because Push shows you who’s using them and where, you can respond precisely and effectively.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa104d58c8da34fbb8901f738fb21453b",{"large":520},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":522,"meta":523,"component":524,"responsiveStyles":529},"builder-da98e3de949646d89c53a0d1c2784664",{"previousId":397},{"name":373,"options":525,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":526,"description":527,"reverse":41,"image":528},"\u003Ch2>Accelerate security reviews\u003C/h2>","\u003Cp>Most teams have extension policies, they just don’t have the data to enforce them. 
Push reveals how each extension entered your environment, whether it was installed manually, sideloaded, or deployed in dev mode. You’ll see which users are running what, and where, so you can surface violations, investigate quickly, and respond with confidence.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F229f355be6f243b180f410d237a75bb3",{"large":530},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":532,"meta":533,"component":534,"responsiveStyles":536},"builder-1a689287d1a1418997d57db578a71105",{"previousId":408},{"name":354,"options":535,"isRSC":118},{"darkMode":6},{"large":537},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":539,"component":540,"responsiveStyles":542},"builder-feb4e75029f84c10b6498ef1f8f79128",{"name":416,"tag":416,"options":541,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":543},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":545,"@type":106,"tagName":131,"properties":546,"responsiveStyles":547},"builder-pixel-0edn39avfcei",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":548},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":550},{"path":37,"query":551},{},{},1776275365038,1757000441666,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8d496cf111644ee5afcc046b72d1ca5a",[],{"kind":438,"winningTest":118,"breakpoints":558,"lastPreviewUrl":559,"hasLinks":6,"originalContentId":259,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/browser-extension-security?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2Cc
reateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=54f8256648f54d439303734b1e69221b&builder.overrides.54f8256648f54d439303734b1e69221b=54f8256648f54d439303734b1e69221b&builder.overrides.use-case-page:/uc/browser-extension-security=54f8256648f54d439303734b1e69221b&builder.options.locale=Default",{"createdDate":561,"id":562,"name":563,"modelId":261,"published":13,"query":564,"data":567,"variations":670,"lastUpdated":671,"firstPublished":672,"testRatio":33,"screenshot":673,"createdBy":34,"lastUpdatedBy":674,"folders":675,"meta":676,"rev":440},1744923509705,"94bebb7bb99d48629ad157e80cf4d81d","Account takeover detection",[565],{"@type":264,"property":265,"operator":266,"value":566},"/uc/account-takeover-detection",{"title":563,"customFonts":568,"jsCode":37,"seoTitle":563,"seoDescription":573,"fontAwesomeIcon":574,"tsCode":37,"blocks":575,"url":566,"state":667},[569],{"kind":273,"category":295,"variants":570,"menu":296,"files":571,"family":272,"subsets":572,"version":274,"lastModified":275},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"300italic":293,"500italic":292,"800italic":285,"700italic":287,"italic":289,"900italic":286,"600italic":294,"200italic":291,"regular":290,"100italic":288},[298,299],"Stop ATO with stolen credential and compromised token 
detection.","faUserSecret",[576,662],{"@type":106,"@version":107,"tagName":323,"id":577,"meta":578,"children":579},"builder-e7913a774cae44c5a23d6081c5c30a52",{"previousId":324},[580,596,603,610,619,629,639,649,656],{"@type":106,"@version":107,"id":581,"meta":582,"component":583,"responsiveStyles":594},"builder-f1f1ab1601bc4c0f8c2a8aafd173675d",{"previousId":328},{"name":327,"options":584,"isRSC":118},{"title":563,"description":585,"points":586,"video":593},"\u003Cp>Attackers don’t need to phish, they just need a password that works. Push monitors for signs of credential-based attacks in real time, directly in the browser, catching account takeover attempts before the damage spreads. From ghost logins to credential stuffing, Push cuts off the paths attackers use to quietly slip in the back door.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[587,589,591],{"item":588},"Identify credential-based ATO as it unfolds",{"item":590},"Surface hijacked sessions and token misuse",{"item":592},"Strengthen authentication where your IdP 
can’t","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb4dd9db24bc9495b8a686b1b4d492016%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=b4dd9db24bc9495b8a686b1b4d492016&alt=media&optimized=true",{"large":595},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":597,"meta":598,"component":599,"responsiveStyles":601},"builder-0bc0d1c78ece4994993c3a6427a4d533",{"previousId":344},{"name":346,"options":600,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":602},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":604,"meta":605,"component":606,"responsiveStyles":608},"builder-e45de8f3768c4f16938dbf78e4e87524",{"previousId":352},{"name":354,"options":607,"isRSC":118},{"darkMode":41},{"large":609},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":611,"component":612,"responsiveStyles":617},"builder-c98e8bfd341146c1b67c02d5698ff093",{"name":359,"tag":359,"options":613,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":614,"description":615,"image":616,"reverse":6},"\u003Ch2>Assume less. See more.\u003C/h2>","\u003Cp>Most account takeovers don’t start with a breach, they start with a login. Whether it’s a reused password, a local account, or an outdated login flow, Push shows you how accounts are actually accessed day to day, not just how policies say they should be. 
That means no more blind spots around ghost logins, bypassed SSO, or stale access paths that quietly persist.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F18630ad2746d4eb7b7fcc0428b11a8f0",{"large":618},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":620,"meta":621,"component":622,"responsiveStyles":627},"builder-55c1fc38ddc04fd1a0d6a8e2fb819e00",{"previousId":371},{"name":373,"options":623,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":624,"description":625,"reverse":41,"image":626},"\u003Ch2>Catch stolen credential use in real time\u003C/h2>","\u003Cp>Push monitors login activity directly in the browser to detect signs of credential-based attacks like leaked password use or suspicious login flows. By analyzing attacker TTPs instead of relying on known indicators, Push spots credential stuffing and account takeover attempts the moment they begin, not after they’ve succeeded.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F52b0123cac2c4dfdb1dc0af6adf9d603",{"large":628},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":630,"meta":631,"component":632,"responsiveStyles":637},"builder-dfb31737b30948c6b95323655d571a50",{"previousId":386},{"name":373,"options":633,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":634,"description":635,"reverse":6,"image":636},"\u003Ch2>Detect session hijacks and stealth access\u003C/h2>","\u003Cp>Attackers don’t always need a login screen, they often sidestep it entirely using stolen session tokens. 
Push detects when valid sessions are reused in unexpected ways, identifying hijacked sessions and stealth access attempts that traditional tools miss. Because we monitor directly in the browser, you see what’s happening inside active sessions in real time.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F94a6859a99e04d309ffe5841f3dbdf5c",{"large":638},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":640,"meta":641,"component":642,"responsiveStyles":647},"builder-f7585b90eb974d03a7dc7eae5b58d227",{"previousId":397},{"name":373,"options":643,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":644,"description":645,"reverse":41,"image":646},"\u003Ch2>Harden accounts before they’re compromised\u003C/h2>","\u003Cp>Push goes beyond alerts. It identifies apps that still allow local logins, even when SSO is configured, so you can remove weak access paths. 
Push also flags users without MFA, reused work credentials, or weak passwords, and prompts users in-browser to fix risky behaviors before they’re exploited.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01c1b638f1b6497093a4f2b8ceddb5bb",{"large":648},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":650,"meta":651,"component":652,"responsiveStyles":654},"builder-ad81d1e3afec49a791214194eae09bdc",{"previousId":408},{"name":354,"options":653,"isRSC":118},{"darkMode":6},{"large":655},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":657,"component":658,"responsiveStyles":660},"builder-8dac1aa4b9d148628d92252bd8eff822",{"name":416,"tag":416,"options":659,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":661},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":663,"@type":106,"tagName":131,"properties":664,"responsiveStyles":665},"builder-pixel-s5u3wmvz7jq",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":666},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":668},{"path":37,"query":669},{},{},1770892814499,1745499162732,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F58b660fa94aa4b30b0faeb9b663ae41a","SfUPqW5tkibIPby49keNFMdHFTr1",[],{"lastPreviewUrl":677,"hasLinks":6,"originalContentId":259,"breakpoints":678,"winningTest":118,"kind":438,"hasAutosaves":41},"https://pushsecurity.com/uc/account-takeover-detection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepo
sitory%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.94bebb7bb99d48629ad157e80cf4d81d=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.use-case-page:/uc/account-takeover-detection=94bebb7bb99d48629ad157e80cf4d81d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":680,"id":681,"name":682,"modelId":261,"published":13,"query":683,"data":686,"variations":789,"lastUpdated":790,"firstPublished":791,"testRatio":33,"screenshot":792,"createdBy":34,"lastUpdatedBy":674,"folders":793,"meta":794,"rev":440},1745009370904,"23eb48fb56d3451cab77cb6ed140ee6d","Attack path hardening",[684],{"@type":264,"property":265,"operator":266,"value":685},"/uc/attack-path-hardening",{"tsCode":37,"seoDescription":687,"jsCode":37,"customFonts":688,"fontAwesomeIcon":693,"seoTitle":682,"title":682,"blocks":694,"url":685,"state":786},"Harden access paths with visibility, detection, and 
guardrails.",[689],{"kind":273,"files":690,"version":274,"lastModified":275,"subsets":691,"menu":296,"category":295,"variants":692,"family":272},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"regular":290,"italic":289,"800italic":285,"500italic":292,"600italic":294,"200italic":291,"900italic":286,"700italic":287,"100italic":288,"300italic":293},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"faRadar",[695,781],{"@type":106,"@version":107,"tagName":323,"id":696,"meta":697,"children":698},"builder-1d8553eddcaa44d7bba9e2f4ca13af2a",{"previousId":577},[699,715,722,729,738,748,758,768,775],{"@type":106,"@version":107,"id":700,"meta":701,"component":702,"responsiveStyles":713},"builder-84fe3d7c85a743cf8cef649aa974f1ef",{"previousId":581},{"name":327,"options":703,"isRSC":118},{"title":682,"description":704,"points":705,"video":712},"\u003Cp>Push continuously monitors your environment for exposed login paths, weak credentials, and missing protections like MFA. 
It detects the gaps attackers exploit and helps you close them before they’re used.\u003C/p>",[706,708,710],{"item":707},"Find weak spots like reused passwords, local logins, and missing MFA",{"item":709},"Monitor how users actually log in across apps, flows, and tools",{"item":711},"Enforce secure access with in-browser guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fdbdcf52892034f1bbddded77f753a343%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=dbdcf52892034f1bbddded77f753a343&alt=media&optimized=true",{"large":714},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":716,"meta":717,"component":718,"responsiveStyles":720},"builder-b3f66f5b08054cc78a06fecfc3ae2337",{"previousId":597},{"name":346,"options":719,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":721},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":723,"meta":724,"component":725,"responsiveStyles":727},"builder-4c73418b84be49ed85e6e13d2625c5a0",{"previousId":604},{"name":354,"options":726,"isRSC":118},{"darkMode":41},{"large":728},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":730,"component":731,"responsiveStyles":736},"builder-dec0246085e1485c803f7152b1922a81",{"name":359,"tag":359,"options":732,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":733,"description":734,"image":735,"reverse":6},"\u003Ch2>Find the gaps that lead to compromise\u003C/h2>","\u003Cp>Misconfigurations don’t show up in your config files, they show up in how users actually access apps. 
Push monitors real login behavior in the browser, surfacing risky patterns like local login access, duplicate accounts, or missing protections that leave doors wide open.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F309a59bba8d247a19476bb369397460e",{"large":737},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":739,"meta":740,"component":741,"responsiveStyles":746},"builder-ebf049a645604a249550996a88f8f3b6",{"previousId":620},{"name":373,"options":742,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":743,"description":744,"reverse":41,"image":745},"\u003Ch2>See real login behavior\u003C/h2>","\u003Cp>Push watches authentication flows as they happen, giving you a live view of how users log in, which methods they choose, and where protections like MFA are missing. Plus, uncover every app and account in use, even shadow IT you didn’t know existed, without relying on stale config files or IdP assumptions. \u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb51f6b0357cc451b87a7a5016d984e5e",{"large":747},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":749,"meta":750,"component":751,"responsiveStyles":756},"builder-431d175c59004669b0b2776b07d71737",{"previousId":630},{"name":373,"options":752,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":753,"description":754,"reverse":6,"image":755},"\u003Ch2>Find and fix posture drift\u003C/h2>","\u003Cp>Security posture isn’t static. Push continuously monitors for issues like missing MFA or legacy login methods. 
When something falls out of policy, you know immediately with custom notifications so you can act before it turns into risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F324e39127dfc41e592b1183dfb39892d",{"large":757},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":759,"meta":760,"component":761,"responsiveStyles":766},"builder-3dffdcbe0a484e2ca4c03f019b6d40ee",{"previousId":640},{"name":373,"options":762,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":763,"description":764,"reverse":41,"image":765},"\u003Ch2>Guide users with in-browser guardrails\u003C/h2>","\u003Cp>Push doesn’t just surface problems, it helps you fix them. When users sign in without MFA, reuse a password, or use insecure credentials, Push prompts them directly in the browser to secure their access. It’s faster, more effective, and actually gets 
results.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fee8b75d13e45488aba55434a8b49ebb0",{"large":767},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":769,"meta":770,"component":771,"responsiveStyles":773},"builder-976bc222cd7647ff905f1e01cfedc453",{"previousId":650},{"name":354,"options":772,"isRSC":118},{"darkMode":6},{"large":774},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":776,"component":777,"responsiveStyles":779},"builder-8c47ec2fd0f74382bb3e6c870555632c",{"name":416,"tag":416,"options":778,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":780},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":782,"@type":106,"tagName":131,"properties":783,"responsiveStyles":784},"builder-pixel-7akm7dayau8",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":785},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":787},{"path":37,"query":788},{},{},1770892844854,1745499166112,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6ca12bf728a045f1a31d40c0beb3bfe5",[],{"kind":438,"lastPreviewUrl":795,"breakpoints":796,"hasLinks":6,"originalContentId":562,"winningTest":118,"hasAutosaves":6},"https://pushsecurity.com/uc/attack-path-hardening?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&buil
der.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.23eb48fb56d3451cab77cb6ed140ee6d=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.use-case-page:/uc/attack-path-hardening=23eb48fb56d3451cab77cb6ed140ee6d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":798,"id":799,"name":800,"modelId":261,"published":13,"query":801,"data":804,"variations":909,"lastUpdated":910,"firstPublished":911,"testRatio":33,"screenshot":912,"createdBy":34,"lastUpdatedBy":674,"folders":913,"meta":914,"rev":440},1761675020232,"ea4f309d2ffe46c5aa97ebf0fda4e2e3","ClickFix Protection",[802],{"@type":264,"property":265,"operator":266,"value":803},"/uc/clickfix-protection",{"seoDescription":805,"fontAwesomeIcon":806,"customFonts":807,"seoTitle":812,"jsCode":37,"tsCode":37,"title":812,"blocks":813,"url":803,"state":906},"Block attacks that trick users into running malicious code.","faLaptopCode",[808],{"files":809,"subsets":810,"menu":296,"version":274,"kind":273,"family":272,"lastModified":275,"variants":811,"category":295},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"200italic":291,"800italic":285,"700italic":287,"600italic":294,"100italic":288,"italic":289,"regular":290,"300italic":293,"500italic":292,"900italic":286},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"ClickFix 
protection",[814,901],{"@type":106,"@version":107,"tagName":323,"id":815,"meta":816,"children":817},"builder-d7eefdde0f2a4b2b9de3dcb2978fd6cb",{"previousId":696},[818,834,841,848,858,868,878,888,895],{"@type":106,"@version":107,"id":819,"meta":820,"component":821,"responsiveStyles":832},"builder-56e2c54bcce040a4af8b92ae03706c12",{"previousId":700},{"name":327,"options":822,"isRSC":118},{"title":812,"description":823,"points":824,"image":831},"\u003Cp>ClickFix attacks are one of the fastest-growing threats, tricking users into copying malicious code from a webpage and running it locally. This technique bypasses traditional EDR, email gateways, and network filters, leading directly to ransomware and data theft. Push stops this attack at the source, in the browser, by detecting and blocking the malicious behavior before the user can ever paste the code.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[825,827,829],{"item":826},"Detect ClickFix, FileFix, and fake CAPTCHA in the browser",{"item":828},"Block malicious copy-and-paste actions before code is executed",{"item":830},"See full telemetry into which users were targeted and what they 
saw","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b74af62889847ebb3927364485b0546",{"large":833},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":835,"meta":836,"component":837,"responsiveStyles":839},"builder-05f9614d4e3e4dc88b3ee8658f54e10e",{"previousId":716},{"name":346,"options":838,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":840},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":842,"meta":843,"component":844,"responsiveStyles":846},"builder-c4fb5179366243c1b6c32d368675cf47",{"previousId":723},{"name":354,"options":845,"isRSC":118},{"darkMode":41},{"large":847},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":849,"meta":850,"component":851,"responsiveStyles":856},"builder-261af50705fd445d8cca4a6ba20d5391",{"previousId":730},{"name":359,"tag":359,"options":852,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":853,"description":854,"reverse":6,"image":855},"\u003Ch2>Stop ClickFix-style attacks before they become a breach\u003C/h2>","\u003Cp>Traditional security tools are blind to malicious copy and paste attacks because the attack exploits a gap between the browser and the endpoint. 
EDR only sees the payload after it runs, and network tools see only part of the picture.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F98b2f7e08dec4eafaf8e24937605b8cf",{"large":857},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":859,"meta":860,"component":861,"responsiveStyles":866},"builder-7d21b8aab8064c40b1e5dd23c4749309",{"previousId":739},{"name":373,"options":862,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":863,"description":864,"reverse":41,"image":865},"\u003Ch2>Discover lures at the source\u003C/h2>","\u003Cp>Push inspects page behavior to identify ClickFix attacks as they happen. By inspecting the page, its structure, and how the user interacts with it, Push can detect and block these in-browser threats in real time. This deep, TTP-based inspection spots the trap even on novel pages that are built to bypass traditional web filters and blocklists.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F665bf47e01544c75bf9ddafd3917927b",{"large":867},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":869,"meta":870,"component":871,"responsiveStyles":876},"builder-fb91943adf6149259ed9e1e6566c9afe",{"previousId":749},{"name":373,"options":872,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":873,"description":874,"reverse":6,"image":875},"\u003Ch2>Block the malicious action\u003C/h2>","\u003Cp>When Push detects a malicious script, it intercepts the user's action and blocks the code from being copied to the clipboard. The user is protected, the attack is stopped, and no malicious code ever reaches the endpoint. 
Unlike broad DLP tools, this action is surgical, targeting only malicious behavior without disrupting normal work.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F5ee68f81f1ac416685cbfe91298cf827",{"large":877},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":879,"meta":880,"component":881,"responsiveStyles":886},"builder-bfac95fada864e5a8259b955b5b5f98b",{"previousId":759},{"name":373,"options":882,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":883,"description":884,"reverse":41,"image":885},"\u003Ch2>Accelerate ClickFix investigations\u003C/h2>","\u003Cp>When an attack happens, knowing what the user saw or did is critical. Push provides rich browser session data for rapid investigation and containment. Security teams get detailed telemetry on which users were targeted, what lure they were served, and when the block occurred. 
This enables defenders to reconstruct what happened and respond quickly, even when other tools miss the activity entirely.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6cdf2a8aeddc4e9a9023cbf974e40239",{"large":887},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":889,"meta":890,"component":891,"responsiveStyles":893},"builder-136892e831684a6987f87d3be67c33d1",{"previousId":769},{"name":354,"options":892,"isRSC":118},{"darkMode":6},{"large":894},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":896,"component":897,"responsiveStyles":899},"builder-dec26b739f2f42beb5a73cfc6c675b60",{"name":416,"tag":416,"options":898,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":900},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":902,"@type":106,"tagName":131,"properties":903,"responsiveStyles":904},"builder-pixel-zzjpxxgrc2l",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":905},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":907},{"path":37,"query":908},{},{},1770892881888,1761847585203,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F375467b8bef34ed1a8a1cc5b8b67d75f",[],{"lastPreviewUrl":915,"originalContentId":681,"winningTest":118,"hasLinks":6,"kind":438,"breakpoints":916,"hasAutosaves":6},"https://pushsecurity.com/uc/clickfix-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.u
ser.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.ea4f309d2ffe46c5aa97ebf0fda4e2e3=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.use-case-page:/uc/clickfix-protection=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":918,"id":919,"name":920,"modelId":261,"published":13,"query":921,"data":924,"variations":1029,"lastUpdated":1030,"firstPublished":1031,"testRatio":33,"screenshot":1032,"createdBy":34,"lastUpdatedBy":674,"folders":1033,"meta":1034,"rev":440},1745009743870,"a9d5556e77f84a37b5bd52310a7110c1","Incident response",[922],{"@type":264,"property":265,"operator":266,"value":923},"/uc/incident-response",{"seoDescription":925,"customFonts":926,"title":920,"jsCode":37,"fontAwesomeIcon":931,"seoTitle":932,"tsCode":37,"blocks":933,"url":923,"state":1026},"Investigate and respond faster with unique browser telemetry.",[927],{"kind":273,"subsets":928,"menu":296,"variants":929,"category":295,"family":272,"version":274,"lastModified":275,"files":930},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"900italic":286,"600italic":294,"200italic":291,"300italic":293,"100italic":288,"700italic":287,"800italic":285,"regular":290,"italic":289,"500italic":292},"faSatelliteDish","Browser-based incident 
response",[934,1021],{"@type":106,"@version":107,"tagName":323,"id":935,"meta":936,"children":937},"builder-653c4aed737b4def88dc4cd2d695660a",{"previousId":696},[938,955,962,969,978,988,998,1008,1015],{"@type":106,"@version":107,"id":939,"meta":940,"component":941,"responsiveStyles":953},"builder-18190bd36518467d9154d27d7e945b9b",{"previousId":700},{"name":327,"options":942,"isRSC":118},{"title":943,"description":944,"points":945,"video":952},"Browser-based incident response","\u003Cp>Push gives you real-time visibility into what actually happened during a breach, right in the browser where the attack played out. From credential theft to session hijacking, Push captures high-fidelity telemetry so you can investigate quickly, contain confidently, and shut it down before it spreads.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[946,948,950],{"item":947},"Reconstruct what happened with real browser session context",{"item":949},"Investigate faster with real-world session context",{"item":951},"Trigger response actions automatically through your SIEM or 
SOAR","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fd00e39d3b6e346c296261d875cf55652%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=d00e39d3b6e346c296261d875cf55652&alt=media&optimized=true",{"large":954},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":956,"meta":957,"component":958,"responsiveStyles":960},"builder-8a0a8ea63f5d48dd8a6726f2d49cf0ca",{"previousId":716},{"name":346,"options":959,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":961},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":963,"meta":964,"component":965,"responsiveStyles":967},"builder-2df65c3f54334df2b26e7cb744886cdc",{"previousId":723},{"name":354,"options":966,"isRSC":118},{"darkMode":41},{"large":968},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":970,"component":971,"responsiveStyles":976},"builder-2c32c869efc2423ab69ef06b150e9f97",{"name":359,"tag":359,"options":972,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":973,"description":974,"image":975,"reverse":6},"\u003Ch2>See attacks unfold, not just their aftermath\u003C/h2>","\u003Cp>Attacks happen in the browser, not in logs. Push captures what traditional tools miss: what users clicked, what loaded, what was entered, and how attackers moved. 
That gives you real-world evidence, not just assumptions, when every second matters.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F36fc719bd1de4a38b916f4d25c81a26d",{"large":977},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":979,"meta":980,"component":981,"responsiveStyles":986},"builder-370e53c6016e432db01e9193a2ce90f6",{"previousId":739},{"name":373,"options":982,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":983,"description":984,"reverse":41,"image":985},"\u003Ch2>Investigate faster with high-fidelity data\u003C/h2>","\u003Cp>Reconstructing an incident shouldn’t feel like guesswork. Push records detailed telemetry from inside the browser: page loads, credential inputs, DOM changes, session activity, user behavior. It’s structured, exportable, and ready to plug into your investigation workflows, so you can move fast without digging through proxy logs or relying on user reports.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa6adda040e684e67a8d68a55c5ce5f6d",{"large":987},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":989,"meta":990,"component":991,"responsiveStyles":996},"builder-a7f3767a8d184bd08fb24520bf210e95",{"previousId":749},{"name":373,"options":992,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":993,"description":994,"reverse":6,"image":995},"\u003Ch2>Contain and respond in real time\u003C/h2>","\u003Cp>When something looks off, Push doesn’t just alert you, it gives you options. Guide users with in-browser prompts. Terminate sessions. Trigger SOAR workflows. Enrich SIEM alerts. 
Push gives you the context and control to stop spread before it starts.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb3dedeed5aba4847a2c2d22e10d0ec12",{"large":997},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":999,"meta":1000,"component":1001,"responsiveStyles":1006},"builder-b92036ee0ece4b32acdbdcc7c377366b",{"previousId":759},{"name":373,"options":1002,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1003,"description":1004,"reverse":41,"image":1005},"\u003Ch2>Prevent the next one\u003C/h2>","\u003Cp>Push helps you respond fast, but it also helps you fix what went wrong. It surfaces misconfigurations and risky behaviors that made the attack possible in the first place, then guides users in-browser to remediate. One tool. Full loop. No loose ends.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc1ecc2d5d3814b62b072fac01827ff96",{"large":1007},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1009,"meta":1010,"component":1011,"responsiveStyles":1013},"builder-5e8ae39655274de89da32ab573a2525a",{"previousId":769},{"name":354,"options":1012,"isRSC":118},{"darkMode":6},{"large":1014},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1016,"component":1017,"responsiveStyles":1019},"builder-dfd6850cfb4741d2b8a0c16c2780f00a",{"name":416,"tag":416,"options":1018,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1020},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1022,"@type":106,"tagName":131,"properties":1023,"responsiveStyles":1024},"builder-pixel-z197gdgcmu",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"lar
ge":1025},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1027},{"path":37,"query":1028},{},{},1770892908052,1745427419274,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb07017bfd318431690a5bb35bda35b99",[],{"kind":438,"breakpoints":1035,"originalContentId":681,"winningTest":118,"lastPreviewUrl":1036,"hasLinks":6,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/incident-response?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.a9d5556e77f84a37b5bd52310a7110c1=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.use-case-page:/uc/incident-response=a9d5556e77f84a37b5bd52310a7110c1&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"createdDate":1038,"id":1039,"name":1040,"modelId":261,"published":13,"query":1041,"data":1044,"variations":1149,"lastUpdated":1150,"firstPublished":1151,"testRatio":33,"screenshot":1152,"createdBy":34,"lastUpdatedBy":674,"folders":1153,"meta":1154,"rev":440},1746122471259,"5f118e24433d46ceb79f5099987156d7","Shadow SaaS",[1042],{"@type":264,"property":265,"operator":266,"value":1043},"/uc/shadow-saas",{"seoTitle":1045,"seoDescription":1046,"customFonts":1047,"fontAwesomeIcon":1052,"title":1053,"jsCode":37,"tsCode":37,"blocks":1054,"url":1043,"state":1146},"Find and secure shadow SaaS","See and 
control shadow SaaS in the browser.",[1048],{"kind":273,"variants":1049,"files":1050,"family":272,"version":274,"subsets":1051,"lastModified":275,"category":295,"menu":296},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"300italic":293,"500italic":292,"regular":290,"900italic":286,"italic":289,"100italic":288,"200italic":291,"600italic":294,"700italic":287,"800italic":285},[298,299],"faShieldCheck","Secure shadow SaaS",[1055,1141],{"@type":106,"@version":107,"tagName":323,"id":1056,"meta":1057,"children":1058},"builder-04da805c4cd34652a2db452fcda52e1d",{"previousId":935},[1059,1075,1082,1089,1098,1108,1118,1128,1135],{"@type":106,"@version":107,"id":1060,"meta":1061,"component":1062,"responsiveStyles":1073},"builder-830d414faeaf41439142f9157e8288c8",{"previousId":939},{"name":327,"options":1063,"isRSC":118},{"title":1045,"description":1064,"points":1065,"video":1072},"\u003Cp>SaaS sprawl is one of today’s fastest-growing security blind spots because most tools monitor around the edges. Push sees it at the source, in the browser, revealing every app users access, flagging risky tools, and helping you shut down exposure before it leads to a breach. No guesswork. No nasty surprises. 
Just real-time visibility and control.\u003C/p>",[1066,1068,1070],{"item":1067},"Discover every SaaS app users access, managed or not",{"item":1069},"Spot accounts with weak security postures like missing MFA, unmanaged access, and no SSO",{"item":1071},"Control usage with in-browser prompts, blocks, and security guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F3e4eece318d04d6586e691d59d0741cf%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=3e4eece318d04d6586e691d59d0741cf&alt=media&optimized=true",{"large":1074},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":1076,"meta":1077,"component":1078,"responsiveStyles":1080},"builder-cd7833f966cb4c7e8adf0d6c979414a6",{"previousId":956},{"name":346,"options":1079,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":1081},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":1083,"meta":1084,"component":1085,"responsiveStyles":1087},"builder-49d720b45430454e8b08c526f267c19f",{"previousId":963},{"name":354,"options":1086,"isRSC":118},{"darkMode":41},{"large":1088},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1090,"component":1091,"responsiveStyles":1096},"builder-3dde0bf6c8544e5e9ab41b18a9d68034",{"name":359,"tag":359,"options":1092,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":1093,"description":1094,"image":1095,"reverse":6},"\u003Ch2>Use your browser to curb Saas Sprawl\u003C/h2>","\u003Cp>Shadow SaaS isn’t hiding in your network, it’s in your browser. From AI tools to unsanctioned file-sharing sites, security risks live in the apps your users sign into every day. 
Push maps your organization's true SaaS footprint in real time, exposing apps and accounts with unmanaged access, poor authentication, or no security oversight.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb6811a214c7949b6bbe0b9a3bca62efd",{"large":1097},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1099,"meta":1100,"component":1101,"responsiveStyles":1106},"builder-e2420451ccdc4f088d0a4904cff45935",{"previousId":979},{"name":373,"options":1102,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":1103,"description":1104,"reverse":41,"image":1105},"\u003Ch2>Discover hidden SaaS usage\u003C/h2>","\u003Cp>Push captures live browser telemetry across every tab and session. Whether a user signs into a sanctioned app with a personal account or tries a new AI plugin, you’ll see it in real time, with no integrations or manual tagging.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe16e301f9af94665b95d98232a863d8a",{"large":1107},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":1109,"meta":1110,"component":1111,"responsiveStyles":1116},"builder-b36de7fce7994beea9e58d94662e7166",{"previousId":989},{"name":373,"options":1112,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":1113,"description":1114,"reverse":6,"image":1115},"\u003Ch2>Spot risky access and unsafe usage\u003C/h2>","\u003Cp>Discovery is just the beginning. Push flags apps with risky traits, no MFA, no SSO, known vulnerabilities, or broad access scopes. 
You’ll know which tools introduce real risk and which users are exposed, so you can act with precision.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6585f3c242da4d70ae3cb7d02f481bef",{"large":1117},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":1119,"meta":1120,"component":1121,"responsiveStyles":1126},"builder-dc366b5134684fe7a508edf8913103ea",{"previousId":999},{"name":373,"options":1122,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1123,"description":1124,"reverse":41,"image":1125},"\u003Ch2>Close gaps before they grow\u003C/h2>","\u003Cp>Push turns insight into action. When risky SaaS use is detected, guide users to enable MFA, block high-risk apps, or apply in-browser guardrails automatically. All without deploying new infrastructure or managing dozens of integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe6d60b6d91414819bc6258a318f00557",{"large":1127},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1129,"meta":1130,"component":1131,"responsiveStyles":1133},"builder-8708f6f0d8da4b3f9e17bf16cda70219",{"previousId":1009},{"name":354,"options":1132,"isRSC":118},{"darkMode":6},{"large":1134},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1136,"component":1137,"responsiveStyles":1139},"builder-8ff4b38d60534cf28cb523ab0f754875",{"name":416,"tag":416,"options":1138,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1140},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1142,"@type":106,"tagName":131,"properties":1143,"responsiveStyles":1144},"builder-pixel-d1ul2kmxbed",{"src":133,"aria-hidden":134,"alt":37,"role":135,"w
idth":124,"height":124},{"large":1145},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1147},{"path":37,"query":1148},{},{},1770892936802,1746714967208,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01bfb2304521412fbd2e1a1180904d40",[],{"originalContentId":919,"winningTest":118,"lastPreviewUrl":1155,"breakpoints":1156,"kind":438,"hasLinks":6,"hasAutosaves":6},"https://pushsecurity.com/uc/shadow-saas?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=5f118e24433d46ceb79f5099987156d7&builder.overrides.5f118e24433d46ceb79f5099987156d7=5f118e24433d46ceb79f5099987156d7&builder.overrides.use-case-page:/uc/shadow-saas=5f118e24433d46ceb79f5099987156d7&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":1158,"id":1159,"name":1160,"modelId":261,"published":13,"query":1161,"data":1164,"variations":1268,"lastUpdated":1269,"firstPublished":1270,"testRatio":33,"screenshot":1271,"createdBy":34,"lastUpdatedBy":674,"folders":1272,"meta":1273,"rev":440},1764707470172,"b62629ce2f3741158d961cd10fe74b31","Shadow AI",[1162],{"@type":264,"property":265,"operator":266,"value":1163},"/uc/shadow-ai",{"fontAwesomeIcon":1165,"seoTitle":1166,"jsCode":37,"customFonts":1167,"title":1172,"tsCode":37,"seoDescription":1173,"blocks":1174,"url":1163,"state":1265},"faBrainCircuit","Secure AI 
native and AI enhanced apps. ",[1168],{"variants":1169,"category":295,"files":1170,"subsets":1171,"family":272,"kind":273,"menu":296,"lastModified":275,"version":274},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"800italic":285,"regular":290,"700italic":287,"200italic":291,"italic":289,"500italic":292,"600italic":294,"300italic":293,"100italic":288,"900italic":286},[298,299],"Secure shadow AI","See and control shadow AI apps in the browser.",[1175,1260],{"@type":106,"@version":107,"tagName":323,"id":1176,"meta":1177,"children":1178},"builder-a6e5717a2c914d5695058e4ee201a05d",{"previousId":1056},[1179,1195,1202,1209,1219,1228,1237,1247,1254],{"@type":106,"@version":107,"id":1180,"meta":1181,"component":1182,"responsiveStyles":1193},"builder-3e0ed678683f4a0eb7aa00253cf263b2",{"previousId":1060},{"name":327,"options":1183,"isRSC":118},{"title":1172,"description":1184,"points":1185,"image":1192},"\u003Cp>Your employees are adopting AI faster than you can track it. From native features in corporate apps to unapproved shadow tools, it’s all happening in the browser. 
Push detects every AI interaction in real time, letting you categorize apps and enforce acceptable use policies in the browser.\u003C/p>",[1186,1188,1190],{"item":1187},"Map every AI tool used across your workforce",{"item":1189},"Review and classify apps by sensitivity, purpose, and policy status",{"item":1191},"Enforce AI usage rules directly in the browser","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F33cf153d920f4e389f3650253577cff7",{"large":1194},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":1196,"meta":1197,"component":1198,"responsiveStyles":1200},"builder-76968f8471d14893b8189d75b08fb426",{"previousId":1076},{"name":346,"options":1199,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":1201},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":1203,"meta":1204,"component":1205,"responsiveStyles":1207},"builder-b55b9d4bc5a649d8839ce7f6c2043d95",{"previousId":1083},{"name":354,"options":1206,"isRSC":118},{"darkMode":41},{"large":1208},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1210,"meta":1211,"component":1212,"responsiveStyles":1217},"builder-c3f38ef4d75d4989a29b5903175ed8a1",{"previousId":1090},{"name":359,"tag":359,"options":1213,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":1214,"description":1215,"image":1216,"reverse":6},"\u003Ch2>Use your browser to govern AI \u003C/h2>","\u003Cp>The AI footprint inside your company is bigger than you think. From text generators to meeting assistants and design copilots, employees test, adopt, and connect new tools constantly. 
Push shows you those tools and which users are accessing them, without relying on network scans or API integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F30b43bda6f1644c19478fb1efa20050c",{"large":1218},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1220,"meta":1221,"component":1222,"responsiveStyles":1226},"builder-90ee9cb9afc44e7f885523715bf51a53",{"previousId":1099},{"name":373,"options":1223,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":1224,"description":1225,"reverse":41,"image":1115},"\u003Ch2>Discover every AI tool users touch\u003C/h2>","\u003Cp>Push captures live telemetry from the browser, identifying every AI-native and AI-enhanced application users access. You’ll know which corporate identities are connected, how data flows, and what new AI apps appear across your environment. \u003C/p>",{"large":1227},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":1229,"meta":1230,"component":1231,"responsiveStyles":1235},"builder-9e44539fa53c4d8e87406036c921fc46",{"previousId":1109},{"name":373,"options":1232,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":1233,"description":1234,"reverse":6,"image":1125},"\u003Ch2>Classify and manage AI risk\u003C/h2>","\u003Cp>For apps you choose to allow, Push lets you apply custom in-browser banners. You can bulk-select categories of AI tools and require users to read and acknowledge your acceptable use policy before they proceed. 
This creates an auditable trail and moves policy from an easy-to-forget document to an active, in-workflow control.\u003C/p>",{"large":1236},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":1238,"meta":1239,"component":1240,"responsiveStyles":1245},"builder-44c1a891926f4bdeaaa37e90721fe6ac",{"previousId":1119},{"name":373,"options":1241,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1242,"description":1243,"reverse":41,"image":1244},"\u003Ch2>Enforce your AI policy in the browser\u003C/h2>","\u003Cp>When an AI tool is deemed non-compliant or too risky, Push blocks it at the source. The block happens directly in the browser, preventing the user from accessing the site or submitting data. This gives you an immediate, powerful lever to stop data exfiltration and enforce a hard line on unacceptable risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa359ac1805af4e15a8a7f84632b9bb55",{"large":1246},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1248,"meta":1249,"component":1250,"responsiveStyles":1252},"builder-dcc906f9cbe54dc68b3c672668e7a38f",{"previousId":1129},{"name":354,"options":1251,"isRSC":118},{"darkMode":6},{"large":1253},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1255,"component":1256,"responsiveStyles":1258},"builder-d2d64780c31b4349bc75805b23a07e38",{"name":416,"tag":416,"options":1257,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1259},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1261,"@type":106,"tagName":131,"properties":1262,"responsiveStyles":1263},"builder-pixel-wxx9tk70r9p",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124
},{"large":1264},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1266},{"path":37,"query":1267},{},{},1770892957225,1764950077593,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe558b8b069884037a8e6904f7ecc029c",[],{"winningTest":118,"breakpoints":1274,"originalContentId":1039,"kind":438,"lastPreviewUrl":1275,"hasLinks":6,"hasAutosaves":41},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/shadow-ai?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=b62629ce2f3741158d961cd10fe74b31&builder.overrides.b62629ce2f3741158d961cd10fe74b31=b62629ce2f3741158d961cd10fe74b31&builder.overrides.use-case-page:/uc/shadow-ai=b62629ce2f3741158d961cd10fe74b31&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"_path":1277,"_dir":1278,"_draft":6,"_partial":6,"_locale":37,"sys":1279,"ogImage":118,"summary":1282,"title":1296,"subtitle":118,"metaTitle":1297,"synopsis":1298,"hashTags":118,"publishedDate":1299,"slug":1300,"tagsCollection":1301,"relatedBlogPostsCollection":1311,"authorsCollection":2941,"content":2949,"_id":3591,"_type":3592,"_source":3593,"_file":3594,"_stem":3595,"_extension":3592},"/blog/phishing-with-active-directory-federation-services","blog",{"id":1280,"publishedAt":1281},"5y6UUG3mMTu1dFhtKO0AUT","2025-11-18T09:23:34.166Z",{"json":1283},{"data":1284,"content":1285,"nodeType":1295},{},[1286],{"da
ta":1287,"content":1288,"nodeType":1294},{},[1289],{"data":1290,"marks":1291,"value":1292,"nodeType":1293},{},[],"We recently identified a novel phishing attack combining the latest phishing detection evasion techniques —  including clever use of Active Directory Federation Services to get Microsoft to send victims to a phishing site using legitimate login URLs. ","text","paragraph","document","How attackers are using Active Directory Federation Services to phish with legit office.com links","Attackers are using legit Microsoft services for phishing","Push recently identified a novel phishing attack using Active Directory Federation Services to get Microsoft to send victims to a phishing site.","2025-08-12T00:00:00.000Z","phishing-with-active-directory-federation-services",{"items":1302},[1303,1307],{"sys":1304,"name":1306},{"id":1305},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"sys":1308,"name":1310},{"id":1309},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"items":1312},[1313,1799,2363],{"__typename":1314,"sys":1315,"content":1317,"title":1781,"synopsis":1782,"hashTags":118,"publishedDate":1783,"slug":1784,"tagsCollection":1785,"authorsCollection":1791},"BlogPosts",{"id":1316},"4vPEPmjd8MOlARD7oXfOrj",{"json":1318},{"nodeType":1295,"data":1319,"content":1320},{},[1321,1343,1360,1369,1376,1383,1387,1396,1415,1422,1428,1435,1441,1448,1454,1461,1467,1474,1480,1483,1491,1509,1515,1524,1544,1552,1585,1592,1600,1620,1628,1648,1654,1657,1665,1685,1692,1698,1701,1709,1728,1735,1742,1748],{"nodeType":1294,"data":1322,"content":1323},{},[1324,1328,1339],{"nodeType":1293,"value":1325,"marks":1326,"data":1327},"Push recently detected and blocked a high-risk LinkedIn phishing attack that demonstrated a number of crafty (and increasingly common) ",[],{},{"nodeType":1329,"data":1330,"content":1332},"hyperlink",{"uri":1331},"https://phishing-techniques.pushsecurity.com/",[1333],{"nodeType":1293,"value":1334,"marks":1335,"data":1338},"detection evasion 
techniques",[1336],{"type":1337},"underline",{},{"nodeType":1293,"value":1340,"marks":1341,"data":1342},". ",[],{},{"nodeType":1294,"data":1344,"content":1345},{},[1346,1350,1356],{"nodeType":1293,"value":1347,"marks":1348,"data":1349},"Phishing via LinkedIn is increasingly common, although it often goes undetected and unreported. This is to be expected when most of the industry’s data on phishing attacks comes from email security vendors and tools. In contrast to email-centric reporting, ",[],{},{"nodeType":1293,"value":1351,"marks":1352,"data":1355},"34% of the phishing attacks intercepted by Push last month came through non-email channels",[1353],{"type":1354},"bold",{},{"nodeType":1293,"value":1357,"marks":1358,"data":1359}," like social media, IM platforms, malicious search engine ads, and in-app communications. ",[],{},{"nodeType":1361,"data":1362,"content":1368},"embedded-entry-block",{"target":1363},{"sys":1364},{"id":1365,"type":1366,"linkType":1367},"7i8panfdFUqW9wqYkd9uDc","Link","Entry",[],{"nodeType":1294,"data":1370,"content":1371},{},[1372],{"nodeType":1293,"value":1373,"marks":1374,"data":1375},"Phishing via LinkedIn is a great way to catch victims unawares and evade traditionally email-based anti-phishing controls. While often used for work and commonly accessed from corporate devices, it sits outside the purview of enterprise security tools, exploiting a visibility and control blind spot. ",[],{},{"nodeType":1294,"data":1377,"content":1378},{},[1379],{"nodeType":1293,"value":1380,"marks":1381,"data":1382},"Let’s break it down. 
",[],{},{"nodeType":1384,"data":1385,"content":1386},"hr",{},[],{"nodeType":1388,"data":1389,"content":1390},"heading-1",{},[1391],{"nodeType":1293,"value":1392,"marks":1393,"data":1395},"Phishing attack breakdown",[1394],{"type":1354},{},{"nodeType":1294,"data":1397,"content":1398},{},[1399,1403,1411],{"nodeType":1293,"value":1400,"marks":1401,"data":1402},"The victim was sent a malicious link via LinkedIn DM relating to a fake investment opportunity for executives ",[],{},{"nodeType":1329,"data":1404,"content":1406},{"uri":1405},"https://www.bleepingcomputer.com/news/security/linkedin-phishing-targets-finance-execs-with-fake-board-invites/",[1407],{"nodeType":1293,"value":1408,"marks":1409,"data":1410},"to join the executive board of a newly created \"Common Wealth\" investment fund.",[],{},{"nodeType":1293,"value":1412,"marks":1413,"data":1414}," ",[],{},{"nodeType":1294,"data":1416,"content":1417},{},[1418],{"nodeType":1293,"value":1419,"marks":1420,"data":1421},"After clicking the link, they were redirected three times — via Google Search, and then payrails-canaccord[.]icu/(redacted) — before being sent to a custom landing page hosted on firebasestorage.googleapis[.]com/(redacted). ",[],{},{"nodeType":1361,"data":1423,"content":1427},{"target":1424},{"sys":1425},{"id":1426,"type":1366,"linkType":1367},"65PeJOKzn6Ba7FDUQRae3Q",[],{"nodeType":1294,"data":1429,"content":1430},{},[1431],{"nodeType":1293,"value":1432,"marks":1433,"data":1434},"Upon clicking on one of the document links on the page, the victim is prompted to “view with Microsoft”. ",[],{},{"nodeType":1361,"data":1436,"content":1440},{"target":1437},{"sys":1438},{"id":1439,"type":1366,"linkType":1367},"4f27KuwTRx1Do59rs3JoVl",[],{"nodeType":1294,"data":1442,"content":1443},{},[1444],{"nodeType":1293,"value":1445,"marks":1446,"data":1447},"The user is then met with a Cloudflare Turnstile gate challenge at login.kggpho[.]icu before the page will fully render, and malicious content is loaded. 
",[],{},{"nodeType":1361,"data":1449,"content":1453},{"target":1450},{"sys":1451},{"id":1452,"type":1366,"linkType":1367},"3lpVmLBZSocOSGdlCKhKnD",[],{"nodeType":1294,"data":1455,"content":1456},{},[1457],{"nodeType":1293,"value":1458,"marks":1459,"data":1460},"The Microsoft-impersonating AITM phishing page is then served to the victim. Entering credentials and completing the MFA check will result in their Microsoft session being stolen by the attacker. ",[],{},{"nodeType":1361,"data":1462,"content":1466},{"target":1463},{"sys":1464},{"id":1465,"type":1366,"linkType":1367},"5FCa4EJwyux13K9KBT3nd4",[],{"nodeType":1294,"data":1468,"content":1469},{},[1470],{"nodeType":1293,"value":1471,"marks":1472,"data":1473},"You can see the full timeline of events in the Detection Timeline below. ",[],{},{"nodeType":1361,"data":1475,"content":1479},{"target":1476},{"sys":1477},{"id":1478,"type":1366,"linkType":1367},"8lizkPJcGdZhtWFV2QEwQ",[],{"nodeType":1384,"data":1481,"content":1482},{},[],{"nodeType":1388,"data":1484,"content":1485},{},[1486],{"nodeType":1293,"value":1487,"marks":1488,"data":1490},"Detection evasion techniques observed",[1489],{"type":1354},{},{"nodeType":1294,"data":1492,"content":1493},{},[1494,1498,1505],{"nodeType":1293,"value":1495,"marks":1496,"data":1497},"The attacker used a number of ",[],{},{"nodeType":1329,"data":1499,"content":1500},{"uri":1331},[1501],{"nodeType":1293,"value":1334,"marks":1502,"data":1504},[1503],{"type":1337},{},{"nodeType":1293,"value":1506,"marks":1507,"data":1508}," to prevent the phishing site being analysed and detected by security tools. 
",[],{},{"nodeType":1361,"data":1510,"content":1514},{"target":1511},{"sys":1512},{"id":1513,"type":1366,"linkType":1367},"7q9D1MREwTCCpnjvZZ5wk1",[],{"nodeType":1516,"data":1517,"content":1518},"heading-2",{},[1519],{"nodeType":1293,"value":1520,"marks":1521,"data":1523},"LinkedIn delivery",[1522],{"type":1354},{},{"nodeType":1294,"data":1525,"content":1526},{},[1527,1531,1540],{"nodeType":1293,"value":1528,"marks":1529,"data":1530},"As we mentioned above, sending phishing lures via ",[],{},{"nodeType":1329,"data":1532,"content":1534},{"uri":1533},"https://phishing-techniques.pushsecurity.com/techniques/social-media/",[1535],{"nodeType":1293,"value":1536,"marks":1537,"data":1539},"social media apps",[1538],{"type":1337},{},{"nodeType":1293,"value":1541,"marks":1542,"data":1543}," like LinkedIn is a great way to reach employees in a place that they expect to be contacted by people outside of their organization. By evading the traditional phishing control point altogether (email) attackers significantly reduce the risk of interception. 
",[],{},{"nodeType":1516,"data":1545,"content":1546},{},[1547],{"nodeType":1293,"value":1548,"marks":1549,"data":1551},"Lengthy redirect chain through trusted sites",[1550],{"type":1354},{},{"nodeType":1294,"data":1553,"content":1554},{},[1555,1559,1568,1572,1581],{"nodeType":1293,"value":1556,"marks":1557,"data":1558},"Attackers use ",[],{},{"nodeType":1329,"data":1560,"content":1562},{"uri":1561},"https://phishing-techniques.pushsecurity.com/techniques/domain-rotation-redirection/",[1563],{"nodeType":1293,"value":1564,"marks":1565,"data":1567},"lengthy redirect chains",[1566],{"type":1337},{},{"nodeType":1293,"value":1569,"marks":1570,"data":1571}," in combination with hosting pages on ",[],{},{"nodeType":1329,"data":1573,"content":1575},{"uri":1574},"https://phishing-techniques.pushsecurity.com/techniques/trusted-website-hosting/",[1576],{"nodeType":1293,"value":1577,"marks":1578,"data":1580},"legitimate, trusted sites",[1579],{"type":1337},{},{"nodeType":1293,"value":1582,"marks":1583,"data":1584}," (in this case Firebase, Google’s app development platform). This is a technique we see a lot, with various Google and Microsoft sites cropping up time and again, including Google Forms, Google Sites, Google Script, Google AMP, Microsoft Dynamics, SharePoint, Azure Front Door, and many more, all used by attackers as part of their phishing attacks. ",[],{},{"nodeType":1294,"data":1586,"content":1587},{},[1588],{"nodeType":1293,"value":1589,"marks":1590,"data":1591},"Legitimate services are less likely to be flagged by link analysis tools and effectively cloak the initial URL delivered to the victim to increase the chance of successful delivery of and access to the link, while many services are excluded from page scanning tools owing to their association with trusted domains. 
",[],{},{"nodeType":1516,"data":1593,"content":1594},{},[1595],{"nodeType":1293,"value":1596,"marks":1597,"data":1599},"Bot protection",[1598],{"type":1354},{},{"nodeType":1294,"data":1601,"content":1602},{},[1603,1607,1616],{"nodeType":1293,"value":1604,"marks":1605,"data":1606},"Attackers are using common ",[],{},{"nodeType":1329,"data":1608,"content":1610},{"uri":1609},"https://phishing-techniques.pushsecurity.com/techniques/bot-protection/",[1611],{"nodeType":1293,"value":1612,"marks":1613,"data":1615},"bot protection",[1614],{"type":1337},{},{"nodeType":1293,"value":1617,"marks":1618,"data":1619}," technologies like CAPTCHA and Cloudflare Turnstile to prevent security bots from accessing their web pages to be able to analyse them (and therefore block pages from being automatically flagged). This requires anyone visiting the page to pass a bot check/challenge before the page can be loaded, meaning the full page cannot be analysed by automated tools. ",[],{},{"nodeType":1516,"data":1621,"content":1622},{},[1623],{"nodeType":1293,"value":1624,"marks":1625,"data":1627},"Page obfuscation",[1626],{"type":1354},{},{"nodeType":1294,"data":1629,"content":1630},{},[1631,1635,1644],{"nodeType":1293,"value":1632,"marks":1633,"data":1634},"Phishing pages ",[],{},{"nodeType":1329,"data":1636,"content":1638},{"uri":1637},"https://phishing-techniques.pushsecurity.com/techniques/page-obfuscation/",[1639],{"nodeType":1293,"value":1640,"marks":1641,"data":1643},"change and even randomize elements of the page",[1642],{"type":1337},{},{"nodeType":1293,"value":1645,"marks":1646,"data":1647}," to avoid static fingerprints and defeat comparison-based checks against real pages. This includes the page title, text, images, backgrounds, logos, favicons, etc. — all of which may be signatured components using web page analysis tools. These elements can even be embedded in an encoded form so it isn’t present in the initial HTML, and is instead dynamically set at runtime when loaded. 
As an example, you can see that the page randomly generated the tab header text.",[],{},{"nodeType":1361,"data":1649,"content":1653},{"target":1650},{"sys":1651},{"id":1652,"type":1366,"linkType":1367},"2bbOZC9M4y69ACDy7bn209",[],{"nodeType":1384,"data":1655,"content":1656},{},[],{"nodeType":1388,"data":1658,"content":1659},{},[1660],{"nodeType":1293,"value":1661,"marks":1662,"data":1664},"Impact analysis",[1663],{"type":1354},{},{"nodeType":1294,"data":1666,"content":1667},{},[1668,1672,1681],{"nodeType":1293,"value":1669,"marks":1670,"data":1671},"We’re seeing ",[],{},{"nodeType":1329,"data":1673,"content":1675},{"uri":1674},"https://pushsecurity.com/blog/how-push-stopped-a-high-risk-linkedin-spear-phishing-attack/",[1676],{"nodeType":1293,"value":1677,"marks":1678,"data":1680},"many phishing campaigns pivoting to social media apps like LinkedIn",[1679],{"type":1337},{},{"nodeType":1293,"value":1682,"marks":1683,"data":1684}," and organizations should be on guard against this attack vector, which is highly effective at evading common anti-phishing controls.  ",[],{},{"nodeType":1294,"data":1686,"content":1687},{},[1688],{"nodeType":1293,"value":1689,"marks":1690,"data":1691},"Just because the attack happens over LinkedIn doesn’t lessen the impact — these are corporate credentials and accounts being targeted, even if it is nominally a “personal” application. Taking over a core identity like a Microsoft or Google account can have wide-ranging consequences, putting data at risk in both core apps and any downstream apps that can be accessed via SSO from the compromised account. 
",[],{},{"nodeType":1361,"data":1693,"content":1697},{"target":1694},{"sys":1695},{"id":1696,"type":1366,"linkType":1367},"6QzB0BlVC5mstXwXHvy2c3",[],{"nodeType":1384,"data":1699,"content":1700},{},[],{"nodeType":1388,"data":1702,"content":1703},{},[1704],{"nodeType":1293,"value":1705,"marks":1706,"data":1708},"How Push stopped the attack",[1707],{"type":1354},{},{"nodeType":1294,"data":1710,"content":1711},{},[1712,1716,1724],{"nodeType":1293,"value":1713,"marks":1714,"data":1715},"Push doesn’t detect the redirect tricks or rely on outdated domain TI feeds. The reason we detect these attacks (which make it through all the other layers of phishing protection) is that Push sees what your users see. It doesn’t matter what ",[],{},{"nodeType":1329,"data":1717,"content":1718},{"uri":1331},[1719],{"nodeType":1293,"value":1720,"marks":1721,"data":1723},"delivery channel or camouflage methods are used",[1722],{"type":1337},{},{"nodeType":1293,"value":1725,"marks":1726,"data":1727},", Push shuts the attack down in real time, as the user loads the malicious page in their web browser.",[],{},{"nodeType":1294,"data":1729,"content":1730},{},[1731],{"nodeType":1293,"value":1732,"marks":1733,"data":1734},"This isn’t all we do: Push’s browser-based security platform provides comprehensive detection and response capabilities against the leading cause of breaches. Push blocks browser-based attacks like AiTM phishing, credential stuffing, malicious browser extensions, malicious OAuth grants, ClickFix, and session hijacking. 
You don’t need to wait until it all goes wrong — you can also use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, and more to harden your identity attack surface.",[],{},{"nodeType":1294,"data":1736,"content":1737},{},[1738],{"nodeType":1293,"value":1739,"marks":1740,"data":1741},"Check out the demo below to see Push detect and block this attack in real-time. ",[],{},{"nodeType":1361,"data":1743,"content":1747},{"target":1744},{"sys":1745},{"id":1746,"type":1366,"linkType":1367},"5VsFECWlJ1HNGtC0jUcPjH",[],{"nodeType":1294,"data":1749,"content":1750},{},[1751,1755,1764,1768,1777],{"nodeType":1293,"value":1752,"marks":1753,"data":1754},"To learn more about Push, ",[],{},{"nodeType":1329,"data":1756,"content":1758},{"uri":1757},"https://pushsecurity.com/resources/product-brochure",[1759],{"nodeType":1293,"value":1760,"marks":1761,"data":1763},"check out our latest product overview",[1762],{"type":1337},{},{"nodeType":1293,"value":1765,"marks":1766,"data":1767}," or ",[],{},{"nodeType":1329,"data":1769,"content":1771},{"uri":1770},"https://pushsecurity.com/demo",[1772],{"nodeType":1293,"value":1773,"marks":1774,"data":1776},"book some time with one of our team for a live demo",[1775],{"type":1337},{},{"nodeType":1293,"value":1778,"marks":1779,"data":1780},".",[],{},"New phishing campaign identified targeting LinkedIn users","Diving into the latest sophisticated LinkedIn phishing campaign intercepted by Push. 
","2025-10-30T00:00:00.000Z","new-phishing-campaign-identified-targeting-linkedin-users",{"items":1786},[1787,1789],{"sys":1788,"name":1306},{"id":1305},{"sys":1790,"name":1310},{"id":1309},{"items":1792},[1793],{"fullName":1794,"firstName":1795,"jobTitle":1796,"profilePicture":1797},"Dan Green","Dan","Threat Research",{"url":1798},"https://images.ctfassets.net/y1cdw1ablpvd/7jik1VhFgA3kgzXBXTm2Vw/fcd8c171da644903d0827eafcfbcaad0/Dan_Headshot_2025.png",{"__typename":1314,"sys":1800,"content":1802,"title":2349,"synopsis":2350,"hashTags":118,"publishedDate":2351,"slug":2352,"tagsCollection":2353,"authorsCollection":2359},{"id":1801},"6QLonRmBzbj9h88Y7jD0LU",{"json":1803},{"nodeType":1295,"data":1804,"content":1805},{},[1806,1813,1820,1851,1858,1865,1872,1875,1883,1903,1910,1916,1923,1929,1936,1942,1949,1955,1962,1968,1975,1982,1988,1991,1999,2019,2026,2033,2039,2057,2065,2081,2089,2108,2115,2121,2154,2162,2194,2202,2222,2227,2230,2238,2258,2264,2267,2275,2282,2289,2292,2300,2307,2314,2338,2343],{"nodeType":1294,"data":1807,"content":1808},{},[1809],{"nodeType":1293,"value":1810,"marks":1811,"data":1812},"PhaaS kits make up the vast majority of phishing sites intercepted by Push and dominate the phishing landscape, with kits like Tycoon, NakedPages, Flowerstorm, Salty2FA, and various Evilginx variations proving very popular among attackers targeting Push customers.",[],{},{"nodeType":1294,"data":1814,"content":1815},{},[1816],{"nodeType":1293,"value":1817,"marks":1818,"data":1819},"PhaaS kits are incredibly important to cybercrime because they make sophisticated and continuously evolving capabilities available to the criminal marketplace, lowering the barrier to entry for criminals running advanced phishing campaigns. This is not unique to phishing: Ransomware-as-a-Service, Credential Stuffing-as-a-Service, and many more for-hire tools and services exist for criminals to use for a fee. 
",[],{},{"nodeType":1294,"data":1821,"content":1822},{},[1823,1827,1836,1840,1847],{"nodeType":1293,"value":1824,"marks":1825,"data":1826},"This competitive environment has fuelled attacker innovation, resulting in an environment in which MFA-bypass is table stakes, phishing-resistant authentication is being circumvented through ",[],{},{"nodeType":1329,"data":1828,"content":1830},{"uri":1829},"https://pushsecurity.com/blog/mfa-downgrade-attacks/",[1831],{"nodeType":1293,"value":1832,"marks":1833,"data":1835},"downgrade attacks",[1834],{"type":1337},{},{"nodeType":1293,"value":1837,"marks":1838,"data":1839},", and ",[],{},{"nodeType":1329,"data":1841,"content":1842},{"uri":1331},[1843],{"nodeType":1293,"value":1334,"marks":1844,"data":1846},[1845],{"type":1337},{},{"nodeType":1293,"value":1848,"marks":1849,"data":1850}," are being used to circumvent security tools — from email scanners, to web-crawling security tools, to web proxies analyzing network traffic.",[],{},{"nodeType":1294,"data":1852,"content":1853},{},[1854],{"nodeType":1293,"value":1855,"marks":1856,"data":1857},"Recently, we’ve noticed an increase in detections relating to Sneaky2FA, which operates through a fully-featured bot on Telegram. Customers reportedly receive access to a licensed, obfuscated version of the source code and deploy it independently.",[],{},{"nodeType":1294,"data":1859,"content":1860},{},[1861],{"nodeType":1293,"value":1862,"marks":1863,"data":1864},"This makes Sneaky2FA something that can be reliably profiled and tracked due to these codebase similarities — which is what we’re actively doing at Push. ",[],{},{"nodeType":1294,"data":1866,"content":1867},{},[1868],{"nodeType":1293,"value":1869,"marks":1870,"data":1871},"Why is this relevant? Well, the latest Sneaky2FA phish we identified was pretty interesting. 
",[],{},{"nodeType":1384,"data":1873,"content":1874},{},[],{"nodeType":1388,"data":1876,"content":1877},{},[1878],{"nodeType":1293,"value":1879,"marks":1880,"data":1882},"Sneaky2FA adds BITB to its phishing toolkit",[1881],{"type":1354},{},{"nodeType":1294,"data":1884,"content":1885},{},[1886,1890,1899],{"nodeType":1293,"value":1887,"marks":1888,"data":1889},"We recently detected a Sneaky2FA server that is a bit different from the typical reverse-proxy ",[],{},{"nodeType":1329,"data":1891,"content":1893},{"uri":1892},"https://pushsecurity.com/blog/phishing-2-0-how-phishing-toolkits-are-evolving-with-aitm/",[1894],{"nodeType":1293,"value":1895,"marks":1896,"data":1898},"Attacker-in-the-Middle",[1897],{"type":1337},{},{"nodeType":1293,"value":1900,"marks":1901,"data":1902}," site, featuring an embedded browser window that contained the actual phishing page. ",[],{},{"nodeType":1294,"data":1904,"content":1905},{},[1906],{"nodeType":1293,"value":1907,"marks":1908,"data":1909},"You can see how the page loaded in the video below.",[],{},{"nodeType":1361,"data":1911,"content":1915},{"target":1912},{"sys":1913},{"id":1914,"type":1366,"linkType":1367},"6L6Ban2xptI1uNA8OPJQzq",[],{"nodeType":1294,"data":1917,"content":1918},{},[1919],{"nodeType":1293,"value":1920,"marks":1921,"data":1922},"When the URL previewdoc[.]us is first accessed, a Cloudflare Turnstile check must be completed before the page loads. ",[],{},{"nodeType":1361,"data":1924,"content":1928},{"target":1925},{"sys":1926},{"id":1927,"type":1366,"linkType":1367},"QscI1SZ6dOpgMkrJPtqLD",[],{"nodeType":1294,"data":1930,"content":1931},{},[1932],{"nodeType":1293,"value":1933,"marks":1934,"data":1935},"The page then redirects to a subdomain of previewdoc[.]us, which prompts the user to “Sign in with Microsoft” in order to view a document, styled to look like Adobe Acrobat Reader. 
",[],{},{"nodeType":1361,"data":1937,"content":1941},{"target":1938},{"sys":1939},{"id":1940,"type":1366,"linkType":1367},"7pkfAQquHrA6aUnCtj74iu",[],{"nodeType":1294,"data":1943,"content":1944},{},[1945],{"nodeType":1293,"value":1946,"marks":1947,"data":1948},"Upon clicking “Sign in with Microsoft”, a reverse-proxy phishing page resembling a Microsoft login form is loaded in an embedded browser, with a custom background image designed to resemble a document library. ",[],{},{"nodeType":1361,"data":1950,"content":1954},{"target":1951},{"sys":1952},{"id":1953,"type":1366,"linkType":1367},"782tw14AqgJ9mqneVaOdHc",[],{"nodeType":1294,"data":1956,"content":1957},{},[1958],{"nodeType":1293,"value":1959,"marks":1960,"data":1961},"Interestingly, the pop-up window adjusts to the visitor’s OS and browser — you can see some different examples below.",[],{},{"nodeType":1361,"data":1963,"content":1967},{"target":1964},{"sys":1965},{"id":1966,"type":1366,"linkType":1367},"6lN9agEyeQ63LDHM1kaSqX",[],{"nodeType":1294,"data":1969,"content":1970},{},[1971],{"nodeType":1293,"value":1972,"marks":1973,"data":1974},"Completing authentication will result in the user’s Microsoft credentials and active session being stolen by the attacker, facilitating account takeover. 
",[],{},{"nodeType":1294,"data":1976,"content":1977},{},[1978],{"nodeType":1293,"value":1979,"marks":1980,"data":1981},"You can see the sequence of pages loaded and Push detection events in the timeline below.",[],{},{"nodeType":1361,"data":1983,"content":1987},{"target":1984},{"sys":1985},{"id":1986,"type":1366,"linkType":1367},"1oPpha39PMiJGUaZSptx1f",[],{"nodeType":1384,"data":1989,"content":1990},{},[],{"nodeType":1388,"data":1992,"content":1993},{},[1994],{"nodeType":1293,"value":1995,"marks":1996,"data":1998},"Why Browser-in-the-Browser?",[1997],{"type":1354},{},{"nodeType":1294,"data":2000,"content":2001},{},[2002,2006,2015],{"nodeType":1293,"value":2003,"marks":2004,"data":2005},"BITB was first coined as a technique in 2022 by ",[],{},{"nodeType":1329,"data":2007,"content":2009},{"uri":2008},"https://mrd0x.com/browser-in-the-browser-phishing-attack/",[2010],{"nodeType":1293,"value":2011,"marks":2012,"data":2014},"mr.d0x",[2013],{"type":1337},{},{"nodeType":1293,"value":2016,"marks":2017,"data":2018},", but standard AITM phishing pages are far more frequently encountered in the wild, particularly when it comes to enterprise business targets.",[],{},{"nodeType":1294,"data":2020,"content":2021},{},[2022],{"nodeType":1293,"value":2023,"marks":2024,"data":2025},"BITB is principally designed to mask suspicious phishing URLs by simulating a pretty normal function of in-browser authentication — a pop-up login form. BITB phishing pages replicate the design of a pop-up window with an iframe pointing to a malicious server. ",[],{},{"nodeType":1294,"data":2027,"content":2028},{},[2029],{"nodeType":1293,"value":2030,"marks":2031,"data":2032},"The pop-up browser window shows a legitimate Microsoft login URL — this is in fact a fake URL that is designed to fool the user. 
",[],{},{"nodeType":1361,"data":2034,"content":2038},{"target":2035},{"sys":2036},{"id":2037,"type":1366,"linkType":1367},"7kI5PHTr9XYQJ0xVJUnUDu",[],{"nodeType":1294,"data":2040,"content":2041},{},[2042,2046,2053],{"nodeType":1293,"value":2043,"marks":2044,"data":2045},"This BITB example shares many of the advantages of typical reverse-proxy based phishing pages, as well as the ",[],{},{"nodeType":1329,"data":2047,"content":2048},{"uri":1331},[2049],{"nodeType":1293,"value":1334,"marks":2050,"data":2052},[2051],{"type":1337},{},{"nodeType":1293,"value":2054,"marks":2055,"data":2056}," that are commonly used by attackers (and baked into PhaaS kits off-the-shelf). This includes:",[],{},{"nodeType":1516,"data":2058,"content":2059},{},[2060],{"nodeType":1293,"value":2061,"marks":2062,"data":2064},"Bot protection to defeat web scraping tools",[2063],{"type":1354},{},{"nodeType":1294,"data":2066,"content":2067},{},[2068,2071,2078],{"nodeType":1293,"value":1604,"marks":2069,"data":2070},[],{},{"nodeType":1329,"data":2072,"content":2073},{"uri":1609},[2074],{"nodeType":1293,"value":1612,"marks":2075,"data":2077},[2076],{"type":1337},{},{"nodeType":1293,"value":1617,"marks":2079,"data":2080},[],{},{"nodeType":1516,"data":2082,"content":2083},{},[2084],{"nodeType":1293,"value":2085,"marks":2086,"data":2088},"Stop unwanted visitors with conditional loading",[2087],{"type":1354},{},{"nodeType":1294,"data":2090,"content":2091},{},[2092,2095,2104],{"nodeType":1293,"value":37,"marks":2093,"data":2094},[],{},{"nodeType":1329,"data":2096,"content":2098},{"uri":2097},"https://phishing-techniques.pushsecurity.com/techniques/conditional-loading/",[2099],{"nodeType":1293,"value":2100,"marks":2101,"data":2103},"Conditional loading",[2102],{"type":1337},{},{"nodeType":1293,"value":2105,"marks":2106,"data":2107}," techniques are used to prevent unwanted visitors from accessing the phishing page — reducing the chance that it is detected and flagged and extending the longevity of the 
phish. The visitors blocked often include known security vendor IPs and VPN/proxy services, but conditional loading is also often used to target specific organizations (or even specific users within an organization). ",[],{},{"nodeType":1294,"data":2109,"content":2110},{},[2111],{"nodeType":1293,"value":2112,"marks":2113,"data":2114},"In this case, where the correct parameters are not supplied or the phishing site detects an unwanted variable, it will redirect to a benign wikibooks page. ",[],{},{"nodeType":1361,"data":2116,"content":2120},{"target":2117},{"sys":2118},{"id":2119,"type":1366,"linkType":1367},"fN2XugiDIef8haTDapViT",[],{"nodeType":1294,"data":2122,"content":2123},{},[2124,2128,2137,2141,2150],{"nodeType":1293,"value":2125,"marks":2126,"data":2127},"Sneaky2FA has also been commonly observed using ",[],{},{"nodeType":1329,"data":2129,"content":2131},{"uri":2130},"https://phishing-techniques.pushsecurity.com/techniques/anti-sandbox/",[2132],{"nodeType":1293,"value":2133,"marks":2134,"data":2136},"anti-analysis",[2135],{"type":1337},{},{"nodeType":1293,"value":2138,"marks":2139,"data":2140}," techniques to detect or ",[],{},{"nodeType":1329,"data":2142,"content":2144},{"uri":2143},"https://blog.sekoia.io/sneaky-2fa-exposing-a-new-aitm-phishing-as-a-service/#:~:text=Sneaky%202FA%20pages%20use%20anti,we%20identified%20as%20Sneaky%202FA",[2145],{"nodeType":1293,"value":2146,"marks":2147,"data":2149},"disable browser developer tools",[2148],{"type":1337},{},{"nodeType":1293,"value":2151,"marks":2152,"data":2153}," to block attempts to analyse the page for malicious content. 
",[],{},{"nodeType":1516,"data":2155,"content":2156},{},[2157],{"nodeType":1293,"value":2158,"marks":2159,"data":2161},"Page and code obfuscation",[2160],{"type":1354},{},{"nodeType":1294,"data":2163,"content":2164},{},[2165,2169,2177,2181,2190],{"nodeType":1293,"value":2166,"marks":2167,"data":2168},"The HTML and JavaScript of Sneaky2FA pages are ",[],{},{"nodeType":1329,"data":2170,"content":2171},{"uri":1637},[2172],{"nodeType":1293,"value":2173,"marks":2174,"data":2176},"heavily obfuscated",[2175],{"type":1337},{},{"nodeType":1293,"value":2178,"marks":2179,"data":2180}," to evade static detection and pattern-matching, ",[],{},{"nodeType":1329,"data":2182,"content":2184},{"uri":2183},"https://blog.sekoia.io/sneaky-2fa-exposing-a-new-aitm-phishing-as-a-service/#:~:text=,%E2%80%9CNo%20account%3F%E2%80%9D%20and%20%E2%80%9CSign%20in%E2%80%9D",[2185],{"nodeType":1293,"value":2186,"marks":2187,"data":2189},"such as",[2188],{"type":1337},{},{"nodeType":1293,"value":2191,"marks":2192,"data":2193}," breaking up UI text with invisible tags, embedding background and interface elements as encoded images instead of text, and other changes that are invisible to the user, but make it hard for scanning tools to fingerprint the page. ",[],{},{"nodeType":1516,"data":2195,"content":2196},{},[2197],{"nodeType":1293,"value":2198,"marks":2199,"data":2201},"Domain rotation and URL masking",[2200],{"type":1354},{},{"nodeType":1294,"data":2203,"content":2204},{},[2205,2209,2218],{"nodeType":1293,"value":2206,"marks":2207,"data":2208},"In addition to masking the phishing site URL presented to the user via the BITB window, Sneaky2FA has been seen using ",[],{},{"nodeType":1329,"data":2210,"content":2212},{"uri":2211},"https://www.centripetal.ai/threat-research/typhoon-versus-sneaky",[2213],{"nodeType":1293,"value":2214,"marks":2215,"data":2217},"stealthy hosting and domain tactics",[2216],{"type":1337},{},{"nodeType":1293,"value":2219,"marks":2220,"data":2221},". 
Each campaign uses a fresh, long, randomized URL (typically a 150-character path) on a benign-looking domain (often an old or compromised site). These domains are usually short-lived: many are taken down after just a few days or weeks. Analysts have observed that Sneaky2FA domains often lie dormant or serve harmless content until right before an attack, then quickly vanish after use. This “burn-and-replace” approach makes traditional defenses (which rely on domain reputation or pattern-matching) much weaker.",[],{},{"nodeType":1361,"data":2223,"content":2226},{"target":2224},{"sys":2225},{"id":1696,"type":1366,"linkType":1367},[],{"nodeType":1384,"data":2228,"content":2229},{},[],{"nodeType":1388,"data":2231,"content":2232},{},[2233],{"nodeType":1293,"value":2234,"marks":2235,"data":2237},"Are attackers moving to BITB? ",[2236],{"type":1354},{},{"nodeType":1294,"data":2239,"content":2240},{},[2241,2245,2254],{"nodeType":1293,"value":2242,"marks":2243,"data":2244},"There is evidence that Sneaky2FA’s shift to BITB might not be an isolated change. RaccoonO365 is another PhaaS service that has been seen utilizing BITB functionality after ",[],{},{"nodeType":1329,"data":2246,"content":2248},{"uri":2247},"https://www.cloudflare.com/en-gb/threat-intelligence/research/report/cloudflare-participates-in-global-operation-to-disrupt-raccoono365/",[2249],{"nodeType":1293,"value":2250,"marks":2251,"data":2253},"announcing a “BITB mini-panel”",[2252],{"type":1337},{},{"nodeType":1293,"value":2255,"marks":2256,"data":2257}," would be added as part of a service revamp. 
",[],{},{"nodeType":1361,"data":2259,"content":2263},{"target":2260},{"sys":2261},{"id":2262,"type":1366,"linkType":1367},"2sJUR9TVbZMU1v10Tq94Pz",[],{"nodeType":1384,"data":2265,"content":2266},{},[],{"nodeType":1388,"data":2268,"content":2269},{},[2270],{"nodeType":1293,"value":2271,"marks":2272,"data":2274},"Conclusion",[2273],{"type":1354},{},{"nodeType":1294,"data":2276,"content":2277},{},[2278],{"nodeType":1293,"value":2279,"marks":2280,"data":2281},"Attackers are continuously innovating their phishing techniques, particularly in the context of an increasingly professionalized PhaaS ecosystem. With identity-based attacks continuing to be the leading cause of breaches, attackers are incentivized to refine and enhance their phishing infrastructure. ",[],{},{"nodeType":1294,"data":2283,"content":2284},{},[2285],{"nodeType":1293,"value":2286,"marks":2287,"data":2288},"The addition of BITB, with the frequent iteration and improvement of detection evasion techniques, means that traditional security controls such as email gateways, web filters, and signature-based defenses will continue to be reliably bypassed. ",[],{},{"nodeType":1384,"data":2290,"content":2291},{},[],{"nodeType":1388,"data":2293,"content":2294},{},[2295],{"nodeType":1293,"value":2296,"marks":2297,"data":2299},"How Push can help",[2298],{"type":1354},{},{"nodeType":1294,"data":2301,"content":2302},{},[2303],{"nodeType":1293,"value":2304,"marks":2305,"data":2306},"Push researchers are continuously analysing and developing new detections based on the latest phishing kits and TTPs which enables us to stay two steps ahead of attackers.",[],{},{"nodeType":1294,"data":2308,"content":2309},{},[2310],{"nodeType":1293,"value":2311,"marks":2312,"data":2313},"Despite the various detection evasion techniques, and the use of BITB methods, Push still detected this toolkit running on the page, enabling any attack to be detected and blocked before the user could be phished. 
Because we can inspect the live page, we detect malicious content loaded in the browser in real time. ",[],{},{"nodeType":1294,"data":2315,"content":2316},{},[2317,2320,2326,2329,2335],{"nodeType":1293,"value":1752,"marks":2318,"data":2319},[],{},{"nodeType":1329,"data":2321,"content":2322},{"uri":1757},[2323],{"nodeType":1293,"value":1760,"marks":2324,"data":2325},[],{},{"nodeType":1293,"value":1765,"marks":2327,"data":2328},[],{},{"nodeType":1329,"data":2330,"content":2331},{"uri":1770},[2332],{"nodeType":1293,"value":1773,"marks":2333,"data":2334},[],{},{"nodeType":1293,"value":1778,"marks":2336,"data":2337},[],{},{"nodeType":1361,"data":2339,"content":2342},{"target":2340},{"sys":2341},{"id":1696,"type":1366,"linkType":1367},[],{"nodeType":1294,"data":2344,"content":2345},{},[2346],{"nodeType":1293,"value":37,"marks":2347,"data":2348},[],{},"Analyzing the latest Sneaky2FA Browser-in-the-Browser phishing page","Analyzing a BITB phishing page linked to the Sneaky2FA Phishing-as-a-Service operation. 
","2025-11-18T00:00:00.000Z","analyzing-the-latest-sneaky2fa-phishing-page",{"items":2354},[2355,2357],{"sys":2356,"name":1310},{"id":1309},{"sys":2358,"name":1306},{"id":1305},{"items":2360},[2361],{"fullName":1794,"firstName":1795,"jobTitle":1796,"profilePicture":2362},{"url":1798},{"__typename":1314,"sys":2364,"content":2366,"title":2923,"synopsis":2924,"hashTags":118,"publishedDate":2925,"slug":2926,"tagsCollection":2927,"authorsCollection":2933},{"id":2365},"4XZ6qCr8pjJvcD7hi09x2Y",{"json":2367},{"data":2368,"content":2369,"nodeType":1295},{},[2370,2390,2397,2422,2429,2436,2443,2463,2469,2472,2480,2487,2507,2551,2596,2628,2648,2654,2657,2665,2672,2679,2686,2693,2816,2823,2826,2834,2851,2869,2872,2880,2898,2905],{"data":2371,"content":2372,"nodeType":1294},{},[2373,2377,2386],{"data":2374,"marks":2375,"value":2376,"nodeType":1293},{},[],"Almost two years ago, we released our ",{"data":2378,"content":2380,"nodeType":1329},{"uri":2379},"https://github.com/pushsecurity/saas-attacks",[2381],{"data":2382,"marks":2383,"value":2385,"nodeType":1293},{},[2384],{"type":1337},"SaaS attacks matrix",{"data":2387,"marks":2388,"value":2389,"nodeType":1293},{},[]," on GitHub. At the time, our research into modern attack patterns showed us that attackers were increasingly relying on cloud-native techniques, taking advantage of the shift in business IT from traditional on-premise networks to a web of third-party services accessed over the internet. 
",{"data":2391,"content":2392,"nodeType":1294},{},[2393],{"data":2394,"marks":2395,"value":2396,"nodeType":1293},{},[],"As part of our work in maintaining and updating the SaaS attacks matrix in line with our own research and attacks in the wild, we identified that:",{"data":2398,"content":2399,"nodeType":2421},{},[2400,2411],{"data":2401,"content":2402,"nodeType":2410},{},[2403],{"data":2404,"content":2405,"nodeType":1294},{},[2406],{"data":2407,"marks":2408,"value":2409,"nodeType":1293},{},[],"The fastest growing category since day 1 has been initial access, which is entirely driven by identity-based techniques (i.e. logging into apps).","list-item",{"data":2412,"content":2413,"nodeType":2410},{},[2414],{"data":2415,"content":2416,"nodeType":1294},{},[2417],{"data":2418,"marks":2419,"value":2420,"nodeType":1293},{},[],"Phishing in various forms is the most widely used, and generally effective, of all the initial access techniques we encounter. ","unordered-list",{"data":2423,"content":2424,"nodeType":1294},{},[2425],{"data":2426,"marks":2427,"value":2428,"nodeType":1293},{},[],"It’s increasingly difficult to reflect a lot of the research we’re doing within the parameters of the SaaS attacks matrix when attackers are doing so much (and to varying levels) in how they architect their phishing sites, distribute links and lures, and find novel ways around authentication and access controls. ",{"data":2430,"content":2431,"nodeType":1294},{},[2432],{"data":2433,"marks":2434,"value":2435,"nodeType":1293},{},[],"Equally, while there’s a huge amount of valuable research and deep-dive analysis of how individual phishing kits are behaving produced by security firms, there’s a gap in how we’re bringing together this knowledge and understanding the broad strokes of why and how phishing attacks are still so successful.  
",{"data":2437,"content":2438,"nodeType":1294},{},[2439],{"data":2440,"marks":2441,"value":2442,"nodeType":1293},{},[],"We come across so many phishing attacks on a daily basis that it’s impossible to write a deep-dive teardown on every one — and to some extent it wouldn’t be useful to do so. What’s arguably more valuable is understanding the patterns and commonalities across phishing campaigns that can help us to understand, generally, how malicious tooling and tradecraft is evolving. ",{"data":2444,"content":2445,"nodeType":1294},{},[2446,2450,2459],{"data":2447,"marks":2448,"value":2449,"nodeType":1293},{},[],"So, we decided to ",{"data":2451,"content":2453,"nodeType":1329},{"uri":2452},"https://pushsecurity.github.io/phishing-techniques/",[2454],{"data":2455,"marks":2456,"value":2458,"nodeType":1293},{},[2457],{"type":1337},"create a new resource",{"data":2460,"marks":2461,"value":2462,"nodeType":1293},{},[]," giving phishing the space to breathe that it deserves. ",{"data":2464,"content":2468,"nodeType":1361},{"target":2465},{"sys":2466},{"id":2467,"type":1366,"linkType":1367},"7rK8RR8KKQ9DbBouZKnjs6",[],{"data":2470,"content":2471,"nodeType":1384},{},[],{"data":2473,"content":2474,"nodeType":1388},{},[2475],{"data":2476,"marks":2477,"value":2479,"nodeType":1293},{},[2478],{"type":1354},"How phishing has evolved",{"data":2481,"content":2482,"nodeType":1294},{},[2483],{"data":2484,"marks":2485,"value":2486,"nodeType":1293},{},[],"It’s easy to write off phishing as unsophisticated and simplistic, particularly when we think back to the first generation of phishing attacks — static HTML pages purely designed to steal your username and password, linked directly from an email. ",{"data":2488,"content":2489,"nodeType":1294},{},[2490,2494,2503],{"data":2491,"marks":2492,"value":2493,"nodeType":1293},{},[],"Modern phishing has changed a lot in the past decade or so. 
",{"data":2495,"content":2497,"nodeType":1329},{"uri":2496},"https://phishing-techniques.pushsecurity.com/techniques/aitm-phishing/",[2498],{"data":2499,"marks":2500,"value":2502,"nodeType":1293},{},[2501],{"type":1337},"MFA-bypassing  Attacker-in-the-Middle (AitM) kits",{"data":2504,"marks":2505,"value":2506,"nodeType":1293},{},[]," are table stakes — anyone can pick up a copy of Evilginx and immediately blow past most email and network security solutions on the market.  ",{"data":2508,"content":2509,"nodeType":1294},{},[2510,2514,2523,2527,2535,2539,2547],{"data":2511,"marks":2512,"value":2513,"nodeType":1293},{},[],"But the most sophisticated attacks — the ones that usually hit the headlines in the form of major breaches — are doing much more than this. The latest generation of fully customized AitM phishing kits are ",{"data":2515,"content":2517,"nodeType":1329},{"uri":2516},"https://phishing-techniques.pushsecurity.com/techniques/code-obfuscation/",[2518],{"data":2519,"marks":2520,"value":2522,"nodeType":1293},{},[2521],{"type":1337},"dynamically obfuscating the code that loads the web page",{"data":2524,"marks":2525,"value":2526,"nodeType":1293},{},[],", implementing ",{"data":2528,"content":2529,"nodeType":1329},{"uri":1609},[2530],{"data":2531,"marks":2532,"value":2534,"nodeType":1293},{},[2533],{"type":1337},"bot protection through custom CAPTCHA",{"data":2536,"marks":2537,"value":2538,"nodeType":1293},{},[],", and using ",{"data":2540,"content":2541,"nodeType":1329},{"uri":2130},[2542],{"data":2543,"marks":2544,"value":2546,"nodeType":1293},{},[2545],{"type":1337},"runtime anti-analysis features",{"data":2548,"marks":2549,"value":2550,"nodeType":1293},{},[],", making them increasingly difficult to detect by the tools most enterprises are using to combat the problem. 
",{"data":2552,"content":2553,"nodeType":1294},{},[2554,2558,2567,2571,2580,2584,2592],{"data":2555,"marks":2556,"value":2557,"nodeType":1293},{},[],"The techniques used by attackers to deliver phishing lures are also more sophisticated. Groups like Scattered Spider have been seen using ",{"data":2559,"content":2561,"nodeType":1329},{"uri":2560},"https://phishing-techniques.pushsecurity.com/techniques/malvertising/",[2562],{"data":2563,"marks":2564,"value":2566,"nodeType":1293},{},[2565],{"type":1337},"malvertising",{"data":2568,"marks":2569,"value":2570,"nodeType":1293},{},[]," techniques, delivering phishing links via paid Google ads, while phishing campaigns are frequently encountered in ",{"data":2572,"content":2574,"nodeType":1329},{"uri":2573},"https://phishing-techniques.pushsecurity.com/techniques/instant-messenger/",[2575],{"data":2576,"marks":2577,"value":2579,"nodeType":1293},{},[2578],{"type":1337},"IM apps",{"data":2581,"marks":2582,"value":2583,"nodeType":1293},{},[]," (such as Slack and Teams), as well as ",{"data":2585,"content":2586,"nodeType":1329},{"uri":1533},[2587],{"data":2588,"marks":2589,"value":2591,"nodeType":1293},{},[2590],{"type":1337},"public messaging services",{"data":2593,"marks":2594,"value":2595,"nodeType":1293},{},[]," like LinkedIn messenger and Reddit — bypassing email altogether. 
",{"data":2597,"content":2598,"nodeType":1294},{},[2599,2603,2612,2616,2625],{"data":2600,"marks":2601,"value":2602,"nodeType":1293},{},[],"The latest trends indicate that attackers are responding to increasingly hardened IdP/SSO configuration by using alternative phishing techniques that circumvent MFA and passkeys, either by ",{"data":2604,"content":2606,"nodeType":1329},{"uri":2605},"https://phishing-techniques.pushsecurity.com/techniques/mfa-downgrade/",[2607],{"data":2608,"marks":2609,"value":2611,"nodeType":1293},{},[2610],{"type":1337},"downgrading to a backup (less secure) authentication method",{"data":2613,"marks":2614,"value":2615,"nodeType":1293},{},[],", or sidestepping the legitimate auth process entirely through methods like ",{"data":2617,"content":2619,"nodeType":1329},{"uri":2618},"https://phishing-techniques.pushsecurity.com/techniques/consent-phishing/",[2620],{"data":2621,"marks":2622,"value":2624,"nodeType":1293},{},[2623],{"type":1337},"consent phishing",{"data":2626,"marks":2627,"value":1340,"nodeType":1293},{},[],{"data":2629,"content":2630,"nodeType":1294},{},[2631,2635,2644],{"data":2632,"marks":2633,"value":2634,"nodeType":1293},{},[],"Attackers have also realized how much valuable data exists in Shadow SaaS highlighted by major SaaS breaches impacting apps like Snowflake. This is driving ",{"data":2636,"content":2638,"nodeType":1329},{"uri":2637},"https://phishing-techniques.pushsecurity.com/techniques/saas-admins/",[2639],{"data":2640,"marks":2641,"value":2643,"nodeType":1293},{},[2642],{"type":1337},"broader targeting against apps like Slack, Mailchimp, Postman, GitHub, and other commonly-used business apps directly",{"data":2645,"marks":2646,"value":2647,"nodeType":1293},{},[]," — bypassing IdPs (MS, Google, Okta, etc.) 
that typically have more robust authentication controls in place.",{"data":2649,"content":2653,"nodeType":1361},{"target":2650},{"sys":2651},{"id":2652,"type":1366,"linkType":1367},"1II2kHyOZcShLsexx1TAgy",[],{"data":2655,"content":2656,"nodeType":1384},{},[],{"data":2658,"content":2659,"nodeType":1388},{},[2660],{"data":2661,"marks":2662,"value":2664,"nodeType":1293},{},[2663],{"type":1354},"Using the phishing detection evasion techniques matrix",{"data":2666,"content":2667,"nodeType":1294},{},[2668],{"data":2669,"marks":2670,"value":2671,"nodeType":1293},{},[],"With so much attacker innovation happening in the phishing space, it’s tricky for security teams and solution vendors to have a big picture view of the subtle changes attackers are making to their phishing attacks, and precisely why they’re doing it — or more specifically, which detection techniques they’re evading. ",{"data":2673,"content":2674,"nodeType":1294},{},[2675],{"data":2676,"marks":2677,"value":2678,"nodeType":1293},{},[],"If you look at one of the many phishing kit teardowns found in security blogs online (including our own) it can be hard to see the wood for the trees when it comes to understanding why a phishing page behaves in the way it does — why is it behaving in this way? What control exactly is this trying to get around? ",{"data":2680,"content":2681,"nodeType":1294},{},[2682],{"data":2683,"marks":2684,"value":2685,"nodeType":1293},{},[],"By creating a simple framework breaking down the categories of a phishing attack into phases, each with its own specific attacker objective, we can better understand phishing kit behavior and track meaningful changes over time. This ensures that we understand how we need to adapt as an industry in order to detect and block these attacks. 
",{"data":2687,"content":2688,"nodeType":1294},{},[2689],{"data":2690,"marks":2691,"value":2692,"nodeType":1293},{},[],"The matrix covers the following categories:",{"data":2694,"content":2695,"nodeType":2421},{},[2696,2711,2726,2741,2756,2771,2786,2801],{"data":2697,"content":2698,"nodeType":2410},{},[2699],{"data":2700,"content":2701,"nodeType":1294},{},[2702,2707],{"data":2703,"marks":2704,"value":2706,"nodeType":1293},{},[2705],{"type":1354},"Phase 1: Targeting",{"data":2708,"marks":2709,"value":2710,"nodeType":1293},{},[]," — Identifying apps and users to evade security controls and achieve the shortest time-to-impact of a phishing attack. ",{"data":2712,"content":2713,"nodeType":2410},{},[2714],{"data":2715,"content":2716,"nodeType":1294},{},[2717,2722],{"data":2718,"marks":2719,"value":2721,"nodeType":1293},{},[2720],{"type":1354},"Phase 2: Link delivery",{"data":2723,"marks":2724,"value":2725,"nodeType":1293},{},[]," — Deliver links using phishing vectors that evade traditional security controls. ",{"data":2727,"content":2728,"nodeType":2410},{},[2729],{"data":2730,"content":2731,"nodeType":1294},{},[2732,2737],{"data":2733,"marks":2734,"value":2736,"nodeType":1293},{},[2735],{"type":1354},"Phase 3: Link camouflage",{"data":2738,"marks":2739,"value":2740,"nodeType":1293},{},[]," — Masking malicious links to prevent detection at the email, network proxy, or safe browsing layer. 
",{"data":2742,"content":2743,"nodeType":2410},{},[2744],{"data":2745,"content":2746,"nodeType":1294},{},[2747,2752],{"data":2748,"marks":2749,"value":2751,"nodeType":1293},{},[2750],{"type":1354},"Phase 4: TI evasion ",{"data":2753,"marks":2754,"value":2755,"nodeType":1293},{},[],"— Preventing TI feeds from flagging and blocking known-bad domains by masking or changing elements likely to be flagged.",{"data":2757,"content":2758,"nodeType":2410},{},[2759],{"data":2760,"content":2761,"nodeType":1294},{},[2762,2767],{"data":2763,"marks":2764,"value":2766,"nodeType":1293},{},[2765],{"type":1354},"Phase 5: Anti-analysis",{"data":2768,"marks":2769,"value":2770,"nodeType":1293},{},[]," — Techniques to defeat automated “sandbox” analysis tools by preventing security teams and bots from accessing the page.",{"data":2772,"content":2773,"nodeType":2410},{},[2774],{"data":2775,"content":2776,"nodeType":1294},{},[2777,2782],{"data":2778,"marks":2779,"value":2781,"nodeType":1293},{},[2780],{"type":1354},"Phase 6: Page obfuscation",{"data":2783,"marks":2784,"value":2785,"nodeType":1293},{},[]," — Obfuscating page elements to break detection signatures analysing page content and code. 
",{"data":2787,"content":2788,"nodeType":2410},{},[2789],{"data":2790,"content":2791,"nodeType":1294},{},[2792,2797],{"data":2793,"marks":2794,"value":2796,"nodeType":1293},{},[2795],{"type":1354},"Phase 7: Defeat MFA & CA",{"data":2798,"marks":2799,"value":2800,"nodeType":1293},{},[]," — Defeat authentication and access controls in order to successfully execute the phishing attack.",{"data":2802,"content":2803,"nodeType":2410},{},[2804],{"data":2805,"content":2806,"nodeType":1294},{},[2807,2812],{"data":2808,"marks":2809,"value":2811,"nodeType":1293},{},[2810],{"type":1354},"Phase 8: Account takeover",{"data":2813,"marks":2814,"value":2815,"nodeType":1293},{},[]," — Achieve a form of account takeover and conclude the identity attack, enabling further exploitation to take place.",{"data":2817,"content":2818,"nodeType":1294},{},[2819],{"data":2820,"marks":2821,"value":2822,"nodeType":1293},{},[],"Combining techniques and approaches from these categories is what enables attackers to bypass the majority of phishing detection controls they encounter today. You typically find that the more advanced the phishing kit / attacker, the more techniques they’ll leverage. And as phishing infrastructure becomes increasingly templated and commodified with as-a-Service or for-hire models, the average phishing attack will employ more of these measures to counter security controls. 
",{"data":2824,"content":2825,"nodeType":1384},{},[],{"data":2827,"content":2828,"nodeType":1388},{},[2829],{"data":2830,"marks":2831,"value":2833,"nodeType":1293},{},[2832],{"type":1354},"Learn more",{"data":2835,"content":2836,"nodeType":1294},{},[2837,2840,2848],{"data":2838,"marks":2839,"value":37,"nodeType":1293},{},[],{"data":2841,"content":2842,"nodeType":1329},{"uri":2452},[2843],{"data":2844,"marks":2845,"value":2847,"nodeType":1293},{},[2846],{"type":1337},"You can find the matrix here.",{"data":2849,"marks":2850,"value":37,"nodeType":1293},{},[],{"data":2852,"content":2853,"nodeType":1294},{},[2854,2858,2866],{"data":2855,"marks":2856,"value":2857,"nodeType":1293},{},[],"If you want to learn more about the research that led us to this point, and our take on how and why phishing attacks have evolved, ",{"data":2859,"content":2861,"nodeType":1329},{"uri":2860},"https://pushsecurity.com/resources/phishing-evolution",[2862],{"data":2863,"marks":2864,"value":2865,"nodeType":1293},{},[],"you can also check out our latest whitepaper. ",{"data":2867,"marks":2868,"value":37,"nodeType":1293},{},[],{"data":2870,"content":2871,"nodeType":1384},{},[],{"data":2873,"content":2874,"nodeType":1388},{},[2875],{"data":2876,"marks":2877,"value":2879,"nodeType":1293},{},[2878],{"type":1354},"Get involved!",{"data":2881,"content":2882,"nodeType":1294},{},[2883,2887,2894],{"data":2884,"marks":2885,"value":2886,"nodeType":1293},{},[],"Like the ",{"data":2888,"content":2889,"nodeType":1329},{"uri":2379},[2890],{"data":2891,"marks":2892,"value":2893,"nodeType":1293},{},[],"SaaS attack matrix",{"data":2895,"marks":2896,"value":2897,"nodeType":1293},{},[],", we’d love to see the security community using and helping us to maintain this resource to ensure it stays up to date with techniques as they evolve. 
",{"data":2899,"content":2900,"nodeType":1294},{},[2901],{"data":2902,"marks":2903,"value":2904,"nodeType":1293},{},[],"Unlike the SaaS matrix, which we’ve seen mostly leveraged by offensive security practitioners, phishing detection evasion techniques are most useful to blue teamers looking to assess current detection capabilities and understand why certain attacks got through existing defenses. ",{"data":2906,"content":2907,"nodeType":1294},{},[2908,2912,2920],{"data":2909,"marks":2910,"value":2911,"nodeType":1293},{},[],"If you’d like to add techniques you’ve observed or examples that you think demonstrate them, ",{"data":2913,"content":2915,"nodeType":1329},{"uri":2914},"https://github.com/pushsecurity/phishing-techniques",[2916],{"data":2917,"marks":2918,"value":2919,"nodeType":1293},{},[],"get involved on GitHub!",{"data":2921,"marks":2922,"value":37,"nodeType":1293},{},[],"Introducing our guide to phishing detection evasion techniques","Introducing our latest resource for security teams breaking down the techniques that modern phishing attacks are using to evade detection. 
","2025-08-06T00:00:00.000Z","phishing-detection-evasion-launch",{"items":2928},[2929,2931],{"sys":2930,"name":1306},{"id":1305},{"sys":2932,"name":1310},{"id":1309},{"items":2934},[2935],{"fullName":2936,"firstName":2937,"jobTitle":2938,"profilePicture":2939},"Jacques Louw","Jacques","Co-founder / CRO",{"url":2940},"https://images.ctfassets.net/y1cdw1ablpvd/39m8bektV23lnCRcEq0G8h/2a08f6276a50744f1a4b499b273f6bb2/Push_Founders_at_Cahoots_October_28_2022_by_Doug_Coombe-21.jpg",{"items":2942},[2943],{"fullName":2944,"firstName":2945,"jobTitle":2946,"profilePicture":2947},"Luke Jennings","Luke","Vice President, R&D",{"url":2948},"https://images.ctfassets.net/y1cdw1ablpvd/4Hosb4zKi1dA0PUyDLMe1h/27e09d894861f2196ba794037986fb08/T016S22KZ96-U02NVQM7ZD4-57761d542d83-512.jpeg",{"json":2950,"links":3551},{"data":2951,"content":2952,"nodeType":1295},{},[2953,2960,2967,2987,2994,3014,3021,3024,3032,3039,3046,3052,3059,3104,3146,3154,3161,3181,3219,3225,3232,3238,3245,3253,3284,3290,3293,3301,3321,3341,3372,3377,3380,3388,3395,3490,3493,3501,3518,3525,3532],{"data":2954,"content":2955,"nodeType":1294},{},[2956],{"data":2957,"marks":2958,"value":2959,"nodeType":1293},{},[],"Everything we do at Push is research-driven. Our detections for phishing attacks were created through hands-on analysis of phishing kits that our customers have been targeted with. This gives us a steady supply of all manner of modern Attacker-in-the-Middle phishing kits to analyze — from the classic Evilginx-style phish kit to professionalized criminal as-a-Service infrastructure. ",{"data":2961,"content":2962,"nodeType":1294},{},[2963],{"data":2964,"marks":2965,"value":2966,"nodeType":1293},{},[],"In our most recent phish kit teardown, we encountered a standard reverse-proxy clone of a Microsoft login page — nothing unusual at first glance. But increasingly, a lot of the innovation comes outside of the phishing page itself. 
",{"data":2968,"content":2969,"nodeType":1294},{},[2970,2974,2983],{"data":2971,"marks":2972,"value":2973,"nodeType":1293},{},[],"The art in detection evasion comes from being able to successfully deliver the page to a user and have them open the page without it being intercepted by an email security, proxy scanner, URL TI feed, or web analysis tool. To achieve this, the attacker found a way to redirect from a legitimate ",{"data":2975,"content":2977,"nodeType":1329},{"uri":2976},"http://outlook.office.com",[2978],{"data":2979,"marks":2980,"value":2982,"nodeType":1293},{},[2981],{"type":1337},"outlook.office.com",{"data":2984,"marks":2985,"value":2986,"nodeType":1293},{},[]," link to a phishing website. ",{"data":2988,"content":2989,"nodeType":1294},{},[2990],{"data":2991,"marks":2992,"value":2993,"nodeType":1293},{},[],"This is essentially an open redirect vulnerability — maybe not the classic example where someone has forgotten to do input sanitization on their website, but the outcome is the same.",{"data":2995,"content":2996,"nodeType":1294},{},[2997,3001,3010],{"data":2998,"marks":2999,"value":3000,"nodeType":1293},{},[],"Central to our analysis was the use of our timelines feature, ",{"data":3002,"content":3004,"nodeType":1329},{"uri":3003},"https://pushsecurity.com/blog/introducing-push-detections/",[3005],{"data":3006,"marks":3007,"value":3009,"nodeType":1293},{},[3008],{"type":1337},"part of our latest Detections feature release",{"data":3011,"marks":3012,"value":3013,"nodeType":1293},{},[],". I’m not going to talk in any detail about this, but the TL;DR is that it allows us to trace back the entire chain of browsing activity leading up to a detection — showing the full (sometimes lengthy) redirect chain from the initial link delivery source to the actual phishing page, tabs opened and closed, popup windows, forms submitted, passwords entered, and more. 
",{"data":3015,"content":3016,"nodeType":1294},{},[3017],{"data":3018,"marks":3019,"value":3020,"nodeType":1293},{},[],"First, let’s go through the steps of my investigation before looking at the findings (and the implications for phishing detection evasion techniques). ",{"data":3022,"content":3023,"nodeType":1384},{},[],{"data":3025,"content":3026,"nodeType":1388},{},[3027],{"data":3028,"marks":3029,"value":3031,"nodeType":1293},{},[3030],{"type":1354},"Investigation walkthrough",{"data":3033,"content":3034,"nodeType":1294},{},[3035],{"data":3036,"marks":3037,"value":3038,"nodeType":1293},{},[],"As I opened with, there was nothing especially notable about the phishing page itself — a standard reverse-proxy AitM page designed to intercept the user’s session as they authenticate, bypassing MFA in the process. ",{"data":3040,"content":3041,"nodeType":1294},{},[3042],{"data":3043,"marks":3044,"value":3045,"nodeType":1293},{},[],"This was not targeted delivery — employees from several customers were impacted. I’ve included an example of how one user arrived at the site below.",{"data":3047,"content":3051,"nodeType":1361},{"target":3048},{"sys":3049},{"id":3050,"type":1366,"linkType":1367},"51MnOL9XqQDkllK2Jer4S9",[],{"data":3053,"content":3054,"nodeType":1294},{},[3055],{"data":3056,"marks":3057,"value":3058,"nodeType":1293},{},[],"This one stood out to me for a few reasons. ",{"data":3060,"content":3061,"nodeType":2421},{},[3062,3072,3094],{"data":3063,"content":3064,"nodeType":2410},{},[3065],{"data":3066,"content":3067,"nodeType":1294},{},[3068],{"data":3069,"marks":3070,"value":3071,"nodeType":1293},{},[],"The user had accessed the malicious link from Google search. 
They searched “Office 265” (a typo presumably), clicked a link, and were taken to an Office login page.",{"data":3073,"content":3074,"nodeType":2410},{},[3075],{"data":3076,"content":3077,"nodeType":1294},{},[3078,3082,3090],{"data":3079,"marks":3080,"value":3081,"nodeType":1293},{},[],"The Outlook link had a number of Google Ads tracking parameters attached, meaning they clicked an ad, not an organic link — making this a ",{"data":3083,"content":3085,"nodeType":1329},{"uri":3084},"https://pushsecurity.github.io/phishing-techniques/techniques/malvertising/",[3086],{"data":3087,"marks":3088,"value":2566,"nodeType":1293},{},[3089],{"type":1337},{"data":3091,"marks":3092,"value":3093,"nodeType":1293},{},[]," attack. ",{"data":3095,"content":3096,"nodeType":2410},{},[3097],{"data":3098,"content":3099,"nodeType":1294},{},[3100],{"data":3101,"marks":3102,"value":3103,"nodeType":1293},{},[],"Another domain — bluegraintours[.]com — was in the URL path, after which they were redirected to the Microsoft-impersonating phishing site (login-microsoftonline[.]offirmtm[.]com ...). ",{"data":3105,"content":3106,"nodeType":1294},{},[3107,3111,3120,3124,3131,3135,3142],{"data":3108,"marks":3109,"value":3110,"nodeType":1293},{},[],"This got me wondering — how did they get ",{"data":3112,"content":3114,"nodeType":1329},{"uri":3113},"http://office.com",[3115],{"data":3116,"marks":3117,"value":3119,"nodeType":1293},{},[3118],{"type":1337},"office.com",{"data":3121,"marks":3122,"value":3123,"nodeType":1293},{},[]," to redirect to the phishing site, and why was the bluegraintours domain in the path of an ",{"data":3125,"content":3126,"nodeType":1329},{"uri":3113},[3127],{"data":3128,"marks":3129,"value":3119,"nodeType":1293},{},[3130],{"type":1337},{"data":3132,"marks":3133,"value":3134,"nodeType":1293},{},[]," link? 
There was no indication that an actual phishing email was interacted with; it all seemed to happen directly from the legitimate ",{"data":3136,"content":3137,"nodeType":1329},{"uri":3113},[3138],{"data":3139,"marks":3140,"value":3119,"nodeType":1293},{},[3141],{"type":1337},{"data":3143,"marks":3144,"value":3145,"nodeType":1293},{},[]," link. ",{"data":3147,"content":3148,"nodeType":1516},{},[3149],{"data":3150,"marks":3151,"value":3153,"nodeType":1293},{},[3152],{"type":1354},"Redirecting to a malicious login page via ADFS",{"data":3155,"content":3156,"nodeType":1294},{},[3157],{"data":3158,"marks":3159,"value":3160,"nodeType":1293},{},[],"From memory, I knew that the tenant name can appear in the URL when you’re accessing a specific Microsoft tenant for your organization — essentially a domain-specific landing page. ",{"data":3162,"content":3163,"nodeType":1294},{},[3164,3168,3177],{"data":3165,"marks":3166,"value":3167,"nodeType":1293},{},[],"It turns out the attacker had set up a custom Microsoft tenant with ",{"data":3169,"content":3171,"nodeType":1329},{"uri":3170},"https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/ad-fs-overview",[3172],{"data":3173,"marks":3174,"value":3176,"nodeType":1293},{},[3175],{"type":1337},"Active Directory Federation Services (ADFS)",{"data":3178,"marks":3179,"value":3180,"nodeType":1293},{},[]," configured. If you’re not familiar, ADFS is an SSO solution that is often used to connect on-premises Active Directory with cloud services like Microsoft 365 or Azure Active Directory. Because sign-in for a federated domain is handed off to whichever ADFS server the tenant owner has configured, this means Microsoft will perform the redirect to the custom malicious domain. 
",{"data":3182,"content":3183,"nodeType":1294},{},[3184,3188,3197,3201,3210,3214],{"data":3185,"marks":3186,"value":3187,"nodeType":1293},{},[],"This is strikingly similar to ",{"data":3189,"content":3191,"nodeType":1329},{"uri":3190},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/samljacking/description.md",[3192],{"data":3193,"marks":3194,"value":3196,"nodeType":1293},{},[3195],{"type":1337},"SAMLjacking",{"data":3198,"marks":3199,"value":3200,"nodeType":1293},{},[],", a technique I’ve ",{"data":3202,"content":3204,"nodeType":1329},{"uri":3203},"https://pushsecurity.com/blog/samljacking-a-poisoned-tenant/",[3205],{"data":3206,"marks":3207,"value":3209,"nodeType":1293},{},[3208],{"type":1337},"blogged about previously",{"data":3211,"marks":3212,"value":3213,"nodeType":1293},{},[]," which allows you to change the identity provider domain that an application’s users authenticate through. Attackers can change this link to their phishing page that proxies the legitimate site to phish users through legitimate sign-in links — ",{"data":3215,"marks":3216,"value":3218,"nodeType":1293},{},[3217],{"type":1354},"so I guess that makes this ADFSjacking?",{"data":3220,"content":3224,"nodeType":1361},{"target":3221},{"sys":3222},{"id":3223,"type":1366,"linkType":1367},"3BXyDhMC69355gLRqyIwQP",[],{"data":3226,"content":3227,"nodeType":1294},{},[3228],{"data":3229,"marks":3230,"value":3231,"nodeType":1293},{},[],"I had initially assumed that bluegraintours was a legitimate website that had been compromised by the attacker and used as a redirect, which is pretty common behavior for threat groups. However, it turns out that it’s actually a fake website that the attackers have probably vibe-coded. 
",{"data":3233,"content":3237,"nodeType":1361},{"target":3234},{"sys":3235},{"id":3236,"type":1366,"linkType":1367},"1hnWJ0jgsPqRELDqUeFzf3",[],{"data":3239,"content":3240,"nodeType":1294},{},[3241],{"data":3242,"marks":3243,"value":3244,"nodeType":1293},{},[],"It’s worth noting that this isn’t something that the phishing victim would see as part of the attack — it’s purely used as an invisible redirect. This is most likely to be an attempt to mask the nature of the domain for domain categorization purposes, which is typical for proxy-based solutions to prevent users from browsing to unapproved things — this way, automated scanners will classify it as a travel blog. ",{"data":3246,"content":3247,"nodeType":1516},{},[3248],{"data":3249,"marks":3250,"value":3252,"nodeType":1293},{},[3251],{"type":1354},"Conditional loading interrupted the page analysis",{"data":3254,"content":3255,"nodeType":1294},{},[3256,3260,3269,3273,3280],{"data":3257,"marks":3258,"value":3259,"nodeType":1293},{},[],"While the user was taken to the phishing page at the end of the chain, ",{"data":3261,"content":3263,"nodeType":1329},{"uri":3262},"https://pushsecurity.github.io/phishing-techniques/techniques/conditional-loading/",[3264],{"data":3265,"marks":3266,"value":3268,"nodeType":1293},{},[3267],{"type":1337},"conditional loading",{"data":3270,"marks":3271,"value":3272,"nodeType":1293},{},[]," restrictions prevented us from recreating the full attack flow when loading the initial link clicked by the user. This happens when certain conditions of the page load aren’t met. Because the kit decides I’m not a valid target, I’m redirected back to ",{"data":3274,"content":3275,"nodeType":1329},{"uri":3113},[3276],{"data":3277,"marks":3278,"value":3119,"nodeType":1293},{},[3279],{"type":1337},{"data":3281,"marks":3282,"value":3283,"nodeType":1293},{},[],". However, we were able to skip ahead and bypass the conditional loading to access the phishing server directly. 
",{"data":3285,"content":3289,"nodeType":1361},{"target":3286},{"sys":3287},{"id":3288,"type":1366,"linkType":1367},"68rW6CHJOJ2u3mCc08lGvZ",[],{"data":3291,"content":3292,"nodeType":1384},{},[],{"data":3294,"content":3295,"nodeType":1388},{},[3296],{"data":3297,"marks":3298,"value":3300,"nodeType":1293},{},[3299],{"type":1354},"Key takeaways",{"data":3302,"content":3303,"nodeType":1294},{},[3304,3308,3317],{"data":3305,"marks":3306,"value":3307,"nodeType":1293},{},[],"While this isn’t a vulnerability per se, the ability for attackers to add their own Microsoft ADFS server to host their phishing page and have Microsoft redirect to it is a concerning development that will make URL-based detections even more challenging than they already are. ",{"data":3309,"content":3311,"nodeType":1329},{"uri":3310},"https://pushsecurity.github.io/phishing-techniques/techniques/trusted-website-hosting/",[3312],{"data":3313,"marks":3314,"value":3316,"nodeType":1293},{},[3315],{"type":1337},"Hosting phishing links on trusted third-party websites",{"data":3318,"marks":3319,"value":3320,"nodeType":1293},{},[]," is a highly effective way of both bypassing URL-based detections and implementing layers of obfuscation in their phishing delivery chain that can break automated analysis tools.  ",{"data":3322,"content":3323,"nodeType":1294},{},[3324,3328,3337],{"data":3325,"marks":3326,"value":3327,"nodeType":1293},{},[],"This is basically the equivalent to ",{"data":3329,"content":3331,"nodeType":1329},{"uri":3330},"http://outlook.com",[3332],{"data":3333,"marks":3334,"value":3336,"nodeType":1293},{},[3335],{"type":1337},"Outlook.com",{"data":3338,"marks":3339,"value":3340,"nodeType":1293},{},[]," having an open redirect vulnerability, which would be a huge deal in the eyes of most security practitioners. 
In practice, it’s a little harder for the average attacker to make use of this, but anyone that is willing to create a Microsoft tenant and set up ADFS could create similar phishing infrastructure — which only requires passing a credit card check. ",{"data":3342,"content":3343,"nodeType":1294},{},[3344,3348,3355,3359,3368],{"data":3345,"marks":3346,"value":3347,"nodeType":1293},{},[],"The other notable component to this attack is the use of ",{"data":3349,"content":3350,"nodeType":1329},{"uri":3084},[3351],{"data":3352,"marks":3353,"value":2566,"nodeType":1293},{},[3354],{"type":1337},{"data":3356,"marks":3357,"value":3358,"nodeType":1293},{},[]," as the lure delivery channel. This is a trend we spotted recently with ",{"data":3360,"content":3362,"nodeType":1329},{"uri":3361},"https://pushsecurity.com/blog/investigating-a-recent-malvertising-campaign-targeting-onfido-customers/",[3363],{"data":3364,"marks":3365,"value":3367,"nodeType":1293},{},[3366],{"type":1337},"Scattered Spider’s use of Onfido-based malvertising lures",{"data":3369,"marks":3370,"value":3371,"nodeType":1293},{},[],". Malvertising is a great way for attackers to sidestep phishing controls placed at the email layer (where the majority are) and, as in this case, can create a highly-convincing and difficult-to-spot phishing scenario.  
",{"data":3373,"content":3376,"nodeType":1361},{"target":3374},{"sys":3375},{"id":1696,"type":1366,"linkType":1367},[],{"data":3378,"content":3379,"nodeType":1384},{},[],{"data":3381,"content":3382,"nodeType":1388},{},[3383],{"data":3384,"marks":3385,"value":3387,"nodeType":1293},{},[3386],{"type":1354},"Detection recommendations",{"data":3389,"content":3390,"nodeType":1294},{},[3391],{"data":3392,"marks":3393,"value":3394,"nodeType":1293},{},[],"There are a couple of tool-agnostic hardening options that can be used to limit exposure to the specifics of this attack:",{"data":3396,"content":3397,"nodeType":2421},{},[3398,3408,3429],{"data":3399,"content":3400,"nodeType":2410},{},[3401],{"data":3402,"content":3403,"nodeType":1294},{},[3404],{"data":3405,"marks":3406,"value":3407,"nodeType":1293},{},[],"Monitoring for ADFS redirects in proxy logs that could be malicious, i.e. login.microsoftonline.com redirecting to another domain with /adfs/ls/ in the path. Many organizations do not use ADFS at all, while those that do should be able to filter out the legitimate redirects to their own ADFS domain relatively easily. ",{"data":3409,"content":3410,"nodeType":2410},{},[3411],{"data":3412,"content":3413,"nodeType":1294},{},[3414,3418,3425],{"data":3415,"marks":3416,"value":3417,"nodeType":1293},{},[],"Monitoring for Google redirects to ",{"data":3419,"content":3420,"nodeType":1329},{"uri":3113},[3421],{"data":3422,"marks":3423,"value":3119,"nodeType":1293},{},[3424],{"type":1337},{"data":3426,"marks":3427,"value":3428,"nodeType":1293},{},[]," with Google ad parameters for more specific detection of malvertising + ADFS hijacking as in this example. 
",{"data":3430,"content":3431,"nodeType":2410},{},[3432],{"data":3433,"content":3434,"nodeType":1294},{},[3435,3439,3448,3452,3461,3464,3473,3477,3486],{"data":3436,"marks":3437,"value":3438,"nodeType":1293},{},[],"Deploying ad blockers to all of your browsers to stop malvertising attacks — though this only serves to tackle one of the several possible delivery vectors, such as links delivered using ",{"data":3440,"content":3442,"nodeType":1329},{"uri":3441},"https://pushsecurity.github.io/phishing-techniques/techniques/email-legitimate-app/",[3443],{"data":3444,"marks":3445,"value":3447,"nodeType":1293},{},[3446],{"type":1337},"legitimate third-party services",{"data":3449,"marks":3450,"value":3451,"nodeType":1293},{},[],", ",{"data":3453,"content":3455,"nodeType":1329},{"uri":3454},"https://pushsecurity.github.io/phishing-techniques/techniques/social-media/",[3456],{"data":3457,"marks":3458,"value":3460,"nodeType":1293},{},[3459],{"type":1337},"social media",{"data":3462,"marks":3463,"value":3451,"nodeType":1293},{},[],{"data":3465,"content":3467,"nodeType":1329},{"uri":3466},"https://pushsecurity.github.io/phishing-techniques/techniques/instant-messenger/",[3468],{"data":3469,"marks":3470,"value":3472,"nodeType":1293},{},[3471],{"type":1337},"instant messenger",{"data":3474,"marks":3475,"value":3476,"nodeType":1293},{},[],", or ",{"data":3478,"content":3480,"nodeType":1329},{"uri":3479},"https://pushsecurity.github.io/phishing-techniques/techniques/email-attachment/",[3481],{"data":3482,"marks":3483,"value":3485,"nodeType":1293},{},[3484],{"type":1337},"email attachment",{"data":3487,"marks":3488,"value":3489,"nodeType":1293},{},[],". (This is one of the limitations of focusing on specific delivery mechanisms — attackers have more to choose from than ever before. It’s not just an email problem). 
",{"data":3491,"content":3492,"nodeType":1384},{},[],{"data":3494,"content":3495,"nodeType":1388},{},[3496],{"data":3497,"marks":3498,"value":3500,"nodeType":1293},{},[3499],{"type":1354},"Learn more about Push",{"data":3502,"content":3503,"nodeType":1294},{},[3504,3508,3514],{"data":3505,"marks":3506,"value":3507,"nodeType":1293},{},[],"Push doesn’t detect the redirect tricks, or relies on outdated domain TI feeds. It doesn’t matter what ",{"data":3509,"content":3510,"nodeType":1329},{"uri":1331},[3511],{"data":3512,"marks":3513,"value":1720,"nodeType":1293},{},[],{"data":3515,"marks":3516,"value":3517,"nodeType":1293},{},[],", Push detects and blocks attacks by identifying the attack in real time, as the user loads the page in their web browser.",{"data":3519,"content":3520,"nodeType":1294},{},[3521],{"data":3522,"marks":3523,"value":3524,"nodeType":1293},{},[],"Push’s browser-based security platform provides comprehensive identity attack detection and response capabilities against techniques like AiTM phishing, credential stuffing, password spraying, and session hijacking using stolen session tokens. 
",{"data":3526,"content":3527,"nodeType":1294},{},[3528],{"data":3529,"marks":3530,"value":3531,"nodeType":1293},{},[],"You can also use Push to find and fix identity vulnerabilities across every app that your employees use, including ghost logins; SSO coverage gaps; MFA gaps; weak, breached and reused passwords; risky OAuth integrations; and more.",{"data":3533,"content":3534,"nodeType":1294},{},[3535,3539,3548],{"data":3536,"marks":3537,"value":3538,"nodeType":1293},{},[],"If you want to learn more about how Push helps you to detect and defeat common identity attack techniques, ",{"data":3540,"content":3542,"nodeType":1329},{"uri":3541},"https://pushsecurity.com/demo/",[3543],{"data":3544,"marks":3545,"value":3547,"nodeType":1293},{},[3546],{"type":1337},"request a demo.",{"data":3549,"marks":3550,"value":37,"nodeType":1293},{},[],{"entries":3552},{"hyperlink":3553,"inline":3554,"block":3555},[],[],[3556,3564,3571,3577,3583],{"sys":3557,"__typename":3558,"title":3559,"caption":3559,"layoutMode":118,"file":3560},{"id":3050},"Image","Timeline from the detection event — in this case, the control was configured in “monitor” mode, so it was not automatically blocked. 
",{"url":3561,"width":3562,"height":3563},"https://images.ctfassets.net/y1cdw1ablpvd/40mzFhR7ZwbsVhuVQBPtmo/ffb413710cdcde1879b1246b140528da/image4.png",1818,1536,{"sys":3565,"__typename":3558,"title":3566,"caption":3566,"layoutMode":118,"file":3567},{"id":3223},"The authorization request being passed to the ADFS server for bluegraintours.",{"url":3568,"width":3569,"height":3570},"https://images.ctfassets.net/y1cdw1ablpvd/29R1ECNuEmmzH61DIdZPNL/011f52d836662fb9e384880718ee6588/image2.png",1999,818,{"sys":3572,"__typename":3558,"title":3573,"caption":3573,"layoutMode":118,"file":3574},{"id":3236},"Screen capture of the bluegraintours site, includes a fake blog with entries from \"John Doe\" and \"Jane Smith\" as well as fake addresses which were definite giveaways that this is a fake, likely AI-generated site.",{"url":3575,"width":3569,"height":3576},"https://images.ctfassets.net/y1cdw1ablpvd/1W3XqoHwF8BrQ71EbiG0MH/a07ca08d9c4395007104109466b9a336/image1.png",861,{"sys":3578,"__typename":3558,"title":3579,"caption":3579,"layoutMode":118,"file":3580},{"id":3288},"The very standard-looking malicious Microsoft login page. ",{"url":3581,"width":3569,"height":3582},"https://images.ctfassets.net/y1cdw1ablpvd/4kchCJSXKscISpZir2PJA9/4eb30043165a6a6ad27a7c74326832a5/image3.png",1320,{"sys":3584,"__typename":3585,"type":3586,"ctaText":3587,"buttonLabel":3588,"buttonColour":3589,"buttonUrl":3590},{"id":1696},"CtaWidget","Custom","Learn how phishing evolved in 2025, showcasing the most sophisticated attacks and key trends uncovered by Push researchers","Register Now","sunny orange","https://pushsecurity.com/webinar/phishing-2025-review","content:blog:phishing-with-active-directory-federation-services.json","json","content","blog/phishing-with-active-directory-federation-services.json","blog/phishing-with-active-directory-federation-services",1776359983586]