[{"data":1,"prerenderedAt":3894},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":95,"navbar-about-highlight":155,"navbar-resource-highlight":211,"use-case-page":256,"blog/the-risky-terrain-of-oauth-scopes-in-third-party":1276},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8,59,76],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":14,"data":15,"variations":50,"lastUpdated":51,"firstPublished":52,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":54,"meta":55,"rev":58},1742213002749,"efff2a27faf4408e9f908eba4b5542fe","inductive-automation","1c6207a5f24948ab82d4a0b17f251193","published",[],{"testimonial":16,"description":43,"type":19,"link":44,"title":47,"testimonialLink":48,"image":49},{"@type":17,"id":18,"model":19,"value":20},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79","testimonial",{"query":21,"folders":22,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":26,"variations":30,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":35,"rev":42},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":27,"jobTitle":28,"quote":24,"image":29},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,1,"ST0tXQM8slWpFrmioqKHmENB2qe2",{"kind":36,"lastPreviewUrl":37,"breakpoints":38,"hasAutosaves":41},"data","",{"small":39,"medium":40},640,768,true,"3v32gocrrqz","Join the industry's top security minds as they break down the browser attack landscape.",{"url":45,"text":46},"https://pushsecurity.com/webinar/state-of-browser-security","Save Your Spot","State of Browser Attacks 
Series","/customer-stories/inductive-automation","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe94fca10aa7b46ac8052b7ea22de54cd",{},1776257019270,1742221533648,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2",[],{"breakpoints":56,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},320,"motto9r9yg",{"createdDate":60,"id":61,"name":62,"modelId":12,"published":13,"query":63,"data":64,"variations":69,"lastUpdated":70,"firstPublished":71,"testRatio":33,"createdBy":53,"lastUpdatedBy":72,"folders":73,"meta":74,"rev":58},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner",[],{"type":65,"url":66,"text":67,"link":68},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,"jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":36,"lastPreviewUrl":37,"breakpoints":75,"hasAutosaves":41},{"xsmall":57,"small":39,"medium":40},{"createdDate":77,"id":78,"name":79,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":80,"data":81,"variations":89,"lastUpdated":90,"firstPublished":91,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":92,"meta":93,"rev":58},1742208469288,"6763051b201f44a0838c6400c580ca67","Resource highlight",[],{"image":82,"type":83,"description":84,"link":85,"title":88},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9","resource","Learn about the latest techniques being used in the wild.",{"url":86,"text":87},"/resources/browser-attacks-report","Download now","Report: 2026 Browser Attack 
Techniques",{},1776255866789,1742208570400,[],{"kind":36,"lastPreviewUrl":37,"breakpoints":94,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},{"createdDate":96,"id":97,"name":98,"modelId":99,"published":13,"query":100,"data":101,"variations":145,"lastUpdated":146,"firstPublished":147,"testRatio":33,"createdBy":34,"lastUpdatedBy":148,"folders":149,"meta":150,"rev":154},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":102,"text":103,"url":37,"blocks":104,"state":141},"ewrererw","testrfesssssssssss",[105,129],{"@type":106,"@version":107,"id":108,"component":109,"responsiveStyles":119},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":110,"tag":110,"options":111,"isRSC":118},"TopBannerContent",{"text":112,"ctaText":46,"url":45,"mainText":113,"cta":116},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks",{"content":114,"fontSize":115},"\u003Cp>New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks\u003C/p>","text-base",{"content":117,"fontSize":115,"url":45},"\u003Cp>\u003Cstrong style=\"font-weight:700;\">Save Your 
Spot\u003C/strong>\u003C/p>\n",null,{"large":120},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"marginTop":126,"marginBottom":126,"fontSize":127,"fontWeight":128},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"id":130,"@type":106,"tagName":131,"properties":132,"responsiveStyles":136},"builder-pixel-08zrjigffq5t","img",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":137},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},"block","hidden","none",{"deviceSize":142,"location":143},"large",{"path":37,"query":144},{},{},1775137295127,1774968080803,"ax7YYfD0OCeqT1Vxxv1G4FUbqVr1",[],{"breakpoints":151,"hasLinks":6,"kind":152,"lastPreviewUrl":153,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests%2CmergePullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default","2lvuonnywj",[156,180],{"createdDate":157,"id":158,"name":159,"modelId":160,"published":13,"stageModifiedSincePublish":6,"query":161,"data":162,"variations":173,"lastUpdated":174,"firstPublished":175,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":176,
"meta":177,"rev":179},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":163,"type":19,"testimonialLink":48,"testimonial":164},{},{"@type":17,"id":18,"model":19,"value":165},{"query":166,"folders":167,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":168,"variations":169,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":170,"rev":172},[],[],{"author":27,"jobTitle":28,"quote":24,"image":29},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":171,"hasAutosaves":41},{"small":39,"medium":40},"7t755zfvte3",{},1776247404986,1776247404973,[],{"breakpoints":178,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"4moh0qpywtr",{"createdDate":181,"id":182,"name":88,"modelId":160,"published":13,"meta":183,"stageModifiedSincePublish":6,"query":185,"data":186,"variations":207,"lastUpdated":208,"firstPublished":209,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":210,"rev":179},1776255761419,"05a9322735fc427db12e2740e4302300",{"breakpoints":184,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[],{"testimonial":187,"link":206,"type":83,"title":88,"description":84,"image":82},{"@type":17,"id":188,"model":19,"value":189},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":190,"folders":191,"createdDate":192,"id":188,"name":193,"modelId":25,"published":13,"data":194,"variations":200,"lastUpdated":201,"firstPublished":202,"testRatio":33,"createdBy":34,"lastUpdatedBy":53,"meta":203,"rev":205},[],[],1728981467463,"Push does for identity what CrowdStrike did for the 
endpoint",{"video":195,"jobTitle":196,"author":197,"qoute":37,"quote":198,"image":199},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":36,"lastPreviewUrl":37,"breakpoints":204,"hasAutosaves":41},{"small":39,"medium":40},"6s8ic0w0ao6",{"text":87,"url":86},{},1776255810913,1776255810900,[],[212,235],{"createdDate":213,"id":214,"name":88,"modelId":215,"published":13,"meta":216,"stageModifiedSincePublish":6,"query":218,"data":219,"variations":230,"lastUpdated":231,"firstPublished":232,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":233,"rev":234},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":217,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[],{"testimonial":220,"link":229,"type":83,"title":88,"description":84,"image":82},{"@type":17,"id":188,"model":19,"value":221},{"query":222,"folders":223,"createdDate":192,"id":188,"name":193,"modelId":25,"published":13,"data":224,"variations":225,"lastUpdated":201,"firstPublished":202,"testRatio":33,"createdBy":34,"lastUpdatedBy":53,"meta":226,"rev":228},[],[],{"video":195,"jobTitle":196,"author":197,"qoute":37,"quote":198,"image":199},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":227,"hasAutosaves":41},{"small":39,"medium":40},"r77qqueuo3j",{"text":87,"url":86},{},1776256937553,1776256937540,[],"q0jkez80wkg",{"createdDate":236,"id":237,"name":11,"modelId":215,"published":13,"stageModifiedSincePublish":6,"query":238,"data":239,"variations
":250,"lastUpdated":251,"firstPublished":252,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":253,"meta":254,"rev":234},1776256949234,"ce043785b71b4ece98eac811ecf4ba10",[],{"link":240,"type":19,"testimonial":241,"testimonialLink":48},{},{"@type":17,"id":18,"model":19,"value":242},{"query":243,"folders":244,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":245,"variations":246,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":247,"rev":249},[],[],{"author":27,"jobTitle":28,"quote":24,"image":29},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":248,"hasAutosaves":41},{"small":39,"medium":40},"mnaneamy308",{},1776256974140,1776256974130,[],{"breakpoints":255,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[257,441,560,679,797,917,1037,1157],{"createdDate":258,"id":259,"name":260,"modelId":261,"published":13,"stageModifiedSincePublish":6,"query":262,"data":268,"variations":429,"lastUpdated":430,"firstPublished":431,"testRatio":33,"screenshot":432,"createdBy":34,"lastUpdatedBy":433,"folders":434,"meta":435,"rev":440},1744829487099,"387451215c314dd5bd654668cdc1a197","Zero-day phishing","cca4143377554c5a9163cc203a8ed2ba",[263],{"@type":264,"property":265,"operator":266,"value":267},"@builder.io/core:Query","urlPath","is","/uc/zero-day-phishing-protection",{"inputs":269,"customFonts":270,"seoTitle":318,"title":318,"tsCode":37,"seoDescription":319,"fontAwesomeIcon":320,"jsCode":37,"blocks":321,"url":267,"state":426},[],[271],{"family":272,"kind":273,"version":274,"lastModified":275,"files":276,"category":295,"menu":296,"subsets":297,"variants":300},"DM 
Sans","webfonts#webfont","v14","2023-07-13",{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"800italic":285,"900italic":286,"700italic":287,"100italic":288,"italic":289,"regular":290,"200italic":291,"500italic":292,"300italic":293,"600italic":294},"https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAop1hTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwA_JxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAkJxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAfJthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwARZthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAC5thTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8gCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9uCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDG3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19Dks
Vat-7DW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat_XDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9XCm3zRmYJpso5.ttf","sans-serif","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxRT23z.ttf",[298,299],"latin","latin-ext",[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"100","200","300","regular","500","600","800","900","100italic","200italic","300italic","italic","500italic","600italic","700italic","800italic","900italic","Zero-day phishing protection","Detect phishing TTPs directly in the browser and stop credential theft.","faFishingRod",[322,421],{"@type":106,"@version":107,"tagName":323,"id":324,"children":325},"div","builder-76c6b8d1499346c7bc1fd56ae4e93638",[326,343,351,358,370,385,396,407,413],{"@type":106,"@version":107,"layerName":327,"id":328,"component":329,"responsiveStyles":340},"UseCaseHero","builder-5228fe062bef4a40a91e43f1112832fa",{"name":327,"options":330,"isRSC":118},{"title":318,"description":331,"points":332,"video":339},"\u003Cp>Push detects phishing as it happens. Autonomous agents hunt for new phishing techniques, identify kit signatures, and deploy detections within minutes of a new attack being analyzed. 
From cloned login pages to AiTM credential harvesting, Push sees what traditional filters miss and stops threats before they escalate.\u003C/p>",[333,335,337],{"item":334},"Detect phishing that bypasses traditional filters, including AiTM, SSO password theft, and fake login pages",{"item":336},"Stop never-before-seen attacks with AI-native behavioral and on-page analysis inside the browser",{"item":338},"Investigate faster with unified browser, user, and page context","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F40433ceeb4f94b43a82e039a0f4fd411%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=40433ceeb4f94b43a82e039a0f4fd411&alt=media&optimized=true",{"large":341},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},"transparent",{"@type":106,"@version":107,"id":344,"component":345,"responsiveStyles":348},"builder-96634044407e491299e291ed64669e39",{"name":346,"options":347,"isRSC":118},"TrustedBy",{"AllPartners":41,"backgroundTransparent":6},{"large":349},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},"#000",{"@type":106,"@version":107,"id":352,"component":353,"responsiveStyles":356},"builder-2c3768f930534557bb8978e32b6a6a0f",{"name":354,"options":355,"isRSC":118},"Diagonal",{"darkMode":41},{"large":357},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":359,"id":360,"component":361,"responsiveStyles":368},"TextImageBlockVertical","builder-7c3c1c2840424db2ad2ccbfaf382dd64",{"name":359,"tag":359,"options":362,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":365,"description":366,"animatedTitle":37,"image":367,"reverse":6,"descriptionPaddingHorizontal":118},1200,800,"\u003Ch2>Why stop at the inbox?\u003C/h2>","\u003Cp>Phishing attacks have evolved. 
Whether attackers lure users with QR codes, instant messages, or OAuth consent screens, the outcome is the same: it plays out in the browser. Push gives you real-time detection for in-browser threats, stopping phishing and consent-based attacks before they lead to compromise\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7fdcac241f0e4a049166d7076858adeb",{"large":369},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":371,"component":372,"responsiveStyles":380},"builder-41c978b3669749cf947e622b4e79e4d7",{"name":373,"options":374,"isRSC":118},"TextImageBlockHorizontal",{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":377,"description":378,"reverse":41,"image":379},600,100,"\u003Cp>Detect phishing at the edge\u003C/p>","\u003Cp>Push uses industry-first telemetry to detect phishing based on behavior, not static indicators. Autonomous agents analyze how phishing pages behave and how users interact with them, uncovering fake logins, credential theft, and phishing kits the moment they load in the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F9df3d180c97b4e61af142af2ccd68721",{"large":381},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},"DM Sans, sans-serif","20px","0px",{"@type":106,"@version":107,"id":386,"component":387,"responsiveStyles":393},"builder-d2a7bc941feb43cdb898bc116b203cf9",{"name":373,"options":388,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":390,"description":391,"reverse":6,"image":392},120,"\u003Ch2>Go beyond blocklists and IOCs\u003C/h2>","\u003Cp>Push goes beyond URLs and easy-to-change indicators. 
It reads the full phishing playbook like script behavior, session hijacks, DOM changes, user inputs, then connects the dots in real time. This gives your team a complete picture of how the phishing attempt worked, not just an alert.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fabfd58db169b433e96d3f1261797156e",{"large":394},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},"36px",{"@type":106,"@version":107,"layerName":373,"id":397,"component":398,"responsiveStyles":404},"builder-42c32198083f4880acb37c5cb76934da",{"name":373,"options":399,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":401,"description":402,"reverse":41,"image":403},140,"\u003Ch2>Enhance your phishing response\u003C/h2>","\u003Cp>When phishing enters your environment, speed matters. Push gives you instant access to the telemetry that counts like session data, user behavior, and page activity, so you can investigate fast, trigger in-browser prompts, or forward alerts to your SIEM or SOAR for response. 
All in real time, right from the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fbb195aec46904056b85e8688629e558e",{"large":405},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},"47px",{"@type":106,"@version":107,"id":408,"component":409,"responsiveStyles":411},"builder-9a95b9cbc4854421a92ef7b90f6c7adb",{"name":354,"options":410,"isRSC":118},{"darkMode":6},{"large":412},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":414,"component":415,"responsiveStyles":419},"builder-0afa17a9f25c4661a90f314d5578aa18",{"name":416,"tag":416,"options":417,"isRSC":118},"LatestResources",{"sectionHeading":37,"customClass":418},"bg-black",{"large":420},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":422,"@type":106,"tagName":131,"properties":423,"responsiveStyles":424},"builder-pixel-21yj6h3p4wh",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":425},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":427},{"path":37,"query":428},{},{},1776275046831,1745499158657,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fff60c30a8442489c8ed7e0af9599d14f","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"lastPreviewUrl":436,"winningTest":118,"breakpoints":437,"kind":438,"hasLinks":6,"originalContentId":439,"hasAutosaves":6},"https://pushsecurity.com/uc/zero-day-phishing-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&
builder.overrides.use-case-page=387451215c314dd5bd654668cdc1a197&builder.overrides.387451215c314dd5bd654668cdc1a197=387451215c314dd5bd654668cdc1a197&builder.overrides.use-case-page:/uc/zero-day-phishing-protection=387451215c314dd5bd654668cdc1a197&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},"page","2daa5670b8504fc7ba4700633e8bd921","atvz4dp24b7",{"createdDate":442,"id":443,"name":444,"modelId":261,"published":13,"stageModifiedSincePublish":6,"query":445,"data":448,"variations":552,"lastUpdated":553,"firstPublished":554,"testRatio":33,"screenshot":555,"createdBy":34,"lastUpdatedBy":433,"folders":556,"meta":557,"rev":440},1756833377777,"54f8256648f54d439303734b1e69221b","Browser extension security",[446],{"@type":264,"property":265,"operator":266,"value":447},"/uc/browser-extension-security",{"seoDescription":449,"jsCode":37,"fontAwesomeIcon":450,"tsCode":37,"title":444,"seoTitle":444,"customFonts":451,"inputs":456,"blocks":457,"url":447,"state":549},"Shine a light on risky browser extensions.","faPuzzlePiece",[452],{"kind":273,"family":272,"version":274,"files":453,"category":295,"lastModified":275,"subsets":454,"variants":455,"menu":296},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"100italic":288,"italic":289,"regular":290,"900italic":286,"800italic":285,"700italic":287,"200italic":291,"300italic":293,"500italic":292,"600italic":294},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],[],[458,544],{"@type":106,"@version":107,"tagName":323,"id":459,"meta":460,"children":461},"builder-71d0648c1d2f4ede8d0d0b5b28b7b94c",{"previousId":324},[462,478,485,492,501,511,521,531,538],{"@type":106,"@version":107,"id":463,"meta":464,"component":465,"responsiveStyles":476},"builder-ff325b4b8fad4edea53f38865947e854",{"previousId":328},{"name":327,"options":466,"isRSC":118},{"title":444,"description":467,"points":468,"video":475},"\u003Cp>Browser extensions introduce new code, new 
permissions, and new potential for risk. Many include AI features, and most go completely unnoticed. Push gives you full visibility into every extension used across your workforce, across major browsers, so you can uncover shadow IT, assess risky permissions, and block unsafe tools before they lead to compromise.\u003C/p>",[469,471,473],{"item":470},"Discover every browser extension in use",{"item":472},"Spot risky or unsanctioned behavior",{"item":474},"Make informed decisions on extension policy","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc538aad95d7f403aa3c3551af72f67c0?alt=media&token=1411fa6d-2eac-4e6c-94bf-ea117da12d67&apiKey=f3a1111ff5be48cdbb123cd9f5795a05",{"large":477},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":479,"meta":480,"component":481,"responsiveStyles":483},"builder-fb89d128c64e47cf9cbb11d90fc24523",{"previousId":344},{"name":346,"options":482,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":484},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":486,"meta":487,"component":488,"responsiveStyles":490},"builder-54388d35126c4d0096eeebaf8c4448cd",{"previousId":352},{"name":354,"options":489,"isRSC":118},{"darkMode":41},{"large":491},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":359,"id":493,"component":494,"responsiveStyles":499},"builder-3c8fa6785dd6466abf52a2470d66d85a",{"name":359,"tag":359,"options":495,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":496,"description":497,"image":498,"reverse":6},"\u003Ch2>Take control of browser extensions\u003C/h2>","\u003Cp>Attackers are increasingly using malicious browser extensions to gain access to data processed and stored in the browser. 
And the problem is, most security teams have no visibility into what extensions are being used. Push changes that. With browser-native telemetry, the Push extension continuously inventories browser extensions across your environment, flags the risky ones, and gives you intelligence to act.&nbsp;\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0a004f16a6874f4c8fdf14344acc9fec",{"large":500},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":502,"meta":503,"component":504,"responsiveStyles":509},"builder-93738f98109a4009affb349afd7bb182",{"previousId":371},{"name":373,"options":505,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":506,"description":507,"reverse":41,"image":508},"\u003Ch2>Discover every extension in use\u003C/h2>","\u003Cp>Push gives you structured, searchable data about every extension in your environment, so you’re not just seeing what’s there, but also understanding how it got there, what it can do, and who it affects. 
It’s the kind of granular insight that’s nearly impossible to get from traditional tools, and it lays the groundwork for better policy decisions and faster investigations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0e5727ca99474f14b1b7916bf6bbb782",{"large":510},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":512,"meta":513,"component":514,"responsiveStyles":519},"builder-83393acb12ee4fdd840839185b51edb4",{"previousId":386},{"name":373,"options":515,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":516,"description":517,"reverse":6,"image":518},"\u003Ch2>Spot risky or malicious extensions\u003C/h2>","\u003Cp>Push highlights extensions with dangerous permissions, broad access, or poor reputations. This includes AI extensions that request access far beyond what their stated purpose requires. You can quickly detect sideloaded, manually installed, or development-mode extensions that bypass normal controls. And because Push shows you who’s using them and where, you can respond precisely and effectively.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa104d58c8da34fbb8901f738fb21453b",{"large":520},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":522,"meta":523,"component":524,"responsiveStyles":529},"builder-da98e3de949646d89c53a0d1c2784664",{"previousId":397},{"name":373,"options":525,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":526,"description":527,"reverse":41,"image":528},"\u003Ch2>Accelerate security reviews\u003C/h2>","\u003Cp>Most teams have extension policies, they just don’t have the data to enforce them. 
Push reveals how each extension entered your environment, whether it was installed manually, sideloaded, or deployed in dev mode. You’ll see which users are running what, and where, so you can surface violations, investigate quickly, and respond with confidence.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F229f355be6f243b180f410d237a75bb3",{"large":530},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":532,"meta":533,"component":534,"responsiveStyles":536},"builder-1a689287d1a1418997d57db578a71105",{"previousId":408},{"name":354,"options":535,"isRSC":118},{"darkMode":6},{"large":537},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":539,"component":540,"responsiveStyles":542},"builder-feb4e75029f84c10b6498ef1f8f79128",{"name":416,"tag":416,"options":541,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":543},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":545,"@type":106,"tagName":131,"properties":546,"responsiveStyles":547},"builder-pixel-0edn39avfcei",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":548},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":550},{"path":37,"query":551},{},{},1776275365038,1757000441666,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8d496cf111644ee5afcc046b72d1ca5a",[],{"kind":438,"winningTest":118,"breakpoints":558,"lastPreviewUrl":559,"hasLinks":6,"originalContentId":259,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/browser-extension-security?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2Cc
reateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=54f8256648f54d439303734b1e69221b&builder.overrides.54f8256648f54d439303734b1e69221b=54f8256648f54d439303734b1e69221b&builder.overrides.use-case-page:/uc/browser-extension-security=54f8256648f54d439303734b1e69221b&builder.options.locale=Default",{"createdDate":561,"id":562,"name":563,"modelId":261,"published":13,"query":564,"data":567,"variations":670,"lastUpdated":671,"firstPublished":672,"testRatio":33,"screenshot":673,"createdBy":34,"lastUpdatedBy":674,"folders":675,"meta":676,"rev":440},1744923509705,"94bebb7bb99d48629ad157e80cf4d81d","Account takeover detection",[565],{"@type":264,"property":265,"operator":266,"value":566},"/uc/account-takeover-detection",{"title":563,"customFonts":568,"jsCode":37,"seoTitle":563,"seoDescription":573,"fontAwesomeIcon":574,"tsCode":37,"blocks":575,"url":566,"state":667},[569],{"kind":273,"category":295,"variants":570,"menu":296,"files":571,"family":272,"subsets":572,"version":274,"lastModified":275},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"300italic":293,"500italic":292,"800italic":285,"700italic":287,"italic":289,"900italic":286,"600italic":294,"200italic":291,"regular":290,"100italic":288},[298,299],"Stop ATO with stolen credential and compromised token 
detection.","faUserSecret",[576,662],{"@type":106,"@version":107,"tagName":323,"id":577,"meta":578,"children":579},"builder-e7913a774cae44c5a23d6081c5c30a52",{"previousId":324},[580,596,603,610,619,629,639,649,656],{"@type":106,"@version":107,"id":581,"meta":582,"component":583,"responsiveStyles":594},"builder-f1f1ab1601bc4c0f8c2a8aafd173675d",{"previousId":328},{"name":327,"options":584,"isRSC":118},{"title":563,"description":585,"points":586,"video":593},"\u003Cp>Attackers don’t need to phish, they just need a password that works. Push monitors for signs of credential-based attacks in real time, directly in the browser, catching account takeover attempts before the damage spreads. From ghost logins to credential stuffing, Push cuts off the paths attackers use to quietly slip in the back door.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[587,589,591],{"item":588},"Identify credential-based ATO as it unfolds",{"item":590},"Surface hijacked sessions and token misuse",{"item":592},"Strengthen authentication where your IdP 
can’t","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb4dd9db24bc9495b8a686b1b4d492016%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=b4dd9db24bc9495b8a686b1b4d492016&alt=media&optimized=true",{"large":595},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":597,"meta":598,"component":599,"responsiveStyles":601},"builder-0bc0d1c78ece4994993c3a6427a4d533",{"previousId":344},{"name":346,"options":600,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":602},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":604,"meta":605,"component":606,"responsiveStyles":608},"builder-e45de8f3768c4f16938dbf78e4e87524",{"previousId":352},{"name":354,"options":607,"isRSC":118},{"darkMode":41},{"large":609},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":611,"component":612,"responsiveStyles":617},"builder-c98e8bfd341146c1b67c02d5698ff093",{"name":359,"tag":359,"options":613,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":614,"description":615,"image":616,"reverse":6},"\u003Ch2>Assume less. See more.\u003C/h2>","\u003Cp>Most account takeovers don’t start with a breach, they start with a login. Whether it’s a reused password, a local account, or an outdated login flow, Push shows you how accounts are actually accessed day to day, not just how policies say they should be. 
That means no more blind spots around ghost logins, bypassed SSO, or stale access paths that quietly persist.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F18630ad2746d4eb7b7fcc0428b11a8f0",{"large":618},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":620,"meta":621,"component":622,"responsiveStyles":627},"builder-55c1fc38ddc04fd1a0d6a8e2fb819e00",{"previousId":371},{"name":373,"options":623,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":624,"description":625,"reverse":41,"image":626},"\u003Ch2>Catch stolen credential use in real time\u003C/h2>","\u003Cp>Push monitors login activity directly in the browser to detect signs of credential-based attacks like leaked password use or suspicious login flows. By analyzing attacker TTPs instead of relying on known indicators, Push spots credential stuffing and account takeover attempts the moment they begin, not after they’ve succeeded.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F52b0123cac2c4dfdb1dc0af6adf9d603",{"large":628},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":630,"meta":631,"component":632,"responsiveStyles":637},"builder-dfb31737b30948c6b95323655d571a50",{"previousId":386},{"name":373,"options":633,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":634,"description":635,"reverse":6,"image":636},"\u003Ch2>Detect session hijacks and stealth access\u003C/h2>","\u003Cp>Attackers don’t always need a login screen, they often sidestep it entirely using stolen session tokens. 
Push detects when valid sessions are reused in unexpected ways, identifying hijacked sessions and stealth access attempts that traditional tools miss. Because we monitor directly in the browser, you see what’s happening inside active sessions in real time.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F94a6859a99e04d309ffe5841f3dbdf5c",{"large":638},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":640,"meta":641,"component":642,"responsiveStyles":647},"builder-f7585b90eb974d03a7dc7eae5b58d227",{"previousId":397},{"name":373,"options":643,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":644,"description":645,"reverse":41,"image":646},"\u003Ch2>Harden accounts before they’re compromised\u003C/h2>","\u003Cp>Push goes beyond alerts. It identifies apps that still allow local logins, even when SSO is configured, so you can remove weak access paths. 
Push also flags users without MFA, reused work credentials, or weak passwords, and prompts users in-browser to fix risky behaviors before they’re exploited.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01c1b638f1b6497093a4f2b8ceddb5bb",{"large":648},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":650,"meta":651,"component":652,"responsiveStyles":654},"builder-ad81d1e3afec49a791214194eae09bdc",{"previousId":408},{"name":354,"options":653,"isRSC":118},{"darkMode":6},{"large":655},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":657,"component":658,"responsiveStyles":660},"builder-8dac1aa4b9d148628d92252bd8eff822",{"name":416,"tag":416,"options":659,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":661},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":663,"@type":106,"tagName":131,"properties":664,"responsiveStyles":665},"builder-pixel-s5u3wmvz7jq",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":666},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":668},{"path":37,"query":669},{},{},1770892814499,1745499162732,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F58b660fa94aa4b30b0faeb9b663ae41a","SfUPqW5tkibIPby49keNFMdHFTr1",[],{"lastPreviewUrl":677,"hasLinks":6,"originalContentId":259,"breakpoints":678,"winningTest":118,"kind":438,"hasAutosaves":41},"https://pushsecurity.com/uc/account-takeover-detection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepo
sitory%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.94bebb7bb99d48629ad157e80cf4d81d=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.use-case-page:/uc/account-takeover-detection=94bebb7bb99d48629ad157e80cf4d81d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":680,"id":681,"name":682,"modelId":261,"published":13,"query":683,"data":686,"variations":789,"lastUpdated":790,"firstPublished":791,"testRatio":33,"screenshot":792,"createdBy":34,"lastUpdatedBy":674,"folders":793,"meta":794,"rev":440},1745009370904,"23eb48fb56d3451cab77cb6ed140ee6d","Attack path hardening",[684],{"@type":264,"property":265,"operator":266,"value":685},"/uc/attack-path-hardening",{"tsCode":37,"seoDescription":687,"jsCode":37,"customFonts":688,"fontAwesomeIcon":693,"seoTitle":682,"title":682,"blocks":694,"url":685,"state":786},"Harden access paths with visibility, detection, and 
guardrails.",[689],{"kind":273,"files":690,"version":274,"lastModified":275,"subsets":691,"menu":296,"category":295,"variants":692,"family":272},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"regular":290,"italic":289,"800italic":285,"500italic":292,"600italic":294,"200italic":291,"900italic":286,"700italic":287,"100italic":288,"300italic":293},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"faRadar",[695,781],{"@type":106,"@version":107,"tagName":323,"id":696,"meta":697,"children":698},"builder-1d8553eddcaa44d7bba9e2f4ca13af2a",{"previousId":577},[699,715,722,729,738,748,758,768,775],{"@type":106,"@version":107,"id":700,"meta":701,"component":702,"responsiveStyles":713},"builder-84fe3d7c85a743cf8cef649aa974f1ef",{"previousId":581},{"name":327,"options":703,"isRSC":118},{"title":682,"description":704,"points":705,"video":712},"\u003Cp>Push continuously monitors your environment for exposed login paths, weak credentials, and missing protections like MFA. 
It detects the gaps attackers exploit and helps you close them before they’re used.\u003C/p>",[706,708,710],{"item":707},"Find weak spots like reused passwords, local logins, and missing MFA",{"item":709},"Monitor how users actually log in across apps, flows, and tools",{"item":711},"Enforce secure access with in-browser guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fdbdcf52892034f1bbddded77f753a343%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=dbdcf52892034f1bbddded77f753a343&alt=media&optimized=true",{"large":714},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":716,"meta":717,"component":718,"responsiveStyles":720},"builder-b3f66f5b08054cc78a06fecfc3ae2337",{"previousId":597},{"name":346,"options":719,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":721},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":723,"meta":724,"component":725,"responsiveStyles":727},"builder-4c73418b84be49ed85e6e13d2625c5a0",{"previousId":604},{"name":354,"options":726,"isRSC":118},{"darkMode":41},{"large":728},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":730,"component":731,"responsiveStyles":736},"builder-dec0246085e1485c803f7152b1922a81",{"name":359,"tag":359,"options":732,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":733,"description":734,"image":735,"reverse":6},"\u003Ch2>Find the gaps that lead to compromise\u003C/h2>","\u003Cp>Misconfigurations don’t show up in your config files, they show up in how users actually access apps. 
Push monitors real login behavior in the browser, surfacing risky patterns like local login access, duplicate accounts, or missing protections that leave doors wide open.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F309a59bba8d247a19476bb369397460e",{"large":737},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":739,"meta":740,"component":741,"responsiveStyles":746},"builder-ebf049a645604a249550996a88f8f3b6",{"previousId":620},{"name":373,"options":742,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":743,"description":744,"reverse":41,"image":745},"\u003Ch2>See real login behavior\u003C/h2>","\u003Cp>Push watches authentication flows as they happen, giving you a live view of how users log in, which methods they choose, and where protections like MFA are missing. Plus, uncover every app and account in use, even shadow IT you didn’t know existed, without relying on stale config files or IdP assumptions. \u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb51f6b0357cc451b87a7a5016d984e5e",{"large":747},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":749,"meta":750,"component":751,"responsiveStyles":756},"builder-431d175c59004669b0b2776b07d71737",{"previousId":630},{"name":373,"options":752,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":753,"description":754,"reverse":6,"image":755},"\u003Ch2>Find and fix posture drift\u003C/h2>","\u003Cp>Security posture isn’t static. Push continuously monitors for issues like missing MFA or legacy login methods. 
When something falls out of policy, you know immediately with custom notifications so you can act before it turns into risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F324e39127dfc41e592b1183dfb39892d",{"large":757},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":759,"meta":760,"component":761,"responsiveStyles":766},"builder-3dffdcbe0a484e2ca4c03f019b6d40ee",{"previousId":640},{"name":373,"options":762,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":763,"description":764,"reverse":41,"image":765},"\u003Ch2>Guide users with in-browser guardrails\u003C/h2>","\u003Cp>Push doesn’t just surface problems, it helps you fix them. When users sign in without MFA, reuse a password, or use insecure credentials, Push prompts them directly in the browser to secure their access. It’s faster, more effective, and actually gets 
results.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fee8b75d13e45488aba55434a8b49ebb0",{"large":767},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":769,"meta":770,"component":771,"responsiveStyles":773},"builder-976bc222cd7647ff905f1e01cfedc453",{"previousId":650},{"name":354,"options":772,"isRSC":118},{"darkMode":6},{"large":774},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":776,"component":777,"responsiveStyles":779},"builder-8c47ec2fd0f74382bb3e6c870555632c",{"name":416,"tag":416,"options":778,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":780},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":782,"@type":106,"tagName":131,"properties":783,"responsiveStyles":784},"builder-pixel-7akm7dayau8",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":785},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":787},{"path":37,"query":788},{},{},1770892844854,1745499166112,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6ca12bf728a045f1a31d40c0beb3bfe5",[],{"kind":438,"lastPreviewUrl":795,"breakpoints":796,"hasLinks":6,"originalContentId":562,"winningTest":118,"hasAutosaves":6},"https://pushsecurity.com/uc/attack-path-hardening?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&buil
der.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.23eb48fb56d3451cab77cb6ed140ee6d=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.use-case-page:/uc/attack-path-hardening=23eb48fb56d3451cab77cb6ed140ee6d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":798,"id":799,"name":800,"modelId":261,"published":13,"query":801,"data":804,"variations":909,"lastUpdated":910,"firstPublished":911,"testRatio":33,"screenshot":912,"createdBy":34,"lastUpdatedBy":674,"folders":913,"meta":914,"rev":440},1761675020232,"ea4f309d2ffe46c5aa97ebf0fda4e2e3","ClickFix Protection",[802],{"@type":264,"property":265,"operator":266,"value":803},"/uc/clickfix-protection",{"seoDescription":805,"fontAwesomeIcon":806,"customFonts":807,"seoTitle":812,"jsCode":37,"tsCode":37,"title":812,"blocks":813,"url":803,"state":906},"Block attacks that trick users into running malicious code.","faLaptopCode",[808],{"files":809,"subsets":810,"menu":296,"version":274,"kind":273,"family":272,"lastModified":275,"variants":811,"category":295},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"200italic":291,"800italic":285,"700italic":287,"600italic":294,"100italic":288,"italic":289,"regular":290,"300italic":293,"500italic":292,"900italic":286},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"ClickFix 
protection",[814,901],{"@type":106,"@version":107,"tagName":323,"id":815,"meta":816,"children":817},"builder-d7eefdde0f2a4b2b9de3dcb2978fd6cb",{"previousId":696},[818,834,841,848,858,868,878,888,895],{"@type":106,"@version":107,"id":819,"meta":820,"component":821,"responsiveStyles":832},"builder-56e2c54bcce040a4af8b92ae03706c12",{"previousId":700},{"name":327,"options":822,"isRSC":118},{"title":812,"description":823,"points":824,"image":831},"\u003Cp>ClickFix attacks are one of the fastest-growing threats, tricking users into copying malicious code from a webpage and running it locally. This technique bypasses traditional EDR, email gateways, and network filters, leading directly to ransomware and data theft. Push stops this attack at the source, in the browser, by detecting and blocking the malicious behavior before the user can ever paste the code.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[825,827,829],{"item":826},"Detect ClickFix, FileFix, and fake CAPTCHA in the browser",{"item":828},"Block malicious copy-and-paste actions before code is executed",{"item":830},"See full telemetry into which users were targeted and what they 
saw","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b74af62889847ebb3927364485b0546",{"large":833},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":835,"meta":836,"component":837,"responsiveStyles":839},"builder-05f9614d4e3e4dc88b3ee8658f54e10e",{"previousId":716},{"name":346,"options":838,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":840},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":842,"meta":843,"component":844,"responsiveStyles":846},"builder-c4fb5179366243c1b6c32d368675cf47",{"previousId":723},{"name":354,"options":845,"isRSC":118},{"darkMode":41},{"large":847},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":849,"meta":850,"component":851,"responsiveStyles":856},"builder-261af50705fd445d8cca4a6ba20d5391",{"previousId":730},{"name":359,"tag":359,"options":852,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":853,"description":854,"reverse":6,"image":855},"\u003Ch2>Stop ClickFix-style attacks before they become a breach\u003C/h2>","\u003Cp>Traditional security tools are blind to malicious copy and paste attacks because the attack exploits a gap between the browser and the endpoint. 
EDR only sees the payload after it runs, and network tools see only part of the picture.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F98b2f7e08dec4eafaf8e24937605b8cf",{"large":857},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":859,"meta":860,"component":861,"responsiveStyles":866},"builder-7d21b8aab8064c40b1e5dd23c4749309",{"previousId":739},{"name":373,"options":862,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":863,"description":864,"reverse":41,"image":865},"\u003Ch2>Discover lures at the source\u003C/h2>","\u003Cp>Push inspects page behavior to identify ClickFix attacks as they happen. By inspecting the page, its structure, and how the user interacts with it, Push can detect and block these in-browser threats in real time. This deep, TTP-based inspection spots the trap even on novel pages that are built to bypass traditional web filters and blocklists.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F665bf47e01544c75bf9ddafd3917927b",{"large":867},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":869,"meta":870,"component":871,"responsiveStyles":876},"builder-fb91943adf6149259ed9e1e6566c9afe",{"previousId":749},{"name":373,"options":872,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":873,"description":874,"reverse":6,"image":875},"\u003Ch2>Block the malicious action\u003C/h2>","\u003Cp>When Push detects a malicious script, it intercepts the user's action and blocks the code from being copied to the clipboard. The user is protected, the attack is stopped, and no malicious code ever reaches the endpoint. 
Unlike broad DLP tools, this action is surgical, targeting only malicious behavior without disrupting normal work.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F5ee68f81f1ac416685cbfe91298cf827",{"large":877},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":879,"meta":880,"component":881,"responsiveStyles":886},"builder-bfac95fada864e5a8259b955b5b5f98b",{"previousId":759},{"name":373,"options":882,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":883,"description":884,"reverse":41,"image":885},"\u003Ch2>Accelerate ClickFix investigations\u003C/h2>","\u003Cp>When an attack happens, knowing what the user saw or did is critical. Push provides rich browser session data for rapid investigation and containment. Security teams get detailed telemetry on which users were targeted, what lure they were served, and when the block occurred. 
This enables defenders to reconstruct what happened and respond quickly, even when other tools miss the activity entirely.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6cdf2a8aeddc4e9a9023cbf974e40239",{"large":887},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":889,"meta":890,"component":891,"responsiveStyles":893},"builder-136892e831684a6987f87d3be67c33d1",{"previousId":769},{"name":354,"options":892,"isRSC":118},{"darkMode":6},{"large":894},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":896,"component":897,"responsiveStyles":899},"builder-dec26b739f2f42beb5a73cfc6c675b60",{"name":416,"tag":416,"options":898,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":900},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":902,"@type":106,"tagName":131,"properties":903,"responsiveStyles":904},"builder-pixel-zzjpxxgrc2l",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":905},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":907},{"path":37,"query":908},{},{},1770892881888,1761847585203,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F375467b8bef34ed1a8a1cc5b8b67d75f",[],{"lastPreviewUrl":915,"originalContentId":681,"winningTest":118,"hasLinks":6,"kind":438,"breakpoints":916,"hasAutosaves":6},"https://pushsecurity.com/uc/clickfix-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.u
ser.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.ea4f309d2ffe46c5aa97ebf0fda4e2e3=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.use-case-page:/uc/clickfix-protection=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":918,"id":919,"name":920,"modelId":261,"published":13,"query":921,"data":924,"variations":1029,"lastUpdated":1030,"firstPublished":1031,"testRatio":33,"screenshot":1032,"createdBy":34,"lastUpdatedBy":674,"folders":1033,"meta":1034,"rev":440},1745009743870,"a9d5556e77f84a37b5bd52310a7110c1","Incident response",[922],{"@type":264,"property":265,"operator":266,"value":923},"/uc/incident-response",{"seoDescription":925,"customFonts":926,"title":920,"jsCode":37,"fontAwesomeIcon":931,"seoTitle":932,"tsCode":37,"blocks":933,"url":923,"state":1026},"Investigate and respond faster with unique browser telemetry.",[927],{"kind":273,"subsets":928,"menu":296,"variants":929,"category":295,"family":272,"version":274,"lastModified":275,"files":930},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"900italic":286,"600italic":294,"200italic":291,"300italic":293,"100italic":288,"700italic":287,"800italic":285,"regular":290,"italic":289,"500italic":292},"faSatelliteDish","Browser-based incident 
response",[934,1021],{"@type":106,"@version":107,"tagName":323,"id":935,"meta":936,"children":937},"builder-653c4aed737b4def88dc4cd2d695660a",{"previousId":696},[938,955,962,969,978,988,998,1008,1015],{"@type":106,"@version":107,"id":939,"meta":940,"component":941,"responsiveStyles":953},"builder-18190bd36518467d9154d27d7e945b9b",{"previousId":700},{"name":327,"options":942,"isRSC":118},{"title":943,"description":944,"points":945,"video":952},"Browser-based incident response","\u003Cp>Push gives you real-time visibility into what actually happened during a breach, right in the browser where the attack played out. From credential theft to session hijacking, Push captures high-fidelity telemetry so you can investigate quickly, contain confidently, and shut it down before it spreads.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[946,948,950],{"item":947},"Reconstruct what happened with real browser session context",{"item":949},"Investigate faster with real-world session context",{"item":951},"Trigger response actions automatically through your SIEM or 
SOAR","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fd00e39d3b6e346c296261d875cf55652%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=d00e39d3b6e346c296261d875cf55652&alt=media&optimized=true",{"large":954},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":956,"meta":957,"component":958,"responsiveStyles":960},"builder-8a0a8ea63f5d48dd8a6726f2d49cf0ca",{"previousId":716},{"name":346,"options":959,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":961},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":963,"meta":964,"component":965,"responsiveStyles":967},"builder-2df65c3f54334df2b26e7cb744886cdc",{"previousId":723},{"name":354,"options":966,"isRSC":118},{"darkMode":41},{"large":968},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":970,"component":971,"responsiveStyles":976},"builder-2c32c869efc2423ab69ef06b150e9f97",{"name":359,"tag":359,"options":972,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":973,"description":974,"image":975,"reverse":6},"\u003Ch2>See attacks unfold, not just their aftermath\u003C/h2>","\u003Cp>Attacks happen in the browser, not in logs. Push captures what traditional tools miss: what users clicked, what loaded, what was entered, and how attackers moved. 
That gives you real-world evidence, not just assumptions, when every second matters.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F36fc719bd1de4a38b916f4d25c81a26d",{"large":977},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":979,"meta":980,"component":981,"responsiveStyles":986},"builder-370e53c6016e432db01e9193a2ce90f6",{"previousId":739},{"name":373,"options":982,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":983,"description":984,"reverse":41,"image":985},"\u003Ch2>Investigate faster with high-fidelity data\u003C/h2>","\u003Cp>Reconstructing an incident shouldn’t feel like guesswork. Push records detailed telemetry from inside the browser: page loads, credential inputs, DOM changes, session activity, user behavior. It’s structured, exportable, and ready to plug into your investigation workflows, so you can move fast without digging through proxy logs or relying on user reports.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa6adda040e684e67a8d68a55c5ce5f6d",{"large":987},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":989,"meta":990,"component":991,"responsiveStyles":996},"builder-a7f3767a8d184bd08fb24520bf210e95",{"previousId":749},{"name":373,"options":992,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":993,"description":994,"reverse":6,"image":995},"\u003Ch2>Contain and respond in real time\u003C/h2>","\u003Cp>When something looks off, Push doesn’t just alert you, it gives you options. Guide users with in-browser prompts. Terminate sessions. Trigger SOAR workflows. Enrich SIEM alerts. 
Push gives you the context and control to stop spread before it starts.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb3dedeed5aba4847a2c2d22e10d0ec12",{"large":997},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":999,"meta":1000,"component":1001,"responsiveStyles":1006},"builder-b92036ee0ece4b32acdbdcc7c377366b",{"previousId":759},{"name":373,"options":1002,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1003,"description":1004,"reverse":41,"image":1005},"\u003Ch2>Prevent the next one\u003C/h2>","\u003Cp>Push helps you respond fast, but it also helps you fix what went wrong. It surfaces misconfigurations and risky behaviors that made the attack possible in the first place, then guides users in-browser to remediate. One tool. Full loop. No loose ends.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc1ecc2d5d3814b62b072fac01827ff96",{"large":1007},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1009,"meta":1010,"component":1011,"responsiveStyles":1013},"builder-5e8ae39655274de89da32ab573a2525a",{"previousId":769},{"name":354,"options":1012,"isRSC":118},{"darkMode":6},{"large":1014},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1016,"component":1017,"responsiveStyles":1019},"builder-dfd6850cfb4741d2b8a0c16c2780f00a",{"name":416,"tag":416,"options":1018,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1020},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1022,"@type":106,"tagName":131,"properties":1023,"responsiveStyles":1024},"builder-pixel-z197gdgcmu",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"lar
ge":1025},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1027},{"path":37,"query":1028},{},{},1770892908052,1745427419274,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb07017bfd318431690a5bb35bda35b99",[],{"kind":438,"breakpoints":1035,"originalContentId":681,"winningTest":118,"lastPreviewUrl":1036,"hasLinks":6,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/incident-response?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.a9d5556e77f84a37b5bd52310a7110c1=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.use-case-page:/uc/incident-response=a9d5556e77f84a37b5bd52310a7110c1&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"createdDate":1038,"id":1039,"name":1040,"modelId":261,"published":13,"query":1041,"data":1044,"variations":1149,"lastUpdated":1150,"firstPublished":1151,"testRatio":33,"screenshot":1152,"createdBy":34,"lastUpdatedBy":674,"folders":1153,"meta":1154,"rev":440},1746122471259,"5f118e24433d46ceb79f5099987156d7","Shadow SaaS",[1042],{"@type":264,"property":265,"operator":266,"value":1043},"/uc/shadow-saas",{"seoTitle":1045,"seoDescription":1046,"customFonts":1047,"fontAwesomeIcon":1052,"title":1053,"jsCode":37,"tsCode":37,"blocks":1054,"url":1043,"state":1146},"Find and secure shadow SaaS","See and 
control shadow SaaS in the browser.",[1048],{"kind":273,"variants":1049,"files":1050,"family":272,"version":274,"subsets":1051,"lastModified":275,"category":295,"menu":296},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"300italic":293,"500italic":292,"regular":290,"900italic":286,"italic":289,"100italic":288,"200italic":291,"600italic":294,"700italic":287,"800italic":285},[298,299],"faShieldCheck","Secure shadow SaaS",[1055,1141],{"@type":106,"@version":107,"tagName":323,"id":1056,"meta":1057,"children":1058},"builder-04da805c4cd34652a2db452fcda52e1d",{"previousId":935},[1059,1075,1082,1089,1098,1108,1118,1128,1135],{"@type":106,"@version":107,"id":1060,"meta":1061,"component":1062,"responsiveStyles":1073},"builder-830d414faeaf41439142f9157e8288c8",{"previousId":939},{"name":327,"options":1063,"isRSC":118},{"title":1045,"description":1064,"points":1065,"video":1072},"\u003Cp>SaaS sprawl is one of today’s fastest-growing security blind spots because most tools monitor around the edges. Push sees it at the source, in the browser, revealing every app users access, flagging risky tools, and helping you shut down exposure before it leads to a breach. No guesswork. No nasty surprises. 
Just real-time visibility and control.\u003C/p>",[1066,1068,1070],{"item":1067},"Discover every SaaS app users access, managed or not",{"item":1069},"Spot accounts with weak security postures like missing MFA, unmanaged access, and no SSO",{"item":1071},"Control usage with in-browser prompts, blocks, and security guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F3e4eece318d04d6586e691d59d0741cf%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=3e4eece318d04d6586e691d59d0741cf&alt=media&optimized=true",{"large":1074},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":1076,"meta":1077,"component":1078,"responsiveStyles":1080},"builder-cd7833f966cb4c7e8adf0d6c979414a6",{"previousId":956},{"name":346,"options":1079,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":1081},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":1083,"meta":1084,"component":1085,"responsiveStyles":1087},"builder-49d720b45430454e8b08c526f267c19f",{"previousId":963},{"name":354,"options":1086,"isRSC":118},{"darkMode":41},{"large":1088},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1090,"component":1091,"responsiveStyles":1096},"builder-3dde0bf6c8544e5e9ab41b18a9d68034",{"name":359,"tag":359,"options":1092,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":1093,"description":1094,"image":1095,"reverse":6},"\u003Ch2>Use your browser to curb SaaS sprawl\u003C/h2>","\u003Cp>Shadow SaaS isn’t hiding in your network, it’s in your browser. From AI tools to unsanctioned file-sharing sites, security risks live in the apps your users sign into every day. 
Push maps your organization's true SaaS footprint in real time, exposing apps and accounts with unmanaged access, poor authentication, or no security oversight.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb6811a214c7949b6bbe0b9a3bca62efd",{"large":1097},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1099,"meta":1100,"component":1101,"responsiveStyles":1106},"builder-e2420451ccdc4f088d0a4904cff45935",{"previousId":979},{"name":373,"options":1102,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":1103,"description":1104,"reverse":41,"image":1105},"\u003Ch2>Discover hidden SaaS usage\u003C/h2>","\u003Cp>Push captures live browser telemetry across every tab and session. Whether a user signs into a sanctioned app with a personal account or tries a new AI plugin, you’ll see it in real time, with no integrations or manual tagging.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe16e301f9af94665b95d98232a863d8a",{"large":1107},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":1109,"meta":1110,"component":1111,"responsiveStyles":1116},"builder-b36de7fce7994beea9e58d94662e7166",{"previousId":989},{"name":373,"options":1112,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":1113,"description":1114,"reverse":6,"image":1115},"\u003Ch2>Spot risky access and unsafe usage\u003C/h2>","\u003Cp>Discovery is just the beginning. Push flags apps with risky traits, no MFA, no SSO, known vulnerabilities, or broad access scopes. 
You’ll know which tools introduce real risk, and which users are exposed so you can act with precision.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6585f3c242da4d70ae3cb7d02f481bef",{"large":1117},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":1119,"meta":1120,"component":1121,"responsiveStyles":1126},"builder-dc366b5134684fe7a508edf8913103ea",{"previousId":999},{"name":373,"options":1122,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1123,"description":1124,"reverse":41,"image":1125},"\u003Ch2>Close gaps before they grow\u003C/h2>","\u003Cp>Push turns insight into action. When risky SaaS use is detected, guide users to enable MFA, block high-risk apps, or apply in-browser guardrails automatically. All without deploying new infrastructure or managing dozens of integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe6d60b6d91414819bc6258a318f00557",{"large":1127},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1129,"meta":1130,"component":1131,"responsiveStyles":1133},"builder-8708f6f0d8da4b3f9e17bf16cda70219",{"previousId":1009},{"name":354,"options":1132,"isRSC":118},{"darkMode":6},{"large":1134},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1136,"component":1137,"responsiveStyles":1139},"builder-8ff4b38d60534cf28cb523ab0f754875",{"name":416,"tag":416,"options":1138,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1140},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1142,"@type":106,"tagName":131,"properties":1143,"responsiveStyles":1144},"builder-pixel-d1ul2kmxbed",{"src":133,"aria-hidden":134,"alt":37,"role":135,"w
idth":124,"height":124},{"large":1145},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1147},{"path":37,"query":1148},{},{},1770892936802,1746714967208,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01bfb2304521412fbd2e1a1180904d40",[],{"originalContentId":919,"winningTest":118,"lastPreviewUrl":1155,"breakpoints":1156,"kind":438,"hasLinks":6,"hasAutosaves":6},"https://pushsecurity.com/uc/shadow-saas?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=5f118e24433d46ceb79f5099987156d7&builder.overrides.5f118e24433d46ceb79f5099987156d7=5f118e24433d46ceb79f5099987156d7&builder.overrides.use-case-page:/uc/shadow-saas=5f118e24433d46ceb79f5099987156d7&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":1158,"id":1159,"name":1160,"modelId":261,"published":13,"query":1161,"data":1164,"variations":1268,"lastUpdated":1269,"firstPublished":1270,"testRatio":33,"screenshot":1271,"createdBy":34,"lastUpdatedBy":674,"folders":1272,"meta":1273,"rev":440},1764707470172,"b62629ce2f3741158d961cd10fe74b31","Shadow AI",[1162],{"@type":264,"property":265,"operator":266,"value":1163},"/uc/shadow-ai",{"fontAwesomeIcon":1165,"seoTitle":1166,"jsCode":37,"customFonts":1167,"title":1172,"tsCode":37,"seoDescription":1173,"blocks":1174,"url":1163,"state":1265},"faBrainCircuit","Secure AI 
native and AI enhanced apps. ",[1168],{"variants":1169,"category":295,"files":1170,"subsets":1171,"family":272,"kind":273,"menu":296,"lastModified":275,"version":274},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"800italic":285,"regular":290,"700italic":287,"200italic":291,"italic":289,"500italic":292,"600italic":294,"300italic":293,"100italic":288,"900italic":286},[298,299],"Secure shadow AI","See and control shadow AI apps in the browser.",[1175,1260],{"@type":106,"@version":107,"tagName":323,"id":1176,"meta":1177,"children":1178},"builder-a6e5717a2c914d5695058e4ee201a05d",{"previousId":1056},[1179,1195,1202,1209,1219,1228,1237,1247,1254],{"@type":106,"@version":107,"id":1180,"meta":1181,"component":1182,"responsiveStyles":1193},"builder-3e0ed678683f4a0eb7aa00253cf263b2",{"previousId":1060},{"name":327,"options":1183,"isRSC":118},{"title":1172,"description":1184,"points":1185,"image":1192},"\u003Cp>Your employees are adopting AI faster than you can track it. From native features in corporate apps to unapproved shadow tools, it’s all happening in the browser. 
Push detects every AI interaction in real time, letting you categorize apps and enforce acceptable use policies in the browser.\u003C/p>",[1186,1188,1190],{"item":1187},"Map every AI tool used across your workforce",{"item":1189},"Review and classify apps by sensitivity, purpose, and policy status",{"item":1191},"Enforce AI usage rules directly in the browser","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F33cf153d920f4e389f3650253577cff7",{"large":1194},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":1196,"meta":1197,"component":1198,"responsiveStyles":1200},"builder-76968f8471d14893b8189d75b08fb426",{"previousId":1076},{"name":346,"options":1199,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":1201},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":1203,"meta":1204,"component":1205,"responsiveStyles":1207},"builder-b55b9d4bc5a649d8839ce7f6c2043d95",{"previousId":1083},{"name":354,"options":1206,"isRSC":118},{"darkMode":41},{"large":1208},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1210,"meta":1211,"component":1212,"responsiveStyles":1217},"builder-c3f38ef4d75d4989a29b5903175ed8a1",{"previousId":1090},{"name":359,"tag":359,"options":1213,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":1214,"description":1215,"image":1216,"reverse":6},"\u003Ch2>Use your browser to govern AI \u003C/h2>","\u003Cp>The AI footprint inside your company is bigger than you think. From text generators to meeting assistants and design copilots, employees test, adopt, and connect new tools constantly. 
Push shows you those tools and which users are accessing them, without relying on network scans or API integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F30b43bda6f1644c19478fb1efa20050c",{"large":1218},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1220,"meta":1221,"component":1222,"responsiveStyles":1226},"builder-90ee9cb9afc44e7f885523715bf51a53",{"previousId":1099},{"name":373,"options":1223,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":1224,"description":1225,"reverse":41,"image":1115},"\u003Ch2>Discover every AI tool users touch\u003C/h2>","\u003Cp>Push captures live telemetry from the browser, identifying every AI-native and AI-enhanced application users access. You’ll know which corporate identities are connected, how data flows, and what new AI apps appear across your environment. \u003C/p>",{"large":1227},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":1229,"meta":1230,"component":1231,"responsiveStyles":1235},"builder-9e44539fa53c4d8e87406036c921fc46",{"previousId":1109},{"name":373,"options":1232,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":1233,"description":1234,"reverse":6,"image":1125},"\u003Ch2>Classify and manage AI risk\u003C/h2>","\u003Cp>For apps you choose to allow, Push lets you apply custom in-browser banners. You can bulk-select categories of AI tools and require users to read and acknowledge your acceptable use policy before they proceed. 
This creates an auditable trail and moves policy from an easy to forget document to an active, in-workflow control.\u003C/p>",{"large":1236},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":1238,"meta":1239,"component":1240,"responsiveStyles":1245},"builder-44c1a891926f4bdeaaa37e90721fe6ac",{"previousId":1119},{"name":373,"options":1241,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1242,"description":1243,"reverse":41,"image":1244},"\u003Ch2>Enforce your AI policy in the browser\u003C/h2>","\u003Cp>When an AI tool is deemed non-compliant or too risky, Push blocks it at the source. The block happens directly in the browser, preventing the user from accessing the site or submitting data. This gives you an immediate, powerful lever to stop data exfiltration and enforce a hard line on unacceptable risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa359ac1805af4e15a8a7f84632b9bb55",{"large":1246},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1248,"meta":1249,"component":1250,"responsiveStyles":1252},"builder-dcc906f9cbe54dc68b3c672668e7a38f",{"previousId":1129},{"name":354,"options":1251,"isRSC":118},{"darkMode":6},{"large":1253},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1255,"component":1256,"responsiveStyles":1258},"builder-d2d64780c31b4349bc75805b23a07e38",{"name":416,"tag":416,"options":1257,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1259},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1261,"@type":106,"tagName":131,"properties":1262,"responsiveStyles":1263},"builder-pixel-wxx9tk70r9p",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124
},{"large":1264},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1266},{"path":37,"query":1267},{},{},1770892957225,1764950077593,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe558b8b069884037a8e6904f7ecc029c",[],{"winningTest":118,"breakpoints":1274,"originalContentId":1039,"kind":438,"lastPreviewUrl":1275,"hasLinks":6,"hasAutosaves":41},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/shadow-ai?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=b62629ce2f3741158d961cd10fe74b31&builder.overrides.b62629ce2f3741158d961cd10fe74b31=b62629ce2f3741158d961cd10fe74b31&builder.overrides.use-case-page:/uc/shadow-ai=b62629ce2f3741158d961cd10fe74b31&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"_path":1277,"_dir":1278,"_draft":6,"_partial":6,"_locale":37,"sys":1279,"ogImage":118,"summary":1282,"title":1296,"subtitle":118,"metaTitle":1297,"synopsis":1298,"hashTags":118,"publishedDate":1299,"slug":1300,"tagsCollection":1301,"content":1311,"relatedBlogPostsCollection":2070,"authorsCollection":3885,"_id":3889,"_type":3890,"_source":3891,"_file":3892,"_stem":3893,"_extension":3890},"/blog/the-risky-terrain-of-oauth-scopes-in-third-party","blog",{"id":1280,"publishedAt":1281},"7D24HwiebYpKv6FRe1ouwv","2024-10-01T13:15:27.455Z",{"json":1283},{"data":1284,"content":1285,"nodeType":1295},{},[1286],{"data
":1287,"content":1288,"nodeType":1294},{},[1289],{"data":1290,"marks":1291,"value":1292,"nodeType":1293},{},[],"While OAuth scopes provide seamless online user authentication, they also carry significant risk. This article explores these common, dangerous scopes so you can keep an eye out for them during your next risk assessment.\n","text","paragraph","document","Under the radar: The risky terrain of OAuth scopes in third-party Integrations","Dangerous OAuth scopes in third-party Integrations","While OAuth scopes provide seamless online user authentication, they also carry significant risk. Watch out for these common, dangerous scopes.\n","2023-09-06T00:00:00.000Z","the-risky-terrain-of-oauth-scopes-in-third-party",{"items":1302},[1303,1307],{"sys":1304,"name":1306},{"id":1305},"1gZi8NrRy2v9OqPV7C4dwD","Risk management",{"sys":1308,"name":1310},{"id":1309},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"json":1312,"links":2049},{"nodeType":1295,"data":1313,"content":1314},{},[1315,1322,1329,1337,1345,1397,1404,1411,1418,1426,1518,1525,1532,1539,1546,1593,1600,1607,1615,1662,1669,1701,1708,1716,1809,1816,1823,1830,1838,1884,1891,1898,1905,1913,1954,1961,1968,1975,2000,2007,2014,2036,2043],{"nodeType":1294,"data":1316,"content":1317},{},[1318],{"nodeType":1293,"value":1319,"marks":1320,"data":1321},"While OAuth scopes are instrumental in providing seamless online user authentication, they also carry significant risk in terms of security breaches. This risk magnifies when exposed to malicious actors, who can exploit certain high-risk scopes such as Microsoft 365’s “MailboxSettings.ReadWrite”, and Google Workspace’s “gmail.settings.sharing” to carry out nefarious actions.",[],{},{"nodeType":1294,"data":1323,"content":1324},{},[1325],{"nodeType":1293,"value":1326,"marks":1327,"data":1328},"This article includes the most common high-risk scopes that may pose risk to your organization following the compromise of a third-party integration. 
Watch out for these common, dangerous scopes in your next risk assessment.",[],{},{"nodeType":1330,"data":1331,"content":1332},"heading-1",{},[1333],{"nodeType":1293,"value":1334,"marks":1335,"data":1336},"Capability: Backdoor Mailbox",[],{},{"nodeType":1294,"data":1338,"content":1339},{},[1340],{"nodeType":1293,"value":1341,"marks":1342,"data":1344},"Types of attacks: Business email compromise, account takeover via password reset email",[1343],{"type":312},{},{"nodeType":1346,"data":1347,"content":1348},"table",{},[1349,1374],{"nodeType":1350,"data":1351,"content":1352},"table-row",{},[1353,1364],{"nodeType":1354,"data":1355,"content":1356},"table-cell",{},[1357],{"nodeType":1294,"data":1358,"content":1359},{},[1360],{"nodeType":1293,"value":1361,"marks":1362,"data":1363},"Microsoft 365 / Azure",[],{},{"nodeType":1354,"data":1365,"content":1366},{},[1367],{"nodeType":1294,"data":1368,"content":1369},{},[1370],{"nodeType":1293,"value":1371,"marks":1372,"data":1373},"Google Workspace",[],{},{"nodeType":1350,"data":1375,"content":1376},{},[1377,1387],{"nodeType":1354,"data":1378,"content":1379},{},[1380],{"nodeType":1294,"data":1381,"content":1382},{},[1383],{"nodeType":1293,"value":1384,"marks":1385,"data":1386},"MailboxSettings.ReadWrite",[],{},{"nodeType":1354,"data":1388,"content":1389},{},[1390],{"nodeType":1294,"data":1391,"content":1392},{},[1393],{"nodeType":1293,"value":1394,"marks":1395,"data":1396},"https://www.googleapis.com/auth/gmail.settings.sharing",[],{},{"nodeType":1294,"data":1398,"content":1399},{},[1400],{"nodeType":1293,"value":1401,"marks":1402,"data":1403},"Scopes that allow you to alter sensitive mailbox settings, such as forwarding rules, can allow malicious actors to take over a user’s mailbox by moving, deleting, or forwarding mail externally. 
This type of attack is typically prevalent in business email compromise (BEC) scenarios where a malicious actor intercepts sensitive communications, leading, for example, to invoice fraud.",[],{},{"nodeType":1294,"data":1405,"content":1406},{},[1407],{"nodeType":1293,"value":1408,"marks":1409,"data":1410},"The malicious actor would also be able to forward password reset email requests and delete the email from the victim’s inbox to avoid detection, thereby gaining the ability to reset credentials and gain access to third-party SaaS applications while remaining undetected.",[],{},{"nodeType":1330,"data":1412,"content":1413},{},[1414],{"nodeType":1293,"value":1415,"marks":1416,"data":1417},"Capability: Account Takeover, Privilege Escalation",[],{},{"nodeType":1294,"data":1419,"content":1420},{},[1421],{"nodeType":1293,"value":1422,"marks":1423,"data":1425},"Types of attacks: account takeover via password reset, privilege escalation via group membership change",[1424],{"type":312},{},{"nodeType":1346,"data":1427,"content":1428},{},[1429,1450,1473,1496],{"nodeType":1350,"data":1430,"content":1431},{},[1432,1441],{"nodeType":1354,"data":1433,"content":1434},{},[1435],{"nodeType":1294,"data":1436,"content":1437},{},[1438],{"nodeType":1293,"value":1361,"marks":1439,"data":1440},[],{},{"nodeType":1354,"data":1442,"content":1443},{},[1444],{"nodeType":1294,"data":1445,"content":1446},{},[1447],{"nodeType":1293,"value":1371,"marks":1448,"data":1449},[],{},{"nodeType":1350,"data":1451,"content":1452},{},[1453,1463],{"nodeType":1354,"data":1454,"content":1455},{},[1456],{"nodeType":1294,"data":1457,"content":1458},{},[1459],{"nodeType":1293,"value":1460,"marks":1461,"data":1462},"Directory.ReadWrite.All",[],{},{"nodeType":1354,"data":1464,"content":1465},{},[1466],{"nodeType":1294,"data":1467,"content":1468},{},[1469],{"nodeType":1293,"value":1470,"marks":1471,"data":1472},"https://www.googleapis.com/auth/admin.directory.user.security",[],{},{"nodeType":1350,"data":1474,"content
":1475},{},[1476,1486],{"nodeType":1354,"data":1477,"content":1478},{},[1479],{"nodeType":1294,"data":1480,"content":1481},{},[1482],{"nodeType":1293,"value":1483,"marks":1484,"data":1485},"User.ReadWrite.All",[],{},{"nodeType":1354,"data":1487,"content":1488},{},[1489],{"nodeType":1294,"data":1490,"content":1491},{},[1492],{"nodeType":1293,"value":1493,"marks":1494,"data":1495},"https://www.googleapis.com/auth/admin.directory.user",[],{},{"nodeType":1350,"data":1497,"content":1498},{},[1499,1508],{"nodeType":1354,"data":1500,"content":1501},{},[1502],{"nodeType":1294,"data":1503,"content":1504},{},[1505],{"nodeType":1293,"value":37,"marks":1506,"data":1507},[],{},{"nodeType":1354,"data":1509,"content":1510},{},[1511],{"nodeType":1294,"data":1512,"content":1513},{},[1514],{"nodeType":1293,"value":1515,"marks":1516,"data":1517},"https://www.googleapis.com/auth/admin.directory.group",[],{},{"nodeType":1294,"data":1519,"content":1520},{},[1521],{"nodeType":1293,"value":1522,"marks":1523,"data":1524},"The above scopes are typically used by applications that perform identity management within your cloud environment. “Directory.ReadWrite.All” for example, allows you to read and modify practically any aspect of objects within your directory. This includes group membership, password resets, and re-enabling previously disabled accounts. ",[],{},{"nodeType":1294,"data":1526,"content":1527},{},[1528],{"nodeType":1293,"value":1529,"marks":1530,"data":1531},"“User.ReadWrite.All” has similar privileges, albeit limited in scope to user accounts only. 
An attacker in a position to abuse such scopes would be able to take over accounts, escalate privileges by assigning the accounts to privileged groups, and remain under the radar by making use of previously disabled accounts.",[],{},{"nodeType":1330,"data":1533,"content":1534},{},[1535],{"nodeType":1293,"value":1536,"marks":1537,"data":1538},"Capability: Email Access",[],{},{"nodeType":1294,"data":1540,"content":1541},{},[1542],{"nodeType":1293,"value":1341,"marks":1543,"data":1545},[1544],{"type":312},{},{"nodeType":1346,"data":1547,"content":1548},{},[1549,1570],{"nodeType":1350,"data":1550,"content":1551},{},[1552,1561],{"nodeType":1354,"data":1553,"content":1554},{},[1555],{"nodeType":1294,"data":1556,"content":1557},{},[1558],{"nodeType":1293,"value":1361,"marks":1559,"data":1560},[],{},{"nodeType":1354,"data":1562,"content":1563},{},[1564],{"nodeType":1294,"data":1565,"content":1566},{},[1567],{"nodeType":1293,"value":1371,"marks":1568,"data":1569},[],{},{"nodeType":1350,"data":1571,"content":1572},{},[1573,1583],{"nodeType":1354,"data":1574,"content":1575},{},[1576],{"nodeType":1294,"data":1577,"content":1578},{},[1579],{"nodeType":1293,"value":1580,"marks":1581,"data":1582},"Mail.ReadWrite",[],{},{"nodeType":1354,"data":1584,"content":1585},{},[1586],{"nodeType":1294,"data":1587,"content":1588},{},[1589],{"nodeType":1293,"value":1590,"marks":1591,"data":1592},"https://mail.google.com/",[],{},{"nodeType":1294,"data":1594,"content":1595},{},[1596],{"nodeType":1293,"value":1597,"marks":1598,"data":1599},"Scopes that have direct access to mailboxes naturally provide risk in terms of a malicious actor’s ability to read sensitive information, and access to third-party SaaS applications’ password reset email requests, not unlike the ‘Backdoor Mailbox’ capability.",[],{},{"nodeType":1330,"data":1601,"content":1602},{},[1603],{"nodeType":1293,"value":1604,"marks":1605,"data":1606},"Capability: Access as 
User",[],{},{"nodeType":1294,"data":1608,"content":1609},{},[1610],{"nodeType":1293,"value":1611,"marks":1612,"data":1614},"Types of attacks: Gain access to resources available to the particular account",[1613],{"type":312},{},{"nodeType":1346,"data":1616,"content":1617},{},[1618,1639],{"nodeType":1350,"data":1619,"content":1620},{},[1621,1630],{"nodeType":1354,"data":1622,"content":1623},{},[1624],{"nodeType":1294,"data":1625,"content":1626},{},[1627],{"nodeType":1293,"value":1361,"marks":1628,"data":1629},[],{},{"nodeType":1354,"data":1631,"content":1632},{},[1633],{"nodeType":1294,"data":1634,"content":1635},{},[1636],{"nodeType":1293,"value":1371,"marks":1637,"data":1638},[],{},{"nodeType":1350,"data":1640,"content":1641},{},[1642,1652],{"nodeType":1354,"data":1643,"content":1644},{},[1645],{"nodeType":1294,"data":1646,"content":1647},{},[1648],{"nodeType":1293,"value":1649,"marks":1650,"data":1651},"Directory.AccessAsUser.All",[],{},{"nodeType":1354,"data":1653,"content":1654},{},[1655],{"nodeType":1294,"data":1656,"content":1657},{},[1658],{"nodeType":1293,"value":1659,"marks":1660,"data":1661},"https://www.googleapis.com/auth/cloud-platform",[],{},{"nodeType":1294,"data":1663,"content":1664},{},[1665],{"nodeType":1293,"value":1666,"marks":1667,"data":1668},"Scopes that provide “Access as User” privileges are typically used by applications that need to impersonate a user and their access permissions. 
This may not sound super risky at the surface level, but if you consider that a user may have access to shared resources across an organization, the risk starts to add up.",[],{},{"nodeType":1294,"data":1670,"content":1671},{},[1672,1676,1685,1689,1697],{"nodeType":1293,"value":1673,"marks":1674,"data":1675},"One example of the impact of such scopes is noted in Chris Moberly's incredibly informative ",[],{},{"nodeType":1677,"data":1678,"content":1680},"hyperlink",{"uri":1679},"https://initblog.com/2020/gcp-post-exploitation/",[1681],{"nodeType":1293,"value":1682,"marks":1683,"data":1684},"blog post",[],{},{"nodeType":1293,"value":1686,"marks":1687,"data":1688}," where the “",[],{},{"nodeType":1677,"data":1690,"content":1691},{"uri":1659},[1692],{"nodeType":1293,"value":1659,"marks":1693,"data":1696},[1694],{"type":1695},"underline",{},{"nodeType":1293,"value":1698,"marks":1699,"data":1700},"” scope is abused to authenticate to practically all API functions within Google Cloud, and in turn access the owner’s data.",[],{},{"nodeType":1330,"data":1702,"content":1703},{},[1704],{"nodeType":1293,"value":1705,"marks":1706,"data":1707},"Capability: OneDrive / SharePoint /  Google Drive File Access",[],{},{"nodeType":1294,"data":1709,"content":1710},{},[1711],{"nodeType":1293,"value":1712,"marks":1713,"data":1715},"Types of attacks: Gain access to all files stored within the OneDrive/SharePoint or Google Drive 
services",[1714],{"type":312},{},{"nodeType":1346,"data":1717,"content":1718},{},[1719,1740,1763,1786],{"nodeType":1350,"data":1720,"content":1721},{},[1722,1731],{"nodeType":1354,"data":1723,"content":1724},{},[1725],{"nodeType":1294,"data":1726,"content":1727},{},[1728],{"nodeType":1293,"value":1361,"marks":1729,"data":1730},[],{},{"nodeType":1354,"data":1732,"content":1733},{},[1734],{"nodeType":1294,"data":1735,"content":1736},{},[1737],{"nodeType":1293,"value":1371,"marks":1738,"data":1739},[],{},{"nodeType":1350,"data":1741,"content":1742},{},[1743,1753],{"nodeType":1354,"data":1744,"content":1745},{},[1746],{"nodeType":1294,"data":1747,"content":1748},{},[1749],{"nodeType":1293,"value":1750,"marks":1751,"data":1752},"Files.ReadWrite.All / Files.Read.All",[],{},{"nodeType":1354,"data":1754,"content":1755},{},[1756],{"nodeType":1294,"data":1757,"content":1758},{},[1759],{"nodeType":1293,"value":1760,"marks":1761,"data":1762},"https://www.googleapis.com/auth/drive",[],{},{"nodeType":1350,"data":1764,"content":1765},{},[1766,1776],{"nodeType":1354,"data":1767,"content":1768},{},[1769],{"nodeType":1294,"data":1770,"content":1771},{},[1772],{"nodeType":1293,"value":1773,"marks":1774,"data":1775},"Sites.ReadWrite.All / 
Sites.Read.All",[],{},{"nodeType":1354,"data":1777,"content":1778},{},[1779],{"nodeType":1294,"data":1780,"content":1781},{},[1782],{"nodeType":1293,"value":1783,"marks":1784,"data":1785},"https://www.googleapis.com/auth/drive.readonly",[],{},{"nodeType":1350,"data":1787,"content":1788},{},[1789,1799],{"nodeType":1354,"data":1790,"content":1791},{},[1792],{"nodeType":1294,"data":1793,"content":1794},{},[1795],{"nodeType":1293,"value":1796,"marks":1797,"data":1798},"\n",[],{},{"nodeType":1354,"data":1800,"content":1801},{},[1802],{"nodeType":1294,"data":1803,"content":1804},{},[1805],{"nodeType":1293,"value":1806,"marks":1807,"data":1808},"https://www.googleapis.com/auth/drive.file",[],{},{"nodeType":1294,"data":1810,"content":1811},{},[1812],{"nodeType":1293,"value":1813,"marks":1814,"data":1815},"OneDrive, SharePoint, and Google Drive are likely the services where some of the most sensitive content in your organization resides. Scopes that provide access to document stores should thus be treated as having access to critical information (think PII, trade secrets, acquisition deals).",[],{},{"nodeType":1294,"data":1817,"content":1818},{},[1819],{"nodeType":1293,"value":1820,"marks":1821,"data":1822},"Document theft would be possible with the read-only scopes. However, a malicious actor with ‘write’ permissions would be able to expand into another level of attacks which involves manipulating the content of documents. 
This could include altering banking details on invoices, or the inclusion of malicious code in macros embedded in the documents, leading to code execution and further compromise.",[],{},{"nodeType":1330,"data":1824,"content":1825},{},[1826],{"nodeType":1293,"value":1827,"marks":1828,"data":1829},"Capability: Privilege Escalation, Persistence",[],{},{"nodeType":1294,"data":1831,"content":1832},{},[1833],{"nodeType":1293,"value":1834,"marks":1835,"data":1837},"Types of attacks: Adding credentials, backdooring applications",[1836],{"type":312},{},{"nodeType":1346,"data":1839,"content":1840},{},[1841,1862],{"nodeType":1350,"data":1842,"content":1843},{},[1844,1853],{"nodeType":1354,"data":1845,"content":1846},{},[1847],{"nodeType":1294,"data":1848,"content":1849},{},[1850],{"nodeType":1293,"value":1361,"marks":1851,"data":1852},[],{},{"nodeType":1354,"data":1854,"content":1855},{},[1856],{"nodeType":1294,"data":1857,"content":1858},{},[1859],{"nodeType":1293,"value":1371,"marks":1860,"data":1861},[],{},{"nodeType":1350,"data":1863,"content":1864},{},[1865,1875],{"nodeType":1354,"data":1866,"content":1867},{},[1868],{"nodeType":1294,"data":1869,"content":1870},{},[1871],{"nodeType":1293,"value":1872,"marks":1873,"data":1874},"Application.ReadWrite.All",[],{},{"nodeType":1354,"data":1876,"content":1877},{},[1878],{"nodeType":1294,"data":1879,"content":1880},{},[1881],{"nodeType":1293,"value":1659,"marks":1882,"data":1883},[],{},{"nodeType":1294,"data":1885,"content":1886},{},[1887],{"nodeType":1293,"value":1888,"marks":1889,"data":1890},"The \"Application.ReadWrite.All\" scope could enable a malicious actor to add credentials to applications already present in your tenant, paving the way for privilege escalation. As an example, if a malicious actor compromises an application with this scope, they could add credentials to any other application in your tenant that has the \"Directory.ReadWrite.All\" scope, thereby gaining access to its data and 
privileges.",[],{},{"nodeType":1294,"data":1892,"content":1893},{},[1894],{"nodeType":1293,"value":1895,"marks":1896,"data":1897},"This naturally lends itself to a malicious actor gaining persistence via the addition of credentials to other applications. This would allow them to authenticate as these other applications within your Azure or Google tenants, and allow them to assume those applications’ privileges, too.",[],{},{"nodeType":1330,"data":1899,"content":1900},{},[1901],{"nodeType":1293,"value":1902,"marks":1903,"data":1904},"Capability: Teams chat history / OneNote access",[],{},{"nodeType":1294,"data":1906,"content":1907},{},[1908],{"nodeType":1293,"value":1909,"marks":1910,"data":1912},"Types of attacks: Gain access to users’ Teams chat histories or OneNote notes",[1911],{"type":312},{},{"nodeType":1346,"data":1914,"content":1915},{},[1916,1928,1941],{"nodeType":1350,"data":1917,"content":1918},{},[1919],{"nodeType":1354,"data":1920,"content":1921},{},[1922],{"nodeType":1294,"data":1923,"content":1924},{},[1925],{"nodeType":1293,"value":1361,"marks":1926,"data":1927},[],{},{"nodeType":1350,"data":1929,"content":1930},{},[1931],{"nodeType":1354,"data":1932,"content":1933},{},[1934],{"nodeType":1294,"data":1935,"content":1936},{},[1937],{"nodeType":1293,"value":1938,"marks":1939,"data":1940},"Chat.ReadWrite / Chat.ReadWrite.All",[],{},{"nodeType":1350,"data":1942,"content":1943},{},[1944],{"nodeType":1354,"data":1945,"content":1946},{},[1947],{"nodeType":1294,"data":1948,"content":1949},{},[1950],{"nodeType":1293,"value":1951,"marks":1952,"data":1953},"Notes.ReadWrite.All",[],{},{"nodeType":1294,"data":1955,"content":1956},{},[1957],{"nodeType":1293,"value":1958,"marks":1959,"data":1960},"If a malicious actor were to gain access to your meeting notes or Teams chat histories, what would they find? Perhaps passwords shared between team members or confidential proprietary information? 
With the scopes designated with ‘All’, a malicious actor will be able to pull the Teams or notes history of all users within the organization.",[],{},{"nodeType":1330,"data":1962,"content":1963},{},[1964],{"nodeType":1293,"value":1965,"marks":1966,"data":1967},"I found an integration we use that includes these dangerous scopes… now what?",[],{},{"nodeType":1294,"data":1969,"content":1970},{},[1971],{"nodeType":1293,"value":1972,"marks":1973,"data":1974},"While the scopes listed here are definitely some of the most dangerous when granted to third-party integrations, they will usually be paired with legitimate apps offering legitimate functionality. But then how do you determine which integrations need further scrutiny?",[],{},{"nodeType":1294,"data":1976,"content":1977},{},[1978,1982,1996],{"nodeType":1293,"value":1979,"marks":1980,"data":1981},"The biggest red flag you might come across would be an unrecognized or unapproved integration making use of these scopes, as it may be associated with attacks such as ",[],{},{"nodeType":1983,"data":1984,"content":1990},"entry-hyperlink",{"target":1985},{"sys":1986},{"id":1987,"type":1988,"linkType":1989},"1bV8YTSQHvveCTnRc4H8su","Link","Entry",[1991],{"nodeType":1293,"value":1992,"marks":1993,"data":1995},"consent phishing",[1994],{"type":1695},{},{"nodeType":1293,"value":1997,"marks":1998,"data":1999},". ",[],{},{"nodeType":1294,"data":2001,"content":2002},{},[2003],{"nodeType":1293,"value":2004,"marks":2005,"data":2006},"Determining their legitimacy should be the number one priority. This would hopefully be done via your security team having performed due diligence and permissions review, and ascertaining whether the app has legitimate use within the business. 
As with the consent phishing example, a user may have granted a third-party app access to their mailbox or OneDrive files without fully grasping the implications of their actions.",[],{},{"nodeType":1294,"data":2008,"content":2009},{},[2010],{"nodeType":1293,"value":2011,"marks":2012,"data":2013},"Push provides visibility to the security team whenever a new third-party integration is detected by way of notifications via a designated Slack or Teams channel. This may help your security team stay on top of unsanctioned apps by providing the ability to remove integrations which may provide unnecessary risk to your organization.",[],{},{"nodeType":1294,"data":2015,"content":2016},{},[2017,2021,2032],{"nodeType":1293,"value":2018,"marks":2019,"data":2020},"\nIf you’re interested in further reading about how attackers can compromise your environment through SaaS apps, ",[],{},{"nodeType":1983,"data":2022,"content":2026},{"target":2023},{"sys":2024},{"id":2025,"type":1988,"linkType":1989},"3JXKiUMGU8JBpndhLRYOCJ",[2027],{"nodeType":1293,"value":2028,"marks":2029,"data":2031},"this article",[2030],{"type":1695},{},{"nodeType":1293,"value":2033,"marks":2034,"data":2035}," may shed some light on the topic. 
",[],{},{"nodeType":2037,"data":2038,"content":2042},"embedded-entry-block",{"target":2039},{"sys":2040},{"id":2041,"type":1988,"linkType":1989},"6iKFd9Qys2SSuNqKVQB7ka",[],{"nodeType":1294,"data":2044,"content":2045},{},[2046],{"nodeType":1293,"value":37,"marks":2047,"data":2048},[],{},{"entries":2050},{"inline":2051,"hyperlink":2052,"block":2062},[],[2053,2058],{"sys":2054,"__typename":2055,"title":2056,"slug":2057},{"id":1987},"BlogPosts","Consent phishing: the emerging phishing technique that can bypass 2FA","consent-phishing-the-emerging-phishing-technique-that-can-bypass-2fa",{"sys":2059,"__typename":2055,"title":2060,"slug":2061},{"id":2025},"How attackers compromise Azure organizations through SaaS apps ","how-attackers-compromise-azure-organizations-through-saas-apps",[2063],{"sys":2064,"__typename":2065,"type":2066,"ctaText":2067,"buttonLabel":2068,"buttonColour":2069,"buttonUrl":118},{"id":2041},"CtaWidget","Demo","Learn how Push can help you secure identities across your org","Book a demo!","sunny orange",{"items":2071},[2072,3401],{"__typename":2055,"sys":2073,"content":2074,"title":2060,"synopsis":2089,"hashTags":118,"publishedDate":3384,"slug":2061,"tagsCollection":3385,"authorsCollection":3393},{"id":2025},{"json":2075},{"nodeType":1295,"data":2076,"content":2077},{},[2078,2085,2092,2099,2107,2128,2135,2141,2148,2155,2162,2197,2203,2210,2328,2335,2342,2598,2605,2612,2618,2651,2658,2665,2671,2678,2684,2691,2698,2704,2711,2718,2724,2731,2738,2744,2751,2767,2773,2780,2812,2819,2839,2846,2853,2860,2866,2904,2924,2979,2986,2993,3013,3031,3038,3071,3077,3084,3091,3098,3105,3112,3119,3139,3145,3152,3171,3178,3185,3191,3198,3205,3211,3218,3264,3271,3277,3284,3290,3297,3304,3337,3344,3351,3358,3365,3372,3378],{"nodeType":1294,"data":2079,"content":2080},{},[2081],{"nodeType":1293,"value":2082,"marks":2083,"data":2084},"With the proliferation of SaaS apps and integrations comes an equal helping of uncertainty surrounding the associated security risks. 
If you’ve ever found yourself in a position where you’ve had to review a SaaS app integration, whether it’s during the remediation stage of an incident or simply during the process of tending to a user request, then keep on reading. ",[],{},{"nodeType":1294,"data":2086,"content":2087},{},[2088],{"nodeType":1293,"value":2089,"marks":2090,"data":2091},"This article covers common ways an app could lead to compromise in Microsoft Azure, and what to look out for when determining risk to your organization.",[],{},{"nodeType":1330,"data":2093,"content":2094},{},[2095],{"nodeType":1293,"value":2096,"marks":2097,"data":2098},"Consent phishing",[],{},{"nodeType":2100,"data":2101,"content":2102},"heading-2",{},[2103],{"nodeType":1293,"value":2104,"marks":2105,"data":2106},"The issue:",[],{},{"nodeType":1294,"data":2108,"content":2109},{},[2110,2114,2124],{"nodeType":1293,"value":2111,"marks":2112,"data":2113},"This method of compromising user accounts has been covered a ",[],{},{"nodeType":1983,"data":2115,"content":2118},{"target":2116},{"sys":2117},{"id":1987,"type":1988,"linkType":1989},[2119],{"nodeType":1293,"value":2120,"marks":2121,"data":2123},"few times",[2122],{"type":1695},{},{"nodeType":1293,"value":2125,"marks":2126,"data":2127}," by Push. Without rehashing too much of the content, the main idea behind consent phishing is to get a user to perform an integration while the app masquerades as something official. ",[],{},{"nodeType":1294,"data":2129,"content":2130},{},[2131],{"nodeType":1293,"value":2132,"marks":2133,"data":2134},"As an example, a user is sent an email where the content is either surprisingly legitimate, or sparks sufficient curiosity to make them want to access the data behind the link. They are directed to a Microsoft or Google login page, where the app asks for certain permissions, such as mailbox access. The user, having performed these actions before, thinks nothing of it and clicks ‘allow’. 
The attacker successfully tricked the user into giving them access to their mailbox (or whichever privileges the app was requesting).",[],{},{"nodeType":2037,"data":2136,"content":2140},{"target":2137},{"sys":2138},{"id":2139,"type":1988,"linkType":1989},"2zeeE8NrgX4MnpHdIjszot",[],{"nodeType":2100,"data":2142,"content":2143},{},[2144],{"nodeType":1293,"value":2145,"marks":2146,"data":2147},"The solution:",[],{},{"nodeType":1294,"data":2149,"content":2150},{},[2151],{"nodeType":1293,"value":2152,"marks":2153,"data":2154},"There are two ways to help prevent this type of compromise:",[],{},{"nodeType":1294,"data":2156,"content":2157},{},[2158],{"nodeType":1293,"value":2159,"marks":2160,"data":2161},"The first is to go the “block everything” route by preventing any integrations from being added to your tenants at all. This is quite heavy-handed and a bit like throwing the baby out with the bathwater, as this approach leads to IT/security departments becoming known as the departments of ‘NO’, potentially resulting in users circumventing controls, and the emergence of shadow IT.",[],{},{"nodeType":1294,"data":2163,"content":2164},{},[2165,2169,2178,2182,2193],{"nodeType":1293,"value":2166,"marks":2167,"data":2168},"The second is to be sensible about what to allow and what to prevent during SaaS integrations. 
For instance, in Microsoft 365 administrators are able to ",[],{},{"nodeType":1677,"data":2170,"content":2172},{"uri":2171},"https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-permission-classifications",[2173],{"nodeType":1293,"value":2174,"marks":2175,"data":2177},"specify low-risk scopes",[2176],{"type":1695},{},{"nodeType":1293,"value":2179,"marks":2180,"data":2181},", such as ones specifically used for performing social logins (which are okay to do ",[],{},{"nodeType":1983,"data":2183,"content":2187},{"target":2184},{"sys":2185},{"id":2186,"type":1988,"linkType":1989},"68syxk4cmD6QOdVRcDqgEZ",[2188],{"nodeType":1293,"value":2189,"marks":2190,"data":2192},"by the way",[2191],{"type":1695},{},{"nodeType":1293,"value":2194,"marks":2195,"data":2196},"). Admins can then allow employees to perform social logins, and integrate apps making use of other low-risk scopes from  verified apps only. Employees can also request access to anything requiring other scopes. 
This is a great way to enable users to perform their jobs, while preventing them from accidentally exposing themselves or the wider organization to unnecessary risk.",[],{},{"nodeType":2037,"data":2198,"content":2202},{"target":2199},{"sys":2200},{"id":2201,"type":1988,"linkType":1989},"44NsMwlLpX4qnZP94GyTSO",[],{"nodeType":1294,"data":2204,"content":2205},{},[2206],{"nodeType":1293,"value":2207,"marks":2208,"data":2209},"When configuring the above for the first time, Microsoft provides a list of 5 scopes:",[],{},{"nodeType":1346,"data":2211,"content":2212},{},[2213,2236,2259,2282,2305],{"nodeType":1350,"data":2214,"content":2215},{},[2216,2226],{"nodeType":1354,"data":2217,"content":2218},{},[2219],{"nodeType":1294,"data":2220,"content":2221},{},[2222],{"nodeType":1293,"value":2223,"marks":2224,"data":2225},"profile",[],{},{"nodeType":1354,"data":2227,"content":2228},{},[2229],{"nodeType":1294,"data":2230,"content":2231},{},[2232],{"nodeType":1293,"value":2233,"marks":2234,"data":2235},"View user's basic profile",[],{},{"nodeType":1350,"data":2237,"content":2238},{},[2239,2249],{"nodeType":1354,"data":2240,"content":2241},{},[2242],{"nodeType":1294,"data":2243,"content":2244},{},[2245],{"nodeType":1293,"value":2246,"marks":2247,"data":2248},"openid",[],{},{"nodeType":1354,"data":2250,"content":2251},{},[2252],{"nodeType":1294,"data":2253,"content":2254},{},[2255],{"nodeType":1293,"value":2256,"marks":2257,"data":2258},"Sign users in",[],{},{"nodeType":1350,"data":2260,"content":2261},{},[2262,2272],{"nodeType":1354,"data":2263,"content":2264},{},[2265],{"nodeType":1294,"data":2266,"content":2267},{},[2268],{"nodeType":1293,"value":2269,"marks":2270,"data":2271},"email",[],{},{"nodeType":1354,"data":2273,"content":2274},{},[2275],{"nodeType":1294,"data":2276,"content":2277},{},[2278],{"nodeType":1293,"value":2279,"marks":2280,"data":2281},"View user's email 
address",[],{},{"nodeType":1350,"data":2283,"content":2284},{},[2285,2295],{"nodeType":1354,"data":2286,"content":2287},{},[2288],{"nodeType":1294,"data":2289,"content":2290},{},[2291],{"nodeType":1293,"value":2292,"marks":2293,"data":2294},"User.Read",[],{},{"nodeType":1354,"data":2296,"content":2297},{},[2298],{"nodeType":1294,"data":2299,"content":2300},{},[2301],{"nodeType":1293,"value":2302,"marks":2303,"data":2304},"Sign in and read user profile",[],{},{"nodeType":1350,"data":2306,"content":2307},{},[2308,2318],{"nodeType":1354,"data":2309,"content":2310},{},[2311],{"nodeType":1294,"data":2312,"content":2313},{},[2314],{"nodeType":1293,"value":2315,"marks":2316,"data":2317},"offline_access",[],{},{"nodeType":1354,"data":2319,"content":2320},{},[2321],{"nodeType":1294,"data":2322,"content":2323},{},[2324],{"nodeType":1293,"value":2325,"marks":2326,"data":2327},"Maintain access to data you have given it access to (refresh tokens)",[],{},{"nodeType":1294,"data":2329,"content":2330},{},[2331],{"nodeType":1293,"value":2332,"marks":2333,"data":2334},"The above scopes are the minimum required to enable social logins to take place, and would cover a good amount of apps that only require basic information for account creation purposes. 
",[],{},{"nodeType":1294,"data":2336,"content":2337},{},[2338],{"nodeType":1293,"value":2339,"marks":2340,"data":2341},"If you’d like to go a step further, you should also consider approving the following to allow users to integrate these relatively common scopes from verified apps:",[],{},{"nodeType":1346,"data":2343,"content":2344},{},[2345,2368,2391,2414,2437,2460,2483,2506,2529,2552,2575],{"nodeType":1350,"data":2346,"content":2347},{},[2348,2358],{"nodeType":1354,"data":2349,"content":2350},{},[2351],{"nodeType":1294,"data":2352,"content":2353},{},[2354],{"nodeType":1293,"value":2355,"marks":2356,"data":2357},"Calendars.Read",[],{},{"nodeType":1354,"data":2359,"content":2360},{},[2361],{"nodeType":1294,"data":2362,"content":2363},{},[2364],{"nodeType":1293,"value":2365,"marks":2366,"data":2367},"Read user calendars",[],{},{"nodeType":1350,"data":2369,"content":2370},{},[2371,2381],{"nodeType":1354,"data":2372,"content":2373},{},[2374],{"nodeType":1294,"data":2375,"content":2376},{},[2377],{"nodeType":1293,"value":2378,"marks":2379,"data":2380},"Calendars.ReadWrite",[],{},{"nodeType":1354,"data":2382,"content":2383},{},[2384],{"nodeType":1294,"data":2385,"content":2386},{},[2387],{"nodeType":1293,"value":2388,"marks":2389,"data":2390},"Have full access to user calendars",[],{},{"nodeType":1350,"data":2392,"content":2393},{},[2394,2404],{"nodeType":1354,"data":2395,"content":2396},{},[2397],{"nodeType":1294,"data":2398,"content":2399},{},[2400],{"nodeType":1293,"value":2401,"marks":2402,"data":2403},"Calendars.ReadWrite.Shared",[],{},{"nodeType":1354,"data":2405,"content":2406},{},[2407],{"nodeType":1294,"data":2408,"content":2409},{},[2410],{"nodeType":1293,"value":2411,"marks":2412,"data":2413},"Read and write user and shared 
calendars",[],{},{"nodeType":1350,"data":2415,"content":2416},{},[2417,2427],{"nodeType":1354,"data":2418,"content":2419},{},[2420],{"nodeType":1294,"data":2421,"content":2422},{},[2423],{"nodeType":1293,"value":2424,"marks":2425,"data":2426},"Contacts.Read",[],{},{"nodeType":1354,"data":2428,"content":2429},{},[2430],{"nodeType":1294,"data":2431,"content":2432},{},[2433],{"nodeType":1293,"value":2434,"marks":2435,"data":2436},"Read user contacts",[],{},{"nodeType":1350,"data":2438,"content":2439},{},[2440,2450],{"nodeType":1354,"data":2441,"content":2442},{},[2443],{"nodeType":1294,"data":2444,"content":2445},{},[2446],{"nodeType":1293,"value":2447,"marks":2448,"data":2449},"Contacts.Read.Shared",[],{},{"nodeType":1354,"data":2451,"content":2452},{},[2453],{"nodeType":1294,"data":2454,"content":2455},{},[2456],{"nodeType":1293,"value":2457,"marks":2458,"data":2459},"Read user and shared contacts",[],{},{"nodeType":1350,"data":2461,"content":2462},{},[2463,2473],{"nodeType":1354,"data":2464,"content":2465},{},[2466],{"nodeType":1294,"data":2467,"content":2468},{},[2469],{"nodeType":1293,"value":2470,"marks":2471,"data":2472},"Contacts.ReadWrite",[],{},{"nodeType":1354,"data":2474,"content":2475},{},[2476],{"nodeType":1294,"data":2477,"content":2478},{},[2479],{"nodeType":1293,"value":2480,"marks":2481,"data":2482},"Have full access to user contacts",[],{},{"nodeType":1350,"data":2484,"content":2485},{},[2486,2496],{"nodeType":1354,"data":2487,"content":2488},{},[2489],{"nodeType":1294,"data":2490,"content":2491},{},[2492],{"nodeType":1293,"value":2493,"marks":2494,"data":2495},"Contacts.ReadWrite.Shared",[],{},{"nodeType":1354,"data":2497,"content":2498},{},[2499],{"nodeType":1294,"data":2500,"content":2501},{},[2502],{"nodeType":1293,"value":2503,"marks":2504,"data":2505},"Read and write user and shared 
contacts",[],{},{"nodeType":1350,"data":2507,"content":2508},{},[2509,2519],{"nodeType":1354,"data":2510,"content":2511},{},[2512],{"nodeType":1294,"data":2513,"content":2514},{},[2515],{"nodeType":1293,"value":2516,"marks":2517,"data":2518},"People.Read",[],{},{"nodeType":1354,"data":2520,"content":2521},{},[2522],{"nodeType":1294,"data":2523,"content":2524},{},[2525],{"nodeType":1293,"value":2526,"marks":2527,"data":2528},"Read users' relevant people lists",[],{},{"nodeType":1350,"data":2530,"content":2531},{},[2532,2542],{"nodeType":1354,"data":2533,"content":2534},{},[2535],{"nodeType":1294,"data":2536,"content":2537},{},[2538],{"nodeType":1293,"value":2539,"marks":2540,"data":2541},"Files.Read.Selected",[],{},{"nodeType":1354,"data":2543,"content":2544},{},[2545],{"nodeType":1294,"data":2546,"content":2547},{},[2548],{"nodeType":1293,"value":2549,"marks":2550,"data":2551},"Read files that the user selects",[],{},{"nodeType":1350,"data":2553,"content":2554},{},[2555,2565],{"nodeType":1354,"data":2556,"content":2557},{},[2558],{"nodeType":1294,"data":2559,"content":2560},{},[2561],{"nodeType":1293,"value":2562,"marks":2563,"data":2564},"Files.ReadWrite.Selected",[],{},{"nodeType":1354,"data":2566,"content":2567},{},[2568],{"nodeType":1294,"data":2569,"content":2570},{},[2571],{"nodeType":1293,"value":2572,"marks":2573,"data":2574},"Read and write files that the user selects",[],{},{"nodeType":1350,"data":2576,"content":2577},{},[2578,2588],{"nodeType":1354,"data":2579,"content":2580},{},[2581],{"nodeType":1294,"data":2582,"content":2583},{},[2584],{"nodeType":1293,"value":2585,"marks":2586,"data":2587},"User.ReadWrite",[],{},{"nodeType":1354,"data":2589,"content":2590},{},[2591],{"nodeType":1294,"data":2592,"content":2593},{},[2594],{"nodeType":1293,"value":2595,"marks":2596,"data":2597},"Read and write access to user profile",[],{},{"nodeType":1294,"data":2599,"content":2600},{},[2601],{"nodeType":1293,"value":2602,"marks":2603,"data":2604},"We’ve determined 
these scopes to be relatively low-risk, but this would depend on the risk appetite of your organization. Pre-approving the scopes will go a long way towards enabling your users to make use of SaaS apps without raising unnecessary approval requests from your IT or security team.",[],{},{"nodeType":1330,"data":2606,"content":2607},{},[2608],{"nodeType":1293,"value":2609,"marks":2610,"data":2611},"Unverified apps",[],{},{"nodeType":2100,"data":2613,"content":2614},{},[2615],{"nodeType":1293,"value":2104,"marks":2616,"data":2617},[],{},{"nodeType":1294,"data":2619,"content":2620},{},[2621,2625,2634,2638,2647],{"nodeType":1293,"value":2622,"marks":2623,"data":2624},"First, let’s define what causes an app to be classified as unverified. When you see an app in your tenant that’s marked as unverified, it means that the tenant that publishes the app has not gone through the ",[],{},{"nodeType":1677,"data":2626,"content":2628},{"uri":2627},"https://learn.microsoft.com/en-gb/azure/active-directory/develop/publisher-verification-overview",[2629],{"nodeType":1293,"value":2630,"marks":2631,"data":2633},"Publisher Verification",[2632],{"type":1695},{},{"nodeType":1293,"value":2635,"marks":2636,"data":2637}," process. Going through the verification process requires the publisher to have a Microsoft Partner Network (MPN) account, which typically involves ",[],{},{"nodeType":1677,"data":2639,"content":2641},{"uri":2640},"https://learn.microsoft.com/en-us/partner-center/verification-responses",[2642],{"nodeType":1293,"value":2643,"marks":2644,"data":2646},"verifying",[2645],{"type":1695},{},{"nodeType":1293,"value":2648,"marks":2649,"data":2650}," their business address, email address, and a few additional due diligence tasks. 
",[],{},{"nodeType":1294,"data":2652,"content":2653},{},[2654],{"nodeType":1293,"value":2655,"marks":2656,"data":2657},"While I’m sure this is not a 100% infallible process, at the very least it provides you with the confidence that someone at Microsoft had reached out to the company and spoken to someone who claims they are who they say they are. This is opposed to a random person creating a Microsoft Azure tenant and marking their app as being published by Adobe, as an example.",[],{},{"nodeType":1294,"data":2659,"content":2660},{},[2661],{"nodeType":1293,"value":2662,"marks":2663,"data":2664},"At Push, we’ve noticed plenty of unverified apps published by legitimate vendors. This could be related to vendors having multiple tenants, and not having completed the verification process across all yet. As an example, we have a few of Adobe’s apps for Microsoft 365:",[],{},{"nodeType":2037,"data":2666,"content":2670},{"target":2667},{"sys":2668},{"id":2669,"type":1988,"linkType":1989},"4eDWZKrMau1AfU4pXgOW42",[],{"nodeType":1294,"data":2672,"content":2673},{},[2674],{"nodeType":1293,"value":2675,"marks":2676,"data":2677},"In the above image, we have a verified app from Adobe, Inc. We know this due to the ‘Verified Publisher’ attribute that is included when parsing the information provided by Microsoft. We can also see that the only reply url is one associated directly with Adobe – adobe.com. Next, we have an unverified app:",[],{},{"nodeType":2037,"data":2679,"content":2683},{"target":2680},{"sys":2681},{"id":2682,"type":1988,"linkType":1989},"5e5RhdYiMh0Q3CZzmNoRDI",[],{"nodeType":1294,"data":2685,"content":2686},{},[2687],{"nodeType":1293,"value":2688,"marks":2689,"data":2690},"This app does not include the ‘verified publisher’ attribute when reading the information provided by Microsoft. 
However, the app only has one reply url, and this is again a subdomain of adobe.com.",[],{},{"nodeType":1294,"data":2692,"content":2693},{},[2694],{"nodeType":1293,"value":2695,"marks":2696,"data":2697},"The takeaway here is that not all unverified apps are malicious. More often than not it’s related to the vendor not having gone through the verification process, but this means it unfortunately becomes the security team’s burden to figure out.",[],{},{"nodeType":2100,"data":2699,"content":2700},{},[2701],{"nodeType":1293,"value":2145,"marks":2702,"data":2703},[],{},{"nodeType":1294,"data":2705,"content":2706},{},[2707],{"nodeType":1293,"value":2708,"marks":2709,"data":2710},"At Push, we attempt to review every application we come across to determine if it's legit and whether it belongs to the vendor it claims to originate from. There are multiple ways to do this, but as a general rule of thumb if all the app’s reply urls are associated with the vendor, you are good. You can perform an integration from the app’s website to verify that the particular app ID (seen in the metadata tag above) is the one you are looking at in your environment.",[],{},{"nodeType":1330,"data":2712,"content":2713},{},[2714],{"nodeType":1293,"value":2715,"marks":2716,"data":2717},"Apps with excessive privileges",[],{},{"nodeType":2100,"data":2719,"content":2720},{},[2721],{"nodeType":1293,"value":2104,"marks":2722,"data":2723},[],{},{"nodeType":1294,"data":2725,"content":2726},{},[2727],{"nodeType":1293,"value":2728,"marks":2729,"data":2730},"When you first start doing deep dives on permissions associated with apps in your environment, you find yourself looking at some apps and wonder out loud “we’re granting this vendor access to what?!”",[],{},{"nodeType":1294,"data":2732,"content":2733},{},[2734],{"nodeType":1293,"value":2735,"marks":2736,"data":2737},"It’s a totally normal response, but don't worry, we’re here to help. 
Let’s take diagrams.net as an example:",[],{},{"nodeType":2037,"data":2739,"content":2743},{"target":2740},{"sys":2741},{"id":2742,"type":1988,"linkType":1989},"7DcPUSZ0nDYKmIy4E9xEHs",[],{"nodeType":1294,"data":2745,"content":2746},{},[2747],{"nodeType":1293,"value":2748,"marks":2749,"data":2750},"At first glance this doesn’t seem too bad. For the purposes of this example, let’s say the app was approved by 49 users. That means if diagrams.net got compromised, an attacker would potentially have access to the OneDrive files of 49 of your users. “That’s OK!” you say. “This will only affect a handful of files they’ve been working on locally. Our policy specifies that any company data, specifically data containing PII, be stored in SharePoint.”",[],{},{"nodeType":1294,"data":2752,"content":2753},{},[2754,2758,2763],{"nodeType":1293,"value":2755,"marks":2756,"data":2757},"And then comes the part where you notice the following permission: ",[],{},{"nodeType":1293,"value":2759,"marks":2760,"data":2762},"Sites.Read.All",[2761],{"type":312},{},{"nodeType":1293,"value":2764,"marks":2765,"data":2766},". This permission gives the application the ability to read every file across all SharePoint sites in your organization (that the users have permission to access). Suddenly the scope of data access is much larger than you hoped.",[],{},{"nodeType":2100,"data":2768,"content":2769},{},[2770],{"nodeType":1293,"value":2145,"marks":2771,"data":2772},[],{},{"nodeType":1294,"data":2774,"content":2775},{},[2776],{"nodeType":1293,"value":2777,"marks":2778,"data":2779},"When faced with the dilemma of granting apps access to resources within your organization, the best course of action is to do a risk assessment.",[],{},{"nodeType":1294,"data":2781,"content":2782},{},[2783,2787,2795,2799,2808],{"nodeType":1293,"value":2784,"marks":2785,"data":2786},"This requires some good ol’ googling and reviewing the security policies of the app’s creator. 
You ideally also want to know who they use to process your data. Through this process, I found a ",[],{},{"nodeType":1677,"data":2788,"content":2790},{"uri":2789},"https://www.diagrams.net/blog/data-protection",[2791],{"nodeType":1293,"value":1682,"marks":2792,"data":2794},[2793],{"type":1695},{},{"nodeType":1293,"value":2796,"marks":2797,"data":2798}," on diagrams.net detailing their approach to security and user privacy. They do make note that they don’t ",[],{},{"nodeType":1677,"data":2800,"content":2802},{"uri":2801},"https://www.diagrams.net/blog/data-protection#:~:text=Because%20your%20sensitive%20diagram%20data%20doesn%E2%80%99t%20leave%20your%20infrastructure%20and%20is%20never%20stored%20on%20the%20diagrams.net%20servers%2C%20diagrams.net%20is%20a%20tool%20which%20lets%20you%20comply%20with%20data%20protection%20certifications%20(ISO%2027000%2C%2027001%20and%2027002)%20and%20the%20GDPR.",[2803],{"nodeType":1293,"value":2804,"marks":2805,"data":2807},"store any sensitive customer data on their servers",[2806],{"type":1695},{},{"nodeType":1293,"value":2809,"marks":2810,"data":2811},", and thus let you comply with GDPR, ISO 2700* etc. certifications if you use their services.",[],{},{"nodeType":1294,"data":2813,"content":2814},{},[2815],{"nodeType":1293,"value":2816,"marks":2817,"data":2818},"While this is great from a tick box exercise perspective, this doesn’t address the original concern – how much risk are you taking on by letting their app integrate with your environment? 
What could an attacker who compromises diagrams.net have access to and how do you lessen the risk while still allowing employees to use the app?",[],{},{"nodeType":1294,"data":2820,"content":2821},{},[2822,2826,2835],{"nodeType":1293,"value":2823,"marks":2824,"data":2825},"Further in the same blog post, they link to a GitHub ",[],{},{"nodeType":1677,"data":2827,"content":2829},{"uri":2828},"https://github.com/jgraph/security-privacy-legal",[2830],{"nodeType":1293,"value":2831,"marks":2832,"data":2834},"repository",[2833],{"type":1695},{},{"nodeType":1293,"value":2836,"marks":2837,"data":2838}," that contains their security and privacy processes, policies, and even some pentest reports. They do a great job of including this information, by the way, so cheers to diagrams.net!",[],{},{"nodeType":1294,"data":2840,"content":2841},{},[2842],{"nodeType":1293,"value":2843,"marks":2844,"data":2845},"At this point you should have a better understanding of the security of the vendor you’re integrating into your organization, and whether it’s okay to accept the risk. Documenting and adding the information you found to your risk register is also a good idea. Likely, you’ll be taking this information to your Information Security Manager for risk acceptance. ",[],{},{"nodeType":1294,"data":2847,"content":2848},{},[2849],{"nodeType":1293,"value":2850,"marks":2851,"data":2852},"We’re working on ways to provide this information to our clients through the Push app dashboard in future, too. Sign up or subscribe to our blog to get product updates when features like this are introduced. 
",[],{},{"nodeType":1330,"data":2854,"content":2855},{},[2856],{"nodeType":1293,"value":2857,"marks":2858,"data":2859},"Hijackable urls and implicit grant flow",[],{},{"nodeType":2100,"data":2861,"content":2862},{},[2863],{"nodeType":1293,"value":2104,"marks":2864,"data":2865},[],{},{"nodeType":1294,"data":2867,"content":2868},{},[2869,2874,2884,2889,2899],{"nodeType":1293,"value":2870,"marks":2871,"data":2873},"Developer side note: The implicit grant flow is no longer recommended due to security-related concerns and because it won’t function where ",[2872],{"type":312},{},{"nodeType":1677,"data":2875,"content":2877},{"uri":2876},"https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-third-party-cookies-spas#:~:text=Many%20browsers%20block%20third%2Dparty%20cookies%2C%20cookies%20on%20requests%20to%20domains%20other%20than%20the%20domain%20shown%20in%20the%20browser%27s%20address%20bar.%20This%20block%20breaks%20the%20implicit%20flow%20and%20requires%20new%20authentication%20patterns%20to%20successfully%20sign%20in%20users.",[2878],{"nodeType":1293,"value":2879,"marks":2880,"data":2883},"3rd party cookies are blocked in browsers",[2881,2882],{"type":1695},{"type":312},{},{"nodeType":1293,"value":2885,"marks":2886,"data":2888},". 
Instead, you should switch to using the ",[2887],{"type":312},{},{"nodeType":1677,"data":2890,"content":2892},{"uri":2891},"https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow",[2893],{"nodeType":1293,"value":2894,"marks":2895,"data":2898},"authorization code flow",[2896,2897],{"type":1695},{"type":312},{},{"nodeType":1293,"value":2900,"marks":2901,"data":2903}," if applicable to your requirements.",[2902],{"type":312},{},{"nodeType":1294,"data":2905,"content":2906},{},[2907,2911,2920],{"nodeType":1293,"value":2908,"marks":2909,"data":2910},"Let’s quickly go over how OAuth2’s implicit grant flow works so you can better understand how to spot potentially risky apps and integrations, and why this can result in a security concern. Microsoft provides a great ",[],{},{"nodeType":1677,"data":2912,"content":2914},{"uri":2913},"https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-implicit-grant-flow",[2915],{"nodeType":1293,"value":2916,"marks":2917,"data":2919},"breakdown",[2918],{"type":1695},{},{"nodeType":1293,"value":2921,"marks":2922,"data":2923}," of the implicit grant flow, however for the purposes of brevity (and simplicity), it does the following:",[],{},{"nodeType":2925,"data":2926,"content":2927},"ordered-list",{},[2928,2939,2949,2959,2969],{"nodeType":2929,"data":2930,"content":2931},"list-item",{},[2932],{"nodeType":1294,"data":2933,"content":2934},{},[2935],{"nodeType":1293,"value":2936,"marks":2937,"data":2938},"A user goes to a web app and clicks a login link",[],{},{"nodeType":2929,"data":2940,"content":2941},{},[2942],{"nodeType":1294,"data":2943,"content":2944},{},[2945],{"nodeType":1293,"value":2946,"marks":2947,"data":2948},"The web app redirects the user to authenticate and authorize the app. 
This is performed against your identity provider (in this example, Microsoft)",[],{},{"nodeType":2929,"data":2950,"content":2951},{},[2952],{"nodeType":1294,"data":2953,"content":2954},{},[2955],{"nodeType":1293,"value":2956,"marks":2957,"data":2958},"If this is the first time authorizing the app, the user is presented with a list of scopes (permissions) the app will need access to, and the user clicks “approve”",[],{},{"nodeType":2929,"data":2960,"content":2961},{},[2962],{"nodeType":1294,"data":2963,"content":2964},{},[2965],{"nodeType":1293,"value":2966,"marks":2967,"data":2968},"This responds with a token to one of the hard-coded reply urls associated with the app integration (e.g. https://apps.diagrams.net/microsoft as with the ‘Apps with excessive privileges’ example)",[],{},{"nodeType":2929,"data":2970,"content":2971},{},[2972],{"nodeType":1294,"data":2973,"content":2974},{},[2975],{"nodeType":1293,"value":2976,"marks":2977,"data":2978},"The app uses the token to access the user’s resources with the permissions approved in step 3",[],{},{"nodeType":1294,"data":2980,"content":2981},{},[2982],{"nodeType":1293,"value":2983,"marks":2984,"data":2985},"Based on the flow above, if an attacker gets their hands on the token from step 4, they can perform requests as the user, granting them access to your resources. To get the token, you need to control one of the hardcoded reply url endpoints, and convince a user to authenticate to the app – perhaps via a phishing attack.",[],{},{"nodeType":1294,"data":2987,"content":2988},{},[2989],{"nodeType":1293,"value":2990,"marks":2991,"data":2992},"As an example, some of the apps we’ve reviewed contained reply urls which were subdomains of azurewebsites.net and ngrok.io. These urls don’t appear problematic at first. However, the urls could have been used during the development process, and were forgotten about at the conclusion of the project. 
During the review process we follow at Push, we found multiple examples of such urls that were no longer in use.",[],{},{"nodeType":1294,"data":2994,"content":2995},{},[2996,3000,3009],{"nodeType":1293,"value":2997,"marks":2998,"data":2999},"This could allow an attacker to register the urls and perform phishing attacks against organizations that use these particular apps, granting the attacker access to previously approved scopes and resources. The outcome of this attack would be similar to ",[],{},{"nodeType":1677,"data":3001,"content":3003},{"uri":3002},"https://www.oauth.com/oauth2-servers/authorization/security-considerations/#:~:text=Redirect%20URL%20Manipulation",[3004],{"nodeType":1293,"value":3005,"marks":3006,"data":3008},"redirect URL manipulation",[3007],{"type":1695},{},{"nodeType":1293,"value":3010,"marks":3011,"data":3012},", but instead of taking advantage of an open or misconfigured redirect, the attacker is in control of the endpoint where the token ends up.",[],{},{"nodeType":1294,"data":3014,"content":3015},{},[3016,3020,3027],{"nodeType":1293,"value":3017,"marks":3018,"data":3019},"How would you even go about detecting if an app makes use of the implicit grant flow? This requires getting your hands dirty with making authorization requests to your tenant for the specific app ID, and passing the “response_type=token” parameter in the url. This should return an error if the app is not configured with the implicit grant flow. If you’d like to test this yourself, you can follow the “Run in Postman” link at the top of ",[],{},{"nodeType":1677,"data":3021,"content":3022},{"uri":2913},[3023],{"nodeType":1293,"value":2028,"marks":3024,"data":3026},[3025],{"type":1695},{},{"nodeType":1293,"value":3028,"marks":3029,"data":3030}," to make this process a bit easier.",[],{},{"nodeType":1294,"data":3032,"content":3033},{},[3034],{"nodeType":1293,"value":3035,"marks":3036,"data":3037},"Another example of a hijackable url includes dangling DNS records. 
Let’s say your app includes a reply url pointing to a legacy server used for development (eg. apptesting-dev.ctrlaltsecure.com). This server was hosted on an EC2 instance in AWS, and has long since been decommissioned. However, the DNS record for the hostname is still pointing to the IP address that was associated with the instance. A determined attacker could potentially gain access to the IP address by spinning up resources until it’s assigned to them.",[],{},{"nodeType":1294,"data":3039,"content":3040},{},[3041,3045,3054,3058,3067],{"nodeType":1293,"value":3042,"marks":3043,"data":3044},"OWASP has ",[],{},{"nodeType":1677,"data":3046,"content":3048},{"uri":3047},"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/10-Test_for_Subdomain_Takeover",[3049],{"nodeType":1293,"value":3050,"marks":3051,"data":3053},"published an article",[3052],{"type":1695},{},{"nodeType":1293,"value":3055,"marks":3056,"data":3057}," and HackerOne ",[],{},{"nodeType":1677,"data":3059,"content":3061},{"uri":3060},"https://www.hackerone.com/application-security/guide-subdomain-takeovers",[3062],{"nodeType":1293,"value":3063,"marks":3064,"data":3066},"posted a guide",[3065],{"type":1695},{},{"nodeType":1293,"value":3068,"marks":3069,"data":3070}," highlighting ways to take over subdomains, and it’s very easy to overlook.",[],{},{"nodeType":2100,"data":3072,"content":3073},{},[3074],{"nodeType":1293,"value":2145,"marks":3075,"data":3076},[],{},{"nodeType":1294,"data":3078,"content":3079},{},[3080],{"nodeType":1293,"value":3081,"marks":3082,"data":3083},"Unfortunately there is no elegant solution to this problem, and it’s not easy to spot as you would need to review each url to see if it’s still in use, in addition to figuring out if the app makes use of the implicit grant flow. 
Even then, is the active url being used by the developer, or has an attacker already claimed it?",[],{},{"nodeType":1294,"data":3085,"content":3086},{},[3087],{"nodeType":1293,"value":3088,"marks":3089,"data":3090},"The best course of action here is likely to make use of a proxy that prevents users from accessing unclassified urls, or urls with a low reputation. However, you will risk breaking applications and making your developers angry. This also does not solve the dangling DNS issue, as with the EC2 instance problem above.",[],{},{"nodeType":1294,"data":3092,"content":3093},{},[3094],{"nodeType":1293,"value":3095,"marks":3096,"data":3097},"Another option is to contact vendors of apps that you’ve noticed including such urls in their apps and ask them to remove the stale entries from their apps.",[],{},{"nodeType":1330,"data":3099,"content":3100},{},[3101],{"nodeType":1293,"value":3102,"marks":3103,"data":3104},"You think you’ve been compromised. Now what?",[],{},{"nodeType":1294,"data":3106,"content":3107},{},[3108],{"nodeType":1293,"value":3109,"marks":3110,"data":3111},"\nRegardless of the method of compromise, there’s a few steps you can take to review what happened and to prevent further access into your environment.",[],{},{"nodeType":2100,"data":3113,"content":3114},{},[3115],{"nodeType":1293,"value":3116,"marks":3117,"data":3118},"Review app sign-in logs",[],{},{"nodeType":1294,"data":3120,"content":3121},{},[3122,3126,3135],{"nodeType":1293,"value":3123,"marks":3124,"data":3125},"In Azure Active Directory, head to ",[],{},{"nodeType":1677,"data":3127,"content":3129},{"uri":3128},"https://portal.azure.com/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppAppsPreview/menuId~/null",[3130],{"nodeType":1293,"value":3131,"marks":3132,"data":3134},"Enterprise applications",[3133],{"type":1695},{},{"nodeType":1293,"value":3136,"marks":3137,"data":3138}," and click on the app you want to review. In the new window, click on sign-in logs. 
You will be presented with a list of user sign-ins (interactive and non-interactive), service principal sign-ins, and managed identity sign-ins.",[],{},{"nodeType":2037,"data":3140,"content":3144},{"target":3141},{"sys":3142},{"id":3143,"type":1988,"linkType":1989},"2L7vf2zjZBelGMJSjP2inY",[],{"nodeType":1294,"data":3146,"content":3147},{},[3148],{"nodeType":1293,"value":3149,"marks":3150,"data":3151},"What you typically need to look for is non-interactive user sign-in logs. Non-interactive sign-ins are related to login events performed on behalf of a user where usernames and passwords were not used (read: tokens). You want to review the sign-ins to determine if there were authentication events from IP addresses unrelated to normal employee activity, which can include discrepancies in geographical locations, and out-of-hours activity. Service principal sign-ins would also be of interest, however it would be more difficult to determine odd behavior as you wouldn’t have user sign-ins to compare with.",[],{},{"nodeType":1294,"data":3153,"content":3154},{},[3155,3159,3167],{"nodeType":1293,"value":3156,"marks":3157,"data":3158},"You could also review Azure’s ",[],{},{"nodeType":1677,"data":3160,"content":3162},{"uri":3161},"https://portal.azure.com/#view/Microsoft_AAD_IAM/SecurityMenuBlade/~/RiskySignIns",[3163],{"nodeType":1293,"value":3164,"marks":3165,"data":3166},"risky sign-ins ",[],{},{"nodeType":1293,"value":3168,"marks":3169,"data":3170},"page, as these issues are likely to show up already classified. Just make sure your filters include non-interactive sign-in methods.",[],{},{"nodeType":2100,"data":3172,"content":3173},{},[3174],{"nodeType":1293,"value":3175,"marks":3176,"data":3177},"Review app audit logs",[],{},{"nodeType":1294,"data":3179,"content":3180},{},[3181],{"nodeType":1293,"value":3182,"marks":3183,"data":3184},"In the same window underneath sign-in logs, you’ll find the audit logs section. 
Audit logs will provide you with crucial information relating to when an app was integrated, by who, and which permissions were delegated.",[],{},{"nodeType":2037,"data":3186,"content":3190},{"target":3187},{"sys":3188},{"id":3189,"type":1988,"linkType":1989},"5HRLoa9zlIWZdZGLN84Yae",[],{"nodeType":2100,"data":3192,"content":3193},{},[3194],{"nodeType":1293,"value":3195,"marks":3196,"data":3197},"Disable the app",[],{},{"nodeType":1294,"data":3199,"content":3200},{},[3201],{"nodeType":1293,"value":3202,"marks":3203,"data":3204},"If you’ve determined that an app was involved in an incident, the first step would be to disable the app to prevent malicious actors from performing any further authentication. Under the application’s properties, change the setting “Enable for users to sign-in?” from “Yes” to “No”, followed by clicking “Save.”",[],{},{"nodeType":2037,"data":3206,"content":3210},{"target":3207},{"sys":3208},{"id":3209,"type":1988,"linkType":1989},"12NnJ8OhD3K27rFRJ48t6a",[],{"nodeType":2100,"data":3212,"content":3213},{},[3214],{"nodeType":1293,"value":3215,"marks":3216,"data":3217},"Revoke all refresh tokens",[],{},{"nodeType":1294,"data":3219,"content":3220},{},[3221,3225,3234,3238,3247,3251,3260],{"nodeType":1293,"value":3222,"marks":3223,"data":3224},"Disabling the app is not enough to prevent attackers from maintaining access to your environment. ",[],{},{"nodeType":1677,"data":3226,"content":3228},{"uri":3227},"https://learn.microsoft.com/en-us/azure/active-directory/develop/refresh-tokens",[3229],{"nodeType":1293,"value":3230,"marks":3231,"data":3233},"Refresh tokens",[3232],{"type":1695},{},{"nodeType":1293,"value":3235,"marks":3236,"data":3237}," provide a way for apps to retrieve new access tokens without bugging users with pesky sign-in screens. 
Tokens are typically valid for between ",[],{},{"nodeType":1677,"data":3239,"content":3241},{"uri":3240},"https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens#access-token-lifetime:~:text=The%20default%20lifetime%20of%20an%20access%20token%20is%20variable.%20When%20issued%2C%20the%20default%20lifetime%20of%20an%20access%20token%20is%20assigned%20a%20random%20value%20ranging%20between%2060%2D90%20minutes%20(75%20minutes%20on%20average).",[3242],{"nodeType":1293,"value":3243,"marks":3244,"data":3246},"60 to 90 minutes",[3245],{"type":1695},{},{"nodeType":1293,"value":3248,"marks":3249,"data":3250},", and if a refresh token has been issued, the token holder can request new tokens for ",[],{},{"nodeType":1677,"data":3252,"content":3254},{"uri":3253},"https://learn.microsoft.com/en-us/azure/active-directory/develop/refresh-tokens#:~:text=The%20default%20lifetime%20for%20the%20refresh%20tokens%20is%2024%20hours%20for%20single%20page%20apps%20and%2090%20days%20for%20all%20other%20scenarios",[3255],{"nodeType":1293,"value":3256,"marks":3257,"data":3259},"up to 90 days",[3258],{"type":1695},{},{"nodeType":1293,"value":3261,"marks":3262,"data":3263},"! ",[],{},{"nodeType":1294,"data":3265,"content":3266},{},[3267],{"nodeType":1293,"value":3268,"marks":3269,"data":3270},"So, revoking refresh tokens is an important step as part of the mitigation and recovery steps. This step can be performed with some PowerShell – luckily Microsoft provides pre-generated scripts for you to copy and paste. 
Click on ‘Permissions’ for the app, followed by ‘Review permissions.’ ",[],{},{"nodeType":2037,"data":3272,"content":3276},{"target":3273},{"sys":3274},{"id":3275,"type":1988,"linkType":1989},"7vuFmlmZbzfNhWHPj8ToHm",[],{"nodeType":1294,"data":3278,"content":3279},{},[3280],{"nodeType":1293,"value":3281,"marks":3282,"data":3283},"In the new window, click on ‘This application is malicious and I’m compromised.’ This will present you with the necessary PowerShell scripts to remove users from the app, revoke all permissions granted to the app, and finally to revoke refresh tokens associated with the app.",[],{},{"nodeType":2037,"data":3285,"content":3289},{"target":3286},{"sys":3287},{"id":3288,"type":1988,"linkType":1989},"4NnD6WKRHlnzKE0F4GUDEm",[],{"nodeType":2100,"data":3291,"content":3292},{},[3293],{"nodeType":1293,"value":3294,"marks":3295,"data":3296},"What to do if the initial access token was stolen",[],{},{"nodeType":1294,"data":3298,"content":3299},{},[3300],{"nodeType":1293,"value":3301,"marks":3302,"data":3303},"The initial access token cannot be revoked. In practice, if an attacker has managed to steal an access token it will be valid for the remainder of its lifespan, which is typically one hour. This is true even if the account is disabled, the compromised app deleted, and all refresh tokens revoked. 
If you’re responding to an incident, you will need to keep an eye on audit logs for an hour or more after performing the above steps to make sure the valid access token wasn’t still being used to perform actions in the environment.",[],{},{"nodeType":1294,"data":3305,"content":3306},{},[3307,3311,3320,3324,3333],{"nodeType":1293,"value":3308,"marks":3309,"data":3310},"Microsoft’s response to this was to develop something called ",[],{},{"nodeType":1677,"data":3312,"content":3314},{"uri":3313},"https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-continuous-access-evaluation",[3315],{"nodeType":1293,"value":3316,"marks":3317,"data":3319},"continuous access evaluation",[3318],{"type":1695},{},{"nodeType":1293,"value":3321,"marks":3322,"data":3323},". However, they admit in the article that it does not address a scenario where an attacker exfiltrated the token outside of a ",[],{},{"nodeType":1677,"data":3325,"content":3327},{"uri":3326},"https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-continuous-access-evaluation#:~:text=Token%20export%20to%20a%20machine%20outside%20of%20a%20trusted%20network%20can%20be%20prevented%20with%20Conditional%20Access%20location%20policies",[3328],{"nodeType":1293,"value":3329,"marks":3330,"data":3332},"trusted network",[3331],{"type":1695},{},{"nodeType":1293,"value":3334,"marks":3335,"data":3336},", in which case conditional access policy enforcement would be required to address the issue. 
Continuous access evaluation is ideal for handling specific cases of user access into the environment such as employee contract termination, or scenarios where conditional access policies are violated.",[],{},{"nodeType":1330,"data":3338,"content":3339},{},[3340],{"nodeType":1293,"value":3341,"marks":3342,"data":3343},"Conclusion",[],{},{"nodeType":1294,"data":3345,"content":3346},{},[3347],{"nodeType":1293,"value":3348,"marks":3349,"data":3350},"This article should have given you a better understanding of the most common issues presented when reviewing SaaS apps integrated into your environment. ",[],{},{"nodeType":1294,"data":3352,"content":3353},{},[3354],{"nodeType":1293,"value":3355,"marks":3356,"data":3357},"Determining whether using an app would result in compromise is not a simple task, especially if you haven’t observed malicious behavior. As such, the best course of action is to consider all angles, which include the business case of users requiring its use, the permission scopes, and whether the vendor’s security practices are in line with your requirements.",[],{},{"nodeType":1294,"data":3359,"content":3360},{},[3361],{"nodeType":1293,"value":3362,"marks":3363,"data":3364},"SaaS is a new(ish) frontier that can be really daunting to defend against attackers, but it's not impossible to reduce risk without simply blocking access to SaaS. 
And, remember: denying users access to tools will make them find ways around the limitations.",[],{},{"nodeType":1294,"data":3366,"content":3367},{},[3368],{"nodeType":1293,"value":3369,"marks":3370,"data":3371},"We hope this article helps you get a better handle on how to determine if you’ve been compromised, and respond to incidents involving SaaS apps and/or OAuth integrations to your core work platforms.",[],{},{"nodeType":2037,"data":3373,"content":3377},{"target":3374},{"sys":3375},{"id":3376,"type":1988,"linkType":1989},"2y0INxqAi594O7rCAVKhTI",[],{"nodeType":1294,"data":3379,"content":3380},{},[3381],{"nodeType":1293,"value":37,"marks":3382,"data":3383},[],{},"2023-01-03T00:00:00.000Z",{"items":3386},[3387,3391],{"sys":3388,"name":3390},{"id":3389},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"sys":3392,"name":1310},{"id":1309},{"items":3394},[3395],{"fullName":3396,"firstName":3397,"jobTitle":3398,"profilePicture":3399},"Johann Scheepers","Johann","Senior Security Engineer",{"url":3400},"https://images.ctfassets.net/y1cdw1ablpvd/75IEOH93vR0hbvxuqTu1m3/f6222745ee6892ea07bc18727a5a5ae7/T016S22KZ96-U02LU3SKC2D-e1e755770536-512.png",{"__typename":2055,"sys":3402,"content":3404,"title":3867,"synopsis":3868,"hashTags":118,"publishedDate":3869,"slug":3870,"tagsCollection":3871,"authorsCollection":3877},{"id":3403},"3cvobsSnd6xjB6tHhWt4bX",{"json":3405},{"data":3406,"content":3407,"nodeType":1295},{},[3408,3415,3424,3431,3465,3472,3480,3513,3533,3540,3546,3552,3560,3567,3573,3579,3586,3593,3600,3619,3625,3632,3652,3659,3665,3673,3680,3687,3706,3713,3720,3727,3733,3740,3746,3753,3759,3766,3787,3795,3802,3809,3816,3822,3840,3847,3853,3860],{"data":3409,"content":3410,"nodeType":1294},{},[3411],{"data":3412,"marks":3413,"value":3414,"nodeType":1293},{},[],"An employee has added a new app-to-app (aka OAuth) integration to your Azure tenant or Google Workspace but you’re unsure of what it is or what risk it poses to your organization. 
We’ll cover a few techniques to help you assess the risk in this article.",{"data":3416,"content":3417,"nodeType":2100},{},[3418],{"data":3419,"marks":3420,"value":3423,"nodeType":1293},{},[3421],{"type":3422},"bold","Introduction",{"data":3425,"content":3426,"nodeType":1294},{},[3427],{"data":3428,"marks":3429,"value":3430,"nodeType":1293},{},[]," There are a few key questions to keep in mind when evaluating an OAuth integration:",{"data":3432,"content":3433,"nodeType":3464},{},[3434,3444,3454],{"data":3435,"content":3436,"nodeType":2929},{},[3437],{"data":3438,"content":3439,"nodeType":1294},{},[3440],{"data":3441,"marks":3442,"value":3443,"nodeType":1293},{},[],"Is the source (usually the app vendor) trustworthy?",{"data":3445,"content":3446,"nodeType":2929},{},[3447],{"data":3448,"content":3449,"nodeType":1294},{},[3450],{"data":3451,"marks":3452,"value":3453,"nodeType":1293},{},[],"What can it do if it is not trustworthy? Does it have access to your data? How much access? Does it request more permissions than it should need to function?",{"data":3455,"content":3456,"nodeType":2929},{},[3457],{"data":3458,"content":3459,"nodeType":1294},{},[3460],{"data":3461,"marks":3462,"value":3463,"nodeType":1293},{},[],"What does it actually do (i.e. what do the logs indicate)? Which teams or individuals will be using it and for what purposes?","unordered-list",{"data":3466,"content":3467,"nodeType":1294},{},[3468],{"data":3469,"marks":3470,"value":3471,"nodeType":1293},{},[],"There are a variety of data sources that can be considered for each of these primary questions, which we’ll break down in this next section: 
",{"data":3473,"content":3474,"nodeType":2100},{},[3475],{"data":3476,"marks":3477,"value":3479,"nodeType":1293},{},[3478],{"type":3422},"Name and Verification Status",{"data":3481,"content":3482,"nodeType":1294},{},[3483,3487,3496,3500,3509],{"data":3484,"marks":3485,"value":3486,"nodeType":1293},{},[],"Every OAuth integration has a name, and both Microsoft and Google have verification processes that allow OAuth integrations to be verified as belonging to a particular company. Microsoft has a ",{"data":3488,"content":3490,"nodeType":1677},{"uri":3489},"https://learn.microsoft.com/en-us/azure/active-directory/develop/publisher-verification-overview",[3491],{"data":3492,"marks":3493,"value":3495,"nodeType":1293},{},[3494],{"type":1695},"publisher verification process ",{"data":3497,"marks":3498,"value":3499,"nodeType":1293},{},[],"that’s dependent on its Microsoft Cloud Partner Program, whereas Google has a ",{"data":3501,"content":3503,"nodeType":1677},{"uri":3502},"https://support.google.com/cloud/answer/9110914?hl=en#zippy=%2Csteps-to-prepare-for-verification",[3504],{"data":3505,"marks":3506,"value":3508,"nodeType":1293},{},[3507],{"type":1695},"brand verification process",{"data":3510,"marks":3511,"value":3512,"nodeType":1293},{},[]," that also has different levels of requirements depending on the level of data access requested.",{"data":3514,"content":3515,"nodeType":1294},{},[3516,3520,3529],{"data":3517,"marks":3518,"value":3519,"nodeType":1293},{},[],"While being verified does not mean an integration poses no risk – in fact, there ",{"data":3521,"content":3523,"nodeType":1677},{"uri":3522},"https://msrc.microsoft.com/blog/2023/01/threat-actor-consent-phishing-campaign-abusing-the-verified-publisher-process/",[3524],{"data":3525,"marks":3526,"value":3528,"nodeType":1293},{},[3527],{"type":1695},"have been malicious phishing campaigns using verified publishers",{"data":3530,"marks":3531,"value":3532,"nodeType":1293},{},[]," – it at least provides some extra 
assurance around what the integration actually is. This is especially true with Google integrations where access to restricted scopes has been granted.",{"data":3534,"content":3535,"nodeType":1294},{},[3536],{"data":3537,"marks":3538,"value":3539,"nodeType":1293},{},[],"For example, consider the Slack OAuth integration for Google Workspace. The name and icon make it very clear what the integration is claiming to be and the verification status shows that Google has verified this data - so you can quickly ensure the vendor is who they say they are, accept them as a third-party vendor, and move on to more traditional risk assessments. You can start to address questions like, “Should Slack be used within the organization?” “Does Slack as a company meet required security and compliance standards?” “Is an OAuth integration required or should it be used purely as a web or desktop app?,” and so on.   ",{"data":3541,"content":3545,"nodeType":2037},{"target":3542},{"sys":3543},{"id":3544,"type":1988,"linkType":1989},"aYslILzQ1kwQUHy7Cw7lR",[],{"data":3547,"content":3551,"nodeType":2037},{"target":3548},{"sys":3549},{"id":3550,"type":1988,"linkType":1989},"OmghmgRgSrdtMW9kgHaoa",[],{"data":3553,"content":3554,"nodeType":2100},{},[3555],{"data":3556,"marks":3557,"value":3559,"nodeType":1293},{},[3558],{"type":3422},"Reply URLs and Approved Domains",{"data":3561,"content":3562,"nodeType":1294},{},[3563],{"data":3564,"marks":3565,"value":3566,"nodeType":1293},{},[],"Some integrations may be unverified or have very generic or confusing names that give little indication as to who is actually behind the integration. 
For example, consider the following Microsoft OAuth integration:",{"data":3568,"content":3572,"nodeType":2037},{"target":3569},{"sys":3570},{"id":3571,"type":1988,"linkType":1989},"2smtwpUnKZElj4tmZUcobg",[],{"data":3574,"content":3578,"nodeType":2037},{"target":3575},{"sys":3576},{"id":3577,"type":1988,"linkType":1989},"23Dg0elnnY1j0dHP3GICJc",[],{"data":3580,"content":3581,"nodeType":1294},{},[3582],{"data":3583,"marks":3584,"value":3585,"nodeType":1293},{},[],"This integration says that it’s Trello, the well known SaaS platform. However, it’s unverified, so how do we actually know it is really Trello and not a malicious app masquerading as Trello? Reply URLs (Microsoft) and approved domains (Google) are other interesting sources of data about an integration as they give authorized callback URLs. ",{"data":3587,"content":3588,"nodeType":1294},{},[3589],{"data":3590,"marks":3591,"value":3592,"nodeType":1293},{},[],"During a common code-based flow for an OAuth consent, once the user has authorized the request, a redirect needs to be made back to a domain/URL that is controlled by the OAuth app vendor to pass the code back to the app. Then the app can use the code to get a token that can be used to act on behalf of the user. ",{"data":3594,"content":3595,"nodeType":1294},{},[3596],{"data":3597,"marks":3598,"value":3599,"nodeType":1293},{},[],"If any domain or URL could be used then there would be nothing stopping an attacker from impersonating legitimate OAuth apps and having the details passed back to a domain they control. This is much less of an issue with code-based flows, since the attacker would need access to the app secrets as well. However, with implicit flows that pass the token back directly, that would mean an impersonation attack would be possible and implicit flows are still somewhat common. To guard against this, the app owner has to specify exactly which domains or URLs are permitted for sending codes and tokens to. 
",{"data":3601,"content":3602,"nodeType":1294},{},[3603,3607,3615],{"data":3604,"marks":3605,"value":3606,"nodeType":1293},{},[],"For Microsoft, this is one of the many fields returned from Graph API if you ",{"data":3608,"content":3610,"nodeType":1677},{"uri":3609},"https://learn.microsoft.com/en-us/graph/api/serviceprincipal-get?view=graph-rest-1.0&tabs=http",[3611],{"data":3612,"marks":3613,"value":3614,"nodeType":1293},{},[],"enumerate the service principals for apps installed",{"data":3616,"marks":3617,"value":3618,"nodeType":1293},{},[]," on your tenant. ",{"data":3620,"content":3624,"nodeType":2037},{"target":3621},{"sys":3622},{"id":3623,"type":1988,"linkType":1989},"115UEpFqDESlZJ0F5TqMjj",[],{"data":3626,"content":3627,"nodeType":1294},{},[3628],{"data":3629,"marks":3630,"value":3631,"nodeType":1293},{},[],"In this case, the app has only one authorized reply URL, which points to trello.com. This means that authorization tokens can only be sent to this URL. So, for the integration to be used (or abused) the developer (or attacker) would need control of that domain. In this example, you’d have some assurance that this integration is legitimately associated with Trello. However, there are no guarantees. It’s possible for an attacker to put a range of domains in a malicious integration they control and they only need control of one domain to make use of it. So if attackerdomain.com was also present, then trello.com could just be an effort by an attacker to make their integration appear more legitimate. Therefore, you need to consider all domains present as a whole, as the presence of one known legitimate domain isn’t enough on its own if other domains might be questionable. ",{"data":3633,"content":3634,"nodeType":1294},{},[3635,3639,3648],{"data":3636,"marks":3637,"value":3638,"nodeType":1293},{},[],"One caveat here is that this is much less of an issue when it comes to Google apps that have been through Google brand verification. 
Part of the verification process involves ",{"data":3640,"content":3642,"nodeType":1677},{"uri":3641},"https://developers.google.com/identity/protocols/oauth2/production-readiness/brand-verification#authorized-domains",[3643],{"data":3644,"marks":3645,"value":3647,"nodeType":1293},{},[3646],{"type":1695},"ensuring that the vendor owns the domains",{"data":3649,"marks":3650,"value":3651,"nodeType":1293},{},[]," (approved domains) registered in any callbacks. Therefore, if it’s a Google verified app then you don’t have to worry about legitimate domains being impersonated by an attacker to give a fake sense of legitimacy. ",{"data":3653,"content":3654,"nodeType":1294},{},[3655],{"data":3656,"marks":3657,"value":3658,"nodeType":1293},{},[],"It used to be possible to query the approved domains for a Google app via an undocumented API, but it recently stopped returning this information. There are still other details returned by the API, however, that can be of use during an investigation. See an example for Slack below, but you can replace the project ID in the URL with any app project ID:",{"data":3660,"content":3664,"nodeType":2037},{"target":3661},{"sys":3662},{"id":3663,"type":1988,"linkType":1989},"4kw9ZSZaGhbmvrp3wlaJgW",[],{"data":3666,"content":3667,"nodeType":2100},{},[3668],{"data":3669,"marks":3670,"value":3672,"nodeType":1293},{},[3671],{"type":3422},"Permissions",{"data":3674,"content":3675,"nodeType":1294},{},[3676],{"data":3677,"marks":3678,"value":3679,"nodeType":1293},{},[],"Both Google and Microsoft provide a very large number of permissions to give fine-grained control of what level of data access an OAuth integration has. This can be everything from a simple social login to access to high-risk data assets, like document stores and email inboxes, as well as administrative functionality. 
",{"data":3681,"content":3682,"nodeType":1294},{},[3683],{"data":3684,"marks":3685,"value":3686,"nodeType":1293},{},[],"It’s worth noting a few differences between how Microsoft and Google handle these permissions. While both have a very large number of fine-grained permissions for users to delegate, Microsoft also has the concept of App Roles, which administrative users can consent to as well. These are often similarly named to delegated permissions, except they give access to data for all users rather than just for the user granting consent. ",{"data":3688,"content":3689,"nodeType":1294},{},[3690,3694,3703],{"data":3691,"marks":3692,"value":3693,"nodeType":1293},{},[],"For example, an ordinary user might be able to consent to grant access to their exchange email inbox using a delegated permission, but an app could also request access to an app role to allow access to all users’ email inboxes and an administrative user could consent to that using the same consent screen. Google does have similar capabilities but they are managed separately ",{"data":3695,"content":3697,"nodeType":1677},{"uri":3696},"https://support.google.com/a/answer/162106?hl=en",[3698],{"data":3699,"marks":3700,"value":3702,"nodeType":1293},{},[3701],{"type":1695},"using domain-wide delegation",{"data":3704,"marks":3705,"value":1997,"nodeType":1293},{},[],{"data":3707,"content":3708,"nodeType":1294},{},[3709],{"data":3710,"marks":3711,"value":3712,"nodeType":1293},{},[],"Another important difference to consider here is that, as mentioned in the section above about verification, Google has different verification requirements depending on the data access requested. 
Microsoft allows even unverified apps to request access to any data, whereas Google designates some of the most sensitive data sources (such as Google Drive and Gmail) as being sensitive and requiring an app to not just be verified but to have undergone a much more stringent manual security review, including third-party security testing. ",{"data":3714,"content":3715,"nodeType":1294},{},[3716],{"data":3717,"marks":3718,"value":3719,"nodeType":1293},{},[],"Even without good reason to trust an OAuth integration, if the permissions it requests are extremely low risk then arguably it isn’t much of an issue. On the other hand, organizations with a need for a particularly stringent level of security may not be comfortable sharing high risk permissions with even fairly established SaaS vendors. Consequently, one of the most important data sources for evaluating the risk of an OAuth integration is the set of permissions it requests. ",{"data":3721,"content":3722,"nodeType":1294},{},[3723],{"data":3724,"marks":3725,"value":3726,"nodeType":1293},{},[],"An important factor to consider is that permissions are not necessarily fixed to be the same for every user. If more than one employee makes use of the same SaaS integration, it’s possible they may grant different permissions depending on what the integration does and how they enabled it. For example, let’s consider the Slack integration we saw before:",{"data":3728,"content":3732,"nodeType":2037},{"target":3729},{"sys":3730},{"id":3731,"type":1988,"linkType":1989},"37l3selHqmcY8PKCLZEiKN",[],{"data":3734,"content":3735,"nodeType":1294},{},[3736],{"data":3737,"marks":3738,"value":3739,"nodeType":1293},{},[],"In this particular example, we have 15 users who have granted access to three different very low risk permissions concerning their basic account information, which typically are the minimum required in order to enable a simple social login. 
However, additional permissions have been granted for some other users:",{"data":3741,"content":3745,"nodeType":2037},{"target":3742},{"sys":3743},{"id":3744,"type":1988,"linkType":1989},"3pJ0G2yfMnM7fNpP3IMs3a",[],{"data":3747,"content":3748,"nodeType":1294},{},[3749],{"data":3750,"marks":3751,"value":3752,"nodeType":1293},{},[],"It seems 15 users have also allowed access to their Google calendars and 5 users have also allowed full access to their Google Drive. This is due to different employees adding different Slack apps to enable calendar and file integration. For example, a standard social login to Slack using a Google account won’t even present the user with a consent screen because it only requests the most basic scopes. However, add a sensitive Slack app integration, like the one for Google Drive, and the user will receive a consent screen that looks like this, which is where this difference between users comes from:",{"data":3754,"content":3758,"nodeType":2037},{"target":3755},{"sys":3756},{"id":3757,"type":1988,"linkType":1989},"fjM0oY0viy3p9OAxdrmtT",[],{"data":3760,"content":3761,"nodeType":1294},{},[3762],{"data":3763,"marks":3764,"value":3765,"nodeType":1293},{},[],"Even if Slack is an officially used SaaS provider for an organization though, perhaps enabling complete Google Drive access to a third party would be seen as a compliance risk too far, in which case, you could revoke the file permissions to reduce risk, if desired. ",{"data":3767,"content":3768,"nodeType":1294},{},[3769,3773,3783],{"data":3770,"marks":3771,"value":3772,"nodeType":1293},{},[],"In cases of untrusted OAuth integrations or those that are difficult to verify, the overall risk still remains very low if innocuous permissions like those required for social logins are the only permissions granted. In fact, the majority of OAuth integrations we see at Push do not request anything other than social login permissions. 
If you want to know more about social login risk then check our previous article ",{"data":3774,"content":3778,"nodeType":1983},{"target":3775},{"sys":3776},{"id":3777,"type":1988,"linkType":1989},"1pbtctbbJRqLuz8dOsecOt",[3779],{"data":3780,"marks":3781,"value":3782,"nodeType":1293},{},[],"here",{"data":3784,"marks":3785,"value":3786,"nodeType":1293},{},[],". However, much more careful attention should be paid once you see unknown integrations with high-risk permissions, such as full access to file stores.",{"data":3788,"content":3789,"nodeType":2100},{},[3790],{"data":3791,"marks":3792,"value":3794,"nodeType":1293},{},[3793],{"type":3422},"Activity Logs",{"data":3796,"content":3797,"nodeType":1294},{},[3798],{"data":3799,"marks":3800,"value":3801,"nodeType":1293},{},[],"It’s one thing to know what an integration can access in principle, due to its permissions, but it’s another to know what it’s actually doing. In one case, an integration may have requested permissions in order to access a user’s entire file store, but it may only use that functionality when specifically directed to as a result of a user attempting to share a file or some other trigger activity.",{"data":3803,"content":3804,"nodeType":1294},{},[3805],{"data":3806,"marks":3807,"value":3808,"nodeType":1293},{},[],"That isn’t to say there is no risk: if the vendor is compromised and the tokens are stolen, then an attacker could arbitrarily access any files they like. However, if an integration constantly accesses all users’ files and syncs them in their entirety then that is clearly a very different risk profile to observe. Additionally, the ability to determine what an integration has actually done in an incident response scenario is invaluable.  ",{"data":3810,"content":3811,"nodeType":1294},{},[3812],{"data":3813,"marks":3814,"value":3815,"nodeType":1293},{},[],"Microsoft and Google offer different options here, which aren’t always available by default. 
Google provides API call visibility for OAuth integrations, which gives extremely detailed visibility of what an OAuth integration is doing and when. Here you can see the Slack integration using its Google Drive permissions to look for notifications for file changes, while the Thunderbird email integration is accessing some Gmail-related label data:",{"data":3817,"content":3821,"nodeType":2037},{"target":3818},{"sys":3819},{"id":3820,"type":1988,"linkType":1989},"UqbMx5UzEimig5uvUvag7",[],{"data":3823,"content":3824,"nodeType":1294},{},[3825,3829,3836],{"data":3826,"marks":3827,"value":3828,"nodeType":1293},{},[],"The key caveat with Google is that it’s not available on all plans. You can see ",{"data":3830,"content":3832,"nodeType":1677},{"uri":3831},"https://support.google.com/a/answer/6124308?hl=en",[3833],{"data":3834,"marks":3835,"value":3782,"nodeType":1293},{},[],{"data":3837,"marks":3838,"value":3839,"nodeType":1293},{},[]," that it's only available using Enterprise, Education and Cloud Identity Premium licenses. ",{"data":3841,"content":3842,"nodeType":1294},{},[3843],{"data":3844,"marks":3845,"value":3846,"nodeType":1293},{},[],"For Microsoft, rather than separate OAuth API call data, detailed audit data available as part of Microsoft Purview often gives context that can be traced back to OAuth integrations when that was the source. For example, here you can see the Mozilla Thunderbird OAuth integration being used to download a file from OneDrive. This is the same event you would get if a file was downloaded from a web interface, but in this case you can see in the AppAccessContext that it specifies a ClientAppId, which refers to the OAuth integration performing the action. 
This means you can track all activity specifically back to individual OAuth integrations separately from activity performed by a user within web interfaces - a very useful capability!",{"data":3848,"content":3852,"nodeType":2037},{"target":3849},{"sys":3850},{"id":3851,"type":1988,"linkType":1989},"38oqwAXkDrQSJzP1ByECLF",[],{"data":3854,"content":3855,"nodeType":2100},{},[3856],{"data":3857,"marks":3858,"value":3341,"nodeType":1293},{},[3859],{"type":3422},{"data":3861,"content":3862,"nodeType":1294},{},[3863],{"data":3864,"marks":3865,"value":3866,"nodeType":1293},{},[],"In this article, we have seen a range of ways that OAuth integrations for both Microsoft and Google can be investigated in order to gain a better understanding of their risk profile, as well as investigating what they actually do in an incident response scenario. While there are no hard and fast rules for when an integration should be considered safe or dangerous, hopefully this gives some idea as to how to perform a risk assessment to make a call depending on your organization’s risk tolerance level. ","An investigation guide for assessing app-to-app OAuth integration risk","An employee has added a new integration to your Azure tenant or Google Workspace. How do you assess risk? 
We’ll cover a few techniques in this article.","2023-03-15T00:00:00.000Z","an-investigation-guide-for-assessing-app-to-app-oauth-integration-risk",{"items":3872},[3873,3875],{"sys":3874,"name":1310},{"id":1309},{"sys":3876,"name":1306},{"id":1305},{"items":3878},[3879],{"fullName":3880,"firstName":3881,"jobTitle":3882,"profilePicture":3883},"Luke Jennings","Luke","Vice President, R&D",{"url":3884},"https://images.ctfassets.net/y1cdw1ablpvd/4Hosb4zKi1dA0PUyDLMe1h/27e09d894861f2196ba794037986fb08/T016S22KZ96-U02NVQM7ZD4-57761d542d83-512.jpeg",{"items":3886},[3887],{"fullName":3396,"firstName":3397,"jobTitle":3398,"profilePicture":3888},{"url":3400},"content:blog:the-risky-terrain-of-oauth-scopes-in-third-party.json","json","content","blog/the-risky-terrain-of-oauth-scopes-in-third-party.json","blog/the-risky-terrain-of-oauth-scopes-in-third-party",1776359991213]