[{"data":1,"prerenderedAt":4194},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":95,"use-case-page":155,"blog/scattered-lapsus-hunters":1175},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8,59,76],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":14,"data":15,"variations":50,"lastUpdated":51,"firstPublished":52,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":54,"meta":55,"rev":58},1742213002749,"efff2a27faf4408e9f908eba4b5542fe","inductive-automation","1c6207a5f24948ab82d4a0b17f251193","published",[],{"testimonial":16,"description":43,"type":19,"link":44,"title":47,"testimonialLink":48,"image":49},{"@type":17,"id":18,"model":19,"value":20},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79","testimonial",{"query":21,"folders":22,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":26,"variations":30,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":35,"rev":42},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":27,"jobTitle":28,"quote":24,"image":29},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,1,"ST0tXQM8slWpFrmioqKHmENB2qe2",{"kind":36,"lastPreviewUrl":37,"breakpoints":38,"hasAutosaves":41},"data","",{"small":39,"medium":40},640,768,true,"n0c69wxpcx","Join the industry's top security minds as they break down the browser attack landscape.",{"url":45,"text":46},"https://pushsecurity.com/webinar/state-of-browser-security","Save Your Spot","State of Browser Attacks 
Series","/customer-stories/inductive-automation","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe94fca10aa7b46ac8052b7ea22de54cd",{},1776257019270,1742221533648,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2",[],{"breakpoints":56,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},320,"brpv9ps5x2",{"createdDate":60,"id":61,"name":62,"modelId":12,"published":13,"query":63,"data":64,"variations":69,"lastUpdated":70,"firstPublished":71,"testRatio":33,"createdBy":53,"lastUpdatedBy":72,"folders":73,"meta":74,"rev":58},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner",[],{"type":65,"url":66,"text":67,"link":68},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,"jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":36,"lastPreviewUrl":37,"breakpoints":75,"hasAutosaves":41},{"xsmall":57,"small":39,"medium":40},{"createdDate":77,"id":78,"name":79,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":80,"data":81,"variations":89,"lastUpdated":90,"firstPublished":91,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":92,"meta":93,"rev":58},1742208469288,"6763051b201f44a0838c6400c580ca67","Resource highlight",[],{"image":82,"type":83,"description":84,"link":85,"title":88},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9","resource","Learn about the latest techniques being used in the wild.",{"url":86,"text":87},"/resources/browser-attacks-report","Download now","Report: 2026 Browser Attack 
Techniques",{},1776255866789,1742208570400,[],{"kind":36,"lastPreviewUrl":37,"breakpoints":94,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},{"createdDate":96,"id":97,"name":98,"modelId":99,"published":13,"query":100,"data":101,"variations":145,"lastUpdated":146,"firstPublished":147,"testRatio":33,"createdBy":34,"lastUpdatedBy":148,"folders":149,"meta":150,"rev":154},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":102,"text":103,"url":37,"blocks":104,"state":141},"ewrererw","testrfesssssssssss",[105,129],{"@type":106,"@version":107,"id":108,"component":109,"responsiveStyles":119},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":110,"tag":110,"options":111,"isRSC":118},"TopBannerContent",{"text":112,"ctaText":46,"url":45,"mainText":113,"cta":116},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks",{"content":114,"fontSize":115},"\u003Cp>New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks\u003C/p>","text-base",{"content":117,"fontSize":115,"url":45},"\u003Cp>\u003Cstrong style=\"font-weight:700;\">Save Your 
Spot\u003C/strong>\u003C/p>\n",null,{"large":120},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"marginTop":126,"marginBottom":126,"fontSize":127,"fontWeight":128},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"id":130,"@type":106,"tagName":131,"properties":132,"responsiveStyles":136},"builder-pixel-dloynz89rbq","img",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":137},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},"block","hidden","none",{"deviceSize":142,"location":143},"large",{"path":37,"query":144},{},{},1775137295127,1774968080803,"ax7YYfD0OCeqT1Vxxv1G4FUbqVr1",[],{"breakpoints":151,"hasLinks":6,"kind":152,"lastPreviewUrl":153,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests%2CmergePullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default","vvf0k1j1pre",[156,340,459,578,696,816,936,1056],{"createdDate":157,"id":158,"name":159,"modelId":160,"published":13,"stageModifiedSincePublish":6,"query":161,"data":167,"variations":328,"lastUpdated":329,"firstPublished":330,"testRatio":33,"screenshot":331,"creat
edBy":34,"lastUpdatedBy":332,"folders":333,"meta":334,"rev":339},1744829487099,"387451215c314dd5bd654668cdc1a197","Zero-day phishing","cca4143377554c5a9163cc203a8ed2ba",[162],{"@type":163,"property":164,"operator":165,"value":166},"@builder.io/core:Query","urlPath","is","/uc/zero-day-phishing-protection",{"inputs":168,"customFonts":169,"seoTitle":217,"title":217,"tsCode":37,"seoDescription":218,"fontAwesomeIcon":219,"jsCode":37,"blocks":220,"url":166,"state":325},[],[170],{"family":171,"kind":172,"version":173,"lastModified":174,"files":175,"category":194,"menu":195,"subsets":196,"variants":199},"DM Sans","webfonts#webfont","v14","2023-07-13",{"100":176,"200":177,"300":178,"500":179,"600":180,"700":181,"800":182,"900":183,"800italic":184,"900italic":185,"700italic":186,"100italic":187,"italic":188,"regular":189,"200italic":190,"500italic":191,"300italic":192,"600italic":193},"https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAop1hTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwA_JxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAkJxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAfJthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwARZthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAC5thTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8gCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s
/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9uCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDG3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-7DW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat_XDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9XCm3zRmYJpso5.ttf","sans-serif","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxRT23z.ttf",[197,198],"latin","latin-ext",[200,201,202,203,204,205,128,206,207,208,209,210,211,212,213,214,215,216],"100","200","300","regular","500","600","800","900","100italic","200italic","300italic","italic","500italic","600italic","700italic","800italic","900italic","Zero-day phishing protection","Detect phishing TTPs directly in the browser and stop credential theft.","faFishingRod",[221,320],{"@type":106,"@version":107,"tagName":222,"id":223,"children":224},"div","builder-76c6b8d1499346c7bc1fd56ae4e93638",[225,242,250,257,269,284,295,306,312],{"@type":106,"@version":107,"layerName":226,"id":227,"component":228,"responsiveStyles":239},"UseCaseHero","builder-5228fe062bef4a40a91e43f1112832fa",{"name":226,"options":229,"isRSC":118},{"title":217,"description":230,"points":231,"video":238},"\u003Cp>Push detects phishing as it happens. Autonomous agents hunt for new phishing techniques, identify kit signatures, and deploy detections within minutes of a new attack being analyzed. 
From cloned login pages to AiTM credential harvesting, Push sees what traditional filters miss and stops threats before they escalate.\u003C/p>",[232,234,236],{"item":233},"Detect phishing that bypasses traditional filters, including AiTM, SSO password theft, and fake login pages",{"item":235},"Stop never-before-seen attacks with AI-native behavioral and on-page analysis inside the browser",{"item":237},"Investigate faster with unified browser, user, and page context","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F40433ceeb4f94b43a82e039a0f4fd411%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=40433ceeb4f94b43a82e039a0f4fd411&alt=media&optimized=true",{"large":240},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":241},"transparent",{"@type":106,"@version":107,"id":243,"component":244,"responsiveStyles":247},"builder-96634044407e491299e291ed64669e39",{"name":245,"options":246,"isRSC":118},"TrustedBy",{"AllPartners":41,"backgroundTransparent":6},{"large":248},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":249},"#000",{"@type":106,"@version":107,"id":251,"component":252,"responsiveStyles":255},"builder-2c3768f930534557bb8978e32b6a6a0f",{"name":253,"options":254,"isRSC":118},"Diagonal",{"darkMode":41},{"large":256},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":258,"id":259,"component":260,"responsiveStyles":267},"TextImageBlockVertical","builder-7c3c1c2840424db2ad2ccbfaf382dd64",{"name":258,"tag":258,"options":261,"isRSC":118},{"darkMode":6,"maxWidth":262,"maxTextWidth":263,"title":264,"description":265,"animatedTitle":37,"image":266,"reverse":6,"descriptionPaddingHorizontal":118},1200,800,"\u003Ch2>Why stop at the inbox?\u003C/h2>","\u003Cp>Phishing attacks have evolved. 
Whether attackers lure users with QR codes, instant messages, or OAuth consent screens, the outcome is the same: it plays out in the browser. Push gives you real-time detection for in-browser threats, stopping phishing and consent-based attacks before they lead to compromise.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7fdcac241f0e4a049166d7076858adeb",{"large":268},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":270,"component":271,"responsiveStyles":279},"builder-41c978b3669749cf947e622b4e79e4d7",{"name":272,"options":273,"isRSC":118},"TextImageBlockHorizontal",{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":275,"title":276,"description":277,"reverse":41,"image":278},600,100,"\u003Cp>Detect phishing at the edge\u003C/p>","\u003Cp>Push uses industry-first telemetry to detect phishing based on behavior, not static indicators. Autonomous agents analyze how phishing pages behave and how users interact with them, uncovering fake logins, credential theft, and phishing kits the moment they load in the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F9df3d180c97b4e61af142af2ccd68721",{"large":280},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":281,"paddingTop":282,"marginTop":283},"DM Sans, sans-serif","20px","0px",{"@type":106,"@version":107,"id":285,"component":286,"responsiveStyles":292},"builder-d2a7bc941feb43cdb898bc116b203cf9",{"name":272,"options":287,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":288,"title":289,"description":290,"reverse":6,"image":291},120,"\u003Ch2>Go beyond blocklists and IOCs\u003C/h2>","\u003Cp>Push goes beyond URLs and easy-to-change indicators. 
It reads the full phishing playbook, including script behavior, session hijacks, DOM changes, and user inputs, then connects the dots in real time. This gives your team a complete picture of how the phishing attempt worked, not just an alert.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fabfd58db169b433e96d3f1261797156e",{"large":293},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":294},"36px",{"@type":106,"@version":107,"layerName":272,"id":296,"component":297,"responsiveStyles":303},"builder-42c32198083f4880acb37c5cb76934da",{"name":272,"options":298,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":299,"title":300,"description":301,"reverse":41,"image":302},140,"\u003Ch2>Enhance your phishing response\u003C/h2>","\u003Cp>When phishing enters your environment, speed matters. Push gives you instant access to the telemetry that counts, such as session data, user behavior, and page activity, so you can investigate fast, trigger in-browser prompts, or forward alerts to your SIEM or SOAR for response. 
All in real time, right from the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fbb195aec46904056b85e8688629e558e",{"large":304},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":305},"47px",{"@type":106,"@version":107,"id":307,"component":308,"responsiveStyles":310},"builder-9a95b9cbc4854421a92ef7b90f6c7adb",{"name":253,"options":309,"isRSC":118},{"darkMode":6},{"large":311},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":313,"component":314,"responsiveStyles":318},"builder-0afa17a9f25c4661a90f314d5578aa18",{"name":315,"tag":315,"options":316,"isRSC":118},"LatestResources",{"sectionHeading":37,"customClass":317},"bg-black",{"large":319},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":321,"@type":106,"tagName":131,"properties":322,"responsiveStyles":323},"builder-pixel-h6onu0ubr9",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":324},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":326},{"path":37,"query":327},{},{},1776275046831,1745499158657,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fff60c30a8442489c8ed7e0af9599d14f","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"lastPreviewUrl":335,"winningTest":118,"breakpoints":336,"kind":337,"hasLinks":6,"originalContentId":338,"hasAutosaves":6},"https://pushsecurity.com/uc/zero-day-phishing-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&b
uilder.overrides.use-case-page=387451215c314dd5bd654668cdc1a197&builder.overrides.387451215c314dd5bd654668cdc1a197=387451215c314dd5bd654668cdc1a197&builder.overrides.use-case-page:/uc/zero-day-phishing-protection=387451215c314dd5bd654668cdc1a197&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},"page","2daa5670b8504fc7ba4700633e8bd921","wjcv5yvqyja",{"createdDate":341,"id":342,"name":343,"modelId":160,"published":13,"stageModifiedSincePublish":6,"query":344,"data":347,"variations":451,"lastUpdated":452,"firstPublished":453,"testRatio":33,"screenshot":454,"createdBy":34,"lastUpdatedBy":332,"folders":455,"meta":456,"rev":339},1756833377777,"54f8256648f54d439303734b1e69221b","Browser extension security",[345],{"@type":163,"property":164,"operator":165,"value":346},"/uc/browser-extension-security",{"seoDescription":348,"jsCode":37,"fontAwesomeIcon":349,"tsCode":37,"title":343,"seoTitle":343,"customFonts":350,"inputs":355,"blocks":356,"url":346,"state":448},"Shine a light on risky browser extensions.","faPuzzlePiece",[351],{"kind":172,"family":171,"version":173,"files":352,"category":194,"lastModified":174,"subsets":353,"variants":354,"menu":195},{"100":176,"200":177,"300":178,"500":179,"600":180,"700":181,"800":182,"900":183,"100italic":187,"italic":188,"regular":189,"900italic":185,"800italic":184,"700italic":186,"200italic":190,"300italic":192,"500italic":191,"600italic":193},[197,198],[200,201,202,203,204,205,128,206,207,208,209,210,211,212,213,214,215,216],[],[357,443],{"@type":106,"@version":107,"tagName":222,"id":358,"meta":359,"children":360},"builder-71d0648c1d2f4ede8d0d0b5b28b7b94c",{"previousId":223},[361,377,384,391,400,410,420,430,437],{"@type":106,"@version":107,"id":362,"meta":363,"component":364,"responsiveStyles":375},"builder-ff325b4b8fad4edea53f38865947e854",{"previousId":227},{"name":226,"options":365,"isRSC":118},{"title":343,"description":366,"points":367,"video":374},"\u003Cp>Browser extensions introduce new code, new 
permissions, and new potential for risk. Many include AI features, and most go completely unnoticed. Push gives you full visibility into every extension used across your workforce, across major browsers, so you can uncover shadow IT, assess risky permissions, and block unsafe tools before they lead to compromise.\u003C/p>",[368,370,372],{"item":369},"Discover every browser extension in use",{"item":371},"Spot risky or unsanctioned behavior",{"item":373},"Make informed decisions on extension policy","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc538aad95d7f403aa3c3551af72f67c0?alt=media&token=1411fa6d-2eac-4e6c-94bf-ea117da12d67&apiKey=f3a1111ff5be48cdbb123cd9f5795a05",{"large":376},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":241},{"@type":106,"@version":107,"id":378,"meta":379,"component":380,"responsiveStyles":382},"builder-fb89d128c64e47cf9cbb11d90fc24523",{"previousId":243},{"name":245,"options":381,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":383},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":249},{"@type":106,"@version":107,"id":385,"meta":386,"component":387,"responsiveStyles":389},"builder-54388d35126c4d0096eeebaf8c4448cd",{"previousId":251},{"name":253,"options":388,"isRSC":118},{"darkMode":41},{"large":390},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":258,"id":392,"component":393,"responsiveStyles":398},"builder-3c8fa6785dd6466abf52a2470d66d85a",{"name":258,"tag":258,"options":394,"isRSC":118},{"darkMode":6,"maxWidth":262,"maxTextWidth":263,"title":395,"description":396,"image":397,"reverse":6},"\u003Ch2>Take control of browser extensions\u003C/h2>","\u003Cp>Attackers are increasingly using malicious browser extensions to gain access to data processed and stored in the browser. 
And the problem is, most security teams have no visibility into what extensions are being used. Push changes that. With browser-native telemetry, the Push extension continuously inventories browser extensions across your environment, flags the risky ones, and gives you intelligence to act.&nbsp;\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0a004f16a6874f4c8fdf14344acc9fec",{"large":399},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":401,"meta":402,"component":403,"responsiveStyles":408},"builder-93738f98109a4009affb349afd7bb182",{"previousId":270},{"name":272,"options":404,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":275,"title":405,"description":406,"reverse":41,"image":407},"\u003Ch2>Discover every extension in use\u003C/h2>","\u003Cp>Push gives you structured, searchable data about every extension in your environment, so you’re not just seeing what’s there, but also understanding how it got there, what it can do, and who it affects. 
It’s the kind of granular insight that’s nearly impossible to get from traditional tools, and it lays the groundwork for better policy decisions and faster investigations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0e5727ca99474f14b1b7916bf6bbb782",{"large":409},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":281,"paddingTop":282,"marginTop":283},{"@type":106,"@version":107,"id":411,"meta":412,"component":413,"responsiveStyles":418},"builder-83393acb12ee4fdd840839185b51edb4",{"previousId":285},{"name":272,"options":414,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":288,"title":415,"description":416,"reverse":6,"image":417},"\u003Ch2>Spot risky or malicious extensions\u003C/h2>","\u003Cp>Push highlights extensions with dangerous permissions, broad access, or poor reputations. This includes AI extensions that request access far beyond what their stated purpose requires. You can quickly detect sideloaded, manually installed, or development-mode extensions that bypass normal controls. And because Push shows you who’s using them and where, you can respond precisely and effectively.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa104d58c8da34fbb8901f738fb21453b",{"large":419},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":294},{"@type":106,"@version":107,"layerName":272,"id":421,"meta":422,"component":423,"responsiveStyles":428},"builder-da98e3de949646d89c53a0d1c2784664",{"previousId":296},{"name":272,"options":424,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":299,"title":425,"description":426,"reverse":41,"image":427},"\u003Ch2>Accelerate security reviews\u003C/h2>","\u003Cp>Most teams have extension policies, they just don’t have the data to enforce them. 
Push reveals how each extension entered your environment, whether it was installed manually, sideloaded, or deployed in dev mode. You’ll see which users are running what, and where, so you can surface violations, investigate quickly, and respond with confidence.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F229f355be6f243b180f410d237a75bb3",{"large":429},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":305},{"@type":106,"@version":107,"id":431,"meta":432,"component":433,"responsiveStyles":435},"builder-1a689287d1a1418997d57db578a71105",{"previousId":307},{"name":253,"options":434,"isRSC":118},{"darkMode":6},{"large":436},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":438,"component":439,"responsiveStyles":441},"builder-feb4e75029f84c10b6498ef1f8f79128",{"name":315,"tag":315,"options":440,"isRSC":118},{"sectionHeading":37,"customClass":317},{"large":442},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":444,"@type":106,"tagName":131,"properties":445,"responsiveStyles":446},"builder-pixel-jc4lv2mnufo",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":447},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":449},{"path":37,"query":450},{},{},1776275365038,1757000441666,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8d496cf111644ee5afcc046b72d1ca5a",[],{"kind":337,"winningTest":118,"breakpoints":457,"lastPreviewUrl":458,"hasLinks":6,"originalContentId":158,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/browser-extension-security?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2Ccr
eateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=54f8256648f54d439303734b1e69221b&builder.overrides.54f8256648f54d439303734b1e69221b=54f8256648f54d439303734b1e69221b&builder.overrides.use-case-page:/uc/browser-extension-security=54f8256648f54d439303734b1e69221b&builder.options.locale=Default",{"createdDate":460,"id":461,"name":462,"modelId":160,"published":13,"query":463,"data":466,"variations":569,"lastUpdated":570,"firstPublished":571,"testRatio":33,"screenshot":572,"createdBy":34,"lastUpdatedBy":573,"folders":574,"meta":575,"rev":339},1744923509705,"94bebb7bb99d48629ad157e80cf4d81d","Account takeover detection",[464],{"@type":163,"property":164,"operator":165,"value":465},"/uc/account-takeover-detection",{"title":462,"customFonts":467,"jsCode":37,"seoTitle":462,"seoDescription":472,"fontAwesomeIcon":473,"tsCode":37,"blocks":474,"url":465,"state":566},[468],{"kind":172,"category":194,"variants":469,"menu":195,"files":470,"family":171,"subsets":471,"version":173,"lastModified":174},[200,201,202,203,204,205,128,206,207,208,209,210,211,212,213,214,215,216],{"100":176,"200":177,"300":178,"500":179,"600":180,"700":181,"800":182,"900":183,"300italic":192,"500italic":191,"800italic":184,"700italic":186,"italic":188,"900italic":185,"600italic":193,"200italic":190,"regular":189,"100italic":187},[197,198],"Stop ATO with stolen credential and compromised token 
detection.","faUserSecret",[475,561],{"@type":106,"@version":107,"tagName":222,"id":476,"meta":477,"children":478},"builder-e7913a774cae44c5a23d6081c5c30a52",{"previousId":223},[479,495,502,509,518,528,538,548,555],{"@type":106,"@version":107,"id":480,"meta":481,"component":482,"responsiveStyles":493},"builder-f1f1ab1601bc4c0f8c2a8aafd173675d",{"previousId":227},{"name":226,"options":483,"isRSC":118},{"title":462,"description":484,"points":485,"video":492},"\u003Cp>Attackers don’t need to phish, they just need a password that works. Push monitors for signs of credential-based attacks in real time, directly in the browser, catching account takeover attempts before the damage spreads. From ghost logins to credential stuffing, Push cuts off the paths attackers use to quietly slip in the back door.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[486,488,490],{"item":487},"Identify credential-based ATO as it unfolds",{"item":489},"Surface hijacked sessions and token misuse",{"item":491},"Strengthen authentication where your IdP 
can’t","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb4dd9db24bc9495b8a686b1b4d492016%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=b4dd9db24bc9495b8a686b1b4d492016&alt=media&optimized=true",{"large":494},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":241},{"@type":106,"@version":107,"id":496,"meta":497,"component":498,"responsiveStyles":500},"builder-0bc0d1c78ece4994993c3a6427a4d533",{"previousId":243},{"name":245,"options":499,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":501},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":249},{"@type":106,"@version":107,"id":503,"meta":504,"component":505,"responsiveStyles":507},"builder-e45de8f3768c4f16938dbf78e4e87524",{"previousId":251},{"name":253,"options":506,"isRSC":118},{"darkMode":41},{"large":508},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":510,"component":511,"responsiveStyles":516},"builder-c98e8bfd341146c1b67c02d5698ff093",{"name":258,"tag":258,"options":512,"isRSC":118},{"darkMode":6,"maxWidth":262,"maxTextWidth":263,"title":513,"description":514,"image":515,"reverse":6},"\u003Ch2>Assume less. See more.\u003C/h2>","\u003Cp>Most account takeovers don’t start with a breach, they start with a login. Whether it’s a reused password, a local account, or an outdated login flow, Push shows you how accounts are actually accessed day to day, not just how policies say they should be. 
That means no more blind spots around ghost logins, bypassed SSO, or stale access paths that quietly persist.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F18630ad2746d4eb7b7fcc0428b11a8f0",{"large":517},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":519,"meta":520,"component":521,"responsiveStyles":526},"builder-55c1fc38ddc04fd1a0d6a8e2fb819e00",{"previousId":270},{"name":272,"options":522,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":275,"title":523,"description":524,"reverse":41,"image":525},"\u003Ch2>Catch stolen credential use in real time\u003C/h2>","\u003Cp>Push monitors login activity directly in the browser to detect signs of credential-based attacks like leaked password use or suspicious login flows. By analyzing attacker TTPs instead of relying on known indicators, Push spots credential stuffing and account takeover attempts the moment they begin, not after they’ve succeeded.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F52b0123cac2c4dfdb1dc0af6adf9d603",{"large":527},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":281,"paddingTop":283,"marginTop":283},{"@type":106,"@version":107,"id":529,"meta":530,"component":531,"responsiveStyles":536},"builder-dfb31737b30948c6b95323655d571a50",{"previousId":285},{"name":272,"options":532,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":288,"title":533,"description":534,"reverse":6,"image":535},"\u003Ch2>Detect session hijacks and stealth access\u003C/h2>","\u003Cp>Attackers don’t always need a login screen, they often sidestep it entirely using stolen session tokens. 
Push detects when valid sessions are reused in unexpected ways, identifying hijacked sessions and stealth access attempts that traditional tools miss. Because we monitor directly in the browser, you see what’s happening inside active sessions in real time.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F94a6859a99e04d309ffe5841f3dbdf5c",{"large":537},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":294},{"@type":106,"@version":107,"layerName":272,"id":539,"meta":540,"component":541,"responsiveStyles":546},"builder-f7585b90eb974d03a7dc7eae5b58d227",{"previousId":296},{"name":272,"options":542,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":299,"title":543,"description":544,"reverse":41,"image":545},"\u003Ch2>Harden accounts before they’re compromised\u003C/h2>","\u003Cp>Push goes beyond alerts. It identifies apps that still allow local logins, even when SSO is configured, so you can remove weak access paths. 
Push also flags users without MFA, reused work credentials, or weak passwords, and prompts users in-browser to fix risky behaviors before they’re exploited.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01c1b638f1b6497093a4f2b8ceddb5bb",{"large":547},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":305},{"@type":106,"@version":107,"id":549,"meta":550,"component":551,"responsiveStyles":553},"builder-ad81d1e3afec49a791214194eae09bdc",{"previousId":307},{"name":253,"options":552,"isRSC":118},{"darkMode":6},{"large":554},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":556,"component":557,"responsiveStyles":559},"builder-8dac1aa4b9d148628d92252bd8eff822",{"name":315,"tag":315,"options":558,"isRSC":118},{"sectionHeading":37,"customClass":317},{"large":560},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":562,"@type":106,"tagName":131,"properties":563,"responsiveStyles":564},"builder-pixel-bp9ni6h4vze",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":565},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":567},{"path":37,"query":568},{},{},1770892814499,1745499162732,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F58b660fa94aa4b30b0faeb9b663ae41a","SfUPqW5tkibIPby49keNFMdHFTr1",[],{"lastPreviewUrl":576,"hasLinks":6,"originalContentId":158,"breakpoints":577,"winningTest":118,"kind":337,"hasAutosaves":41},"https://pushsecurity.com/uc/account-takeover-detection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepo
sitory%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.94bebb7bb99d48629ad157e80cf4d81d=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.use-case-page:/uc/account-takeover-detection=94bebb7bb99d48629ad157e80cf4d81d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":579,"id":580,"name":581,"modelId":160,"published":13,"query":582,"data":585,"variations":688,"lastUpdated":689,"firstPublished":690,"testRatio":33,"screenshot":691,"createdBy":34,"lastUpdatedBy":573,"folders":692,"meta":693,"rev":339},1745009370904,"23eb48fb56d3451cab77cb6ed140ee6d","Attack path hardening",[583],{"@type":163,"property":164,"operator":165,"value":584},"/uc/attack-path-hardening",{"tsCode":37,"seoDescription":586,"jsCode":37,"customFonts":587,"fontAwesomeIcon":592,"seoTitle":581,"title":581,"blocks":593,"url":584,"state":685},"Harden access paths with visibility, detection, and 
guardrails.",[588],{"kind":172,"files":589,"version":173,"lastModified":174,"subsets":590,"menu":195,"category":194,"variants":591,"family":171},{"100":176,"200":177,"300":178,"500":179,"600":180,"700":181,"800":182,"900":183,"regular":189,"italic":188,"800italic":184,"500italic":191,"600italic":193,"200italic":190,"900italic":185,"700italic":186,"100italic":187,"300italic":192},[197,198],[200,201,202,203,204,205,128,206,207,208,209,210,211,212,213,214,215,216],"faRadar",[594,680],{"@type":106,"@version":107,"tagName":222,"id":595,"meta":596,"children":597},"builder-1d8553eddcaa44d7bba9e2f4ca13af2a",{"previousId":476},[598,614,621,628,637,647,657,667,674],{"@type":106,"@version":107,"id":599,"meta":600,"component":601,"responsiveStyles":612},"builder-84fe3d7c85a743cf8cef649aa974f1ef",{"previousId":480},{"name":226,"options":602,"isRSC":118},{"title":581,"description":603,"points":604,"video":611},"\u003Cp>Push continuously monitors your environment for exposed login paths, weak credentials, and missing protections like MFA. 
It detects the gaps attackers exploit and helps you close them before they’re used.\u003C/p>",[605,607,609],{"item":606},"Find weak spots like reused passwords, local logins, and missing MFA",{"item":608},"Monitor how users actually log in across apps, flows, and tools",{"item":610},"Enforce secure access with in-browser guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fdbdcf52892034f1bbddded77f753a343%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=dbdcf52892034f1bbddded77f753a343&alt=media&optimized=true",{"large":613},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":241},{"@type":106,"@version":107,"id":615,"meta":616,"component":617,"responsiveStyles":619},"builder-b3f66f5b08054cc78a06fecfc3ae2337",{"previousId":496},{"name":245,"options":618,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":620},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":249},{"@type":106,"@version":107,"id":622,"meta":623,"component":624,"responsiveStyles":626},"builder-4c73418b84be49ed85e6e13d2625c5a0",{"previousId":503},{"name":253,"options":625,"isRSC":118},{"darkMode":41},{"large":627},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":629,"component":630,"responsiveStyles":635},"builder-dec0246085e1485c803f7152b1922a81",{"name":258,"tag":258,"options":631,"isRSC":118},{"darkMode":6,"maxWidth":262,"maxTextWidth":263,"title":632,"description":633,"image":634,"reverse":6},"\u003Ch2>Find the gaps that lead to compromise\u003C/h2>","\u003Cp>Misconfigurations don’t show up in your config files, they show up in how users actually access apps. 
Push monitors real login behavior in the browser, surfacing risky patterns like local login access, duplicate accounts, or missing protections that leave doors wide open.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F309a59bba8d247a19476bb369397460e",{"large":636},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":638,"meta":639,"component":640,"responsiveStyles":645},"builder-ebf049a645604a249550996a88f8f3b6",{"previousId":519},{"name":272,"options":641,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":275,"title":642,"description":643,"reverse":41,"image":644},"\u003Ch2>See real login behavior\u003C/h2>","\u003Cp>Push watches authentication flows as they happen, giving you a live view of how users log in, which methods they choose, and where protections like MFA are missing. Plus, uncover every app and account in use, even shadow IT you didn’t know existed, without relying on stale config files or IdP assumptions. \u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb51f6b0357cc451b87a7a5016d984e5e",{"large":646},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":281,"paddingTop":282,"marginTop":283},{"@type":106,"@version":107,"id":648,"meta":649,"component":650,"responsiveStyles":655},"builder-431d175c59004669b0b2776b07d71737",{"previousId":529},{"name":272,"options":651,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":288,"title":652,"description":653,"reverse":6,"image":654},"\u003Ch2>Find and fix posture drift\u003C/h2>","\u003Cp>Security posture isn’t static. Push continuously monitors for issues like missing MFA or legacy login methods. 
When something falls out of policy, you know immediately with custom notifications so you can act before it turns into risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F324e39127dfc41e592b1183dfb39892d",{"large":656},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":294},{"@type":106,"@version":107,"layerName":272,"id":658,"meta":659,"component":660,"responsiveStyles":665},"builder-3dffdcbe0a484e2ca4c03f019b6d40ee",{"previousId":539},{"name":272,"options":661,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":299,"title":662,"description":663,"reverse":41,"image":664},"\u003Ch2>Guide users with in-browser guardrails\u003C/h2>","\u003Cp>Push doesn’t just surface problems, it helps you fix them. When users sign in without MFA, reuse a password, or use insecure credentials, Push prompts them directly in the browser to secure their access. It’s faster, more effective, and actually gets 
results.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fee8b75d13e45488aba55434a8b49ebb0",{"large":666},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":305},{"@type":106,"@version":107,"id":668,"meta":669,"component":670,"responsiveStyles":672},"builder-976bc222cd7647ff905f1e01cfedc453",{"previousId":549},{"name":253,"options":671,"isRSC":118},{"darkMode":6},{"large":673},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":675,"component":676,"responsiveStyles":678},"builder-8c47ec2fd0f74382bb3e6c870555632c",{"name":315,"tag":315,"options":677,"isRSC":118},{"sectionHeading":37,"customClass":317},{"large":679},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":681,"@type":106,"tagName":131,"properties":682,"responsiveStyles":683},"builder-pixel-hqgadf1h59w",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":684},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":686},{"path":37,"query":687},{},{},1770892844854,1745499166112,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6ca12bf728a045f1a31d40c0beb3bfe5",[],{"kind":337,"lastPreviewUrl":694,"breakpoints":695,"hasLinks":6,"originalContentId":461,"winningTest":118,"hasAutosaves":6},"https://pushsecurity.com/uc/attack-path-hardening?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&buil
der.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.23eb48fb56d3451cab77cb6ed140ee6d=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.use-case-page:/uc/attack-path-hardening=23eb48fb56d3451cab77cb6ed140ee6d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":697,"id":698,"name":699,"modelId":160,"published":13,"query":700,"data":703,"variations":808,"lastUpdated":809,"firstPublished":810,"testRatio":33,"screenshot":811,"createdBy":34,"lastUpdatedBy":573,"folders":812,"meta":813,"rev":339},1761675020232,"ea4f309d2ffe46c5aa97ebf0fda4e2e3","ClickFix Protection",[701],{"@type":163,"property":164,"operator":165,"value":702},"/uc/clickfix-protection",{"seoDescription":704,"fontAwesomeIcon":705,"customFonts":706,"seoTitle":711,"jsCode":37,"tsCode":37,"title":711,"blocks":712,"url":702,"state":805},"Block attacks that trick users into running malicious code.","faLaptopCode",[707],{"files":708,"subsets":709,"menu":195,"version":173,"kind":172,"family":171,"lastModified":174,"variants":710,"category":194},{"100":176,"200":177,"300":178,"500":179,"600":180,"700":181,"800":182,"900":183,"200italic":190,"800italic":184,"700italic":186,"600italic":193,"100italic":187,"italic":188,"regular":189,"300italic":192,"500italic":191,"900italic":185},[197,198],[200,201,202,203,204,205,128,206,207,208,209,210,211,212,213,214,215,216],"ClickFix 
protection",[713,800],{"@type":106,"@version":107,"tagName":222,"id":714,"meta":715,"children":716},"builder-d7eefdde0f2a4b2b9de3dcb2978fd6cb",{"previousId":595},[717,733,740,747,757,767,777,787,794],{"@type":106,"@version":107,"id":718,"meta":719,"component":720,"responsiveStyles":731},"builder-56e2c54bcce040a4af8b92ae03706c12",{"previousId":599},{"name":226,"options":721,"isRSC":118},{"title":711,"description":722,"points":723,"image":730},"\u003Cp>ClickFix attacks are one of the fastest-growing threats, tricking users into copying malicious code from a webpage and running it locally. This technique bypasses traditional EDR, email gateways, and network filters, leading directly to ransomware and data theft. Push stops this attack at the source, in the browser, by detecting and blocking the malicious behavior before the user can ever paste the code.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[724,726,728],{"item":725},"Detect ClickFix, FileFix, and fake CAPTCHA in the browser",{"item":727},"Block malicious copy-and-paste actions before code is executed",{"item":729},"See full telemetry into which users were targeted and what they 
saw","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b74af62889847ebb3927364485b0546",{"large":732},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":241},{"@type":106,"@version":107,"id":734,"meta":735,"component":736,"responsiveStyles":738},"builder-05f9614d4e3e4dc88b3ee8658f54e10e",{"previousId":615},{"name":245,"options":737,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":739},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":249},{"@type":106,"@version":107,"id":741,"meta":742,"component":743,"responsiveStyles":745},"builder-c4fb5179366243c1b6c32d368675cf47",{"previousId":622},{"name":253,"options":744,"isRSC":118},{"darkMode":41},{"large":746},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":748,"meta":749,"component":750,"responsiveStyles":755},"builder-261af50705fd445d8cca4a6ba20d5391",{"previousId":629},{"name":258,"tag":258,"options":751,"isRSC":118},{"darkMode":6,"maxWidth":262,"maxTextWidth":263,"title":752,"description":753,"reverse":6,"image":754},"\u003Ch2>Stop ClickFix-style attacks before they become a breach\u003C/h2>","\u003Cp>Traditional security tools are blind to malicious copy and paste attacks because the attack exploits a gap between the browser and the endpoint. 
EDR only sees the payload after it runs, and network tools see only part of the picture.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F98b2f7e08dec4eafaf8e24937605b8cf",{"large":756},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":758,"meta":759,"component":760,"responsiveStyles":765},"builder-7d21b8aab8064c40b1e5dd23c4749309",{"previousId":638},{"name":272,"options":761,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":275,"title":762,"description":763,"reverse":41,"image":764},"\u003Ch2>Discover lures at the source\u003C/h2>","\u003Cp>Push inspects page behavior to identify ClickFix attacks as they happen. By inspecting the page, its structure, and how the user interacts with it, Push can detect and block these in-browser threats in real time. This deep, TTP-based inspection spots the trap even on novel pages that are built to bypass traditional web filters and blocklists.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F665bf47e01544c75bf9ddafd3917927b",{"large":766},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":281,"paddingTop":282,"marginTop":283},{"@type":106,"@version":107,"id":768,"meta":769,"component":770,"responsiveStyles":775},"builder-fb91943adf6149259ed9e1e6566c9afe",{"previousId":648},{"name":272,"options":771,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":288,"title":772,"description":773,"reverse":6,"image":774},"\u003Ch2>Block the malicious action\u003C/h2>","\u003Cp>When Push detects a malicious script, it intercepts the user's action and blocks the code from being copied to the clipboard. The user is protected, the attack is stopped, and no malicious code ever reaches the endpoint. 
Unlike broad DLP tools, this action is surgical, targeting only malicious behavior without disrupting normal work.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F5ee68f81f1ac416685cbfe91298cf827",{"large":776},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":294},{"@type":106,"@version":107,"layerName":272,"id":778,"meta":779,"component":780,"responsiveStyles":785},"builder-bfac95fada864e5a8259b955b5b5f98b",{"previousId":658},{"name":272,"options":781,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":299,"title":782,"description":783,"reverse":41,"image":784},"\u003Ch2>Accelerate ClickFix investigations\u003C/h2>","\u003Cp>When an attack happens, knowing what the user saw or did is critical. Push provides rich browser session data for rapid investigation and containment. Security teams get detailed telemetry on which users were targeted, what lure they were served, and when the block occurred. 
This enables defenders to reconstruct what happened and respond quickly, even when other tools miss the activity entirely.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6cdf2a8aeddc4e9a9023cbf974e40239",{"large":786},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":305},{"@type":106,"@version":107,"id":788,"meta":789,"component":790,"responsiveStyles":792},"builder-136892e831684a6987f87d3be67c33d1",{"previousId":668},{"name":253,"options":791,"isRSC":118},{"darkMode":6},{"large":793},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":795,"component":796,"responsiveStyles":798},"builder-dec26b739f2f42beb5a73cfc6c675b60",{"name":315,"tag":315,"options":797,"isRSC":118},{"sectionHeading":37,"customClass":317},{"large":799},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":801,"@type":106,"tagName":131,"properties":802,"responsiveStyles":803},"builder-pixel-jb7i4u6v2mk",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":804},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":806},{"path":37,"query":807},{},{},1770892881888,1761847585203,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F375467b8bef34ed1a8a1cc5b8b67d75f",[],{"lastPreviewUrl":814,"originalContentId":580,"winningTest":118,"hasLinks":6,"kind":337,"breakpoints":815,"hasAutosaves":6},"https://pushsecurity.com/uc/clickfix-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.u
ser.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.ea4f309d2ffe46c5aa97ebf0fda4e2e3=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.use-case-page:/uc/clickfix-protection=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":817,"id":818,"name":819,"modelId":160,"published":13,"query":820,"data":823,"variations":928,"lastUpdated":929,"firstPublished":930,"testRatio":33,"screenshot":931,"createdBy":34,"lastUpdatedBy":573,"folders":932,"meta":933,"rev":339},1745009743870,"a9d5556e77f84a37b5bd52310a7110c1","Incident response",[821],{"@type":163,"property":164,"operator":165,"value":822},"/uc/incident-response",{"seoDescription":824,"customFonts":825,"title":819,"jsCode":37,"fontAwesomeIcon":830,"seoTitle":831,"tsCode":37,"blocks":832,"url":822,"state":925},"Investigate and respond faster with unique browser telemetry.",[826],{"kind":172,"subsets":827,"menu":195,"variants":828,"category":194,"family":171,"version":173,"lastModified":174,"files":829},[197,198],[200,201,202,203,204,205,128,206,207,208,209,210,211,212,213,214,215,216],{"100":176,"200":177,"300":178,"500":179,"600":180,"700":181,"800":182,"900":183,"900italic":185,"600italic":193,"200italic":190,"300italic":192,"100italic":187,"700italic":186,"800italic":184,"regular":189,"italic":188,"500italic":191},"faSatelliteDish","Browser-based incident 
response",[833,920],{"@type":106,"@version":107,"tagName":222,"id":834,"meta":835,"children":836},"builder-653c4aed737b4def88dc4cd2d695660a",{"previousId":595},[837,854,861,868,877,887,897,907,914],{"@type":106,"@version":107,"id":838,"meta":839,"component":840,"responsiveStyles":852},"builder-18190bd36518467d9154d27d7e945b9b",{"previousId":599},{"name":226,"options":841,"isRSC":118},{"title":842,"description":843,"points":844,"video":851},"Browser-based incident response","\u003Cp>Push gives you real-time visibility into what actually happened during a breach, right in the browser where the attack played out. From credential theft to session hijacking, Push captures high-fidelity telemetry so you can investigate quickly, contain confidently, and shut it down before it spreads.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[845,847,849],{"item":846},"Reconstruct what happened with real browser session context",{"item":848},"Investigate faster with real-world session context",{"item":850},"Trigger response actions automatically through your SIEM or 
SOAR","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fd00e39d3b6e346c296261d875cf55652%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=d00e39d3b6e346c296261d875cf55652&alt=media&optimized=true",{"large":853},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":241},{"@type":106,"@version":107,"id":855,"meta":856,"component":857,"responsiveStyles":859},"builder-8a0a8ea63f5d48dd8a6726f2d49cf0ca",{"previousId":615},{"name":245,"options":858,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":860},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":249},{"@type":106,"@version":107,"id":862,"meta":863,"component":864,"responsiveStyles":866},"builder-2df65c3f54334df2b26e7cb744886cdc",{"previousId":622},{"name":253,"options":865,"isRSC":118},{"darkMode":41},{"large":867},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":869,"component":870,"responsiveStyles":875},"builder-2c32c869efc2423ab69ef06b150e9f97",{"name":258,"tag":258,"options":871,"isRSC":118},{"darkMode":6,"maxWidth":262,"maxTextWidth":263,"title":872,"description":873,"image":874,"reverse":6},"\u003Ch2>See attacks unfold, not just their aftermath\u003C/h2>","\u003Cp>Attacks happen in the browser, not in logs. Push captures what traditional tools miss: what users clicked, what loaded, what was entered, and how attackers moved. 
That gives you real-world evidence, not just assumptions, when every second matters.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F36fc719bd1de4a38b916f4d25c81a26d",{"large":876},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":878,"meta":879,"component":880,"responsiveStyles":885},"builder-370e53c6016e432db01e9193a2ce90f6",{"previousId":638},{"name":272,"options":881,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":275,"title":882,"description":883,"reverse":41,"image":884},"\u003Ch2>Investigate faster with high-fidelity data\u003C/h2>","\u003Cp>Reconstructing an incident shouldn’t feel like guesswork. Push records detailed telemetry from inside the browser: page loads, credential inputs, DOM changes, session activity, user behavior. It’s structured, exportable, and ready to plug into your investigation workflows, so you can move fast without digging through proxy logs or relying on user reports.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa6adda040e684e67a8d68a55c5ce5f6d",{"large":886},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":281,"paddingTop":283,"marginTop":283},{"@type":106,"@version":107,"id":888,"meta":889,"component":890,"responsiveStyles":895},"builder-a7f3767a8d184bd08fb24520bf210e95",{"previousId":648},{"name":272,"options":891,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":288,"title":892,"description":893,"reverse":6,"image":894},"\u003Ch2>Contain and respond in real time\u003C/h2>","\u003Cp>When something looks off, Push doesn’t just alert you, it gives you options. Guide users with in-browser prompts. Terminate sessions. Trigger SOAR workflows. Enrich SIEM alerts. 
Push gives you the context and control to stop spread before it starts.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb3dedeed5aba4847a2c2d22e10d0ec12",{"large":896},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":294},{"@type":106,"@version":107,"layerName":272,"id":898,"meta":899,"component":900,"responsiveStyles":905},"builder-b92036ee0ece4b32acdbdcc7c377366b",{"previousId":658},{"name":272,"options":901,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":299,"title":902,"description":903,"reverse":41,"image":904},"\u003Ch2>Prevent the next one\u003C/h2>","\u003Cp>Push helps you respond fast, but it also helps you fix what went wrong. It surfaces misconfigurations and risky behaviors that made the attack possible in the first place, then guides users in-browser to remediate. One tool. Full loop. No loose ends.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc1ecc2d5d3814b62b072fac01827ff96",{"large":906},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":305},{"@type":106,"@version":107,"id":908,"meta":909,"component":910,"responsiveStyles":912},"builder-5e8ae39655274de89da32ab573a2525a",{"previousId":668},{"name":253,"options":911,"isRSC":118},{"darkMode":6},{"large":913},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":915,"component":916,"responsiveStyles":918},"builder-dfd6850cfb4741d2b8a0c16c2780f00a",{"name":315,"tag":315,"options":917,"isRSC":118},{"sectionHeading":37,"customClass":317},{"large":919},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":921,"@type":106,"tagName":131,"properties":922,"responsiveStyles":923},"builder-pixel-t20dmmgkd7",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":924},{"height":124
,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":926},{"path":37,"query":927},{},{},1770892908052,1745427419274,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb07017bfd318431690a5bb35bda35b99",[],{"kind":337,"breakpoints":934,"originalContentId":580,"winningTest":118,"lastPreviewUrl":935,"hasLinks":6,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/incident-response?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.a9d5556e77f84a37b5bd52310a7110c1=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.use-case-page:/uc/incident-response=a9d5556e77f84a37b5bd52310a7110c1&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"createdDate":937,"id":938,"name":939,"modelId":160,"published":13,"query":940,"data":943,"variations":1048,"lastUpdated":1049,"firstPublished":1050,"testRatio":33,"screenshot":1051,"createdBy":34,"lastUpdatedBy":573,"folders":1052,"meta":1053,"rev":339},1746122471259,"5f118e24433d46ceb79f5099987156d7","Shadow SaaS",[941],{"@type":163,"property":164,"operator":165,"value":942},"/uc/shadow-saas",{"seoTitle":944,"seoDescription":945,"customFonts":946,"fontAwesomeIcon":951,"title":952,"jsCode":37,"tsCode":37,"blocks":953,"url":942,"state":1045},"Find and secure shadow SaaS","See and control shadow SaaS in the 
browser.",[947],{"kind":172,"variants":948,"files":949,"family":171,"version":173,"subsets":950,"lastModified":174,"category":194,"menu":195},[200,201,202,203,204,205,128,206,207,208,209,210,211,212,213,214,215,216],{"100":176,"200":177,"300":178,"500":179,"600":180,"700":181,"800":182,"900":183,"300italic":192,"500italic":191,"regular":189,"900italic":185,"italic":188,"100italic":187,"200italic":190,"600italic":193,"700italic":186,"800italic":184},[197,198],"faShieldCheck","Secure shadow SaaS",[954,1040],{"@type":106,"@version":107,"tagName":222,"id":955,"meta":956,"children":957},"builder-04da805c4cd34652a2db452fcda52e1d",{"previousId":834},[958,974,981,988,997,1007,1017,1027,1034],{"@type":106,"@version":107,"id":959,"meta":960,"component":961,"responsiveStyles":972},"builder-830d414faeaf41439142f9157e8288c8",{"previousId":838},{"name":226,"options":962,"isRSC":118},{"title":944,"description":963,"points":964,"video":971},"\u003Cp>SaaS sprawl is one of today’s fastest-growing security blind spots because most tools monitor around the edges. Push sees it at the source, in the browser, revealing every app users access, flagging risky tools, and helping you shut down exposure before it leads to a breach. No guesswork. No nasty surprises. 
Just real-time visibility and control.\u003C/p>",[965,967,969],{"item":966},"Discover every SaaS app users access, managed or not",{"item":968},"Spot accounts with weak security postures like missing MFA, unmanaged access, and no SSO",{"item":970},"Control usage with in-browser prompts, blocks, and security guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F3e4eece318d04d6586e691d59d0741cf%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=3e4eece318d04d6586e691d59d0741cf&alt=media&optimized=true",{"large":973},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":241},{"@type":106,"@version":107,"id":975,"meta":976,"component":977,"responsiveStyles":979},"builder-cd7833f966cb4c7e8adf0d6c979414a6",{"previousId":855},{"name":245,"options":978,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":980},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":249},{"@type":106,"@version":107,"id":982,"meta":983,"component":984,"responsiveStyles":986},"builder-49d720b45430454e8b08c526f267c19f",{"previousId":862},{"name":253,"options":985,"isRSC":118},{"darkMode":41},{"large":987},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":989,"component":990,"responsiveStyles":995},"builder-3dde0bf6c8544e5e9ab41b18a9d68034",{"name":258,"tag":258,"options":991,"isRSC":118},{"darkMode":6,"maxWidth":262,"maxTextWidth":263,"title":992,"description":993,"image":994,"reverse":6},"\u003Ch2>Use your browser to curb SaaS sprawl\u003C/h2>","\u003Cp>Shadow SaaS isn’t hiding in your network, it’s in your browser. From AI tools to unsanctioned file-sharing sites, security risks live in the apps your users sign into every day. 
Push maps your organization's true SaaS footprint in real time, exposing apps and accounts with unmanaged access, poor authentication, or no security oversight.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb6811a214c7949b6bbe0b9a3bca62efd",{"large":996},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":998,"meta":999,"component":1000,"responsiveStyles":1005},"builder-e2420451ccdc4f088d0a4904cff45935",{"previousId":878},{"name":272,"options":1001,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":275,"title":1002,"description":1003,"reverse":41,"image":1004},"\u003Ch2>Discover hidden SaaS usage\u003C/h2>","\u003Cp>Push captures live browser telemetry across every tab and session. Whether a user signs into a sanctioned app with a personal account or tries a new AI plugin, you’ll see it in real time, with no integrations or manual tagging.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe16e301f9af94665b95d98232a863d8a",{"large":1006},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":281,"paddingTop":283,"marginTop":283},{"@type":106,"@version":107,"id":1008,"meta":1009,"component":1010,"responsiveStyles":1015},"builder-b36de7fce7994beea9e58d94662e7166",{"previousId":888},{"name":272,"options":1011,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":288,"title":1012,"description":1013,"reverse":6,"image":1014},"\u003Ch2>Spot risky access and unsafe usage\u003C/h2>","\u003Cp>Discovery is just the beginning. Push flags apps with risky traits: no MFA, no SSO, known vulnerabilities, or broad access scopes. 
You’ll know which tools introduce real risk, and which users are exposed so you can act with precision.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6585f3c242da4d70ae3cb7d02f481bef",{"large":1016},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":294},{"@type":106,"@version":107,"layerName":272,"id":1018,"meta":1019,"component":1020,"responsiveStyles":1025},"builder-dc366b5134684fe7a508edf8913103ea",{"previousId":898},{"name":272,"options":1021,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":299,"title":1022,"description":1023,"reverse":41,"image":1024},"\u003Ch2>Close gaps before they grow\u003C/h2>","\u003Cp>Push turns insight into action. When risky SaaS use is detected, guide users to enable MFA, block high-risk apps, or apply in-browser guardrails automatically. All without deploying new infrastructure or managing dozens of integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe6d60b6d91414819bc6258a318f00557",{"large":1026},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":305},{"@type":106,"@version":107,"id":1028,"meta":1029,"component":1030,"responsiveStyles":1032},"builder-8708f6f0d8da4b3f9e17bf16cda70219",{"previousId":908},{"name":253,"options":1031,"isRSC":118},{"darkMode":6},{"large":1033},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1035,"component":1036,"responsiveStyles":1038},"builder-8ff4b38d60534cf28cb523ab0f754875",{"name":315,"tag":315,"options":1037,"isRSC":118},{"sectionHeading":37,"customClass":317},{"large":1039},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1041,"@type":106,"tagName":131,"properties":1042,"responsiveStyles":1043},"builder-pixel-225hg4jfk9t",{"src":133,"aria-hidden":134,"alt":37,"role":135,"wi
dth":124,"height":124},{"large":1044},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1046},{"path":37,"query":1047},{},{},1770892936802,1746714967208,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01bfb2304521412fbd2e1a1180904d40",[],{"originalContentId":818,"winningTest":118,"lastPreviewUrl":1054,"breakpoints":1055,"kind":337,"hasLinks":6,"hasAutosaves":6},"https://pushsecurity.com/uc/shadow-saas?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=5f118e24433d46ceb79f5099987156d7&builder.overrides.5f118e24433d46ceb79f5099987156d7=5f118e24433d46ceb79f5099987156d7&builder.overrides.use-case-page:/uc/shadow-saas=5f118e24433d46ceb79f5099987156d7&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":1057,"id":1058,"name":1059,"modelId":160,"published":13,"query":1060,"data":1063,"variations":1167,"lastUpdated":1168,"firstPublished":1169,"testRatio":33,"screenshot":1170,"createdBy":34,"lastUpdatedBy":573,"folders":1171,"meta":1172,"rev":339},1764707470172,"b62629ce2f3741158d961cd10fe74b31","Shadow AI",[1061],{"@type":163,"property":164,"operator":165,"value":1062},"/uc/shadow-ai",{"fontAwesomeIcon":1064,"seoTitle":1065,"jsCode":37,"customFonts":1066,"title":1071,"tsCode":37,"seoDescription":1072,"blocks":1073,"url":1062,"state":1164},"faBrainCircuit","Secure AI 
native and AI enhanced apps. ",[1067],{"variants":1068,"category":194,"files":1069,"subsets":1070,"family":171,"kind":172,"menu":195,"lastModified":174,"version":173},[200,201,202,203,204,205,128,206,207,208,209,210,211,212,213,214,215,216],{"100":176,"200":177,"300":178,"500":179,"600":180,"700":181,"800":182,"900":183,"800italic":184,"regular":189,"700italic":186,"200italic":190,"italic":188,"500italic":191,"600italic":193,"300italic":192,"100italic":187,"900italic":185},[197,198],"Secure shadow AI","See and control shadow AI apps in the browser.",[1074,1159],{"@type":106,"@version":107,"tagName":222,"id":1075,"meta":1076,"children":1077},"builder-a6e5717a2c914d5695058e4ee201a05d",{"previousId":955},[1078,1094,1101,1108,1118,1127,1136,1146,1153],{"@type":106,"@version":107,"id":1079,"meta":1080,"component":1081,"responsiveStyles":1092},"builder-3e0ed678683f4a0eb7aa00253cf263b2",{"previousId":959},{"name":226,"options":1082,"isRSC":118},{"title":1071,"description":1083,"points":1084,"image":1091},"\u003Cp>Your employees are adopting AI faster than you can track it. From native features in corporate apps to unapproved shadow tools, it’s all happening in the browser. 
Push detects every AI interaction in real time, letting you categorize apps and enforce acceptable use policies in the browser.\u003C/p>",[1085,1087,1089],{"item":1086},"Map every AI tool used across your workforce",{"item":1088},"Review and classify apps by sensitivity, purpose, and policy status",{"item":1090},"Enforce AI usage rules directly in the browser","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F33cf153d920f4e389f3650253577cff7",{"large":1093},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":241},{"@type":106,"@version":107,"id":1095,"meta":1096,"component":1097,"responsiveStyles":1099},"builder-76968f8471d14893b8189d75b08fb426",{"previousId":975},{"name":245,"options":1098,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":1100},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":249},{"@type":106,"@version":107,"id":1102,"meta":1103,"component":1104,"responsiveStyles":1106},"builder-b55b9d4bc5a649d8839ce7f6c2043d95",{"previousId":982},{"name":253,"options":1105,"isRSC":118},{"darkMode":41},{"large":1107},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1109,"meta":1110,"component":1111,"responsiveStyles":1116},"builder-c3f38ef4d75d4989a29b5903175ed8a1",{"previousId":989},{"name":258,"tag":258,"options":1112,"isRSC":118},{"darkMode":6,"maxWidth":262,"maxTextWidth":263,"title":1113,"description":1114,"image":1115,"reverse":6},"\u003Ch2>Use your browser to govern AI \u003C/h2>","\u003Cp>The AI footprint inside your company is bigger than you think. From text generators to meeting assistants and design copilots, employees test, adopt, and connect new tools constantly. 
Push shows you those tools and which users are accessing them, without relying on network scans or API integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F30b43bda6f1644c19478fb1efa20050c",{"large":1117},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1119,"meta":1120,"component":1121,"responsiveStyles":1125},"builder-90ee9cb9afc44e7f885523715bf51a53",{"previousId":998},{"name":272,"options":1122,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":275,"title":1123,"description":1124,"reverse":41,"image":1014},"\u003Ch2>Discover every AI tool users touch\u003C/h2>","\u003Cp>Push captures live telemetry from the browser, identifying every AI-native and AI-enhanced application users access. You’ll know which corporate identities are connected, how data flows, and what new AI apps appear across your environment. \u003C/p>",{"large":1126},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":281,"paddingTop":283,"marginTop":283},{"@type":106,"@version":107,"id":1128,"meta":1129,"component":1130,"responsiveStyles":1134},"builder-9e44539fa53c4d8e87406036c921fc46",{"previousId":1008},{"name":272,"options":1131,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":288,"title":1132,"description":1133,"reverse":6,"image":1024},"\u003Ch2>Classify and manage AI risk\u003C/h2>","\u003Cp>For apps you choose to allow, Push lets you apply custom in-browser banners. You can bulk-select categories of AI tools and require users to read and acknowledge your acceptable use policy before they proceed. 
This creates an auditable trail and moves policy from an easy-to-forget document to an active, in-workflow control.\u003C/p>",{"large":1135},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":294},{"@type":106,"@version":107,"layerName":272,"id":1137,"meta":1138,"component":1139,"responsiveStyles":1144},"builder-44c1a891926f4bdeaaa37e90721fe6ac",{"previousId":1018},{"name":272,"options":1140,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":299,"title":1141,"description":1142,"reverse":41,"image":1143},"\u003Ch2>Enforce your AI policy in the browser\u003C/h2>","\u003Cp>When an AI tool is deemed non-compliant or too risky, Push blocks it at the source. The block happens directly in the browser, preventing the user from accessing the site or submitting data. This gives you an immediate, powerful lever to stop data exfiltration and enforce a hard line on unacceptable risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa359ac1805af4e15a8a7f84632b9bb55",{"large":1145},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":305},{"@type":106,"@version":107,"id":1147,"meta":1148,"component":1149,"responsiveStyles":1151},"builder-dcc906f9cbe54dc68b3c672668e7a38f",{"previousId":1028},{"name":253,"options":1150,"isRSC":118},{"darkMode":6},{"large":1152},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1154,"component":1155,"responsiveStyles":1157},"builder-d2d64780c31b4349bc75805b23a07e38",{"name":315,"tag":315,"options":1156,"isRSC":118},{"sectionHeading":37,"customClass":317},{"large":1158},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1160,"@type":106,"tagName":131,"properties":1161,"responsiveStyles":1162},"builder-pixel-gvb5hb3oa9q",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124
},{"large":1163},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1165},{"path":37,"query":1166},{},{},1770892957225,1764950077593,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe558b8b069884037a8e6904f7ecc029c",[],{"winningTest":118,"breakpoints":1173,"originalContentId":938,"kind":337,"lastPreviewUrl":1174,"hasLinks":6,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/shadow-ai?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=b62629ce2f3741158d961cd10fe74b31&builder.overrides.b62629ce2f3741158d961cd10fe74b31=b62629ce2f3741158d961cd10fe74b31&builder.overrides.use-case-page:/uc/shadow-ai=b62629ce2f3741158d961cd10fe74b31&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"_path":1176,"_dir":1177,"_draft":6,"_partial":6,"_locale":37,"sys":1178,"ogImage":118,"summary":1181,"title":1195,"subtitle":118,"metaTitle":1196,"synopsis":1197,"hashTags":118,"publishedDate":1198,"slug":1199,"tagsCollection":1200,"relatedBlogPostsCollection":1210,"authorsCollection":3060,"content":3064,"_id":4189,"_type":4190,"_source":4191,"_file":4192,"_stem":4193,"_extension":4190},"/blog/scattered-lapsus-hunters","blog",{"id":1179,"publishedAt":1180},"2sFCww9xnI8okIxhtOaiY1","2026-03-25T11:16:23.439Z",{"json":1182},{"data":1183,"content":1184,"nodeType":1194},{},[1185],{"data":1186,"content":1187,"nod
eType":1193},{},[1188],{"data":1189,"marks":1190,"value":1191,"nodeType":1192},{},[],"In this blog post, we’ll be taking a closer look at the breaches linked to Scattered Lapsus$ Hunters, the evolution of TTPs that makes them so successful, and how they’re shaping the current and next generation of cyber criminals.","text","paragraph","document","\"Scattered Lapsus$ Hunters\" — how modern attackers exploit the gaps in your security stack ","Analyzing \"Scattered Lapsus$ Hunters\" breaches since 2021","How Scattered Lapsus$ Hunters breaches demonstrate the evolution of attacker TTPs, shaping the future of cyber attacks.","2025-11-13T00:00:00.000Z","scattered-lapsus-hunters",{"items":1201},[1202,1206],{"sys":1203,"name":1205},{"id":1204},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"sys":1207,"name":1209},{"id":1208},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"items":1211},[1212,1899,2368],{"__typename":1213,"sys":1214,"content":1216,"title":1881,"synopsis":1882,"hashTags":118,"publishedDate":1883,"slug":1884,"tagsCollection":1885,"authorsCollection":1891},"BlogPosts",{"id":1215},"62Zyr35VUmijkpupWk3hoD",{"json":1217},{"data":1218,"content":1219,"nodeType":1194},{},[1220,1236,1243,1247,1257,1264,1271,1293,1302,1309,1316,1323,1330,1333,1341,1348,1354,1361,1370,1377,1384,1390,1410,1416,1423,1430,1437,1443,1446,1454,1474,1481,1514,1521,1528,1534,1541,1548,1555,1558,1566,1585,1591,1598,1605,1611,1618,1625,1628,1636,1643,1663,1708,1715,1722,1729,1732,1740,1747,1754,1761,1764,1772,1779,1810,1830,1837,1840,1848,1855,1862],{"data":1221,"content":1222,"nodeType":1193},{},[1223,1227,1232],{"data":1224,"marks":1225,"value":1226,"nodeType":1192},{},[],"The view that \"the browser is the new endpoint\" and \"the new battleground for cyber attacks\" is becoming increasingly advocated by security leaders. 
But what does this ",{"data":1228,"marks":1229,"value":1231,"nodeType":1192},{},[1230],{"type":211},"actually",{"data":1233,"marks":1234,"value":1235,"nodeType":1192},{},[]," mean for security teams? ",{"data":1237,"content":1238,"nodeType":1193},{},[1239],{"data":1240,"marks":1241,"value":1242,"nodeType":1192},{},[],"In this article, we’re cutting out the jargon to explore what a browser-based attack is, and what’s required for effective detection and response. ",{"data":1244,"content":1245,"nodeType":1246},{},[],"hr",{"data":1248,"content":1249,"nodeType":1256},{},[1250],{"data":1251,"marks":1252,"value":1255,"nodeType":1192},{},[1253],{"type":1254},"bold","What is the goal of a browser-based attack?   ","heading-1",{"data":1258,"content":1259,"nodeType":1193},{},[1260],{"data":1261,"marks":1262,"value":1263,"nodeType":1192},{},[],"First, it’s important to establish what the point of a browser-based attack is.",{"data":1265,"content":1266,"nodeType":1193},{},[1267],{"data":1268,"marks":1269,"value":1270,"nodeType":1192},{},[],"In most scenarios, attackers don’t think of themselves as attacking your web browser. Their end-goal is to compromise your business apps and data. That means going after the third-party apps and services that are now the backbone of business IT — and therefore the top target for attackers. ",{"data":1272,"content":1273,"nodeType":1193},{},[1274,1278,1289],{"data":1275,"marks":1276,"value":1277,"nodeType":1192},{},[],"The most common attack path today sees attackers log into third-party services, dump the data, and monetize it through extortion. 
You need only look at last year’s ",{"data":1279,"content":1281,"nodeType":1288},{"uri":1280},"https://pushsecurity.com/blog/snowflake-retro?utm_source=bleeping-computer&utm_medium=sponsored-content&utm_term=article",[1282],{"data":1283,"marks":1284,"value":1287,"nodeType":1192},{},[1285],{"type":1286},"underline","Snowflake","hyperlink",{"data":1290,"marks":1291,"value":1292,"nodeType":1192},{},[]," customer breaches or the still-ongoing Salesforce attacks to see the impact.",{"data":1294,"content":1300,"nodeType":1301},{"target":1295},{"sys":1296},{"id":1297,"type":1298,"linkType":1299},"5agrVXzEdwALmew2F5SPDp","Link","Entry",[],"embedded-entry-block",{"data":1303,"content":1304,"nodeType":1193},{},[1305],{"data":1306,"marks":1307,"value":1308,"nodeType":1192},{},[],"The most logical way to do this is by targeting users of those apps. And because of the changes to working practices, your users are more accessible than ever to external attackers.",{"data":1310,"content":1311,"nodeType":1193},{},[1312],{"data":1313,"marks":1314,"value":1315,"nodeType":1192},{},[],"Once upon a time, email was the primary communication channel with the wider world, and work happened locally — on your device, and inside your locked-down network environment. This made email and the endpoint the highest priority from a security perspective. But now, with modern work happening across a network of decentralized internet apps, and more varied communication channels outside of email, it’s harder to stop users from interacting with malicious content (at least, without significantly impeding their ability to do their jobs).",{"data":1317,"content":1318,"nodeType":1193},{},[1319],{"data":1320,"marks":1321,"value":1322,"nodeType":1192},{},[],"Given that the browser is the place where business apps are accessed and used, it makes sense that attacks are increasingly playing out there too. 
",{"data":1324,"content":1325,"nodeType":1193},{},[1326],{"data":1327,"marks":1328,"value":1329,"nodeType":1192},{},[],"With that covered off, let’s take a closer look at the most prevalent browser-based attack techniques being used by attackers in the wild today.",{"data":1331,"content":1332,"nodeType":1246},{},[],{"data":1334,"content":1335,"nodeType":1256},{},[1336],{"data":1337,"marks":1338,"value":1340,"nodeType":1192},{},[1339],{"type":1254},"The 6 key browser-based attacks that security teams need to know about",{"data":1342,"content":1343,"nodeType":1193},{},[1344],{"data":1345,"marks":1346,"value":1347,"nodeType":1192},{},[],"Attacks that target users in their web browsers have seen an unprecedented rise in recent years. ",{"data":1349,"content":1353,"nodeType":1301},{"target":1350},{"sys":1351},{"id":1352,"type":1298,"linkType":1299},"4ogNqZdObSIJXavHP44lom",[],{"data":1355,"content":1356,"nodeType":1193},{},[1357],{"data":1358,"marks":1359,"value":1360,"nodeType":1192},{},[],"Here's our breakdown of the top 6 browser-based attacks that should be on every security team's radar right now. ",{"data":1362,"content":1363,"nodeType":1369},{},[1364],{"data":1365,"marks":1366,"value":1368,"nodeType":1192},{},[1367],{"type":1254},"1. Phishing for credentials and sessions","heading-2",{"data":1371,"content":1372,"nodeType":1193},{},[1373],{"data":1374,"marks":1375,"value":1376,"nodeType":1192},{},[],"The most direct way for an attacker to compromise a business application is to phish a user of that app. You might not necessarily think of phishing as a browser-based attack, but that’s exactly what it is today. ",{"data":1378,"content":1379,"nodeType":1193},{},[1380],{"data":1381,"marks":1382,"value":1383,"nodeType":1192},{},[],"Phishing tooling and infrastructure has evolved a lot in the past decade, while the changes to business IT means there are both many more vectors for phishing attack delivery, and apps and identities to target. 
Attackers can deliver links over instant messenger apps, social media, SMS, malicious ads, and using in-app messenger functionality, as well as sending emails directly from SaaS services to bypass email-based checks. Likewise, there are now hundreds of apps per enterprise to target, with varying levels of account security configuration. ",{"data":1385,"content":1389,"nodeType":1301},{"target":1386},{"sys":1387},{"id":1388,"type":1298,"linkType":1299},"3SrKOgpedLMQRpKIZqUQur",[],{"data":1391,"content":1392,"nodeType":1193},{},[1393,1397,1406],{"data":1394,"marks":1395,"value":1396,"nodeType":1192},{},[],"Whereas phishing was once entirely focused on credential theft, modern phishing attacks see the attacker intercept the victim’s session on the target app, using reverse-proxy Attacker-in-the-Middle kits that are the standard choice for attackers today. This means most forms of MFA can be bypassed, with the exception of passkeys (though attackers are finding ways to work around passkeys using ",{"data":1398,"content":1400,"nodeType":1288},{"uri":1399},"https://pushsecurity.com/blog/mfa-downgrade-attacks/?utm_source=bleeping-computer&utm_medium=sponsored-content&utm_term=article",[1401],{"data":1402,"marks":1403,"value":1405,"nodeType":1192},{},[1404],{"type":1286},"downgrade attacks",{"data":1407,"marks":1408,"value":1409,"nodeType":1192},{},[],"). ",{"data":1411,"content":1415,"nodeType":1301},{"target":1412},{"sys":1413},{"id":1414,"type":1298,"linkType":1299},"2sOFEdAwQZjWOGzNAlGavb",[],{"data":1417,"content":1418,"nodeType":1193},{},[1419],{"data":1420,"marks":1421,"value":1422,"nodeType":1192},{},[],"There are other key differences to be aware of too. Today, phishing operates on an industrial scale, using an array of obfuscation and detection evasion techniques. The latest generation of fully customized AitM phishing kits are dynamically obfuscating the code that loads the web page, implementing custom bot protection (e.g. 
CAPTCHA or Cloudflare Turnstile), using runtime anti-analysis features, and using legitimate SaaS and cloud services to host and deliver phishing links to cover their tracks.",{"data":1424,"content":1425,"nodeType":1193},{},[1426],{"data":1427,"marks":1428,"value":1429,"nodeType":1192},{},[],"This means that traditional anti-phishing tools at the email and network layer are struggling to keep up, with many attacks evading email-based detections (or bypassing email altogether). At the same time, proxy-based solutions now see a garbled mess of JavaScript code without the necessary context of what is actually happening in the browser to be able to piece it together effectively. Even if they don’t realize it, this means many organizations are now relying solely on blocking known-bad sites and hosts — a wildly ineffective solution in 2025 with the rate that attackers refresh and rotate their phishing infrastructure. ",{"data":1431,"content":1432,"nodeType":1193},{},[1433],{"data":1434,"marks":1435,"value":1436,"nodeType":1192},{},[],"These changes make phishing more effective than ever, and increasingly difficult to detect and block without being able to observe and analyze web pages that a user interacts with in real time — something only possible with browser-level visibility. ",{"data":1438,"content":1442,"nodeType":1301},{"target":1439},{"sys":1440},{"id":1441,"type":1298,"linkType":1299},"1II2kHyOZcShLsexx1TAgy",[],{"data":1444,"content":1445,"nodeType":1246},{},[],{"data":1447,"content":1448,"nodeType":1369},{},[1449],{"data":1450,"marks":1451,"value":1453,"nodeType":1192},{},[1452],{"type":1254},"2. Malicious copy and paste (aka. 
ClickFix, FileFix, etc.)",{"data":1455,"content":1456,"nodeType":1193},{},[1457,1461,1470],{"data":1458,"marks":1459,"value":1460,"nodeType":1192},{},[],"One of the biggest security trends in the past year has been the emergence of the attack technique known as ",{"data":1462,"content":1464,"nodeType":1288},{"uri":1463},"https://www.microsoft.com/en-us/security/blog/2025/08/21/think-before-you-clickfix-analyzing-the-clickfix-social-engineering-technique/",[1465],{"data":1466,"marks":1467,"value":1469,"nodeType":1192},{},[1468],{"type":1286},"ClickFix",{"data":1471,"marks":1472,"value":1473,"nodeType":1192},{},[],". ",{"data":1475,"content":1476,"nodeType":1193},{},[1477],{"data":1478,"marks":1479,"value":1480,"nodeType":1192},{},[],"Originally known as “Fake CAPTCHA”, these attacks attempt to trick users into running malicious commands on their device — typically by solving some form of verification challenge in the browser. ",{"data":1482,"content":1483,"nodeType":1193},{},[1484,1488,1497,1501,1510],{"data":1485,"marks":1486,"value":1487,"nodeType":1192},{},[],"In reality, by solving the challenge, the victim is actually copying malicious code from the page clipboard and running it on their device. It typically gives the victim instructions that involve clicking prompts and copying, pasting, and running commands directly in the Windows Run dialog box, Terminal, or PowerShell. 
Variants such as ",{"data":1489,"content":1491,"nodeType":1288},{"uri":1490},"https://mrd0x.com/filefix-clickfix-alternative/",[1492],{"data":1493,"marks":1494,"value":1496,"nodeType":1192},{},[1495],{"type":1286},"FileFix",{"data":1498,"marks":1499,"value":1500,"nodeType":1192},{},[]," have also emerged, which instead use the File Explorer Address Bar to execute OS commands, while recent examples have seen this attack branch out to ",{"data":1502,"content":1504,"nodeType":1288},{"uri":1503},"https://www.bleepingcomputer.com/news/security/fake-mac-fixes-trick-users-into-installing-new-shamos-infostealer/",[1505],{"data":1506,"marks":1507,"value":1509,"nodeType":1192},{},[1508],{"type":1286},"Mac via the macOS terminal",{"data":1511,"marks":1512,"value":1513,"nodeType":1192},{},[],".",{"data":1515,"content":1516,"nodeType":1193},{},[1517],{"data":1518,"marks":1519,"value":1520,"nodeType":1192},{},[],"Most commonly, these attacks are used to deliver infostealer malware, with the attacker then using the stolen session cookies and credentials to access business apps and services. ",{"data":1522,"content":1523,"nodeType":1193},{},[1524],{"data":1525,"marks":1526,"value":1527,"nodeType":1192},{},[],"Like modern credential and session phishing, links to malicious pages are distributed over various delivery channels and using a variety of lures, including impersonating CAPTCHA, Cloudflare Turnstile, simulating an error loading a webpage, and many more. ",{"data":1529,"content":1533,"nodeType":1301},{"target":1530},{"sys":1531},{"id":1532,"type":1298,"linkType":1299},"6O9YiOfhpGFCDsTil9F3On",[],{"data":1535,"content":1536,"nodeType":1193},{},[1537],{"data":1538,"marks":1539,"value":1540,"nodeType":1192},{},[],"The variance in lure, and differences between different versions of the same lure, can make it difficult to fingerprint and detect based on visual elements alone. 
Also, many of the same protections being used to obfuscate and prevent analysis of phishing pages also apply to ClickFix pages, making it equally challenging to detect and block them. ",{"data":1542,"content":1543,"nodeType":1193},{},[1544],{"data":1545,"marks":1546,"value":1547,"nodeType":1192},{},[],"This leaves most of the detection and blocking down to endpoint-layer controls around user-level code execution and malware running on a device. The quantity of ClickFix-related headlines in the news would indicate that endpoint controls are being routinely bypassed, or perhaps evaded altogether by targeting personal or BYOD devices. ",{"data":1549,"content":1550,"nodeType":1193},{},[1551],{"data":1552,"marks":1553,"value":1554,"nodeType":1192},{},[],"There is a significant opportunity to detect these attacks in the browser and stop them at the earliest opportunity, before they reach the endpoint. Every ClickFix attack and variant has a key action in common — malicious code is copied from the page’s clipboard. In some cases, this happens without any user interaction (where the only requirement on the user is to run code that has been silently copied behind the scenes), presenting a strong indicator of malicious behavior that can be observed in the browser. ",{"data":1556,"content":1557,"nodeType":1246},{},[],{"data":1559,"content":1560,"nodeType":1369},{},[1561],{"data":1562,"marks":1563,"value":1565,"nodeType":1192},{},[1564],{"type":1254},"3. Malicious OAuth integrations",{"data":1567,"content":1568,"nodeType":1193},{},[1569,1573,1581],{"data":1570,"marks":1571,"value":1572,"nodeType":1192},{},[],"Malicious OAuth integrations are another way for attackers to compromise an app by tricking a user into authorizing an integration with a malicious, attacker-controlled app, with the level of data access and functionality dictated by the scopes authorized in the request. 
This is also known as ",{"data":1574,"content":1576,"nodeType":1288},{"uri":1575},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/consent_phishing/description.md",[1577],{"data":1578,"marks":1579,"value":1580,"nodeType":1192},{},[],"consent phishing",{"data":1582,"marks":1583,"value":1584,"nodeType":1192},{},[],". ",{"data":1586,"content":1590,"nodeType":1301},{"target":1587},{"sys":1588},{"id":1589,"type":1298,"linkType":1299},"5JaP4WSfFsFSbvaa9BQBOq",[],{"data":1592,"content":1593,"nodeType":1193},{},[1594],{"data":1595,"marks":1596,"value":1597,"nodeType":1192},{},[],"This is an effective way for attackers to bypass hardened authentication and access controls by sidestepping the typical login process to take over an account and compromise business apps. This includes phishing-resistant MFA methods like passkeys — since the standard login process does not apply. ",{"data":1599,"content":1600,"nodeType":1193},{},[1601],{"data":1602,"marks":1603,"value":1604,"nodeType":1192},{},[],"A variant of this attack has dominated the headlines recently with the ongoing Salesforce breaches. In this scenario, the attacker tricked the victim into authorizing an attacker-controlled OAuth app via the device code authorization flow in Salesforce, which requires the user to enter an 8-digit code in place of a password or MFA factor.",{"data":1606,"content":1610,"nodeType":1301},{"target":1607},{"sys":1608},{"id":1609,"type":1298,"linkType":1299},"3odEFcUcpKN553gHh2P5yr",[],{"data":1612,"content":1613,"nodeType":1193},{},[1614],{"data":1615,"marks":1616,"value":1617,"nodeType":1192},{},[],"Preventing malicious OAuth grants being authorized requires tight in-app management of user permissions and tenant security settings. This is no mean feat when considering the 100s of apps in use across the modern enterprise, many of which are not centrally managed by IT and security teams (or in some cases, are completely unknown to them). 
Even then, you’re limited by the controls made available by the app vendor. In this case, Salesforce has announced planned changes to OAuth app authorization in order to improve security prompted by these attacks — but many more apps with insecure configs exist for attackers to take advantage of in future. ",{"data":1619,"content":1620,"nodeType":1193},{},[1621],{"data":1622,"marks":1623,"value":1624,"nodeType":1192},{},[],"However, unlike app-specific integrations, browser-based security tools are well positioned to observe OAuth grants across all apps accessed in the browser — even the ones the security team doesn’t manage or know about, or without needing to pay for the app’s special security add-on to get visibility.",{"data":1626,"content":1627,"nodeType":1246},{},[],{"data":1629,"content":1630,"nodeType":1369},{},[1631],{"data":1632,"marks":1633,"value":1635,"nodeType":1192},{},[1634],{"type":1254},"4. Malicious browser extensions",{"data":1637,"content":1638,"nodeType":1193},{},[1639],{"data":1640,"marks":1641,"value":1642,"nodeType":1192},{},[],"Malicious browser extensions are another way for attackers to compromise your business apps by observing and capturing logins as they happen, and/or extracting session cookies and credentials saved in the browser cache and password manager. 
",{"data":1644,"content":1645,"nodeType":1193},{},[1646,1650,1659],{"data":1647,"marks":1648,"value":1649,"nodeType":1192},{},[],"Attackers do this by creating their own malicious extension and tricking your users into installing it, or taking over an existing extension to gain access to browsers where it is already installed (",{"data":1651,"content":1653,"nodeType":1288},{"uri":1652},"https://secureannex.com/blog/buying-browser-extensions/",[1654],{"data":1655,"marks":1656,"value":1658,"nodeType":1192},{},[1657],{"type":1286},"it’s very easy for attackers to buy and add malicious updates to existing extensions",{"data":1660,"marks":1661,"value":1662,"nodeType":1192},{},[],", easily passing extension web store security checks). ",{"data":1664,"content":1665,"nodeType":1193},{},[1666,1670,1679,1683,1692,1696,1705],{"data":1667,"marks":1668,"value":1669,"nodeType":1192},{},[],"The news around extension-based compromises has been on the rise since the ",{"data":1671,"content":1673,"nodeType":1288},{"uri":1672},"https://www.bleepingcomputer.com/news/security/new-details-reveal-how-hackers-hijacked-35-google-chrome-extensions/",[1674],{"data":1675,"marks":1676,"value":1678,"nodeType":1192},{},[1677],{"type":1286},"Cyberhaven extension",{"data":1680,"marks":1681,"value":1682,"nodeType":1192},{},[]," was hacked in December 2024, along with at least 35 other extensions. 
Since then, there has been regular reporting on data-stealing extensions ",{"data":1684,"content":1686,"nodeType":1288},{"uri":1685},"https://www.bleepingcomputer.com/news/security/data-stealing-chrome-extensions-impersonate-fortinet-youtube-vpns/",[1687],{"data":1688,"marks":1689,"value":1691,"nodeType":1192},{},[1690],{"type":1286},"impersonating legitimate brands",{"data":1693,"marks":1694,"value":1695,"nodeType":1192},{},[],", and ",{"data":1697,"content":1699,"nodeType":1288},{"uri":1698},"https://www.bleepingcomputer.com/news/security/chrome-extensions-with-6-million-installs-have-hidden-tracking-code/",[1700],{"data":1701,"marks":1702,"value":1704,"nodeType":1192},{},[1703],{"type":1286},"impacting millions of users",{"data":1706,"marks":1707,"value":1513,"nodeType":1192},{},[],{"data":1709,"content":1710,"nodeType":1193},{},[1711],{"data":1712,"marks":1713,"value":1714,"nodeType":1192},{},[],"Risky browser extension permissions include broad data access, the ability to modify website content, track user activity, capture screenshots, and manage tabs or network requests. Permissions like \"read and change all data on all websites\" or access to cookies and browsing history are particularly dangerous as they can be exploited for session hijacking, data theft, malware injection, or phishing.",{"data":1716,"content":1717,"nodeType":1193},{},[1718],{"data":1719,"marks":1720,"value":1721,"nodeType":1192},{},[],"Generally, your employees should not be randomly installing browser extensions unless pre-approved by your security team. The reality, however, is that many organizations have very little visibility of the extensions their employees are using, and the potential risk they’re exposed to as a result. 
",{"data":1723,"content":1724,"nodeType":1193},{},[1725],{"data":1726,"marks":1727,"value":1728,"nodeType":1192},{},[],"To tackle malicious extensions, security tools operating in the browser can track the browser extensions deployed, highlight risky permissions, compare with known-malicious extensions, identify fraudulent/unofficial versions of a legitimate extension, and highlight other risky properties commonly associated with malicious extensions (e.g. “Developer” extensions). ",{"data":1730,"content":1731,"nodeType":1246},{},[],{"data":1733,"content":1734,"nodeType":1369},{},[1735],{"data":1736,"marks":1737,"value":1739,"nodeType":1192},{},[1738],{"type":1254},"5. Malicious file delivery",{"data":1741,"content":1742,"nodeType":1193},{},[1743],{"data":1744,"marks":1745,"value":1746,"nodeType":1192},{},[],"Malicious files have been a core part of malware delivery and credential theft for many years. Just as non-email channels like malvertising and drive-by attacks are used to deliver phishing and ClickFix lures, malicious files are also distributed through similar means — leaving malicious file detection to basic known-bad checks, sandbox analysis using a proxy (not that useful in the context of sandbox-aware malware) or runtime analysis on the endpoint. ",{"data":1748,"content":1749,"nodeType":1193},{},[1750],{"data":1751,"marks":1752,"value":1753,"nodeType":1192},{},[],"This doesn’t just have to be malicious executables directly dropping malware onto the device. File downloads can also contain additional links taking the user to malicious content. In fact, one of the most common types of downloadable content are HTML Applications (HTAs), commonly used to spawn local phishing pages to stealthily capture credentials. More recently, attackers have been weaponizing SVG files for a similar purpose, running as self-contained phishing pages that render fake login portals entirely client-side. 
",{"data":1755,"content":1756,"nodeType":1193},{},[1757],{"data":1758,"marks":1759,"value":1760,"nodeType":1192},{},[],"Even if malicious content cannot always be flagged from surface-level inspection of a file, recording file downloads in the browser is a useful addition to endpoint-based malware protection, and provides another layer of defense against file downloads that perform client-side attacks, or redirect the user to malicious web-based content. ",{"data":1762,"content":1763,"nodeType":1246},{},[],{"data":1765,"content":1766,"nodeType":1369},{},[1767],{"data":1768,"marks":1769,"value":1771,"nodeType":1192},{},[1770],{"type":1254},"6. Stolen credentials and MFA gaps",{"data":1773,"content":1774,"nodeType":1193},{},[1775],{"data":1776,"marks":1777,"value":1778,"nodeType":1192},{},[],"This last one isn’t so much a browser-based attack, but it is a product of them. When credentials are stolen through phishing or infostealer malware they can be used to take over accounts missing MFA. ",{"data":1780,"content":1781,"nodeType":1193},{},[1782,1786,1793,1797,1806],{"data":1783,"marks":1784,"value":1785,"nodeType":1192},{},[],"This isn’t the most sophisticated attack, but it’s very effective. You need only look at last year’s ",{"data":1787,"content":1788,"nodeType":1288},{"uri":1280},[1789],{"data":1790,"marks":1791,"value":1287,"nodeType":1192},{},[1792],{"type":1286},{"data":1794,"marks":1795,"value":1796,"nodeType":1192},{},[]," account compromises or the ",{"data":1798,"content":1800,"nodeType":1288},{"uri":1799},"https://pushsecurity.com/blog/why-attackers-are-targeting-jira-with-stolen-credentials?utm_source=bleeping-computer&utm_medium=sponsored-content&utm_term=article",[1801],{"data":1802,"marks":1803,"value":1805,"nodeType":1192},{},[1804],{"type":1286},"Jira",{"data":1807,"marks":1808,"value":1809,"nodeType":1192},{},[]," attacks earlier this year to see how attackers harness stolen credentials at scale. 
",{"data":1811,"content":1812,"nodeType":1193},{},[1813,1817,1826],{"data":1814,"marks":1815,"value":1816,"nodeType":1192},{},[],"With the modern enterprise using hundreds of apps, the likelihood that an app hasn’t been configured for mandatory MFA (if possible) is high. And even when an app has been configured for SSO and connected to your primary corporate identity, ",{"data":1818,"content":1820,"nodeType":1288},{"uri":1819},"https://pushsecurity.com/blog/how-many-vulnerable-identities-do-you-have/?utm_source=bleeping-computer&utm_medium=sponsored-content&utm_term=sidebar",[1821],{"data":1822,"marks":1823,"value":1825,"nodeType":1192},{},[1824],{"type":1286},"local “ghost logins” can continue to exist",{"data":1827,"marks":1828,"value":1829,"nodeType":1192},{},[],", accepting passwords with no MFA required. Just having visibility of your primary Identity Provider accounts (e.g. Google, Microsoft, Okta) and SSO-connected apps doesn't give you a full picture of your identity surface.",{"data":1831,"content":1832,"nodeType":1193},{},[1833],{"data":1834,"marks":1835,"value":1836,"nodeType":1192},{},[],"Logins can also be observed in the browser — in fact, it’s as close to a universal source of truth as you’re going to get about how your employees are actually logging in, which apps they’re using, and whether MFA is present, enabling security teams to find and fix vulnerable logins before they can be exploited by attackers. ",{"data":1838,"content":1839,"nodeType":1246},{},[],{"data":1841,"content":1842,"nodeType":1256},{},[1843],{"data":1844,"marks":1845,"value":1847,"nodeType":1192},{},[1846],{"type":1254},"Conclusion",{"data":1849,"content":1850,"nodeType":1193},{},[1851],{"data":1852,"marks":1853,"value":1854,"nodeType":1192},{},[],"Attacks are increasingly happening in the browser. That makes it the perfect place to detect and respond to these attacks. But right now, the browser is a blind-spot for most security teams. 
",{"data":1856,"content":1857,"nodeType":1193},{},[1858],{"data":1859,"marks":1860,"value":1861,"nodeType":1192},{},[],"Push Security’s browser-based security platform provides comprehensive detection and response capabilities against the leading cause of breaches. Push blocks browser-based attacks like AiTM phishing, credential stuffing, password spraying and session hijacking using stolen session tokens. You can also use Push to find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, risky OAuth integrations, and more to harden your identity attack surface.",{"data":1863,"content":1864,"nodeType":1193},{},[1865,1869,1878],{"data":1866,"marks":1867,"value":1868,"nodeType":1192},{},[],"If you want to learn more about how Push helps you to detect and stop attacks in the browser, ",{"data":1870,"content":1872,"nodeType":1288},{"uri":1871},"https://pushsecurity.com/demo?utm_source=bleeping-computer&utm_medium=sponsored-content&utm_term=article",[1873],{"data":1874,"marks":1875,"value":1877,"nodeType":1192},{},[1876],{"type":1286},"book some time with one of our team for a live demo",{"data":1879,"marks":1880,"value":1513,"nodeType":1192},{},[],"6 browser-based attacks every security team should be prepared for","What security teams need to know about the browser-based attack techniques that are the leading cause of breaches.","2025-09-05T00:00:00.000Z","6-browser-based-attacks-every-security-team-should-be-prepared-for",{"items":1886},[1887,1889],{"sys":1888,"name":1205},{"id":1204},{"sys":1890,"name":1209},{"id":1208},{"items":1892},[1893],{"fullName":1894,"firstName":1895,"jobTitle":1896,"profilePicture":1897},"Dan Green","Dan","Threat 
Research",{"url":1898},"https://images.ctfassets.net/y1cdw1ablpvd/7jik1VhFgA3kgzXBXTm2Vw/fcd8c171da644903d0827eafcfbcaad0/Dan_Headshot_2025.png",{"__typename":1213,"sys":1900,"content":1902,"title":2354,"synopsis":2355,"hashTags":118,"publishedDate":2356,"slug":2357,"tagsCollection":2358,"authorsCollection":2364},{"id":1901},"4vPEPmjd8MOlARD7oXfOrj",{"json":1903},{"nodeType":1194,"data":1904,"content":1905},{},[1906,1925,1941,1947,1954,1961,1964,1972,1991,1998,2004,2011,2017,2024,2030,2037,2043,2050,2056,2059,2067,2085,2091,2099,2119,2127,2160,2167,2175,2195,2203,2223,2229,2232,2240,2260,2267,2273,2276,2284,2303,2310,2317,2323],{"nodeType":1193,"data":1907,"content":1908},{},[1909,1913,1922],{"nodeType":1192,"value":1910,"marks":1911,"data":1912},"Push recently detected and blocked a high-risk LinkedIn phishing attack that demonstrated a number of crafty (and increasingly common) ",[],{},{"nodeType":1288,"data":1914,"content":1916},{"uri":1915},"https://phishing-techniques.pushsecurity.com/",[1917],{"nodeType":1192,"value":1918,"marks":1919,"data":1921},"detection evasion techniques",[1920],{"type":1286},{},{"nodeType":1192,"value":1473,"marks":1923,"data":1924},[],{},{"nodeType":1193,"data":1926,"content":1927},{},[1928,1932,1937],{"nodeType":1192,"value":1929,"marks":1930,"data":1931},"Phishing via LinkedIn is increasingly common, although it often goes undetected and unreported. This is to be expected when most of the industry’s data on phishing attacks comes from email security vendors and tools. In contrast to email-centric reporting, ",[],{},{"nodeType":1192,"value":1933,"marks":1934,"data":1936},"34% of the phishing attacks intercepted by Push last month came through non-email channels",[1935],{"type":1254},{},{"nodeType":1192,"value":1938,"marks":1939,"data":1940}," like social media, IM platforms, malicious search engine ads, and in-app communications. 
",[],{},{"nodeType":1301,"data":1942,"content":1946},{"target":1943},{"sys":1944},{"id":1945,"type":1298,"linkType":1299},"7i8panfdFUqW9wqYkd9uDc",[],{"nodeType":1193,"data":1948,"content":1949},{},[1950],{"nodeType":1192,"value":1951,"marks":1952,"data":1953},"Phishing via LinkedIn is a great way to catch victims unawares and evade traditionally email-based anti-phishing controls. While often used for work and commonly accessed from corporate devices, it sits outside the purview of enterprise security tools, exploiting a visibility and control blind spot. ",[],{},{"nodeType":1193,"data":1955,"content":1956},{},[1957],{"nodeType":1192,"value":1958,"marks":1959,"data":1960},"Let’s break it down. ",[],{},{"nodeType":1246,"data":1962,"content":1963},{},[],{"nodeType":1256,"data":1965,"content":1966},{},[1967],{"nodeType":1192,"value":1968,"marks":1969,"data":1971},"Phishing attack breakdown",[1970],{"type":1254},{},{"nodeType":1193,"data":1973,"content":1974},{},[1975,1979,1987],{"nodeType":1192,"value":1976,"marks":1977,"data":1978},"The victim was sent a malicious link via LinkedIn DM relating to a fake investment opportunity for executives ",[],{},{"nodeType":1288,"data":1980,"content":1982},{"uri":1981},"https://www.bleepingcomputer.com/news/security/linkedin-phishing-targets-finance-execs-with-fake-board-invites/",[1983],{"nodeType":1192,"value":1984,"marks":1985,"data":1986},"to join the executive board of a newly created \"Common Wealth\" investment fund.",[],{},{"nodeType":1192,"value":1988,"marks":1989,"data":1990}," ",[],{},{"nodeType":1193,"data":1992,"content":1993},{},[1994],{"nodeType":1192,"value":1995,"marks":1996,"data":1997},"After clicking the link, they were redirected three times — via Google Search, and then payrails-canaccord[.]icu/(redacted) — before being sent to a custom landing page hosted on firebasestorage.googleapis[.]com/(redacted). 
",[],{},{"nodeType":1301,"data":1999,"content":2003},{"target":2000},{"sys":2001},{"id":2002,"type":1298,"linkType":1299},"65PeJOKzn6Ba7FDUQRae3Q",[],{"nodeType":1193,"data":2005,"content":2006},{},[2007],{"nodeType":1192,"value":2008,"marks":2009,"data":2010},"Upon clicking on one of the document links on the page, the victim is prompted to “view with Microsoft”. ",[],{},{"nodeType":1301,"data":2012,"content":2016},{"target":2013},{"sys":2014},{"id":2015,"type":1298,"linkType":1299},"4f27KuwTRx1Do59rs3JoVl",[],{"nodeType":1193,"data":2018,"content":2019},{},[2020],{"nodeType":1192,"value":2021,"marks":2022,"data":2023},"The user is then met with a Cloudflare Turnstile gate challenge at login.kggpho[.]icu before the page will fully render, and malicious content is loaded. ",[],{},{"nodeType":1301,"data":2025,"content":2029},{"target":2026},{"sys":2027},{"id":2028,"type":1298,"linkType":1299},"3lpVmLBZSocOSGdlCKhKnD",[],{"nodeType":1193,"data":2031,"content":2032},{},[2033],{"nodeType":1192,"value":2034,"marks":2035,"data":2036},"The Microsoft-impersonating AITM phishing page is then served to the victim. Entering credentials and completing the MFA check will result in their Microsoft session being stolen by the attacker. ",[],{},{"nodeType":1301,"data":2038,"content":2042},{"target":2039},{"sys":2040},{"id":2041,"type":1298,"linkType":1299},"5FCa4EJwyux13K9KBT3nd4",[],{"nodeType":1193,"data":2044,"content":2045},{},[2046],{"nodeType":1192,"value":2047,"marks":2048,"data":2049},"You can see the full timeline of events in the Detection Timeline below. 
",[],{},{"nodeType":1301,"data":2051,"content":2055},{"target":2052},{"sys":2053},{"id":2054,"type":1298,"linkType":1299},"8lizkPJcGdZhtWFV2QEwQ",[],{"nodeType":1246,"data":2057,"content":2058},{},[],{"nodeType":1256,"data":2060,"content":2061},{},[2062],{"nodeType":1192,"value":2063,"marks":2064,"data":2066},"Detection evasion techniques observed",[2065],{"type":1254},{},{"nodeType":1193,"data":2068,"content":2069},{},[2070,2074,2081],{"nodeType":1192,"value":2071,"marks":2072,"data":2073},"The attacker used a number of ",[],{},{"nodeType":1288,"data":2075,"content":2076},{"uri":1915},[2077],{"nodeType":1192,"value":1918,"marks":2078,"data":2080},[2079],{"type":1286},{},{"nodeType":1192,"value":2082,"marks":2083,"data":2084}," to prevent the phishing site being analysed and detected by security tools. ",[],{},{"nodeType":1301,"data":2086,"content":2090},{"target":2087},{"sys":2088},{"id":2089,"type":1298,"linkType":1299},"7q9D1MREwTCCpnjvZZ5wk1",[],{"nodeType":1369,"data":2092,"content":2093},{},[2094],{"nodeType":1192,"value":2095,"marks":2096,"data":2098},"LinkedIn delivery",[2097],{"type":1254},{},{"nodeType":1193,"data":2100,"content":2101},{},[2102,2106,2115],{"nodeType":1192,"value":2103,"marks":2104,"data":2105},"As we mentioned above, sending phishing lures via ",[],{},{"nodeType":1288,"data":2107,"content":2109},{"uri":2108},"https://phishing-techniques.pushsecurity.com/techniques/social-media/",[2110],{"nodeType":1192,"value":2111,"marks":2112,"data":2114},"social media apps",[2113],{"type":1286},{},{"nodeType":1192,"value":2116,"marks":2117,"data":2118}," like LinkedIn is a great way to reach employees in a place that they expect to be contacted by people outside of their organization. By evading the traditional phishing control point altogether (email) attackers significantly reduce the risk of interception. 
",[],{},{"nodeType":1369,"data":2120,"content":2121},{},[2122],{"nodeType":1192,"value":2123,"marks":2124,"data":2126},"Lengthy redirect chain through trusted sites",[2125],{"type":1254},{},{"nodeType":1193,"data":2128,"content":2129},{},[2130,2134,2143,2147,2156],{"nodeType":1192,"value":2131,"marks":2132,"data":2133},"Attackers use ",[],{},{"nodeType":1288,"data":2135,"content":2137},{"uri":2136},"https://phishing-techniques.pushsecurity.com/techniques/domain-rotation-redirection/",[2138],{"nodeType":1192,"value":2139,"marks":2140,"data":2142},"lengthy redirect chains",[2141],{"type":1286},{},{"nodeType":1192,"value":2144,"marks":2145,"data":2146}," in combination with hosting pages on ",[],{},{"nodeType":1288,"data":2148,"content":2150},{"uri":2149},"https://phishing-techniques.pushsecurity.com/techniques/trusted-website-hosting/",[2151],{"nodeType":1192,"value":2152,"marks":2153,"data":2155},"legitimate, trusted sites",[2154],{"type":1286},{},{"nodeType":1192,"value":2157,"marks":2158,"data":2159}," (in this case Firebase, Google’s app development platform). This is a technique we see a lot, with various Google and Microsoft sites cropping up time and again, including Google Forms, Google Sites, Google Script, Google AMP, Microsoft Dynamics, SharePoint, Azure Front Door, and many more, all used by attackers as part of their phishing attacks. ",[],{},{"nodeType":1193,"data":2161,"content":2162},{},[2163],{"nodeType":1192,"value":2164,"marks":2165,"data":2166},"Legitimate services are less likely to be flagged by link analysis tools and effectively cloak the initial URL delivered to the victim to increase the chance of successful delivery of and access to the link, while many services are excluded from page scanning tools owing to their association with trusted domains. 
",[],{},{"nodeType":1369,"data":2168,"content":2169},{},[2170],{"nodeType":1192,"value":2171,"marks":2172,"data":2174},"Bot protection",[2173],{"type":1254},{},{"nodeType":1193,"data":2176,"content":2177},{},[2178,2182,2191],{"nodeType":1192,"value":2179,"marks":2180,"data":2181},"Attackers are using common ",[],{},{"nodeType":1288,"data":2183,"content":2185},{"uri":2184},"https://phishing-techniques.pushsecurity.com/techniques/bot-protection/",[2186],{"nodeType":1192,"value":2187,"marks":2188,"data":2190},"bot protection",[2189],{"type":1286},{},{"nodeType":1192,"value":2192,"marks":2193,"data":2194}," technologies like CAPTCHA and Cloudflare Turnstile to prevent security bots from accessing their web pages to be able to analyse them (and therefore block pages from being automatically flagged). This requires anyone visiting the page to pass a bot check/challenge before the page can be loaded, meaning the full page cannot be analysed by automated tools. ",[],{},{"nodeType":1369,"data":2196,"content":2197},{},[2198],{"nodeType":1192,"value":2199,"marks":2200,"data":2202},"Page obfuscation",[2201],{"type":1254},{},{"nodeType":1193,"data":2204,"content":2205},{},[2206,2210,2219],{"nodeType":1192,"value":2207,"marks":2208,"data":2209},"Phishing pages ",[],{},{"nodeType":1288,"data":2211,"content":2213},{"uri":2212},"https://phishing-techniques.pushsecurity.com/techniques/page-obfuscation/",[2214],{"nodeType":1192,"value":2215,"marks":2216,"data":2218},"change and even randomize elements of the page",[2217],{"type":1286},{},{"nodeType":1192,"value":2220,"marks":2221,"data":2222}," to avoid static fingerprints and defeat comparison-based checks against real pages. This includes the page title, text, images, backgrounds, logos, favicons, etc. — all of which may be signatured components using web page analysis tools. These elements can even be embedded in an encoded form so it isn’t present in the initial HTML, and is instead dynamically set at runtime when loaded. 
As an example, you can see that the page randomly generated the tab header text.",[],{},{"nodeType":1301,"data":2224,"content":2228},{"target":2225},{"sys":2226},{"id":2227,"type":1298,"linkType":1299},"2bbOZC9M4y69ACDy7bn209",[],{"nodeType":1246,"data":2230,"content":2231},{},[],{"nodeType":1256,"data":2233,"content":2234},{},[2235],{"nodeType":1192,"value":2236,"marks":2237,"data":2239},"Impact analysis",[2238],{"type":1254},{},{"nodeType":1193,"data":2241,"content":2242},{},[2243,2247,2256],{"nodeType":1192,"value":2244,"marks":2245,"data":2246},"We’re seeing ",[],{},{"nodeType":1288,"data":2248,"content":2250},{"uri":2249},"https://pushsecurity.com/blog/how-push-stopped-a-high-risk-linkedin-spear-phishing-attack/",[2251],{"nodeType":1192,"value":2252,"marks":2253,"data":2255},"many phishing campaigns pivoting to social media apps like LinkedIn",[2254],{"type":1286},{},{"nodeType":1192,"value":2257,"marks":2258,"data":2259}," and organizations should be on guard against this attack vector, which is highly effective at evading common anti-phishing controls.  ",[],{},{"nodeType":1193,"data":2261,"content":2262},{},[2263],{"nodeType":1192,"value":2264,"marks":2265,"data":2266},"Just because the attack happens over LinkedIn doesn’t lessen the impact — these are corporate credentials and accounts being targeted, even if it is nominally a “personal” application. Taking over a core identity like a Microsoft or Google account can have wide-ranging consequences, putting data at risk in both core apps and any downstream apps that can be accessed via SSO from the compromised account. 
",[],{},{"nodeType":1301,"data":2268,"content":2272},{"target":2269},{"sys":2270},{"id":2271,"type":1298,"linkType":1299},"6QzB0BlVC5mstXwXHvy2c3",[],{"nodeType":1246,"data":2274,"content":2275},{},[],{"nodeType":1256,"data":2277,"content":2278},{},[2279],{"nodeType":1192,"value":2280,"marks":2281,"data":2283},"How Push stopped the attack",[2282],{"type":1254},{},{"nodeType":1193,"data":2285,"content":2286},{},[2287,2291,2299],{"nodeType":1192,"value":2288,"marks":2289,"data":2290},"Push doesn’t detect the redirect tricks or rely on outdated domain TI feeds. The reason we detect these attacks (which make it through all the other layers of phishing protection) is that Push sees what your users see. It doesn’t matter what ",[],{},{"nodeType":1288,"data":2292,"content":2293},{"uri":1915},[2294],{"nodeType":1192,"value":2295,"marks":2296,"data":2298},"delivery channel or camouflage methods are used",[2297],{"type":1286},{},{"nodeType":1192,"value":2300,"marks":2301,"data":2302},", Push shuts the attack down in real time, as the user loads the malicious page in their web browser.",[],{},{"nodeType":1193,"data":2304,"content":2305},{},[2306],{"nodeType":1192,"value":2307,"marks":2308,"data":2309},"This isn’t all we do: Push’s browser-based security platform provides comprehensive detection and response capabilities against the leading cause of breaches. Push blocks browser-based attacks like AiTM phishing, credential stuffing, malicious browser extensions, malicious OAuth grants, ClickFix, and session hijacking. 
You don’t need to wait until it all goes wrong — you can also use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, and more to harden your identity attack surface.",[],{},{"nodeType":1193,"data":2311,"content":2312},{},[2313],{"nodeType":1192,"value":2314,"marks":2315,"data":2316},"Check out the demo below to see Push detect and block this attack in real-time. ",[],{},{"nodeType":1301,"data":2318,"content":2322},{"target":2319},{"sys":2320},{"id":2321,"type":1298,"linkType":1299},"5VsFECWlJ1HNGtC0jUcPjH",[],{"nodeType":1193,"data":2324,"content":2325},{},[2326,2330,2339,2343,2351],{"nodeType":1192,"value":2327,"marks":2328,"data":2329},"To learn more about Push, ",[],{},{"nodeType":1288,"data":2331,"content":2333},{"uri":2332},"https://pushsecurity.com/resources/product-brochure",[2334],{"nodeType":1192,"value":2335,"marks":2336,"data":2338},"check out our latest product overview",[2337],{"type":1286},{},{"nodeType":1192,"value":2340,"marks":2341,"data":2342}," or ",[],{},{"nodeType":1288,"data":2344,"content":2346},{"uri":2345},"https://pushsecurity.com/demo",[2347],{"nodeType":1192,"value":1877,"marks":2348,"data":2350},[2349],{"type":1286},{},{"nodeType":1192,"value":1513,"marks":2352,"data":2353},[],{},"New phishing campaign identified targeting LinkedIn users","Diving into the latest sophisticated LinkedIn phishing campaign intercepted by Push. 
","2025-10-30T00:00:00.000Z","new-phishing-campaign-identified-targeting-linkedin-users",{"items":2359},[2360,2362],{"sys":2361,"name":1209},{"id":1208},{"sys":2363,"name":1205},{"id":1204},{"items":2365},[2366],{"fullName":1894,"firstName":1895,"jobTitle":1896,"profilePicture":2367},{"url":1898},{"__typename":1213,"sys":2369,"content":2371,"title":3042,"synopsis":3043,"hashTags":118,"publishedDate":3044,"slug":3045,"tagsCollection":3046,"authorsCollection":3052},{"id":2370},"7dqGkFzSMA00bIJ94rW4na",{"json":2372},{"nodeType":1194,"data":2373,"content":2374},{},[2375,2382,2389,2395,2420,2440,2443,2451,2458,2465,2473,2493,2496,2504,2511,2517,2524,2530,2533,2541,2548,2555,2580,2587,2620,2627,2635,2655,2662,2668,2697,2730,2738,2745,2752,2785,2788,2796,2816,2823,2846,2853,2859,2862,2870,2877,3006,3009,3017,3024],{"nodeType":1193,"data":2376,"content":2377},{},[2378],{"nodeType":1192,"value":2379,"marks":2380,"data":2381},"As awareness grows around many MFA methods being “phishable” (i.e. not phishing resistant), passwordless authentication methods are being increasingly advocated. ",[],{},{"nodeType":1193,"data":2383,"content":2384},{},[2385],{"nodeType":1192,"value":2386,"marks":2387,"data":2388},"This is a good thing. The most commonly used MFA factors (like SMS codes, push notifications, and app-based OTP) are routinely bypassed, with modern reverse-proxy phishing kits the most common method. ",[],{},{"nodeType":1301,"data":2390,"content":2394},{"target":2391},{"sys":2392},{"id":2393,"type":1298,"linkType":1299},"ImwzE2R9qaHaqlWn0GqIa",[],{"nodeType":1193,"data":2396,"content":2397},{},[2398,2402,2407,2411,2416],{"nodeType":1192,"value":2399,"marks":2400,"data":2401},"Often referred to as a “passkey”, passwordless authentication typically consists of a hardware security device that is built-into your laptop (e.g. the fingerprint sensor on a laptop) or something you plug into your device (e.g. a Yubikey). 
Because passkey-based logins are domain-bound, trying to use a passkey for ",[],{},{"nodeType":1192,"value":2403,"marks":2404,"data":2406},"microsoft.com",[2405],{"type":1286},{},{"nodeType":1192,"value":2408,"marks":2409,"data":2410}," on ",[],{},{"nodeType":1192,"value":2412,"marks":2413,"data":2415},"phishing.com",[2414],{"type":1286},{},{"nodeType":1192,"value":2417,"marks":2418,"data":2419}," simply won’t generate the correct value to pass the authentication check, even when proxied using an AiTM kit. ",[],{},{"nodeType":1193,"data":2421,"content":2422},{},[2423,2427,2437],{"nodeType":1192,"value":2424,"marks":2425,"data":2426},"However, attackers have realized that even as these new phishing-resistant methods are starting to be adopted, most users still have alternative MFA methods active. The attacker can then do what’s called a ",[],{},{"nodeType":1288,"data":2428,"content":2430},{"uri":2429},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/mfa_downgrade/description.md",[2431],{"nodeType":1192,"value":2432,"marks":2433,"data":2436},"downgrade attack",[2434,2435],{"type":1286},{"type":1254},{},{"nodeType":1192,"value":1513,"marks":2438,"data":2439},[],{},{"nodeType":1246,"data":2441,"content":2442},{},[],{"nodeType":1256,"data":2444,"content":2445},{},[2446],{"nodeType":1192,"value":2447,"marks":2448,"data":2450},"Downgrade attacks 101",[2449],{"type":1254},{},{"nodeType":1193,"data":2452,"content":2453},{},[2454],{"nodeType":1192,"value":2455,"marks":2456,"data":2457},"When conducting an Attacker-in-the-Middle phishing attack, the attacker doesn’t need to relay 100% of the messages accurately. Instead, they can alter some of them. The app might ask the user “You need to MFA — do you want to use your passkey, or your backup authenticator code?”, but the phishing website might modify this page to say “You need to MFA — use your backup authenticator code”, not giving you the option to use your secure passkey. 
This is called a downgrade attack.",[],{},{"nodeType":1193,"data":2459,"content":2460},{},[2461],{"nodeType":1192,"value":2462,"marks":2463,"data":2464},"This can also be applied to accounts that use SSO as the default login method. In this scenario, the phish kit can select a backup username and password option to allow the phishing attack to proceed.  ",[],{},{"nodeType":1193,"data":2466,"content":2467},{},[2468],{"nodeType":1192,"value":2469,"marks":2470,"data":2472},"So, you have a situation where even if a phishing-resistant login method exists, the presence of a less secure backup method means the account is still vulnerable to phishing attacks. ",[2471],{"type":1254},{},{"nodeType":1193,"data":2474,"content":2475},{},[2476,2480,2489],{"nodeType":1192,"value":2477,"marks":2478,"data":2479},"These attacks are effective across a number of sites and login methods that support passkey-based logins, for example, Windows Hello, Okta FastPass, and Google Workspace. As an example, here’s a link to a ",[],{},{"nodeType":1288,"data":2481,"content":2483},{"uri":2482},"https://github.com/yudasm/WHfB-o365-Phishlet",[2484],{"nodeType":1192,"value":2485,"marks":2486,"data":2488},"custom phishlet for Evilginx",[2487],{"type":1286},{},{"nodeType":1192,"value":2490,"marks":2491,"data":2492}," targeting Windows Hello for Business. A small caveat is that changes made by Microsoft have since broken this plugin, but we were able to write our own custom phishlet to achieve the same outcome. ",[],{},{"nodeType":1246,"data":2494,"content":2495},{},[],{"nodeType":1256,"data":2497,"content":2498},{},[2499],{"nodeType":1192,"value":2500,"marks":2501,"data":2503},"MFA downgrade in action",[2502],{"type":1254},{},{"nodeType":1193,"data":2505,"content":2506},{},[2507],{"nodeType":1192,"value":2508,"marks":2509,"data":2510},"Check out the video below to see an example of using Evilginx with a custom phishlet to downgrade authentication for a Microsoft account using Windows Hello. 
",[],{},{"nodeType":1301,"data":2512,"content":2516},{"target":2513},{"sys":2514},{"id":2515,"type":1298,"linkType":1299},"54I3YQ2gK26a8FIocQ3WYT",[],{"nodeType":1193,"data":2518,"content":2519},{},[2520],{"nodeType":1192,"value":2521,"marks":2522,"data":2523},"We’ve encountered similar functionality in criminal phishing platforms we’ve investigated such as Tycoon — in this case, targeting Google accounts. This snippet is notable in that it includes JavaScript to abuse UI features to bypass passkeys.",[],{},{"nodeType":1301,"data":2525,"content":2529},{"target":2526},{"sys":2527},{"id":2528,"type":1298,"linkType":1299},"5Vya1VApSisr0000HuTLY2",[],{"nodeType":1246,"data":2531,"content":2532},{},[],{"nodeType":1256,"data":2534,"content":2535},{},[2536],{"nodeType":1192,"value":2537,"marks":2538,"data":2540},"Mitigations (and challenges)",[2539],{"type":1254},{},{"nodeType":1193,"data":2542,"content":2543},{},[2544],{"nodeType":1192,"value":2545,"marks":2546,"data":2547},"MFA downgrade is made possible by the existence of backup authentication methods. So the obvious solution is to remove backup/unused login and MFA methods from your accounts, ensuring you’re accessing apps using SSO from a hardened Identity Provider (IdP) account (e.g. Okta, Entra, Google Workspace). 
",[],{},{"nodeType":1193,"data":2549,"content":2550},{},[2551],{"nodeType":1192,"value":2552,"marks":2553,"data":2554},"In the ideal world, you’d be:",[],{},{"nodeType":2556,"data":2557,"content":2558},"unordered-list",{},[2559,2570],{"nodeType":2560,"data":2561,"content":2562},"list-item",{},[2563],{"nodeType":1193,"data":2564,"content":2565},{},[2566],{"nodeType":1192,"value":2567,"marks":2568,"data":2569},"Using only one IdP account, which you access via passkey, with no backup methods.",[],{},{"nodeType":2560,"data":2571,"content":2572},{},[2573],{"nodeType":1193,"data":2574,"content":2575},{},[2576],{"nodeType":1192,"value":2577,"marks":2578,"data":2579},"Accessing all business apps using SSO from your locked-down IdP account. ",[],{},{"nodeType":1193,"data":2581,"content":2582},{},[2583],{"nodeType":1192,"value":2584,"marks":2585,"data":2586},"The reality is way different, though. Because going totally passwordless is hard. It requires a large investment of time, money, and training for end-users. You’ll find many cautionary tales of companies starting on their passkey adoption journey and ultimately failing to make it a reality. This is largely because:",[],{},{"nodeType":2556,"data":2588,"content":2589},{},[2590,2600,2610],{"nodeType":2560,"data":2591,"content":2592},{},[2593],{"nodeType":1193,"data":2594,"content":2595},{},[2596],{"nodeType":1192,"value":2597,"marks":2598,"data":2599},"In environments with a mix of older and newer infrastructure, it can be challenging to get complete coverage. 
",[],{},{"nodeType":2560,"data":2601,"content":2602},{},[2603],{"nodeType":1193,"data":2604,"content":2605},{},[2606],{"nodeType":1192,"value":2607,"marks":2608,"data":2609},"Not every device comes with an in-built biometric identification method, so you need to use a second device — which employees may struggle with (especially when they lose it and aren’t familiar with how to regain account access).",[],{},{"nodeType":2560,"data":2611,"content":2612},{},[2613],{"nodeType":1193,"data":2614,"content":2615},{},[2616],{"nodeType":1192,"value":2617,"marks":2618,"data":2619},"Most apps don’t allow you to log in directly with a passkey, meaning you need to SSO from your IdP account. But many apps don’t support every preferred SSO provider, and fail to provide SAML support, so there can be gaps.  ",[],{},{"nodeType":1193,"data":2621,"content":2622},{},[2623],{"nodeType":1192,"value":2624,"marks":2625,"data":2626},"And ultimately, because of the self-service, product-led growth fuelled nature of most online services today, it’s easy for users to slip back into using passwords — and hard for security teams to find and remove them (particularly if an app isn’t centrally managed). And the level of support that different apps provide users and administrators to secure how they access their services varies significantly. ",[],{},{"nodeType":1369,"data":2628,"content":2629},{},[2630],{"nodeType":1192,"value":2631,"marks":2632,"data":2634},"Most apps make removing phishable authentication hard",[2633],{"type":1254},{},{"nodeType":1193,"data":2636,"content":2637},{},[2638,2642,2651],{"nodeType":1192,"value":2639,"marks":2640,"data":2641},"While some providers are taking steps to go passwordless by default, which makes it easier to remove passwords (e.g. 
",[],{},{"nodeType":1288,"data":2643,"content":2645},{"uri":2644},"https://techcommunity.microsoft.com/blog/microsoft-entra-blog/introducing-password-removal-for-microsoft-accounts/2747280",[2646],{"nodeType":1192,"value":2647,"marks":2648,"data":2650},"Microsoft",[2649],{"type":1286},{},{"nodeType":1192,"value":2652,"marks":2653,"data":2654}," recently made a big deal of its desire to get rid of passwords), the quality of identity security management functionality varies significantly from app to app. ",[],{},{"nodeType":1193,"data":2656,"content":2657},{},[2658],{"nodeType":1192,"value":2659,"marks":2660,"data":2661},"Many apps default to the most recently used or strongest login method, but very few automatically lock you in to using the strongest method available. Most of the time, these kinds of controls also need to be configured in the app — which can be challenging if your security team doesn’t manage it (or simply isn’t aware of it). ",[],{},{"nodeType":1301,"data":2663,"content":2667},{"target":2664},{"sys":2665},{"id":2666,"type":1298,"linkType":1299},"4X9MR0CbSMltOmw767XNOm",[],{"nodeType":1193,"data":2669,"content":2670},{},[2671,2675,2680,2684,2693],{"nodeType":1192,"value":2672,"marks":2673,"data":2674},"Finally, configuring MFA is often an additive process — you start by adding a phone number, then you add an authenticator app or a passkey. 
Just like we find that most accounts with SSO ",[],{},{"nodeType":1192,"value":2676,"marks":2677,"data":2679},"also",[2678],{"type":1254},{},{"nodeType":1192,"value":2681,"marks":2682,"data":2683}," have a password login configured (also known as ",[],{},{"nodeType":1288,"data":2685,"content":2687},{"uri":2686},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/ghost_logins/description.md",[2688],{"nodeType":1192,"value":2689,"marks":2690,"data":2692},"ghost logins",[2691],{"type":1286},{},{"nodeType":1192,"value":2694,"marks":2695,"data":2696},"), most accounts with MFA typically have multiple methods attached to their account. ",[],{},{"nodeType":1193,"data":2698,"content":2699},{},[2700,2704,2713,2717,2726],{"nodeType":1192,"value":2701,"marks":2702,"data":2703},"The result is that even if you can successfully lock down a handful of apps, many more will continue to be susceptible to phishing attacks using commonly available downgrade functionality. And as attackers diversify the apps they target (such as these recent examples targeting ",[],{},{"nodeType":1288,"data":2705,"content":2707},{"uri":2706},"https://pushsecurity.com/blog/investigating-a-recent-malvertising-campaign-targeting-onfido-customers/",[2708],{"nodeType":1192,"value":2709,"marks":2710,"data":2712},"Onfido",[2711],{"type":1286},{},{"nodeType":1192,"value":2714,"marks":2715,"data":2716}," and ",[],{},{"nodeType":1288,"data":2718,"content":2720},{"uri":2719},"https://pushsecurity.com/blog/dissecting-a-recent-mailchimp-phishing-attack/",[2721],{"nodeType":1192,"value":2722,"marks":2723,"data":2725},"MailChimp",[2724],{"type":1286},{},{"nodeType":1192,"value":2727,"marks":2728,"data":2729},"), this becomes increasingly likely. 
",[],{},{"nodeType":1369,"data":2731,"content":2732},{},[2733],{"nodeType":1192,"value":2734,"marks":2735,"data":2737},"Conditional access is a useful mitigation if configured properly, but only on apps which support it",[2736],{"type":1254},{},{"nodeType":1193,"data":2739,"content":2740},{},[2741],{"nodeType":1192,"value":2742,"marks":2743,"data":2744},"Conditional access policies are a useful last line of defense against account takeover attacks by denying logins that don't meet certain criteria, even if the user is able to authenticate. In larger IdP platforms that typically support more granular conditional access policies, this is a useful addition when configured correctly. However, many apps simply don't support conditional access, so will be vulnerable to attackers targeting them directly (as opposed to first logging into e.g. Microsoft or Google, and then accessing downstream apps via SSO). ",[],{},{"nodeType":1193,"data":2746,"content":2747},{},[2748],{"nodeType":1192,"value":2749,"marks":2750,"data":2751},"That said, locking down your core IdP platforms with robust conditional access should be a top priority for security teams. Useful policies that should be configured include:",[],{},{"nodeType":2556,"data":2753,"content":2754},{},[2755,2765,2775],{"nodeType":2560,"data":2756,"content":2757},{},[2758],{"nodeType":1193,"data":2759,"content":2760},{},[2761],{"nodeType":1192,"value":2762,"marks":2763,"data":2764},"Limit logins to domain-joined devices.",[],{},{"nodeType":2560,"data":2766,"content":2767},{},[2768],{"nodeType":1193,"data":2769,"content":2770},{},[2771],{"nodeType":1192,"value":2772,"marks":2773,"data":2774},"Require phishing-resistant MFA. ",[],{},{"nodeType":2560,"data":2776,"content":2777},{},[2778],{"nodeType":1193,"data":2779,"content":2780},{},[2781],{"nodeType":1192,"value":2782,"marks":2783,"data":2784},"(Where possible) limit logins to trusted IP ranges. 
",[],{},{"nodeType":1246,"data":2786,"content":2787},{},[],{"nodeType":1256,"data":2789,"content":2790},{},[2791],{"nodeType":1192,"value":2792,"marks":2793,"data":2795},"Tackling MFA downgrade with Push Security",[2794],{"type":1254},{},{"nodeType":1193,"data":2797,"content":2798},{},[2799,2803,2812],{"nodeType":1192,"value":2800,"marks":2801,"data":2802},"Phishing-resistant authentication methods like passkeys are key to the future of enterprise identity security, but organizations need to recognize that adopting passkeys isn’t a silver bullet. Ensuring that passkeys are the only authentication method supported by your business apps is no mean feat, considering ",[],{},{"nodeType":1288,"data":2804,"content":2806},{"uri":2805},"https://pushsecurity.com/blog/how-many-vulnerable-identities-do-you-have/",[2807],{"nodeType":1192,"value":2808,"marks":2809,"data":2811},"most organizations are using hundreds of them",[2810],{"type":1286},{},{"nodeType":1192,"value":2813,"marks":2814,"data":2815}," — all with their own specific ways of handling and administering identities. 
",[],{},{"nodeType":1193,"data":2817,"content":2818},{},[2819],{"nodeType":1192,"value":2820,"marks":2821,"data":2822},"That’s why we support a layered defense, providing last-mile protection by:",[],{},{"nodeType":2556,"data":2824,"content":2825},{},[2826,2836],{"nodeType":2560,"data":2827,"content":2828},{},[2829],{"nodeType":1193,"data":2830,"content":2831},{},[2832],{"nodeType":1192,"value":2833,"marks":2834,"data":2835},"Intercepting and blocking phishing attacks in the browser to prevent AiTM attacks using downgrade techniques.",[],{},{"nodeType":2560,"data":2837,"content":2838},{},[2839],{"nodeType":1193,"data":2840,"content":2841},{},[2842],{"nodeType":1192,"value":2843,"marks":2844,"data":2845},"Identifying backup MFA and login methods across the business apps your employees use, so they can be removed (individually or through app-level configuration changes).",[],{},{"nodeType":1193,"data":2847,"content":2848},{},[2849],{"nodeType":1192,"value":2850,"marks":2851,"data":2852},"Here’s how it works.",[],{},{"nodeType":1301,"data":2854,"content":2858},{"target":2855},{"sys":2856},{"id":2857,"type":1298,"linkType":1299},"2uvItnfaOQZHa4a9BIIhRn",[],{"nodeType":1246,"data":2860,"content":2861},{},[],{"nodeType":1256,"data":2863,"content":2864},{},[2865],{"nodeType":1192,"value":2866,"marks":2867,"data":2869},"Further reading",[2868],{"type":1254},{},{"nodeType":1193,"data":2871,"content":2872},{},[2873],{"nodeType":1192,"value":2874,"marks":2875,"data":2876},"MFA downgrade is just one method of getting into an otherwise locked-down account. 
Attackers are also finding ways to bypass the standard authentication process entirely, through: ",[],{},{"nodeType":2556,"data":2878,"content":2879},{},[2880,2915,2949,2971],{"nodeType":2560,"data":2881,"content":2882},{},[2883],{"nodeType":1193,"data":2884,"content":2885},{},[2886,2889,2898,2902,2911],{"nodeType":1192,"value":37,"marks":2887,"data":2888},[],{},{"nodeType":1288,"data":2890,"content":2892},{"uri":2891},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/app_specific_password_phishing/description.md",[2893],{"nodeType":1192,"value":2894,"marks":2895,"data":2897},"App-specific password phishing",[2896],{"type":1286},{},{"nodeType":1192,"value":2899,"marks":2900,"data":2901},", where attackers can abuse functionality designed to enable users to log into apps that don’t support modern authentication. (",[],{},{"nodeType":1288,"data":2903,"content":2905},{"uri":2904},"https://pushsecurity.com/blog/app-specific-password-phishing/",[2906],{"nodeType":1192,"value":2907,"marks":2908,"data":2910},"Read the article for more information here",[2909],{"type":1286},{},{"nodeType":1192,"value":2912,"marks":2913,"data":2914},").",[],{},{"nodeType":2560,"data":2916,"content":2917},{},[2918],{"nodeType":1193,"data":2919,"content":2920},{},[2921,2924,2932,2936,2945],{"nodeType":1192,"value":37,"marks":2922,"data":2923},[],{},{"nodeType":1288,"data":2925,"content":2926},{"uri":1575},[2927],{"nodeType":1192,"value":2928,"marks":2929,"data":2931},"Consent phishing",[2930],{"type":1286},{},{"nodeType":1192,"value":2933,"marks":2934,"data":2935},", which sees the victim accept OAuth scopes for an attacker-controlled app integration granting access to the account without needing to directly compromise it. 
(",[],{},{"nodeType":1288,"data":2937,"content":2939},{"uri":2938},"https://pushsecurity.com/blog/how-consent-phishing-is-evolving/",[2940],{"nodeType":1192,"value":2941,"marks":2942,"data":2944},"You can read more about recent examples here",[2943],{"type":1286},{},{"nodeType":1192,"value":2946,"marks":2947,"data":2948},".) ",[],{},{"nodeType":2560,"data":2950,"content":2951},{},[2952],{"nodeType":1193,"data":2953,"content":2954},{},[2955,2958,2967],{"nodeType":1192,"value":37,"marks":2956,"data":2957},[],{},{"nodeType":1288,"data":2959,"content":2961},{"uri":2960},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/device_code_phishing/description.md",[2962],{"nodeType":1192,"value":2963,"marks":2964,"data":2966},"Device code phishing",[2965],{"type":1286},{},{"nodeType":1192,"value":2968,"marks":2969,"data":2970},", functionally very similar to consent phishing but involving the victim entering a code for authorization. ",[],{},{"nodeType":2560,"data":2972,"content":2973},{},[2974],{"nodeType":1193,"data":2975,"content":2976},{},[2977,2980,2989,2993,3002],{"nodeType":1192,"value":37,"marks":2978,"data":2979},[],{},{"nodeType":1288,"data":2981,"content":2983},{"uri":2982},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/cross-idp_impersonation/description.md",[2984],{"nodeType":1192,"value":2985,"marks":2986,"data":2988},"Cross-IdP impersonation",[2987],{"type":1286},{},{"nodeType":1192,"value":2990,"marks":2991,"data":2992},", which sees the attacker register a new IdP connected to the victim’s email account that can be used to access connected apps via SSO without directly compromising the primary IdP. 
(",[],{},{"nodeType":1288,"data":2994,"content":2996},{"uri":2995},"https://pushsecurity.com/blog/a-new-class-of-phishing-verification-phishing-and-cross-idp-impersonation/",[2997],{"nodeType":1192,"value":2998,"marks":2999,"data":3001},"You can read more about this here",[3000],{"type":1286},{},{"nodeType":1192,"value":3003,"marks":3004,"data":3005},".)",[],{},{"nodeType":1246,"data":3007,"content":3008},{},[],{"nodeType":1256,"data":3010,"content":3011},{},[3012],{"nodeType":1192,"value":3013,"marks":3014,"data":3016},"Learn more",[3015],{"type":1254},{},{"nodeType":1193,"data":3018,"content":3019},{},[3020],{"nodeType":1192,"value":3021,"marks":3022,"data":3023},"Push Security’s browser-based security platform provides comprehensive identity attack detection and response capabilities against techniques like AiTM phishing, credential stuffing, password spraying and session hijacking using stolen session tokens. You can also use Push to find and fix identity vulnerabilities across every app that your employees use, like: ghost logins; SSO coverage gaps; MFA gaps; weak, breached and reused passwords; risky OAuth integrations; and more.",[],{},{"nodeType":1193,"data":3025,"content":3026},{},[3027,3031,3039],{"nodeType":1192,"value":3028,"marks":3029,"data":3030},"If you want to learn more about how Push helps you to detect and defeat common identity attack techniques, ",[],{},{"nodeType":1288,"data":3032,"content":3034},{"uri":3033},"https://pushsecurity.com/demo/",[3035],{"nodeType":1192,"value":1877,"marks":3036,"data":3038},[3037],{"type":1286},{},{"nodeType":1192,"value":1513,"marks":3040,"data":3041},[],{},"MFA downgrade: How attackers are getting around phishing-resistant authentication","MFA downgrade attacks are an increasingly common technique used by attackers to bypass phishing-resistant authentication methods registered to an 
account.","2025-07-21T00:00:00.000Z","mfa-downgrade-attacks",{"items":3047},[3048,3050],{"sys":3049,"name":1209},{"id":1208},{"sys":3051,"name":1205},{"id":1204},{"items":3053},[3054],{"fullName":3055,"firstName":3056,"jobTitle":3057,"profilePicture":3058},"Luke Jennings","Luke","Vice President, R&D",{"url":3059},"https://images.ctfassets.net/y1cdw1ablpvd/4Hosb4zKi1dA0PUyDLMe1h/27e09d894861f2196ba794037986fb08/T016S22KZ96-U02NVQM7ZD4-57761d542d83-512.jpeg",{"items":3061},[3062],{"fullName":1894,"firstName":1895,"jobTitle":1896,"profilePicture":3063},{"url":1898},{"json":3065,"links":4013},{"nodeType":1194,"data":3066,"content":3067},{},[3068,3075,3082,3089,3092,3100,3107,3114,3120,3127,3133,3153,3160,3172,3175,3183,3190,3206,3213,3225,3231,3234,3242,3250,3256,3265,3285,3294,3301,3310,3329,3338,3345,3354,3385,3394,3401,3410,3428,3434,3443,3450,3459,3501,3504,3512,3521,3541,3550,3557,3566,3599,3605,3614,3621,3627,3630,3638,3647,3654,3714,3720,3723,3731,3740,3747,3753,3756,3764,3771,3778,3847,3854,3917,3924,3927,3935,3942,3949,3955,3958,3966,3973,3980,3987],{"nodeType":1193,"data":3069,"content":3070},{},[3071],{"nodeType":1192,"value":3072,"marks":3073,"data":3074},"The biggest cybersecurity story this year (so far) has been the emergence of “Scattered Lapsus$ Hunters” and their record-breaking worldwide hacking spree. ",[],{},{"nodeType":1193,"data":3076,"content":3077},{},[3078],{"nodeType":1192,"value":3079,"marks":3080,"data":3081},"Scattered Lapsus$ Hunters is part of “The Com”, the name for the broad community of English-speaking cybercriminals with international criminal connections — including with nation-state sponsored groups. They are also known to collaborate with a range of cybercrime “as-a-Service” organizations for phishing, initial access, ransomware, and more. 
",[],{},{"nodeType":1193,"data":3083,"content":3084},{},[3085],{"nodeType":1192,"value":3086,"marks":3087,"data":3088},"It’s difficult to pin down exactly who the individuals are that make up this criminal collective. But what is known is their MO — making money through extortion by means of account takeover, mass data theft, and ransomware deployment. ",[],{},{"nodeType":1246,"data":3090,"content":3091},{},[],{"nodeType":1256,"data":3093,"content":3094},{},[3095],{"nodeType":1192,"value":3096,"marks":3097,"data":3099},"How did we get here? ",[3098],{"type":1254},{},{"nodeType":1193,"data":3101,"content":3102},{},[3103],{"nodeType":1192,"value":3104,"marks":3105,"data":3106},"Earlier this year, the threat group known to most analysts as Scattered Spider (also tracked as 0ktapus, Octo Tempest, Scatter Swine, Muddled Libra, and UNC3944) re-emerged after a series of arrests in late 2024. ",[],{},{"nodeType":1193,"data":3108,"content":3109},{},[3110],{"nodeType":1192,"value":3111,"marks":3112,"data":3113},"This group has been active in peaks and troughs over the years, but are mainly known for high-profile ransomware attacks on Caesars and MGM Resorts in 2024. ",[],{},{"nodeType":1301,"data":3115,"content":3119},{"target":3116},{"sys":3117},{"id":3118,"type":1298,"linkType":1299},"1Vt269d7n6IGMzOrJs1FDx",[],{"nodeType":1193,"data":3121,"content":3122},{},[3123],{"nodeType":1192,"value":3124,"marks":3125,"data":3126},"Scattered Spider hit the headlines again in April 2025 with attacks on UK retailers Marks & Spencer and Co-op, which resulted in significant, prolonged disruption, and a serious downstream impact on the retail supply chain. ",[],{},{"nodeType":1301,"data":3128,"content":3132},{"target":3129},{"sys":3130},{"id":3131,"type":1298,"linkType":1299},"3kvcGV2zZZUPnM8IK04Y1O",[],{"nodeType":1193,"data":3134,"content":3135},{},[3136,3140,3149],{"nodeType":1192,"value":3137,"marks":3138,"data":3139},"It didn’t stop there, though. 
What followed was a wide-scale campaign targeting Salesforce customers, with the attackers claiming to have stolen ",[],{},{"nodeType":1288,"data":3141,"content":3143},{"uri":3142},"https://www.bleepingcomputer.com/news/security/shinyhunters-claims-15-billion-salesforce-records-stolen-in-drift-hacks/",[3144],{"nodeType":1192,"value":3145,"marks":3146,"data":3148},"over 1.5 billion records from 1000+ companies",[3147],{"type":1286},{},{"nodeType":1192,"value":3150,"marks":3151,"data":3152}," across multiple verticals, including heavyweights like Google, Cloudflare, Workday, Adidas, FedEx, Disney, LVMH, and many more.",[],{},{"nodeType":1193,"data":3154,"content":3155},{},[3156],{"nodeType":1192,"value":3157,"marks":3158,"data":3159},"Around this time, the attackers began to refer to themselves as part of a wider collective, assuming the moniker “Scattered Lapsus$ Hunters” (a mash-up of names given by analysts and self-adopted by attackers — Scattered Spider, ShinyHunters, and Lapsus$).",[],{},{"nodeType":1193,"data":3161,"content":3162},{},[3163,3167],{"nodeType":1192,"value":3164,"marks":3165,"data":3166},"The most significant breach this year to-date impacted Jaguar Land Rover. A ransomware attack resulted in months of disruption that directly impacted the UK’s GDP, with the government underwriting a $1.5B loan to alleviate the supply chain impact. ",[],{},{"nodeType":1192,"value":3168,"marks":3169,"data":3171},"In fact, this was the most economically consequential cyber attack yet recorded in a G7 economy. 
",[3170],{"type":1254},{},{"nodeType":1246,"data":3173,"content":3174},{},[],{"nodeType":1256,"data":3176,"content":3177},{},[3178],{"nodeType":1192,"value":3179,"marks":3180,"data":3182},"2025 wasn’t a one-off",[3181],{"type":1254},{},{"nodeType":1193,"data":3184,"content":3185},{},[3186],{"nodeType":1192,"value":3187,"marks":3188,"data":3189},"The developments through 2025 have presented a stronger picture than ever before that cybercriminal operations are heavily interlinked. Groups overlap considerably, and individuals freely move between different cells. ",[],{},{"nodeType":1193,"data":3191,"content":3192},{},[3193,3197,3202],{"nodeType":1192,"value":3194,"marks":3195,"data":3196},"When we scratch beneath the surface, this is evident in the tactics, techniques and procedures (TTPs) used by these attackers — even stretching as far back as 2021 with the initial rise of Lapsus$. This is not an accident. ",[],{},{"nodeType":1192,"value":3198,"marks":3199,"data":3201},"The TTPs used show a conscious move by attackers to move away from environments that are well-protected by traditional security tools. ",[3200],{"type":1254},{},{"nodeType":1192,"value":3203,"marks":3204,"data":3205},"This means avoiding targeting endpoints with malware, and not relying on software-based exploits. Instead, these attackers look to take over apps and services directly over the internet. ",[],{},{"nodeType":1193,"data":3207,"content":3208},{},[3209],{"nodeType":1192,"value":3210,"marks":3211,"data":3212},"Most of the time, this is as simple as logging in to a SaaS app, or an enterprise SSO account (e.g. Microsoft, Okta, or Google) and dumping the data. For attackers that want to take it further, they can abuse the sprawl of interconnected apps that make up modern business IT, seeking out specific data or exploitable functionality. 
Or, they can leverage internet-accessible management portals to chart a path back to your on-premise assets, giving them everything they need to pivot toward more conventional methods such as ransomware deployment. ",[],{},{"nodeType":1193,"data":3214,"content":3215},{},[3216,3220],{"nodeType":1192,"value":3217,"marks":3218,"data":3219},"When we look at historical breaches, the pattern is clear. ",[],{},{"nodeType":1192,"value":3221,"marks":3222,"data":3224},"Not one of the attacks attributed to Scattered Lapsus$ Hunters, or its predecessors, started with an endpoint or network attack — they all began with account takeover. ",[3223],{"type":1254},{},{"nodeType":1301,"data":3226,"content":3230},{"target":3227},{"sys":3228},{"id":3229,"type":1298,"linkType":1299},"6poP5VM2ARrEvwKEG42HgK",[],{"nodeType":1246,"data":3232,"content":3233},{},[],{"nodeType":1256,"data":3235,"content":3236},{},[3237],{"nodeType":1192,"value":3238,"marks":3239,"data":3241},"TTP breakdown: Analysing the top “Scattered Lapsus$ Hunters” breaches since 2021",[3240],{"type":1254},{},{"nodeType":1369,"data":3243,"content":3244},{},[3245],{"nodeType":1192,"value":3246,"marks":3247,"data":3249},"Phishing and stolen credentials",[3248],{"type":1254},{},{"nodeType":1301,"data":3251,"content":3255},{"target":3252},{"sys":3253},{"id":3254,"type":1298,"linkType":1299},"4SNOanDIdGZsvRRnMYQVSo",[],{"nodeType":1193,"data":3257,"content":3258},{},[3259],{"nodeType":1192,"value":3260,"marks":3261,"data":3264},"EA Games (2021)",[3262,3263],{"type":1254},{"type":1286},{},{"nodeType":1193,"data":3266,"content":3267},{},[3268,3272,3281],{"nodeType":1192,"value":3269,"marks":3270,"data":3271},"Attackers used stolen session cookies, purchased on a criminal forum, to log into EA’s Slack instance. 
Combined with ",[],{},{"nodeType":1288,"data":3273,"content":3275},{"uri":3274},"https://pushsecurity.com/blog/phishing-slack-persistence/",[3276],{"nodeType":1192,"value":3277,"marks":3278,"data":3280},"social engineering via Slack",[3279],{"type":1286},{},{"nodeType":1192,"value":3282,"marks":3283,"data":3284},", this was used to steal 750GB of data, including video game source code. ",[],{},{"nodeType":1193,"data":3286,"content":3287},{},[3288],{"nodeType":1192,"value":3289,"marks":3290,"data":3293},"Nvidia (2022)",[3291,3292],{"type":1254},{"type":1286},{},{"nodeType":1193,"data":3295,"content":3296},{},[3297],{"nodeType":1192,"value":3298,"marks":3299,"data":3300},"Attackers used stolen credentials to steal 1TB of data from Nvidia’s internal shares, including a significant amount of sensitive information about the designs of Nvidia graphics cards, source code, and the usernames and passwords of more than 71,000 Nvidia employees.",[],{},{"nodeType":1193,"data":3302,"content":3303},{},[3304],{"nodeType":1192,"value":3305,"marks":3306,"data":3309},"Microsoft (2022)",[3307,3308],{"type":1254},{"type":1286},{},{"nodeType":1193,"data":3311,"content":3312},{},[3313,3317,3325],{"nodeType":1192,"value":3314,"marks":3315,"data":3316},"Attackers used stolen credentials combined with SIM swapping and ",[],{},{"nodeType":1288,"data":3318,"content":3320},{"uri":3319},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/mfa_fatigue/description.md",[3321],{"nodeType":1192,"value":3322,"marks":3323,"data":3324},"MFA fatigue",[],{},{"nodeType":1192,"value":3326,"marks":3327,"data":3328}," attacks to steal Azure DevOps source code, then leaked a 9GB archive of Microsoft source code — including ~90% of Bing and 45% of Cortana code. 
",[],{},{"nodeType":1193,"data":3330,"content":3331},{},[3332],{"nodeType":1192,"value":3333,"marks":3334,"data":3337},"T-Mobile (2022)",[3335,3336],{"type":1254},{"type":1286},{},{"nodeType":1193,"data":3339,"content":3340},{},[3341],{"nodeType":1192,"value":3342,"marks":3343,"data":3344},"Attackers used stolen credentials to establish initial access, coupled with social engineering T-Mobile staff into approving the attacker’s device for VPN access. This resulted in source code being stolen from over 30,000 repositories. ",[],{},{"nodeType":1193,"data":3346,"content":3347},{},[3348],{"nodeType":1192,"value":3349,"marks":3350,"data":3353},"Snowflake (165 customers) (2024)",[3351,3352],{"type":1254},{"type":1286},{},{"nodeType":1193,"data":3355,"content":3356},{},[3357,3361,3370,3374,3381],{"nodeType":1192,"value":3358,"marks":3359,"data":3360},"Attackers targeted ",[],{},{"nodeType":1288,"data":3362,"content":3364},{"uri":3363},"https://pushsecurity.com/blog/snowflake-retro/",[3365],{"nodeType":1192,"value":3366,"marks":3367,"data":3369},"165 Snowflake customers",[3368],{"type":1286},{},{"nodeType":1192,"value":3371,"marks":3372,"data":3373}," using stolen credentials from credential breaches dating back as far as 2020. Due to widespread MFA gaps and the presence of ",[],{},{"nodeType":1288,"data":3375,"content":3376},{"uri":2686},[3377],{"nodeType":1192,"value":2689,"marks":3378,"data":3380},[3379],{"type":1286},{},{"nodeType":1192,"value":3382,"marks":3383,"data":3384},", attackers were able to simply log in to individual customer tenants, dump the data, and use it to extort the companies. In total, 9 public victims were named following the breach, with over 1B breached customer records. 
",[],{},{"nodeType":1193,"data":3386,"content":3387},{},[3388],{"nodeType":1192,"value":3389,"marks":3390,"data":3393},"PowerSchool (2024)",[3391,3392],{"type":1254},{"type":1286},{},{"nodeType":1193,"data":3395,"content":3396},{},[3397],{"nodeType":1192,"value":3398,"marks":3399,"data":3400},"Attackers gained access to a community-focused customer support portal, PowerSource, using compromised credentials and stole data using an \"export data manager\" customer support tool, stealing the data of 62.4 million students and 9.5 million teachers. PowerSchool paid an undisclosed ransom fee, but hackers returned later to extort schools and individuals separately anyway.",[],{},{"nodeType":1193,"data":3402,"content":3403},{},[3404],{"nodeType":1192,"value":3405,"marks":3406,"data":3409},"Red Hat (2025)",[3407,3408],{"type":1254},{"type":1286},{},{"nodeType":1193,"data":3411,"content":3412},{},[3413,3417,3424],{"nodeType":1192,"value":3414,"marks":3415,"data":3416},"Attackers breached Red Hat’s GitLab instance via a compromised account — the result of ",[],{},{"nodeType":1288,"data":3418,"content":3419},{"uri":2686},[3420],{"nodeType":1192,"value":2689,"marks":3421,"data":3423},[3422],{"type":1286},{},{"nodeType":1192,"value":3425,"marks":3426,"data":3427}," providing a backdoor to access an otherwise secure, SSO-connected account. Stolen data included approximately 800 Customer Engagement Reports (CERs), authentication tokens, full database URIs, and other private information in Red Hat code and CERs, which they claimed to use to gain access to downstream customer infrastructure. 
",[],{},{"nodeType":1301,"data":3429,"content":3433},{"target":3430},{"sys":3431},{"id":3432,"type":1298,"linkType":1299},"G1V7d5Dvevmr9p0YXElPX",[],{"nodeType":1193,"data":3435,"content":3436},{},[3437],{"nodeType":1192,"value":3438,"marks":3439,"data":3442},"Discord (2025)",[3440,3441],{"type":1254},{"type":1286},{},{"nodeType":1193,"data":3444,"content":3445},{},[3446],{"nodeType":1192,"value":3447,"marks":3448,"data":3449},"Attackers compromised a Zendesk customer support account, stealing 1.6TB of data. The hackers say this consisted of roughly 8.4 million tickets affecting 5.5 million unique users, and that about 580,000 users contained payment information.",[],{},{"nodeType":1193,"data":3451,"content":3452},{},[3453],{"nodeType":1192,"value":3454,"marks":3455,"data":3458},"SoundCloud, MatchGroup, Crunchbase, Betterment... (2026)",[3456,3457],{"type":1254},{"type":1286},{},{"nodeType":1193,"data":3460,"content":3461},{},[3462,3466,3474,3477,3485,3489,3497],{"nodeType":1192,"value":3463,"marks":3464,"data":3465},"Scattered Lapsus$ Hunters have already claimed several public victims in 2026, with over 60 million breached records. 
",[],{},{"nodeType":1288,"data":3467,"content":3469},{"uri":3468},"https://www.bleepingcomputer.com/news/security/shinyhunters-claim-to-be-behind-sso-account-data-theft-attacks/",[3470],{"nodeType":1192,"value":3471,"marks":3472,"data":3473},"SoundCloud, Betterment, Crunchbase",[],{},{"nodeType":1192,"value":2714,"marks":3475,"data":3476},[],{},{"nodeType":1288,"data":3478,"content":3480},{"uri":3479},"https://www.bleepingcomputer.com/news/security/match-group-breach-exposes-data-from-hinge-tinder-okcupid-and-match/",[3481],{"nodeType":1192,"value":3482,"marks":3483,"data":3484},"MatchGroup",[],{},{"nodeType":1192,"value":3486,"marks":3487,"data":3488}," have all reported breaches this month, powered by a brand ",[],{},{"nodeType":1288,"data":3490,"content":3492},{"uri":3491},"https://pushsecurity.com/blog/unpacking-the-latest-slh-campaign/",[3493],{"nodeType":1192,"value":3494,"marks":3495,"data":3496},"new real-time-operated AiTM phishing kit",[],{},{"nodeType":1192,"value":3498,"marks":3499,"data":3500}," targeting Okta, Entra, and Google SSO accounts. This is a developing situation, with more victims expected to be announced publicly soon.",[],{},{"nodeType":1246,"data":3502,"content":3503},{},[],{"nodeType":1369,"data":3505,"content":3506},{},[3507],{"nodeType":1192,"value":3508,"marks":3509,"data":3511},"Vishing and help desk scams",[3510],{"type":1254},{},{"nodeType":1193,"data":3513,"content":3514},{},[3515],{"nodeType":1192,"value":3516,"marks":3517,"data":3520},"MGM Resorts & Caesars (2023)",[3518,3519],{"type":1254},{"type":1286},{},{"nodeType":1193,"data":3522,"content":3523},{},[3524,3528,3537],{"nodeType":1192,"value":3525,"marks":3526,"data":3527},"MGM Resorts and Caesars were hit with twin breaches in 2023. 
Attackers socially engineered help desk personnel to take over accounts with Super Administrator privileges within MGM Resorts’ Okta tenant, which they then used to register a second, attacker-controlled IdP via ",[],{},{"nodeType":1288,"data":3529,"content":3531},{"uri":3530},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/inbound_federation/description.md",[3532],{"nodeType":1192,"value":3533,"marks":3534,"data":3536},"inbound federation",[3535],{"type":1286},{},{"nodeType":1192,"value":3538,"marks":3539,"data":3540}," — granting comprehensive access that was used to deploy ransomware. ",[],{},{"nodeType":1193,"data":3542,"content":3543},{},[3544],{"nodeType":1192,"value":3545,"marks":3546,"data":3549},"Transport for London (2024)",[3547,3548],{"type":1254},{"type":1286},{},{"nodeType":1193,"data":3551,"content":3552},{},[3553],{"nodeType":1192,"value":3554,"marks":3555,"data":3556},"Attackers socially engineered the Transport for London help desk to gain privileged access to the IT environment, resulting in prolonged disruption to key online services underpinning London’s public transport network, theft of 5,000 users’ bank details, and all 30,000 staff members having to reset their online credentials in person.",[],{},{"nodeType":1193,"data":3558,"content":3559},{},[3560],{"nodeType":1192,"value":3561,"marks":3562,"data":3565},"Marks & Spencer (2025)",[3563,3564],{"type":1254},{"type":1286},{},{"nodeType":1193,"data":3567,"content":3568},{},[3569,3573,3582,3586,3595],{"nodeType":1192,"value":3570,"marks":3571,"data":3572},"Attackers compromised a Microsoft Entra account belonging to a privileged user via a ",[],{},{"nodeType":1288,"data":3574,"content":3576},{"uri":3575},"https://pushsecurity.com/blog/scattered-spider-defending-against-help-desk-scams/",[3577],{"nodeType":1192,"value":3578,"marks":3579,"data":3581},"help desk scam",[3580],{"type":1286},{},{"nodeType":1192,"value":3583,"marks":3584,"data":3585},", which enabled them to steal 
sensitive data from cloud environments, as well as pivot to deploy ransomware via the ",[],{},{"nodeType":1288,"data":3587,"content":3589},{"uri":3588},"https://cloud.google.com/blog/topics/threat-intelligence/vsphere-active-directory-integration-risks",[3590],{"nodeType":1192,"value":3591,"marks":3592,"data":3594},"VMware admin console",[3593],{"type":1286},{},{"nodeType":1192,"value":3596,"marks":3597,"data":3598},". This enabled ransomware to be deployed at the hypervisor layer, evading host-based protections like EDR. ",[],{},{"nodeType":1301,"data":3600,"content":3604},{"target":3601},{"sys":3602},{"id":3603,"type":1298,"linkType":1299},"7hBdHG74NaA3bQfOMpYA9o",[],{"nodeType":1193,"data":3606,"content":3607},{},[3608],{"nodeType":1192,"value":3609,"marks":3610,"data":3613},"Jaguar Land Rover (2025)",[3611,3612],{"type":1254},{"type":1286},{},{"nodeType":1193,"data":3615,"content":3616},{},[3617],{"nodeType":1192,"value":3618,"marks":3619,"data":3620},"Attackers compromised highly privileged admin accounts via a help desk scam, which they leveraged to access and deploy ransomware to all aspects of Jaguar’s business, from CAD and engineering software, to payments tracking, to customer car delivery, using similar techniques to the Marks & Spencer breach. 
",[],{},{"nodeType":1301,"data":3622,"content":3626},{"target":3623},{"sys":3624},{"id":3625,"type":1298,"linkType":1299},"6s1X2fo4K9EeVLBmHm4YXb",[],{"nodeType":1246,"data":3628,"content":3629},{},[],{"nodeType":1369,"data":3631,"content":3632},{},[3633],{"nodeType":1192,"value":3634,"marks":3635,"data":3637},"Malicious OAuth integrations",[3636],{"type":1254},{},{"nodeType":1193,"data":3639,"content":3640},{},[3641],{"nodeType":1192,"value":3642,"marks":3643,"data":3646},"Salesforce & Salesloft (1000+ customers) (2025)",[3644,3645],{"type":1254},{"type":1286},{},{"nodeType":1193,"data":3648,"content":3649},{},[3650],{"nodeType":1192,"value":3651,"marks":3652,"data":3653},"A vast campaign against Salesforce customers resulted in the compromise of 1000+ Salesforce tenants (according to the attacker) with more than 1.5 billion records stolen. This campaign consisted of three phases:",[],{},{"nodeType":2556,"data":3655,"content":3656},{},[3657,3672,3687],{"nodeType":2560,"data":3658,"content":3659},{},[3660],{"nodeType":1193,"data":3661,"content":3662},{},[3663,3668],{"nodeType":1192,"value":3664,"marks":3665,"data":3667},"Phase 1:",[3666],{"type":1254},{},{"nodeType":1192,"value":3669,"marks":3670,"data":3671}," The attacker conducted a large-scale vishing campaign against Salesforce customers, calling up users and socially engineering them into connecting a malicious version of the “Data Loader” app into their tenant. This was in fact an attacker-controlled app that enabled data to be mass-exfiltrated via API. ",[],{},{"nodeType":2560,"data":3673,"content":3674},{},[3675],{"nodeType":1193,"data":3676,"content":3677},{},[3678,3683],{"nodeType":1192,"value":3679,"marks":3680,"data":3682},"Phase 2: ",[3681],{"type":1254},{},{"nodeType":1192,"value":3684,"marks":3685,"data":3686},"The attacker conducted a supply-chain compromise against customers of Salesloft. 
Users of Salesloft’s “Drift” integration were impacted by attackers stealing access tokens from Salesloft’s AWS environment. This integration allowed the attacker to steal data from customers that had deployed Drift to connected environments — namely, Salesforce, and Google Workspace. ",[],{},{"nodeType":2560,"data":3688,"content":3689},{},[3690],{"nodeType":1193,"data":3691,"content":3692},{},[3693,3698,3702,3710],{"nodeType":1192,"value":3694,"marks":3695,"data":3697},"Phase 3:",[3696],{"type":1254},{},{"nodeType":1192,"value":3699,"marks":3700,"data":3701}," The attacker then conducted a separate supply-chain compromise involving Gainsight (allegedly using OAuth tokens stolen in the Salesloft attack) which enabled them to ",[],{},{"nodeType":1288,"data":3703,"content":3705},{"uri":3704},"https://www.bleepingcomputer.com/news/security/salesforce-investigates-customer-data-theft-via-gainsight-breach/",[3706],{"nodeType":1192,"value":3707,"marks":3708,"data":3709},"breach a further 285 Salesforce instances",[],{},{"nodeType":1192,"value":3711,"marks":3712,"data":3713}," using stolen OAuth tokens from Gainsight's integrations. 
",[],{},{"nodeType":1301,"data":3715,"content":3719},{"target":3716},{"sys":3717},{"id":3718,"type":1298,"linkType":1299},"3TwjpVKQ42SwQRhvGFbZdn",[],{"nodeType":1246,"data":3721,"content":3722},{},[],{"nodeType":1369,"data":3724,"content":3725},{},[3726],{"nodeType":1192,"value":3727,"marks":3728,"data":3730},"Malicious browser extensions",[3729],{"type":1254},{},{"nodeType":1193,"data":3732,"content":3733},{},[3734],{"nodeType":1192,"value":3735,"marks":3736,"data":3739},"CyberHaven (2024)",[3737,3738],{"type":1254},{"type":1286},{},{"nodeType":1193,"data":3741,"content":3742},{},[3743],{"nodeType":1192,"value":3744,"marks":3745,"data":3746},"Hackers phished a CyberHaven extension developer and uploaded a malicious version of the CyberHaven extension to the Chrome Web Store, leading to customer data breaches where installed in user browsers, impacting CyberHaven’s estimated ~400 business customers. This was part of a broader campaign that targeted 35 Chrome extensions, collectively impacting over 2.5 million users.",[],{},{"nodeType":1301,"data":3748,"content":3752},{"target":3749},{"sys":3750},{"id":3751,"type":1298,"linkType":1299},"4ErDI0xi0Vj2Zrk8Qsb2NB",[],{"nodeType":1246,"data":3754,"content":3755},{},[],{"nodeType":1256,"data":3757,"content":3758},{},[3759],{"nodeType":1192,"value":3760,"marks":3761,"data":3763},"The bigger picture",[3762],{"type":1254},{},{"nodeType":1193,"data":3765,"content":3766},{},[3767],{"nodeType":1192,"value":3768,"marks":3769,"data":3770},"Scattered Lapsus$ Hunters are dominating the headlines right now, but they aren’t the only attackers using these modern techniques and consciously evading established security controls. 
",[],{},{"nodeType":1193,"data":3772,"content":3773},{},[3774],{"nodeType":1192,"value":3775,"marks":3776,"data":3777},"Threat reports agree that attackers are steering away from traditional exploit and malware-driven breaches towards identities:",[],{},{"nodeType":2556,"data":3779,"content":3780},{},[3781,3803,3825],{"nodeType":2560,"data":3782,"content":3783},{},[3784],{"nodeType":1193,"data":3785,"content":3786},{},[3787,3791,3799],{"nodeType":1192,"value":3788,"marks":3789,"data":3790},"Identity-based attacks surged 32% in the last year, while 97% of identity attacks are password-based, driven by credential leaks and infostealer malware. (",[],{},{"nodeType":1288,"data":3792,"content":3794},{"uri":3793},"https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/msc/documents/presentations/CSR/Microsoft-Digital-Defense-Report-2025.pdf#page=1",[3795],{"nodeType":1192,"value":2647,"marks":3796,"data":3798},[3797],{"type":1286},{},{"nodeType":1192,"value":3800,"marks":3801,"data":3802},")",[],{},{"nodeType":2560,"data":3804,"content":3805},{},[3806],{"nodeType":1193,"data":3807,"content":3808},{},[3809,3813,3822],{"nodeType":1192,"value":3810,"marks":3811,"data":3812},"79% of detections were malware-free in the last year, up from 40% in 2019. (",[],{},{"nodeType":1288,"data":3814,"content":3816},{"uri":3815},"https://www.crowdstrike.com/en-gb/global-threat-report/",[3817],{"nodeType":1192,"value":3818,"marks":3819,"data":3821},"CrowdStrike",[3820],{"type":1286},{},{"nodeType":1192,"value":3800,"marks":3823,"data":3824},[],{},{"nodeType":2560,"data":3826,"content":3827},{},[3828],{"nodeType":1193,"data":3829,"content":3830},{},[3831,3835,3844],{"nodeType":1192,"value":3832,"marks":3833,"data":3834},"Credential abuse and phishing combined accounted for 38% of breaches, making identity the primary breach vector observed. 
(",[],{},{"nodeType":1288,"data":3836,"content":3838},{"uri":3837},"https://www.verizon.com/business/resources/reports/dbir/",[3839],{"nodeType":1192,"value":3840,"marks":3841,"data":3843},"Verizon",[3842],{"type":1286},{},{"nodeType":1192,"value":3800,"marks":3845,"data":3846},[],{},{"nodeType":1193,"data":3848,"content":3849},{},[3850],{"nodeType":1192,"value":3851,"marks":3852,"data":3853},"And other public breaches from this year alone demonstrate similar TTPs from outside of the Scattered Lapsus$ Hunters orbit:",[],{},{"nodeType":2556,"data":3855,"content":3856},{},[3857,3872,3887,3902],{"nodeType":2560,"data":3858,"content":3859},{},[3860],{"nodeType":1193,"data":3861,"content":3862},{},[3863,3868],{"nodeType":1192,"value":3864,"marks":3865,"data":3867},"Nikkei",[3866],{"type":1254},{},{"nodeType":1192,"value":3869,"marks":3870,"data":3871},": Japanese publishing giant Nikkei’s Slack messaging platform was compromised using stolen credentials, leaking the names, email addresses, and chat histories for 17,368 individuals registered on Slack.",[],{},{"nodeType":2560,"data":3873,"content":3874},{},[3875],{"nodeType":1193,"data":3876,"content":3877},{},[3878,3883],{"nodeType":1192,"value":3879,"marks":3880,"data":3882},"Evertec",[3881],{"type":1254},{},{"nodeType":1192,"value":3884,"marks":3885,"data":3886},": Hackers tried to steal $130 million from Evertec’s Brazilian subsidiary Sinqia S.A. after gaining unauthorized access to its environment on the central bank’s real-time payment system (Pix) using stolen credentials.",[],{},{"nodeType":2560,"data":3888,"content":3889},{},[3890],{"nodeType":1193,"data":3891,"content":3892},{},[3893,3898],{"nodeType":1192,"value":3894,"marks":3895,"data":3897},"Hy-Vee:",[3896],{"type":1254},{},{"nodeType":1192,"value":3899,"marks":3900,"data":3901}," Was hit with a data breach after hackers logged in with stolen credentials, exposing 53GB of sensitive 
data.",[],{},{"nodeType":2560,"data":3903,"content":3904},{},[3905],{"nodeType":1193,"data":3906,"content":3907},{},[3908,3913],{"nodeType":1192,"value":3909,"marks":3910,"data":3912},"Scania: ",[3911],{"type":1254},{},{"nodeType":1192,"value":3914,"marks":3915,"data":3916},"Automotive giant Scania confirmed it suffered a cybersecurity incident where threat actors used compromised credentials to breach its Financial Services systems and steal insurance claim documents.",[],{},{"nodeType":1193,"data":3918,"content":3919},{},[3920],{"nodeType":1192,"value":3921,"marks":3922,"data":3923},"Scattered Lapsus$ Hunters may be grabbing the headlines — but this is a huge movement in a vast and flexible community of attackers. And criminals around the world are learning from their success. ",[],{},{"nodeType":1246,"data":3925,"content":3926},{},[],{"nodeType":1256,"data":3928,"content":3929},{},[3930],{"nodeType":1192,"value":3931,"marks":3932,"data":3934},"Lessons learned",[3933],{"type":1254},{},{"nodeType":1193,"data":3936,"content":3937},{},[3938],{"nodeType":1192,"value":3939,"marks":3940,"data":3941},"The common thread with all of these attacks is that they are evading established security controls by targeting applications directly, over the internet, via account takeover.",[],{},{"nodeType":1193,"data":3943,"content":3944},{},[3945],{"nodeType":1192,"value":3946,"marks":3947,"data":3948},"Clearly, the success of these attacks shows the limitations of multiple control layers. Endpoint and network layer controls have no visibility of this attack surface. Identity-focused controls are being undermined by ghost logins and shadow IT. And cloud security controls are limited in their ability to encompass all apps, and to detect and stop malicious actions in real time (actions that often blend in seamlessly with normal user activity). 
",[],{},{"nodeType":1301,"data":3950,"content":3954},{"target":3951},{"sys":3952},{"id":3953,"type":1298,"linkType":1299},"4Dg3fZEGf7ShyQJ8jlNDME",[],{"nodeType":1246,"data":3956,"content":3957},{},[],{"nodeType":1256,"data":3959,"content":3960},{},[3961],{"nodeType":1192,"value":3962,"marks":3963,"data":3965},"How Push can help",[3964],{"type":1254},{},{"nodeType":1193,"data":3967,"content":3968},{},[3969],{"nodeType":1192,"value":3970,"marks":3971,"data":3972},"Stopping attacks that are designed to evade established controls is in our DNA — it’s the reason Push was founded. ",[],{},{"nodeType":1193,"data":3974,"content":3975},{},[3976],{"nodeType":1192,"value":3977,"marks":3978,"data":3979},"The browser is the gateway to the apps and identities that attackers are now targeting, with many attacks taking place inside the user’s browser — whether that’s entering credentials onto a phishing page, approving a malicious OAuth grant, installing a risky browser extension, or insecurely accessing an app with a weak password and no MFA. ",[],{},{"nodeType":1193,"data":3981,"content":3982},{},[3983],{"nodeType":1192,"value":3984,"marks":3985,"data":3986},"Push’s browser-based security platform provides comprehensive detection and response capabilities against attacks like AiTM phishing, credential stuffing, malicious browser extensions, malicious OAuth grants, ClickFix, and session hijacking. 
You don’t need to wait until it all goes wrong either — you can use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, and more to harden your attack surface.",[],{},{"nodeType":1193,"data":3988,"content":3989},{},[3990,3993,4000,4003,4010],{"nodeType":1192,"value":2327,"marks":3991,"data":3992},[],{},{"nodeType":1288,"data":3994,"content":3995},{"uri":2332},[3996],{"nodeType":1192,"value":2335,"marks":3997,"data":3999},[3998],{"type":1286},{},{"nodeType":1192,"value":2340,"marks":4001,"data":4002},[],{},{"nodeType":1288,"data":4004,"content":4005},{"uri":2345},[4006],{"nodeType":1192,"value":1877,"marks":4007,"data":4009},[4008],{"type":1286},{},{"nodeType":1192,"value":1513,"marks":4011,"data":4012},[],{},{"entries":4014},{"hyperlink":4015,"inline":4016,"block":4017},[],[],[4018,4033,4047,4055,4082,4096,4110,4136,4150,4164],{"sys":4019,"__typename":4020,"content":4021,"name":4032,"title":118},{"id":3118},"InsightTextBlockComponent",{"json":4022},{"nodeType":1194,"data":4023,"content":4024},{},[4025],{"nodeType":1193,"data":4026,"content":4027},{},[4028],{"nodeType":1192,"value":4029,"marks":4030,"data":4031},"The MGM hack resulted in a 36-hour outage, a $100M hit to its Q3 results, one-time cyber consulting fees in the region of $10M, and a class-action lawsuit later settled for $45M. 
Less is known about Caesars, except that a ransom of $15M was paid in an attempt to prevent stolen data being leaked online.",[],{},"SLH insight box 1",{"sys":4034,"__typename":4020,"content":4035,"name":4046,"title":118},{"id":3131},{"json":4036},{"nodeType":1194,"data":4037,"content":4038},{},[4039],{"nodeType":1193,"data":4040,"content":4041},{},[4042],{"nodeType":1192,"value":4043,"marks":4044,"data":4045},"The Marks & Spencer ransomware breach resulted in online shopping services being taken offline, stores running low on products, £300M in lost profits, and almost £1B wiped off the company’s stock market valuation at one stage. Co-op proactively pulled the plug on their network to prevent further damage, lessening the impact to a still-sizeable £107m in lost profits.",[],{},"SLH insight box 2",{"sys":4048,"__typename":4049,"title":4050,"caption":4050,"layoutMode":118,"file":4051},{"id":3229},"Image","Big picture view of Scattered Lapsus$ Hunters breaches since 2021.",{"url":4052,"width":4053,"height":4054},"https://images.ctfassets.net/y1cdw1ablpvd/415gvGUy6Ywr2zofY8Phpk/dc9a8461ef07c041fef4a7fb39d0a25b/Screenshot_2026-02-25_at_09.50.56.png",3414,1852,{"sys":4056,"__typename":4020,"content":4057,"name":4081,"title":118},{"id":3254},{"json":4058},{"nodeType":1194,"data":4059,"content":4060},{},[4061],{"nodeType":1193,"data":4062,"content":4063},{},[4064,4068,4077],{"nodeType":1192,"value":4065,"marks":4066,"data":4067},"Stolen credentials were, and still are, one of the easiest ways in for an attacker. They're one of the most abundant resources available to attackers online, with billions leaked as a by-product of phishing, malware infections (infostealers), and data breaches, which are packaged up and resold to other criminals. 
Sure, ",[],{},{"nodeType":1288,"data":4069,"content":4071},{"uri":4070},"https://pushsecurity.com/blog/verified-stolen-credential-detection/",[4072],{"nodeType":1192,"value":4073,"marks":4074,"data":4076},"there’s a lot of noise in credential feeds",[4075],{"type":1286},{},{"nodeType":1192,"value":4078,"marks":4079,"data":4080}," — but the attacker only needs to get lucky once. And the steady stream of breaches is living proof of the MFA gaps waiting to be exploited.",[],{},"SLH insight box 3",{"sys":4083,"__typename":4020,"content":4084,"name":4095,"title":118},{"id":3432},{"json":4085},{"nodeType":1194,"data":4086,"content":4087},{},[4088],{"nodeType":1193,"data":4089,"content":4090},{},[4091],{"nodeType":1192,"value":4092,"marks":4093,"data":4094},"A group calling themselves “The Crimson Collective” originally claimed the breach, with Scattered Lapsus$ Hunters becoming the main voice behind the breach at the extortion phase — showing just how interconnected the ecosystem of cybercriminals is.",[],{},"SLH insight box 10",{"sys":4097,"__typename":4020,"content":4098,"name":4109,"title":118},{"id":3603},{"json":4099},{"nodeType":1194,"data":4100,"content":4101},{},[4102],{"nodeType":1193,"data":4103,"content":4104},{},[4105],{"nodeType":1192,"value":4106,"marks":4107,"data":4108},"An identical attack path was attempted against Co-op, but was detected early enough for the security team to pull the plug on their own network. 
This significantly reduced the disruption, although customer data was still taken by the attacker.",[],{},"SLH insight box 4",{"sys":4111,"__typename":4020,"content":4112,"name":4135,"title":118},{"id":3625},{"json":4113},{"nodeType":1194,"data":4114,"content":4115},{},[4116],{"nodeType":1193,"data":4117,"content":4118},{},[4119,4122,4131],{"nodeType":1192,"value":37,"marks":4120,"data":4121},[],{},{"nodeType":1288,"data":4123,"content":4125},{"uri":4124},"https://pushsecurity.com/blog/why-attackers-are-targeting-jira-with-stolen-credentials/",[4126],{"nodeType":1192,"value":4127,"marks":4128,"data":4130},"Jaguar’s Jira tenant was breached",[4129],{"type":1286},{},{"nodeType":1192,"value":4132,"marks":4133,"data":4134}," by the “Scattered Lapsus$ Hunters” affiliated “HellCat” group earlier in 2025, which led to an alleged ~350GB of data being stolen. It is highly likely that this inside information from Jira (a platform storing huge amounts of business process information, architectural diagrams, and even improperly stored credentials and secrets) was leveraged in the later ransomware breach.",[],{},"SLH insight box 5",{"sys":4137,"__typename":4020,"content":4138,"name":4149,"title":118},{"id":3718},{"json":4139},{"nodeType":1194,"data":4140,"content":4141},{},[4142],{"nodeType":1193,"data":4143,"content":4144},{},[4145],{"nodeType":1192,"value":4146,"marks":4147,"data":4148},"The Salesloft breach in fact originated from a developer’s GitHub account being phished, which enabled the attacker to pivot into AWS, steal access tokens, and pivot to downstream customer environments.",[],{},"SLH insight box 6",{"sys":4151,"__typename":4020,"content":4152,"name":4163,"title":118},{"id":3751},{"json":4153},{"nodeType":1194,"data":4154,"content":4155},{},[4156],{"nodeType":1193,"data":4157,"content":4158},{},[4159],{"nodeType":1192,"value":4160,"marks":4161,"data":4162},"While the CyberHaven attacks were conducted by an unknown threat group, the MO of the attacker — pursuing 
financial gain, bypassing traditional defenses — is very much in line with the Scattered Lapsus$ Hunters TTPs observed. ",[],{},"SLH insight box 7",{"sys":4165,"__typename":4020,"content":4166,"name":4188,"title":118},{"id":3953},{"json":4167},{"nodeType":1194,"data":4168,"content":4169},{},[4170],{"nodeType":1193,"data":4171,"content":4172},{},[4173,4177,4184],{"nodeType":1192,"value":4174,"marks":4175,"data":4176},"One of the common threads from all of these breaches is the risk posed by ",[],{},{"nodeType":1288,"data":4178,"content":4179},{"uri":3575},[4180],{"nodeType":1192,"value":4181,"marks":4182,"data":4183},"help desk attacks",[],{},{"nodeType":1192,"value":4185,"marks":4186,"data":4187},", but it’s easy to over-index here. Naturally, a help desk process that lets operators reset MFA for all users (including accounts with dangerous privileges) is always going to be targeted — but this is fairly easy to address in principle by requiring escalations for high-risk changes. What is more interesting is that the vast majority of the help desk attacks featured in this article involved a single provider that is now no longer contracted by a number of the victims.",[],{},"SLH insight box 8","content:blog:scattered-lapsus-hunters.json","json","content","blog/scattered-lapsus-hunters.json","blog/scattered-lapsus-hunters",1776343350099]