[{"data":1,"prerenderedAt":5216},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":95,"navbar-about-highlight":155,"navbar-resource-highlight":211,"use-case-page":256,"blog/unpacking-the-latest-slh-campaign":1276},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8,59,76],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":14,"data":15,"variations":50,"lastUpdated":51,"firstPublished":52,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":54,"meta":55,"rev":58},1742213002749,"efff2a27faf4408e9f908eba4b5542fe","inductive-automation","1c6207a5f24948ab82d4a0b17f251193","published",[],{"testimonial":16,"description":43,"type":19,"link":44,"title":47,"testimonialLink":48,"image":49},{"@type":17,"id":18,"model":19,"value":20},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79","testimonial",{"query":21,"folders":22,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":26,"variations":30,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":35,"rev":42},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":27,"jobTitle":28,"quote":24,"image":29},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,1,"ST0tXQM8slWpFrmioqKHmENB2qe2",{"kind":36,"lastPreviewUrl":37,"breakpoints":38,"hasAutosaves":41},"data","",{"small":39,"medium":40},640,768,true,"3v32gocrrqz","Join the industry's top security minds as they break down the browser attack landscape.",{"url":45,"text":46},"https://pushsecurity.com/webinar/state-of-browser-security","Save Your Spot","State of Browser Attacks Series","/customer-stories/inductive-automation","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe94fca10aa7b46ac8052b7ea22de54cd",{},1776257019270,1742221533648,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2",[],{"breakpoints":56,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},320,"motto9r9yg",{"createdDate":60,"id":61,"name":62,"modelId":12,"published":13,"query":63,"data":64,"variations":69,"lastUpdated":70,"firstPublished":71,"testRatio":33,"createdBy":53,"lastUpdatedBy":72,"folders":73,"meta":74,"rev":58},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner",[],{"type":65,"url":66,"text":67,"link":68},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,"jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":36,"lastPreviewUrl":37,"breakpoints":75,"hasAutosaves":41},{"xsmall":57,"small":39,"medium":40},{"createdDate":77,"id":78,"name":79,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":80,"data":81,"variations":89,"lastUpdated":90,"firstPublished":91,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":92,"meta":93,"rev":58},1742208469288,"6763051b201f44a0838c6400c580ca67","Resource highlight",[],{"image":82,"type":83,"description":84,"link":85,"title":88},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9","resource","Learn about the latest techniques being used in the wild.",{"url":86,"text":87},"/resources/browser-attacks-report","Download now","Report: 2026 Browser Attack Techniques",{},1776255866789,1742208570400,[],{"kind":36,"lastPreviewUrl":37,"breakpoints":94,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},{"createdDate":96,"id":97,"name":98,"modelId":99,"published":13,"query":100,"data":101,"variations":145,"lastUpdated":146,"firstPublished":147,"testRatio":33,"createdBy":34,"lastUpdatedBy":148,"folders":149,"meta":150,"rev":154},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":102,"text":103,"url":37,"blocks":104,"state":141},"ewrererw","testrfesssssssssss",[105,129],{"@type":106,"@version":107,"id":108,"component":109,"responsiveStyles":119},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":110,"tag":110,"options":111,"isRSC":118},"TopBannerContent",{"text":112,"ctaText":46,"url":45,"mainText":113,"cta":116},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks",{"content":114,"fontSize":115},"\u003Cp>New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks\u003C/p>","text-base",{"content":117,"fontSize":115,"url":45},"\u003Cp>\u003Cstrong style=\"font-weight:700;\">Save Your Spot\u003C/strong>\u003C/p>\n",null,{"large":120},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"marginTop":126,"marginBottom":126,"fontSize":127,"fontWeight":128},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"id":130,"@type":106,"tagName":131,"properties":132,"responsiveStyles":136},"builder-pixel-08zrjigffq5t","img",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":137},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},"block","hidden","none",{"deviceSize":142,"location":143},"large",{"path":37,"query":144},{},{},1775137295127,1774968080803,"ax7YYfD0OCeqT1Vxxv1G4FUbqVr1",[],{"breakpoints":151,"hasLinks":6,"kind":152,"lastPreviewUrl":153,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests%2CmergePullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default","2lvuonnywj",[156,180],{"createdDate":157,"id":158,"name":159,"modelId":160,"published":13,"stageModifiedSincePublish":6,"query":161,"data":162,"variations":173,"lastUpdated":174,"firstPublished":175,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":176,"meta":177,"rev":179},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":163,"type":19,"testimonialLink":48,"testimonial":164},{},{"@type":17,"id":18,"model":19,"value":165},{"query":166,"folders":167,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":168,"variations":169,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":170,"rev":172},[],[],{"author":27,"jobTitle":28,"quote":24,"image":29},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":171,"hasAutosaves":41},{"small":39,"medium":40},"7t755zfvte3",{},1776247404986,1776247404973,[],{"breakpoints":178,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"4moh0qpywtr",{"createdDate":181,"id":182,"name":88,"modelId":160,"published":13,"meta":183,"stageModifiedSincePublish":6,"query":185,"data":186,"variations":207,"lastUpdated":208,"firstPublished":209,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":210,"rev":179},1776255761419,"05a9322735fc427db12e2740e4302300",{"breakpoints":184,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[],{"testimonial":187,"link":206,"type":83,"title":88,"description":84,"image":82},{"@type":17,"id":188,"model":19,"value":189},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":190,"folders":191,"createdDate":192,"id":188,"name":193,"modelId":25,"published":13,"data":194,"variations":200,"lastUpdated":201,"firstPublished":202,"testRatio":33,"createdBy":34,"lastUpdatedBy":53,"meta":203,"rev":205},[],[],1728981467463,"Push does for identity what CrowdStrike did for the endpoint",{"video":195,"jobTitle":196,"author":197,"qoute":37,"quote":198,"image":199},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":36,"lastPreviewUrl":37,"breakpoints":204,"hasAutosaves":41},{"small":39,"medium":40},"6s8ic0w0ao6",{"text":87,"url":86},{},1776255810913,1776255810900,[],[212,235],{"createdDate":213,"id":214,"name":88,"modelId":215,"published":13,"meta":216,"stageModifiedSincePublish":6,"query":218,"data":219,"variations":230,"lastUpdated":231,"firstPublished":232,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":233,"rev":234},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":217,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[],{"testimonial":220,"link":229,"type":83,"title":88,"description":84,"image":82},{"@type":17,"id":188,"model":19,"value":221},{"query":222,"folders":223,"createdDate":192,"id":188,"name":193,"modelId":25,"published":13,"data":224,"variations":225,"lastUpdated":201,"firstPublished":202,"testRatio":33,"createdBy":34,"lastUpdatedBy":53,"meta":226,"rev":228},[],[],{"video":195,"jobTitle":196,"author":197,"qoute":37,"quote":198,"image":199},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":227,"hasAutosaves":41},{"small":39,"medium":40},"r77qqueuo3j",{"text":87,"url":86},{},1776256937553,1776256937540,[],"q0jkez80wkg",{"createdDate":236,"id":237,"name":11,"modelId":215,"published":13,"stageModifiedSincePublish":6,"query":238,"data":239,"variations":250,"lastUpdated":251,"firstPublished":252,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":253,"meta":254,"rev":234},1776256949234,"ce043785b71b4ece98eac811ecf4ba10",[],{"link":240,"type":19,"testimonial":241,"testimonialLink":48},{},{"@type":17,"id":18,"model":19,"value":242},{"query":243,"folders":244,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":245,"variations":246,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":247,"rev":249},[],[],{"author":27,"jobTitle":28,"quote":24,"image":29},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":248,"hasAutosaves":41},{"small":39,"medium":40},"mnaneamy308",{},1776256974140,1776256974130,[],{"breakpoints":255,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[257,441,560,679,797,917,1037,1157],{"createdDate":258,"id":259,"name":260,"modelId":261,"published":13,"stageModifiedSincePublish":6,"query":262,"data":268,"variations":429,"lastUpdated":430,"firstPublished":431,"testRatio":33,"screenshot":432,"createdBy":34,"lastUpdatedBy":433,"folders":434,"meta":435,"rev":440},1744829487099,"387451215c314dd5bd654668cdc1a197","Zero-day phishing","cca4143377554c5a9163cc203a8ed2ba",[263],{"@type":264,"property":265,"operator":266,"value":267},"@builder.io/core:Query","urlPath","is","/uc/zero-day-phishing-protection",{"inputs":269,"customFonts":270,"seoTitle":318,"title":318,"tsCode":37,"seoDescription":319,"fontAwesomeIcon":320,"jsCode":37,"blocks":321,"url":267,"state":426},[],[271],{"family":272,"kind":273,"version":274,"lastModified":275,"files":276,"category":295,"menu":296,"subsets":297,"variants":300},"DM Sans","webfonts#webfont","v14","2023-07-13",{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"800italic":285,"900italic":286,"700italic":287,"100italic":288,"italic":289,"regular":290,"200italic":291,"500italic":292,"300italic":293,"600italic":294},"https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAop1hTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwA_JxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAkJxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAfJthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwARZthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAC5thTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8gCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9uCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDG3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-7DW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat_XDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9XCm3zRmYJpso5.ttf","sans-serif","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxRT23z.ttf",[298,299],"latin","latin-ext",[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"100","200","300","regular","500","600","800","900","100italic","200italic","300italic","italic","500italic","600italic","700italic","800italic","900italic","Zero-day phishing protection","Detect phishing TTPs directly in the browser and stop credential theft.","faFishingRod",[322,421],{"@type":106,"@version":107,"tagName":323,"id":324,"children":325},"div","builder-76c6b8d1499346c7bc1fd56ae4e93638",[326,343,351,358,370,385,396,407,413],{"@type":106,"@version":107,"layerName":327,"id":328,"component":329,"responsiveStyles":340},"UseCaseHero","builder-5228fe062bef4a40a91e43f1112832fa",{"name":327,"options":330,"isRSC":118},{"title":318,"description":331,"points":332,"video":339},"\u003Cp>Push detects phishing as it happens. Autonomous agents hunt for new phishing techniques, identify kit signatures, and deploy detections within minutes of a new attack being analyzed. From cloned login pages to AiTM credential harvesting, Push sees what traditional filters miss and stops threats before they escalate.\u003C/p>",[333,335,337],{"item":334},"Detect phishing that bypasses traditional filters, including AiTM, SSO password theft, and fake login pages",{"item":336},"Stop never-before-seen attacks with AI-native behavioral and on-page analysis inside the browser",{"item":338},"Investigate faster with unified browser, user, and page context","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F40433ceeb4f94b43a82e039a0f4fd411%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=40433ceeb4f94b43a82e039a0f4fd411&alt=media&optimized=true",{"large":341},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},"transparent",{"@type":106,"@version":107,"id":344,"component":345,"responsiveStyles":348},"builder-96634044407e491299e291ed64669e39",{"name":346,"options":347,"isRSC":118},"TrustedBy",{"AllPartners":41,"backgroundTransparent":6},{"large":349},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},"#000",{"@type":106,"@version":107,"id":352,"component":353,"responsiveStyles":356},"builder-2c3768f930534557bb8978e32b6a6a0f",{"name":354,"options":355,"isRSC":118},"Diagonal",{"darkMode":41},{"large":357},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":359,"id":360,"component":361,"responsiveStyles":368},"TextImageBlockVertical","builder-7c3c1c2840424db2ad2ccbfaf382dd64",{"name":359,"tag":359,"options":362,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":365,"description":366,"animatedTitle":37,"image":367,"reverse":6,"descriptionPaddingHorizontal":118},1200,800,"\u003Ch2>Why stop at the inbox?\u003C/h2>","\u003Cp>Phishing attacks have evolved. Whether attackers lure users with QR codes, instant messages, or OAuth consent screens, the outcome is the same: it plays out in the browser. Push gives you real-time detection for in-browser threats, stopping phishing and consent-based attacks before they lead to compromise\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7fdcac241f0e4a049166d7076858adeb",{"large":369},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":371,"component":372,"responsiveStyles":380},"builder-41c978b3669749cf947e622b4e79e4d7",{"name":373,"options":374,"isRSC":118},"TextImageBlockHorizontal",{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":377,"description":378,"reverse":41,"image":379},600,100,"\u003Cp>Detect phishing at the edge\u003C/p>","\u003Cp>Push uses industry-first telemetry to detect phishing based on behavior, not static indicators. Autonomous agents analyze how phishing pages behave and how users interact with them, uncovering fake logins, credential theft, and phishing kits the moment they load in the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F9df3d180c97b4e61af142af2ccd68721",{"large":381},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},"DM Sans, sans-serif","20px","0px",{"@type":106,"@version":107,"id":386,"component":387,"responsiveStyles":393},"builder-d2a7bc941feb43cdb898bc116b203cf9",{"name":373,"options":388,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":390,"description":391,"reverse":6,"image":392},120,"\u003Ch2>Go beyond blocklists and IOCs\u003C/h2>","\u003Cp>Push goes beyond URLs and easy-to-change indicators. It reads the full phishing playbook like script behavior, session hijacks, DOM changes, user inputs, then connects the dots in real time. This gives your team a complete picture of how the phishing attempt worked, not just an alert.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fabfd58db169b433e96d3f1261797156e",{"large":394},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},"36px",{"@type":106,"@version":107,"layerName":373,"id":397,"component":398,"responsiveStyles":404},"builder-42c32198083f4880acb37c5cb76934da",{"name":373,"options":399,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":401,"description":402,"reverse":41,"image":403},140,"\u003Ch2>Enhance your phishing response\u003C/h2>","\u003Cp>When phishing enters your environment, speed matters. Push gives you instant access to the telemetry that counts like session data, user behavior, and page activity, so you can investigate fast, trigger in-browser prompts, or forward alerts to your SIEM or SOAR for response. All in real time, right from the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fbb195aec46904056b85e8688629e558e",{"large":405},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},"47px",{"@type":106,"@version":107,"id":408,"component":409,"responsiveStyles":411},"builder-9a95b9cbc4854421a92ef7b90f6c7adb",{"name":354,"options":410,"isRSC":118},{"darkMode":6},{"large":412},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":414,"component":415,"responsiveStyles":419},"builder-0afa17a9f25c4661a90f314d5578aa18",{"name":416,"tag":416,"options":417,"isRSC":118},"LatestResources",{"sectionHeading":37,"customClass":418},"bg-black",{"large":420},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":422,"@type":106,"tagName":131,"properties":423,"responsiveStyles":424},"builder-pixel-21yj6h3p4wh",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":425},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":427},{"path":37,"query":428},{},{},1776275046831,1745499158657,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fff60c30a8442489c8ed7e0af9599d14f","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"lastPreviewUrl":436,"winningTest":118,"breakpoints":437,"kind":438,"hasLinks":6,"originalContentId":439,"hasAutosaves":6},"https://pushsecurity.com/uc/zero-day-phishing-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=387451215c314dd5bd654668cdc1a197&builder.overrides.387451215c314dd5bd654668cdc1a197=387451215c314dd5bd654668cdc1a197&builder.overrides.use-case-page:/uc/zero-day-phishing-protection=387451215c314dd5bd654668cdc1a197&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},"page","2daa5670b8504fc7ba4700633e8bd921","atvz4dp24b7",{"createdDate":442,"id":443,"name":444,"modelId":261,"published":13,"stageModifiedSincePublish":6,"query":445,"data":448,"variations":552,"lastUpdated":553,"firstPublished":554,"testRatio":33,"screenshot":555,"createdBy":34,"lastUpdatedBy":433,"folders":556,"meta":557,"rev":440},1756833377777,"54f8256648f54d439303734b1e69221b","Browser extension security",[446],{"@type":264,"property":265,"operator":266,"value":447},"/uc/browser-extension-security",{"seoDescription":449,"jsCode":37,"fontAwesomeIcon":450,"tsCode":37,"title":444,"seoTitle":444,"customFonts":451,"inputs":456,"blocks":457,"url":447,"state":549},"Shine a light on risky browser extensions.","faPuzzlePiece",[452],{"kind":273,"family":272,"version":274,"files":453,"category":295,"lastModified":275,"subsets":454,"variants":455,"menu":296},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"100italic":288,"italic":289,"regular":290,"900italic":286,"800italic":285,"700italic":287,"200italic":291,"300italic":293,"500italic":292,"600italic":294},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],[],[458,544],{"@type":106,"@version":107,"tagName":323,"id":459,"meta":460,"children":461},"builder-71d0648c1d2f4ede8d0d0b5b28b7b94c",{"previousId":324},[462,478,485,492,501,511,521,531,538],{"@type":106,"@version":107,"id":463,"meta":464,"component":465,"responsiveStyles":476},"builder-ff325b4b8fad4edea53f38865947e854",{"previousId":328},{"name":327,"options":466,"isRSC":118},{"title":444,"description":467,"points":468,"video":475},"\u003Cp>Browser extensions introduce new code, new permissions, and new potential for risk. Many include AI features, and most go completely unnoticed. Push gives you full visibility into every extension used across your workforce, across major browsers, so you can uncover shadow IT, assess risky permissions, and block unsafe tools before they lead to compromise.\u003C/p>",[469,471,473],{"item":470},"Discover every browser extension in use",{"item":472},"Spot risky or unsanctioned behavior",{"item":474},"Make informed decisions on extension policy","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc538aad95d7f403aa3c3551af72f67c0?alt=media&token=1411fa6d-2eac-4e6c-94bf-ea117da12d67&apiKey=f3a1111ff5be48cdbb123cd9f5795a05",{"large":477},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":479,"meta":480,"component":481,"responsiveStyles":483},"builder-fb89d128c64e47cf9cbb11d90fc24523",{"previousId":344},{"name":346,"options":482,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":484},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":486,"meta":487,"component":488,"responsiveStyles":490},"builder-54388d35126c4d0096eeebaf8c4448cd",{"previousId":352},{"name":354,"options":489,"isRSC":118},{"darkMode":41},{"large":491},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":359,"id":493,"component":494,"responsiveStyles":499},"builder-3c8fa6785dd6466abf52a2470d66d85a",{"name":359,"tag":359,"options":495,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":496,"description":497,"image":498,"reverse":6},"\u003Ch2>Take control of browser extensions\u003C/h2>","\u003Cp>Attackers are increasingly using malicious browser extensions to gain access to data processed and stored in the browser. And the problem is, most security teams have no visibility into what extensions are being used. Push changes that. With browser-native telemetry, the Push extension continuously inventories browser extensions across your environment, flags the risky ones, and gives you intelligence to act. \u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0a004f16a6874f4c8fdf14344acc9fec",{"large":500},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":502,"meta":503,"component":504,"responsiveStyles":509},"builder-93738f98109a4009affb349afd7bb182",{"previousId":371},{"name":373,"options":505,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":506,"description":507,"reverse":41,"image":508},"\u003Ch2>Discover every extension in use\u003C/h2>","\u003Cp>Push gives you structured, searchable data about every extension in your environment, so you’re not just seeing what’s there, but also understanding how it got there, what it can do, and who it affects. It’s the kind of granular insight that’s nearly impossible to get from traditional tools, and it lays the groundwork for better policy decisions and faster investigations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0e5727ca99474f14b1b7916bf6bbb782",{"large":510},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":512,"meta":513,"component":514,"responsiveStyles":519},"builder-83393acb12ee4fdd840839185b51edb4",{"previousId":386},{"name":373,"options":515,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":516,"description":517,"reverse":6,"image":518},"\u003Ch2>Spot risky or malicious extensions\u003C/h2>","\u003Cp>Push highlights extensions with dangerous permissions, broad access, or poor reputations. This includes AI extensions that request access far beyond what their stated purpose requires. You can quickly detect sideloaded, manually installed, or development-mode extensions that bypass normal controls. And because Push shows you who’s using them and where, you can respond precisely and effectively.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa104d58c8da34fbb8901f738fb21453b",{"large":520},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":522,"meta":523,"component":524,"responsiveStyles":529},"builder-da98e3de949646d89c53a0d1c2784664",{"previousId":397},{"name":373,"options":525,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":526,"description":527,"reverse":41,"image":528},"\u003Ch2>Accelerate security reviews\u003C/h2>","\u003Cp>Most teams have extension policies, they just don’t have the data to enforce them. Push reveals how each extension entered your environment, whether it was installed manually, sideloaded, or deployed in dev mode. You’ll see which users are running what, and where, so you can surface violations, investigate quickly, and respond with confidence.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F229f355be6f243b180f410d237a75bb3",{"large":530},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":532,"meta":533,"component":534,"responsiveStyles":536},"builder-1a689287d1a1418997d57db578a71105",{"previousId":408},{"name":354,"options":535,"isRSC":118},{"darkMode":6},{"large":537},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":539,"component":540,"responsiveStyles":542},"builder-feb4e75029f84c10b6498ef1f8f79128",{"name":416,"tag":416,"options":541,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":543},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":545,"@type":106,"tagName":131,"properties":546,"responsiveStyles":547},"builder-pixel-0edn39avfcei",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":548},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":550},{"path":37,"query":551},{},{},1776275365038,1757000441666,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8d496cf111644ee5afcc046b72d1ca5a",[],{"kind":438,"winningTest":118,"breakpoints":558,"lastPreviewUrl":559,"hasLinks":6,"originalContentId":259,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/browser-extension-security?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=54f8256648f54d439303734b1e69221b&builder.overrides.54f8256648f54d439303734b1e69221b=54f8256648f54d439303734b1e69221b&builder.overrides.use-case-page:/uc/browser-extension-security=54f8256648f54d439303734b1e69221b&builder.options.locale=Default",{"createdDate":561,"id":562,"name":563,"modelId":261,"published":13,"query":564,"data":567,"variations":670,"lastUpdated":671,"firstPublished":672,"testRatio":33,"screenshot":673,"createdBy":34,"lastUpdatedBy":674,"folders":675,"meta":676,"rev":440},1744923509705,"94bebb7bb99d48629ad157e80cf4d81d","Account takeover detection",[565],{"@type":264,"property":265,"operator":266,"value":566},"/uc/account-takeover-detection",{"title":563,"customFonts":568,"jsCode":37,"seoTitle":563,"seoDescription":573,"fontAwesomeIcon":574,"tsCode":37,"blocks":575,"url":566,"state":667},[569],{"kind":273,"category":295,"variants":570,"menu":296,"files":571,"family":272,"subsets":572,"version":274,"lastModified":275},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"300italic":293,"500italic":292,"800italic":285,"700italic":287,"italic":289,"900italic":286,"600italic":294,"200italic":291,"regular":290,"100italic":288},[298,299],"Stop ATO with stolen credential and compromised token detection.","faUserSecret",[576,662],{"@type":106,"@version":107,"tagName":323,"id":577,"meta":578,"children":579},"builder-e7913a774cae44c5a23d6081c5c30a52",{"previousId":324},[580,596,603,610,619,629,639,649,656],{"@type":106,"@version":107,"id":581,"meta":582,"component":583,"responsiveStyles":594},"builder-f1f1ab1601bc4c0f8c2a8aafd173675d",{"previousId":328},{"name":327,"options":584,"isRSC":118},{"title":563,"description":585,"points":586,"video":593},"\u003Cp>Attackers don’t need to phish, they just need a password that works. Push monitors for signs of credential-based attacks in real time, directly in the browser, catching account takeover attempts before the damage spreads. From ghost logins to credential stuffing, Push cuts off the paths attackers use to quietly slip in the back door.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[587,589,591],{"item":588},"Identify credential-based ATO as it unfolds",{"item":590},"Surface hijacked sessions and token misuse",{"item":592},"Strengthen authentication where your IdP can’t","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb4dd9db24bc9495b8a686b1b4d492016%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=b4dd9db24bc9495b8a686b1b4d492016&alt=media&optimized=true",{"large":595},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":597,"meta":598,"component":599,"responsiveStyles":601},"builder-0bc0d1c78ece4994993c3a6427a4d533",{"previousId":344},{"name":346,"options":600,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":602},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":604,"meta":605,"component":606,"responsiveStyles":608},"builder-e45de8f3768c4f16938dbf78e4e87524",{"previousId":352},{"name":354,"options":607,"isRSC":118},{"darkMode":41},{"large":609},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":611,"component":612,"responsiveStyles":617},"builder-c98e8bfd341146c1b67c02d5698ff093",{"name":359,"tag":359,"options":613,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":614,"description":615,"image":616,"reverse":6},"\u003Ch2>Assume less. See more.\u003C/h2>","\u003Cp>Most account takeovers don’t start with a breach, they start with a login. Whether it’s a reused password, a local account, or an outdated login flow, Push shows you how accounts are actually accessed day to day, not just how policies say they should be. That means no more blind spots around ghost logins, bypassed SSO, or stale access paths that quietly persist.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F18630ad2746d4eb7b7fcc0428b11a8f0",{"large":618},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":620,"meta":621,"component":622,"responsiveStyles":627},"builder-55c1fc38ddc04fd1a0d6a8e2fb819e00",{"previousId":371},{"name":373,"options":623,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":624,"description":625,"reverse":41,"image":626},"\u003Ch2>Catch stolen credential use in real time\u003C/h2>","\u003Cp>Push monitors login activity directly in the browser to detect signs of credential-based attacks like leaked password use or suspicious login flows. By analyzing attacker TTPs instead of relying on known indicators, Push spots credential stuffing and account takeover attempts the moment they begin, not after they’ve succeeded.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F52b0123cac2c4dfdb1dc0af6adf9d603",{"large":628},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":630,"meta":631,"component":632,"responsiveStyles":637},"builder-dfb31737b30948c6b95323655d571a50",{"previousId":386},{"name":373,"options":633,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":634,"description":635,"reverse":6,"image":636},"\u003Ch2>Detect session hijacks and stealth access\u003C/h2>","\u003Cp>Attackers don’t always need a login screen, they often sidestep it entirely using stolen session tokens. Push detects when valid sessions are reused in unexpected ways, identifying hijacked sessions and stealth access attempts that traditional tools miss. Because we monitor directly in the browser, you see what’s happening inside active sessions in real time.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F94a6859a99e04d309ffe5841f3dbdf5c",{"large":638},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":640,"meta":641,"component":642,"responsiveStyles":647},"builder-f7585b90eb974d03a7dc7eae5b58d227",{"previousId":397},{"name":373,"options":643,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":644,"description":645,"reverse":41,"image":646},"\u003Ch2>Harden accounts before they’re compromised\u003C/h2>","\u003Cp>Push goes beyond alerts. It identifies apps that still allow local logins, even when SSO is configured, so you can remove weak access paths. Push also flags users without MFA, reused work credentials, or weak passwords, and prompts users in-browser to fix risky behaviors before they’re exploited.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01c1b638f1b6497093a4f2b8ceddb5bb",{"large":648},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":650,"meta":651,"component":652,"responsiveStyles":654},"builder-ad81d1e3afec49a791214194eae09bdc",{"previousId":408},{"name":354,"options":653,"isRSC":118},{"darkMode":6},{"large":655},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":657,"component":658,"responsiveStyles":660},"builder-8dac1aa4b9d148628d92252bd8eff822",{"name":416,"tag":416,"options":659,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":661},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":663,"@type":106,"tagName":131,"properties":664,"responsiveStyles":665},"builder-pixel-s5u3wmvz7jq",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":666},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":668},{"path":37,"query":669},{},{},1770892814499,1745499162732,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F58b660fa94aa4b30b0faeb9b663ae41a","SfUPqW5tkibIPby49keNFMdHFTr1",[],{"lastPreviewUrl":677,"hasLinks":6,"originalContentId":259,"breakpoints":678,"winningTest":118,"kind":438,"hasAutosaves":41},"https://pushsecurity.com/uc/account-takeover-detection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.94bebb7bb99d48629ad157e80cf4d81d=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.use-case-page:/uc/account-takeover-detection=94bebb7bb99d48629ad157e80cf4d81d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":680,"id":681,"name":682,"modelId":261,"published":13,"query":683,"data":686,"variations":789,"lastUpdated":790,"firstPublished":791,"testRatio":33,"screenshot":792,"createdBy":34,"lastUpdatedBy":674,"folders":793,"meta":794,"rev":440},1745009370904,"23eb48fb56d3451cab77cb6ed140ee6d","Attack path hardening",[684],{"@type":264,"property":265,"operator":266,"value":685},"/uc/attack-path-hardening",{"tsCode":37,"seoDescription":687,"jsCode":37,"customFonts":688,"fontAwesomeIcon":693,"seoTitle":682,"title":682,"blocks":694,"url":685,"state":786},"Harden access paths with visibility,  detection, and guardrails.",[689],{"kind":273,"files":690,"version":274,"lastModified":275,"subsets":691,"menu":296,"category":295,"variants":692,"family":272},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"regular":290,"italic":289,"800italic":285,"500italic":292,"600italic":294,"200italic":291,"900italic":286,"700italic":287,"100italic":288,"300italic":293},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"faRadar",[695,781],{"@type":106,"@version":107,"tagName":323,"id":696,"meta":697,"children":698},"builder-1d8553eddcaa44d7bba9e2f4ca13af2a",{"previousId":577},[699,715,722,729,738,748,758,768,775],{"@type":106,"@version":107,"id":700,"meta":701,"component":702,"responsiveStyles":713},"builder-84fe3d7c85a743cf8cef649aa974f1ef",{"previousId":581},{"name":327,"options":703,"isRSC":118},{"title":682,"description":704,"points":705,"video":712},"\u003Cp>Push continuously monitors your environment for exposed login paths, weak credentials, and missing protections like MFA. It detects the gaps attackers exploit and helps you close them before they’re used.\u003C/p>",[706,708,710],{"item":707},"Find weak spots like reused passwords, local logins, and missing MFA",{"item":709},"Monitor how users actually log in across apps, flows, and tools",{"item":711},"Enforce secure access with in-browser guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fdbdcf52892034f1bbddded77f753a343%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=dbdcf52892034f1bbddded77f753a343&alt=media&optimized=true",{"large":714},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":716,"meta":717,"component":718,"responsiveStyles":720},"builder-b3f66f5b08054cc78a06fecfc3ae2337",{"previousId":597},{"name":346,"options":719,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":721},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":723,"meta":724,"component":725,"responsiveStyles":727},"builder-4c73418b84be49ed85e6e13d2625c5a0",{"previousId":604},{"name":354,"options":726,"isRSC":118},{"darkMode":41},{"large":728},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":730,"component":731,"responsiveStyles":736},"builder-dec0246085e1485c803f7152b1922a81",{"name":359,"tag":359,"options":732,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":733,"description":734,"image":735,"reverse":6},"\u003Ch2>Find the gaps that lead to compromise\u003C/h2>","\u003Cp>Misconfigurations don’t show up in your config files, they show up in how users actually access apps. Push monitors real login behavior in the browser, surfacing risky patterns like local login access, duplicate accounts, or missing protections that leave doors wide open.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F309a59bba8d247a19476bb369397460e",{"large":737},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":739,"meta":740,"component":741,"responsiveStyles":746},"builder-ebf049a645604a249550996a88f8f3b6",{"previousId":620},{"name":373,"options":742,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":743,"description":744,"reverse":41,"image":745},"\u003Ch2>See real login behavior\u003C/h2>","\u003Cp>Push watches authentication flows as they happen, giving you a live view of how users log in, which methods they choose, and where protections like MFA are missing. Plus, uncover every app and account in use, even shadow IT you didn’t know existed, without relying on stale config files or IdP assumptions. \u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb51f6b0357cc451b87a7a5016d984e5e",{"large":747},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":749,"meta":750,"component":751,"responsiveStyles":756},"builder-431d175c59004669b0b2776b07d71737",{"previousId":630},{"name":373,"options":752,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":753,"description":754,"reverse":6,"image":755},"\u003Ch2>Find and fix posture drift\u003C/h2>","\u003Cp>Security posture isn’t static. Push continuously monitors for issues like missing MFA or legacy login methods. When something falls out of policy, you know immediately with custom notifications so you can act before it turns into risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F324e39127dfc41e592b1183dfb39892d",{"large":757},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":759,"meta":760,"component":761,"responsiveStyles":766},"builder-3dffdcbe0a484e2ca4c03f019b6d40ee",{"previousId":640},{"name":373,"options":762,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":763,"description":764,"reverse":41,"image":765},"\u003Ch2>Guide users with in-browser guardrails\u003C/h2>","\u003Cp>Push doesn’t just surface problems, it helps you fix them. When users sign in without MFA, reuse a password, or use insecure credentials, Push prompts them directly in the browser to secure their access. It’s faster, more effective, and actually gets results.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fee8b75d13e45488aba55434a8b49ebb0",{"large":767},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":769,"meta":770,"component":771,"responsiveStyles":773},"builder-976bc222cd7647ff905f1e01cfedc453",{"previousId":650},{"name":354,"options":772,"isRSC":118},{"darkMode":6},{"large":774},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":776,"component":777,"responsiveStyles":779},"builder-8c47ec2fd0f74382bb3e6c870555632c",{"name":416,"tag":416,"options":778,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":780},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":782,"@type":106,"tagName":131,"properties":783,"responsiveStyles":784},"builder-pixel-7akm7dayau8",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":785},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":787},{"path":37,"query":788},{},{},1770892844854,1745499166112,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6ca12bf728a045f1a31d40c0beb3bfe5",[],{"kind":438,"lastPreviewUrl":795,"breakpoints":796,"hasLinks":6,"originalContentId":562,"winningTest":118,"hasAutosaves":6},"https://pushsecurity.com/uc/attack-path-hardening?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.23eb48fb56d3451cab77cb6ed140ee6d=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.use-case-page:/uc/attack-path-hardening=23eb48fb56d3451cab77cb6ed140ee6d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":798,"id":799,"name":800,"modelId":261,"published":13,"query":801,"data":804,"variations":909,"lastUpdated":910,"firstPublished":911,"testRatio":33,"screenshot":912,"createdBy":34,"lastUpdatedBy":674,"folders":913,"meta":914,"rev":440},1761675020232,"ea4f309d2ffe46c5aa97ebf0fda4e2e3","ClickFix Protection",[802],{"@type":264,"property":265,"operator":266,"value":803},"/uc/clickfix-protection",{"seoDescription":805,"fontAwesomeIcon":806,"customFonts":807,"seoTitle":812,"jsCode":37,"tsCode":37,"title":812,"blocks":813,"url":803,"state":906},"Block attacks that trick users into running malicious code.","faLaptopCode",[808],{"files":809,"subsets":810,"menu":296,"version":274,"kind":273,"family":272,"lastModified":275,"variants":811,"category":295},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"200italic":291,"800italic":285,"700italic":287,"600italic":294,"100italic":288,"italic":289,"regular":290,"300italic":293,"500italic":292,"900italic":286},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"ClickFix protection",[814,901],{"@type":106,"@version":107,"tagName":323,"id":815,"meta":816,"children":817},"builder-d7eefdde0f2a4b2b9de3dcb2978fd6cb",{"previousId":696},[818,834,841,848,858,868,878,888,895],{"@type":106,"@version":107,"id":819,"meta":820,"component":821,"responsiveStyles":832},"builder-56e2c54bcce040a4af8b92ae03706c12",{"previousId":700},{"name":327,"options":822,"isRSC":118},{"title":812,"description":823,"points":824,"image":831},"\u003Cp>ClickFix attacks are one of the fastest-growing threats, tricking users into copying malicious code from a webpage and running it locally. This technique bypasses traditional EDR, email gateways, and network filters, leading directly to ransomware and data theft. Push stops this attack at the source, in the browser, by detecting and blocking the malicious behavior before the user can ever paste the code.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[825,827,829],{"item":826},"Detect ClickFix, FileFix, and fake CAPTCHA in the browser",{"item":828},"Block malicious copy-and-paste actions before code is executed",{"item":830},"See full telemetry into which users were targeted and what they saw","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b74af62889847ebb3927364485b0546",{"large":833},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":835,"meta":836,"component":837,"responsiveStyles":839},"builder-05f9614d4e3e4dc88b3ee8658f54e10e",{"previousId":716},{"name":346,"options":838,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":840},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":842,"meta":843,"component":844,"responsiveStyles":846},"builder-c4fb5179366243c1b6c32d368675cf47",{"previousId":723},{"name":354,"options":845,"isRSC":118},{"darkMode":41},{"large":847},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":849,"meta":850,"component":851,"responsiveStyles":856},"builder-261af50705fd445d8cca4a6ba20d5391",{"previousId":730},{"name":359,"tag":359,"options":852,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":853,"description":854,"reverse":6,"image":855},"\u003Ch2>Stop ClickFix-style attacks before they become a breach\u003C/h2>","\u003Cp>Traditional security tools are blind to malicious copy and paste attacks because the attack exploits a gap between the browser and the endpoint. EDR only sees the payload after it runs, and network tools see only part of the picture.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F98b2f7e08dec4eafaf8e24937605b8cf",{"large":857},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":859,"meta":860,"component":861,"responsiveStyles":866},"builder-7d21b8aab8064c40b1e5dd23c4749309",{"previousId":739},{"name":373,"options":862,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":863,"description":864,"reverse":41,"image":865},"\u003Ch2>Discover lures at the source\u003C/h2>","\u003Cp>Push inspects page behavior to identify ClickFix attacks as they happen. By inspecting the page, its structure, and how the user interacts with it, Push can detect and block these in-browser threats in real time. This deep, TTP-based inspection spots the trap even on novel pages that are built to bypass traditional web filters and blocklists.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F665bf47e01544c75bf9ddafd3917927b",{"large":867},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":869,"meta":870,"component":871,"responsiveStyles":876},"builder-fb91943adf6149259ed9e1e6566c9afe",{"previousId":749},{"name":373,"options":872,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":873,"description":874,"reverse":6,"image":875},"\u003Ch2>Block the malicious action\u003C/h2>","\u003Cp>When Push detects a malicious script, it intercepts the user's action and blocks the code from being copied to the clipboard. The user is protected, the attack is stopped, and no malicious code ever reaches the endpoint. Unlike broad DLP tools, this action is surgical, targeting only malicious behavior without disrupting normal work.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F5ee68f81f1ac416685cbfe91298cf827",{"large":877},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":879,"meta":880,"component":881,"responsiveStyles":886},"builder-bfac95fada864e5a8259b955b5b5f98b",{"previousId":759},{"name":373,"options":882,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":883,"description":884,"reverse":41,"image":885},"\u003Ch2>Accelerate ClickFix investigations\u003C/h2>","\u003Cp>When an attack happens, knowing what the user saw or did is critical. Push provides rich browser session data for rapid investigation and containment. Security teams get detailed telemetry on which users were targeted, what lure they were served, and when the block occurred. This enables defenders to reconstruct what happened and respond quickly, even when other tools miss the activity entirely.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6cdf2a8aeddc4e9a9023cbf974e40239",{"large":887},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":889,"meta":890,"component":891,"responsiveStyles":893},"builder-136892e831684a6987f87d3be67c33d1",{"previousId":769},{"name":354,"options":892,"isRSC":118},{"darkMode":6},{"large":894},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":896,"component":897,"responsiveStyles":899},"builder-dec26b739f2f42beb5a73cfc6c675b60",{"name":416,"tag":416,"options":898,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":900},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":902,"@type":106,"tagName":131,"properties":903,"responsiveStyles":904},"builder-pixel-zzjpxxgrc2l",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":905},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":907},{"path":37,"query":908},{},{},1770892881888,1761847585203,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F375467b8bef34ed1a8a1cc5b8b67d75f",[],{"lastPreviewUrl":915,"originalContentId":681,"winningTest":118,"hasLinks":6,"kind":438,"breakpoints":916,"hasAutosaves":6},"https://pushsecurity.com/uc/clickfix-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.ea4f309d2ffe46c5aa97ebf0fda4e2e3=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.use-case-page:/uc/clickfix-protection=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":918,"id":919,"name":920,"modelId":261,"published":13,"query":921,"data":924,"variations":1029,"lastUpdated":1030,"firstPublished":1031,"testRatio":33,"screenshot":1032,"createdBy":34,"lastUpdatedBy":674,"folders":1033,"meta":1034,"rev":440},1745009743870,"a9d5556e77f84a37b5bd52310a7110c1","Incident response",[922],{"@type":264,"property":265,"operator":266,"value":923},"/uc/incident-response",{"seoDescription":925,"customFonts":926,"title":920,"jsCode":37,"fontAwesomeIcon":931,"seoTitle":932,"tsCode":37,"blocks":933,"url":923,"state":1026},"Investigate and respond faster with unique browser telemetry.",[927],{"kind":273,"subsets":928,"menu":296,"variants":929,"category":295,"family":272,"version":274,"lastModified":275,"files":930},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"900italic":286,"600italic":294,"200italic":291,"300italic":293,"100italic":288,"700italic":287,"800italic":285,"regular":290,"italic":289,"500italic":292},"faSatelliteDish","Browser based incident response",[934,1021],{"@type":106,"@version":107,"tagName":323,"id":935,"meta":936,"children":937},"builder-653c4aed737b4def88dc4cd2d695660a",{"previousId":696},[938,955,962,969,978,988,998,1008,1015],{"@type":106,"@version":107,"id":939,"meta":940,"component":941,"responsiveStyles":953},"builder-18190bd36518467d9154d27d7e945b9b",{"previousId":700},{"name":327,"options":942,"isRSC":118},{"title":943,"description":944,"points":945,"video":952},"Browser-based incident response","\u003Cp>Push gives you real-time visibility into what actually happened during a breach, right in the browser where the attack played out. From credential theft to session hijacking, Push captures high-fidelity telemetry so you can investigate quickly, contain confidently, and shut it down before it spreads.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[946,948,950],{"item":947},"Reconstruct what happened with real browser session context",{"item":949},"Investigate faster with real-world session context",{"item":951},"Trigger response actions automatically through your SIEM or SOAR","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fd00e39d3b6e346c296261d875cf55652%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=d00e39d3b6e346c296261d875cf55652&alt=media&optimized=true",{"large":954},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":956,"meta":957,"component":958,"responsiveStyles":960},"builder-8a0a8ea63f5d48dd8a6726f2d49cf0ca",{"previousId":716},{"name":346,"options":959,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":961},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":963,"meta":964,"component":965,"responsiveStyles":967},"builder-2df65c3f54334df2b26e7cb744886cdc",{"previousId":723},{"name":354,"options":966,"isRSC":118},{"darkMode":41},{"large":968},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":970,"component":971,"responsiveStyles":976},"builder-2c32c869efc2423ab69ef06b150e9f97",{"name":359,"tag":359,"options":972,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":973,"description":974,"image":975,"reverse":6},"\u003Ch2>See attacks unfold, not just their aftermath\u003C/h2>","\u003Cp>Attacks happen in the browser, not in logs. Push captures what traditional tools miss: what users clicked, what loaded, what was entered, and how attackers moved. That gives you real-world evidence, not just assumptions, when every second matters.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F36fc719bd1de4a38b916f4d25c81a26d",{"large":977},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":979,"meta":980,"component":981,"responsiveStyles":986},"builder-370e53c6016e432db01e9193a2ce90f6",{"previousId":739},{"name":373,"options":982,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":983,"description":984,"reverse":41,"image":985},"\u003Ch2>Investigate faster with high-fidelity data\u003C/h2>","\u003Cp>Reconstructing an incident shouldn’t feel like guesswork. Push records detailed telemetry from inside the browser: page loads, credential inputs, DOM changes, session activity, user behavior. It’s structured, exportable, and ready to plug into your investigation workflows, so you can move fast without digging through proxy logs or relying on user reports.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa6adda040e684e67a8d68a55c5ce5f6d",{"large":987},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":989,"meta":990,"component":991,"responsiveStyles":996},"builder-a7f3767a8d184bd08fb24520bf210e95",{"previousId":749},{"name":373,"options":992,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":993,"description":994,"reverse":6,"image":995},"\u003Ch2>Contain and respond in real time\u003C/h2>","\u003Cp>When something looks off, Push doesn’t just alert you, it gives you options. Guide users with in-browser prompts. Terminate sessions. Trigger SOAR workflows. Enrich SIEM alerts. Push gives you the context and control to stop spread before it starts.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb3dedeed5aba4847a2c2d22e10d0ec12",{"large":997},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":999,"meta":1000,"component":1001,"responsiveStyles":1006},"builder-b92036ee0ece4b32acdbdcc7c377366b",{"previousId":759},{"name":373,"options":1002,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1003,"description":1004,"reverse":41,"image":1005},"\u003Ch2>Prevent the next one\u003C/h2>","\u003Cp>Push helps you respond fast, but it also helps you fix what went wrong. It surfaces misconfigurations and risky behaviors that made the attack possible in the first place, then guides users in-browser to remediate. One tool. Full loop. No loose ends.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc1ecc2d5d3814b62b072fac01827ff96",{"large":1007},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1009,"meta":1010,"component":1011,"responsiveStyles":1013},"builder-5e8ae39655274de89da32ab573a2525a",{"previousId":769},{"name":354,"options":1012,"isRSC":118},{"darkMode":6},{"large":1014},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1016,"component":1017,"responsiveStyles":1019},"builder-dfd6850cfb4741d2b8a0c16c2780f00a",{"name":416,"tag":416,"options":1018,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1020},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1022,"@type":106,"tagName":131,"properties":1023,"responsiveStyles":1024},"builder-pixel-z197gdgcmu",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":1025},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1027},{"path":37,"query":1028},{},{},1770892908052,1745427419274,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb07017bfd318431690a5bb35bda35b99",[],{"kind":438,"breakpoints":1035,"originalContentId":681,"winningTest":118,"lastPreviewUrl":1036,"hasLinks":6,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/incident-response?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.a9d5556e77f84a37b5bd52310a7110c1=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.use-case-page:/uc/incident-response=a9d5556e77f84a37b5bd52310a7110c1&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"createdDate":1038,"id":1039,"name":1040,"modelId":261,"published":13,"query":1041,"data":1044,"variations":1149,"lastUpdated":1150,"firstPublished":1151,"testRatio":33,"screenshot":1152,"createdBy":34,"lastUpdatedBy":674,"folders":1153,"meta":1154,"rev":440},1746122471259,"5f118e24433d46ceb79f5099987156d7","Shadow SaaS",[1042],{"@type":264,"property":265,"operator":266,"value":1043},"/uc/shadow-saas",{"seoTitle":1045,"seoDescription":1046,"customFonts":1047,"fontAwesomeIcon":1052,"title":1053,"jsCode":37,"tsCode":37,"blocks":1054,"url":1043,"state":1146},"Find and secure shadow SaaS","See and control shadow SaaS in the browser.",[1048],{"kind":273,"variants":1049,"files":1050,"family":272,"version":274,"subsets":1051,"lastModified":275,"category":295,"menu":296},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"300italic":293,"500italic":292,"regular":290,"900italic":286,"italic":289,"100italic":288,"200italic":291,"600italic":294,"700italic":287,"800italic":285},[298,299],"faShieldCheck","Secure shadow SaaS",[1055,1141],{"@type":106,"@version":107,"tagName":323,"id":1056,"meta":1057,"children":1058},"builder-04da805c4cd34652a2db452fcda52e1d",{"previousId":935},[1059,1075,1082,1089,1098,1108,1118,1128,1135],{"@type":106,"@version":107,"id":1060,"meta":1061,"component":1062,"responsiveStyles":1073},"builder-830d414faeaf41439142f9157e8288c8",{"previousId":939},{"name":327,"options":1063,"isRSC":118},{"title":1045,"description":1064,"points":1065,"video":1072},"\u003Cp>SaaS sprawl is one of today’s fastest-growing security blind spots because most tools monitor around the edges. Push sees it at the source, in the browser, revealing every app users access, flagging risky tools, and helping you shut down exposure before it leads to a breach. No guesswork. No nasty surprises. Just real-time visibility and control.\u003C/p>",[1066,1068,1070],{"item":1067},"Discover every SaaS app users access, managed or not",{"item":1069},"Spot accounts with weak security postures like missing MFA, unmanaged access, and no SSO",{"item":1071},"Control usage with in-browser prompts, blocks, and security guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F3e4eece318d04d6586e691d59d0741cf%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=3e4eece318d04d6586e691d59d0741cf&alt=media&optimized=true",{"large":1074},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":1076,"meta":1077,"component":1078,"responsiveStyles":1080},"builder-cd7833f966cb4c7e8adf0d6c979414a6",{"previousId":956},{"name":346,"options":1079,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":1081},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":1083,"meta":1084,"component":1085,"responsiveStyles":1087},"builder-49d720b45430454e8b08c526f267c19f",{"previousId":963},{"name":354,"options":1086,"isRSC":118},{"darkMode":41},{"large":1088},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1090,"component":1091,"responsiveStyles":1096},"builder-3dde0bf6c8544e5e9ab41b18a9d68034",{"name":359,"tag":359,"options":1092,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":1093,"description":1094,"image":1095,"reverse":6},"\u003Ch2>Use your browser to curb Saas Sprawl\u003C/h2>","\u003Cp>Shadow SaaS isn’t hiding in your network, it’s in your browser. From AI tools to unsanctioned file-sharing sites, security risks live in the apps your users sign into every day. Push maps your organization's true SaaS footprint in real time, exposing apps and accounts with unmanaged access, poor authentication, or no security oversight.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb6811a214c7949b6bbe0b9a3bca62efd",{"large":1097},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1099,"meta":1100,"component":1101,"responsiveStyles":1106},"builder-e2420451ccdc4f088d0a4904cff45935",{"previousId":979},{"name":373,"options":1102,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":1103,"description":1104,"reverse":41,"image":1105},"\u003Ch2>Discover hidden SaaS usage\u003C/h2>","\u003Cp>Push captures live browser telemetry across every tab and session. Whether a user signs into a sanctioned app with a personal account or tries a new AI plugin, you’ll see it in real time, with no integrations or manual tagging.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe16e301f9af94665b95d98232a863d8a",{"large":1107},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":1109,"meta":1110,"component":1111,"responsiveStyles":1116},"builder-b36de7fce7994beea9e58d94662e7166",{"previousId":989},{"name":373,"options":1112,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":1113,"description":1114,"reverse":6,"image":1115},"\u003Ch2>Spot risky access and unsafe usage\u003C/h2>","\u003Cp>Discovery is just the beginning. Push flags apps with risky traits, no MFA, no SSO, known vulnerabilities, or broad access scopes. You’ll know which tools introduce real risk, and which users are exposed so you can act with precision.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6585f3c242da4d70ae3cb7d02f481bef",{"large":1117},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":1119,"meta":1120,"component":1121,"responsiveStyles":1126},"builder-dc366b5134684fe7a508edf8913103ea",{"previousId":999},{"name":373,"options":1122,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1123,"description":1124,"reverse":41,"image":1125},"\u003Ch2>Close gaps before they grow\u003C/h2>","\u003Cp>Push turns insight into action. When risky SaaS use is detected, guide users to enable MFA, block high-risk apps, or apply in-browser guardrails automatically. All without deploying new infrastructure or managing dozens of integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe6d60b6d91414819bc6258a318f00557",{"large":1127},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1129,"meta":1130,"component":1131,"responsiveStyles":1133},"builder-8708f6f0d8da4b3f9e17bf16cda70219",{"previousId":1009},{"name":354,"options":1132,"isRSC":118},{"darkMode":6},{"large":1134},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1136,"component":1137,"responsiveStyles":1139},"builder-8ff4b38d60534cf28cb523ab0f754875",{"name":416,"tag":416,"options":1138,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1140},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1142,"@type":106,"tagName":131,"properties":1143,"responsiveStyles":1144},"builder-pixel-d1ul2kmxbed",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":1145},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1147},{"path":37,"query":1148},{},{},1770892936802,1746714967208,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01bfb2304521412fbd2e1a1180904d40",[],{"originalContentId":919,"winningTest":118,"lastPreviewUrl":1155,"breakpoints":1156,"kind":438,"hasLinks":6,"hasAutosaves":6},"https://pushsecurity.com/uc/shadow-saas?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=5f118e24433d46ceb79f5099987156d7&builder.overrides.5f118e24433d46ceb79f5099987156d7=5f118e24433d46ceb79f5099987156d7&builder.overrides.use-case-page:/uc/shadow-saas=5f118e24433d46ceb79f5099987156d7&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":1158,"id":1159,"name":1160,"modelId":261,"published":13,"query":1161,"data":1164,"variations":1268,"lastUpdated":1269,"firstPublished":1270,"testRatio":33,"screenshot":1271,"createdBy":34,"lastUpdatedBy":674,"folders":1272,"meta":1273,"rev":440},1764707470172,"b62629ce2f3741158d961cd10fe74b31","Shadow AI",[1162],{"@type":264,"property":265,"operator":266,"value":1163},"/uc/shadow-ai",{"fontAwesomeIcon":1165,"seoTitle":1166,"jsCode":37,"customFonts":1167,"title":1172,"tsCode":37,"seoDescription":1173,"blocks":1174,"url":1163,"state":1265},"faBrainCircuit","Secure AI native and AI enhanced apps. ",[1168],{"variants":1169,"category":295,"files":1170,"subsets":1171,"family":272,"kind":273,"menu":296,"lastModified":275,"version":274},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"800italic":285,"regular":290,"700italic":287,"200italic":291,"italic":289,"500italic":292,"600italic":294,"300italic":293,"100italic":288,"900italic":286},[298,299],"Secure shadow AI","See and control shadow AI apps in the browser.",[1175,1260],{"@type":106,"@version":107,"tagName":323,"id":1176,"meta":1177,"children":1178},"builder-a6e5717a2c914d5695058e4ee201a05d",{"previousId":1056},[1179,1195,1202,1209,1219,1228,1237,1247,1254],{"@type":106,"@version":107,"id":1180,"meta":1181,"component":1182,"responsiveStyles":1193},"builder-3e0ed678683f4a0eb7aa00253cf263b2",{"previousId":1060},{"name":327,"options":1183,"isRSC":118},{"title":1172,"description":1184,"points":1185,"image":1192},"\u003Cp>Your employees are adopting AI faster than you can track it. From native features in corporate apps to unapproved shadow tools, it’s all happening in the browser. Push detects every AI interaction in real time, letting you categorize apps and enforce acceptable use policies in the browser.\u003C/p>",[1186,1188,1190],{"item":1187},"Map every AI tool used across your workforce",{"item":1189},"Review and classify apps by sensitivity, purpose, and policy status",{"item":1191},"Enforce AI usage rules directly in the browser","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F33cf153d920f4e389f3650253577cff7",{"large":1194},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":1196,"meta":1197,"component":1198,"responsiveStyles":1200},"builder-76968f8471d14893b8189d75b08fb426",{"previousId":1076},{"name":346,"options":1199,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":1201},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":1203,"meta":1204,"component":1205,"responsiveStyles":1207},"builder-b55b9d4bc5a649d8839ce7f6c2043d95",{"previousId":1083},{"name":354,"options":1206,"isRSC":118},{"darkMode":41},{"large":1208},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1210,"meta":1211,"component":1212,"responsiveStyles":1217},"builder-c3f38ef4d75d4989a29b5903175ed8a1",{"previousId":1090},{"name":359,"tag":359,"options":1213,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":1214,"description":1215,"image":1216,"reverse":6},"\u003Ch2>Use your browser to govern AI \u003C/h2>","\u003Cp>The AI footprint inside your company is bigger than you think. From text generators to meeting assistants and design copilots, employees test, adopt, and connect new tools constantly. Push shows you those tools and which users are accessing them, without relying on network scans or API integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F30b43bda6f1644c19478fb1efa20050c",{"large":1218},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1220,"meta":1221,"component":1222,"responsiveStyles":1226},"builder-90ee9cb9afc44e7f885523715bf51a53",{"previousId":1099},{"name":373,"options":1223,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":1224,"description":1225,"reverse":41,"image":1115},"\u003Ch2>Discover every AI tool users touch\u003C/h2>","\u003Cp>Push captures live telemetry from the browser, identifying every AI-native and AI-enhanced application users access. You’ll know which corporate identities are connected, how data flows, and what new AI apps appear across your environment. \u003C/p>",{"large":1227},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":1229,"meta":1230,"component":1231,"responsiveStyles":1235},"builder-9e44539fa53c4d8e87406036c921fc46",{"previousId":1109},{"name":373,"options":1232,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":1233,"description":1234,"reverse":6,"image":1125},"\u003Ch2>Classify and manage AI risk\u003C/h2>","\u003Cp>For apps you choose to allow, Push lets you apply custom in-browser banners. You can bulk-select categories of AI tools and require users to read and acknowledge your acceptable use policy before they proceed. This creates an auditable trail and moves policy from an easy to forget document to an active, in-workflow control.\u003C/p>",{"large":1236},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":1238,"meta":1239,"component":1240,"responsiveStyles":1245},"builder-44c1a891926f4bdeaaa37e90721fe6ac",{"previousId":1119},{"name":373,"options":1241,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1242,"description":1243,"reverse":41,"image":1244},"\u003Ch2>Enforce your AI policy in the browser\u003C/h2>","\u003Cp>When an AI tool is deemed non-compliant or too risky, Push blocks it at the source. The block happens directly in the browser, preventing the user from accessing the site or submitting data. This gives you an immediate, powerful lever to stop data exfiltration and enforce a hard line on unacceptable risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa359ac1805af4e15a8a7f84632b9bb55",{"large":1246},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1248,"meta":1249,"component":1250,"responsiveStyles":1252},"builder-dcc906f9cbe54dc68b3c672668e7a38f",{"previousId":1129},{"name":354,"options":1251,"isRSC":118},{"darkMode":6},{"large":1253},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1255,"component":1256,"responsiveStyles":1258},"builder-d2d64780c31b4349bc75805b23a07e38",{"name":416,"tag":416,"options":1257,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1259},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1261,"@type":106,"tagName":131,"properties":1262,"responsiveStyles":1263},"builder-pixel-wxx9tk70r9p",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":1264},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1266},{"path":37,"query":1267},{},{},1770892957225,1764950077593,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe558b8b069884037a8e6904f7ecc029c",[],{"winningTest":118,"breakpoints":1274,"originalContentId":1039,"kind":438,"lastPreviewUrl":1275,"hasLinks":6,"hasAutosaves":41},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/shadow-ai?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=b62629ce2f3741158d961cd10fe74b31&builder.overrides.b62629ce2f3741158d961cd10fe74b31=b62629ce2f3741158d961cd10fe74b31&builder.overrides.use-case-page:/uc/shadow-ai=b62629ce2f3741158d961cd10fe74b31&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"_path":1277,"_dir":1278,"_draft":6,"_partial":6,"_locale":37,"sys":1279,"ogImage":118,"summary":1282,"title":1296,"subtitle":118,"metaTitle":1297,"synopsis":1298,"hashTags":118,"publishedDate":1299,"slug":1300,"tagsCollection":1301,"authorsCollection":1311,"content":1319,"relatedBlogPostsCollection":2089,"_id":5211,"_type":5212,"_source":5213,"_file":5214,"_stem":5215,"_extension":5212},"/blog/unpacking-the-latest-slh-campaign","blog",{"id":1280,"publishedAt":1281},"44DXq5ZkL9XQV5Fngto0XZ","2026-02-05T14:20:50.440Z",{"json":1283},{"data":1284,"content":1285,"nodeType":1295},{},[1286],{"data":1287,"content":1288,"nodeType":1294},{},[1289],{"data":1290,"marks":1291,"value":1292,"nodeType":1293},{},[],"Analysing the latest Scattered Lapsus$ Hunters (SLH) phishing campaign targeting hundreds of organizations. ","text","paragraph","document","Unpacking the latest SLH campaign — combining vishing with AiTM phishing to hijack SSO accounts","Unpacking the latest SLH phishing campaign","Analysing the latest Scattered Lapsus$ Hunters (SLH) phishing campaign targeting hundreds of organizations.\n","2026-01-28T00:00:00.000Z","unpacking-the-latest-slh-campaign",{"items":1302},[1303,1307],{"sys":1304,"name":1306},{"id":1305},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"sys":1308,"name":1310},{"id":1309},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"items":1312},[1313],{"fullName":1314,"firstName":1315,"jobTitle":1316,"profilePicture":1317},"Dan Green","Dan","Threat Research",{"url":1318},"https://images.ctfassets.net/y1cdw1ablpvd/7jik1VhFgA3kgzXBXTm2Vw/fcd8c171da644903d0827eafcfbcaad0/Dan_Headshot_2025.png",{"json":1320,"links":1955},{"nodeType":1295,"data":1321,"content":1322},{},[1323,1344,1351,1358,1362,1372,1392,1412,1446,1455,1458,1466,1475,1482,1500,1507,1513,1519,1526,1533,1541,1548,1555,1561,1568,1588,1596,1603,1610,1630,1636,1656,1662,1669,1675,1678,1686,1693,1713,1720,1749,1756,1764,1767,1775,1782,1789,1795,1802,1849,1855,1862,1895,1901,1949],{"nodeType":1294,"data":1324,"content":1325},{},[1326,1329,1340],{"nodeType":1293,"value":37,"marks":1327,"data":1328},[],{},{"nodeType":1330,"data":1331,"content":1333},"hyperlink",{"uri":1332},"https://pushsecurity.com/blog/scattered-lapsus-hunters/",[1334],{"nodeType":1293,"value":1335,"marks":1336,"data":1339},"Scattered Lapsus$ Hunters",[1337],{"type":1338},"underline",{},{"nodeType":1293,"value":1341,"marks":1342,"data":1343}," are running a large-scale hybrid vishing plus AiTM phishing campaign across several industry verticals, targeting Okta, Entra, and Google SSO platforms. ",[],{},{"nodeType":1294,"data":1345,"content":1346},{},[1347],{"nodeType":1293,"value":1348,"marks":1349,"data":1350},"The attacks begin with the attacker calling their victim, impersonating IT staff from their company. They offer to help the employee set up passkeys for logging into the enterprise SSO service, tricking the victim into visiting a specially crafted adversary-in-the-middle phishing site that captures their SSO credentials, MFA codes, and ultimately live session access. ",[],{},{"nodeType":1294,"data":1352,"content":1353},{},[1354],{"nodeType":1293,"value":1355,"marks":1356,"data":1357},"Once an account is stolen, the attacker logs in to the SSO dashboard to see which platforms they have access to and then proceeds to steal data from them — with the ultimate goal of extorting victims. ",[],{},{"nodeType":1359,"data":1360,"content":1361},"hr",{},[],{"nodeType":1363,"data":1364,"content":1365},"heading-1",{},[1366],{"nodeType":1293,"value":1367,"marks":1368,"data":1371},"What we know",[1369],{"type":1370},"bold",{},{"nodeType":1294,"data":1373,"content":1374},{},[1375,1379,1388],{"nodeType":1293,"value":1376,"marks":1377,"data":1378},"To date, ",[],{},{"nodeType":1330,"data":1380,"content":1382},{"uri":1381},"https://www.silentpush.com/blog/slsh-alert/",[1383],{"nodeType":1293,"value":1384,"marks":1385,"data":1387},"100+ companies have been targeted",[1386],{"type":1338},{},{"nodeType":1293,"value":1389,"marks":1390,"data":1391},", with infrastructure and domains impersonating their brand to be used in legit-looking campaigns against them. The reality is that the list of targets could be more extensive, and will continue to increase over time. ",[],{},{"nodeType":1294,"data":1393,"content":1394},{},[1395,1399,1408],{"nodeType":1293,"value":1396,"marks":1397,"data":1398},"SLH ",[],{},{"nodeType":1330,"data":1400,"content":1402},{"uri":1401},"https://www.bleepingcomputer.com/news/security/shinyhunters-claim-to-be-behind-sso-account-data-theft-attacks/",[1403],{"nodeType":1293,"value":1404,"marks":1405,"data":1407},"claims to be using data stolen in previous breaches",[1406],{"type":1338},{},{"nodeType":1293,"value":1409,"marks":1410,"data":1411},", such as the widespread Salesforce data theft attacks reported in 2025, to identify and contact employees. This data includes phone numbers, job titles, names, and other details used to make the social engineering calls more convincing.",[],{},{"nodeType":1294,"data":1413,"content":1414},{},[1415,1419,1424,1428,1433,1437,1442],{"nodeType":1293,"value":1416,"marks":1417,"data":1418},"The group recently relaunched its Tor data leak site, which currently lists breaches at ",[],{},{"nodeType":1293,"value":1420,"marks":1421,"data":1423},"Betterment",[1422],{"type":1370},{},{"nodeType":1293,"value":1425,"marks":1426,"data":1427}," (20 million records containing PII), ",[],{},{"nodeType":1293,"value":1429,"marks":1430,"data":1432},"Crunchbase",[1431],{"type":1370},{},{"nodeType":1293,"value":1434,"marks":1435,"data":1436}," (2 million records containing PII), and ",[],{},{"nodeType":1293,"value":1438,"marks":1439,"data":1441},"SoundCloud",[1440],{"type":1370},{},{"nodeType":1293,"value":1443,"marks":1444,"data":1445}," (30 million records containing PII). ",[],{},{"nodeType":1447,"data":1448,"content":1454},"embedded-entry-block",{"target":1449},{"sys":1450},{"id":1451,"type":1452,"linkType":1453},"5scKHYJJleNklGAXNKVc7b","Link","Entry",[],{"nodeType":1359,"data":1456,"content":1457},{},[],{"nodeType":1363,"data":1459,"content":1460},{},[1461],{"nodeType":1293,"value":1462,"marks":1463,"data":1465},"What’s new?",[1464],{"type":1370},{},{"nodeType":1467,"data":1468,"content":1469},"heading-2",{},[1470],{"nodeType":1293,"value":1471,"marks":1472,"data":1474},"The best of both worlds? Vishing + AiTM phishing",[1473],{"type":1370},{},{"nodeType":1294,"data":1476,"content":1477},{},[1478],{"nodeType":1293,"value":1479,"marks":1480,"data":1481},"SLH and threat actors affiliated with “The Com” are no stranger to voice phishing (vishing) or the use of MFA-bypassing Attacker-in-the-Middle (AitM) phishing kits. ",[],{},{"nodeType":1294,"data":1483,"content":1484},{},[1485,1488,1496],{"nodeType":1293,"value":37,"marks":1486,"data":1487},[],{},{"nodeType":1330,"data":1489,"content":1490},{"uri":1332},[1491],{"nodeType":1293,"value":1492,"marks":1493,"data":1495},"SLH and it’s precursor groups",[1494],{"type":1338},{},{"nodeType":1293,"value":1497,"marks":1498,"data":1499}," leveraged vishing to great success in the form of help desk impersonation and password/MFA reset attacks as seen in the high profile Marks & Spencer, Co-Op, and Jaguar Land Rover attacks in 2025, as well as the Caesars and MGM attacks in 2023. MFA-bypassing phishing techniques have also long been a part of their arsenal, from the 2022 0ktapus phishing campaign to more recent use of modern AiTM phishing kits. ",[],{},{"nodeType":1294,"data":1501,"content":1502},{},[1503],{"nodeType":1293,"value":1504,"marks":1505,"data":1506},"But until now, we haven’t seen them used together. ",[],{},{"nodeType":1447,"data":1508,"content":1512},{"target":1509},{"sys":1510},{"id":1511,"type":1452,"linkType":1453},"6poP5VM2ARrEvwKEG42HgK",[],{"nodeType":1447,"data":1514,"content":1518},{"target":1515},{"sys":1516},{"id":1517,"type":1452,"linkType":1453},"1IDsaYD3H5MjvPS4ekcUhU",[],{"nodeType":1294,"data":1520,"content":1521},{},[1522],{"nodeType":1293,"value":1523,"marks":1524,"data":1525},"It makes sense to combine these methods. AiTM phishing kits are flexible, highly customizable, and can be used to target a broad range of apps — including all of the major IdP platforms used for SSO. Vishing on the other hand is proven to increase the effectiveness of social engineering attacks when performed by an effective operator — which SLH are proven to be (helped by predominantly native English speakers making up their membership, along with the use of effective voice phishing tools). ",[],{},{"nodeType":1294,"data":1527,"content":1528},{},[1529],{"nodeType":1293,"value":1530,"marks":1531,"data":1532},"Both vishing and AiTM phishing are identity-first methods that consciously evade traditional security tools and detection controls at the endpoint and network layer. This makes them highly effective in today’s IT environment. ",[],{},{"nodeType":1467,"data":1534,"content":1535},{},[1536],{"nodeType":1293,"value":1537,"marks":1538,"data":1540},"A new kind of operator-driven AiTM kit",[1539],{"type":1370},{},{"nodeType":1294,"data":1542,"content":1543},{},[1544],{"nodeType":1293,"value":1545,"marks":1546,"data":1547},"Another unique part about this campaign is that it uses a “live phishing panel” — i.e. a customizable phishing page controlled by the attacker in real time. This enables attackers to dynamically change what a victim sees on a phishing site while speaking to them on the phone. This allows them to guide victims through each step of the login and MFA authentication process.",[],{},{"nodeType":1294,"data":1549,"content":1550},{},[1551],{"nodeType":1293,"value":1552,"marks":1553,"data":1554},"This is principally to increase the victim’s likelihood of engaging with the phishing page. As you can see in the image below, there are several options that can be presented to the victim — including not just the normal phishing stages of entering credentials and passing MFA checks, but also post-compromise actions (e.g. creating a passkey that would then be controlled by the attacker for persistent access even if an account password is reset). ",[],{},{"nodeType":1447,"data":1556,"content":1560},{"target":1557},{"sys":1558},{"id":1559,"type":1452,"linkType":1453},"73Y2n3tRkGFtfhrA2AVJyv",[],{"nodeType":1294,"data":1562,"content":1563},{},[1564],{"nodeType":1293,"value":1565,"marks":1566,"data":1567},"At the end of the authentication flow, the threat actor can choose to redirect their target to a “support ticket\" closure screen. This allows the threat actor to manually terminate the session once the compromise is complete while providing the targeted user with context that matches the \"IT support\" ruse. This further reduces the likelihood of post-hoc reporting by a suspicious victim.",[],{},{"nodeType":1294,"data":1569,"content":1570},{},[1571,1575,1584],{"nodeType":1293,"value":1572,"marks":1573,"data":1574},"Given that this modular, operator-controlled phishing kit is reportedly available “",[],{},{"nodeType":1330,"data":1576,"content":1578},{"uri":1577},"https://www.okta.com/blog/threat-intelligence/phishing-kits-adapt-to-the-script-of-callers/",[1579],{"nodeType":1293,"value":1580,"marks":1581,"data":1583},"as a service",[1582],{"type":1338},{},{"nodeType":1293,"value":1585,"marks":1586,"data":1587},"” for criminals, we should expect to see much more of this in future. ",[],{},{"nodeType":1467,"data":1589,"content":1590},{},[1591],{"nodeType":1293,"value":1592,"marks":1593,"data":1595},"0ktapus 2.0?",[1594],{"type":1370},{},{"nodeType":1294,"data":1597,"content":1598},{},[1599],{"nodeType":1293,"value":1600,"marks":1601,"data":1602},"As we mentioned earlier, Scattered Spider made their reputation launching phishing attacks against Okta accounts in the 2022 0ktapus campaign. ",[],{},{"nodeType":1294,"data":1604,"content":1605},{},[1606],{"nodeType":1293,"value":1607,"marks":1608,"data":1609},"The vast majority of phishing attacks target IdP accounts because of the widespread access to downstream apps they grant via SSO. ",[],{},{"nodeType":1294,"data":1611,"content":1612},{},[1613,1617,1626],{"nodeType":1293,"value":1614,"marks":1615,"data":1616},"This comes at the same time as ",[],{},{"nodeType":1330,"data":1618,"content":1620},{"uri":1619},"https://www.bleepingcomputer.com/news/security/fake-lastpass-emails-pose-as-password-vault-backup-alerts/",[1621],{"nodeType":1293,"value":1622,"marks":1623,"data":1625},"attackers running campaigns to target LastPass master passwords",[1624],{"type":1338},{},{"nodeType":1293,"value":1627,"marks":1628,"data":1629},". This provides a similar level of access to apps in the form of credentials (and sometimes saved passkeys). ",[],{},{"nodeType":1447,"data":1631,"content":1635},{"target":1632},{"sys":1633},{"id":1634,"type":1452,"linkType":1453},"1vyu5WvdktTnC24TkVFqfs",[],{"nodeType":1294,"data":1637,"content":1638},{},[1639,1643,1652],{"nodeType":1293,"value":1640,"marks":1641,"data":1642},"Not only is this a goldmine for attackers looking to steal data or pivot to other systems to be able to launch further attacks (e.g. pivoting to cloud and on-prem services for ransomware deployment) but it’s a nightmare for incident responders. If an attacker can access an app and create a backdoor login method (AKA. a ",[],{},{"nodeType":1330,"data":1644,"content":1646},{"uri":1645},"https://pushsecurity.com/blog/ghost-logins-when-forgotten-identities-come-back-to-haunt-you/",[1647],{"nodeType":1293,"value":1648,"marks":1649,"data":1651},"ghost login",[1650],{"type":1338},{},{"nodeType":1293,"value":1653,"marks":1654,"data":1655},") it can be very difficult for a security team to identify and clean them up. ",[],{},{"nodeType":1447,"data":1657,"content":1661},{"target":1658},{"sys":1659},{"id":1660,"type":1452,"linkType":1453},"7tILkroPw9w0WLIo1bVV24",[],{"nodeType":1294,"data":1663,"content":1664},{},[1665],{"nodeType":1293,"value":1666,"marks":1667,"data":1668},"Check out the excerpt from one of our recent webinars below for more information. ",[],{},{"nodeType":1447,"data":1670,"content":1674},{"target":1671},{"sys":1672},{"id":1673,"type":1452,"linkType":1453},"5IVkapjwLp1Ys14vXagQRD",[],{"nodeType":1359,"data":1676,"content":1677},{},[],{"nodeType":1363,"data":1679,"content":1680},{},[1681],{"nodeType":1293,"value":1682,"marks":1683,"data":1685},"Impact analysis",[1684],{"type":1370},{},{"nodeType":1294,"data":1687,"content":1688},{},[1689],{"nodeType":1293,"value":1690,"marks":1691,"data":1692},"This combination of methods is likely to increase the success of these malicious campaigns as well as reducing the likelihood of detection. ",[],{},{"nodeType":1294,"data":1694,"content":1695},{},[1696,1700,1709],{"nodeType":1293,"value":1697,"marks":1698,"data":1699},"It’s well documented that modern phishing attacks use a wide and ever-expanding range of ",[],{},{"nodeType":1330,"data":1701,"content":1703},{"uri":1702},"https://pushsecurity.com/blog/phishing-detection-evasion-launch/",[1704],{"nodeType":1293,"value":1705,"marks":1706,"data":1708},"detection evasion techniques",[1707],{"type":1338},{},{"nodeType":1293,"value":1710,"marks":1711,"data":1712}," — from implementing legitimate bot protection technologies to prevent analysis, to only loading pages if the correct parameters are met — such as coming through a specific URL redirect path, and adhering to “normal” browser configs (excluding unusual browser window sizes and the presence of security analysis tools).",[],{},{"nodeType":1294,"data":1714,"content":1715},{},[1716],{"nodeType":1293,"value":1717,"marks":1718,"data":1719},"In this case, the malicious payload will only trigger in the event that the delivery is approved by an operator in real time. This means that anyone attempting to find and proactively block a phishing page based on indicators of known-bad is going to have a tough time finding and flagging them. If you haven’t got a community of security analysts sharing and tagging samples of malicious pages, it makes it really hard to find and block them at scale before they hit a victim. And if these convincing attacks aren’t being reported, they’re even less likely to be investigated. This is what we mean when we say that most phishing attacks today are effectively zero-day. ",[],{},{"nodeType":1294,"data":1721,"content":1722},{},[1723,1727,1732,1736,1745],{"nodeType":1293,"value":1724,"marks":1725,"data":1726},"In this case, it’s worth pointing out that the phone call is essentially the delivery vector for the phishing page. This means there’s no email to intercept and analyse. This isn’t new — ",[],{},{"nodeType":1293,"value":1728,"marks":1729,"data":1731},"non-email vectors now account for more than 1 in 3 phishing attacks intercepted by Push",[1730],{"type":1370},{},{"nodeType":1293,"value":1733,"marks":1734,"data":1735},", ",[],{},{"nodeType":1330,"data":1737,"content":1739},{"uri":1738},"https://pushsecurity.com/blog/2025-top-phishing-trends/",[1740],{"nodeType":1293,"value":1741,"marks":1742,"data":1744},"LinkedIn and Google Search being the top culprits",[1743],{"type":1338},{},{"nodeType":1293,"value":1746,"marks":1747,"data":1748},". This effectively cuts out the primary phishing detection surface for most organizations.",[],{},{"nodeType":1294,"data":1750,"content":1751},{},[1752],{"nodeType":1293,"value":1753,"marks":1754,"data":1755},"All this means that unless you’re able to detect and block these attacks in real time, organizations will find themselves unable to counter this evolving threat. ",[],{},{"nodeType":1294,"data":1757,"content":1758},{},[1759],{"nodeType":1293,"value":1760,"marks":1761,"data":1763},"The best/only way to do that is to be in the browser. ",[1762],{"type":1370},{},{"nodeType":1359,"data":1765,"content":1766},{},[],{"nodeType":1363,"data":1768,"content":1769},{},[1770],{"nodeType":1293,"value":1771,"marks":1772,"data":1774},"How Push stops the attack",[1773],{"type":1370},{},{"nodeType":1294,"data":1776,"content":1777},{},[1778],{"nodeType":1293,"value":1779,"marks":1780,"data":1781},"As a browser-based detection and response tool, Push is perfectly positioned to detect and block attacks like this in real-time. ",[],{},{"nodeType":1294,"data":1783,"content":1784},{},[1785],{"nodeType":1293,"value":1786,"marks":1787,"data":1788},"Push harnesses deep browser telemetry to detect and block phishing based on behaviors, not static indicators. By analyzing how phishing pages behave and how users interact with them, Push uncovers fake pages, attempted credential theft, and phishing kits the moment they load in the browser — regardless of the delivery mechanism, and even when the attack has never been seen before. ",[],{},{"nodeType":1447,"data":1790,"content":1794},{"target":1791},{"sys":1792},{"id":1793,"type":1452,"linkType":1453},"2TAKFM1rpETq4KtTY3FPIs",[],{"nodeType":1294,"data":1796,"content":1797},{},[1798],{"nodeType":1293,"value":1799,"marks":1800,"data":1801},"Push's browser-based controls include:",[],{},{"nodeType":1803,"data":1804,"content":1805},"unordered-list",{},[1806,1828],{"nodeType":1807,"data":1808,"content":1809},"list-item",{},[1810],{"nodeType":1294,"data":1811,"content":1812},{},[1813,1816,1824],{"nodeType":1293,"value":37,"marks":1814,"data":1815},[],{},{"nodeType":1330,"data":1817,"content":1819},{"uri":1818},"https://pushsecurity.com/blog/introducing-sso-password-protection/",[1820],{"nodeType":1293,"value":1821,"marks":1822,"data":1823},"Fingerprinting high-risk app passwords",[],{},{"nodeType":1293,"value":1825,"marks":1826,"data":1827}," so they can only be used on a specific domain. Any attempt to reuse this password elsewhere (such as on a phishing site) results in the attempt being blocked. ",[],{},{"nodeType":1807,"data":1829,"content":1830},{},[1831],{"nodeType":1294,"data":1832,"content":1833},{},[1834,1837,1845],{"nodeType":1293,"value":37,"marks":1835,"data":1836},[],{},{"nodeType":1330,"data":1838,"content":1840},{"uri":1839},"https://pushsecurity.com/blog/detecting-and-blocking-phishing-attacks-in-the-browser/",[1841],{"nodeType":1293,"value":1842,"marks":1843,"data":1844},"Multiple browser-based checks",[],{},{"nodeType":1293,"value":1846,"marks":1847,"data":1848}," looking for indicators of bad, such as cloned elements from legitimate websites, and an ever-growing number of detections relating to phishing kit behaviors and attributes as they are rendered on a page. ",[],{},{"nodeType":1447,"data":1850,"content":1854},{"target":1851},{"sys":1852},{"id":1853,"type":1452,"linkType":1453},"4ESxxjTjNwNXGEW4DBcMVV",[],{"nodeType":1294,"data":1856,"content":1857},{},[1858],{"nodeType":1293,"value":1859,"marks":1860,"data":1861},"Because Push observes every login made in the browser, you can also use Push to find identities susceptible to phishing attacks, such as those not using phishing-resistant authentication methods (e.g. passkeys), to proactively improve your account hygiene and reduce your attack surface. ",[],{},{"nodeType":1294,"data":1863,"content":1864},{},[1865,1869,1878,1882,1891],{"nodeType":1293,"value":1866,"marks":1867,"data":1868},"Finally, you can also use our ",[],{},{"nodeType":1330,"data":1870,"content":1872},{"uri":1871},"https://pushsecurity.com/blog/employee-identity-verification-codes-release/",[1873],{"nodeType":1293,"value":1874,"marks":1875,"data":1877},"employee verification codes",[1876],{"type":1338},{},{"nodeType":1293,"value":1879,"marks":1880,"data":1881}," feature as part of a layered defense — a simple, browser-based identity check that gives your employees a reliable way to confirm they’re talking to another employee from your organization. It enables employees to quickly verify that a caller is who they say they are by relaying a rotating 6-digit verification code displayed in every employee's browser via the Push extension. This is an effective way of combating ",[],{},{"nodeType":1330,"data":1883,"content":1885},{"uri":1884},"https://pushsecurity.com/blog/scattered-spider-defending-against-help-desk-scams/",[1886],{"nodeType":1293,"value":1887,"marks":1888,"data":1890},"help desk scams",[1889],{"type":1338},{},{"nodeType":1293,"value":1892,"marks":1893,"data":1894}," too — another favorite of SLH. ",[],{},{"nodeType":1447,"data":1896,"content":1900},{"target":1897},{"sys":1898},{"id":1899,"type":1452,"linkType":1453},"1TEpCjh8UGwmejgYSGC1by",[],{"nodeType":1902,"data":1903,"content":1904},"blockquote",{},[1905],{"nodeType":1294,"data":1906,"content":1907},{},[1908,1912,1921,1924,1932,1936,1945],{"nodeType":1293,"value":1909,"marks":1910,"data":1911},"Want to learn more about Push? ",[],{},{"nodeType":1330,"data":1913,"content":1915},{"uri":1914},"https://pushsecurity.com/resources/product-brochure",[1916],{"nodeType":1293,"value":1917,"marks":1918,"data":1920},"Check out our latest product overview",[1919],{"type":1338},{},{"nodeType":1293,"value":1733,"marks":1922,"data":1923},[],{},{"nodeType":1330,"data":1925,"content":1927},{"uri":1926},"https://pushsecurity.com/product-demo/",[1928],{"nodeType":1293,"value":1929,"marks":1930,"data":1931},"visit our demo library",[],{},{"nodeType":1293,"value":1933,"marks":1934,"data":1935},", or ",[],{},{"nodeType":1330,"data":1937,"content":1939},{"uri":1938},"https://pushsecurity.com/demo",[1940],{"nodeType":1293,"value":1941,"marks":1942,"data":1944},"book some time with one of our team for a live demo",[1943],{"type":1338},{},{"nodeType":1293,"value":1946,"marks":1947,"data":1948},".",[],{},{"nodeType":1294,"data":1950,"content":1951},{},[1952],{"nodeType":1293,"value":37,"marks":1953,"data":1954},[],{},{"entries":1956},{"hyperlink":1957,"inline":1958,"block":1959},[],[],[1960,1969,1976,2002,2010,2017,2042,2048,2075,2081],{"sys":1961,"__typename":1962,"title":1963,"caption":1964,"layoutMode":118,"file":1965},{"id":1451},"Image","SLH TOR leak site with claimed victims.","SLH Tor leak site with claimed victims.",{"url":1966,"width":1967,"height":1968},"https://images.ctfassets.net/y1cdw1ablpvd/PoWJBZ3uyl94usKVv3zgr/ed5aefc88cf39fe354755c7b145564bf/image4.png",1284,588,{"sys":1970,"__typename":1962,"title":1971,"caption":1971,"layoutMode":118,"file":1972},{"id":1511},"Big picture view of Scattered Lapsus$ Hunters breaches since 2021.",{"url":1973,"width":1974,"height":1975},"https://images.ctfassets.net/y1cdw1ablpvd/415gvGUy6Ywr2zofY8Phpk/dc9a8461ef07c041fef4a7fb39d0a25b/Screenshot_2026-02-25_at_09.50.56.png",3414,1852,{"sys":1977,"__typename":1978,"content":1979,"name":2001,"title":118},{"id":1517},"InsightTextBlockComponent",{"json":1980},{"data":1981,"content":1982,"nodeType":1295},{},[1983],{"data":1984,"content":1985,"nodeType":1294},{},[1986,1990,1998],{"data":1987,"marks":1988,"value":1989,"nodeType":1293},{},[],"Get the background on Scattered Lapsus$ Hunters, and how they relate to Scattered Spider, Lapsus$, ShinyHunters, and other Com-affiliated groups in our recent deep dive, unpacking related breaches dating back to 2021 ",{"data":1991,"content":1992,"nodeType":1330},{"uri":1332},[1993],{"data":1994,"marks":1995,"value":1997,"nodeType":1293},{},[1996],{"type":1338},"in our recent blog post",{"data":1999,"marks":2000,"value":1946,"nodeType":1293},{},[],"SLH campaign insight box 1",{"sys":2003,"__typename":1962,"title":2004,"caption":2005,"layoutMode":118,"file":2006},{"id":1559},"What the operator sees in their phishing dashboard.","Phishing dashboard view provided by Okta Threat Intelligence.",{"url":2007,"width":2008,"height":2009},"https://images.ctfassets.net/y1cdw1ablpvd/3IvcYr8sCMsCbhnzG9OzJA/35e3bdcf6dcddb3c431600afe490fe7e/image5.png",1600,558,{"sys":2011,"__typename":1962,"title":2012,"caption":2012,"layoutMode":118,"file":2013},{"id":1634},"SSO panel examples in Entra and Okta.",{"url":2014,"width":2015,"height":2016},"https://images.ctfassets.net/y1cdw1ablpvd/31RIcvGgLz2fmHBYsZyEV5/4326e200aa8ba9879257c2f9b643cf08/image1.png",1999,680,{"sys":2018,"__typename":1978,"content":2019,"name":2041,"title":118},{"id":1660},{"json":2020},{"data":2021,"content":2022,"nodeType":1295},{},[2023],{"data":2024,"content":2025,"nodeType":1294},{},[2026,2029,2037],{"data":2027,"marks":2028,"value":37,"nodeType":1293},{},[],{"data":2030,"content":2032,"nodeType":1330},{"uri":2031},"https://cloud.google.com/blog/topics/threat-intelligence/expansion-shinyhunters-saas-data-theft",[2033],{"data":2034,"marks":2035,"value":2036,"nodeType":1293},{},[],"Mandiant has reported",{"data":2038,"marks":2039,"value":2040,"nodeType":1293},{},[]," how the attacker opportunistically pivots across accessible SaaS platforms (SharePoint, Salesforce, DocuSign, Slack), hunting for specific strings like “poc,” “confidential,” “salesforce,” and “vpn.” Notable tradecraft includes using ToogleBox Recall to delete MFA enrollment notifications from victims’ inboxes and leveraging PowerShell to bulk-download SharePoint content routed through commercial VPN services like Mullvad, Oxylabs, and NetNut. Check out their blog post for some example SaaS activity logs that can be used to investigate a potential compromise. ","SLH V2 insight box 1",{"sys":2043,"__typename":2044,"title":2045,"arcadeDemoUrl":2046,"playText":2047},{"id":1673},"ArcadeDemo","SSO Exploitation Demo","https://demo.arcade.software/pwGUZuoRdTLzfbWGZUDJ?embed","2 mins",{"sys":2049,"__typename":1978,"content":2050,"name":2074,"title":118},{"id":1793},{"json":2051},{"data":2052,"content":2053,"nodeType":1295},{},[2054],{"data":2055,"content":2056,"nodeType":1294},{},[2057,2061,2070],{"data":2058,"marks":2059,"value":2060,"nodeType":1293},{},[],"This even includes brand new techniques that have never been seen in the wild — such as ",{"data":2062,"content":2064,"nodeType":1330},{"uri":2063},"https://pushsecurity.com/blog/consentfix-debrief/",[2065],{"data":2066,"marks":2067,"value":2069,"nodeType":1293},{},[2068],{"type":1338},"ConsentFix",{"data":2071,"marks":2072,"value":2073,"nodeType":1293},{},[],", which we blocked the first time it was seen targeting our customers, before even realizing it was a new kind of attack.","SLH campaign insight box 2",{"sys":2076,"__typename":1962,"title":2077,"caption":2077,"layoutMode":118,"file":2078},{"id":1853},"Push blocks phishing pages using real-time, in-browser analysis — shutting the attack down before a compromise happens. ",{"url":2079,"width":2015,"height":2080},"https://images.ctfassets.net/y1cdw1ablpvd/6InFhVkJJOPhsojQoub04K/b43e32cfa0bdc423dc993e930ebe1ae2/image1.png",1125,{"sys":2082,"__typename":1962,"title":2083,"caption":2084,"layoutMode":118,"file":2085},{"id":1899},"Employee Verification Codes","Push provides a lightweight verification feature in every user’s browser — no additional apps or devices required.",{"url":2086,"width":2087,"height":2088},"https://images.ctfassets.net/y1cdw1ablpvd/41X6fkPJgqf14vO3O14TF3/e0cecdbdfaee1353f15ff77ecb6a55a8/Employee_verification_codes.png",2088,1240,{"items":2090},[2091,2925,4252],{"__typename":2092,"sys":2093,"content":2095,"title":2911,"synopsis":2912,"hashTags":118,"publishedDate":2913,"slug":2914,"tagsCollection":2915,"authorsCollection":2921},"BlogPosts",{"id":2094},"4jcVFrvGBtVXpKU3gDMaa2",{"json":2096},{"nodeType":1295,"data":2097,"content":2098},{},[2099,2118,2125,2131,2189,2196,2203,2206,2214,2221,2228,2285,2293,2300,2323,2330,2333,2341,2348,2355,2362,2369,2376,2383,2389,2397,2404,2423,2443,2446,2454,2461,2468,2475,2483,2502,2509,2515,2523,2543,2563,2676,2679,2687,2694,2701,2704,2712,2719,2726,2733,2800,2831,2834,2842,2849,2856,2863,2870,2899,2905],{"nodeType":1294,"data":2100,"content":2101},{},[2102,2106,2114],{"nodeType":1293,"value":2103,"marks":2104,"data":2105},"In December, the Push Security research team discovered and blocked a brand new attack technique that we coined ",[],{},{"nodeType":1330,"data":2107,"content":2109},{"uri":2108},"https://pushsecurity.com/blog/consentfix/",[2110],{"nodeType":1293,"value":2069,"marks":2111,"data":2113},[2112],{"type":1338},{},{"nodeType":1293,"value":2115,"marks":2116,"data":2117},". This technique merged ClickFix-style social engineering with OAuth consent phishing to hijack Microsoft accounts. ",[],{},{"nodeType":1294,"data":2119,"content":2120},{},[2121],{"nodeType":1293,"value":2122,"marks":2123,"data":2124},"We saw this attack running across a large network of compromised websites that attackers were injecting the malicious payload into, forming a large-scale campaign that was detected across multiple customer estates. ",[],{},{"nodeType":1447,"data":2126,"content":2130},{"target":2127},{"sys":2128},{"id":2129,"type":1452,"linkType":1453},"603MWDqc9NsqkklIkfGNZN",[],{"nodeType":1294,"data":2132,"content":2133},{},[2134,2138,2147,2151,2160,2163,2172,2176,2185],{"nodeType":1293,"value":2135,"marks":2136,"data":2137},"ConsentFix got a pretty awesome response from the community in a very short space of time. Within days, ",[],{},{"nodeType":1330,"data":2139,"content":2141},{"uri":2140},"https://www.youtube.com/watch?v=AAiiIY-Soak",[2142],{"nodeType":1293,"value":2143,"marks":2144,"data":2146},"John Hammond shared a new and improved version of the technique",[2145],{"type":1338},{},{"nodeType":1293,"value":2148,"marks":2149,"data":2150}," that he’d spun up in his own lab, while security researchers from ",[],{},{"nodeType":1330,"data":2152,"content":2154},{"uri":2153},"https://medium.com/@nitashathakur/consentfix-poc-how-the-attack-works-end-to-end-4f8b656f977d",[2155],{"nodeType":1293,"value":2156,"marks":2157,"data":2159},"Microsoft",[2158],{"type":1338},{},{"nodeType":1293,"value":1733,"marks":2161,"data":2162},[],{},{"nodeType":1330,"data":2164,"content":2166},{"uri":2165},"https://www.glueckkanja.com/en/posts/2025-12-31-vulnerability-consentfix",[2167],{"nodeType":1293,"value":2168,"marks":2169,"data":2171},"Glueck Kanja",[2170],{"type":1338},{},{"nodeType":1293,"value":2173,"marks":2174,"data":2175},", and ",[],{},{"nodeType":1330,"data":2177,"content":2179},{"uri":2178},"https://msendpointmgr.com/2026/01/08/consentfix-quickfix/",[2180],{"nodeType":1293,"value":2181,"marks":2182,"data":2184},"other individual contributors",[2183],{"type":1338},{},{"nodeType":1293,"value":2186,"marks":2187,"data":2188}," all shared analysis and recommendations. ",[],{},{"nodeType":1294,"data":2190,"content":2191},{},[2192],{"nodeType":1293,"value":2193,"marks":2194,"data":2195},"In this blog, we’re sharing some new insights on the campaign, pulling together some of the top recommendations and resources shared across the community, and predicting what the future holds for this novel technique as it quickly enters the mainstream. ",[],{},{"nodeType":1294,"data":2197,"content":2198},{},[2199],{"nodeType":1293,"value":2200,"marks":2201,"data":2202},"First though, let’s quickly recap what ConsentFix is and how it works. ",[],{},{"nodeType":1359,"data":2204,"content":2205},{},[],{"nodeType":1363,"data":2207,"content":2208},{},[2209],{"nodeType":1293,"value":2210,"marks":2211,"data":2213},"ConsentFix 101",[2212],{"type":1370},{},{"nodeType":1294,"data":2215,"content":2216},{},[2217],{"nodeType":1293,"value":2218,"marks":2219,"data":2220},"ConsentFix is an attack technique that prompts the victim to share an OAuth authorization code with an attacker via a phishing page. The attacker then enters this code into a target application on their own device in order to complete the authorization handshake and take over the account. ",[],{},{"nodeType":1294,"data":2222,"content":2223},{},[2224],{"nodeType":1293,"value":2225,"marks":2226,"data":2227},"By hijacking OAuth, attackers can effectively bypass identity-layer controls like passwords and MFA — even phishing resistant authentication methods like passkeys have no impact on this attack, because it sidesteps the authentication process altogether. ",[],{},{"nodeType":1294,"data":2229,"content":2230},{},[2231,2235,2244,2248,2257,2261,2270,2274,2282],{"nodeType":1293,"value":2232,"marks":2233,"data":2234},"OAuth abuse attacks are not new. Techniques like ",[],{},{"nodeType":1330,"data":2236,"content":2238},{"uri":2237},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/consent_phishing/description.md",[2239],{"nodeType":1293,"value":2240,"marks":2241,"data":2243},"consent phishing",[2242],{"type":1338},{},{"nodeType":1293,"value":2245,"marks":2246,"data":2247}," and ",[],{},{"nodeType":1330,"data":2249,"content":2251},{"uri":2250},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/device_code_phishing/description.md",[2252],{"nodeType":1293,"value":2253,"marks":2254,"data":2256},"device code phishing",[2255],{"type":1338},{},{"nodeType":1293,"value":2258,"marks":2259,"data":2260}," have been around for some time. However, these mainly focus on connecting your primary workspace account (e.g. Microsoft, Google, etc.) to a fraudulent, attacker-controlled application. But this is becoming increasingly difficult in core enterprise cloud environments like Azure due to ",[],{},{"nodeType":1330,"data":2262,"content":2264},{"uri":2263},"https://learn.microsoft.com/en-us/microsoft-365/admin/misc/user-consent?view=o365-worldwide",[2265],{"nodeType":1293,"value":2266,"marks":2267,"data":2269},"stricter default configs",[2268],{"type":1338},{},{"nodeType":1293,"value":2271,"marks":2272,"data":2273},". That said, device code phishing still featured prominently in the recent ",[],{},{"nodeType":1330,"data":2275,"content":2276},{"uri":1332},[2277],{"nodeType":1293,"value":2278,"marks":2279,"data":2281},"high-profile Salesforce attacks in 2025",[2280],{"type":1338},{},{"nodeType":1293,"value":1946,"marks":2283,"data":2284},[],{},{"nodeType":1467,"data":2286,"content":2287},{},[2288],{"nodeType":1293,"value":2289,"marks":2290,"data":2292},"What makes ConsentFix so dangerous?",[2291],{"type":1370},{},{"nodeType":1294,"data":2294,"content":2295},{},[2296],{"nodeType":1293,"value":2297,"marks":2298,"data":2299},"Unlike typical OAuth attacks, the novel ConsentFix approach enabled the attacker to target different types of application to what they usually go after — with big implications for detection and response. In this case, the attacker:",[],{},{"nodeType":1803,"data":2301,"content":2302},{},[2303,2313],{"nodeType":1807,"data":2304,"content":2305},{},[2306],{"nodeType":1294,"data":2307,"content":2308},{},[2309],{"nodeType":1293,"value":2310,"marks":2311,"data":2312},"Specifically targeted first-party Microsoft apps that cannot be restricted in the same way as third-party applications, and are pre-consented in every tenant (meaning users can authenticate to them without admin approval). ",[],{},{"nodeType":1807,"data":2314,"content":2315},{},[2316],{"nodeType":1294,"data":2317,"content":2318},{},[2319],{"nodeType":1293,"value":2320,"marks":2321,"data":2322},"Leveraged legacy scopes that are outside the scope of default logging to evade detection, and targeted scopes with known Conditional Access policy exclusions.",[],{},{"nodeType":1294,"data":2324,"content":2325},{},[2326],{"nodeType":1293,"value":2327,"marks":2328,"data":2329},"This means that default controls you’d expect to block malicious OAuth grants don’t apply, you may not have logging enabled to detect it if it did happen to you, and to top it off, conditional access policy exclusions mean that many organizations’ expected controls don’t work as intended in this case. ",[],{},{"nodeType":1359,"data":2331,"content":2332},{},[],{"nodeType":1363,"data":2334,"content":2335},{},[2336],{"nodeType":1293,"value":2337,"marks":2338,"data":2340},"ConsentFix campaign recap",[2339],{"type":1370},{},{"nodeType":1294,"data":2342,"content":2343},{},[2344],{"nodeType":1293,"value":2345,"marks":2346,"data":2347},"Let’s quickly recap how the ConsentFix campaign was implemented. ",[],{},{"nodeType":1294,"data":2349,"content":2350},{},[2351],{"nodeType":1293,"value":2352,"marks":2353,"data":2354},"The victim is served a page which requires that they verify that they are human by pasting a URL into the phishing page.",[],{},{"nodeType":1294,"data":2356,"content":2357},{},[2358],{"nodeType":1293,"value":2359,"marks":2360,"data":2361},"Clicking the “Sign In” button opens a legitimate Microsoft login page. If the user is already logged in (which they likely are if working in their normal browser) their account information is already pre-populated and they won’t need to authenticate again. ",[],{},{"nodeType":1294,"data":2363,"content":2364},{},[2365],{"nodeType":1293,"value":2366,"marks":2367,"data":2368},"Selecting their account redirects them to a localhost URL containing an OAuth authorization code — this is what they then post into the original phishing page to complete the attack. ",[],{},{"nodeType":1294,"data":2370,"content":2371},{},[2372],{"nodeType":1293,"value":2373,"marks":2374,"data":2375},"Once the attacker gets the URL, they can exchange it for an access token or refresh token for the particular application being targeted — in this case, Azure CLI.",[],{},{"nodeType":1294,"data":2377,"content":2378},{},[2379],{"nodeType":1293,"value":2380,"marks":2381,"data":2382},"The TL;DR is that the attacker is manually completing an authorization flow that happens when a user logs into Azure CLI — a a command line client that provides you with the ability to easily manage your Azure AD / Entra ID environment. Except in this case, they’re taking the victim’s information to log in on the attacker’s device instead. ",[],{},{"nodeType":1447,"data":2384,"content":2388},{"target":2385},{"sys":2386},{"id":2387,"type":1452,"linkType":1453},"1eZOs7hXi9FzCE92QEP6xh",[],{"nodeType":1467,"data":2390,"content":2391},{},[2392],{"nodeType":1293,"value":2393,"marks":2394,"data":2396},"Latest campaign details",[2395],{"type":1370},{},{"nodeType":1294,"data":2398,"content":2399},{},[2400],{"nodeType":1293,"value":2401,"marks":2402,"data":2403},"Since we shared our blog post, we’ve had a number of additional details come to light about the campaign, which we’ve continued to track. ",[],{},{"nodeType":1294,"data":2405,"content":2406},{},[2407,2411,2419],{"nodeType":1293,"value":2408,"marks":2409,"data":2410},"It appears to be linked to Russian state-affiliated APT29, as corroborated by threat researchers we’ve been collaborating with. This is consistent with the ",[],{},{"nodeType":1330,"data":2412,"content":2413},{"uri":2108},[2414],{"nodeType":1293,"value":2415,"marks":2416,"data":2418},"stealthy tactics we observed",[2417],{"type":1338},{},{"nodeType":1293,"value":2420,"marks":2421,"data":2422},", which go far beyond the run-of-the-mill detection evasion techniques we see used in criminal phishing campaigns. ",[],{},{"nodeType":1294,"data":2424,"content":2425},{},[2426,2430,2439],{"nodeType":1293,"value":2427,"marks":2428,"data":2429},"It shares many similarities with, and appears to be an evolution of, ",[],{},{"nodeType":1330,"data":2431,"content":2433},{"uri":2432},"https://www.volexity.com/blog/2025/12/04/dangerous-invitations-russian-threat-actor-spoofs-european-security-events-in-targeted-phishing-attacks/",[2434],{"nodeType":1293,"value":2435,"marks":2436,"data":2438},"this Russia-affiliated campaign identified by Volexity",[2437],{"type":1338},{},{"nodeType":1293,"value":2440,"marks":2441,"data":2442}," that featured a manual version of the attack — where they victim was social engineered via email into opening the Microsoft URL, copying the localhost response, and sending it back to the attacker via email. ",[],{},{"nodeType":1359,"data":2444,"content":2445},{},[],{"nodeType":1363,"data":2447,"content":2448},{},[2449],{"nodeType":1293,"value":2450,"marks":2451,"data":2453},"Top contributions from the community",[2452],{"type":1370},{},{"nodeType":1294,"data":2455,"content":2456},{},[2457],{"nodeType":1293,"value":2458,"marks":2459,"data":2460},"As we mentioned earlier, the community response to ConsentFix has been incredible. ",[],{},{"nodeType":1294,"data":2462,"content":2463},{},[2464],{"nodeType":1293,"value":2465,"marks":2466,"data":2467},"As ever, you get a lot of vendors covering the attack technique with “install our product” as the recommendation. This is to be expected, but it’s misleading when some of these vendors are pushing EDR products that would have absolutely no way of detecting or blocking the attack. ",[],{},{"nodeType":1294,"data":2469,"content":2470},{},[2471],{"nodeType":1293,"value":2472,"marks":2473,"data":2474},"But cutting through the marketing, a lot of really great resources and recommendations were shared. ",[],{},{"nodeType":1467,"data":2476,"content":2477},{},[2478],{"nodeType":1293,"value":2479,"marks":2480,"data":2482},"V2.0 released by John Hammond",[2481],{"type":1370},{},{"nodeType":1294,"data":2484,"content":2485},{},[2486,2490,2498],{"nodeType":1293,"value":2487,"marks":2488,"data":2489},"Within days, John Hammond ",[],{},{"nodeType":1330,"data":2491,"content":2492},{"uri":2140},[2493],{"nodeType":1293,"value":2494,"marks":2495,"data":2497},"posted about ConsentFix on his Youtube channel",[2496],{"type":1338},{},{"nodeType":1293,"value":2499,"marks":2500,"data":2501},", where he showed off a slick improvement on the ConsentFix implementation used by attackers. In his version, the URL containing the Microsoft authorization code was generated in a pop-up browser window that could simply be drag-and-dropped into the phishing page. ",[],{},{"nodeType":1294,"data":2503,"content":2504},{},[2505],{"nodeType":1293,"value":2506,"marks":2507,"data":2508},"This implementation is way smoother, making it much more likely that a victim would fall for it. And this took a matter of days… ",[],{},{"nodeType":1447,"data":2510,"content":2514},{"target":2511},{"sys":2512},{"id":2513,"type":1452,"linkType":1453},"59tfJDRhGThKD48Wjg7uY2",[],{"nodeType":1467,"data":2516,"content":2517},{},[2518],{"nodeType":1293,"value":2519,"marks":2520,"data":2522},"Additional vulnerable first-party apps identified",[2521],{"type":1370},{},{"nodeType":1294,"data":2524,"content":2525},{},[2526,2530,2539],{"nodeType":1293,"value":2527,"marks":2528,"data":2529},"Fabian Bader and Dirk-jan Mollema from Glueck Kanja have ",[],{},{"nodeType":1330,"data":2531,"content":2533},{"uri":2532},"https://entrascopes.com/?bypass=true&authcodeFix=true",[2534],{"nodeType":1293,"value":2535,"marks":2536,"data":2538},"shared a great resource",[2537],{"type":1338},{},{"nodeType":1293,"value":2540,"marks":2541,"data":2542}," on wider first-party apps that are vulnerable to ConsentFix. ",[],{},{"nodeType":1294,"data":2544,"content":2545},{},[2546,2550,2559],{"nodeType":1293,"value":2547,"marks":2548,"data":2549},"In total, there are 11 apps vulnerable to ConsentFix that also have known ",[],{},{"nodeType":1330,"data":2551,"content":2553},{"uri":2552},"https://cloudbrothers.info/conditional-access-bypasses/#documented-bypasses",[2554],{"nodeType":1293,"value":2555,"marks":2556,"data":2558},"Conditional Access exclusions",[2557],{"type":1338},{},{"nodeType":1293,"value":2560,"marks":2561,"data":2562}," (either for the app generally, or when specific scopes are requested for the app):",[],{},{"nodeType":1803,"data":2564,"content":2565},{},[2566,2576,2586,2596,2606,2616,2626,2636,2646,2656,2666],{"nodeType":1807,"data":2567,"content":2568},{},[2569],{"nodeType":1294,"data":2570,"content":2571},{},[2572],{"nodeType":1293,"value":2573,"marks":2574,"data":2575},"Microsoft Azure CLI: 04b07795-8ddb-461a-bbee-02f9e1bf7b46",[],{},{"nodeType":1807,"data":2577,"content":2578},{},[2579],{"nodeType":1294,"data":2580,"content":2581},{},[2582],{"nodeType":1293,"value":2583,"marks":2584,"data":2585},"Microsoft Azure PowerShell: 1950a258-227b-4e31-a9cf-717495945fc2",[],{},{"nodeType":1807,"data":2587,"content":2588},{},[2589],{"nodeType":1294,"data":2590,"content":2591},{},[2592],{"nodeType":1293,"value":2593,"marks":2594,"data":2595},"Microsoft Teams: 1fec8e78-bce4-4aaf-ab1b-5451cc387264",[],{},{"nodeType":1807,"data":2597,"content":2598},{},[2599],{"nodeType":1294,"data":2600,"content":2601},{},[2602],{"nodeType":1293,"value":2603,"marks":2604,"data":2605},"Microsoft Whiteboard Client: 57336123-6e14-4acc-8dcf-287b6088aa28",[],{},{"nodeType":1807,"data":2607,"content":2608},{},[2609],{"nodeType":1294,"data":2610,"content":2611},{},[2612],{"nodeType":1293,"value":2613,"marks":2614,"data":2615},"Microsoft Flow Mobile PROD-GCCH-CN: 57fcbcfa-7cee-4eb1-8b25-12d2030b4ee0",[],{},{"nodeType":1807,"data":2617,"content":2618},{},[2619],{"nodeType":1294,"data":2620,"content":2621},{},[2622],{"nodeType":1293,"value":2623,"marks":2624,"data":2625},"Enterprise Roaming and Backup: 60c8bde5-3167-4f92-8fdb-059f6176dc0",[],{},{"nodeType":1807,"data":2627,"content":2628},{},[2629],{"nodeType":1294,"data":2630,"content":2631},{},[2632],{"nodeType":1293,"value":2633,"marks":2634,"data":2635},"Visual Studio: 872cd9fa-d31f-45e0-9eab-6e460a02d1f1",[],{},{"nodeType":1807,"data":2637,"content":2638},{},[2639],{"nodeType":1294,"data":2640,"content":2641},{},[2642],{"nodeType":1293,"value":2643,"marks":2644,"data":2645},"Aadrm Admin Powershell: 90f610bf-206d-4950-b61d-37fa6fd1b224",[],{},{"nodeType":1807,"data":2647,"content":2648},{},[2649],{"nodeType":1294,"data":2650,"content":2651},{},[2652],{"nodeType":1293,"value":2653,"marks":2654,"data":2655},"Microsoft SharePoint Online Management Shell: 9bc3ab49-b65d-410a-85ad-de819febfddc",[],{},{"nodeType":1807,"data":2657,"content":2658},{},[2659],{"nodeType":1294,"data":2660,"content":2661},{},[2662],{"nodeType":1293,"value":2663,"marks":2664,"data":2665},"Microsoft Power Query for Excel: a672d62c-fc7b-4e81-a576-e60dc46e951d",[],{},{"nodeType":1807,"data":2667,"content":2668},{},[2669],{"nodeType":1294,"data":2670,"content":2671},{},[2672],{"nodeType":1293,"value":2673,"marks":2674,"data":2675},"Visual Studio Code: aebc6443-996d-45c2-90f0-388ff96faa56",[],{},{"nodeType":1359,"data":2677,"content":2678},{},[],{"nodeType":1363,"data":2680,"content":2681},{},[2682],{"nodeType":1293,"value":2683,"marks":2684,"data":2686},"Predictions for ConsentFix",[2685],{"type":1370},{},{"nodeType":1294,"data":2688,"content":2689},{},[2690],{"nodeType":1293,"value":2691,"marks":2692,"data":2693},"Based on the speed at which new iterations on the ConsentFix technique were shared by security researchers, and the breadth of apps and possible scopes that can be leveraged, both red teams and criminals will inevitably adopt ConsentFix into their arsenal of TTPs in the near future. It is likely that new ConsentFix variants will emerge imminently (if not already in circulation). ",[],{},{"nodeType":1294,"data":2695,"content":2696},{},[2697],{"nodeType":1293,"value":2698,"marks":2699,"data":2700},"All security teams responsible for protecting Microsoft environments should ensure that monitoring controls and mitigations are put in place as a matter of high priority. ",[],{},{"nodeType":1359,"data":2702,"content":2703},{},[],{"nodeType":1363,"data":2705,"content":2706},{},[2707],{"nodeType":1293,"value":2708,"marks":2709,"data":2711},"Updated recommendations for security teams",[2710],{"type":1370},{},{"nodeType":1294,"data":2713,"content":2714},{},[2715],{"nodeType":1293,"value":2716,"marks":2717,"data":2718},"As an entirely browser-native attack technique, many traditional security tools and data sources are of limited use when it comes to detecting or pre-emptively blocking this attack. At the same time, the attack exploits default Microsoft security configs to evade both prevention and detection controls.",[],{},{"nodeType":1294,"data":2720,"content":2721},{},[2722],{"nodeType":1293,"value":2723,"marks":2724,"data":2725},"To be able to tackle modern attacks like ConsentFix that occur entirely within the browser context, it is vital that organizations look to monitor the browser as a detection surface, hunt for signs of malicious activity, and block attacks in real-time — in the same way that you would expect EDR to work for endpoint attacks. ",[],{},{"nodeType":1294,"data":2727,"content":2728},{},[2729],{"nodeType":1293,"value":2730,"marks":2731,"data":2732},"For organizations relying on Microsoft logging as the sole line of defense against this attack, there are some new recommendations to add to the list thanks to the community response: ",[],{},{"nodeType":1803,"data":2734,"content":2735},{},[2736,2759,2769,2790],{"nodeType":1807,"data":2737,"content":2738},{},[2739],{"nodeType":1294,"data":2740,"content":2741},{},[2742,2746,2755],{"nodeType":1293,"value":2743,"marks":2744,"data":2745},"Ensure that logging for the deprecated ",[],{},{"nodeType":1330,"data":2747,"content":2749},{"uri":2748},"https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/aadgraphactivitylogs",[2750],{"nodeType":1293,"value":2751,"marks":2752,"data":2754},"AADGraphActivityLogs",[2753],{"type":1338},{},{"nodeType":1293,"value":2756,"marks":2757,"data":2758}," is enabled.",[],{},{"nodeType":1807,"data":2760,"content":2761},{},[2762],{"nodeType":1294,"data":2763,"content":2764},{},[2765],{"nodeType":1293,"value":2766,"marks":2767,"data":2768},"Hunt in logs for the Application IDs highlighted above, along with the Resource IDs for Windows Azure Active Directory (00000002-0000-0000-c000-000000000000) and Microsoft Intune Checkin (26a4ae64-5862-427f-a9b0-044e62572a4f)",[],{},{"nodeType":1807,"data":2770,"content":2771},{},[2772],{"nodeType":1294,"data":2773,"content":2774},{},[2775,2778,2786],{"nodeType":1293,"value":37,"marks":2776,"data":2777},[],{},{"nodeType":1330,"data":2779,"content":2780},{"uri":2178},[2781],{"nodeType":1293,"value":2782,"marks":2783,"data":2785},"Create Service Principals for each of the vulnerable apps and restrict the users that are authorized to access them",[2784],{"type":1338},{},{"nodeType":1293,"value":2787,"marks":2788,"data":2789}," to reduce the attack surface of users that can be phished with this method.",[],{},{"nodeType":1807,"data":2791,"content":2792},{},[2793],{"nodeType":1294,"data":2794,"content":2795},{},[2796],{"nodeType":1293,"value":2797,"marks":2798,"data":2799},"Block access to CLI tools via Conditional Access policy and issue exclusions for authorized users/groups. ",[],{},{"nodeType":1294,"data":2801,"content":2802},{},[2803,2807,2816,2820,2827],{"nodeType":1293,"value":2804,"marks":2805,"data":2806},"Additional resources that may be of use include community-created ",[],{},{"nodeType":1330,"data":2808,"content":2810},{"uri":2809},"https://github.com/elastic/detection-rules/pull/5485",[2811],{"nodeType":1293,"value":2812,"marks":2813,"data":2815},"Elastic detection rules",[2814],{"type":1338},{},{"nodeType":1293,"value":2817,"marks":2818,"data":2819}," for ConsentFix and further mitigation and hunting guidance from ",[],{},{"nodeType":1330,"data":2821,"content":2822},{"uri":2165},[2823],{"nodeType":1293,"value":2168,"marks":2824,"data":2826},[2825],{"type":1338},{},{"nodeType":1293,"value":2828,"marks":2829,"data":2830},". ",[],{},{"nodeType":1359,"data":2832,"content":2833},{},[],{"nodeType":1363,"data":2835,"content":2836},{},[2837],{"nodeType":1293,"value":2838,"marks":2839,"data":2841},"Learn more about Push Security",[2840],{"type":1370},{},{"nodeType":1294,"data":2843,"content":2844},{},[2845],{"nodeType":1293,"value":2846,"marks":2847,"data":2848},"Even though this was a brand new technique, Push intercepted this attack and shut it down before customers could interact with it. ",[],{},{"nodeType":1294,"data":2850,"content":2851},{},[2852],{"nodeType":1293,"value":2853,"marks":2854,"data":2855},"Push tackles browser-based attacks using behavioral threat detection controls, powered by deep browser telemetry, to provide broad detection and blocking capabilities against attacks happening in the browser. This means analyzing the end-to-end process of a webpage loading/running in the browser, and how the user interacts with the page, to spot universal indicators of bad activity. ",[],{},{"nodeType":1294,"data":2857,"content":2858},{},[2859],{"nodeType":1293,"value":2860,"marks":2861,"data":2862},"This is the only reliable way to detect malicious websites in a world where IoC-based detections are trivial for attackers to get around. Rather than playing known-bad whac-a-mole, Push detects and blocks even zero-day browser threats in real time.",[],{},{"nodeType":1294,"data":2864,"content":2865},{},[2866],{"nodeType":1293,"value":2867,"marks":2868,"data":2869},"Push stops browser-based attacks like AiTM phishing, credential stuffing, malicious browser extensions, ClickFix, ConsentFix, and session hijacking. You don’t need to wait until it all goes wrong either — you can also use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, and more to harden your identity attack surface.",[],{},{"nodeType":1294,"data":2871,"content":2872},{},[2873,2877,2885,2889,2896],{"nodeType":1293,"value":2874,"marks":2875,"data":2876},"To learn more about Push, ",[],{},{"nodeType":1330,"data":2878,"content":2879},{"uri":1914},[2880],{"nodeType":1293,"value":2881,"marks":2882,"data":2884},"check out our latest product overview",[2883],{"type":1338},{},{"nodeType":1293,"value":2886,"marks":2887,"data":2888}," or ",[],{},{"nodeType":1330,"data":2890,"content":2891},{"uri":1938},[2892],{"nodeType":1293,"value":1941,"marks":2893,"data":2895},[2894],{"type":1338},{},{"nodeType":1293,"value":1946,"marks":2897,"data":2898},[],{},{"nodeType":1447,"data":2900,"content":2904},{"target":2901},{"sys":2902},{"id":2903,"type":1452,"linkType":1453},"4D7zpYAc1tTEAmn2hpkWPe",[],{"nodeType":1294,"data":2906,"content":2907},{},[2908],{"nodeType":1293,"value":37,"marks":2909,"data":2910},[],{},"ConsentFix debrief: latest community insights, recommendations, and predictions","New insights on the ConsentFix campaign stopped by Push.","2026-01-14T00:00:00.000Z","consentfix-debrief",{"items":2916},[2917,2919],{"sys":2918,"name":1310},{"id":1309},{"sys":2920,"name":1306},{"id":1305},{"items":2922},[2923],{"fullName":1314,"firstName":1315,"jobTitle":1316,"profilePicture":2924},{"url":1318},{"__typename":2092,"sys":2926,"content":2928,"title":4234,"synopsis":4235,"hashTags":118,"publishedDate":4236,"slug":4237,"tagsCollection":4238,"authorsCollection":4244},{"id":2927},"37KWV8V5L3aNZBSx6JMd0Z",{"json":2929},{"data":2930,"content":2931,"nodeType":1295},{},[2932,2939,2946,3010,3017,3086,3092,3099,3106,3109,3116,3123,3130,3235,3254,3261,3303,3310,3317,3324,3357,3363,3395,3401,3408,3415,3448,3468,3471,3478,3484,3515,3522,3529,3536,3542,3549,3555,3570,3613,3619,3639,3642,3649,3655,3675,3682,3714,3735,3741,3762,3769,3776,3836,3843,3849,3864,3879,3900,3906,3927,3934,3937,3944,3950,3957,3964,3985,3991,4012,4018,4025,4058,4076,4079,4086,4092,4099,4120,4126,4141,4147,4154,4161,4180,4183,4190,4197,4204],{"data":2933,"content":2934,"nodeType":1294},{},[2935],{"data":2936,"marks":2937,"value":2938,"nodeType":1293},{},[],"Looking back over the year’s headlines and trending TTPs, it’s clear that 2025 was the year that browser-based account takeover techniques made the leap into the mainstream.",{"data":2940,"content":2941,"nodeType":1294},{},[2942],{"data":2943,"marks":2944,"value":2945,"nodeType":1293},{},[],"A few stats tell the story …",{"data":2947,"content":2948,"nodeType":1803},{},[2949,2970,2989],{"data":2950,"content":2951,"nodeType":1807},{},[2952],{"data":2953,"content":2954,"nodeType":1294},{},[2955,2959,2966],{"data":2956,"marks":2957,"value":2958,"nodeType":1293},{},[],"Identity-based attacks surged by 32% over the last year, and 97% of identity attacks were password-based, driven by a combination of credential leaks and infostealer malware. (",{"data":2960,"content":2962,"nodeType":1330},{"uri":2961},"https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/msc/documents/presentations/CSR/Microsoft-Digital-Defense-Report-2025.pdf#page=1",[2963],{"data":2964,"marks":2965,"value":2156,"nodeType":1293},{},[],{"data":2967,"marks":2968,"value":2969,"nodeType":1293},{},[],")",{"data":2971,"content":2972,"nodeType":1807},{},[2973],{"data":2974,"content":2975,"nodeType":1294},{},[2976,2980,2986],{"data":2977,"marks":2978,"value":2979,"nodeType":1293},{},[],"ClickFix was the most common initial point of access for adversaries in the past year, accounting for a whopping 47% of observed attacks. (",{"data":2981,"content":2982,"nodeType":1330},{"uri":2961},[2983],{"data":2984,"marks":2985,"value":2156,"nodeType":1293},{},[],{"data":2987,"marks":2988,"value":2969,"nodeType":1293},{},[],{"data":2990,"content":2991,"nodeType":1807},{},[2992],{"data":2993,"content":2994,"nodeType":1294},{},[2995,2999,3007],{"data":2996,"marks":2997,"value":2998,"nodeType":1293},{},[],"Pure malware-based attacks declined, as adversaries continued to shift from targeting endpoints to corporate identities. In the last year-plus, 79% of detections were malware-free, up from 40% in 2019. And abuse of valid accounts was responsible for more than one-third of all cloud-related incidents. (",{"data":3000,"content":3002,"nodeType":1330},{"uri":3001},"https://www.crowdstrike.com/en-gb/global-threat-report/",[3003],{"data":3004,"marks":3005,"value":3006,"nodeType":1293},{},[],"Crowdstrike",{"data":3008,"marks":3009,"value":2969,"nodeType":1293},{},[],{"data":3011,"content":3012,"nodeType":1294},{},[3013],{"data":3014,"marks":3015,"value":3016,"nodeType":1293},{},[],"… and so do the headlines from 2025:",{"data":3018,"content":3019,"nodeType":1803},{},[3020,3039,3067],{"data":3021,"content":3022,"nodeType":1807},{},[3023],{"data":3024,"content":3025,"nodeType":1294},{},[3026,3030,3035],{"data":3027,"marks":3028,"value":3029,"nodeType":1293},{},[],"Attackers stole over ",{"data":3031,"marks":3032,"value":3034,"nodeType":1293},{},[3033],{"type":1370},"1.5 billion records",{"data":3036,"marks":3037,"value":3038,"nodeType":1293},{},[]," from an estimated 1,000+ Salesforce tenants by exploiting integrations (Salesloft, Gainsight), phishing credentials, and by tricking users into installing a malicious OAuth app.",{"data":3040,"content":3041,"nodeType":1807},{},[3042],{"data":3043,"content":3044,"nodeType":1294},{},[3045,3049,3054,3058,3063],{"data":3046,"marks":3047,"value":3048,"nodeType":1293},{},[],"Marks & Spencer was hit with a help desk scam that led to a compromised Microsoft Entra account, followed by a ransomware deployment resulting in months of disruption, ",{"data":3050,"marks":3051,"value":3053,"nodeType":1293},{},[3052],{"type":1370},"$400M",{"data":3055,"marks":3056,"value":3057,"nodeType":1293},{},[]," in lost profits, and around ",{"data":3059,"marks":3060,"value":3062,"nodeType":1293},{},[3061],{"type":1370},"$1.3B",{"data":3064,"marks":3065,"value":3066,"nodeType":1293},{},[]," wiped off their stock market valuation at one stage.",{"data":3068,"content":3069,"nodeType":1807},{},[3070],{"data":3071,"content":3072,"nodeType":1294},{},[3073,3077,3082],{"data":3074,"marks":3075,"value":3076,"nodeType":1293},{},[],"Jaguar Land Rover was compromised via highly privileged admin accounts — another help desk scam targeting workforce credentials for initial access — resulting in months of disruption that led the UK government to underwrite a ",{"data":3078,"marks":3079,"value":3081,"nodeType":1293},{},[3080],{"type":1370},"$1.5B",{"data":3083,"marks":3084,"value":3085,"nodeType":1293},{},[]," loan to alleviate the supply chain impact. This was the most economically consequential cyber attack yet recorded in a G7 economy.",{"data":3087,"content":3091,"nodeType":1447},{"target":3088},{"sys":3089},{"id":3090,"type":1452,"linkType":1453},"v5YYnjP2NViOh6Ucxp2Fe",[],{"data":3093,"content":3094,"nodeType":1294},{},[3095],{"data":3096,"marks":3097,"value":3098,"nodeType":1293},{},[],"At Push, we’ve been closely tracking the evolution of browser-based attacks. Looking back at 2025, we’ve seen a notable increase in the sophistication and frequency of modern attack techniques methods like ClickFix, commodified phish kits that bypass MFA, malicious browser extensions, and many more. (Writing phish kit teardowns for the Push blog is practically a full-time job now.)",{"data":3100,"content":3101,"nodeType":1294},{},[3102],{"data":3103,"marks":3104,"value":3105,"nodeType":1293},{},[],"In this article, we’ll take a look at how real-world attacks and our own research drove the features we delivered for Push customers this year to take the fight to adversaries.",{"data":3107,"content":3108,"nodeType":1359},{},[],{"data":3110,"content":3111,"nodeType":1363},{},[3112],{"data":3113,"marks":3114,"value":3115,"nodeType":1293},{},[],"Detecting and blocking increasingly sophisticated phishing-as-a-service tools",{"data":3117,"content":3118,"nodeType":1467},{},[3119],{"data":3120,"marks":3121,"value":3122,"nodeType":1293},{},[],"What happened",{"data":3124,"content":3125,"nodeType":1294},{},[3126],{"data":3127,"marks":3128,"value":3129,"nodeType":1293},{},[],"The current state of the art for phishing centers on three core developments:",{"data":3131,"content":3132,"nodeType":1803},{},[3133,3163,3206],{"data":3134,"content":3135,"nodeType":1807},{},[3136],{"data":3137,"content":3138,"nodeType":1294},{},[3139,3144,3148,3159],{"data":3140,"marks":3141,"value":3143,"nodeType":1293},{},[3142],{"type":1370},"Detection evasion: ",{"data":3145,"marks":3146,"value":3147,"nodeType":1293},{},[],"Adversaries demonstrated a ",{"data":3149,"content":3153,"nodeType":3158},{"target":3150},{"sys":3151},{"id":3152,"type":1452,"linkType":1453},"4XZ6qCr8pjJvcD7hi09x2Y",[3154],{"data":3155,"marks":3156,"value":3157,"nodeType":1293},{},[],"creative array of approaches","entry-hyperlink",{"data":3160,"marks":3161,"value":3162,"nodeType":1293},{},[]," this year to hide their intentions from end-users and defenders, using methods such as sending phishing emails from legitimate services; serving phishing pages via malvertising and SEO poisoning; and obfuscating URLs. More sophisticated techniques used page-level obfuscation, cross-domain iframes, single-use links, and legitimate OIDC logins to evade detection and analysis from traditional tools.",{"data":3164,"content":3165,"nodeType":1807},{},[3166],{"data":3167,"content":3168,"nodeType":1294},{},[3169,3174,3178,3188,3192,3202],{"data":3170,"marks":3171,"value":3173,"nodeType":1293},{},[3172],{"type":1370},"Multi-channel delivery of lures:",{"data":3175,"marks":3176,"value":3177,"nodeType":1293},{},[]," Adversaries proved the truism of “phishing doesn’t just happen in the mailbox” this year by increasing their observed use of ",{"data":3179,"content":3183,"nodeType":3158},{"target":3180},{"sys":3181},{"id":3182,"type":1452,"linkType":1453},"72lLmy0CXnOp3LWOdcUguX",[3184],{"data":3185,"marks":3186,"value":3187,"nodeType":1293},{},[],"malvertising",{"data":3189,"marks":3190,"value":3191,"nodeType":1293},{},[]," and SEO poisoning — techniques that place malicious pages within trusted contexts like the Google search engine results page — as well as the use of social media services like LinkedIn to ",{"data":3193,"content":3197,"nodeType":3158},{"target":3194},{"sys":3195},{"id":3196,"type":1452,"linkType":1453},"2yEhB2gFC2TJDLquVP3cg2",[3198],{"data":3199,"marks":3200,"value":3201,"nodeType":1293},{},[],"deliver phishing lures",{"data":3203,"marks":3204,"value":3205,"nodeType":1293},{},[],". ",{"data":3207,"content":3208,"nodeType":1807},{},[3209],{"data":3210,"content":3211,"nodeType":1294},{},[3212,3217,3221,3231],{"data":3213,"marks":3214,"value":3216,"nodeType":1293},{},[3215],{"type":1370},"Commodification of phishing toolkits:",{"data":3218,"marks":3219,"value":3220,"nodeType":1293},{},[]," Phishing-as-a-service (PhaaS) kits have become another SaaS with their own supply chain, including developers of malicious tooling, operators who run the campaigns, and brokers who sell stolen credentials and tokens. The incentives for attackers are clear: quick ROI from targeting workforce identities, and out-of-the-box tools that make it easier to efficiently spin up new campaigns or try new techniques. As with any SaaS offering, the customer (attackers, in this case) benefits from rapid innovations they didn’t have to build. We saw this recently with the ",{"data":3222,"content":3226,"nodeType":3158},{"target":3223},{"sys":3224},{"id":3225,"type":1452,"linkType":1453},"6QLonRmBzbj9h88Y7jD0LU",[3227],{"data":3228,"marks":3229,"value":3230,"nodeType":1293},{},[],"addition of a browser-in-the-browser (BitB) technique",{"data":3232,"marks":3233,"value":3234,"nodeType":1293},{},[]," to the phish kit Sneaky2FA — a change that makes it even more effective.",{"data":3236,"content":3237,"nodeType":1294},{},[3238,3242,3250],{"data":3239,"marks":3240,"value":3241,"nodeType":1293},{},[],"In 2025, Push researchers tracked how each of these developments expanded in scope and sophistication. Check out our ",{"data":3243,"content":3245,"nodeType":1330},{"uri":3244},"https://pushsecurity.github.io/phishing-techniques/",[3246],{"data":3247,"marks":3248,"value":3249,"nodeType":1293},{},[],"phishing detection evasion techniques matrix",{"data":3251,"marks":3252,"value":3253,"nodeType":1293},{},[]," on Github for more detail. ",{"data":3255,"content":3256,"nodeType":1294},{},[3257],{"data":3258,"marks":3259,"value":3260,"nodeType":1293},{},[],"The takeaways for security teams?",{"data":3262,"content":3263,"nodeType":1803},{},[3264,3274,3293],{"data":3265,"content":3266,"nodeType":1807},{},[3267],{"data":3268,"content":3269,"nodeType":1294},{},[3270],{"data":3271,"marks":3272,"value":3273,"nodeType":1293},{},[],"You can’t block your way to safety when adversaries are using the same legitimate apps that your employees use.",{"data":3275,"content":3276,"nodeType":1807},{},[3277],{"data":3278,"content":3279,"nodeType":1294},{},[3280,3284,3289],{"data":3281,"marks":3282,"value":3283,"nodeType":1293},{},[],"Similarly, while end-user training is important, it’s not reasonable to expect employees to know when a SharePoint document link is malicious when it looks identical to the ones they trust every day — because adversaries ",{"data":3285,"marks":3286,"value":3288,"nodeType":1293},{},[3287],{"type":312},"are using the legitimate service",{"data":3290,"marks":3291,"value":3292,"nodeType":1293},{},[],". Push researchers have observed the abuse of hundreds of legitimate services in phishing attacks this year.",{"data":3294,"content":3295,"nodeType":1807},{},[3296],{"data":3297,"content":3298,"nodeType":1294},{},[3299],{"data":3300,"marks":3301,"value":3302,"nodeType":1293},{},[],"Security solutions need to be able to analyze real-time context and behavior, not rely solely on inferences from secondary characteristics like domain reputation.",{"data":3304,"content":3305,"nodeType":1294},{},[3306],{"data":3307,"marks":3308,"value":3309,"nodeType":1293},{},[],"Here's what we built to help defend organizations.",{"data":3311,"content":3312,"nodeType":1467},{},[3313],{"data":3314,"marks":3315,"value":3316,"nodeType":1293},{},[],"What we built",{"data":3318,"content":3319,"nodeType":1294},{},[3320],{"data":3321,"marks":3322,"value":3323,"nodeType":1293},{},[],"The feature we built in 2025 that gave us unique insight into these TTPs is Push’s Detections capability. With Detections, you can:",{"data":3325,"content":3326,"nodeType":1803},{},[3327,3337,3347],{"data":3328,"content":3329,"nodeType":1807},{},[3330],{"data":3331,"content":3332,"nodeType":1294},{},[3333],{"data":3334,"marks":3335,"value":3336,"nodeType":1293},{},[],"Get alerted when Push detects a browser-based attack, and see how the Push agent responded to block the attack. The platform provides a front-end view for quick triage, and you can also pipe the detection events to your SIEM or other platform of choice.",{"data":3338,"content":3339,"nodeType":1807},{},[3340],{"data":3341,"content":3342,"nodeType":1294},{},[3343],{"data":3344,"marks":3345,"value":3346,"nodeType":1293},{},[],"Review a timeline of the incident: Where a phishing link originated; whether a user entered their credentials; what kind of phishkit was detected; and how Push responded (configurable based on your environment).",{"data":3348,"content":3349,"nodeType":1807},{},[3350],{"data":3351,"content":3352,"nodeType":1294},{},[3353],{"data":3354,"marks":3355,"value":3356,"nodeType":1293},{},[],"Get actionable telemetry and metadata about an incident, including a screenshot of the malicious page to see exactly what the user saw; intel about the involved domains, including when they were registered and if they’ve been scanned by urlscan before; and the blast radius of an attack, including other apps that shared a password with the potentially compromised account",{"data":3358,"content":3362,"nodeType":1447},{"target":3359},{"sys":3360},{"id":3361,"type":1452,"linkType":1453},"5dygPaG3Gfw4Yeicffv6tV",[],{"data":3364,"content":3365,"nodeType":1294},{},[3366,3370,3375,3378,3383,3386,3391],{"data":3367,"marks":3368,"value":3369,"nodeType":1293},{},[],"This telemetry — combined with Push’s out-of-the-box controls like ",{"data":3371,"marks":3372,"value":3374,"nodeType":1293},{},[3373],{"type":1370},"Phishing tool detection",{"data":3376,"marks":3377,"value":1733,"nodeType":1293},{},[],{"data":3379,"marks":3380,"value":3382,"nodeType":1293},{},[3381],{"type":1370},"Cloned login page detection",{"data":3384,"marks":3385,"value":2173,"nodeType":1293},{},[],{"data":3387,"marks":3388,"value":3390,"nodeType":1293},{},[3389],{"type":1370},"Malicious copy and paste detection",{"data":3392,"marks":3393,"value":3394,"nodeType":1293},{},[]," (aka ClickFix detection) — give you a seat on the user’s side of the equation, capturing real-time information about what users did and the TTPs of an attack so you can investigate and respond efficiently and confidently.",{"data":3396,"content":3400,"nodeType":1447},{"target":3397},{"sys":3398},{"id":3399,"type":1452,"linkType":1453},"563fJFSgoLDOwSXSQ9Y0MM",[],{"data":3402,"content":3403,"nodeType":1294},{},[3404],{"data":3405,"marks":3406,"value":3407,"nodeType":1293},{},[],"With the visibility provided by this telemetry across Push’s install base, our R&D and Product teams have rapidly iterated all year on our detections to increase coverage and respond quickly to newly identified attack types.",{"data":3409,"content":3410,"nodeType":1294},{},[3411],{"data":3412,"marks":3413,"value":3414,"nodeType":1293},{},[],"This year, we also released:",{"data":3416,"content":3417,"nodeType":1803},{},[3418,3428,3438],{"data":3419,"content":3420,"nodeType":1807},{},[3421],{"data":3422,"content":3423,"nodeType":1294},{},[3424],{"data":3425,"marks":3426,"value":3427,"nodeType":1293},{},[],"Detections for new variants of cloned login pages and AiTM phish kits.",{"data":3429,"content":3430,"nodeType":1807},{},[3431],{"data":3432,"content":3433,"nodeType":1294},{},[3434],{"data":3435,"marks":3436,"value":3437,"nodeType":1293},{},[],"12+ pre-release detections focused on flagging emerging attacker techniques.",{"data":3439,"content":3440,"nodeType":1807},{},[3441],{"data":3442,"content":3443,"nodeType":1294},{},[3444],{"data":3445,"marks":3446,"value":3447,"nodeType":1293},{},[],"7+ first-class SIEM and SOAR integrations, to make it simpler to ingest Push telemetry and operationalize it.",{"data":3449,"content":3450,"nodeType":1294},{},[3451,3455,3465],{"data":3452,"marks":3453,"value":3454,"nodeType":1293},{},[],"Learn more about Push’s detections features in our ",{"data":3456,"content":3460,"nodeType":3158},{"target":3457},{"sys":3458},{"id":3459,"type":1452,"linkType":1453},"6OFdfAsoPUECeRAetWvedp",[3461],{"data":3462,"marks":3463,"value":3464,"nodeType":1293},{},[],"blog article",{"data":3466,"marks":3467,"value":1946,"nodeType":1293},{},[],{"data":3469,"content":3470,"nodeType":1359},{},[],{"data":3472,"content":3473,"nodeType":1363},{},[3474],{"data":3475,"marks":3476,"value":3477,"nodeType":1293},{},[],"Detecting and blocking ClickFix-style malicious copy and paste attacks",{"data":3479,"content":3480,"nodeType":1467},{},[3481],{"data":3482,"marks":3483,"value":3122,"nodeType":1293},{},[],{"data":3485,"content":3486,"nodeType":1294},{},[3487,3491,3499,3503,3511],{"data":3488,"marks":3489,"value":3490,"nodeType":1293},{},[],"ClickFix-style attacks left their mark in 2025, quickly becoming one of the most prevalent attack techniques — with ",{"data":3492,"content":3494,"nodeType":1330},{"uri":3493},"https://www.scworld.com/news/clickfix-phishing-links-increased-nearly-400-in-12-months-report-says",[3495],{"data":3496,"marks":3497,"value":3498,"nodeType":1293},{},[],"estimates",{"data":3500,"marks":3501,"value":3502,"nodeType":1293},{},[]," of a 400 percent year-over-year increase, and another ",{"data":3504,"content":3506,"nodeType":1330},{"uri":3505},"https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-threat-report-h12025.pdf",[3507],{"data":3508,"marks":3509,"value":3510,"nodeType":1293},{},[],"report",{"data":3512,"marks":3513,"value":3514,"nodeType":1293},{},[]," documenting a 517 percent growth in just the last 6 months of the year.",{"data":3516,"content":3517,"nodeType":1294},{},[3518],{"data":3519,"marks":3520,"value":3521,"nodeType":1293},{},[],"What is ClickFix? This attack technique prompts the user to solve some kind of problem or troubleshooting step in the browser — often presented as a CAPTCHA challenge. The key aspect of the attack is that it tricks users into running malicious commands on their device by copying malicious code from the page clipboard and running it locally. (The copy typically occurs  automatically via the page itself, but can also be performed manually by the user.)",{"data":3523,"content":3524,"nodeType":1294},{},[3525],{"data":3526,"marks":3527,"value":3528,"nodeType":1293},{},[],"These malicious copy and paste attacks are often used to deliver infostealer malware or remote access software, with the attacker’s end goal being stealing session cookies and credentials to facilitate attacks on business apps.",{"data":3530,"content":3531,"nodeType":1294},{},[3532],{"data":3533,"marks":3534,"value":3535,"nodeType":1293},{},[],"What’s especially challenging about this attack type is that it usually can only be detected after the fact — when a machine is already compromised, or malicious code attempts to execute (if EDR catches it). Even if it is detected, security teams are left flying blind when they try to determine the initial vector for the attack, and which other users might have been targeted.",{"data":3537,"content":3538,"nodeType":1467},{},[3539],{"data":3540,"marks":3541,"value":3316,"nodeType":1293},{},[],{"data":3543,"content":3544,"nodeType":1294},{},[3545],{"data":3546,"marks":3547,"value":3548,"nodeType":1293},{},[],"Because of our position in the browser, Push is uniquely positioned to detect and block browser-native attacks like ClickFix and other forms of malicious copy and paste techniques. So that’s what we built.",{"data":3550,"content":3554,"nodeType":1447},{"target":3551},{"sys":3552},{"id":3553,"type":1452,"linkType":1453},"56jVT7dbNqUGiSRTfTCQw2",[],{"data":3556,"content":3557,"nodeType":1294},{},[3558,3562,3566],{"data":3559,"marks":3560,"value":3561,"nodeType":1293},{},[],"With our ",{"data":3563,"marks":3564,"value":3390,"nodeType":1293},{},[3565],{"type":1370},{"data":3567,"marks":3568,"value":3569,"nodeType":1293},{},[],", you can:",{"data":3571,"content":3572,"nodeType":1803},{},[3573,3583,3593,3603],{"data":3574,"content":3575,"nodeType":1807},{},[3576],{"data":3577,"content":3578,"nodeType":1294},{},[3579],{"data":3580,"marks":3581,"value":3582,"nodeType":1293},{},[],"Detect ClickFix-style attacks as soon as they target end-users, regardless of the delivery channel for the lure, or the specifics of the malware type and execution.",{"data":3584,"content":3585,"nodeType":1807},{},[3586],{"data":3587,"content":3588,"nodeType":1294},{},[3589],{"data":3590,"marks":3591,"value":3592,"nodeType":1293},{},[],"Block these attacks before the malicious code is copied to the clipboard.",{"data":3594,"content":3595,"nodeType":1807},{},[3596],{"data":3597,"content":3598,"nodeType":1294},{},[3599],{"data":3600,"marks":3601,"value":3602,"nodeType":1293},{},[],"Safely collect the payload for further investigation by your security team, and replace the clipboard contents with safe text as part of the blocking action.",{"data":3604,"content":3605,"nodeType":1807},{},[3606],{"data":3607,"content":3608,"nodeType":1294},{},[3609],{"data":3610,"marks":3611,"value":3612,"nodeType":1293},{},[],"Capture a detailed timeline of events to see how users were targeted and how the attack unfolded.",{"data":3614,"content":3618,"nodeType":1447},{"target":3615},{"sys":3616},{"id":3617,"type":1452,"linkType":1453},"sALkMt8UbTZ2f34hKvGLj",[],{"data":3620,"content":3621,"nodeType":1294},{},[3622,3626,3636],{"data":3623,"marks":3624,"value":3625,"nodeType":1293},{},[],"Learn more about ClickFix detection in our ",{"data":3627,"content":3631,"nodeType":3158},{"target":3628},{"sys":3629},{"id":3630,"type":1452,"linkType":1453},"7jygmadjoz0asAHv7e5PuK",[3632],{"data":3633,"marks":3634,"value":3635,"nodeType":1293},{},[],"documentation",{"data":3637,"marks":3638,"value":1946,"nodeType":1293},{},[],{"data":3640,"content":3641,"nodeType":1359},{},[],{"data":3643,"content":3644,"nodeType":1363},{},[3645],{"data":3646,"marks":3647,"value":3648,"nodeType":1293},{},[],"Getting ahead of breaches tied to stolen credentials and ghost logins",{"data":3650,"content":3651,"nodeType":1467},{},[3652],{"data":3653,"marks":3654,"value":3122,"nodeType":1293},{},[],{"data":3656,"content":3657,"nodeType":1294},{},[3658,3662,3672],{"data":3659,"marks":3660,"value":3661,"nodeType":1293},{},[],"Starting in November 2024 and continuing through July 2025, adversaries linked to the HELLCAT threat group compromised Jira tenants belonging to 10 organizations using ",{"data":3663,"content":3667,"nodeType":3158},{"target":3664},{"sys":3665},{"id":3666,"type":1452,"linkType":1453},"gANCbeL9AnxmbGAE5HhyG",[3668],{"data":3669,"marks":3670,"value":3671,"nodeType":1293},{},[],"stolen credentials",{"data":3673,"marks":3674,"value":3205,"nodeType":1293},{},[],{"data":3676,"content":3677,"nodeType":1294},{},[3678],{"data":3679,"marks":3680,"value":3681,"nodeType":1293},{},[],"Business-critical applications like Jira are prime targets for attackers, who in this case dumped valuable data and then held it for ransom (or sold it on criminal marketplaces). Of course, this isn’t just a problem for Jira — data from Push’s initial deployment into customer environments shows that lots of critical apps lack basic controls like strong passwords and MFA.",{"data":3683,"content":3684,"nodeType":1294},{},[3685,3689,3698,3702,3710],{"data":3686,"marks":3687,"value":3688,"nodeType":1293},{},[],"The evolving threat group known as ",{"data":3690,"content":3694,"nodeType":3158},{"target":3691},{"sys":3692},{"id":3693,"type":1452,"linkType":1453},"2sFCww9xnI8okIxhtOaiY1",[3695],{"data":3696,"marks":3697,"value":1335,"nodeType":1293},{},[],{"data":3699,"marks":3700,"value":3701,"nodeType":1293},{},[]," has also embraced the use of stolen creds, session cookies, and unprotected local account logins — aka ",{"data":3703,"content":3705,"nodeType":1330},{"uri":3704},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/ghost_logins/description.md",[3706],{"data":3707,"marks":3708,"value":3709,"nodeType":1293},{},[],"ghost logins",{"data":3711,"marks":3712,"value":3713,"nodeType":1293},{},[]," — to compromise large organizations.",{"data":3715,"content":3716,"nodeType":1294},{},[3717,3721,3731],{"data":3718,"marks":3719,"value":3720,"nodeType":1293},{},[],"In 2025, Red Hat’s GitLab instance was compromised due to a local account that essentially provided a backdoor to an otherwise secure and SSO-connected account — an attack reminiscent of the ",{"data":3722,"content":3726,"nodeType":3158},{"target":3723},{"sys":3724},{"id":3725,"type":1452,"linkType":1453},"PAPJPr3CIB6J20udYyy1r",[3727],{"data":3728,"marks":3729,"value":3730,"nodeType":1293},{},[],"2024 Snowflake breach",{"data":3732,"marks":3733,"value":3734,"nodeType":1293},{},[],", which targeted local logins that lacked MFA.",{"data":3736,"content":3737,"nodeType":1467},{},[3738],{"data":3739,"marks":3740,"value":3316,"nodeType":1293},{},[],{"data":3742,"content":3743,"nodeType":1294},{},[3744,3748,3758],{"data":3745,"marks":3746,"value":3747,"nodeType":1293},{},[],"Push already provided the ability to detect stolen credentials being actively used by employees in your organization with our ",{"data":3749,"content":3753,"nodeType":3158},{"target":3750},{"sys":3751},{"id":3752,"type":1452,"linkType":1453},"6vCr4d3R1XA1E8dU883l7N",[3754],{"data":3755,"marks":3756,"value":3757,"nodeType":1293},{},[],"Stolen credential detection control",{"data":3759,"marks":3760,"value":3761,"nodeType":1293},{},[],". This provides an early-warning signal when Push finds a match between credentials for sale on criminal forums with those still being used by your employees, reducing some 99.5% of false positives we usually see with TI feed data.",{"data":3763,"content":3764,"nodeType":1294},{},[3765],{"data":3766,"marks":3767,"value":3768,"nodeType":1293},{},[],"With Push, you can also identify where employees are logging in with passwords on apps that otherwise should be using SAML, OIDC, or some other federated mechanism — aka the ghost login vulnerability.",{"data":3770,"content":3771,"nodeType":1294},{},[3772],{"data":3773,"marks":3774,"value":3775,"nodeType":1293},{},[],"This year, we made it easier for security teams to enforce two security fundamentals that help harden accounts and reduce the risk of ATO, even on unmanaged apps:",{"data":3777,"content":3778,"nodeType":1803},{},[3779,3808],{"data":3780,"content":3781,"nodeType":1807},{},[3782],{"data":3783,"content":3784,"nodeType":1294},{},[3785,3790,3794,3804],{"data":3786,"marks":3787,"value":3789,"nodeType":1293},{},[3788],{"type":1370},"Strong password enforcement:",{"data":3791,"marks":3792,"value":3793,"nodeType":1293},{},[]," With this control, you can prompt end-users to ",{"data":3795,"content":3799,"nodeType":3158},{"target":3796},{"sys":3797},{"id":3798,"type":1452,"linkType":1453},"5aB5x5VXrMv7PDmH0iiK0c",[3800],{"data":3801,"marks":3802,"value":3803,"nodeType":1293},{},[],"fix an insecure password",{"data":3805,"marks":3806,"value":3807,"nodeType":1293},{},[]," on all your workforce apps, even the ones you don’t centrally manage. ",{"data":3809,"content":3810,"nodeType":1807},{},[3811],{"data":3812,"content":3813,"nodeType":1294},{},[3814,3819,3822,3832],{"data":3815,"marks":3816,"value":3818,"nodeType":1293},{},[3817],{"type":1370},"MFA enforcement:",{"data":3820,"marks":3821,"value":3793,"nodeType":1293},{},[],{"data":3823,"content":3827,"nodeType":3158},{"target":3824},{"sys":3825},{"id":3826,"type":1452,"linkType":1453},"wikyVxlHwKUOKM9xo19eP",[3828],{"data":3829,"marks":3830,"value":3831,"nodeType":1293},{},[],"register for MFA",{"data":3833,"marks":3834,"value":3835,"nodeType":1293},{},[]," where Push detects it’s missing — again, even on unmanaged apps.",{"data":3837,"content":3838,"nodeType":1294},{},[3839],{"data":3840,"marks":3841,"value":3842,"nodeType":1293},{},[],"Both of these controls use in-browser banners to provide point-in-time guidance to users when they’re most likely to see it and act on it.",{"data":3844,"content":3848,"nodeType":1447},{"target":3845},{"sys":3846},{"id":3847,"type":1452,"linkType":1453},"3XH0hnnhcZNI47PhdiD4q0",[],{"data":3850,"content":3851,"nodeType":1294},{},[3852,3856,3861],{"data":3853,"marks":3854,"value":3855,"nodeType":1293},{},[],"To address the pattern of adversaries moving from targeting hardened core apps such as identity providers to the likes of GitLab, Postman, Jira, and others containing valuable corporate data, we also expanded one of the Push platform’s core security controls called ",{"data":3857,"marks":3858,"value":3860,"nodeType":1293},{},[3859],{"type":1370},"Password protection",{"data":3862,"marks":3863,"value":1946,"nodeType":1293},{},[],{"data":3865,"content":3866,"nodeType":1294},{},[3867,3871,3875],{"data":3868,"marks":3869,"value":3870,"nodeType":1293},{},[],"The ",{"data":3872,"marks":3873,"value":3860,"nodeType":1293},{},[3874],{"type":1370},{"data":3876,"marks":3877,"value":3878,"nodeType":1293},{},[]," control previously could be applied only to IdP passwords, allowing you to essentially “pin” the credential for those systems so that it could never be entered on a phishing page or reused on any other app. ",{"data":3880,"content":3881,"nodeType":1294},{},[3882,3886,3896],{"data":3883,"marks":3884,"value":3885,"nodeType":1293},{},[],"We expanded that control to allow you to ",{"data":3887,"content":3891,"nodeType":3158},{"target":3888},{"sys":3889},{"id":3890,"type":1452,"linkType":1453},"6FYHbkcRUrtznPo7RarRsz",[3892],{"data":3893,"marks":3894,"value":3895,"nodeType":1293},{},[],"protect passwords on any valuable app",{"data":3897,"marks":3898,"value":3899,"nodeType":1293},{},[],", preventing account takeover through phished creds and reducing the blast radius of attacks when a compromised account has been reusing passwords on multiple applications.",{"data":3901,"content":3905,"nodeType":1447},{"target":3902},{"sys":3903},{"id":3904,"type":1452,"linkType":1453},"74l82HIeaumFX4u9AMjj79",[],{"data":3907,"content":3908,"nodeType":1294},{},[3909,3913,3923],{"data":3910,"marks":3911,"value":3912,"nodeType":1293},{},[],"Push also now gives you visibility into where employees are ",{"data":3914,"content":3918,"nodeType":3158},{"target":3915},{"sys":3916},{"id":3917,"type":1452,"linkType":1453},"7uLeQ9twNl5RyNaWkkJNjd",[3919],{"data":3920,"marks":3921,"value":3922,"nodeType":1293},{},[],"syncing their corporate browser profile",{"data":3924,"marks":3925,"value":3926,"nodeType":1293},{},[]," to a personal profile, raising the risk of syncing corporate passwords to unmanaged devices — another vector for credential harvesting if those endpoints become compromised.",{"data":3928,"content":3929,"nodeType":1294},{},[3930],{"data":3931,"marks":3932,"value":3933,"nodeType":1293},{},[],"And of course, underlying all these features is the foundational visibility of all your apps, accounts, account vulnerabilities, and login methods that Push provides.",{"data":3935,"content":3936,"nodeType":1359},{},[],{"data":3938,"content":3939,"nodeType":1363},{},[3940],{"data":3941,"marks":3942,"value":3943,"nodeType":1293},{},[],"Blocking malicious browser extensions",{"data":3945,"content":3946,"nodeType":1467},{},[3947],{"data":3948,"marks":3949,"value":3122,"nodeType":1293},{},[],{"data":3951,"content":3952,"nodeType":1294},{},[3953],{"data":3954,"marks":3955,"value":3956,"nodeType":1293},{},[],"Getting visibility and control over all the browser extensions used across your workforce has long been a thorny problem for security teams. ",{"data":3958,"content":3959,"nodeType":1294},{},[3960],{"data":3961,"marks":3962,"value":3963,"nodeType":1293},{},[],"The possible solutions haven’t been great, either. Teams could either apply a blunt-force block for most or all extensions, or spend painstaking time trying to understand what was installed, why, and by whom, across all the browsers in the environment.",{"data":3965,"content":3966,"nodeType":1294},{},[3967,3971,3981],{"data":3968,"marks":3969,"value":3970,"nodeType":1293},{},[],"The urgency of solving this problem increased for many organizations this year after the December 2024 compromise of at least 35 Google Chrome extensions in a ",{"data":3972,"content":3976,"nodeType":3158},{"target":3973},{"sys":3974},{"id":3975,"type":1452,"linkType":1453},"6sprbTRpfnTJsP3mGR2gKa",[3977],{"data":3978,"marks":3979,"value":3980,"nodeType":1293},{},[],"campaign targeting browser extension developers",{"data":3982,"marks":3983,"value":3984,"nodeType":1293},{},[],". Cyberhaven’s extension was one of these, and the campaign inherited their name.",{"data":3986,"content":3987,"nodeType":1467},{},[3988],{"data":3989,"marks":3990,"value":3316,"nodeType":1293},{},[],{"data":3992,"content":3993,"nodeType":1294},{},[3994,3998,4008],{"data":3995,"marks":3996,"value":3997,"nodeType":1293},{},[],"With Push, you can now get visibility across ",{"data":3999,"content":4003,"nodeType":3158},{"target":4000},{"sys":4001},{"id":4002,"type":1452,"linkType":1453},"3ibVBa6u0XfcXXDVtON5th",[4004],{"data":4005,"marks":4006,"value":4007,"nodeType":1293},{},[],"all the browser extensions",{"data":4009,"marks":4010,"value":4011,"nodeType":1293},{},[]," installed on employee browsers in your environment, and block the ones you don’t want.",{"data":4013,"content":4017,"nodeType":1447},{"target":4014},{"sys":4015},{"id":4016,"type":1452,"linkType":1453},"5J5jdmwugy7yU8GGwxe7iH",[],{"data":4019,"content":4020,"nodeType":1294},{},[4021],{"data":4022,"marks":4023,"value":4024,"nodeType":1293},{},[],"You can also:",{"data":4026,"content":4027,"nodeType":1803},{},[4028,4038,4048],{"data":4029,"content":4030,"nodeType":1807},{},[4031],{"data":4032,"content":4033,"nodeType":1294},{},[4034],{"data":4035,"marks":4036,"value":4037,"nodeType":1293},{},[],"Review extensions with risky permissions.",{"data":4039,"content":4040,"nodeType":1807},{},[4041],{"data":4042,"content":4043,"nodeType":1294},{},[4044],{"data":4045,"marks":4046,"value":4047,"nodeType":1293},{},[],"Identify extensions with potentially suspicious installation methods, such as sideloaded or manually installed.",{"data":4049,"content":4050,"nodeType":1807},{},[4051],{"data":4052,"content":4053,"nodeType":1294},{},[4054],{"data":4055,"marks":4056,"value":4057,"nodeType":1293},{},[],"Block extensions based on user groups and browser profiles (e.g. profiles logged in with a company domain).",{"data":4059,"content":4060,"nodeType":1294},{},[4061,4065,4073],{"data":4062,"marks":4063,"value":4064,"nodeType":1293},{},[],"Learn more about extension visibility and management in our ",{"data":4066,"content":4069,"nodeType":3158},{"target":4067},{"sys":4068},{"id":4002,"type":1452,"linkType":1453},[4070],{"data":4071,"marks":4072,"value":3635,"nodeType":1293},{},[],{"data":4074,"marks":4075,"value":1946,"nodeType":1293},{},[],{"data":4077,"content":4078,"nodeType":1359},{},[],{"data":4080,"content":4081,"nodeType":1363},{},[4082],{"data":4083,"marks":4084,"value":4085,"nodeType":1293},{},[],"Adding a layer of protection against help desk scams",{"data":4087,"content":4088,"nodeType":1467},{},[4089],{"data":4090,"marks":4091,"value":3122,"nodeType":1293},{},[],{"data":4093,"content":4094,"nodeType":1294},{},[4095],{"data":4096,"marks":4097,"value":4098,"nodeType":1293},{},[],"Finally, another big theme in this year’s TTPs was the use of help desk social engineering to compromise organizations. ",{"data":4100,"content":4101,"nodeType":1294},{},[4102,4106,4116],{"data":4103,"marks":4104,"value":4105,"nodeType":1293},{},[],"Attackers like ",{"data":4107,"content":4111,"nodeType":3158},{"target":4108},{"sys":4109},{"id":4110,"type":1452,"linkType":1453},"wgpdyHDn9NcpIJNr7jnFp",[4112],{"data":4113,"marks":4114,"value":4115,"nodeType":1293},{},[],"Scattered Spider",{"data":4117,"marks":4118,"value":4119,"nodeType":1293},{},[]," — now known as part of the evolving cybercriminal group Scattered Lapsus$ Hunters — have targeted organizations including MGM Resorts and Marks & Spencer by convincing help desk staff to help them bypass MFA or reset credentials for accounts they then use to access corporate systems. ",{"data":4121,"content":4122,"nodeType":1467},{},[4123],{"data":4124,"marks":4125,"value":3316,"nodeType":1293},{},[],{"data":4127,"content":4128,"nodeType":1294},{},[4129,4133,4138],{"data":4130,"marks":4131,"value":4132,"nodeType":1293},{},[],"To provide an additional layer of security when verifying employee identities during help desk interactions, Push introduced ",{"data":4134,"marks":4135,"value":4137,"nodeType":1293},{},[4136],{"type":1370},"Employee verification codes",{"data":4139,"marks":4140,"value":1946,"nodeType":1293},{},[],{"data":4142,"content":4146,"nodeType":1447},{"target":4143},{"sys":4144},{"id":4145,"type":1452,"linkType":1453},"19Baqh5QwbonzsR0EcaDS8",[],{"data":4148,"content":4149,"nodeType":1294},{},[4150],{"data":4151,"marks":4152,"value":4153,"nodeType":1293},{},[],"These are a rotating 6-digit verification code accessible via the Push Security extension dropdown. When an employee contacts your help desk, staff can use this code to help verify their identity before performing any sensitive account changes.",{"data":4155,"content":4156,"nodeType":1294},{},[4157],{"data":4158,"marks":4159,"value":4160,"nodeType":1293},{},[],"Employee verification codes are lightweight, rotate every 24 hours, and don’t require any additional apps or devices.",{"data":4162,"content":4163,"nodeType":1294},{},[4164,4168,4177],{"data":4165,"marks":4166,"value":4167,"nodeType":1293},{},[],"Learn more about verification codes in our ",{"data":4169,"content":4173,"nodeType":3158},{"target":4170},{"sys":4171},{"id":4172,"type":1452,"linkType":1453},"4rLP8wr6HnvBG2OzqYYKpF",[4174],{"data":4175,"marks":4176,"value":3464,"nodeType":1293},{},[],{"data":4178,"marks":4179,"value":1946,"nodeType":1293},{},[],{"data":4181,"content":4182,"nodeType":1359},{},[],{"data":4184,"content":4185,"nodeType":1363},{},[4186],{"data":4187,"marks":4188,"value":4189,"nodeType":1293},{},[],"Learn more about Push",{"data":4191,"content":4192,"nodeType":1294},{},[4193],{"data":4194,"marks":4195,"value":4196,"nodeType":1293},{},[],"Push Security’s browser-based security platform provides comprehensive detection and response capabilities against the leading cause of breaches. Push blocks browser-based attacks like AiTM phishing, credential stuffing, malicious browser extensions, ClickFix, and session hijacking. ",{"data":4198,"content":4199,"nodeType":1294},{},[4200],{"data":4201,"marks":4202,"value":4203,"nodeType":1293},{},[],"You don’t need to wait until it all goes wrong — you can also use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, and more to harden your identity attack surface.",{"data":4205,"content":4206,"nodeType":1294},{},[4207,4211,4219,4223,4231],{"data":4208,"marks":4209,"value":4210,"nodeType":1293},{},[],"To learn more about Push, check out our latest ",{"data":4212,"content":4214,"nodeType":1330},{"uri":4213},"/resources/product-brochure",[4215],{"data":4216,"marks":4217,"value":4218,"nodeType":1293},{},[],"product overview",{"data":4220,"marks":4221,"value":4222,"nodeType":1293},{},[]," or book some time with one of our team for a ",{"data":4224,"content":4226,"nodeType":1330},{"uri":4225},"/demo",[4227],{"data":4228,"marks":4229,"value":4230,"nodeType":1293},{},[],"live demo",{"data":4232,"marks":4233,"value":1946,"nodeType":1293},{},[],"Taking the fight to attackers: Push’s top features of 2025","Here’s how real-world attacks and our own R&D informed what we built for Push customers over the last year.","2025-12-17T00:00:00.000Z","taking-the-fight-to-attackers-top-features-of-2025",{"items":4239},[4240,4242],{"sys":4241,"name":1310},{"id":1309},{"sys":4243,"name":1306},{"id":1305},{"items":4245},[4246],{"fullName":4247,"firstName":4248,"jobTitle":4249,"profilePicture":4250},"Kelly Davenport","Kelly","Product Team",{"url":4251},"https://images.ctfassets.net/y1cdw1ablpvd/1hi8bEuVfn5sF57LivAq6d/9a3b82426c697d765e2e450e33a18424/kelly_profile_pic.jpeg",{"__typename":2092,"sys":4253,"content":4254,"title":5197,"synopsis":5198,"hashTags":118,"publishedDate":5199,"slug":5200,"tagsCollection":5201,"authorsCollection":5207},{"id":3693},{"json":4255},{"nodeType":1295,"data":4256,"content":4257},{},[4258,4265,4272,4279,4282,4290,4297,4304,4310,4317,4323,4343,4350,4362,4365,4373,4380,4396,4403,4415,4420,4423,4431,4439,4445,4454,4474,4483,4490,4499,4518,4527,4534,4543,4574,4583,4590,4599,4617,4623,4632,4639,4648,4689,4692,4700,4709,4729,4738,4745,4754,4786,4792,4801,4808,4814,4817,4825,4834,4841,4901,4907,4910,4918,4927,4934,4940,4943,4951,4958,4965,5031,5038,5101,5108,5111,5119,5126,5133,5139,5142,5150,5157,5164,5171],{"nodeType":1294,"data":4259,"content":4260},{},[4261],{"nodeType":1293,"value":4262,"marks":4263,"data":4264},"The biggest cybersecurity story this year (so far) has been the emergence of “Scattered Lapsus$ Hunters” and their record-breaking worldwide hacking spree. ",[],{},{"nodeType":1294,"data":4266,"content":4267},{},[4268],{"nodeType":1293,"value":4269,"marks":4270,"data":4271},"Scattered Lapsus$ Hunters is part of “The Com”, the name for the broad community of English-speaking cybercriminals with international criminal connections — including with nation-state sponsored groups. They are also known to collaborate with a range of cybercrime “as-a-Service” organizations for phishing, initial access, ransomware, and more. ",[],{},{"nodeType":1294,"data":4273,"content":4274},{},[4275],{"nodeType":1293,"value":4276,"marks":4277,"data":4278},"It’s difficult to pin down exactly who the individuals are that make up this criminal collective. But what is known is their MO — making money through extortion by means of account takeover, mass data theft, and ransomware deployment. ",[],{},{"nodeType":1359,"data":4280,"content":4281},{},[],{"nodeType":1363,"data":4283,"content":4284},{},[4285],{"nodeType":1293,"value":4286,"marks":4287,"data":4289},"How did we get here? ",[4288],{"type":1370},{},{"nodeType":1294,"data":4291,"content":4292},{},[4293],{"nodeType":1293,"value":4294,"marks":4295,"data":4296},"Earlier this year, the threat group known to most analysts as Scattered Spider (also tracked as 0ktapus, Octo Tempest, Scatter Swine, Muddled Libra, and UNC3944) re-emerged after a series of arrests in late 2024. ",[],{},{"nodeType":1294,"data":4298,"content":4299},{},[4300],{"nodeType":1293,"value":4301,"marks":4302,"data":4303},"This group has been active in peaks and troughs over the years, but are mainly known for high-profile ransomware attacks on Caesars and MGM Resorts in 2024. ",[],{},{"nodeType":1447,"data":4305,"content":4309},{"target":4306},{"sys":4307},{"id":4308,"type":1452,"linkType":1453},"1Vt269d7n6IGMzOrJs1FDx",[],{"nodeType":1294,"data":4311,"content":4312},{},[4313],{"nodeType":1293,"value":4314,"marks":4315,"data":4316},"Scattered Spider hit the headlines again in April 2025 with attacks on UK retailers Marks & Spencer and Co-op, which resulted in significant, prolonged disruption, and a serious downstream impact on the retail supply chain. ",[],{},{"nodeType":1447,"data":4318,"content":4322},{"target":4319},{"sys":4320},{"id":4321,"type":1452,"linkType":1453},"3kvcGV2zZZUPnM8IK04Y1O",[],{"nodeType":1294,"data":4324,"content":4325},{},[4326,4330,4339],{"nodeType":1293,"value":4327,"marks":4328,"data":4329},"It didn’t stop there, though. What followed was a wide-scale campaign targeting Salesforce customers, with the attackers claiming to have stolen ",[],{},{"nodeType":1330,"data":4331,"content":4333},{"uri":4332},"https://www.bleepingcomputer.com/news/security/shinyhunters-claims-15-billion-salesforce-records-stolen-in-drift-hacks/",[4334],{"nodeType":1293,"value":4335,"marks":4336,"data":4338},"over 1.5 billion records from 1000+ companies",[4337],{"type":1338},{},{"nodeType":1293,"value":4340,"marks":4341,"data":4342}," across multiple verticals, including heavyweights like Google, Cloudflare, Workday, Adidas, FedEx, Disney, LVMH, and many more.",[],{},{"nodeType":1294,"data":4344,"content":4345},{},[4346],{"nodeType":1293,"value":4347,"marks":4348,"data":4349},"Around this time, the attackers began to refer to themselves as part of a wider collective, assuming the moniker “Scattered Lapsus$ Hunters” (a mash-up of names given by analysts and self-adopted by attackers — Scattered Spider, ShinyHunters, and Lapsus$).",[],{},{"nodeType":1294,"data":4351,"content":4352},{},[4353,4357],{"nodeType":1293,"value":4354,"marks":4355,"data":4356},"The most significant breach this year to-date impacted Jaguar Land Rover. A ransomware attack resulted in months of disruption that directly impacted the UK’s GDP, with the government underwriting a $1.5B loan to alleviate the supply chain impact. ",[],{},{"nodeType":1293,"value":4358,"marks":4359,"data":4361},"In fact, this was the most economically consequential cyber attack yet recorded in a G7 economy. ",[4360],{"type":1370},{},{"nodeType":1359,"data":4363,"content":4364},{},[],{"nodeType":1363,"data":4366,"content":4367},{},[4368],{"nodeType":1293,"value":4369,"marks":4370,"data":4372},"2025 wasn’t a one-off",[4371],{"type":1370},{},{"nodeType":1294,"data":4374,"content":4375},{},[4376],{"nodeType":1293,"value":4377,"marks":4378,"data":4379},"The developments through 2025 have presented a stronger picture than ever before that cybercriminal operations are heavily interlinked. Groups overlap considerably, and individuals freely move between different cells. ",[],{},{"nodeType":1294,"data":4381,"content":4382},{},[4383,4387,4392],{"nodeType":1293,"value":4384,"marks":4385,"data":4386},"When we scratch beneath the surface, this is evident in the tactics, techniques and procedures (TTPs) used by these attackers — even stretching as far back as 2021 with the initial rise of Lapsus$. This is not an accident. ",[],{},{"nodeType":1293,"value":4388,"marks":4389,"data":4391},"The TTPs used show a conscious move by attackers to move away from environments that are well-protected by traditional security tools. ",[4390],{"type":1370},{},{"nodeType":1293,"value":4393,"marks":4394,"data":4395},"This means avoiding targeting endpoints with malware, and not relying on software-based exploits. Instead, these attackers look to take over apps and services directly over the internet. ",[],{},{"nodeType":1294,"data":4397,"content":4398},{},[4399],{"nodeType":1293,"value":4400,"marks":4401,"data":4402},"Most of the time, this is as simple as logging in to a SaaS app, or an enterprise SSO account (e.g. Microsoft, Okta, or Google) and dumping the data. For attackers that want to take it further, they can abuse the sprawl of interconnected apps that make up modern business IT, seeking out specific data or exploitable functionality. Or, they can leverage internet-accessible management portals to chart a path back to your on-premise assets, giving them everything they need to pivot toward more conventional methods such as ransomware deployment. ",[],{},{"nodeType":1294,"data":4404,"content":4405},{},[4406,4410],{"nodeType":1293,"value":4407,"marks":4408,"data":4409},"When we look at historical breaches, the pattern is clear. ",[],{},{"nodeType":1293,"value":4411,"marks":4412,"data":4414},"Not one of the attacks attributed to Scattered Lapsus$ Hunters, or its predecessors, started with an endpoint or network attack — they all began with account takeover. ",[4413],{"type":1370},{},{"nodeType":1447,"data":4416,"content":4419},{"target":4417},{"sys":4418},{"id":1511,"type":1452,"linkType":1453},[],{"nodeType":1359,"data":4421,"content":4422},{},[],{"nodeType":1363,"data":4424,"content":4425},{},[4426],{"nodeType":1293,"value":4427,"marks":4428,"data":4430},"TTP breakdown: Analysing the top “Scattered Lapsus$ Hunters” breaches since 2021",[4429],{"type":1370},{},{"nodeType":1467,"data":4432,"content":4433},{},[4434],{"nodeType":1293,"value":4435,"marks":4436,"data":4438},"Phishing and stolen credentials",[4437],{"type":1370},{},{"nodeType":1447,"data":4440,"content":4444},{"target":4441},{"sys":4442},{"id":4443,"type":1452,"linkType":1453},"4SNOanDIdGZsvRRnMYQVSo",[],{"nodeType":1294,"data":4446,"content":4447},{},[4448],{"nodeType":1293,"value":4449,"marks":4450,"data":4453},"EA Games (2021)",[4451,4452],{"type":1370},{"type":1338},{},{"nodeType":1294,"data":4455,"content":4456},{},[4457,4461,4470],{"nodeType":1293,"value":4458,"marks":4459,"data":4460},"Attackers used stolen session cookies to log into EA’s Slack instance, purchased on a criminal forum. Combined with ",[],{},{"nodeType":1330,"data":4462,"content":4464},{"uri":4463},"https://pushsecurity.com/blog/phishing-slack-persistence/",[4465],{"nodeType":1293,"value":4466,"marks":4467,"data":4469},"social engineering via Slack",[4468],{"type":1338},{},{"nodeType":1293,"value":4471,"marks":4472,"data":4473},", this was used to steal 750GB of data, including video game source code. ",[],{},{"nodeType":1294,"data":4475,"content":4476},{},[4477],{"nodeType":1293,"value":4478,"marks":4479,"data":4482},"Nvidia (2022)",[4480,4481],{"type":1370},{"type":1338},{},{"nodeType":1294,"data":4484,"content":4485},{},[4486],{"nodeType":1293,"value":4487,"marks":4488,"data":4489},"Attackers used stolen credentials to steal 1TB of data from Nvidia’s internal shares, including a significant amount of sensitive information about the designs of Nvidia graphics cards, source code, and the usernames and passwords of more than 71,000 Nvidia employees.",[],{},{"nodeType":1294,"data":4491,"content":4492},{},[4493],{"nodeType":1293,"value":4494,"marks":4495,"data":4498},"Microsoft (2022)",[4496,4497],{"type":1370},{"type":1338},{},{"nodeType":1294,"data":4500,"content":4501},{},[4502,4506,4514],{"nodeType":1293,"value":4503,"marks":4504,"data":4505},"Attackers used stolen credentials combined with SIM swapping and ",[],{},{"nodeType":1330,"data":4507,"content":4509},{"uri":4508},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/mfa_fatigue/description.md",[4510],{"nodeType":1293,"value":4511,"marks":4512,"data":4513},"MFA fatigue",[],{},{"nodeType":1293,"value":4515,"marks":4516,"data":4517}," attacks to steal Azure DevOps source code — leaked a 9GB archive of Microsoft source code – including ~90% of Bing and 45% of Cortana code. ",[],{},{"nodeType":1294,"data":4519,"content":4520},{},[4521],{"nodeType":1293,"value":4522,"marks":4523,"data":4526},"T-Mobile (2022)",[4524,4525],{"type":1370},{"type":1338},{},{"nodeType":1294,"data":4528,"content":4529},{},[4530],{"nodeType":1293,"value":4531,"marks":4532,"data":4533},"Attackers used stolen credentials to establish initial access, coupled with social engineering T-Mobile staff into approving the attacker’s device for VPN access. This resulted in source code being stolen from over 30,000 repositories. ",[],{},{"nodeType":1294,"data":4535,"content":4536},{},[4537],{"nodeType":1293,"value":4538,"marks":4539,"data":4542},"Snowflake (165 customers) (2024)",[4540,4541],{"type":1370},{"type":1338},{},{"nodeType":1294,"data":4544,"content":4545},{},[4546,4550,4559,4563,4570],{"nodeType":1293,"value":4547,"marks":4548,"data":4549},"Attackers targeted ",[],{},{"nodeType":1330,"data":4551,"content":4553},{"uri":4552},"https://pushsecurity.com/blog/snowflake-retro/",[4554],{"nodeType":1293,"value":4555,"marks":4556,"data":4558},"165 Snowflake customers",[4557],{"type":1338},{},{"nodeType":1293,"value":4560,"marks":4561,"data":4562}," using stolen credentials from credential breaches dating back as far as 2020. Due to widespread MFA gaps and the presence of ",[],{},{"nodeType":1330,"data":4564,"content":4565},{"uri":3704},[4566],{"nodeType":1293,"value":3709,"marks":4567,"data":4569},[4568],{"type":1338},{},{"nodeType":1293,"value":4571,"marks":4572,"data":4573},", attackers were able to simply log in to individual customer tenants, dump the data, and use it to extort the companies. In total, 9 public victims were named following the breach, with over 1B breached customer records. ",[],{},{"nodeType":1294,"data":4575,"content":4576},{},[4577],{"nodeType":1293,"value":4578,"marks":4579,"data":4582},"PowerSchool (2024)",[4580,4581],{"type":1370},{"type":1338},{},{"nodeType":1294,"data":4584,"content":4585},{},[4586],{"nodeType":1293,"value":4587,"marks":4588,"data":4589},"Attackers gained access to a community-focused customer support portal, PowerSource, using compromised credentials and stole data using an \"export data manager\" customer support tool, stealing the data of 62.4 million students and 9.5 million teachers. PowerSchool paid an undisclosed ransom fee, but hackers returned later to extort schools and individuals separately anyway.",[],{},{"nodeType":1294,"data":4591,"content":4592},{},[4593],{"nodeType":1293,"value":4594,"marks":4595,"data":4598},"Red Hat (2025)",[4596,4597],{"type":1370},{"type":1338},{},{"nodeType":1294,"data":4600,"content":4601},{},[4602,4606,4613],{"nodeType":1293,"value":4603,"marks":4604,"data":4605},"Attackers breached Red Hat’s GitLab instance via a compromised account — the result of ",[],{},{"nodeType":1330,"data":4607,"content":4608},{"uri":3704},[4609],{"nodeType":1293,"value":3709,"marks":4610,"data":4612},[4611],{"type":1338},{},{"nodeType":1293,"value":4614,"marks":4615,"data":4616}," providing a backdoor to access an otherwise secure, SSO-connected account. Stolen data included approximately 800 Customer Engagement Reports (CERs), authentication tokens, full database URIs, and other private information in Red Hat code and CERs, which they claimed to use to gain access to downstream customer infrastructure. ",[],{},{"nodeType":1447,"data":4618,"content":4622},{"target":4619},{"sys":4620},{"id":4621,"type":1452,"linkType":1453},"G1V7d5Dvevmr9p0YXElPX",[],{"nodeType":1294,"data":4624,"content":4625},{},[4626],{"nodeType":1293,"value":4627,"marks":4628,"data":4631},"Discord (2025)",[4629,4630],{"type":1370},{"type":1338},{},{"nodeType":1294,"data":4633,"content":4634},{},[4635],{"nodeType":1293,"value":4636,"marks":4637,"data":4638},"Attackers compromised a Zendesk customer support account, stealing 1.6TB of data. The hackers say this consisted of roughly 8.4 million tickets affecting 5.5 million unique users, and that about 580,000 users contained payment information.",[],{},{"nodeType":1294,"data":4640,"content":4641},{},[4642],{"nodeType":1293,"value":4643,"marks":4644,"data":4647},"SoundCloud, MatchGroup, Crunchbase, Betterment... (2026)",[4645,4646],{"type":1370},{"type":1338},{},{"nodeType":1294,"data":4649,"content":4650},{},[4651,4655,4662,4665,4673,4677,4685],{"nodeType":1293,"value":4652,"marks":4653,"data":4654},"Scattered Lapsus$ Hunters have already claimed several public victims in 2026, with over 60 million breached records. ",[],{},{"nodeType":1330,"data":4656,"content":4657},{"uri":1401},[4658],{"nodeType":1293,"value":4659,"marks":4660,"data":4661},"SoundCloud, Betterment, Crunchbase",[],{},{"nodeType":1293,"value":2245,"marks":4663,"data":4664},[],{},{"nodeType":1330,"data":4666,"content":4668},{"uri":4667},"https://www.bleepingcomputer.com/news/security/match-group-breach-exposes-data-from-hinge-tinder-okcupid-and-match/",[4669],{"nodeType":1293,"value":4670,"marks":4671,"data":4672},"MatchGroup",[],{},{"nodeType":1293,"value":4674,"marks":4675,"data":4676}," have all reported breaches this month, powered by a brand ",[],{},{"nodeType":1330,"data":4678,"content":4680},{"uri":4679},"https://pushsecurity.com/blog/unpacking-the-latest-slh-campaign/",[4681],{"nodeType":1293,"value":4682,"marks":4683,"data":4684},"new real-time-operated AiTM phishing kit",[],{},{"nodeType":1293,"value":4686,"marks":4687,"data":4688}," targeting Okta, Entra, and Google SSO accounts. This is a developing situation, with more victims expected to be announced publicly soon.",[],{},{"nodeType":1359,"data":4690,"content":4691},{},[],{"nodeType":1467,"data":4693,"content":4694},{},[4695],{"nodeType":1293,"value":4696,"marks":4697,"data":4699},"Vishing and help desk scams",[4698],{"type":1370},{},{"nodeType":1294,"data":4701,"content":4702},{},[4703],{"nodeType":1293,"value":4704,"marks":4705,"data":4708},"MGM Resorts & Caesars (2023)",[4706,4707],{"type":1370},{"type":1338},{},{"nodeType":1294,"data":4710,"content":4711},{},[4712,4716,4725],{"nodeType":1293,"value":4713,"marks":4714,"data":4715},"MGM Resorts and Caesars were hit with twin breaches in 2023. Attackers socially engineered help desk personnel to take over accounts with Super Administrator privileges within MGM Resorts’ Okta tenant, which they then used to register a second, attacker-controlled IdP via ",[],{},{"nodeType":1330,"data":4717,"content":4719},{"uri":4718},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/inbound_federation/description.md",[4720],{"nodeType":1293,"value":4721,"marks":4722,"data":4724},"inbound federation",[4723],{"type":1338},{},{"nodeType":1293,"value":4726,"marks":4727,"data":4728}," — granting comprehensive access that was used to deploy ransomware. ",[],{},{"nodeType":1294,"data":4730,"content":4731},{},[4732],{"nodeType":1293,"value":4733,"marks":4734,"data":4737},"Transport for London (2024)",[4735,4736],{"type":1370},{"type":1338},{},{"nodeType":1294,"data":4739,"content":4740},{},[4741],{"nodeType":1293,"value":4742,"marks":4743,"data":4744},"Attackers socially engineered the Transport for London help desk to gain privileged access to the IT environment, resulting in prolonged disruption to key online services underpinning London’s public transport network, theft of 5,000 users bank details, and all 30,000 staff members having to reset their online credentials in person.",[],{},{"nodeType":1294,"data":4746,"content":4747},{},[4748],{"nodeType":1293,"value":4749,"marks":4750,"data":4753},"Marks & Spencer (2025)",[4751,4752],{"type":1370},{"type":1338},{},{"nodeType":1294,"data":4755,"content":4756},{},[4757,4761,4769,4773,4782],{"nodeType":1293,"value":4758,"marks":4759,"data":4760},"Attackers compromised a Microsoft Entra account belonging to a privileged user via a ",[],{},{"nodeType":1330,"data":4762,"content":4763},{"uri":1884},[4764],{"nodeType":1293,"value":4765,"marks":4766,"data":4768},"help desk scam",[4767],{"type":1338},{},{"nodeType":1293,"value":4770,"marks":4771,"data":4772},", which enabled them to steal sensitive data from cloud environments, as well as pivot to deploy ransomware via the ",[],{},{"nodeType":1330,"data":4774,"content":4776},{"uri":4775},"https://cloud.google.com/blog/topics/threat-intelligence/vsphere-active-directory-integration-risks",[4777],{"nodeType":1293,"value":4778,"marks":4779,"data":4781},"VMware admin console",[4780],{"type":1338},{},{"nodeType":1293,"value":4783,"marks":4784,"data":4785},". This enabled ransomware to be deployed at the hypervisor layer, evading host-based protections like EDR. ",[],{},{"nodeType":1447,"data":4787,"content":4791},{"target":4788},{"sys":4789},{"id":4790,"type":1452,"linkType":1453},"7hBdHG74NaA3bQfOMpYA9o",[],{"nodeType":1294,"data":4793,"content":4794},{},[4795],{"nodeType":1293,"value":4796,"marks":4797,"data":4800},"Jaguar Land Rover (2025)",[4798,4799],{"type":1370},{"type":1338},{},{"nodeType":1294,"data":4802,"content":4803},{},[4804],{"nodeType":1293,"value":4805,"marks":4806,"data":4807},"Attackers compromised highly privileged admin accounts via a help desk scam, which they leveraged to access and deploy ransomware to all aspects of Jaguar’s business, from CAD and engineering software, to payments tracking, to customer car delivery, using similar techniques to the Marks & Spencer breach. ",[],{},{"nodeType":1447,"data":4809,"content":4813},{"target":4810},{"sys":4811},{"id":4812,"type":1452,"linkType":1453},"6s1X2fo4K9EeVLBmHm4YXb",[],{"nodeType":1359,"data":4815,"content":4816},{},[],{"nodeType":1467,"data":4818,"content":4819},{},[4820],{"nodeType":1293,"value":4821,"marks":4822,"data":4824},"Malicious OAuth integrations",[4823],{"type":1370},{},{"nodeType":1294,"data":4826,"content":4827},{},[4828],{"nodeType":1293,"value":4829,"marks":4830,"data":4833},"Salesforce & Salesloft (1000+ customers) (2025)",[4831,4832],{"type":1370},{"type":1338},{},{"nodeType":1294,"data":4835,"content":4836},{},[4837],{"nodeType":1293,"value":4838,"marks":4839,"data":4840},"A vast campaign against Salesforce customers resulted in the compromise of 1000+ Salesforce tenants (according to the attacker) with more than 1.5 billion records stolen. This campaign can consisted of three phases:",[],{},{"nodeType":1803,"data":4842,"content":4843},{},[4844,4859,4874],{"nodeType":1807,"data":4845,"content":4846},{},[4847],{"nodeType":1294,"data":4848,"content":4849},{},[4850,4855],{"nodeType":1293,"value":4851,"marks":4852,"data":4854},"Phase 1:",[4853],{"type":1370},{},{"nodeType":1293,"value":4856,"marks":4857,"data":4858}," The attacker conducted a large-scale vishing campaign against Salesforce customers, calling up users and socially engineering them into connecting a malicious version of the “Data Loader” app into their tenant. This was in fact an attacker-controlled app that enabled data to be mass-exfiltrated via API. ",[],{},{"nodeType":1807,"data":4860,"content":4861},{},[4862],{"nodeType":1294,"data":4863,"content":4864},{},[4865,4870],{"nodeType":1293,"value":4866,"marks":4867,"data":4869},"Phase 2: ",[4868],{"type":1370},{},{"nodeType":1293,"value":4871,"marks":4872,"data":4873},"The attacker conducted a supply-chain compromise against customers of Salesloft. Users of Salesloft’s “Drift” integration were impacted by attackers stealing access tokens from Salesloft’s AWS environment. This integration allowed the attacker to steal data from customers that had deployed Drift to connected environments — namely, Salesforce, and Google Workspace. ",[],{},{"nodeType":1807,"data":4875,"content":4876},{},[4877],{"nodeType":1294,"data":4878,"content":4879},{},[4880,4885,4889,4897],{"nodeType":1293,"value":4881,"marks":4882,"data":4884},"Phase 3:",[4883],{"type":1370},{},{"nodeType":1293,"value":4886,"marks":4887,"data":4888}," The attacker then conducted a separate supply-chain compromise involving Gainsight (allegedly using OAuth tokens stolen in the Salesloft attack) which enabled them to ",[],{},{"nodeType":1330,"data":4890,"content":4892},{"uri":4891},"https://www.bleepingcomputer.com/news/security/salesforce-investigates-customer-data-theft-via-gainsight-breach/",[4893],{"nodeType":1293,"value":4894,"marks":4895,"data":4896},"breach a further 285 Salesforce instances",[],{},{"nodeType":1293,"value":4898,"marks":4899,"data":4900}," using stolen OAuth tokens from Gainsight's integrations. ",[],{},{"nodeType":1447,"data":4902,"content":4906},{"target":4903},{"sys":4904},{"id":4905,"type":1452,"linkType":1453},"3TwjpVKQ42SwQRhvGFbZdn",[],{"nodeType":1359,"data":4908,"content":4909},{},[],{"nodeType":1467,"data":4911,"content":4912},{},[4913],{"nodeType":1293,"value":4914,"marks":4915,"data":4917},"Malicious browser extensions",[4916],{"type":1370},{},{"nodeType":1294,"data":4919,"content":4920},{},[4921],{"nodeType":1293,"value":4922,"marks":4923,"data":4926},"CyberHaven (2024)",[4924,4925],{"type":1370},{"type":1338},{},{"nodeType":1294,"data":4928,"content":4929},{},[4930],{"nodeType":1293,"value":4931,"marks":4932,"data":4933},"Hackers phished a CyberHaven extension developer and uploaded a malicious version of the CyberHaven extension to the Chrome Web Store, leading to customer data breaches where installed in user browsers, impacting CyberHaven’s estimated ~400 business customers. This was part of a broader campaign that targeted 35 Chrome extensions, collectively impacting over 2.5 million users.",[],{},{"nodeType":1447,"data":4935,"content":4939},{"target":4936},{"sys":4937},{"id":4938,"type":1452,"linkType":1453},"4ErDI0xi0Vj2Zrk8Qsb2NB",[],{"nodeType":1359,"data":4941,"content":4942},{},[],{"nodeType":1363,"data":4944,"content":4945},{},[4946],{"nodeType":1293,"value":4947,"marks":4948,"data":4950},"The bigger picture",[4949],{"type":1370},{},{"nodeType":1294,"data":4952,"content":4953},{},[4954],{"nodeType":1293,"value":4955,"marks":4956,"data":4957},"Scattered Lapsus$ Hunters are dominating the headlines right now, but they aren’t the only attackers using these modern techniques and consciously evading established security controls. ",[],{},{"nodeType":1294,"data":4959,"content":4960},{},[4961],{"nodeType":1293,"value":4962,"marks":4963,"data":4964},"Threat reports agree that attackers are steering away from traditional exploit and malware-driven breaches towards identities:",[],{},{"nodeType":1803,"data":4966,"content":4967},{},[4968,4988,5009],{"nodeType":1807,"data":4969,"content":4970},{},[4971],{"nodeType":1294,"data":4972,"content":4973},{},[4974,4978,4985],{"nodeType":1293,"value":4975,"marks":4976,"data":4977},"Identity-based attacks surged 32% in the last year, while 97% of identity attacks are password-based, driven by credential leaks and infostealer malware. (",[],{},{"nodeType":1330,"data":4979,"content":4980},{"uri":2961},[4981],{"nodeType":1293,"value":2156,"marks":4982,"data":4984},[4983],{"type":1338},{},{"nodeType":1293,"value":2969,"marks":4986,"data":4987},[],{},{"nodeType":1807,"data":4989,"content":4990},{},[4991],{"nodeType":1294,"data":4992,"content":4993},{},[4994,4998,5006],{"nodeType":1293,"value":4995,"marks":4996,"data":4997},"79% of detections were malware-free in the last year, up from 40% in 2019. (",[],{},{"nodeType":1330,"data":4999,"content":5000},{"uri":3001},[5001],{"nodeType":1293,"value":5002,"marks":5003,"data":5005},"CrowdStrike",[5004],{"type":1338},{},{"nodeType":1293,"value":2969,"marks":5007,"data":5008},[],{},{"nodeType":1807,"data":5010,"content":5011},{},[5012],{"nodeType":1294,"data":5013,"content":5014},{},[5015,5019,5028],{"nodeType":1293,"value":5016,"marks":5017,"data":5018},"Credential abuse and phishing combined accounted for 38% of breaches, making identity the primary breach vector observed. (",[],{},{"nodeType":1330,"data":5020,"content":5022},{"uri":5021},"https://www.verizon.com/business/resources/reports/dbir/",[5023],{"nodeType":1293,"value":5024,"marks":5025,"data":5027},"Verizon",[5026],{"type":1338},{},{"nodeType":1293,"value":2969,"marks":5029,"data":5030},[],{},{"nodeType":1294,"data":5032,"content":5033},{},[5034],{"nodeType":1293,"value":5035,"marks":5036,"data":5037},"And other public breaches from this year alone demonstrate similar TTPs from outside of the Scattered Lapsus$ Hunters orbit:",[],{},{"nodeType":1803,"data":5039,"content":5040},{},[5041,5056,5071,5086],{"nodeType":1807,"data":5042,"content":5043},{},[5044],{"nodeType":1294,"data":5045,"content":5046},{},[5047,5052],{"nodeType":1293,"value":5048,"marks":5049,"data":5051},"Nikkei",[5050],{"type":1370},{},{"nodeType":1293,"value":5053,"marks":5054,"data":5055},": Japanese publishing giant Nikkei’s Slack messaging platform was compromised using stolen credentials, leaking the names, email addresses, and chat histories for 17,368 individuals registered on Slack.",[],{},{"nodeType":1807,"data":5057,"content":5058},{},[5059],{"nodeType":1294,"data":5060,"content":5061},{},[5062,5067],{"nodeType":1293,"value":5063,"marks":5064,"data":5066},"Evertec",[5065],{"type":1370},{},{"nodeType":1293,"value":5068,"marks":5069,"data":5070},": Hackers tried to steal $130 million from Evertec’s Brazilian subsidiary Sinqia S.A.after gaining unauthorized access to its environment on the central bank’s real-time payment system (Pix) using stolen credentials.",[],{},{"nodeType":1807,"data":5072,"content":5073},{},[5074],{"nodeType":1294,"data":5075,"content":5076},{},[5077,5082],{"nodeType":1293,"value":5078,"marks":5079,"data":5081},"Hy-Vee:",[5080],{"type":1370},{},{"nodeType":1293,"value":5083,"marks":5084,"data":5085}," Was hit with a data breach after hackers logged in with stolen credentials, exposing 53GB of sensitive data.",[],{},{"nodeType":1807,"data":5087,"content":5088},{},[5089],{"nodeType":1294,"data":5090,"content":5091},{},[5092,5097],{"nodeType":1293,"value":5093,"marks":5094,"data":5096},"Scania: ",[5095],{"type":1370},{},{"nodeType":1293,"value":5098,"marks":5099,"data":5100},"Automotive giant Scania confirmed it suffered a cybersecurity incident where threat actors used compromised credentials to breach its Financial Services systems and steal insurance claim documents.",[],{},{"nodeType":1294,"data":5102,"content":5103},{},[5104],{"nodeType":1293,"value":5105,"marks":5106,"data":5107},"Scattered Lapsus$ Hunters may be grabbing the headlines — but this a huge movement in a vast and flexible community of attackers. And criminals around the world are learning from their success. ",[],{},{"nodeType":1359,"data":5109,"content":5110},{},[],{"nodeType":1363,"data":5112,"content":5113},{},[5114],{"nodeType":1293,"value":5115,"marks":5116,"data":5118},"Lessons learned",[5117],{"type":1370},{},{"nodeType":1294,"data":5120,"content":5121},{},[5122],{"nodeType":1293,"value":5123,"marks":5124,"data":5125},"The common thread with all of these attacks is that they are evading established security controls by targeting applications directly, over the internet, via account takeover.",[],{},{"nodeType":1294,"data":5127,"content":5128},{},[5129],{"nodeType":1293,"value":5130,"marks":5131,"data":5132},"Clearly, the success of these attacks shows the limitations of multiple control layers. Endpoint and network layer controls have no visibility of this attack surface. Identity-focused controls are being undermined by ghost logins and shadow IT. And the limitations of cloud security controls in their ability to encompass all apps, and detect and stop malicious actions in real-time (that often blend in seamlessly with normal user activity). ",[],{},{"nodeType":1447,"data":5134,"content":5138},{"target":5135},{"sys":5136},{"id":5137,"type":1452,"linkType":1453},"4Dg3fZEGf7ShyQJ8jlNDME",[],{"nodeType":1359,"data":5140,"content":5141},{},[],{"nodeType":1363,"data":5143,"content":5144},{},[5145],{"nodeType":1293,"value":5146,"marks":5147,"data":5149},"How Push can help",[5148],{"type":1370},{},{"nodeType":1294,"data":5151,"content":5152},{},[5153],{"nodeType":1293,"value":5154,"marks":5155,"data":5156},"Stopping attacks that are designed to evade established controls is in our DNA — it’s the reason Push was founded. ",[],{},{"nodeType":1294,"data":5158,"content":5159},{},[5160],{"nodeType":1293,"value":5161,"marks":5162,"data":5163},"The browser is the gateway to to the apps and identities that attackers are now targeting, with many attacks taking place inside the user’s browser — whether that’s entering credentials onto a phishing page, approving a malicious OAuth grant, installing a risky browser extension, or insecurely accessing an app with a weak password and no MFA. ",[],{},{"nodeType":1294,"data":5165,"content":5166},{},[5167],{"nodeType":1293,"value":5168,"marks":5169,"data":5170},"Push’s browser-based security platform provides comprehensive detection and response capabilities against attacks like AiTM phishing, credential stuffing, malicious browser extensions, malicious OAuth grants, ClickFix, and session hijacking. You don’t need to wait until it all goes wrong either — you can use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, and more to harden your attack surface.",[],{},{"nodeType":1294,"data":5172,"content":5173},{},[5174,5177,5184,5187,5194],{"nodeType":1293,"value":2874,"marks":5175,"data":5176},[],{},{"nodeType":1330,"data":5178,"content":5179},{"uri":1914},[5180],{"nodeType":1293,"value":2881,"marks":5181,"data":5183},[5182],{"type":1338},{},{"nodeType":1293,"value":2886,"marks":5185,"data":5186},[],{},{"nodeType":1330,"data":5188,"content":5189},{"uri":1938},[5190],{"nodeType":1293,"value":1941,"marks":5191,"data":5193},[5192],{"type":1338},{},{"nodeType":1293,"value":1946,"marks":5195,"data":5196},[],{},"\"Scattered Lapsus$ Hunters\" — how modern attackers exploit the gaps in your security stack ","How Scattered Lapsus$ Hunters breaches demonstrate the evolution of attacker TTPs, shaping the future of cyber attacks.","2025-11-13T00:00:00.000Z","scattered-lapsus-hunters",{"items":5202},[5203,5205],{"sys":5204,"name":1306},{"id":1305},{"sys":5206,"name":1310},{"id":1309},{"items":5208},[5209],{"fullName":1314,"firstName":1315,"jobTitle":1316,"profilePicture":5210},{"url":1318},"content:blog:unpacking-the-latest-slh-campaign.json","json","content","blog/unpacking-the-latest-slh-campaign.json","blog/unpacking-the-latest-slh-campaign",1776359982003]