[{"data":1,"prerenderedAt":4449},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":95,"navbar-about-highlight":155,"navbar-resource-highlight":211,"use-case-page":256,"blog/slack-phishing-for-initial-access":1276},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8,59,76],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":14,"data":15,"variations":50,"lastUpdated":51,"firstPublished":52,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":54,"meta":55,"rev":58},1742213002749,"efff2a27faf4408e9f908eba4b5542fe","inductive-automation","1c6207a5f24948ab82d4a0b17f251193","published",[],{"testimonial":16,"description":43,"type":19,"link":44,"title":47,"testimonialLink":48,"image":49},{"@type":17,"id":18,"model":19,"value":20},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79","testimonial",{"query":21,"folders":22,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":26,"variations":30,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":35,"rev":42},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":27,"jobTitle":28,"quote":24,"image":29},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,1,"ST0tXQM8slWpFrmioqKHmENB2qe2",{"kind":36,"lastPreviewUrl":37,"breakpoints":38,"hasAutosaves":41},"data","",{"small":39,"medium":40},640,768,true,"3v32gocrrqz","Join the industry's top security minds as they break down the browser attack landscape.",{"url":45,"text":46},"https://pushsecurity.com/webinar/state-of-browser-security","Save Your Spot","State of Browser Attacks 
Series","/customer-stories/inductive-automation","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe94fca10aa7b46ac8052b7ea22de54cd",{},1776257019270,1742221533648,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2",[],{"breakpoints":56,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},320,"motto9r9yg",{"createdDate":60,"id":61,"name":62,"modelId":12,"published":13,"query":63,"data":64,"variations":69,"lastUpdated":70,"firstPublished":71,"testRatio":33,"createdBy":53,"lastUpdatedBy":72,"folders":73,"meta":74,"rev":58},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner",[],{"type":65,"url":66,"text":67,"link":68},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,"jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":36,"lastPreviewUrl":37,"breakpoints":75,"hasAutosaves":41},{"xsmall":57,"small":39,"medium":40},{"createdDate":77,"id":78,"name":79,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":80,"data":81,"variations":89,"lastUpdated":90,"firstPublished":91,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":92,"meta":93,"rev":58},1742208469288,"6763051b201f44a0838c6400c580ca67","Resource highlight",[],{"image":82,"type":83,"description":84,"link":85,"title":88},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9","resource","Learn about the latest techniques being used in the wild.",{"url":86,"text":87},"/resources/browser-attacks-report","Download now","Report: 2026 Browser Attack 
Techniques",{},1776255866789,1742208570400,[],{"kind":36,"lastPreviewUrl":37,"breakpoints":94,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},{"createdDate":96,"id":97,"name":98,"modelId":99,"published":13,"query":100,"data":101,"variations":145,"lastUpdated":146,"firstPublished":147,"testRatio":33,"createdBy":34,"lastUpdatedBy":148,"folders":149,"meta":150,"rev":154},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":102,"text":103,"url":37,"blocks":104,"state":141},"ewrererw","testrfesssssssssss",[105,129],{"@type":106,"@version":107,"id":108,"component":109,"responsiveStyles":119},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":110,"tag":110,"options":111,"isRSC":118},"TopBannerContent",{"text":112,"ctaText":46,"url":45,"mainText":113,"cta":116},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks",{"content":114,"fontSize":115},"\u003Cp>New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks\u003C/p>","text-base",{"content":117,"fontSize":115,"url":45},"\u003Cp>\u003Cstrong style=\"font-weight:700;\">Save Your 
Spot\u003C/strong>\u003C/p>\n",null,{"large":120},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"marginTop":126,"marginBottom":126,"fontSize":127,"fontWeight":128},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"id":130,"@type":106,"tagName":131,"properties":132,"responsiveStyles":136},"builder-pixel-08zrjigffq5t","img",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":137},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},"block","hidden","none",{"deviceSize":142,"location":143},"large",{"path":37,"query":144},{},{},1775137295127,1774968080803,"ax7YYfD0OCeqT1Vxxv1G4FUbqVr1",[],{"breakpoints":151,"hasLinks":6,"kind":152,"lastPreviewUrl":153,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests%2CmergePullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default","2lvuonnywj",[156,180],{"createdDate":157,"id":158,"name":159,"modelId":160,"published":13,"stageModifiedSincePublish":6,"query":161,"data":162,"variations":173,"lastUpdated":174,"firstPublished":175,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":176,
"meta":177,"rev":179},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":163,"type":19,"testimonialLink":48,"testimonial":164},{},{"@type":17,"id":18,"model":19,"value":165},{"query":166,"folders":167,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":168,"variations":169,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":170,"rev":172},[],[],{"author":27,"jobTitle":28,"quote":24,"image":29},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":171,"hasAutosaves":41},{"small":39,"medium":40},"7t755zfvte3",{},1776247404986,1776247404973,[],{"breakpoints":178,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"4moh0qpywtr",{"createdDate":181,"id":182,"name":88,"modelId":160,"published":13,"meta":183,"stageModifiedSincePublish":6,"query":185,"data":186,"variations":207,"lastUpdated":208,"firstPublished":209,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":210,"rev":179},1776255761419,"05a9322735fc427db12e2740e4302300",{"breakpoints":184,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[],{"testimonial":187,"link":206,"type":83,"title":88,"description":84,"image":82},{"@type":17,"id":188,"model":19,"value":189},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":190,"folders":191,"createdDate":192,"id":188,"name":193,"modelId":25,"published":13,"data":194,"variations":200,"lastUpdated":201,"firstPublished":202,"testRatio":33,"createdBy":34,"lastUpdatedBy":53,"meta":203,"rev":205},[],[],1728981467463,"Push does for identity what CrowdStrike did for the 
endpoint",{"video":195,"jobTitle":196,"author":197,"qoute":37,"quote":198,"image":199},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":36,"lastPreviewUrl":37,"breakpoints":204,"hasAutosaves":41},{"small":39,"medium":40},"6s8ic0w0ao6",{"text":87,"url":86},{},1776255810913,1776255810900,[],[212,235],{"createdDate":213,"id":214,"name":88,"modelId":215,"published":13,"meta":216,"stageModifiedSincePublish":6,"query":218,"data":219,"variations":230,"lastUpdated":231,"firstPublished":232,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":233,"rev":234},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":217,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[],{"testimonial":220,"link":229,"type":83,"title":88,"description":84,"image":82},{"@type":17,"id":188,"model":19,"value":221},{"query":222,"folders":223,"createdDate":192,"id":188,"name":193,"modelId":25,"published":13,"data":224,"variations":225,"lastUpdated":201,"firstPublished":202,"testRatio":33,"createdBy":34,"lastUpdatedBy":53,"meta":226,"rev":228},[],[],{"video":195,"jobTitle":196,"author":197,"qoute":37,"quote":198,"image":199},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":227,"hasAutosaves":41},{"small":39,"medium":40},"r77qqueuo3j",{"text":87,"url":86},{},1776256937553,1776256937540,[],"q0jkez80wkg",{"createdDate":236,"id":237,"name":11,"modelId":215,"published":13,"stageModifiedSincePublish":6,"query":238,"data":239,"variations
":250,"lastUpdated":251,"firstPublished":252,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":253,"meta":254,"rev":234},1776256949234,"ce043785b71b4ece98eac811ecf4ba10",[],{"link":240,"type":19,"testimonial":241,"testimonialLink":48},{},{"@type":17,"id":18,"model":19,"value":242},{"query":243,"folders":244,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":245,"variations":246,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":247,"rev":249},[],[],{"author":27,"jobTitle":28,"quote":24,"image":29},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":248,"hasAutosaves":41},{"small":39,"medium":40},"mnaneamy308",{},1776256974140,1776256974130,[],{"breakpoints":255,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[257,441,560,679,797,917,1037,1157],{"createdDate":258,"id":259,"name":260,"modelId":261,"published":13,"stageModifiedSincePublish":6,"query":262,"data":268,"variations":429,"lastUpdated":430,"firstPublished":431,"testRatio":33,"screenshot":432,"createdBy":34,"lastUpdatedBy":433,"folders":434,"meta":435,"rev":440},1744829487099,"387451215c314dd5bd654668cdc1a197","Zero-day phishing","cca4143377554c5a9163cc203a8ed2ba",[263],{"@type":264,"property":265,"operator":266,"value":267},"@builder.io/core:Query","urlPath","is","/uc/zero-day-phishing-protection",{"inputs":269,"customFonts":270,"seoTitle":318,"title":318,"tsCode":37,"seoDescription":319,"fontAwesomeIcon":320,"jsCode":37,"blocks":321,"url":267,"state":426},[],[271],{"family":272,"kind":273,"version":274,"lastModified":275,"files":276,"category":295,"menu":296,"subsets":297,"variants":300},"DM 
Sans","webfonts#webfont","v14","2023-07-13",{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"800italic":285,"900italic":286,"700italic":287,"100italic":288,"italic":289,"regular":290,"200italic":291,"500italic":292,"300italic":293,"600italic":294},"https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAop1hTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwA_JxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAkJxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAfJthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwARZthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAC5thTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8gCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9uCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDG3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19Dks
Vat-7DW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat_XDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9XCm3zRmYJpso5.ttf","sans-serif","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxRT23z.ttf",[298,299],"latin","latin-ext",[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"100","200","300","regular","500","600","800","900","100italic","200italic","300italic","italic","500italic","600italic","700italic","800italic","900italic","Zero-day phishing protection","Detect phishing TTPs directly in the browser and stop credential theft.","faFishingRod",[322,421],{"@type":106,"@version":107,"tagName":323,"id":324,"children":325},"div","builder-76c6b8d1499346c7bc1fd56ae4e93638",[326,343,351,358,370,385,396,407,413],{"@type":106,"@version":107,"layerName":327,"id":328,"component":329,"responsiveStyles":340},"UseCaseHero","builder-5228fe062bef4a40a91e43f1112832fa",{"name":327,"options":330,"isRSC":118},{"title":318,"description":331,"points":332,"video":339},"\u003Cp>Push detects phishing as it happens. Autonomous agents hunt for new phishing techniques, identify kit signatures, and deploy detections within minutes of a new attack being analyzed. 
From cloned login pages to AiTM credential harvesting, Push sees what traditional filters miss and stops threats before they escalate.\u003C/p>",[333,335,337],{"item":334},"Detect phishing that bypasses traditional filters, including AiTM, SSO password theft, and fake login pages",{"item":336},"Stop never-before-seen attacks with AI-native behavioral and on-page analysis inside the browser",{"item":338},"Investigate faster with unified browser, user, and page context","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F40433ceeb4f94b43a82e039a0f4fd411%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=40433ceeb4f94b43a82e039a0f4fd411&alt=media&optimized=true",{"large":341},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},"transparent",{"@type":106,"@version":107,"id":344,"component":345,"responsiveStyles":348},"builder-96634044407e491299e291ed64669e39",{"name":346,"options":347,"isRSC":118},"TrustedBy",{"AllPartners":41,"backgroundTransparent":6},{"large":349},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},"#000",{"@type":106,"@version":107,"id":352,"component":353,"responsiveStyles":356},"builder-2c3768f930534557bb8978e32b6a6a0f",{"name":354,"options":355,"isRSC":118},"Diagonal",{"darkMode":41},{"large":357},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":359,"id":360,"component":361,"responsiveStyles":368},"TextImageBlockVertical","builder-7c3c1c2840424db2ad2ccbfaf382dd64",{"name":359,"tag":359,"options":362,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":365,"description":366,"animatedTitle":37,"image":367,"reverse":6,"descriptionPaddingHorizontal":118},1200,800,"\u003Ch2>Why stop at the inbox?\u003C/h2>","\u003Cp>Phishing attacks have evolved. 
Whether attackers lure users with QR codes, instant messages, or OAuth consent screens, the outcome is the same: it plays out in the browser. Push gives you real-time detection for in-browser threats, stopping phishing and consent-based attacks before they lead to compromise\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7fdcac241f0e4a049166d7076858adeb",{"large":369},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":371,"component":372,"responsiveStyles":380},"builder-41c978b3669749cf947e622b4e79e4d7",{"name":373,"options":374,"isRSC":118},"TextImageBlockHorizontal",{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":377,"description":378,"reverse":41,"image":379},600,100,"\u003Cp>Detect phishing at the edge\u003C/p>","\u003Cp>Push uses industry-first telemetry to detect phishing based on behavior, not static indicators. Autonomous agents analyze how phishing pages behave and how users interact with them, uncovering fake logins, credential theft, and phishing kits the moment they load in the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F9df3d180c97b4e61af142af2ccd68721",{"large":381},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},"DM Sans, sans-serif","20px","0px",{"@type":106,"@version":107,"id":386,"component":387,"responsiveStyles":393},"builder-d2a7bc941feb43cdb898bc116b203cf9",{"name":373,"options":388,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":390,"description":391,"reverse":6,"image":392},120,"\u003Ch2>Go beyond blocklists and IOCs\u003C/h2>","\u003Cp>Push goes beyond URLs and easy-to-change indicators. 
It reads the full phishing playbook like script behavior, session hijacks, DOM changes, user inputs, then connects the dots in real time. This gives your team a complete picture of how the phishing attempt worked, not just an alert.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fabfd58db169b433e96d3f1261797156e",{"large":394},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},"36px",{"@type":106,"@version":107,"layerName":373,"id":397,"component":398,"responsiveStyles":404},"builder-42c32198083f4880acb37c5cb76934da",{"name":373,"options":399,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":401,"description":402,"reverse":41,"image":403},140,"\u003Ch2>Enhance your phishing response\u003C/h2>","\u003Cp>When phishing enters your environment, speed matters. Push gives you instant access to the telemetry that counts like session data, user behavior, and page activity, so you can investigate fast, trigger in-browser prompts, or forward alerts to your SIEM or SOAR for response. 
All in real time, right from the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fbb195aec46904056b85e8688629e558e",{"large":405},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},"47px",{"@type":106,"@version":107,"id":408,"component":409,"responsiveStyles":411},"builder-9a95b9cbc4854421a92ef7b90f6c7adb",{"name":354,"options":410,"isRSC":118},{"darkMode":6},{"large":412},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":414,"component":415,"responsiveStyles":419},"builder-0afa17a9f25c4661a90f314d5578aa18",{"name":416,"tag":416,"options":417,"isRSC":118},"LatestResources",{"sectionHeading":37,"customClass":418},"bg-black",{"large":420},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":422,"@type":106,"tagName":131,"properties":423,"responsiveStyles":424},"builder-pixel-21yj6h3p4wh",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":425},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":427},{"path":37,"query":428},{},{},1776275046831,1745499158657,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fff60c30a8442489c8ed7e0af9599d14f","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"lastPreviewUrl":436,"winningTest":118,"breakpoints":437,"kind":438,"hasLinks":6,"originalContentId":439,"hasAutosaves":6},"https://pushsecurity.com/uc/zero-day-phishing-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&
builder.overrides.use-case-page=387451215c314dd5bd654668cdc1a197&builder.overrides.387451215c314dd5bd654668cdc1a197=387451215c314dd5bd654668cdc1a197&builder.overrides.use-case-page:/uc/zero-day-phishing-protection=387451215c314dd5bd654668cdc1a197&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},"page","2daa5670b8504fc7ba4700633e8bd921","atvz4dp24b7",{"createdDate":442,"id":443,"name":444,"modelId":261,"published":13,"stageModifiedSincePublish":6,"query":445,"data":448,"variations":552,"lastUpdated":553,"firstPublished":554,"testRatio":33,"screenshot":555,"createdBy":34,"lastUpdatedBy":433,"folders":556,"meta":557,"rev":440},1756833377777,"54f8256648f54d439303734b1e69221b","Browser extension security",[446],{"@type":264,"property":265,"operator":266,"value":447},"/uc/browser-extension-security",{"seoDescription":449,"jsCode":37,"fontAwesomeIcon":450,"tsCode":37,"title":444,"seoTitle":444,"customFonts":451,"inputs":456,"blocks":457,"url":447,"state":549},"Shine a light on risky browser extensions.","faPuzzlePiece",[452],{"kind":273,"family":272,"version":274,"files":453,"category":295,"lastModified":275,"subsets":454,"variants":455,"menu":296},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"100italic":288,"italic":289,"regular":290,"900italic":286,"800italic":285,"700italic":287,"200italic":291,"300italic":293,"500italic":292,"600italic":294},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],[],[458,544],{"@type":106,"@version":107,"tagName":323,"id":459,"meta":460,"children":461},"builder-71d0648c1d2f4ede8d0d0b5b28b7b94c",{"previousId":324},[462,478,485,492,501,511,521,531,538],{"@type":106,"@version":107,"id":463,"meta":464,"component":465,"responsiveStyles":476},"builder-ff325b4b8fad4edea53f38865947e854",{"previousId":328},{"name":327,"options":466,"isRSC":118},{"title":444,"description":467,"points":468,"video":475},"\u003Cp>Browser extensions introduce new code, new 
permissions, and new potential for risk. Many include AI features, and most go completely unnoticed. Push gives you full visibility into every extension used across your workforce, across major browsers, so you can uncover shadow IT, assess risky permissions, and block unsafe tools before they lead to compromise.\u003C/p>",[469,471,473],{"item":470},"Discover every browser extension in use",{"item":472},"Spot risky or unsanctioned behavior",{"item":474},"Make informed decisions on extension policy","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc538aad95d7f403aa3c3551af72f67c0?alt=media&token=1411fa6d-2eac-4e6c-94bf-ea117da12d67&apiKey=f3a1111ff5be48cdbb123cd9f5795a05",{"large":477},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":479,"meta":480,"component":481,"responsiveStyles":483},"builder-fb89d128c64e47cf9cbb11d90fc24523",{"previousId":344},{"name":346,"options":482,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":484},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":486,"meta":487,"component":488,"responsiveStyles":490},"builder-54388d35126c4d0096eeebaf8c4448cd",{"previousId":352},{"name":354,"options":489,"isRSC":118},{"darkMode":41},{"large":491},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":359,"id":493,"component":494,"responsiveStyles":499},"builder-3c8fa6785dd6466abf52a2470d66d85a",{"name":359,"tag":359,"options":495,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":496,"description":497,"image":498,"reverse":6},"\u003Ch2>Take control of browser extensions\u003C/h2>","\u003Cp>Attackers are increasingly using malicious browser extensions to gain access to data processed and stored in the browser. 
And the problem is, most security teams have no visibility into what extensions are being used. Push changes that. With browser-native telemetry, the Push extension continuously inventories browser extensions across your environment, flags the risky ones, and gives you intelligence to act.&nbsp;\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0a004f16a6874f4c8fdf14344acc9fec",{"large":500},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":502,"meta":503,"component":504,"responsiveStyles":509},"builder-93738f98109a4009affb349afd7bb182",{"previousId":371},{"name":373,"options":505,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":506,"description":507,"reverse":41,"image":508},"\u003Ch2>Discover every extension in use\u003C/h2>","\u003Cp>Push gives you structured, searchable data about every extension in your environment, so you’re not just seeing what’s there, but also understanding how it got there, what it can do, and who it affects. 
It’s the kind of granular insight that’s nearly impossible to get from traditional tools, and it lays the groundwork for better policy decisions and faster investigations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0e5727ca99474f14b1b7916bf6bbb782",{"large":510},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":512,"meta":513,"component":514,"responsiveStyles":519},"builder-83393acb12ee4fdd840839185b51edb4",{"previousId":386},{"name":373,"options":515,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":516,"description":517,"reverse":6,"image":518},"\u003Ch2>Spot risky or malicious extensions\u003C/h2>","\u003Cp>Push highlights extensions with dangerous permissions, broad access, or poor reputations. This includes AI extensions that request access far beyond what their stated purpose requires. You can quickly detect sideloaded, manually installed, or development-mode extensions that bypass normal controls. And because Push shows you who’s using them and where, you can respond precisely and effectively.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa104d58c8da34fbb8901f738fb21453b",{"large":520},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":522,"meta":523,"component":524,"responsiveStyles":529},"builder-da98e3de949646d89c53a0d1c2784664",{"previousId":397},{"name":373,"options":525,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":526,"description":527,"reverse":41,"image":528},"\u003Ch2>Accelerate security reviews\u003C/h2>","\u003Cp>Most teams have extension policies, they just don’t have the data to enforce them. 
Push reveals how each extension entered your environment, whether it was installed manually, sideloaded, or deployed in dev mode. You’ll see which users are running what, and where, so you can surface violations, investigate quickly, and respond with confidence.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F229f355be6f243b180f410d237a75bb3",{"large":530},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":532,"meta":533,"component":534,"responsiveStyles":536},"builder-1a689287d1a1418997d57db578a71105",{"previousId":408},{"name":354,"options":535,"isRSC":118},{"darkMode":6},{"large":537},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":539,"component":540,"responsiveStyles":542},"builder-feb4e75029f84c10b6498ef1f8f79128",{"name":416,"tag":416,"options":541,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":543},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":545,"@type":106,"tagName":131,"properties":546,"responsiveStyles":547},"builder-pixel-0edn39avfcei",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":548},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":550},{"path":37,"query":551},{},{},1776275365038,1757000441666,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8d496cf111644ee5afcc046b72d1ca5a",[],{"kind":438,"winningTest":118,"breakpoints":558,"lastPreviewUrl":559,"hasLinks":6,"originalContentId":259,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/browser-extension-security?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2Cc
reateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=54f8256648f54d439303734b1e69221b&builder.overrides.54f8256648f54d439303734b1e69221b=54f8256648f54d439303734b1e69221b&builder.overrides.use-case-page:/uc/browser-extension-security=54f8256648f54d439303734b1e69221b&builder.options.locale=Default",{"createdDate":561,"id":562,"name":563,"modelId":261,"published":13,"query":564,"data":567,"variations":670,"lastUpdated":671,"firstPublished":672,"testRatio":33,"screenshot":673,"createdBy":34,"lastUpdatedBy":674,"folders":675,"meta":676,"rev":440},1744923509705,"94bebb7bb99d48629ad157e80cf4d81d","Account takeover detection",[565],{"@type":264,"property":265,"operator":266,"value":566},"/uc/account-takeover-detection",{"title":563,"customFonts":568,"jsCode":37,"seoTitle":563,"seoDescription":573,"fontAwesomeIcon":574,"tsCode":37,"blocks":575,"url":566,"state":667},[569],{"kind":273,"category":295,"variants":570,"menu":296,"files":571,"family":272,"subsets":572,"version":274,"lastModified":275},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"300italic":293,"500italic":292,"800italic":285,"700italic":287,"italic":289,"900italic":286,"600italic":294,"200italic":291,"regular":290,"100italic":288},[298,299],"Stop ATO with stolen credential and compromised token 
detection.","faUserSecret",[576,662],{"@type":106,"@version":107,"tagName":323,"id":577,"meta":578,"children":579},"builder-e7913a774cae44c5a23d6081c5c30a52",{"previousId":324},[580,596,603,610,619,629,639,649,656],{"@type":106,"@version":107,"id":581,"meta":582,"component":583,"responsiveStyles":594},"builder-f1f1ab1601bc4c0f8c2a8aafd173675d",{"previousId":328},{"name":327,"options":584,"isRSC":118},{"title":563,"description":585,"points":586,"video":593},"\u003Cp>Attackers don’t need to phish, they just need a password that works. Push monitors for signs of credential-based attacks in real time, directly in the browser, catching account takeover attempts before the damage spreads. From ghost logins to credential stuffing, Push cuts off the paths attackers use to quietly slip in the back door.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[587,589,591],{"item":588},"Identify credential-based ATO as it unfolds",{"item":590},"Surface hijacked sessions and token misuse",{"item":592},"Strengthen authentication where your IdP 
can’t","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb4dd9db24bc9495b8a686b1b4d492016%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=b4dd9db24bc9495b8a686b1b4d492016&alt=media&optimized=true",{"large":595},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":597,"meta":598,"component":599,"responsiveStyles":601},"builder-0bc0d1c78ece4994993c3a6427a4d533",{"previousId":344},{"name":346,"options":600,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":602},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":604,"meta":605,"component":606,"responsiveStyles":608},"builder-e45de8f3768c4f16938dbf78e4e87524",{"previousId":352},{"name":354,"options":607,"isRSC":118},{"darkMode":41},{"large":609},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":611,"component":612,"responsiveStyles":617},"builder-c98e8bfd341146c1b67c02d5698ff093",{"name":359,"tag":359,"options":613,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":614,"description":615,"image":616,"reverse":6},"\u003Ch2>Assume less. See more.\u003C/h2>","\u003Cp>Most account takeovers don’t start with a breach, they start with a login. Whether it’s a reused password, a local account, or an outdated login flow, Push shows you how accounts are actually accessed day to day, not just how policies say they should be. 
That means no more blind spots around ghost logins, bypassed SSO, or stale access paths that quietly persist.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F18630ad2746d4eb7b7fcc0428b11a8f0",{"large":618},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":620,"meta":621,"component":622,"responsiveStyles":627},"builder-55c1fc38ddc04fd1a0d6a8e2fb819e00",{"previousId":371},{"name":373,"options":623,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":624,"description":625,"reverse":41,"image":626},"\u003Ch2>Catch stolen credential use in real time\u003C/h2>","\u003Cp>Push monitors login activity directly in the browser to detect signs of credential-based attacks like leaked password use or suspicious login flows. By analyzing attacker TTPs instead of relying on known indicators, Push spots credential stuffing and account takeover attempts the moment they begin, not after they’ve succeeded.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F52b0123cac2c4dfdb1dc0af6adf9d603",{"large":628},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":630,"meta":631,"component":632,"responsiveStyles":637},"builder-dfb31737b30948c6b95323655d571a50",{"previousId":386},{"name":373,"options":633,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":634,"description":635,"reverse":6,"image":636},"\u003Ch2>Detect session hijacks and stealth access\u003C/h2>","\u003Cp>Attackers don’t always need a login screen, they often sidestep it entirely using stolen session tokens. 
Push detects when valid sessions are reused in unexpected ways, identifying hijacked sessions and stealth access attempts that traditional tools miss. Because we monitor directly in the browser, you see what’s happening inside active sessions in real time.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F94a6859a99e04d309ffe5841f3dbdf5c",{"large":638},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":640,"meta":641,"component":642,"responsiveStyles":647},"builder-f7585b90eb974d03a7dc7eae5b58d227",{"previousId":397},{"name":373,"options":643,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":644,"description":645,"reverse":41,"image":646},"\u003Ch2>Harden accounts before they’re compromised\u003C/h2>","\u003Cp>Push goes beyond alerts. It identifies apps that still allow local logins, even when SSO is configured, so you can remove weak access paths. 
Push also flags users without MFA, reused work credentials, or weak passwords, and prompts users in-browser to fix risky behaviors before they’re exploited.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01c1b638f1b6497093a4f2b8ceddb5bb",{"large":648},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":650,"meta":651,"component":652,"responsiveStyles":654},"builder-ad81d1e3afec49a791214194eae09bdc",{"previousId":408},{"name":354,"options":653,"isRSC":118},{"darkMode":6},{"large":655},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":657,"component":658,"responsiveStyles":660},"builder-8dac1aa4b9d148628d92252bd8eff822",{"name":416,"tag":416,"options":659,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":661},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":663,"@type":106,"tagName":131,"properties":664,"responsiveStyles":665},"builder-pixel-s5u3wmvz7jq",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":666},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":668},{"path":37,"query":669},{},{},1770892814499,1745499162732,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F58b660fa94aa4b30b0faeb9b663ae41a","SfUPqW5tkibIPby49keNFMdHFTr1",[],{"lastPreviewUrl":677,"hasLinks":6,"originalContentId":259,"breakpoints":678,"winningTest":118,"kind":438,"hasAutosaves":41},"https://pushsecurity.com/uc/account-takeover-detection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepo
sitory%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.94bebb7bb99d48629ad157e80cf4d81d=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.use-case-page:/uc/account-takeover-detection=94bebb7bb99d48629ad157e80cf4d81d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":680,"id":681,"name":682,"modelId":261,"published":13,"query":683,"data":686,"variations":789,"lastUpdated":790,"firstPublished":791,"testRatio":33,"screenshot":792,"createdBy":34,"lastUpdatedBy":674,"folders":793,"meta":794,"rev":440},1745009370904,"23eb48fb56d3451cab77cb6ed140ee6d","Attack path hardening",[684],{"@type":264,"property":265,"operator":266,"value":685},"/uc/attack-path-hardening",{"tsCode":37,"seoDescription":687,"jsCode":37,"customFonts":688,"fontAwesomeIcon":693,"seoTitle":682,"title":682,"blocks":694,"url":685,"state":786},"Harden access paths with visibility,  detection, and 
guardrails.",[689],{"kind":273,"files":690,"version":274,"lastModified":275,"subsets":691,"menu":296,"category":295,"variants":692,"family":272},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"regular":290,"italic":289,"800italic":285,"500italic":292,"600italic":294,"200italic":291,"900italic":286,"700italic":287,"100italic":288,"300italic":293},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"faRadar",[695,781],{"@type":106,"@version":107,"tagName":323,"id":696,"meta":697,"children":698},"builder-1d8553eddcaa44d7bba9e2f4ca13af2a",{"previousId":577},[699,715,722,729,738,748,758,768,775],{"@type":106,"@version":107,"id":700,"meta":701,"component":702,"responsiveStyles":713},"builder-84fe3d7c85a743cf8cef649aa974f1ef",{"previousId":581},{"name":327,"options":703,"isRSC":118},{"title":682,"description":704,"points":705,"video":712},"\u003Cp>Push continuously monitors your environment for exposed login paths, weak credentials, and missing protections like MFA. 
It detects the gaps attackers exploit and helps you close them before they’re used.\u003C/p>",[706,708,710],{"item":707},"Find weak spots like reused passwords, local logins, and missing MFA",{"item":709},"Monitor how users actually log in across apps, flows, and tools",{"item":711},"Enforce secure access with in-browser guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fdbdcf52892034f1bbddded77f753a343%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=dbdcf52892034f1bbddded77f753a343&alt=media&optimized=true",{"large":714},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":716,"meta":717,"component":718,"responsiveStyles":720},"builder-b3f66f5b08054cc78a06fecfc3ae2337",{"previousId":597},{"name":346,"options":719,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":721},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":723,"meta":724,"component":725,"responsiveStyles":727},"builder-4c73418b84be49ed85e6e13d2625c5a0",{"previousId":604},{"name":354,"options":726,"isRSC":118},{"darkMode":41},{"large":728},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":730,"component":731,"responsiveStyles":736},"builder-dec0246085e1485c803f7152b1922a81",{"name":359,"tag":359,"options":732,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":733,"description":734,"image":735,"reverse":6},"\u003Ch2>Find the gaps that lead to compromise\u003C/h2>","\u003Cp>Misconfigurations don’t show up in your config files, they show up in how users actually access apps. 
Push monitors real login behavior in the browser, surfacing risky patterns like local login access, duplicate accounts, or missing protections that leave doors wide open.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F309a59bba8d247a19476bb369397460e",{"large":737},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":739,"meta":740,"component":741,"responsiveStyles":746},"builder-ebf049a645604a249550996a88f8f3b6",{"previousId":620},{"name":373,"options":742,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":743,"description":744,"reverse":41,"image":745},"\u003Ch2>See real login behavior\u003C/h2>","\u003Cp>Push watches authentication flows as they happen, giving you a live view of how users log in, which methods they choose, and where protections like MFA are missing. Plus, uncover every app and account in use, even shadow IT you didn’t know existed, without relying on stale config files or IdP assumptions. \u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb51f6b0357cc451b87a7a5016d984e5e",{"large":747},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":749,"meta":750,"component":751,"responsiveStyles":756},"builder-431d175c59004669b0b2776b07d71737",{"previousId":630},{"name":373,"options":752,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":753,"description":754,"reverse":6,"image":755},"\u003Ch2>Find and fix posture drift\u003C/h2>","\u003Cp>Security posture isn’t static. Push continuously monitors for issues like missing MFA or legacy login methods. 
When something falls out of policy, you know immediately with custom notifications so you can act before it turns into risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F324e39127dfc41e592b1183dfb39892d",{"large":757},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":759,"meta":760,"component":761,"responsiveStyles":766},"builder-3dffdcbe0a484e2ca4c03f019b6d40ee",{"previousId":640},{"name":373,"options":762,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":763,"description":764,"reverse":41,"image":765},"\u003Ch2>Guide users with in-browser guardrails\u003C/h2>","\u003Cp>Push doesn’t just surface problems, it helps you fix them. When users sign in without MFA, reuse a password, or use insecure credentials, Push prompts them directly in the browser to secure their access. It’s faster, more effective, and actually gets 
results.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fee8b75d13e45488aba55434a8b49ebb0",{"large":767},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":769,"meta":770,"component":771,"responsiveStyles":773},"builder-976bc222cd7647ff905f1e01cfedc453",{"previousId":650},{"name":354,"options":772,"isRSC":118},{"darkMode":6},{"large":774},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":776,"component":777,"responsiveStyles":779},"builder-8c47ec2fd0f74382bb3e6c870555632c",{"name":416,"tag":416,"options":778,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":780},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":782,"@type":106,"tagName":131,"properties":783,"responsiveStyles":784},"builder-pixel-7akm7dayau8",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":785},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":787},{"path":37,"query":788},{},{},1770892844854,1745499166112,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6ca12bf728a045f1a31d40c0beb3bfe5",[],{"kind":438,"lastPreviewUrl":795,"breakpoints":796,"hasLinks":6,"originalContentId":562,"winningTest":118,"hasAutosaves":6},"https://pushsecurity.com/uc/attack-path-hardening?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&buil
der.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.23eb48fb56d3451cab77cb6ed140ee6d=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.use-case-page:/uc/attack-path-hardening=23eb48fb56d3451cab77cb6ed140ee6d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":798,"id":799,"name":800,"modelId":261,"published":13,"query":801,"data":804,"variations":909,"lastUpdated":910,"firstPublished":911,"testRatio":33,"screenshot":912,"createdBy":34,"lastUpdatedBy":674,"folders":913,"meta":914,"rev":440},1761675020232,"ea4f309d2ffe46c5aa97ebf0fda4e2e3","ClickFix Protection",[802],{"@type":264,"property":265,"operator":266,"value":803},"/uc/clickfix-protection",{"seoDescription":805,"fontAwesomeIcon":806,"customFonts":807,"seoTitle":812,"jsCode":37,"tsCode":37,"title":812,"blocks":813,"url":803,"state":906},"Block attacks that trick users into running malicious code.","faLaptopCode",[808],{"files":809,"subsets":810,"menu":296,"version":274,"kind":273,"family":272,"lastModified":275,"variants":811,"category":295},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"200italic":291,"800italic":285,"700italic":287,"600italic":294,"100italic":288,"italic":289,"regular":290,"300italic":293,"500italic":292,"900italic":286},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"ClickFix 
protection",[814,901],{"@type":106,"@version":107,"tagName":323,"id":815,"meta":816,"children":817},"builder-d7eefdde0f2a4b2b9de3dcb2978fd6cb",{"previousId":696},[818,834,841,848,858,868,878,888,895],{"@type":106,"@version":107,"id":819,"meta":820,"component":821,"responsiveStyles":832},"builder-56e2c54bcce040a4af8b92ae03706c12",{"previousId":700},{"name":327,"options":822,"isRSC":118},{"title":812,"description":823,"points":824,"image":831},"\u003Cp>ClickFix attacks are one of the fastest-growing threats, tricking users into copying malicious code from a webpage and running it locally. This technique bypasses traditional EDR, email gateways, and network filters, leading directly to ransomware and data theft. Push stops this attack at the source, in the browser, by detecting and blocking the malicious behavior before the user can ever paste the code.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[825,827,829],{"item":826},"Detect ClickFix, FileFix, and fake CAPTCHA in the browser",{"item":828},"Block malicious copy-and-paste actions before code is executed",{"item":830},"See full telemetry into which users were targeted and what they 
saw","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b74af62889847ebb3927364485b0546",{"large":833},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":835,"meta":836,"component":837,"responsiveStyles":839},"builder-05f9614d4e3e4dc88b3ee8658f54e10e",{"previousId":716},{"name":346,"options":838,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":840},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":842,"meta":843,"component":844,"responsiveStyles":846},"builder-c4fb5179366243c1b6c32d368675cf47",{"previousId":723},{"name":354,"options":845,"isRSC":118},{"darkMode":41},{"large":847},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":849,"meta":850,"component":851,"responsiveStyles":856},"builder-261af50705fd445d8cca4a6ba20d5391",{"previousId":730},{"name":359,"tag":359,"options":852,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":853,"description":854,"reverse":6,"image":855},"\u003Ch2>Stop ClickFix-style attacks before they become a breach\u003C/h2>","\u003Cp>Traditional security tools are blind to malicious copy and paste attacks because the attack exploits a gap between the browser and the endpoint. 
EDR only sees the payload after it runs, and network tools see only part of the picture.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F98b2f7e08dec4eafaf8e24937605b8cf",{"large":857},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":859,"meta":860,"component":861,"responsiveStyles":866},"builder-7d21b8aab8064c40b1e5dd23c4749309",{"previousId":739},{"name":373,"options":862,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":863,"description":864,"reverse":41,"image":865},"\u003Ch2>Discover lures at the source\u003C/h2>","\u003Cp>Push inspects page behavior to identify ClickFix attacks as they happen. By inspecting the page, its structure, and how the user interacts with it, Push can detect and block these in-browser threats in real time. This deep, TTP-based inspection spots the trap even on novel pages that are built to bypass traditional web filters and blocklists.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F665bf47e01544c75bf9ddafd3917927b",{"large":867},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":869,"meta":870,"component":871,"responsiveStyles":876},"builder-fb91943adf6149259ed9e1e6566c9afe",{"previousId":749},{"name":373,"options":872,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":873,"description":874,"reverse":6,"image":875},"\u003Ch2>Block the malicious action\u003C/h2>","\u003Cp>When Push detects a malicious script, it intercepts the user's action and blocks the code from being copied to the clipboard. The user is protected, the attack is stopped, and no malicious code ever reaches the endpoint. 
Unlike broad DLP tools, this action is surgical, targeting only malicious behavior without disrupting normal work.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F5ee68f81f1ac416685cbfe91298cf827",{"large":877},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":879,"meta":880,"component":881,"responsiveStyles":886},"builder-bfac95fada864e5a8259b955b5b5f98b",{"previousId":759},{"name":373,"options":882,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":883,"description":884,"reverse":41,"image":885},"\u003Ch2>Accelerate ClickFix investigations\u003C/h2>","\u003Cp>When an attack happens, knowing what the user saw or did is critical. Push provides rich browser session data for rapid investigation and containment. Security teams get detailed telemetry on which users were targeted, what lure they were served, and when the block occurred. 
This enables defenders to reconstruct what happened and respond quickly, even when other tools miss the activity entirely.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6cdf2a8aeddc4e9a9023cbf974e40239",{"large":887},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":889,"meta":890,"component":891,"responsiveStyles":893},"builder-136892e831684a6987f87d3be67c33d1",{"previousId":769},{"name":354,"options":892,"isRSC":118},{"darkMode":6},{"large":894},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":896,"component":897,"responsiveStyles":899},"builder-dec26b739f2f42beb5a73cfc6c675b60",{"name":416,"tag":416,"options":898,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":900},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":902,"@type":106,"tagName":131,"properties":903,"responsiveStyles":904},"builder-pixel-zzjpxxgrc2l",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":905},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":907},{"path":37,"query":908},{},{},1770892881888,1761847585203,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F375467b8bef34ed1a8a1cc5b8b67d75f",[],{"lastPreviewUrl":915,"originalContentId":681,"winningTest":118,"hasLinks":6,"kind":438,"breakpoints":916,"hasAutosaves":6},"https://pushsecurity.com/uc/clickfix-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.u
ser.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.ea4f309d2ffe46c5aa97ebf0fda4e2e3=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.use-case-page:/uc/clickfix-protection=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":918,"id":919,"name":920,"modelId":261,"published":13,"query":921,"data":924,"variations":1029,"lastUpdated":1030,"firstPublished":1031,"testRatio":33,"screenshot":1032,"createdBy":34,"lastUpdatedBy":674,"folders":1033,"meta":1034,"rev":440},1745009743870,"a9d5556e77f84a37b5bd52310a7110c1","Incident response",[922],{"@type":264,"property":265,"operator":266,"value":923},"/uc/incident-response",{"seoDescription":925,"customFonts":926,"title":920,"jsCode":37,"fontAwesomeIcon":931,"seoTitle":932,"tsCode":37,"blocks":933,"url":923,"state":1026},"Investigate and respond faster with unique browser telemetry.",[927],{"kind":273,"subsets":928,"menu":296,"variants":929,"category":295,"family":272,"version":274,"lastModified":275,"files":930},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"900italic":286,"600italic":294,"200italic":291,"300italic":293,"100italic":288,"700italic":287,"800italic":285,"regular":290,"italic":289,"500italic":292},"faSatelliteDish","Browser based incident 
response",[934,1021],{"@type":106,"@version":107,"tagName":323,"id":935,"meta":936,"children":937},"builder-653c4aed737b4def88dc4cd2d695660a",{"previousId":696},[938,955,962,969,978,988,998,1008,1015],{"@type":106,"@version":107,"id":939,"meta":940,"component":941,"responsiveStyles":953},"builder-18190bd36518467d9154d27d7e945b9b",{"previousId":700},{"name":327,"options":942,"isRSC":118},{"title":943,"description":944,"points":945,"video":952},"Browser-based incident response","\u003Cp>Push gives you real-time visibility into what actually happened during a breach, right in the browser where the attack played out. From credential theft to session hijacking, Push captures high-fidelity telemetry so you can investigate quickly, contain confidently, and shut it down before it spreads.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[946,948,950],{"item":947},"Reconstruct what happened with real browser session context",{"item":949},"Investigate faster with real-world session context",{"item":951},"Trigger response actions automatically through your SIEM or 
SOAR","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fd00e39d3b6e346c296261d875cf55652%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=d00e39d3b6e346c296261d875cf55652&alt=media&optimized=true",{"large":954},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":956,"meta":957,"component":958,"responsiveStyles":960},"builder-8a0a8ea63f5d48dd8a6726f2d49cf0ca",{"previousId":716},{"name":346,"options":959,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":961},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":963,"meta":964,"component":965,"responsiveStyles":967},"builder-2df65c3f54334df2b26e7cb744886cdc",{"previousId":723},{"name":354,"options":966,"isRSC":118},{"darkMode":41},{"large":968},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":970,"component":971,"responsiveStyles":976},"builder-2c32c869efc2423ab69ef06b150e9f97",{"name":359,"tag":359,"options":972,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":973,"description":974,"image":975,"reverse":6},"\u003Ch2>See attacks unfold, not just their aftermath\u003C/h2>","\u003Cp>Attacks happen in the browser, not in logs. Push captures what traditional tools miss: what users clicked, what loaded, what was entered, and how attackers moved. 
That gives you real-world evidence, not just assumptions, when every second matters.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F36fc719bd1de4a38b916f4d25c81a26d",{"large":977},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":979,"meta":980,"component":981,"responsiveStyles":986},"builder-370e53c6016e432db01e9193a2ce90f6",{"previousId":739},{"name":373,"options":982,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":983,"description":984,"reverse":41,"image":985},"\u003Ch2>Investigate faster with high-fidelity data\u003C/h2>","\u003Cp>Reconstructing an incident shouldn’t feel like guesswork. Push records detailed telemetry from inside the browser: page loads, credential inputs, DOM changes, session activity, user behavior. It’s structured, exportable, and ready to plug into your investigation workflows, so you can move fast without digging through proxy logs or relying on user reports.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa6adda040e684e67a8d68a55c5ce5f6d",{"large":987},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":989,"meta":990,"component":991,"responsiveStyles":996},"builder-a7f3767a8d184bd08fb24520bf210e95",{"previousId":749},{"name":373,"options":992,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":993,"description":994,"reverse":6,"image":995},"\u003Ch2>Contain and respond in real time\u003C/h2>","\u003Cp>When something looks off, Push doesn’t just alert you, it gives you options. Guide users with in-browser prompts. Terminate sessions. Trigger SOAR workflows. Enrich SIEM alerts. 
Push gives you the context and control to stop spread before it starts.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb3dedeed5aba4847a2c2d22e10d0ec12",{"large":997},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":999,"meta":1000,"component":1001,"responsiveStyles":1006},"builder-b92036ee0ece4b32acdbdcc7c377366b",{"previousId":759},{"name":373,"options":1002,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1003,"description":1004,"reverse":41,"image":1005},"\u003Ch2>Prevent the next one\u003C/h2>","\u003Cp>Push helps you respond fast, but it also helps you fix what went wrong. It surfaces misconfigurations and risky behaviors that made the attack possible in the first place, then guides users in-browser to remediate. One tool. Full loop. No loose ends.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc1ecc2d5d3814b62b072fac01827ff96",{"large":1007},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1009,"meta":1010,"component":1011,"responsiveStyles":1013},"builder-5e8ae39655274de89da32ab573a2525a",{"previousId":769},{"name":354,"options":1012,"isRSC":118},{"darkMode":6},{"large":1014},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1016,"component":1017,"responsiveStyles":1019},"builder-dfd6850cfb4741d2b8a0c16c2780f00a",{"name":416,"tag":416,"options":1018,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1020},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1022,"@type":106,"tagName":131,"properties":1023,"responsiveStyles":1024},"builder-pixel-z197gdgcmu",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"lar
ge":1025},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1027},{"path":37,"query":1028},{},{},1770892908052,1745427419274,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb07017bfd318431690a5bb35bda35b99",[],{"kind":438,"breakpoints":1035,"originalContentId":681,"winningTest":118,"lastPreviewUrl":1036,"hasLinks":6,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/incident-response?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.a9d5556e77f84a37b5bd52310a7110c1=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.use-case-page:/uc/incident-response=a9d5556e77f84a37b5bd52310a7110c1&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"createdDate":1038,"id":1039,"name":1040,"modelId":261,"published":13,"query":1041,"data":1044,"variations":1149,"lastUpdated":1150,"firstPublished":1151,"testRatio":33,"screenshot":1152,"createdBy":34,"lastUpdatedBy":674,"folders":1153,"meta":1154,"rev":440},1746122471259,"5f118e24433d46ceb79f5099987156d7","Shadow SaaS",[1042],{"@type":264,"property":265,"operator":266,"value":1043},"/uc/shadow-saas",{"seoTitle":1045,"seoDescription":1046,"customFonts":1047,"fontAwesomeIcon":1052,"title":1053,"jsCode":37,"tsCode":37,"blocks":1054,"url":1043,"state":1146},"Find and secure shadow SaaS","See and 
control shadow SaaS in the browser.",[1048],{"kind":273,"variants":1049,"files":1050,"family":272,"version":274,"subsets":1051,"lastModified":275,"category":295,"menu":296},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"300italic":293,"500italic":292,"regular":290,"900italic":286,"italic":289,"100italic":288,"200italic":291,"600italic":294,"700italic":287,"800italic":285},[298,299],"faShieldCheck","Secure shadow SaaS",[1055,1141],{"@type":106,"@version":107,"tagName":323,"id":1056,"meta":1057,"children":1058},"builder-04da805c4cd34652a2db452fcda52e1d",{"previousId":935},[1059,1075,1082,1089,1098,1108,1118,1128,1135],{"@type":106,"@version":107,"id":1060,"meta":1061,"component":1062,"responsiveStyles":1073},"builder-830d414faeaf41439142f9157e8288c8",{"previousId":939},{"name":327,"options":1063,"isRSC":118},{"title":1045,"description":1064,"points":1065,"video":1072},"\u003Cp>SaaS sprawl is one of today’s fastest-growing security blind spots because most tools monitor around the edges. Push sees it at the source, in the browser, revealing every app users access, flagging risky tools, and helping you shut down exposure before it leads to a breach. No guesswork. No nasty surprises. 
Just real-time visibility and control.\u003C/p>",[1066,1068,1070],{"item":1067},"Discover every SaaS app users access, managed or not",{"item":1069},"Spot accounts with weak security postures like missing MFA, unmanaged access, and no SSO",{"item":1071},"Control usage with in-browser prompts, blocks, and security guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F3e4eece318d04d6586e691d59d0741cf%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=3e4eece318d04d6586e691d59d0741cf&alt=media&optimized=true",{"large":1074},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":1076,"meta":1077,"component":1078,"responsiveStyles":1080},"builder-cd7833f966cb4c7e8adf0d6c979414a6",{"previousId":956},{"name":346,"options":1079,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":1081},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":1083,"meta":1084,"component":1085,"responsiveStyles":1087},"builder-49d720b45430454e8b08c526f267c19f",{"previousId":963},{"name":354,"options":1086,"isRSC":118},{"darkMode":41},{"large":1088},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1090,"component":1091,"responsiveStyles":1096},"builder-3dde0bf6c8544e5e9ab41b18a9d68034",{"name":359,"tag":359,"options":1092,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":1093,"description":1094,"image":1095,"reverse":6},"\u003Ch2>Use your browser to curb Saas Sprawl\u003C/h2>","\u003Cp>Shadow SaaS isn’t hiding in your network, it’s in your browser. From AI tools to unsanctioned file-sharing sites, security risks live in the apps your users sign into every day. 
Push maps your organization's true SaaS footprint in real time, exposing apps and accounts with unmanaged access, poor authentication, or no security oversight.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb6811a214c7949b6bbe0b9a3bca62efd",{"large":1097},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1099,"meta":1100,"component":1101,"responsiveStyles":1106},"builder-e2420451ccdc4f088d0a4904cff45935",{"previousId":979},{"name":373,"options":1102,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":1103,"description":1104,"reverse":41,"image":1105},"\u003Ch2>Discover hidden SaaS usage\u003C/h2>","\u003Cp>Push captures live browser telemetry across every tab and session. Whether a user signs into a sanctioned app with a personal account or tries a new AI plugin, you’ll see it in real time, with no integrations or manual tagging.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe16e301f9af94665b95d98232a863d8a",{"large":1107},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":1109,"meta":1110,"component":1111,"responsiveStyles":1116},"builder-b36de7fce7994beea9e58d94662e7166",{"previousId":989},{"name":373,"options":1112,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":1113,"description":1114,"reverse":6,"image":1115},"\u003Ch2>Spot risky access and unsafe usage\u003C/h2>","\u003Cp>Discovery is just the beginning. Push flags apps with risky traits, no MFA, no SSO, known vulnerabilities, or broad access scopes. 
You’ll know which tools introduce real risk, and which users are exposed so you can act with precision.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6585f3c242da4d70ae3cb7d02f481bef",{"large":1117},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":1119,"meta":1120,"component":1121,"responsiveStyles":1126},"builder-dc366b5134684fe7a508edf8913103ea",{"previousId":999},{"name":373,"options":1122,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1123,"description":1124,"reverse":41,"image":1125},"\u003Ch2>Close gaps before they grow\u003C/h2>","\u003Cp>Push turns insight into action. When risky SaaS use is detected, guide users to enable MFA, block high-risk apps, or apply in-browser guardrails automatically. All without deploying new infrastructure or managing dozens of integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe6d60b6d91414819bc6258a318f00557",{"large":1127},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1129,"meta":1130,"component":1131,"responsiveStyles":1133},"builder-8708f6f0d8da4b3f9e17bf16cda70219",{"previousId":1009},{"name":354,"options":1132,"isRSC":118},{"darkMode":6},{"large":1134},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1136,"component":1137,"responsiveStyles":1139},"builder-8ff4b38d60534cf28cb523ab0f754875",{"name":416,"tag":416,"options":1138,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1140},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1142,"@type":106,"tagName":131,"properties":1143,"responsiveStyles":1144},"builder-pixel-d1ul2kmxbed",{"src":133,"aria-hidden":134,"alt":37,"role":135,"w
idth":124,"height":124},{"large":1145},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1147},{"path":37,"query":1148},{},{},1770892936802,1746714967208,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01bfb2304521412fbd2e1a1180904d40",[],{"originalContentId":919,"winningTest":118,"lastPreviewUrl":1155,"breakpoints":1156,"kind":438,"hasLinks":6,"hasAutosaves":6},"https://pushsecurity.com/uc/shadow-saas?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=5f118e24433d46ceb79f5099987156d7&builder.overrides.5f118e24433d46ceb79f5099987156d7=5f118e24433d46ceb79f5099987156d7&builder.overrides.use-case-page:/uc/shadow-saas=5f118e24433d46ceb79f5099987156d7&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":1158,"id":1159,"name":1160,"modelId":261,"published":13,"query":1161,"data":1164,"variations":1268,"lastUpdated":1269,"firstPublished":1270,"testRatio":33,"screenshot":1271,"createdBy":34,"lastUpdatedBy":674,"folders":1272,"meta":1273,"rev":440},1764707470172,"b62629ce2f3741158d961cd10fe74b31","Shadow AI",[1162],{"@type":264,"property":265,"operator":266,"value":1163},"/uc/shadow-ai",{"fontAwesomeIcon":1165,"seoTitle":1166,"jsCode":37,"customFonts":1167,"title":1172,"tsCode":37,"seoDescription":1173,"blocks":1174,"url":1163,"state":1265},"faBrainCircuit","Secure AI 
native and AI enhanced apps. ",[1168],{"variants":1169,"category":295,"files":1170,"subsets":1171,"family":272,"kind":273,"menu":296,"lastModified":275,"version":274},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"800italic":285,"regular":290,"700italic":287,"200italic":291,"italic":289,"500italic":292,"600italic":294,"300italic":293,"100italic":288,"900italic":286},[298,299],"Secure shadow AI","See and control shadow AI apps in the browser.",[1175,1260],{"@type":106,"@version":107,"tagName":323,"id":1176,"meta":1177,"children":1178},"builder-a6e5717a2c914d5695058e4ee201a05d",{"previousId":1056},[1179,1195,1202,1209,1219,1228,1237,1247,1254],{"@type":106,"@version":107,"id":1180,"meta":1181,"component":1182,"responsiveStyles":1193},"builder-3e0ed678683f4a0eb7aa00253cf263b2",{"previousId":1060},{"name":327,"options":1183,"isRSC":118},{"title":1172,"description":1184,"points":1185,"image":1192},"\u003Cp>Your employees are adopting AI faster than you can track it. From native features in corporate apps to unapproved shadow tools, it’s all happening in the browser. 
Push detects every AI interaction in real time, letting you categorize apps and enforce acceptable use policies in the browser.\u003C/p>",[1186,1188,1190],{"item":1187},"Map every AI tool used across your workforce",{"item":1189},"Review and classify apps by sensitivity, purpose, and policy status",{"item":1191},"Enforce AI usage rules directly in the browser","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F33cf153d920f4e389f3650253577cff7",{"large":1194},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":1196,"meta":1197,"component":1198,"responsiveStyles":1200},"builder-76968f8471d14893b8189d75b08fb426",{"previousId":1076},{"name":346,"options":1199,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":1201},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":1203,"meta":1204,"component":1205,"responsiveStyles":1207},"builder-b55b9d4bc5a649d8839ce7f6c2043d95",{"previousId":1083},{"name":354,"options":1206,"isRSC":118},{"darkMode":41},{"large":1208},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1210,"meta":1211,"component":1212,"responsiveStyles":1217},"builder-c3f38ef4d75d4989a29b5903175ed8a1",{"previousId":1090},{"name":359,"tag":359,"options":1213,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":1214,"description":1215,"image":1216,"reverse":6},"\u003Ch2>Use your browser to govern AI \u003C/h2>","\u003Cp>The AI footprint inside your company is bigger than you think. From text generators to meeting assistants and design copilots, employees test, adopt, and connect new tools constantly. 
Push shows you those tools and which users are accessing them, without relying on network scans or API integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F30b43bda6f1644c19478fb1efa20050c",{"large":1218},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1220,"meta":1221,"component":1222,"responsiveStyles":1226},"builder-90ee9cb9afc44e7f885523715bf51a53",{"previousId":1099},{"name":373,"options":1223,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":1224,"description":1225,"reverse":41,"image":1115},"\u003Ch2>Discover every AI tool users touch\u003C/h2>","\u003Cp>Push captures live telemetry from the browser, identifying every AI-native and AI-enhanced application users access. You’ll know which corporate identities are connected, how data flows, and what new AI apps appear across your environment. \u003C/p>",{"large":1227},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":1229,"meta":1230,"component":1231,"responsiveStyles":1235},"builder-9e44539fa53c4d8e87406036c921fc46",{"previousId":1109},{"name":373,"options":1232,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":1233,"description":1234,"reverse":6,"image":1125},"\u003Ch2>Classify and manage AI risk\u003C/h2>","\u003Cp>For apps you choose to allow, Push lets you apply custom in-browser banners. You can bulk-select categories of AI tools and require users to read and acknowledge your acceptable use policy before they proceed. 
This creates an auditable trail and moves policy from an easy to forget document to an active, in-workflow control.\u003C/p>",{"large":1236},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":1238,"meta":1239,"component":1240,"responsiveStyles":1245},"builder-44c1a891926f4bdeaaa37e90721fe6ac",{"previousId":1119},{"name":373,"options":1241,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1242,"description":1243,"reverse":41,"image":1244},"\u003Ch2>Enforce your AI policy in the browser\u003C/h2>","\u003Cp>When an AI tool is deemed non-compliant or too risky, Push blocks it at the source. The block happens directly in the browser, preventing the user from accessing the site or submitting data. This gives you an immediate, powerful lever to stop data exfiltration and enforce a hard line on unacceptable risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa359ac1805af4e15a8a7f84632b9bb55",{"large":1246},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1248,"meta":1249,"component":1250,"responsiveStyles":1252},"builder-dcc906f9cbe54dc68b3c672668e7a38f",{"previousId":1129},{"name":354,"options":1251,"isRSC":118},{"darkMode":6},{"large":1253},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1255,"component":1256,"responsiveStyles":1258},"builder-d2d64780c31b4349bc75805b23a07e38",{"name":416,"tag":416,"options":1257,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1259},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1261,"@type":106,"tagName":131,"properties":1262,"responsiveStyles":1263},"builder-pixel-wxx9tk70r9p",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124
},{"large":1264},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1266},{"path":37,"query":1267},{},{},1770892957225,1764950077593,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe558b8b069884037a8e6904f7ecc029c",[],{"winningTest":118,"breakpoints":1274,"originalContentId":1039,"kind":438,"lastPreviewUrl":1275,"hasLinks":6,"hasAutosaves":41},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/shadow-ai?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=b62629ce2f3741158d961cd10fe74b31&builder.overrides.b62629ce2f3741158d961cd10fe74b31=b62629ce2f3741158d961cd10fe74b31&builder.overrides.use-case-page:/uc/shadow-ai=b62629ce2f3741158d961cd10fe74b31&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"_path":1277,"_dir":1278,"_draft":6,"_partial":6,"_locale":37,"sys":1279,"ogImage":118,"summary":1282,"title":1296,"subtitle":118,"metaTitle":1297,"synopsis":1298,"hashTags":118,"publishedDate":1299,"slug":1300,"tagsCollection":1301,"relatedBlogPostsCollection":1311,"authorsCollection":3569,"content":3573,"_id":4444,"_type":4445,"_source":4446,"_file":4447,"_stem":4448,"_extension":4445},"/blog/slack-phishing-for-initial-access","blog",{"id":1280,"publishedAt":1281},"2rjLrCo6KWwLicfpV2qTOZ","2024-03-21T08:57:37.984Z",{"json":1283},{"data":1284,"content":1285,"nodeType":1295},{},[1286],{"data":1287,"content
":1288,"nodeType":1294},{},[1289],{"data":1290,"marks":1291,"value":1292,"nodeType":1293},{},[],"Our latest post in the SaaS attacks matrix series is focused on external phishing via Slack. Unlike email, IM apps and the messages within them are typically more trusted by employees, making social engineering via Slack a juicy target.","text","paragraph","document","Slack Attack: A phisher's guide to initial access","Phishing through Slack for initial access","In this article, we’ll demonstrate how IM apps, specifically Slack, are an increasingly attractive target for a range of phishing & social engineering attacks.","2023-10-24T00:00:00.000Z","slack-phishing-for-initial-access",{"items":1302},[1303,1307],{"sys":1304,"name":1306},{"id":1305},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"sys":1308,"name":1310},{"id":1309},"3pjES4THCIfSAwhGdNwBcy","Identity security",{"items":1312},[1313,2195,3099],{"__typename":1314,"sys":1315,"content":1317,"title":2178,"synopsis":2179,"hashTags":118,"publishedDate":1299,"slug":2180,"tagsCollection":2181,"authorsCollection":2187},"BlogPosts",{"id":1316},"1hU7XNIizp4vQXsiiQmqvI",{"json":1318},{"data":1319,"content":1320,"nodeType":1295},{},[1321,1343,1367,1374,1463,1471,1493,1500,1507,1514,1521,1554,1561,1607,1614,1621,1628,1648,1655,1662,1682,1704,1726,1734,1741,1748,1754,1761,1768,1775,1781,1787,1807,1814,1820,1826,1832,1839,1855,1861,1867,1874,1881,1888,1895,1902,1908,1915,1934,1940,1947,1953,1960,1966,1973,1980,1987,1994,2000,2007,2013,2020,2027,2034,2143,2150,2157,2164,2171],{"data":1322,"content":1323,"nodeType":1294},{},[1324,1328,1339],{"data":1325,"marks":1326,"value":1327,"nodeType":1293},{},[],"This is the fourth post in a series on attack chains formed by combining techniques in the ",{"data":1329,"content":1331,"nodeType":1338},{"uri":1330},"https://github.com/pushsecurity/saas-attacks",[1332],{"data":1333,"marks":1334,"value":1337,"nodeType":1293},{},[1335],{"type":1336},"underline","SaaS attack 
matrix","hyperlink",{"data":1340,"marks":1341,"value":1342,"nodeType":1293},{},[]," and the second post of two focused on attacking instant messaging applications with Slack as the primary example. ",{"data":1344,"content":1345,"nodeType":1294},{},[1346,1350,1363],{"data":1347,"marks":1348,"value":1349,"nodeType":1293},{},[],"The ",{"data":1351,"content":1356,"nodeType":1362},{"target":1352},{"sys":1353},{"id":1280,"type":1354,"linkType":1355},"Link","Entry",[1357],{"data":1358,"marks":1359,"value":1361,"nodeType":1293},{},[1360],{"type":1336},"previous post","entry-hyperlink",{"data":1364,"marks":1365,"value":1366,"nodeType":1293},{},[]," focused on external attackers gaining an initial foothold during the initial access phase of the kill chain. In this post we’ll be focusing on persistence and lateral movement for an attacker that has already gained a foothold on a Slack tenant by compromising an internal account. ",{"data":1368,"content":1369,"nodeType":1294},{},[1370],{"data":1371,"marks":1372,"value":1373,"nodeType":1293},{},[],"We’ll build on the techniques in the previous post as well as introducing more and so will cover the following SaaS attack techniques, including chaining them together:",{"data":1375,"content":1376,"nodeType":1462},{},[1377,1399,1420,1441],{"data":1378,"content":1379,"nodeType":1398},{},[1380],{"data":1381,"content":1382,"nodeType":1294},{},[1383,1386,1395],{"data":1384,"marks":1385,"value":37,"nodeType":1293},{},[],{"data":1387,"content":1389,"nodeType":1338},{"uri":1388},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/im_phishing/description.md",[1390],{"data":1391,"marks":1392,"value":1394,"nodeType":1293},{},[1393],{"type":1336},"SAT1018 - IM 
phishing",{"data":1396,"marks":1397,"value":37,"nodeType":1293},{},[],"list-item",{"data":1400,"content":1401,"nodeType":1398},{},[1402],{"data":1403,"content":1404,"nodeType":1294},{},[1405,1408,1417],{"data":1406,"marks":1407,"value":37,"nodeType":1293},{},[],{"data":1409,"content":1411,"nodeType":1338},{"uri":1410},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/im_user_spoofing/description.md",[1412],{"data":1413,"marks":1414,"value":1416,"nodeType":1293},{},[1415],{"type":1336},"SAT1019 - IM user spoofing",{"data":1418,"marks":1419,"value":37,"nodeType":1293},{},[],{"data":1421,"content":1422,"nodeType":1398},{},[1423],{"data":1424,"content":1425,"nodeType":1294},{},[1426,1429,1438],{"data":1427,"marks":1428,"value":37,"nodeType":1293},{},[],{"data":1430,"content":1432,"nodeType":1338},{"uri":1431},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/system_integrations/description.md",[1433],{"data":1434,"marks":1435,"value":1437,"nodeType":1293},{},[1436],{"type":1336},"SAT1036 - OAuth system integrations ",{"data":1439,"marks":1440,"value":37,"nodeType":1293},{},[],{"data":1442,"content":1443,"nodeType":1398},{},[1444],{"data":1445,"content":1446,"nodeType":1294},{},[1447,1450,1459],{"data":1448,"marks":1449,"value":37,"nodeType":1293},{},[],{"data":1451,"content":1453,"nodeType":1338},{"uri":1452},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/shadow_workflows/description.md",[1454],{"data":1455,"marks":1456,"value":1458,"nodeType":1293},{},[1457],{"type":1336},"SAT1033 - Shadow workflows",{"data":1460,"marks":1461,"value":37,"nodeType":1293},{},[],"unordered-list",{"data":1464,"content":1465,"nodeType":1470},{},[1466],{"data":1467,"marks":1468,"value":1469,"nodeType":1293},{},[],"Why focus on instant messengers?","heading-1",{"data":1472,"content":1473,"nodeType":1294},{},[1474,1479,1488],{"data":1475,"marks":1476,"value":1478,"nodeType":1293},{},[1477],{"type":312},"If you’ve just read the 
",{"data":1480,"content":1483,"nodeType":1362},{"target":1481},{"sys":1482},{"id":1280,"type":1354,"linkType":1355},[1484],{"data":1485,"marks":1486,"value":1361,"nodeType":1293},{},[1487],{"type":312},{"data":1489,"marks":1490,"value":1492,"nodeType":1293},{},[1491],{"type":312},", you can skip this introductory piece and jump straight to the next section.",{"data":1494,"content":1495,"nodeType":1294},{},[1496],{"data":1497,"marks":1498,"value":1499,"nodeType":1293},{},[],"They aren’t new, however, the original focus of IM apps was on internal communication and phishing and social engineering attacks are often external. Email remained the standards-based protocol that enabled external communication no matter what email vendor was in use. In recent years, however, instant messengers (IM) have become the primary method of communication for many businesses. I wanted to focus on IM here because if that’s where employees are communicating, it’s the best place to launch attacks against them. Even better, there’s a history of users placing a higher degree of trust in IM platforms than email, so it becomes a potentially easy target.",{"data":1501,"content":1502,"nodeType":1294},{},[1503],{"data":1504,"marks":1505,"value":1506,"nodeType":1293},{},[],"While IM platforms were initially used solely for internal communications, organizations quickly realized that IM platforms could be used to communicate with external groups, individuals, freelancers, and contractors, with the hope of fewer emails and more instant communications. ",{"data":1508,"content":1509,"nodeType":1294},{},[1510],{"data":1511,"marks":1512,"value":1513,"nodeType":1293},{},[],"We now have Slack Connect and Microsoft Teams external access to support this, with Slack Connect introduced in June 2020 and Teams introducing it in January 2022. 
This external access has increased the attack surface of these platforms considerably.",{"data":1515,"content":1516,"nodeType":1294},{},[1517],{"data":1518,"marks":1519,"value":1520,"nodeType":1293},{},[],"Despite decades of security research, email security appliances and user security training, email-based phishing and social engineering is still commonly successful. Now we have instant messenger platforms with:",{"data":1522,"content":1523,"nodeType":1462},{},[1524,1534,1544],{"data":1525,"content":1526,"nodeType":1398},{},[1527],{"data":1528,"content":1529,"nodeType":1294},{},[1530],{"data":1531,"marks":1532,"value":1533,"nodeType":1293},{},[],"Richer functionality than email, ",{"data":1535,"content":1536,"nodeType":1398},{},[1537],{"data":1538,"content":1539,"nodeType":1294},{},[1540],{"data":1541,"marks":1542,"value":1543,"nodeType":1293},{},[],"Lacking centralized security gateways and other security controls common to email and ",{"data":1545,"content":1546,"nodeType":1398},{},[1547],{"data":1548,"content":1549,"nodeType":1294},{},[1550],{"data":1551,"marks":1552,"value":1553,"nodeType":1293},{},[],"Unfamiliar as a threat vector to your average user compared with email. ",{"data":1555,"content":1556,"nodeType":1294},{},[1557],{"data":1558,"marks":1559,"value":1560,"nodeType":1293},{},[],"There’s also a sense of urgency associated with IM messages due to the conversational nature compared with emails. Combined with a history of increased trust, we have the ingredients for increased social engineering success.",{"data":1562,"content":1563,"nodeType":1294},{},[1564,1568,1577,1581,1590,1594,1603],{"data":1565,"marks":1566,"value":1567,"nodeType":1293},{},[],"There’s been an uptick recently in IM-based phishing research and real-world attacks, particularly for Microsoft Teams. 
For example, check out the ",{"data":1569,"content":1571,"nodeType":1338},{"uri":1570},"https://labs.jumpsec.com/advisory-idor-in-microsoft-teams-allows-for-external-tenants-to-introduce-malware/",[1572],{"data":1573,"marks":1574,"value":1576,"nodeType":1293},{},[1575],{"type":1336},"great research from JumpSec",{"data":1578,"marks":1579,"value":1580,"nodeType":1293},{},[]," on bypassing attachment protection for external Teams messages, the offensive tool ",{"data":1582,"content":1584,"nodeType":1338},{"uri":1583},"https://github.com/Octoberfest7/TeamsPhisher",[1585],{"data":1586,"marks":1587,"value":1589,"nodeType":1293},{},[1588],{"type":1336},"TeamsPhisher",{"data":1591,"marks":1592,"value":1593,"nodeType":1293},{},[]," and attacks distributing ",{"data":1595,"content":1597,"nodeType":1338},{"uri":1596},"https://www.bleepingcomputer.com/news/security/microsoft-teams-phishing-attack-pushes-darkgate-malware/",[1598],{"data":1599,"marks":1600,"value":1602,"nodeType":1293},{},[1601],{"type":1336},"DarkGate malware via Teams",{"data":1604,"marks":1605,"value":1606,"nodeType":1293},{},[],".",{"data":1608,"content":1609,"nodeType":1294},{},[1610],{"data":1611,"marks":1612,"value":1613,"nodeType":1293},{},[],"However, in this article we’ll focus on a few techniques specific to Slack.",{"data":1615,"content":1619,"nodeType":1620},{"target":1616},{"sys":1617},{"id":1618,"type":1354,"linkType":1355},"6iKFd9Qys2SSuNqKVQB7ka",[],"embedded-entry-block",{"data":1622,"content":1623,"nodeType":1470},{},[1624],{"data":1625,"marks":1626,"value":1627,"nodeType":1293},{},[],"Slack apps - spoofing and persistence",{"data":1629,"content":1630,"nodeType":1294},{},[1631,1635,1644],{"data":1632,"marks":1633,"value":1634,"nodeType":1293},{},[],"In the 
",{"data":1636,"content":1639,"nodeType":1362},{"target":1637},{"sys":1638},{"id":1280,"type":1354,"linkType":1355},[1640],{"data":1641,"marks":1642,"value":1361,"nodeType":1293},{},[1643],{"type":1336},{"data":1645,"marks":1646,"value":1647,"nodeType":1293},{},[],", we covered user spoofing and link preview spoofing attacks that can be conducted externally. But do we have any other options available once on the inside that wouldn’t be available to us externally? ",{"data":1649,"content":1650,"nodeType":1294},{},[1651],{"data":1652,"marks":1653,"value":1654,"nodeType":1293},{},[],"What happens if you compromise a Slack account and then want to persist and/or move laterally? Ordinarily, you can maintain access until session expiry or a password change is forced or the account is deactivated/deleted. For further actual impact, you could silently read messages as the user continues to operate their account but if you start sending out malicious links to other targets, in an attempt to move laterally, then the real user is probably going to become aware of the compromise very quickly from seeing the malicious messages in their own chat client.",{"data":1656,"content":1657,"nodeType":1294},{},[1658],{"data":1659,"marks":1660,"value":1661,"nodeType":1293},{},[],"Alternatively, what happens in a situation where a disgruntled employee is let go and their account is terminated? Could they maintain some level of access and use it maliciously?",{"data":1663,"content":1664,"nodeType":1294},{},[1665,1669,1678],{"data":1666,"marks":1667,"value":1668,"nodeType":1293},{},[],"One key feature that some IM apps like Slack have is app integrations to allow bots and other functionality, usually using OAuth under the hood. This allows very useful functionality for users, but also opens up a whole new angle for persistence and spoofing. 
In Slack’s case, its separation of ",{"data":1670,"content":1672,"nodeType":1338},{"uri":1671},"https://api.slack.com/authentication/token-types",[1673],{"data":1674,"marks":1675,"value":1677,"nodeType":1293},{},[1676],{"type":1336},"user tokens and bot tokens",{"data":1679,"marks":1680,"value":1681,"nodeType":1293},{},[]," allows for particularly interesting spoofing and persistence capabilities, which we’ll come to later.",{"data":1683,"content":1684,"nodeType":1294},{},[1685,1689,1700],{"data":1686,"marks":1687,"value":1688,"nodeType":1293},{},[],"We could probably write several posts on OAuth apps alone. In fact, we’ve written about ",{"data":1690,"content":1694,"nodeType":1362},{"target":1691},{"sys":1692},{"id":1693,"type":1354,"linkType":1355},"3QpljiYU9YHEUhd5gsvypj",[1695],{"data":1696,"marks":1697,"value":1699,"nodeType":1293},{},[1698],{"type":1336},"using OAuth for persistence",{"data":1701,"marks":1702,"value":1703,"nodeType":1293},{},[]," more generally before. However, in this case we are going to focus on a couple examples of using a legitimate Slack app maliciously. ",{"data":1705,"content":1706,"nodeType":1294},{},[1707,1711,1722],{"data":1708,"marks":1709,"value":1710,"nodeType":1293},{},[],"In a previous blog post in this series, we spoke about ",{"data":1712,"content":1716,"nodeType":1362},{"target":1713},{"sys":1714},{"id":1715,"type":1354,"linkType":1355},"7ygI4NLJ2zpuiVwAlggkTG",[1717],{"data":1718,"marks":1719,"value":1721,"nodeType":1293},{},[1720],{"type":1336},"shadow workflows",{"data":1723,"marks":1724,"value":1725,"nodeType":1293},{},[]," using SaaS automation apps. We’re going to follow this theme again here and show how they can also be used with Slack. Previously, we used Zapier as our automation app example, but this time we are going to use make.com. 
",{"data":1727,"content":1728,"nodeType":1733},{},[1729],{"data":1730,"marks":1731,"value":1732,"nodeType":1293},{},[],"Persistent spoofing","heading-2",{"data":1735,"content":1736,"nodeType":1294},{},[1737],{"data":1738,"marks":1739,"value":1740,"nodeType":1293},{},[],"We’ll show here how you can connect make.com to a Slack account you control and then maintain persistence, both as that user and partial access even if the account is deactivated or deleted, by using bot tokens. This is especially important in a disgruntled employee scenario as they could use this to maintain some level of access to Slack even if they were fired and had their account deleted. ",{"data":1742,"content":1743,"nodeType":1294},{},[1744],{"data":1745,"marks":1746,"value":1747,"nodeType":1293},{},[],"If we create a make.com account and click to create a new scenario, we can select Slack from the long list of integration possibilities. We’ll then be prompted to pick a specific Slack module. In more complicated scenarios, these can be chained together to take actions on events, but in this case we are going to create a simple scenario with just one module used to send a custom Slack message.",{"data":1749,"content":1753,"nodeType":1620},{"target":1750},{"sys":1751},{"id":1752,"type":1354,"linkType":1355},"2k6NeCNERIL4zx3FtTD97p",[],{"data":1755,"content":1756,"nodeType":1294},{},[1757],{"data":1758,"marks":1759,"value":1760,"nodeType":1293},{},[],"If we select the module “Create a Message” we’ll be prompted to select a Slack connection to use and then fill out the other details for the module. Since we haven’t already created a Slack connection, we’ll be prompted to create a new one. For this module, we have the option of creating either a user token or a bot token. ",{"data":1762,"content":1763,"nodeType":1294},{},[1764],{"data":1765,"marks":1766,"value":1767,"nodeType":1293},{},[],"A user token has full capabilities and will continue to operate in the event of a password change. 
However, if the user account is deactivated or deleted then it will cease to work. In contrast, the bot connection is limited in capabilities compared to a full user token, but the advantage is that it will continue to operate even if the user account is deactivated or deleted.",{"data":1769,"content":1770,"nodeType":1294},{},[1771],{"data":1772,"marks":1773,"value":1774,"nodeType":1293},{},[],"This means gaining even temporary control of a Slack account, either through a user compromise or by being a disgruntled employee (or fired employee), could enable the permanent ability to spoof messages unless the entire app is revoked from Slack. Even with the high bar set by shadow workflows, that’s a pretty epic level of persistence!\n\nSo, we’re going to select the bot token for this example:",{"data":1776,"content":1780,"nodeType":1620},{"target":1777},{"sys":1778},{"id":1779,"type":1354,"linkType":1355},"2Hx4QLlhLoXxoAVN7R72Tm",[],{"data":1782,"content":1786,"nodeType":1620},{"target":1783},{"sys":1784},{"id":1785,"type":1354,"linkType":1355},"6oSc2GzeZh5vUhyKC8viMn",[],{"data":1788,"content":1789,"nodeType":1294},{},[1790,1794,1803],{"data":1791,"marks":1792,"value":1793,"nodeType":1293},{},[],"Now that we’ve finished setting up the bot connection, we can configure the specifics for the module itself. In this case, we’ll demonstrate using it to send the same type of spoofed message we covered in the ",{"data":1795,"content":1798,"nodeType":1362},{"target":1796},{"sys":1797},{"id":1280,"type":1354,"linkType":1355},[1799],{"data":1800,"marks":1801,"value":1361,"nodeType":1293},{},[1802],{"type":1336},{"data":1804,"marks":1805,"value":1806,"nodeType":1293},{},[],", only it’ll be from a bot account. ",{"data":1808,"content":1809,"nodeType":1294},{},[1810],{"data":1811,"marks":1812,"value":1813,"nodeType":1293},{},[],"By default, it’ll use the name and icon of the Slack app, in this case Integromat (Make.com’s former name). 
Alternatively, we can choose to override this, which we will do in this case to mirror the user spoofing attacks we covered earlier. The only difference to a normal user message is there will be a small “APP” icon after the user. ",{"data":1815,"content":1819,"nodeType":1620},{"target":1816},{"sys":1817},{"id":1818,"type":1354,"linkType":1355},"44kvbP0IYSIrp5anRtuVhN",[],{"data":1821,"content":1825,"nodeType":1620},{"target":1822},{"sys":1823},{"id":1824,"type":1354,"linkType":1355},"225FeHRut5kzTuX1n0NDLt",[],{"data":1827,"content":1831,"nodeType":1620},{"target":1828},{"sys":1829},{"id":1830,"type":1354,"linkType":1355},"1c5AcrsoegPrNwrXtdCCaJ",[],{"data":1833,"content":1834,"nodeType":1294},{},[1835],{"data":1836,"marks":1837,"value":1838,"nodeType":1293},{},[],"The other great advantage with this is that it’s difficult to see which user is actually responsible for the spoofing. If a compromised user account is used to send spoofed messages, not only may the real employee see the messages and alert security, but if the messages are investigated by a target or the security team, it’s quick to click on the user and see the real email address associated with the account. 
",{"data":1840,"content":1841,"nodeType":1294},{},[1842,1846,1851],{"data":1843,"marks":1844,"value":1845,"nodeType":1293},{},[],"However, when it’s done with a bot token for an app, ",{"data":1847,"marks":1848,"value":1850,"nodeType":1293},{},[1849],{"type":312},"you can only see the Slack app that was responsible, not the actual user account it originated from",{"data":1852,"marks":1853,"value":1854,"nodeType":1293},{},[],":",{"data":1856,"content":1860,"nodeType":1620},{"target":1857},{"sys":1858},{"id":1859,"type":1354,"linkType":1355},"62F3HPZdrQqBrUDV47pjjL",[],{"data":1862,"content":1866,"nodeType":1620},{"target":1863},{"sys":1864},{"id":1865,"type":1354,"linkType":1355},"7A8Run1271YslWTHNBqhc",[],{"data":1868,"content":1869,"nodeType":1733},{},[1870],{"data":1871,"marks":1872,"value":1873,"nodeType":1293},{},[],"Automated phishing replies",{"data":1875,"content":1876,"nodeType":1294},{},[1877],{"data":1878,"marks":1879,"value":1880,"nodeType":1293},{},[],"Ok, so we’ve just seen how you can internally spoof a message via a Slack app in a way that’s harder to track back to the original compromised user account and also achieve persistence at the same time. Pretty neat! But can we do more?",{"data":1882,"content":1883,"nodeType":1294},{},[1884],{"data":1885,"marks":1886,"value":1887,"nodeType":1293},{},[],"One of the great features of IM apps is the fact they are…well…instant! By making a slightly more sophisticated scenario with make.com, we can monitor public channels for messages that meet certain criteria and then immediately spoof a target phishing link as a reply. 
Phishing where the target is the one to reach out originally is much more likely to be successful as it’s more like a watering hole attack - the phishing message itself won’t be seen as unsolicited.",{"data":1889,"content":1890,"nodeType":1294},{},[1891],{"data":1892,"marks":1893,"value":1894,"nodeType":1293},{},[],"For example, let’s consider a scenario where someone has forgotten their password, or some other common IT support request, and they raise a question on a Slack channel about it. We could monitor for that and automatically respond. ",{"data":1896,"content":1897,"nodeType":1294},{},[1898],{"data":1899,"marks":1900,"value":1901,"nodeType":1293},{},[],"One caveat here is make.com requires we use a user token for the message monitoring part and therefore this attack couldn’t survive a deactivated/deleted Slack user account. However, it will still survive password changes and so is still a useful persistence option too. Additionally, the bot token can still be used for the message sending component in order to mask the source of the attack as above. ",{"data":1903,"content":1907,"nodeType":1620},{"target":1904},{"sys":1905},{"id":1906,"type":1354,"linkType":1355},"4AdugwjwhzK5gdxojpqDwn",[],{"data":1909,"content":1910,"nodeType":1294},{},[1911],{"data":1912,"marks":1913,"value":1914,"nodeType":1293},{},[],"In this case, we have configured a Slack module to watch public channel messages using a user token and apply a filter on those containing the words “password” and “reset”. If that is the case, we then trigger a spoofed threaded reply using the bot token and impersonating an “IT bot” and giving a link to documentation for how to perform a self-service password request. 
",{"data":1916,"content":1917,"nodeType":1294},{},[1918,1922,1930],{"data":1919,"marks":1920,"value":1921,"nodeType":1293},{},[],"This makes use of the same link preview spoofing techniques we covered in the ",{"data":1923,"content":1926,"nodeType":1362},{"target":1924},{"sys":1925},{"id":1280,"type":1354,"linkType":1355},[1927],{"data":1928,"marks":1929,"value":1361,"nodeType":1293},{},[],{"data":1931,"marks":1932,"value":1933,"nodeType":1293},{},[]," and the actual link will present a fake Google login page to harvest credentials.  ",{"data":1935,"content":1939,"nodeType":1620},{"target":1936},{"sys":1937},{"id":1938,"type":1354,"linkType":1355},"6BuFqoDtaUGpz48ANXRDJu",[],{"data":1941,"content":1942,"nodeType":1294},{},[1943],{"data":1944,"marks":1945,"value":1946,"nodeType":1293},{},[],"Here’s a quick video demonstrating this combination of user spoofing, link preview spoofing and a shadow workflow in action:",{"data":1948,"content":1952,"nodeType":1620},{"target":1949},{"sys":1950},{"id":1951,"type":1354,"linkType":1355},"2PYOjiz7DIRKqdYuushsqB",[],{"data":1954,"content":1955,"nodeType":1294},{},[1956],{"data":1957,"marks":1958,"value":1959,"nodeType":1293},{},[],"To summarize, here’s a diagram to show how this all fits together:",{"data":1961,"content":1965,"nodeType":1620},{"target":1962},{"sys":1963},{"id":1964,"type":1354,"linkType":1355},"6BsctEd635MRwcuzpOhx1V",[],{"data":1967,"content":1968,"nodeType":1733},{},[1969],{"data":1970,"marks":1971,"value":1972,"nodeType":1293},{},[],"Multi-party spoofing",{"data":1974,"content":1975,"nodeType":1294},{},[1976],{"data":1977,"marks":1978,"value":1979,"nodeType":1293},{},[],"Another great possibility provided from using Slack apps and bot tokens for spoofing is the ability to spoof inline with existing communications as multiple parties. Ordinarily, if a Slack user kept changing their name, handle and photo for spoofing internally, Slack would change all existing messages to the latest profile data every time. 
That makes it hard to spoof multiple identities in short time windows and so an attacker could only really spoof one person at a time. However, with Slack apps you can inject messages as different people at different points of a conversation using bot tokens.",{"data":1981,"content":1982,"nodeType":1294},{},[1983],{"data":1984,"marks":1985,"value":1986,"nodeType":1293},{},[],"Consider the following example, where I’m using my own internal account to message the CFO about paying a malicious invoice that I have hypothetically raised. Perhaps they then indicate approval is needed from another party, in this case the CEO. Similarly, this might be a common process for access requests requiring manager approval and many other business processes. ",{"data":1988,"content":1989,"nodeType":1294},{},[1990],{"data":1991,"marks":1992,"value":1993,"nodeType":1293},{},[],"In this case, I’m able to quickly spoof a message as another user to act as the approval in a manner that is pretty sneaky. The only giveaway at first glance is the “APP” tag after the spoofed message.",{"data":1995,"content":1999,"nodeType":1620},{"target":1996},{"sys":1997},{"id":1998,"type":1354,"linkType":1355},"0Qrre7ZeVsFu1usSSyNS8",[],{"data":2001,"content":2002,"nodeType":1294},{},[2003],{"data":2004,"marks":2005,"value":2006,"nodeType":1293},{},[],"This is just one example but the ability to spoof multiple identities simultaneously from just one compromised account on what is usually seen as a trusted internal communications system really opens up a ton of possibilities for social engineering attacks focused on lateral movement. 
",{"data":2008,"content":2012,"nodeType":1620},{"target":2009},{"sys":2010},{"id":2011,"type":1354,"linkType":1355},"2y0INxqAi594O7rCAVKhTI",[],{"data":2014,"content":2015,"nodeType":1470},{},[2016],{"data":2017,"marks":2018,"value":2019,"nodeType":1293},{},[],"Impact",{"data":2021,"content":2022,"nodeType":1294},{},[2023],{"data":2024,"marks":2025,"value":2026,"nodeType":1293},{},[],"After two whole posts on attacking Slack, covering both external attacks during the initial access phase and internal attacks in the persistence and lateral movement phases, we’ve covered a serious amount of ground! ",{"data":2028,"content":2029,"nodeType":1294},{},[2030],{"data":2031,"marks":2032,"value":2033,"nodeType":1293},{},[],"It’s worth taking a step back and considering the key impact points:",{"data":2035,"content":2036,"nodeType":1462},{},[2037,2047,2057,2067,2077,2110],{"data":2038,"content":2039,"nodeType":1398},{},[2040],{"data":2041,"content":2042,"nodeType":1294},{},[2043],{"data":2044,"marks":2045,"value":2046,"nodeType":1293},{},[],"IM apps like Slack are now external phishing and social engineering vectors, not just internal ones",{"data":2048,"content":2049,"nodeType":1398},{},[2050],{"data":2051,"content":2052,"nodeType":1294},{},[2053],{"data":2054,"marks":2055,"value":2056,"nodeType":1293},{},[],"User spoofing can be used in novel ways to enhance social engineering that employees may not be familiar with",{"data":2058,"content":2059,"nodeType":1398},{},[2060],{"data":2061,"content":2062,"nodeType":1294},{},[2063],{"data":2064,"marks":2065,"value":2066,"nodeType":1293},{},[],"Link spoofing techniques can make phishing links much harder to spot and so increase social engineering success",{"data":2068,"content":2069,"nodeType":1398},{},[2070],{"data":2071,"content":2072,"nodeType":1294},{},[2073],{"data":2074,"marks":2075,"value":2076,"nodeType":1293},{},[],"Malicious Slack messages can be modified later to replace the phishing link to cover up the 
attack",{"data":2078,"content":2079,"nodeType":1398},{},[2080,2087],{"data":2081,"content":2082,"nodeType":1294},{},[2083],{"data":2084,"marks":2085,"value":2086,"nodeType":1293},{},[],"Slack apps, and especially bot tokens, can be used for very effective persistence techniques. Some examples:",{"data":2088,"content":2089,"nodeType":1462},{},[2090,2100],{"data":2091,"content":2092,"nodeType":1398},{},[2093],{"data":2094,"content":2095,"nodeType":1294},{},[2096],{"data":2097,"marks":2098,"value":2099,"nodeType":1293},{},[],"It’s possible to read all messages even after a compromised user changes their password",{"data":2101,"content":2102,"nodeType":1398},{},[2103],{"data":2104,"content":2105,"nodeType":1294},{},[2106],{"data":2107,"marks":2108,"value":2109,"nodeType":1293},{},[],"It’s possible to send (and spoof) messages even if the compromised user account is deleted (e.g. a disgruntled employee who is fired)",{"data":2111,"content":2112,"nodeType":1398},{},[2113,2120],{"data":2114,"content":2115,"nodeType":1294},{},[2116],{"data":2117,"marks":2118,"value":2119,"nodeType":1293},{},[],"Slack apps and shadow workflows can be used to conduct some fairly advanced social engineering attacks once an attacker has a foothold on a Slack tenant. 
Some examples:",{"data":2121,"content":2122,"nodeType":1462},{},[2123,2133],{"data":2124,"content":2125,"nodeType":1398},{},[2126],{"data":2127,"content":2128,"nodeType":1294},{},[2129],{"data":2130,"marks":2131,"value":2132,"nodeType":1293},{},[],"Automatically phishing employees in response to common IT support questions",{"data":2134,"content":2135,"nodeType":1398},{},[2136],{"data":2137,"content":2138,"nodeType":1294},{},[2139],{"data":2140,"marks":2141,"value":2142,"nodeType":1293},{},[],"Multi-party spoofing for advanced social engineering",{"data":2144,"content":2145,"nodeType":1470},{},[2146],{"data":2147,"marks":2148,"value":2149,"nodeType":1293},{},[],"Conclusion",{"data":2151,"content":2152,"nodeType":1294},{},[2153],{"data":2154,"marks":2155,"value":2156,"nodeType":1293},{},[],"IM apps have become the default internal communication for most organizations now, but are now a common method of communication with external parties, as well. This means they’ll become a key battleground in both the initial access phase of compromises and the latter phases of lateral movement and persistence. ",{"data":2158,"content":2159,"nodeType":1294},{},[2160],{"data":2161,"marks":2162,"value":2163,"nodeType":1293},{},[],"This also means organizations reliant on traditional email security gateways and email-based phishing training are likely to see the effectiveness of these controls decrease if attacks shift to the IM apps. ",{"data":2165,"content":2166,"nodeType":1294},{},[2167],{"data":2168,"marks":2169,"value":2170,"nodeType":1293},{},[],"In this article, we highlighted a number of spoofing, phishing and persistence techniques that can be employed by an attacker with a foothold that has compromised an internal account on a Slack tenant in order to persist their access and perform lateral movement. 
In the previous article, we covered spoofing and phishing techniques that could be used by external attackers in the initial access phase to get that first foothold in the first place.",{"data":2172,"content":2173,"nodeType":1294},{},[2174],{"data":2175,"marks":2176,"value":2177,"nodeType":1293},{},[],"While this article focused on Slack specifically, similar attacks may be possible for other IM apps as well. Going forwards, it will be important for organizations to factor in these types of attacks into their security strategies.","Slack Attack: A phisher's guide to persistence and lateral movement","In this post, we're going to demonstrate how to phish via Slack to gain persistence and move laterally. ","phishing-slack-persistence",{"items":2182},[2183,2185],{"sys":2184,"name":1306},{"id":1305},{"sys":2186,"name":1310},{"id":1309},{"items":2188},[2189],{"fullName":2190,"firstName":2191,"jobTitle":2192,"profilePicture":2193},"Luke Jennings","Luke","Vice President, R&D",{"url":2194},"https://images.ctfassets.net/y1cdw1ablpvd/4Hosb4zKi1dA0PUyDLMe1h/27e09d894861f2196ba794037986fb08/T016S22KZ96-U02NVQM7ZD4-57761d542d83-512.jpeg",{"__typename":1314,"sys":2196,"content":2197,"title":3084,"synopsis":2205,"hashTags":118,"publishedDate":3085,"slug":3086,"tagsCollection":3087,"authorsCollection":3095},{"id":1715},{"json":2198},{"nodeType":1295,"data":2199,"content":2200},{},[2201,2208,2215,2248,2255,2262,2281,2288,2295,2302,2333,2340,2347,2363,2370,2377,2411,2418,2425,2432,2439,2446,2452,2459,2466,2473,2481,2488,2508,2515,2522,2529,2536,2543,2550,2557,2564,2571,2577,2584,2604,2611,2630,2636,2642,2648,2655,2662,2669,2675,2681,2688,2695,2702,2709,2716,2722,2742,2762,2769,2775,2781,2788,2795,2802,2809,2832,2838,2844,2851,2858,2865,2877,2883,2890,2896,2902,2909,2916,2923,2929,2935,2941,2948,3064,3070,3077],{"nodeType":1294,"data":2202,"content":2203},{},[2204],{"nodeType":1293,"value":2205,"marks":2206,"data":2207},"In this article, we’re going to demonstrate how combining two 
of our favorite new SaaS attack techniques makes a simple, but very stealthy persistence approach.",[],{},{"nodeType":1294,"data":2209,"content":2210},{},[2211],{"nodeType":1293,"value":2212,"marks":2213,"data":2214},"—----",[],{},{"nodeType":1294,"data":2216,"content":2217},{},[2218,2222,2229,2233,2244],{"nodeType":1293,"value":2219,"marks":2220,"data":2221},"This is the second post in a series on attack chains formed by combining techniques in the ",[],{},{"nodeType":1338,"data":2223,"content":2224},{"uri":1330},[2225],{"nodeType":1293,"value":1337,"marks":2226,"data":2228},[2227],{"type":1336},{},{"nodeType":1293,"value":2230,"marks":2231,"data":2232},". Last post we wrote about ",[],{},{"nodeType":1362,"data":2234,"content":2238},{"target":2235},{"sys":2236},{"id":2237,"type":1354,"linkType":1355},"3F96pyn4qqkbVctSOH69vm",[2239],{"nodeType":1293,"value":2240,"marks":2241,"data":2243},"SAMLjacking a poisoned tenant",[2242],{"type":1336},{},{"nodeType":1293,"value":2245,"marks":2246,"data":2247},". ",[],{},{"nodeType":1294,"data":2249,"content":2250},{},[2251],{"nodeType":1293,"value":2252,"marks":2253,"data":2254},"This time we’ll be looking at combining shadow workflows with an evil twin integration for an especially sneaky and flexible method of persistence. We’ll be using Zapier integrating with Azure as our primary example. 
",[],{},{"nodeType":1470,"data":2256,"content":2257},{},[2258],{"nodeType":1293,"value":2259,"marks":2260,"data":2261},"What is a shadow workflow?",[],{},{"nodeType":1294,"data":2263,"content":2264},{},[2265,2269,2277],{"nodeType":1293,"value":2266,"marks":2267,"data":2268},"A ",[],{},{"nodeType":1338,"data":2270,"content":2271},{"uri":1452},[2272],{"nodeType":1293,"value":2273,"marks":2274,"data":2276},"shadow workflow ",[2275],{"type":1336},{},{"nodeType":1293,"value":2278,"marks":2279,"data":2280},"is a technique for using SaaS automation apps to provide a code execution-like method for conducting malicious actions from a legitimate source using OAuth integrations. This could be a daily export of files from shared cloud drives, automatic forwarding and deleting of emails, cloning instant messages, exporting user directories — basically anything that is possible using the target app’s API. ",[],{},{"nodeType":1294,"data":2282,"content":2283},{},[2284],{"nodeType":1293,"value":2285,"marks":2286,"data":2287},"The fact automation apps utilize OAuth integrations means they also function as a very effective method of maintaining persistence. Think of shadow workflows as the offensive PowerShell of the SaaS world. ",[],{},{"nodeType":1470,"data":2289,"content":2290},{},[2291],{"nodeType":1293,"value":2292,"marks":2293,"data":2294},"What’s an evil twin integration?",[],{},{"nodeType":1294,"data":2296,"content":2297},{},[2298],{"nodeType":1293,"value":2299,"marks":2300,"data":2301},"Creating a new OAuth integration, even if using a legitimate SaaS application, could be viewed as suspicious if seen by a security team or the affected user. This is especially true if an account compromise is discovered and an IR team sees a consent for a new OAuth integration in the log that the compromised user does not recognize. 
",[],{},{"nodeType":1294,"data":2303,"content":2304},{},[2305,2309,2318,2322,2329],{"nodeType":1293,"value":2306,"marks":2307,"data":2308},"An ",[],{},{"nodeType":1338,"data":2310,"content":2312},{"uri":2311},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/evil_twin_integrations/description.md",[2313],{"nodeType":1293,"value":2314,"marks":2315,"data":2317},"evil twin integration",[2316],{"type":1336},{},{"nodeType":1293,"value":2319,"marks":2320,"data":2321},", however, reduces the chances of discovery by reusing an existing ",[],{},{"nodeType":1293,"value":2323,"marks":2324,"data":2328},"legitimate",[2325,2326],{"type":312},{"type":2327},"bold",{},{"nodeType":1293,"value":2330,"marks":2331,"data":2332}," integration for malicious purposes.",[],{},{"nodeType":1470,"data":2334,"content":2335},{},[2336],{"nodeType":1293,"value":2337,"marks":2338,"data":2339},"What’s the benefit of combining them?",[],{},{"nodeType":1294,"data":2341,"content":2342},{},[2343],{"nodeType":1293,"value":2344,"marks":2345,"data":2346},"While shadow workflows are incredibly powerful on their own, as malicious use of OAuth integrations becomes more common, security teams will start regularly checking for new, or unknown, integrations in response to security incidents. While automation apps are legitimate SaaS services, shadow workflow attacks could still raise question marks during incident response if it’s connected shortly after a compromise and/or if the affected user has no knowledge of it. ",[],{},{"nodeType":1294,"data":2348,"content":2349},{},[2350,2354,2359],{"nodeType":1293,"value":2351,"marks":2352,"data":2353},"Additionally, as use of security tools that ",[],{},{"nodeType":1293,"value":2355,"marks":2356,"data":2358},"provide visibility of OAuth integrations",[2357],{"type":1336},{},{"nodeType":1293,"value":2360,"marks":2361,"data":2362}," (check out our product) increases, it will become increasingly dangerous for an adversary to create a new OAuth integration. 
That’s because the target user and possibly even security teams may be notified.",[],{},{"nodeType":1294,"data":2364,"content":2365},{},[2366],{"nodeType":1293,"value":2367,"marks":2368,"data":2369},"This leads us on to evil twin integrations. Their power is in making use of existing integrations so they can avoid appearing as a new integration and getting flagged or sending alerts to security teams. That makes them much stealthier and increases the likelihood of a successful attack. ",[],{},{"nodeType":1294,"data":2371,"content":2372},{},[2373],{"nodeType":1293,"value":2374,"marks":2375,"data":2376},"There are three possibilities here that lead to two different levels of stealth for the attack:",[],{},{"nodeType":2378,"data":2379,"content":2380},"ordered-list",{},[2381,2391,2401],{"nodeType":1398,"data":2382,"content":2383},{},[2384],{"nodeType":1294,"data":2385,"content":2386},{},[2387],{"nodeType":1293,"value":2388,"marks":2389,"data":2390},"Medium stealth option: Making use of an automation app used legitimately by the organization, but not by the target user, specifically",[],{},{"nodeType":1398,"data":2392,"content":2393},{},[2394],{"nodeType":1294,"data":2395,"content":2396},{},[2397],{"nodeType":1293,"value":2398,"marks":2399,"data":2400},"High stealth option 1: Making use of an automation app used legitimately by the target user themselves",[],{},{"nodeType":1398,"data":2402,"content":2403},{},[2404],{"nodeType":1294,"data":2405,"content":2406},{},[2407],{"nodeType":1293,"value":2408,"marks":2409,"data":2410},"High stealth option 2: Making use of an automation app that has been granted admin consent",[],{},{"nodeType":1733,"data":2412,"content":2413},{},[2414],{"nodeType":1293,"value":2415,"marks":2416,"data":2417},"Medium stealth option: Pre-existing use by organization",[],{},{"nodeType":1294,"data":2419,"content":2420},{},[2421],{"nodeType":1293,"value":2422,"marks":2423,"data":2424},"This option is by far the most likely option to be applicable in a 
real-world situation. Here’s how it works:",[],{},{"nodeType":1294,"data":2426,"content":2427},{},[2428],{"nodeType":1293,"value":2429,"marks":2430,"data":2431},"The consent for the targeted user will be new and will generate an audit event to show that, but the integration itself will not be new inside the organization and may even be formally approved by the security team already. This will help evade general detection mechanisms as it won’t be seen as a brand new integration at the organization level that requires careful scrutiny. It’s much harder to evaluate new consents on a per-user basis for existing integrations if the organization is of any significant size.",[],{},{"nodeType":1294,"data":2433,"content":2434},{},[2435],{"nodeType":1293,"value":2436,"marks":2437,"data":2438},"The downside, however, is that this attack stands a greater chance of detection if notifications are delivered directly to the affected user. Alternatively, if the original compromise is discovered, incident responders are more likely to discover this consent during an investigation. 
That’s because the affected user would know they aren’t using the automation app and incident responders are likely to explore logs showing consents to new OAuth integrations and permissions shortly after a successful compromise.",[],{},{"nodeType":1294,"data":2440,"content":2441},{},[2442],{"nodeType":1293,"value":2443,"marks":2444,"data":2445},"Using Azure as an example, while no new service principal is created in this case, the audit logs still show a new consent for the targeted user to the existing Zapier app: ",[],{},{"nodeType":1620,"data":2447,"content":2451},{"target":2448},{"sys":2449},{"id":2450,"type":1354,"linkType":1355},"7m0E0sOulc348jhQguQLb1",[],{"nodeType":1733,"data":2453,"content":2454},{},[2455],{"nodeType":1293,"value":2456,"marks":2457,"data":2458},"High stealth option 1: Pre-existing use by targeted user",[],{},{"nodeType":1294,"data":2460,"content":2461},{},[2462],{"nodeType":1293,"value":2463,"marks":2464,"data":2465},"This is the holy grail option, but is likely to require more luck in the real world. It requires that the target user is already using an automation app, which the adversary could compromise and utilize. If the compromised user has already consented to permissions useful to the adversary, such as access to sensitive data like email and file stores, then new malicious workflows can be created without requiring the user to consent to new permissions. ",[],{},{"nodeType":1294,"data":2467,"content":2468},{},[2469],{"nodeType":1293,"value":2470,"marks":2471,"data":2472},"Consequently, there will be no new integration observed at the organization level, no new user-specific consents for sensitive permissions and the target user would indicate they’re just using a legitimate app if questioned by incident responders. 
",[],{},{"nodeType":1294,"data":2474,"content":2475},{},[2476],{"nodeType":1293,"value":2477,"marks":2478,"data":2480},"None of the three audit log entries shown above would be present in this scenario either.",[2479],{"type":2327},{},{"nodeType":1733,"data":2482,"content":2483},{},[2484],{"nodeType":1293,"value":2485,"marks":2486,"data":2487},"High stealth option 2: Azure admin consented app",[],{},{"nodeType":1294,"data":2489,"content":2490},{},[2491,2495,2504],{"nodeType":1293,"value":2492,"marks":2493,"data":2494},"There is a mixed scenario when permissions for an automation app (or any app you want to use for an evil twin integration) have been granted tenant-wide ",[],{},{"nodeType":1338,"data":2496,"content":2498},{"uri":2497},"https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/user-admin-consent-overview#admin-consent",[2499],{"nodeType":1293,"value":2500,"marks":2501,"data":2503},"admin consent in Azure",[2502],{"type":1336},{},{"nodeType":1293,"value":2505,"marks":2506,"data":2507},". In this case, the administrator has effectively consented to permissions for all users, even if they aren’t currently active users of the app. ",[],{},{"nodeType":1294,"data":2509,"content":2510},{},[2511],{"nodeType":1293,"value":2512,"marks":2513,"data":2514},"This means when a new user integrates the app, it does not generate a new permission grant since it is effectively already granted. Consequently, the three log entries shown above would not be present in this scenario even if integrating the app for a user that has never used it before.",[],{},{"nodeType":1294,"data":2516,"content":2517},{},[2518],{"nodeType":1293,"value":2519,"marks":2520,"data":2521},"This gives the best level of flexibility for an adversary as they can avoid generating new permission grant logs for any user. 
However, it's not quite as stealthy as when the targeted user already makes use of the app as there is no history of legitimate app logins or activity for the user prior to the compromise to blend in with.",[],{},{"nodeType":1470,"data":2523,"content":2524},{},[2525],{"nodeType":1293,"value":2526,"marks":2527,"data":2528},"An example attack - Zapier",[],{},{"nodeType":1294,"data":2530,"content":2531},{},[2532],{"nodeType":1293,"value":2533,"marks":2534,"data":2535},"In this case, we’re going to use Zapier as our automation app example and Azure as the primary target for integrations and there will be no admin consent involved. We’ll also be using Google Workspace for data exfiltration. There are many other examples we could have used here, though - Make.com, IFTTT, Retool, Tines, Microsoft Power Automate and many other SaaS apps have powerful automation and integration capabilities and could be used for similar purposes. ",[],{},{"nodeType":1294,"data":2537,"content":2538},{},[2539],{"nodeType":1293,"value":2540,"marks":2541,"data":2542},"Azure and Google Workspace are also obvious juicy targets for integrations, but automation apps support integrations with vast numbers of other SaaS applications, so there are many possible targets.",[],{},{"nodeType":1294,"data":2544,"content":2545},{},[2546],{"nodeType":1293,"value":2547,"marks":2548,"data":2549},"So, let’s say we’ve compromised a target user’s Azure account. Perhaps we have conducted a successful credential stuffing attack, a phishing attack including MFA code proxying or even achieved a traditional endpoint compromise and have stolen the user’s session tokens.",[],{},{"nodeType":1294,"data":2551,"content":2552},{},[2553],{"nodeType":1293,"value":2554,"marks":2555,"data":2556},"Whatever the case, we have temporary control of the user’s account, either until the session expires or the user changes their password. 
If the original compromise is detected, that could happen quickly, so we want to conduct some malicious actions to make use of the access while we have it and to also gain persistence so we maintain our access beyond a password change.",[],{},{"nodeType":1294,"data":2558,"content":2559},{},[2560],{"nodeType":1293,"value":2561,"marks":2562,"data":2563},"We want to use an automation app, but we’d prefer to be as stealthy as possible by also making it an evil twin integration. We’d like to see if the target user has existing integrations with any apps we’d like to use - especially an automation app for that high stealth option we mentioned above. ",[],{},{"nodeType":1294,"data":2565,"content":2566},{},[2567],{"nodeType":1293,"value":2568,"marks":2569,"data":2570},"We’ve created a video demo of the full attack below. A step by step write up with more detail then follows:",[],{},{"nodeType":1620,"data":2572,"content":2576},{"target":2573},{"sys":2574},{"id":2575,"type":1354,"linkType":1355},"E1ZHBcjGLZAno0SRtJ3d3",[],{"nodeType":1470,"data":2578,"content":2579},{},[2580],{"nodeType":1293,"value":2581,"marks":2582,"data":2583},"Step 1 - Enumerating potential targets",[],{},{"nodeType":1294,"data":2585,"content":2586},{},[2587,2591,2600],{"nodeType":1293,"value":2588,"marks":2589,"data":2590},"We could perform something as simple as an email search for evidence of sign-ups, but that won’t necessarily show us if actual OAuth integrations have been configured and what permissions are in use. 
What we really need is a way to perform an ",[],{},{"nodeType":1338,"data":2592,"content":2594},{"uri":2593},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/oauth_token_enumeration/description.md",[2595],{"nodeType":1293,"value":2596,"marks":2597,"data":2599},"OAuth token enumeration",[2598],{"type":1336},{},{"nodeType":1293,"value":2601,"marks":2602,"data":2603}," attack.",[],{},{"nodeType":1733,"data":2605,"content":2606},{},[2607],{"nodeType":1293,"value":2608,"marks":2609,"data":2610},"The first method: myapps.microsoft.com",[],{},{"nodeType":1294,"data":2612,"content":2613},{},[2614,2618,2626],{"nodeType":1293,"value":2615,"marks":2616,"data":2617},"Make use of ",[],{},{"nodeType":1338,"data":2619,"content":2621},{"uri":2620},"https://myapps.microsoft.com",[2622],{"nodeType":1293,"value":2620,"marks":2623,"data":2625},[2624],{"type":1336},{},{"nodeType":1293,"value":2627,"marks":2628,"data":2629}," to see which apps are listed and which permissions have been granted. 
We can see Zapier is in use and the user has granted it access to their email and files, making it a great target.",[],{},{"nodeType":1620,"data":2631,"content":2635},{"target":2632},{"sys":2633},{"id":2634,"type":1354,"linkType":1355},"6dDez7xRZjliEJR6DAkWHa",[],{"nodeType":1620,"data":2637,"content":2641},{"target":2638},{"sys":2639},{"id":2640,"type":1354,"linkType":1355},"7M0imWv4n3z1RYQu3AdMF5",[],{"nodeType":1620,"data":2643,"content":2647},{"target":2644},{"sys":2645},{"id":2646,"type":1354,"linkType":1355},"3fwFBK03tc5g064k0IyADO",[],{"nodeType":1733,"data":2649,"content":2650},{},[2651],{"nodeType":1293,"value":2652,"marks":2653,"data":2654},"The second method: Microsoft’s graph API",[],{},{"nodeType":1294,"data":2656,"content":2657},{},[2658],{"nodeType":1293,"value":2659,"marks":2660,"data":2661},"\nMicrosoft’s graph API doesn’t make it possible to list out service principals without admin permissions, but you can enumerate individual OAuth permission grants and app role assignments for your own user account. ",[],{},{"nodeType":1294,"data":2663,"content":2664},{},[2665],{"nodeType":1293,"value":2666,"marks":2667,"data":2668},"The client ID listed for permission grants is actually the tenant-specific service principal ID, rather than the globally unique OAuth app ID, but the app role assignments call gives us the app display name. We can match up the IDs from the app role assignments with the OAuth permission grants to see which permissions have been granted to the given app. 
",[],{},{"nodeType":1620,"data":2670,"content":2674},{"target":2671},{"sys":2672},{"id":2673,"type":1354,"linkType":1355},"519mlRMbaZYBAVdSADwop7",[],{"nodeType":1620,"data":2676,"content":2680},{"target":2677},{"sys":2678},{"id":2679,"type":1354,"linkType":1355},"3g4WBQBEvqx5mXXnZzZzUG",[],{"nodeType":1470,"data":2682,"content":2683},{},[2684],{"nodeType":1293,"value":2685,"marks":2686,"data":2687},"Step 2 - Create shadow workflows",[],{},{"nodeType":1294,"data":2689,"content":2690},{},[2691],{"nodeType":1293,"value":2692,"marks":2693,"data":2694},"Ok, so we’ve figured out the user already makes use of Zapier and they’ve even already granted access to their email and files - that’s a juicy target we can’t turn down! So the next step is to create our own malicious workflows, or shadow workflows if you will, to get Zapier to do our dirty work for us.",[],{},{"nodeType":1294,"data":2696,"content":2697},{},[2698],{"nodeType":1293,"value":2699,"marks":2700,"data":2701},"First of all, we’ll see if we can scope out the user’s existing Zapier account to better understand the setup. Then we’ll create a new Zapier account and link it to the target user’s account that we’ve compromised. 
Here’s how that would work:",[],{},{"nodeType":1733,"data":2703,"content":2704},{},[2705],{"nodeType":1293,"value":2706,"marks":2707,"data":2708},"Scope out the existing Zapier account",[],{},{"nodeType":1294,"data":2710,"content":2711},{},[2712],{"nodeType":1293,"value":2713,"marks":2714,"data":2715},"If the user uses SSO or social logins then we can login directly and, since we now control their Azure account, we can just log directly into their Zapier account!",[],{},{"nodeType":1620,"data":2717,"content":2721},{"target":2718},{"sys":2719},{"id":2720,"type":1354,"linkType":1355},"5IgmxUEm6n19OBL1cSZVkr",[],{"nodeType":1294,"data":2723,"content":2724},{},[2725,2729,2738],{"nodeType":1293,"value":2726,"marks":2727,"data":2728},"Alternatively, if they have created a standard password account, then we might already know the password if it’s the same used for their Azure account. Otherwise, we could potentially make use of an ",[],{},{"nodeType":1338,"data":2730,"content":2732},{"uri":2731},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/account_recovery/description.md",[2733],{"nodeType":1293,"value":2734,"marks":2735,"data":2737},"account recovery",[2736],{"type":1336},{},{"nodeType":1293,"value":2739,"marks":2740,"data":2741}," attack to gain access.",[],{},{"nodeType":1294,"data":2743,"content":2744},{},[2745,2749,2758],{"nodeType":1293,"value":2746,"marks":2747,"data":2748},"Once we have logged into their account, we can see their existing workflows and integrations. Technically, we could backdoor these or create new ones - a form of an ",[],{},{"nodeType":1338,"data":2750,"content":2752},{"uri":2751},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/abuse_existing_oauth_integrations/description.md",[2753],{"nodeType":1293,"value":2754,"marks":2755,"data":2757},"abuse existing OAuth integrations",[2756],{"type":1336},{},{"nodeType":1293,"value":2759,"marks":2760,"data":2761}," attack. 
However, that runs the risk of the user discovering our shadow workflows and also almost certainly being locked out of the account during the next password change. ",[],{},{"nodeType":1294,"data":2763,"content":2764},{},[2765],{"nodeType":1293,"value":2766,"marks":2767,"data":2768},"Instead, we can stick to an evil twin integration from our own Zapier account, which we’ll create later.",[],{},{"nodeType":1620,"data":2770,"content":2774},{"target":2771},{"sys":2772},{"id":2773,"type":1354,"linkType":1355},"2vhyTcVLq27QVa2HFFWBhH",[],{"nodeType":1620,"data":2776,"content":2780},{"target":2777},{"sys":2778},{"id":2779,"type":1354,"linkType":1355},"3jPSdBPSQgigA4yKK1udCV",[],{"nodeType":1294,"data":2782,"content":2783},{},[2784],{"nodeType":1293,"value":2785,"marks":2786,"data":2787},"Now we can see what the user was actually using Zapier for — they’ve set up an integration with both Outlook and OneDrive so they can forward emails related to their business expenses to a folder in their OneDrive. Probably a time-saving hack, which we can take advantage of since it won’t be unusual to see Zapier regularly accessing their Outlook and OneDrive. That means our attack will be extra stealthy.",[],{},{"nodeType":1733,"data":2789,"content":2790},{},[2791],{"nodeType":1293,"value":2792,"marks":2793,"data":2794},"Create our own malicious Zapier account",[],{},{"nodeType":1294,"data":2796,"content":2797},{},[2798],{"nodeType":1293,"value":2799,"marks":2800,"data":2801},"Given in this case we, at least temporarily, control the user’s Azure account there is nothing stopping us connecting this to our own malicious Zapier account completely separately from the user’s legitimate Zapier account. 
We then maintain full control over the Zapier account and the user will not be able to discover our shadow workflows as they won’t have any knowledge of our Zapier account: ",[],{},{"nodeType":1294,"data":2803,"content":2804},{},[2805],{"nodeType":1293,"value":2806,"marks":2807,"data":2808},"Let’s create our own shadow workflows:",[],{},{"nodeType":1462,"data":2810,"content":2811},{},[2812,2822],{"nodeType":1398,"data":2813,"content":2814},{},[2815],{"nodeType":1294,"data":2816,"content":2817},{},[2818],{"nodeType":1293,"value":2819,"marks":2820,"data":2821},"One that sends every new OneDrive file to our own separate Google Drive account. This allows us to maintain a complete view of the user’s files into the future. ",[],{},{"nodeType":1398,"data":2823,"content":2824},{},[2825],{"nodeType":1294,"data":2826,"content":2827},{},[2828],{"nodeType":1293,"value":2829,"marks":2830,"data":2831},"And one to forward every new Outlook email to our own GMail account.",[],{},{"nodeType":1620,"data":2833,"content":2837},{"target":2834},{"sys":2835},{"id":2836,"type":1354,"linkType":1355},"6eK8uNjPnkrfVjgFzl03SM",[],{"nodeType":1620,"data":2839,"content":2843},{"target":2840},{"sys":2841},{"id":2842,"type":1354,"linkType":1355},"6xJvuS374tbflAoNmhnqYP",[],{"nodeType":1294,"data":2845,"content":2846},{},[2847],{"nodeType":1293,"value":2848,"marks":2849,"data":2850},"We can now see we are logged in with a separate GMail account, but have created shadow workflows to forward emails from the user’s Outlook to our GMail account and harvest files from their OneDrive to our Google Drive.",[],{},{"nodeType":1294,"data":2852,"content":2853},{},[2854],{"nodeType":1293,"value":2855,"marks":2856,"data":2857},"The major benefit of creating our own Zapier account for an evil twin integration is that once we are locked out of the target user’s account via a password change or otherwise, not only do our existing shadow workflows continue to operate via OAuth, but we are able to create new shadow 
workflows and reuse the existing OAuth connections. That’s the power of having full control of the Zapier account. ",[],{},{"nodeType":1294,"data":2859,"content":2860},{},[2861],{"nodeType":1293,"value":2862,"marks":2863,"data":2864},"One small downside to this approach is that connecting the OAuth integrations from a new Zapier account generates an interactive login event to Zapier’s OAuth apps from the adversary’s IP address. Because the user has already consented to all the relevant permissions for Zapier’s own OAuth apps, there are no audit logs for new consents or applications - just the login event itself. ",[],{},{"nodeType":1294,"data":2866,"content":2867},{},[2868,2872],{"nodeType":1293,"value":2869,"marks":2870,"data":2871},"However, determining that a successful login to an app a user legitimately uses is actually malicious is extremely difficult to build generic detection logic for. That sign-in event does still carry the adversary’s IP address, location and user agent alongside the Zapier application name, so unfamiliar-location or unfamiliar-device sign-in detections (and Conditional Access policies scoped to the app) are the realistic hook for catching this step.   ",[],{},{"nodeType":1293,"value":2873,"marks":2874,"data":2876}," ",[2875],{"type":312},{},{"nodeType":1620,"data":2878,"content":2882},{"target":2879},{"sys":2880},{"id":2881,"type":1354,"linkType":1355},"1oZBtlL8rNl7TjmfJqRjUG",[],{"nodeType":1294,"data":2884,"content":2885},{},[2886],{"nodeType":1293,"value":2887,"marks":2888,"data":2889},"Beyond the initial login events, the only evidence of malicious activity in the future will be from the activity logs showing the actions conducted by our shadow workflows every time they are triggered to run. 
For example, the following screenshots show that the Zapier Todo app (ClientAppId 29246358-1970-4d6d-bc75-acf34edc758b) has been seen both uploading a file and downloading a file: \n",[],{},{"nodeType":1620,"data":2891,"content":2895},{"target":2892},{"sys":2893},{"id":2894,"type":1354,"linkType":1355},"2vYOSilB5W05aIHw2ZKqdC",[],{"nodeType":1620,"data":2897,"content":2901},{"target":2898},{"sys":2899},{"id":2900,"type":1354,"linkType":1355},"2fFwrdFO25BwY4vI7EKMA0",[],{"nodeType":1294,"data":2903,"content":2904},{},[2905],{"nodeType":1293,"value":2906,"marks":2907,"data":2908},"The file upload in this case relates to the legitimate workflow and the file download relates to the shadow workflow. The IP addresses relate to Zapier’s legitimate infrastructure so really only a very thorough and specific investigation is going to be able to uncover that one of these events is malicious.",[],{},{"nodeType":1470,"data":2910,"content":2911},{},[2912],{"nodeType":1293,"value":2913,"marks":2914,"data":2915},"Step 3 - Profit",[],{},{"nodeType":1294,"data":2917,"content":2918},{},[2919],{"nodeType":1293,"value":2920,"marks":2921,"data":2922},"Now we just need to sit back and let our shadow workflows do the work for us, 24/7 and from Zapier’s infrastructure via a legitimate OAuth integration. 
Here we can see files the user created in OneDrive and emails they received in Outlook mirrored to our own GMail and Google Drive via the magic of shadow workflows.",[],{},{"nodeType":1620,"data":2924,"content":2928},{"target":2925},{"sys":2926},{"id":2927,"type":1354,"linkType":1355},"4lJBrdJLEVnhBUjgtGo8T1",[],{"nodeType":1620,"data":2930,"content":2934},{"target":2931},{"sys":2932},{"id":2933,"type":1354,"linkType":1355},"azQ3IO0n4Idih5LDwOogV",[],{"nodeType":1470,"data":2936,"content":2937},{},[2938],{"nodeType":1293,"value":2019,"marks":2939,"data":2940},[],{},{"nodeType":1294,"data":2942,"content":2943},{},[2944],{"nodeType":1293,"value":2945,"marks":2946,"data":2947},"Ok, we’ve covered a lot of ground here so it’s worth taking a step back and considering the key impact points of this attack chain:",[],{},{"nodeType":1462,"data":2949,"content":2950},{},[2951,2961,2971,2981,2991,3044,3054],{"nodeType":1398,"data":2952,"content":2953},{},[2954],{"nodeType":1294,"data":2955,"content":2956},{},[2957],{"nodeType":1293,"value":2958,"marks":2959,"data":2960},"An adversary who has gained (temporary) access to a user account that supports OAuth integrations can use shadow workflows to execute malicious actions and to maintain persistence",[],{},{"nodeType":1398,"data":2962,"content":2963},{},[2964],{"nodeType":1294,"data":2965,"content":2966},{},[2967],{"nodeType":1293,"value":2968,"marks":2969,"data":2970},"This access will continue even if the user changes their password or resets MFA",[],{},{"nodeType":1398,"data":2972,"content":2973},{},[2974],{"nodeType":1294,"data":2975,"content":2976},{},[2977],{"nodeType":1293,"value":2978,"marks":2979,"data":2980},"Not only do existing shadow workflows continue to work after password changes, an adversary can continue to create new ones and reuse the existing 
integrations.",[],{},{"nodeType":1398,"data":2982,"content":2983},{},[2984],{"nodeType":1294,"data":2985,"content":2986},{},[2987],{"nodeType":1293,"value":2988,"marks":2989,"data":2990},"Any relevant logs will show access via legitimate IP addresses and OAuth integrations for SaaS automation apps ",[],{},{"nodeType":1398,"data":2992,"content":2993},{},[2994,3001],{"nodeType":1294,"data":2995,"content":2996},{},[2997],{"nodeType":1293,"value":2998,"marks":2999,"data":3000},"Automation apps are so flexible that an adversary can do pretty much anything - it’s basically the offensive PowerShell of the SaaS world. Just some examples:",[],{},{"nodeType":1462,"data":3002,"content":3003},{},[3004,3014,3024,3034],{"nodeType":1398,"data":3005,"content":3006},{},[3007],{"nodeType":1294,"data":3008,"content":3009},{},[3010],{"nodeType":1293,"value":3011,"marks":3012,"data":3013},"Monitor all emails and files the user creates",[],{},{"nodeType":1398,"data":3015,"content":3016},{},[3017],{"nodeType":1294,"data":3018,"content":3019},{},[3020],{"nodeType":1293,"value":3021,"marks":3022,"data":3023},"Delete email security alerts before the user sees them",[],{},{"nodeType":1398,"data":3025,"content":3026},{},[3027],{"nodeType":1294,"data":3028,"content":3029},{},[3030],{"nodeType":1293,"value":3031,"marks":3032,"data":3033},"Intercept password reset and passwordless login emails to access other apps",[],{},{"nodeType":1398,"data":3035,"content":3036},{},[3037],{"nodeType":1294,"data":3038,"content":3039},{},[3040],{"nodeType":1293,"value":3041,"marks":3042,"data":3043},"Monitor instant messaging apps and use it to send targeted internal social engineering emails",[],{},{"nodeType":1398,"data":3045,"content":3046},{},[3047],{"nodeType":1294,"data":3048,"content":3049},{},[3050],{"nodeType":1293,"value":3051,"marks":3052,"data":3053},"If targeted users are already using automation apps legitimately, it’s even more stealthy - you won’t even see any new integrations or permission 
grants appear as the user will have already granted these legitimately.",[],{},{"nodeType":1398,"data":3055,"content":3056},{},[3057],{"nodeType":1294,"data":3058,"content":3059},{},[3060],{"nodeType":1293,"value":3061,"marks":3062,"data":3063},"If admin consent has been granted to the automation app, any user can be targeted without generating new permission grant logs even if they have never used the app.",[],{},{"nodeType":1470,"data":3065,"content":3066},{},[3067],{"nodeType":1293,"value":2149,"marks":3068,"data":3069},[],{},{"nodeType":1294,"data":3071,"content":3072},{},[3073],{"nodeType":1293,"value":3074,"marks":3075,"data":3076},"We have seen how two new SaaS-focused attack techniques can be combined into one more effective attack chain - in this case, a particularly nasty and stealthy persistence technique. This shows how even if a user compromise is detected very early, with password and MFA resets immediately issued, adversaries can retain access to the account’s data regardless, because the persistence lives in the OAuth grant rather than in the user’s credentials. Containment therefore has to include revoking the user’s refresh tokens and OAuth permission grants for the automation app (and reviewing the workflows configured in that app), not just resetting the password and MFA.",[],{},{"nodeType":1294,"data":3078,"content":3079},{},[3080],{"nodeType":1293,"value":3081,"marks":3082,"data":3083},"This shows how even legitimate SaaS applications have incredibly powerful offensive use cases and very careful attention needs to be paid to integrations with highly sensitive permissions, even when they are approved and vetted applications. 
Incident response teams especially need to be well aware of these techniques when investigating potential user account compromises as persistence approaches can extend much further than endpoint implants and stolen passwords.",[],{},"The shadow workflow’s evil twin: A nearly invisible attack chain","2023-09-11T00:00:00.000Z","nearly-invisible-attack-chain",{"items":3088},[3089,3091],{"sys":3090,"name":1306},{"id":1305},{"sys":3092,"name":3094},{"id":3093},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"items":3096},[3097],{"fullName":2190,"firstName":2191,"jobTitle":2192,"profilePicture":3098},{"url":2194},{"__typename":1314,"sys":3100,"content":3101,"title":2240,"synopsis":3556,"hashTags":118,"publishedDate":3557,"slug":3558,"tagsCollection":3559,"authorsCollection":3565},{"id":2237},{"json":3102},{"data":3103,"content":3104,"nodeType":1295},{},[3105,3123,3130,3137,3144,3163,3170,3189,3195,3202,3209,3216,3223,3230,3237,3257,3264,3271,3277,3284,3291,3298,3304,3310,3316,3323,3330,3336,3343,3350,3357,3363,3370,3377,3384,3391,3398,3404,3411,3418,3424,3431,3438,3444,3450,3457,3522,3529,3535,3542,3549],{"data":3106,"content":3107,"nodeType":1294},{},[3108,3112,3119],{"data":3109,"marks":3110,"value":3111,"nodeType":1293},{},[],"We published the ",{"data":3113,"content":3114,"nodeType":1338},{"uri":1330},[3115],{"data":3116,"marks":3117,"value":1337,"nodeType":1293},{},[3118],{"type":1336},{"data":3120,"marks":3121,"value":3122,"nodeType":1293},{},[]," on GitHub, which is an open-source research project to demonstrate the multitude of attacks that are possible against SaaS-native and hybrid SaaS organizations. On release day it contained 38 different techniques. ",{"data":3124,"content":3125,"nodeType":1294},{},[3126],{"data":3127,"marks":3128,"value":3129,"nodeType":1293},{},[],"However, we know it’s not just individual attack techniques and the phases of the cyber kill chain that matter - it’s also how you chain attacks together. 
Two lower risk vulnerabilities chained together could be a critical issue.",{"data":3131,"content":3132,"nodeType":1294},{},[3133],{"data":3134,"marks":3135,"value":3136,"nodeType":1293},{},[],"In this article, we’re going to demonstrate that by combining two of our favorite new SaaS attack techniques, poisoned tenants and SAMLjacking, you can make a simple, but effective attack chain.",{"data":3138,"content":3139,"nodeType":1470},{},[3140],{"data":3141,"marks":3142,"value":3143,"nodeType":1293},{},[],"What is a poisoned tenant?",{"data":3145,"content":3146,"nodeType":1294},{},[3147,3150,3159],{"data":3148,"marks":3149,"value":37,"nodeType":1293},{},[],{"data":3151,"content":3153,"nodeType":1338},{"uri":3152},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/poisoned_tenants/description.md",[3154],{"data":3155,"marks":3156,"value":3158,"nodeType":1293},{},[3157],{"type":1336},"Poisoned tenants",{"data":3160,"marks":3161,"value":3162,"nodeType":1293},{},[]," involve an adversary registering a tenant for a SaaS app they control and tricking target users to join it, often using built-in invite functionality. 
The end goal is to have some target users actively using a tenant you (as the adversary) control.",{"data":3164,"content":3165,"nodeType":1470},{},[3166],{"data":3167,"marks":3168,"value":3169,"nodeType":1293},{},[],"What the hell is SAMLjacking?",{"data":3171,"content":3172,"nodeType":1294},{},[3173,3176,3185],{"data":3174,"marks":3175,"value":37,"nodeType":1293},{},[],{"data":3177,"content":3179,"nodeType":1338},{"uri":3178},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/samljacking/description.md",[3180],{"data":3181,"marks":3182,"value":3184,"nodeType":1293},{},[3183],{"type":1336},"SAMLjacking",{"data":3186,"marks":3187,"value":3188,"nodeType":1293},{},[]," is where an attacker makes use of SAML SSO configuration settings for a SaaS tenant they control in order to redirect users to a malicious link of their choosing during the authentication process. This can be highly effective for phishing as the original URL will be a legitimate SaaS URL and users are expecting to provide credentials.",{"data":3190,"content":3191,"nodeType":1470},{},[3192],{"data":3193,"marks":3194,"value":2337,"nodeType":1293},{},[],{"data":3196,"content":3197,"nodeType":1294},{},[3198],{"data":3199,"marks":3200,"value":3201,"nodeType":1293},{},[],"A poisoned tenant on its own could be an epic supply chain attack if you get really lucky. Imagine discovering an organization was wanting to migrate to Slack and then catching some key teams with a Slack poisoned tenant and gradually getting the whole organization migrated over. You’d have a goldmine of information as an administrator of the platform.",{"data":3203,"content":3204,"nodeType":1294},{},[3205],{"data":3206,"marks":3207,"value":3208,"nodeType":1293},{},[],"However, it might be hard to trick a whole organization into using an attacker controlled slack instance without anyone realizing, but it could be a lot easier to successfully invite e.g. 
a marketing team into using/adopting a new marketing app that helps them do SEO. This might be easier to perform, but it doesn't really give the attacker valuable data in the poisoned tenant of the marketing app, so it seems a bit pointless.",{"data":3210,"content":3211,"nodeType":1294},{},[3212],{"data":3213,"marks":3214,"value":3215,"nodeType":1293},{},[],"On the other hand, what about SAMLjacking? It’s a great technique on its own, but you still need to get users to login to the app. Sure, you’ll be sending them a legitimate SaaS URL with a valid TLS certificate etc and so it’s going to pass the sniff test for many people and also bypass email security appliances and similar security tools. However, you’re still effectively phishing them for credentials, the one thing we train users to be most suspicious about, so there is still a possibility they will spot the attack. ",{"data":3217,"content":3218,"nodeType":1294},{},[3219],{"data":3220,"marks":3221,"value":3222,"nodeType":1293},{},[],"But what if you could combine these techniques so that a poisoned tenant didn’t need to be a big, juicy target to be useful and a SAMLjacking attack didn’t even necessarily require phishing someone directly? What if the attack could be successful just from a target accessing their own bookmarks or open tabs for an app they already use?",{"data":3224,"content":3225,"nodeType":1294},{},[3226],{"data":3227,"marks":3228,"value":3229,"nodeType":1293},{},[],"In a combination scenario, a user doesn't need to be phished for SAMLjacking. One day they go back to their tab and it's logged out and they get SAMLjacked while logging back in. They don't have to click a link in an email. 
That’s what we are talking about here, so let’s consider an example of this making use of the SaaS-based wiki, Nuclino.",{"data":3231,"content":3232,"nodeType":1470},{},[3233],{"data":3234,"marks":3235,"value":3236,"nodeType":1293},{},[],"An example attack - Nuclino",{"data":3238,"content":3239,"nodeType":1294},{},[3240,3244,3253],{"data":3241,"marks":3242,"value":3243,"nodeType":1293},{},[],"Before moving on, I’d just like to point out that this isn’t a vulnerability with ",{"data":3245,"content":3247,"nodeType":1338},{"uri":3246},"https://www.nuclino.com/",[3248],{"data":3249,"marks":3250,"value":3252,"nodeType":1293},{},[3251],{"type":1336},"Nuclino",{"data":3254,"marks":3255,"value":3256,"nodeType":1293},{},[]," per se and it won’t be limited to Nuclino either. I’ve used Nuclino as an example because it’s a great wiki platform we use at Push Security, so I’m familiar with it. ",{"data":3258,"content":3259,"nodeType":1294},{},[3260],{"data":3261,"marks":3262,"value":3263,"nodeType":1293},{},[],"It also allows custom SAML authentication, both as part of its free trial and as part of its lowest tier paid plan. This should be commended as many SaaS apps don’t support SAML or other forms of SSO, and many of those that do charge a huge premium via enterprise plans to gain access to it. We love you Nuclino, sorry!",{"data":3265,"content":3266,"nodeType":1294},{},[3267],{"data":3268,"marks":3269,"value":3270,"nodeType":1293},{},[],"We'll take a walkthrough of how the attack chain works now. 
However, if you'd like to jump straight to a demo of the attack then checkout the video here:",{"data":3272,"content":3276,"nodeType":1620},{"target":3273},{"sys":3274},{"id":3275,"type":1354,"linkType":1355},"3y6ZMPPsbh6PYlQ7IOxOzS",[],{"data":3278,"content":3279,"nodeType":1294},{},[3280],{"data":3281,"marks":3282,"value":3283,"nodeType":1293},{},[],"Next, we'll do a full walkthrough of the attack.",{"data":3285,"content":3286,"nodeType":1733},{},[3287],{"data":3288,"marks":3289,"value":3290,"nodeType":1293},{},[],"Step 1 - Setup a poisoned tenant and invite target users",{"data":3292,"content":3293,"nodeType":1294},{},[3294],{"data":3295,"marks":3296,"value":3297,"nodeType":1293},{},[],"The first step for an adversary is to set up their poisoned tenant and then make use of the invite functionality to target some employees of the target organization. With Nuclino, you can either do this by sending sharing links directly to the target or invite them through the Nuclino app, and it will send out legit email invitations on your behalf.",{"data":3299,"content":3303,"nodeType":1620},{"target":3300},{"sys":3301},{"id":3302,"type":1354,"linkType":1355},"740nQhGSFp2nFU1b4DP7Mp",[],{"data":3305,"content":3309,"nodeType":1620},{"target":3306},{"sys":3307},{"id":3308,"type":1354,"linkType":1355},"4GFL1L7Mmp3nnBODwC9SbH",[],{"data":3311,"content":3315,"nodeType":1620},{"target":3312},{"sys":3313},{"id":3314,"type":1354,"linkType":1355},"7KUWKFFlDyvBVoM3MEhPwR",[],{"data":3317,"content":3318,"nodeType":1733},{},[3319],{"data":3320,"marks":3321,"value":3322,"nodeType":1293},{},[],"Step 2 - Target responds to the invitation or later signs up for Nuclino",{"data":3324,"content":3325,"nodeType":1294},{},[3326],{"data":3327,"marks":3328,"value":3329,"nodeType":1293},{},[],"The interesting thing here is that whether the target signs up for Nuclino directly from the joining link or they sign up for an account separately in future, they get mapped to the workspace they have been 
invited to by default.",{"data":3331,"content":3335,"nodeType":1620},{"target":3332},{"sys":3333},{"id":3334,"type":1354,"linkType":1355},"2GlTHcT1cpQ44jb5lN9dr4",[],{"data":3337,"content":3338,"nodeType":1733},{},[3339],{"data":3340,"marks":3341,"value":3342,"nodeType":1293},{},[],"Step 3 - Configure a malicious SAML server",{"data":3344,"content":3345,"nodeType":1294},{},[3346],{"data":3347,"marks":3348,"value":3349,"nodeType":1293},{},[],"Once the adversary has a critical mass of users on their poisoned tenant, they can later engage the SAMLjacking attack. ",{"data":3351,"content":3352,"nodeType":1294},{},[3353],{"data":3354,"marks":3355,"value":3356,"nodeType":1293},{},[],"To do this, they need to configure a custom SAML server. You can point this to a fake authentication provider they control that mirrors the appearance of the SSO provider the target users are accustomed to using in order to capture credentials.",{"data":3358,"content":3362,"nodeType":1620},{"target":3359},{"sys":3360},{"id":3361,"type":1354,"linkType":1355},"1RbhUTZd5Ak4UvjiZhub4V",[],{"data":3364,"content":3365,"nodeType":1294},{},[3366],{"data":3367,"marks":3368,"value":3369,"nodeType":1293},{},[],"If you toggle the setting to require SSO, existing users will be sent emails prompting them to link their accounts to SSO. That leads to two possible paths to a user compromise.",{"data":3371,"content":3372,"nodeType":1470},{},[3373],{"data":3374,"marks":3375,"value":3376,"nodeType":1293},{},[],"Paths to user compromise ",{"data":3378,"content":3379,"nodeType":1733},{},[3380],{"data":3381,"marks":3382,"value":3383,"nodeType":1293},{},[],"The first possibility",{"data":3385,"content":3386,"nodeType":1294},{},[3387],{"data":3388,"marks":3389,"value":3390,"nodeType":1293},{},[],"This compromise occurs when the target sees the email that SSO has been configured and clicks the link in order to link their account to SSO. 
A smart adversary may improve the social engineering quality with an email sent out in advance informing users that the internal security team has requested Nuclino be linked to SSO. This makes the target expect the email and consider it legitimate. ",{"data":3392,"content":3393,"nodeType":1294},{},[3394],{"data":3395,"marks":3396,"value":3397,"nodeType":1293},{},[],"Even though the email is an official email from Nuclino and the link contained is an official Nuclino URL, it will immediately redirect to the malicious SAML server that has been configured, where credentials can then be captured.",{"data":3399,"content":3403,"nodeType":1620},{"target":3400},{"sys":3401},{"id":3402,"type":1354,"linkType":1355},"6zWiAfBx7aaUeo6t04AtUl",[],{"data":3405,"content":3406,"nodeType":1733},{},[3407],{"data":3408,"marks":3409,"value":3410,"nodeType":1293},{},[],"Second compromise possibility",{"data":3412,"content":3413,"nodeType":1294},{},[3414],{"data":3415,"marks":3416,"value":3417,"nodeType":1293},{},[],"If the user ignores the email, the other potential outcome occurs when their session expires and they need to login again to regain access. This is similar to a watering hole attack. When their session expires, the target’s open tabs or bookmarks will redirect back to the workspace specific login page, which will now look like this:",{"data":3419,"content":3423,"nodeType":1620},{"target":3420},{"sys":3421},{"id":3422,"type":1354,"linkType":1355},"580CvVtdyEpqdiK8T1lSfQ",[],{"data":3425,"content":3426,"nodeType":1294},{},[3427],{"data":3428,"marks":3429,"value":3430,"nodeType":1293},{},[],"Clicking the button to login with SSO will immediately redirect to the malicious SAML server and launch the attack. 
Alternatively, if the target attempts to log in without SSO, the login will fail with an error message telling them to log in with SSO.
",{"data":3491,"content":3493,"nodeType":1338},{"uri":3492},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/passwordless_logins/description.md",[3494],{"data":3495,"marks":3496,"value":3498,"nodeType":1293},{},[3497],{"type":1336},"passwordless logins",{"data":3500,"marks":3501,"value":37,"nodeType":1293},{},[],{"data":3503,"content":3504,"nodeType":1398},{},[3505],{"data":3506,"content":3507,"nodeType":1294},{},[3508,3512,3519],{"data":3509,"marks":3510,"value":3511,"nodeType":1293},{},[],"Access other SaaS apps via email ",{"data":3513,"content":3514,"nodeType":1338},{"uri":2731},[3515],{"data":3516,"marks":3517,"value":2734,"nodeType":1293},{},[3518],{"type":1336},{"data":3520,"marks":3521,"value":37,"nodeType":1293},{},[],{"data":3523,"content":3524,"nodeType":1294},{},[3525],{"data":3526,"marks":3527,"value":3528,"nodeType":1293},{},[],"Essentially, this can potentially lead to a compromise of every SaaS application accessible by the compromised user - all from the use of a poisoned tenant for an app with no particularly sensitive data or permissions.",{"data":3530,"content":3531,"nodeType":1733},{},[3532],{"data":3533,"marks":3534,"value":2149,"nodeType":1293},{},[],{"data":3536,"content":3537,"nodeType":1294},{},[3538],{"data":3539,"marks":3540,"value":3541,"nodeType":1293},{},[],"We have seen how two new SaaS-focused attack techniques can be combined into one more effective attack chain. This shows how a successful poisoned tenant attack for even a low risk app can still be a significant threat when combined with a SAMLjacking attack. ",{"data":3543,"content":3544,"nodeType":1294},{},[3545],{"data":3546,"marks":3547,"value":3548,"nodeType":1293},{},[],"This demonstrates even the least sensitive edge cases of SaaS sprawl can represent a vector to laterally move to compromise much more valuable assets. History taught us that protecting core production assets was not enough. 
Adversaries often achieved compromises via test systems and unsecured development resources. What we are seeing now is that this parallel exists in the SaaS-native world too. Therefore, we need to be protecting all SaaS resources with greater vigilance than their standalone sensitivity would indicate.",{"data":3550,"content":3551,"nodeType":1294},{},[3552],{"data":3553,"marks":3554,"value":3555,"nodeType":1293},{},[],"So what can be done about it? Well, like much in security, there is no silver bullet solution to this issue. SaaS apps are here to stay and are designed to be flexible, easy to sign up for and use. The key first step is always to get good visibility into the SaaS sprawl across your organization. If certain employees or teams start making use of a new SaaS app (or a new tenant for an existing one), that’s probably something your security team should be aware of so they can make sure it’s legitimate and being used as securely as possible. ","In this article, we’re going to demo combining two of our favorite new SaaS attack techniques to make a simple, but effective attack 
chain.\n","2023-08-17T00:00:00.000Z","samljacking-a-poisoned-tenant",{"items":3560},[3561,3563],{"sys":3562,"name":1306},{"id":1305},{"sys":3564,"name":3094},{"id":3093},{"items":3566},[3567],{"fullName":2190,"firstName":2191,"jobTitle":2192,"profilePicture":3568},{"url":2194},{"items":3570},[3571],{"fullName":2190,"firstName":2191,"jobTitle":2192,"profilePicture":3572},{"url":2194},{"json":3574,"links":4311},{"data":3575,"content":3576,"nodeType":1295},{},[3577,3607,3614,3655,3662,3681,3687,3693,3699,3705,3711,3741,3747,3783,3789,3794,3801,3808,3815,3822,3829,3835,3842,3849,3856,3863,3869,3876,3883,3890,3897,3904,3910,3916,3923,3930,3955,3962,3969,3976,3983,3989,3995,4002,4008,4015,4022,4029,4035,4042,4049,4056,4063,4072,4084,4090,4097,4104,4110,4116,4123,4130,4137,4144,4151,4157,4164,4170,4177,4184,4191,4197,4203,4210,4249,4255,4261,4268,4275,4281,4300,4305],{"data":3578,"content":3579,"nodeType":1294},{},[3580,3584,3591,3594,3604],{"data":3581,"marks":3582,"value":3583,"nodeType":1293},{},[],"This is the third post in a series on attack chains formed by combining techniques in the ",{"data":3585,"content":3586,"nodeType":1338},{"uri":1330},[3587],{"data":3588,"marks":3589,"value":1337,"nodeType":1293},{},[3590],{"type":1336},{"data":3592,"marks":3593,"value":2230,"nodeType":1293},{},[],{"data":3595,"content":3598,"nodeType":1362},{"target":3596},{"sys":3597},{"id":1715,"type":1354,"linkType":1355},[3599],{"data":3600,"marks":3601,"value":3603,"nodeType":1293},{},[3602],{"type":1336},"shadow workflows and evil twin integrations.",{"data":3605,"marks":3606,"value":37,"nodeType":1293},{},[],{"data":3608,"content":3609,"nodeType":1294},{},[3610],{"data":3611,"marks":3612,"value":3613,"nodeType":1293},{},[],"In this article, we’ll demonstrate how instant messaging applications are an increasingly attractive target for a range of phishing and social engineering attacks. 
We’ll use the following SaaS attack techniques chained together:",{"data":3615,"content":3616,"nodeType":1462},{},[3617,3636],{"data":3618,"content":3619,"nodeType":1398},{},[3620],{"data":3621,"content":3622,"nodeType":1294},{},[3623,3626,3633],{"data":3624,"marks":3625,"value":37,"nodeType":1293},{},[],{"data":3627,"content":3628,"nodeType":1338},{"uri":1388},[3629],{"data":3630,"marks":3631,"value":1394,"nodeType":1293},{},[3632],{"type":1336},{"data":3634,"marks":3635,"value":37,"nodeType":1293},{},[],{"data":3637,"content":3638,"nodeType":1398},{},[3639],{"data":3640,"content":3641,"nodeType":1294},{},[3642,3645,3652],{"data":3643,"marks":3644,"value":37,"nodeType":1293},{},[],{"data":3646,"content":3647,"nodeType":1338},{"uri":1410},[3648],{"data":3649,"marks":3650,"value":1416,"nodeType":1293},{},[3651],{"type":1336},{"data":3653,"marks":3654,"value":37,"nodeType":1293},{},[],{"data":3656,"content":3657,"nodeType":1294},{},[3658],{"data":3659,"marks":3660,"value":3661,"nodeType":1293},{},[],"We’ll use Slack as our primary example in this case and we’ll be primarily focused on external phishing as part of the initial access phase of the kill chain. 
",{"data":3663,"content":3664,"nodeType":1294},{},[3665,3668,3677],{"data":3666,"marks":3667,"value":1634,"nodeType":1293},{},[],{"data":3669,"content":3672,"nodeType":1362},{"target":3670},{"sys":3671},{"id":1316,"type":1354,"linkType":1355},[3673],{"data":3674,"marks":3675,"value":3676,"nodeType":1293},{},[],"companion article",{"data":3678,"marks":3679,"value":3680,"nodeType":1293},{},[],", we’ll look at how once an attacker has a foothold on Slack, new attack possibilities open up that allow for persistence and lateral movement to be achieved.",{"data":3682,"content":3683,"nodeType":1470},{},[3684],{"data":3685,"marks":3686,"value":1469,"nodeType":1293},{},[],{"data":3688,"content":3689,"nodeType":1294},{},[3690],{"data":3691,"marks":3692,"value":1499,"nodeType":1293},{},[],{"data":3694,"content":3695,"nodeType":1294},{},[3696],{"data":3697,"marks":3698,"value":1506,"nodeType":1293},{},[],{"data":3700,"content":3701,"nodeType":1294},{},[3702],{"data":3703,"marks":3704,"value":1513,"nodeType":1293},{},[],{"data":3706,"content":3707,"nodeType":1294},{},[3708],{"data":3709,"marks":3710,"value":1520,"nodeType":1293},{},[],{"data":3712,"content":3713,"nodeType":1462},{},[3714,3723,3732],{"data":3715,"content":3716,"nodeType":1398},{},[3717],{"data":3718,"content":3719,"nodeType":1294},{},[3720],{"data":3721,"marks":3722,"value":1533,"nodeType":1293},{},[],{"data":3724,"content":3725,"nodeType":1398},{},[3726],{"data":3727,"content":3728,"nodeType":1294},{},[3729],{"data":3730,"marks":3731,"value":1543,"nodeType":1293},{},[],{"data":3733,"content":3734,"nodeType":1398},{},[3735],{"data":3736,"content":3737,"nodeType":1294},{},[3738],{"data":3739,"marks":3740,"value":1553,"nodeType":1293},{},[],{"data":3742,"content":3743,"nodeType":1294},{},[3744],{"data":3745,"marks":3746,"value":1560,"nodeType":1293},{},[],{"data":3748,"content":3749,"nodeType":1294},{},[3750,3753,3760,3763,3770,3773,3780],{"data":3751,"marks":3752,"value":1567,"nodeType":1293},{},[],{"data":3754,"c
ontent":3755,"nodeType":1338},{"uri":1570},[3756],{"data":3757,"marks":3758,"value":1576,"nodeType":1293},{},[3759],{"type":1336},{"data":3761,"marks":3762,"value":1580,"nodeType":1293},{},[],{"data":3764,"content":3765,"nodeType":1338},{"uri":1583},[3766],{"data":3767,"marks":3768,"value":1589,"nodeType":1293},{},[3769],{"type":1336},{"data":3771,"marks":3772,"value":1593,"nodeType":1293},{},[],{"data":3774,"content":3775,"nodeType":1338},{"uri":1596},[3776],{"data":3777,"marks":3778,"value":1602,"nodeType":1293},{},[3779],{"type":1336},{"data":3781,"marks":3782,"value":1606,"nodeType":1293},{},[],{"data":3784,"content":3785,"nodeType":1294},{},[3786],{"data":3787,"marks":3788,"value":1613,"nodeType":1293},{},[],{"data":3790,"content":3793,"nodeType":1620},{"target":3791},{"sys":3792},{"id":1618,"type":1354,"linkType":1355},[],{"data":3795,"content":3796,"nodeType":1470},{},[3797],{"data":3798,"marks":3799,"value":3800,"nodeType":1293},{},[],"IM user spoofing",{"data":3802,"content":3803,"nodeType":1294},{},[3804],{"data":3805,"marks":3806,"value":3807,"nodeType":1293},{},[],"The first consideration is the spoofing aspect. We’ve all seen techniques for spoofing emails, but there are many security controls like Sender Policy Framework (SPF) that can prevent direct spoofing of domains and email security gateways that can flag suspicious domains.",{"data":3809,"content":3810,"nodeType":1294},{},[3811],{"data":3812,"marks":3813,"value":3814,"nodeType":1293},{},[],"Those security controls don’t exist for IM, so we have new options for spoofing.",{"data":3816,"content":3817,"nodeType":1733},{},[3818],{"data":3819,"marks":3820,"value":3821,"nodeType":1293},{},[],"External IM invites",{"data":3823,"content":3824,"nodeType":1294},{},[3825],{"data":3826,"marks":3827,"value":3828,"nodeType":1293},{},[],"IM applications often make use of friendly display names for organization and employee names as well as user-chosen handles. These often don’t need to be unique either. 
Consider the following Slack Connect request:",{"data":3830,"content":3834,"nodeType":1620},{"target":3831},{"sys":3832},{"id":3833,"type":1354,"linkType":1355},"7MEljb1f6XzNRBEbOSsQXi",[],{"data":3836,"content":3837,"nodeType":1294},{},[3838],{"data":3839,"marks":3840,"value":3841,"nodeType":1293},{},[],"It’s not easy for a target user to tell if the user or organization requesting to connect is legitimate when they first receive this invitation. There’s also a curiosity incentive - you can’t see a first message from the user, so it’s tempting for the target user to accept in order to see the message, even if they then ignore it.",{"data":3843,"content":3844,"nodeType":1294},{},[3845],{"data":3846,"marks":3847,"value":3848,"nodeType":1293},{},[],"However, once an attacker has got a first connection, they have cleared the first hurdle. They can now launch attacks in future, not just attacks immediately following a successful connection, after the target user has forgotten they ever connected with the attacker (more on this later).",{"data":3850,"content":3851,"nodeType":1733},{},[3852],{"data":3853,"marks":3854,"value":3855,"nodeType":1293},{},[],"Spoofing an internal user",{"data":3857,"content":3858,"nodeType":1294},{},[3859],{"data":3860,"marks":3861,"value":3862,"nodeType":1293},{},[],"What’s more, there’s nothing stopping an external attacker from impersonating internal users/employees too. 
This is especially a concern if an attacker can social engineer their way into being invited into a channel.",{"data":3864,"content":3868,"nodeType":1620},{"target":3865},{"sys":3866},{"id":3867,"type":1354,"linkType":1355},"5TaP25v80xMkA5e33yFIfX",[],{"data":3870,"content":3871,"nodeType":1294},{},[3872],{"data":3873,"marks":3874,"value":3875,"nodeType":1293},{},[],"While this particular example is less likely to be successful in a small channel, it’s much more of a concern if they change their user identity to replicate an internal employee or teammate and then direct message a member of the channel. DMing an individual channel member doesn’t require a new Slack connect invite so it’s much easier for an unsuspecting target to fall victim to social engineering in this way. ",{"data":3877,"content":3878,"nodeType":1733},{},[3879],{"data":3880,"marks":3881,"value":3882,"nodeType":1293},{},[],"Chameleon attack",{"data":3884,"content":3885,"nodeType":1294},{},[3886],{"data":3887,"marks":3888,"value":3889,"nodeType":1293},{},[],"A particularly interesting external attack capability is that an attacker can act as a chameleon and change their identity over time. Let’s say an external attacker achieves a successful connection with a potential target as an external entity. Maybe they exchange some innocuous communications and then leave the conversation to die. Perhaps the target even has Slack message retention settings enabled that delete the chat history after 90 days.",{"data":3891,"content":3892,"nodeType":1294},{},[3893],{"data":3894,"marks":3895,"value":3896,"nodeType":1293},{},[],"The attacker bides their time and then in the future, they completely change their Slack identity to impersonate an internal user and message the target again. The connection is already present so the message will come through like any other message, only this time it will appear from a completely different identity. 
It’s quite possible that the target could be fooled into believing the message is from the internal user. ",{"data":3898,"content":3899,"nodeType":1294},{},[3900],{"data":3901,"marks":3902,"value":3903,"nodeType":1293},{},[],"This could be particularly dangerous in CEO fraud attacks. An attacker could forge connections with finance employees ahead of time for seemingly legitimate and innocuous means and then later use those to send Slack messages spoofing the CEO.",{"data":3905,"content":3909,"nodeType":1620},{"target":3906},{"sys":3907},{"id":3908,"type":1354,"linkType":1355},"51TYXiOwQw0D6BYCzu0em4",[],{"data":3911,"content":3915,"nodeType":1620},{"target":3912},{"sys":3913},{"id":3914,"type":1354,"linkType":1355},"6ZQ6iFu11NnXOP4EMAgxji",[],{"data":3917,"content":3918,"nodeType":1294},{},[3919],{"data":3920,"marks":3921,"value":3922,"nodeType":1293},{},[],"All the examples given so far are possible as an external attacker making Slack connect invites, so they work as the initial access phase of the kill chain. However, if an attacker gains control of an internal Slack user account for the target tenant, or the attacker is a malicious insider (e.g. a disgruntled employee), then they don’t even need to worry about achieving an initial connection request. Under a default configuration, they could change their name and photo to impersonate the CEO immediately and message anyone they like. However, this is moving into the lateral movement phase of the kill chain.",{"data":3924,"content":3925,"nodeType":1470},{},[3926],{"data":3927,"marks":3928,"value":3929,"nodeType":1293},{},[],"Link preview spoofing",{"data":3931,"content":3932,"nodeType":1294},{},[3933,3937,3942,3946,3951],{"data":3934,"marks":3935,"value":3936,"nodeType":1293},{},[],"Another key issue is link preview spoofing. HTML allows a variety of ways to specify hyperlinks. 
In email, secure email gateways will often alert or block commonly abused types, such as forging a different URL as the link display text to what the underlying link points to. For example, an attacker could show the link as ",{"data":3938,"marks":3939,"value":3941,"nodeType":1293},{},[3940],{"type":1336},"https://www.google.com",{"data":3943,"marks":3944,"value":3945,"nodeType":1293},{},[]," but direct it to ",{"data":3947,"marks":3948,"value":3950,"nodeType":1293},{},[3949],{"type":1336},"https://www.evil.com",{"data":3952,"marks":3953,"value":3954,"nodeType":1293},{},[]," when it is clicked. Secure email gateways often perform a lot of other analysis of links, including domain analysis and active crawling to identify common phishing attacks.",{"data":3956,"content":3957,"nodeType":1294},{},[3958],{"data":3959,"marks":3960,"value":3961,"nodeType":1293},{},[],"On IM applications, however, this same standard of link analysis is not always present and the widespread introduction of link unfurling/previewing has also given additional options for spoofing links to hide their true source and increase social engineering success. 
",{"data":3963,"content":3964,"nodeType":1733},{},[3965],{"data":3966,"marks":3967,"value":3968,"nodeType":1293},{},[],"Traditional link forging",{"data":3970,"content":3971,"nodeType":1294},{},[3972],{"data":3973,"marks":3974,"value":3975,"nodeType":1293},{},[],"We’ll start with a common traditional link forging scenario to see how Slack handles that, then show how link previews change the threat.",{"data":3977,"content":3978,"nodeType":1294},{},[3979],{"data":3980,"marks":3981,"value":3982,"nodeType":1293},{},[],"Here, we can see forging a link is permitted by Slack, but at least the real domain is shown to the user along with an overt warning.",{"data":3984,"content":3988,"nodeType":1620},{"target":3985},{"sys":3986},{"id":3987,"type":1354,"linkType":1355},"3SDhqamQqXLfFqD8W1b37V",[],{"data":3990,"content":3994,"nodeType":1620},{"target":3991},{"sys":3992},{"id":3993,"type":1354,"linkType":1355},"5yfDUdZ4F6zrp7AGnMGD5b",[],{"data":3996,"content":3997,"nodeType":1294},{},[3998],{"data":3999,"marks":4000,"value":4001,"nodeType":1293},{},[],"On the other hand, if we use friendly text to mask the true URL, we no longer get a warning when clicking the link. However, it’s still possible to see the real URL via a mouseover, so this doesn’t really differ from traditional email phishing scenarios. Without any context of the link, it’s likely a security conscious user will hover-over to see what the link points to.",{"data":4003,"content":4007,"nodeType":1620},{"target":4004},{"sys":4005},{"id":4006,"type":1354,"linkType":1355},"3KCRJ9HIJimLX9vzJVHq1C",[],{"data":4009,"content":4010,"nodeType":1733},{},[4011],{"data":4012,"marks":4013,"value":4014,"nodeType":1293},{},[],"Abusing link previews using an internal account ",{"data":4016,"content":4017,"nodeType":1294},{},[4018],{"data":4019,"marks":4020,"value":4021,"nodeType":1293},{},[],"It gets more interesting when we use links that Slack is able to unfurl to provide a link preview. 
We’re going to show how this works with full link previews first. By default, full previews only show for messages from internal users. To make the explanation easier, we’ll show full previews first but then we’ll show the difference with limited previews in external messages afterwards and thus show how it impacts external phishing attacks in the initial access phase.",{"data":4023,"content":4024,"nodeType":1294},{},[4025],{"data":4026,"marks":4027,"value":4028,"nodeType":1293},{},[],"Here we’ll show a legitimate example of posting one of our own blogs where Slack helpfully unfurls the URL and gives some context to the link as a preview:",{"data":4030,"content":4034,"nodeType":1620},{"target":4031},{"sys":4032},{"id":4033,"type":1354,"linkType":1355},"7nknMRtdXGlupYom31kKor",[],{"data":4036,"content":4037,"nodeType":1294},{},[4038],{"data":4039,"marks":4040,"value":4041,"nodeType":1293},{},[],"This is very useful for the user and, despite the fact you can still see the real link clearly via a hover-over, a user is much less likely to check a link when they’ve already had a seemingly legitimate preview context displayed to them. ",{"data":4043,"content":4044,"nodeType":1294},{},[4045],{"data":4046,"marks":4047,"value":4048,"nodeType":1293},{},[],"So, how can we use this scenario maliciously?",{"data":4050,"content":4051,"nodeType":1294},{},[4052],{"data":4053,"marks":4054,"value":4055,"nodeType":1293},{},[],"The obvious attack scenario is to minimize the link display text so it’s not noticeable and hard to hover-over and then forge a different link preview for Slack than what is given to the user when they click the link. Then when the user clicks the link, they’ll be directed to our phishing page instead. ",{"data":4057,"content":4058,"nodeType":1294},{},[4059],{"data":4060,"marks":4061,"value":4062,"nodeType":1293},{},[],"We can do this through using a single character as the link display text and then performing user agent specific processing of web requests. 
For example, Slack unfurling uses a user agent like the following:",{"data":4064,"content":4065,"nodeType":1294},{},[4066],{"data":4067,"marks":4068,"value":4071,"nodeType":1293},{},[4069],{"type":4070},"code","Slackbot-LinkExpanding 1.0 (+https://api.slack.com/robots)",{"data":4073,"content":4074,"nodeType":1294},{},[4075,4079],{"data":4076,"marks":4077,"value":4078,"nodeType":1293},{},[],"Therefore, without even requiring much sophistication, we can use some simple python code to perform a redirect to a legitimate source when our web request handler sees this user agent. However, when a target user visits using a normal web browser we instead return a malicious page. The example python code below redirects to benign content for a Slack preview, while serving malicious content otherwise:",{"data":4080,"marks":4081,"value":4083,"nodeType":1293},{},[4082],{"type":2327},"    ",{"data":4085,"content":4089,"nodeType":1620},{"target":4086},{"sys":4087},{"id":4088,"type":1354,"linkType":1355},"4VHFyInQfa3tdvJO4rnnQL",[],{"data":4091,"content":4092,"nodeType":1294},{},[4093],{"data":4094,"marks":4095,"value":4096,"nodeType":1293},{},[],"The end result of this is that the user sees a nice friendly link preview legitimately produced by Slack and Google Docs in real time, whereas if they click the link they’ll be taken to our phishing page instead. ",{"data":4098,"content":4099,"nodeType":1294},{},[4100],{"data":4101,"marks":4102,"value":4103,"nodeType":1293},{},[],"In this case, we have shown a Google style phishing page as an example for harvesting credentials. Hopefully, the user will assume their Google Docs session expired and then re-enter their credentials. 
See what the target user would see below:",{"data":4105,"content":4109,"nodeType":1620},{"target":4106},{"sys":4107},{"id":4108,"type":1354,"linkType":1355},"3QaFhW1otbJpzMI9ff5R4F",[],{"data":4111,"content":4115,"nodeType":1620},{"target":4112},{"sys":4113},{"id":4114,"type":1354,"linkType":1355},"6ZFu92OSmI7miSGz8QwwtV",[],{"data":4117,"content":4118,"nodeType":1294},{},[4119],{"data":4120,"marks":4121,"value":4122,"nodeType":1293},{},[],"Using a small period as the display text for the hyperlink means it is difficult for the user to notice and hover-over to see Slack pop-up the true domain as we saw earlier. While they can still hover over the link preview itself, this only shows the real domain in the taskbar in the bottom left, which is only noticeable if you intentionally look for it. ",{"data":4124,"content":4125,"nodeType":1294},{},[4126],{"data":4127,"marks":4128,"value":4129,"nodeType":1293},{},[],"Given normal links in Slack show the domain above the mouse, users aren’t used to looking for the link here and, combined with the friendly link preview, it’s much less likely a target user will realize this is a phishing attack.",{"data":4131,"content":4132,"nodeType":1733},{},[4133],{"data":4134,"marks":4135,"value":4136,"nodeType":1293},{},[],"Abusing link previews with an external account ",{"data":4138,"content":4139,"nodeType":1294},{},[4140],{"data":4141,"marks":4142,"value":4143,"nodeType":1293},{},[],"What we’ve just shown is the behavior for a message from an internal user. Slack doesn’t fully unfurl a link by default, however, if this was combined with external messaging as we saw earlier. 
It does still show a partial link preview though and therefore this attack is still possible.",{"data":4145,"content":4146,"nodeType":1294},{},[4147],{"data":4148,"marks":4149,"value":4150,"nodeType":1293},{},[],"The only real difference is it doesn’t show the image part of the preview and, instead, shows a notice to the user that it’s external and gives them the option to click to show the image preview as well. If the user clicks to show the image preview, it converts to the same full preview with the image we saw above. In this case, we can see an example of chaining the original external user spoofing attack with a link preview spoofing attack below:",{"data":4152,"content":4156,"nodeType":1620},{"target":4153},{"sys":4154},{"id":4155,"type":1354,"linkType":1355},"4IkX0LI0bB36CxNlHYHRHs",[],{"data":4158,"content":4159,"nodeType":1294},{},[4160],{"data":4161,"marks":4162,"value":4163,"nodeType":1293},{},[],"While this is slightly more problematic for an attacker than the internal functionality for link previews, it’s still very useful as a social engineering technique and arguably the option to click “just show this one” adds to the legitimacy. The reason is the user may use this as a way to get context on what the link is, instead of looking for the underlying URL. Otherwise, clicking the link still takes the user to the phishing page without any other warnings the same as for internal messages.",{"data":4165,"content":4169,"nodeType":1620},{"target":4166},{"sys":4167},{"id":4168,"type":1354,"linkType":1355},"2ug8ozbhRM3Xg8nhasJ1er",[],{"data":4171,"content":4172,"nodeType":1733},{},[4173],{"data":4174,"marks":4175,"value":4176,"nodeType":1293},{},[],"Cleaning your tracks",{"data":4178,"content":4179,"nodeType":1294},{},[4180],{"data":4181,"marks":4182,"value":4183,"nodeType":1293},{},[],"Ok, so let’s say an attacker has either successfully phished the target user or perhaps now the user is suspicious and likely contacting security or IT. 
One of the great benefits of IM apps is you can generally edit and delete messages, which can be abused by an attacker.",{"data":4185,"content":4186,"nodeType":1294},{},[4187],{"data":4188,"marks":4189,"value":4190,"nodeType":1293},{},[],"As an attacker, I could make a tiny change to my message to replace the malicious link with the legitimate link I was spoofing for the link preview if I got the sense the target was getting suspicious. Then, if an incident responder comes to investigate, the malicious link is now gone and the message itself appears identical, covering my tracks. Other than being able to see the message has been edited, it’s no longer easy to see this was a phishing attack or where the phishing link pointed to. This is definitely a useful capability that isn’t usually possible with email phishing! \n\nSee this minor change reflected below, making the original phishing message appear innocuous due to the replacement of the phishing URL with a legitimate URL:",{"data":4192,"content":4196,"nodeType":1620},{"target":4193},{"sys":4194},{"id":4195,"type":1354,"linkType":1355},"32lWR3sObuIYvhSDUPIPAh",[],{"data":4198,"content":4199,"nodeType":1470},{},[4200],{"data":4201,"marks":4202,"value":2019,"nodeType":1293},{},[],{"data":4204,"content":4205,"nodeType":1294},{},[4206],{"data":4207,"marks":4208,"value":4209,"nodeType":1293},{},[],"We’ve covered a lot of ground here, showing the chaining of external user spoofing attacks with link preview spoofing and also how to cover your tracks afterwards. 
It’s worth taking a step back and considering the key impact points:",{"data":4211,"content":4212,"nodeType":1462},{},[4213,4222,4231,4240],{"data":4214,"content":4215,"nodeType":1398},{},[4216],{"data":4217,"content":4218,"nodeType":1294},{},[4219],{"data":4220,"marks":4221,"value":2046,"nodeType":1293},{},[],{"data":4223,"content":4224,"nodeType":1398},{},[4225],{"data":4226,"content":4227,"nodeType":1294},{},[4228],{"data":4229,"marks":4230,"value":2056,"nodeType":1293},{},[],{"data":4232,"content":4233,"nodeType":1398},{},[4234],{"data":4235,"content":4236,"nodeType":1294},{},[4237],{"data":4238,"marks":4239,"value":2066,"nodeType":1293},{},[],{"data":4241,"content":4242,"nodeType":1398},{},[4243],{"data":4244,"content":4245,"nodeType":1294},{},[4246],{"data":4247,"marks":4248,"value":2076,"nodeType":1293},{},[],{"data":4250,"content":4251,"nodeType":1470},{},[4252],{"data":4253,"marks":4254,"value":2149,"nodeType":1293},{},[],{"data":4256,"content":4257,"nodeType":1294},{},[4258],{"data":4259,"marks":4260,"value":2156,"nodeType":1293},{},[],{"data":4262,"content":4263,"nodeType":1294},{},[4264],{"data":4265,"marks":4266,"value":4267,"nodeType":1293},{},[],"This also means organizations reliant on traditional email security gateways and email-based phishing training are likely to see the effectiveness of these controls decrease if attacks shift to the IM apps.",{"data":4269,"content":4270,"nodeType":1294},{},[4271],{"data":4272,"marks":4273,"value":4274,"nodeType":1293},{},[],"In this article, we highlighted a number of spoofing and phishing strategies that can be employed by external attackers to target an organization using Slack in the initial access phase of the kill chain. 
In the next article, we’ll look at how, once an attacker has a foothold in Slack, new attack possibilities open up for persistence and lateral movement.",{"data":4276,"content":4277,"nodeType":1294},{},[4278],{"data":4279,"marks":4280,"value":2177,"nodeType":1293},{},[],{"data":4282,"content":4283,"nodeType":1294},{},[4284,4288,4296],{"data":4285,"marks":4286,"value":4287,"nodeType":1293},{},[],"In our ",{"data":4289,"content":4292,"nodeType":1362},{"target":4290},{"sys":4291},{"id":1316,"type":1354,"linkType":1355},[4293],{"data":4294,"marks":4295,"value":3676,"nodeType":1293},{},[],{"data":4297,"marks":4298,"value":4299,"nodeType":1293},{},[],", we’ll talk about how to use Slack to gain persistence and move laterally across the organization. ",{"data":4301,"content":4304,"nodeType":1620},{"target":4302},{"sys":4303},{"id":2011,"type":1354,"linkType":1355},[],{"data":4306,"content":4307,"nodeType":1294},{},[4308],{"data":4309,"marks":4310,"value":37,"nodeType":1293},{},[],{"entries":4312},{"inline":4313,"hyperlink":4314,"block":4319},[],[4315,4317],{"sys":4316,"__typename":1314,"title":3084,"slug":3086},{"id":1715},{"sys":4318,"__typename":1314,"title":2178,"slug":2180},{"id":1316},[4320,4327,4336,4344,4352,4360,4367,4375,4383,4391,4397,4405,4413,4421,4430,4438],{"sys":4321,"__typename":4322,"type":4323,"ctaText":4324,"buttonLabel":4325,"buttonColour":4326,"buttonUrl":118},{"id":1618},"CtaWidget","Demo","Learn how Push can help you secure identities across your org","Book a demo!","sunny orange",{"sys":4328,"__typename":4329,"title":4330,"caption":4331,"layoutMode":118,"file":4332},{"id":3833},"Image","Slack phishing - new invite","Slack Connect invite from an external tenant with an attacker-chosen user name and organization 
name",{"url":4333,"width":4334,"height":4335},"https://images.ctfassets.net/y1cdw1ablpvd/32Q5YwPYPpnnwr05cFE9FZ/bf1537dc55dad812c2ef8bd56b1be0da/image5.png",792,211,{"sys":4337,"__typename":4329,"title":4338,"caption":4339,"layoutMode":118,"file":4340},{"id":3867},"Slack phishing - impersonating an employee","An external attacker (the Zuck with an F on the profile, showing it's an external account) in a channel impersonating an internal user (the Zuck without an F, showing it's an internal account).",{"url":4341,"width":4342,"height":4343},"https://images.ctfassets.net/y1cdw1ablpvd/15wI2UepFxEhNu5Oniv2Jm/bc3719550be55300a1dc9865a2a5c94c/image13.png",1164,584,{"sys":4345,"__typename":4329,"title":4346,"caption":4347,"layoutMode":118,"file":4348},{"id":3908},"Slack phishing - spoofing","An initial message from an accepted Slack Connect invite, from “Brian” at “SomeExternalMarketingAgency, LLC”",{"url":4349,"width":4350,"height":4351},"https://images.ctfassets.net/y1cdw1ablpvd/1PRhPZ9M8jiyICJV38EldP/c7bccda387c084cd0483ca9a051e1032/image12.png",1048,439,{"sys":4353,"__typename":4329,"title":4354,"caption":4355,"layoutMode":118,"file":4356},{"id":3914},"Slack phishing - social engineering","A social engineering message sent later, after the user identity has been changed - no new Slack connection is required",{"url":4357,"width":4358,"height":4359},"https://images.ctfassets.net/y1cdw1ablpvd/7D0CEOQmuomsw3uaq7EkNE/5cc635924e8d0ccb72340bbee7aadf78/image8.png",957,544,{"sys":4361,"__typename":4329,"title":4362,"caption":4363,"layoutMode":118,"file":4364},{"id":3987},"Slack phishing - link forging","Link forging shows the real domain on a hover-over",{"url":4365,"width":4366,"height":400},"https://images.ctfassets.net/y1cdw1ablpvd/3ZVdrMekiWSULQXFTKcOc3/59d6066d06d3543e7eed79f5d1d4bd61/image2.png",856,{"sys":4368,"__typename":4329,"title":4369,"caption":4370,"layoutMode":118,"file":4371},{"id":3993},"Slack phishing - link forging warning","Link forging also presents a warning 
dialog to the user by default if they click the link",{"url":4372,"width":4373,"height":4374},"https://images.ctfassets.net/y1cdw1ablpvd/1jkGOiQxzDe2xNJCmB8zL3/8babcd4e9ae83bbd79843eaf17596db4/image1.png",1044,504,{"sys":4376,"__typename":4329,"title":4377,"caption":4378,"layoutMode":118,"file":4379},{"id":4006},"Slack phishing - link forging friendly text","A hover-over still shows the true URL with a friendly text link but no warning dialog is given",{"url":4380,"width":4381,"height":4382},"https://images.ctfassets.net/y1cdw1ablpvd/6pNYmKoOBAvj5Pu0qpB88f/f770190659c1f499d73fffa3fbfce4d3/image9.png",852,146,{"sys":4384,"__typename":4329,"title":4385,"caption":4386,"layoutMode":118,"file":4387},{"id":4033},"Slack phishing - link unfurling","Link unfurling resulting in a helpful link preview",{"url":4388,"width":4389,"height":4390},"https://images.ctfassets.net/y1cdw1ablpvd/428xUDjIeEE6rzCyJJWfpe/60b48bf9c36e2831585c1f5c86f97154/image11.png",1276,744,{"sys":4392,"__typename":4393,"name":4394,"type":4395,"syntax":4396},{"id":4088},"CodeBlockComponent","Slack phishing 1: Link preview spoofing code","python","from http.server import HTTPServer, SimpleHTTPRequestHandler\n\n\nclass MyHandler(SimpleHTTPRequestHandler):\n    def do_GET(self):\n        for header, val in self.headers.items():\n            if header == \"User-Agent\":\n                print(header, val)\n                if val.startswith(\"Slackbot-LinkExpanding\") or \"SkypeUriPreview\" in val or \"Google-PageRenderer\" in val:\n                    self.send_response(301)\n                    self.send_header('Location', 'https://docs.google.com/presentation/d/1JsjD2Ro9KaHmW2vILPKJ6-7ptW89pfsAReyzCxQdpq0/edit?usp=sharing')\n                    self.end_headers()\n                    return\n            print(header, val)\n        return super(MyHandler, self).do_GET()\n\n\nhttpd = HTTPServer(('localhost', 8000), 
MyHandler)\nhttpd.serve_forever()",{"sys":4398,"__typename":4329,"title":4399,"caption":4400,"layoutMode":118,"file":4401},{"id":4108},"Slack phishing - user and link preview spoofing","Phishing message making use of user spoofing and link preview spoofing to make the link seem legitimate, so the user won’t notice the true URL. A small period is used to hide the URL.",{"url":4402,"width":4403,"height":4404},"https://images.ctfassets.net/y1cdw1ablpvd/2yh3i1Htdy4iXfKfRgiPBj/aa455d9513a6047b187df60494e942d8/image4.png",1160,678,{"sys":4406,"__typename":4329,"title":4407,"caption":4408,"layoutMode":118,"file":4409},{"id":4114},"Slack phishing - fake phishing page","The fake Google phishing page the user is directed to when clicking the link, in this case hosted on a custom ngrok domain",{"url":4410,"width":4411,"height":4412},"https://images.ctfassets.net/y1cdw1ablpvd/7eN4laU7EvdAbi0mjyLNeK/f8ed7e4db0fe35ebb85ac7a6946c7f05/image6.png",1718,1560,{"sys":4414,"__typename":4329,"title":4415,"caption":4416,"layoutMode":118,"file":4417},{"id":4155},"Slack phishing - link preview from external","Link previews from external messages do not show the image by default, but allow the user to override this",{"url":4418,"width":4419,"height":4420},"https://images.ctfassets.net/y1cdw1ablpvd/3OORVNatftPSxM4d5RUeCX/e88a707d86ac24db370ea7b54a5b5570/image7.png",613,239,{"sys":4422,"__typename":4329,"title":4423,"caption":4424,"layoutMode":4425,"file":4426},{"id":4168},"Slack phishing - technical diagram 1","A diagram to show the combination of external spoofing and link preview spoofing in action","Breaks margins",{"url":4427,"width":4428,"height":4429},"https://images.ctfassets.net/y1cdw1ablpvd/5F5m59YpByCrIMmm71sal/d6863a45244ebc9821589224d34a3962/image10.png",1999,1125,{"sys":4431,"__typename":4329,"title":4432,"caption":4433,"layoutMode":118,"file":4434},{"id":4195},"Slack phishing - link unfurling edited","An edited message to remove the malicious link and replace it with the same 
link used for spoofed link preview. ",{"url":4435,"width":4436,"height":4437},"https://images.ctfassets.net/y1cdw1ablpvd/2keEwuruFFUM8tT9AFqEvp/ee2b1d858ed766f5193317c4bb888e3c/image3.png",637,423,{"sys":4439,"__typename":4322,"type":4440,"ctaText":4441,"buttonLabel":4442,"buttonColour":4443,"buttonUrl":118},{"id":2011},"LinkedIn","See more original research and technical content from Push","Follow us on LinkedIn","orange","content:blog:slack-phishing-for-initial-access.json","json","content","blog/slack-phishing-for-initial-access.json","blog/slack-phishing-for-initial-access",1776359990600]