[{"data":1,"prerenderedAt":4576},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":95,"navbar-about-highlight":155,"navbar-resource-highlight":211,"use-case-page":256,"blog/why-attackers-are-targeting-jira-with-stolen-credentials":1276},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8,59,76],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":14,"data":15,"variations":50,"lastUpdated":51,"firstPublished":52,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":54,"meta":55,"rev":58},1742213002749,"efff2a27faf4408e9f908eba4b5542fe","inductive-automation","1c6207a5f24948ab82d4a0b17f251193","published",[],{"testimonial":16,"description":43,"type":19,"link":44,"title":47,"testimonialLink":48,"image":49},{"@type":17,"id":18,"model":19,"value":20},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79","testimonial",{"query":21,"folders":22,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":26,"variations":30,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":35,"rev":42},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":27,"jobTitle":28,"quote":24,"image":29},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,1,"ST0tXQM8slWpFrmioqKHmENB2qe2",{"kind":36,"lastPreviewUrl":37,"breakpoints":38,"hasAutosaves":41},"data","",{"small":39,"medium":40},640,768,true,"3v32gocrrqz","Join the industry's top security minds as they break down the browser attack landscape.",{"url":45,"text":46},"https://pushsecurity.com/webinar/state-of-browser-security","Save Your Spot","State of Browser Attacks Series","/customer-stories/inductive-automation","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe94fca10aa7b46ac8052b7ea22de54cd",{},1776257019270,1742221533648,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2",[],{"breakpoints":56,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},320,"motto9r9yg",{"createdDate":60,"id":61,"name":62,"modelId":12,"published":13,"query":63,"data":64,"variations":69,"lastUpdated":70,"firstPublished":71,"testRatio":33,"createdBy":53,"lastUpdatedBy":72,"folders":73,"meta":74,"rev":58},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner",[],{"type":65,"url":66,"text":67,"link":68},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,"jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":36,"lastPreviewUrl":37,"breakpoints":75,"hasAutosaves":41},{"xsmall":57,"small":39,"medium":40},{"createdDate":77,"id":78,"name":79,"modelId":12,"published":13,"stageModifiedSincePublish":6,"query":80,"data":81,"variations":89,"lastUpdated":90,"firstPublished":91,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":92,"meta":93,"rev":58},1742208469288,"6763051b201f44a0838c6400c580ca67","Resource highlight",[],{"image":82,"type":83,"description":84,"link":85,"title":88},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9","resource","Learn about the latest techniques being used in the wild.",{"url":86,"text":87},"/resources/browser-attacks-report","Download now","Report: 2026 Browser Attack Techniques",{},1776255866789,1742208570400,[],{"kind":36,"lastPreviewUrl":37,"breakpoints":94,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},{"createdDate":96,"id":97,"name":98,"modelId":99,"published":13,"query":100,"data":101,"variations":145,"lastUpdated":146,"firstPublished":147,"testRatio":33,"createdBy":34,"lastUpdatedBy":148,"folders":149,"meta":150,"rev":154},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":102,"text":103,"url":37,"blocks":104,"state":141},"ewrererw","testrfesssssssssss",[105,129],{"@type":106,"@version":107,"id":108,"component":109,"responsiveStyles":119},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":110,"tag":110,"options":111,"isRSC":118},"TopBannerContent",{"text":112,"ctaText":46,"url":45,"mainText":113,"cta":116},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks",{"content":114,"fontSize":115},"\u003Cp>New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks\u003C/p>","text-base",{"content":117,"fontSize":115,"url":45},"\u003Cp>\u003Cstrong style=\"font-weight:700;\">Save Your Spot\u003C/strong>\u003C/p>\n",null,{"large":120},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"marginTop":126,"marginBottom":126,"fontSize":127,"fontWeight":128},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"id":130,"@type":106,"tagName":131,"properties":132,"responsiveStyles":136},"builder-pixel-08zrjigffq5t","img",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":137},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},"block","hidden","none",{"deviceSize":142,"location":143},"large",{"path":37,"query":144},{},{},1775137295127,1774968080803,"ax7YYfD0OCeqT1Vxxv1G4FUbqVr1",[],{"breakpoints":151,"hasLinks":6,"kind":152,"lastPreviewUrl":153,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests%2CmergePullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default","2lvuonnywj",[156,180],{"createdDate":157,"id":158,"name":159,"modelId":160,"published":13,"stageModifiedSincePublish":6,"query":161,"data":162,"variations":173,"lastUpdated":174,"firstPublished":175,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":176,"meta":177,"rev":179},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":163,"type":19,"testimonialLink":48,"testimonial":164},{},{"@type":17,"id":18,"model":19,"value":165},{"query":166,"folders":167,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":168,"variations":169,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":170,"rev":172},[],[],{"author":27,"jobTitle":28,"quote":24,"image":29},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":171,"hasAutosaves":41},{"small":39,"medium":40},"7t755zfvte3",{},1776247404986,1776247404973,[],{"breakpoints":178,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"4moh0qpywtr",{"createdDate":181,"id":182,"name":88,"modelId":160,"published":13,"meta":183,"stageModifiedSincePublish":6,"query":185,"data":186,"variations":207,"lastUpdated":208,"firstPublished":209,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":210,"rev":179},1776255761419,"05a9322735fc427db12e2740e4302300",{"breakpoints":184,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[],{"testimonial":187,"link":206,"type":83,"title":88,"description":84,"image":82},{"@type":17,"id":188,"model":19,"value":189},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":190,"folders":191,"createdDate":192,"id":188,"name":193,"modelId":25,"published":13,"data":194,"variations":200,"lastUpdated":201,"firstPublished":202,"testRatio":33,"createdBy":34,"lastUpdatedBy":53,"meta":203,"rev":205},[],[],1728981467463,"Push does for identity what CrowdStrike did for the endpoint",{"video":195,"jobTitle":196,"author":197,"qoute":37,"quote":198,"image":199},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":36,"lastPreviewUrl":37,"breakpoints":204,"hasAutosaves":41},{"small":39,"medium":40},"6s8ic0w0ao6",{"text":87,"url":86},{},1776255810913,1776255810900,[],[212,235],{"createdDate":213,"id":214,"name":88,"modelId":215,"published":13,"meta":216,"stageModifiedSincePublish":6,"query":218,"data":219,"variations":230,"lastUpdated":231,"firstPublished":232,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":233,"rev":234},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":217,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[],{"testimonial":220,"link":229,"type":83,"title":88,"description":84,"image":82},{"@type":17,"id":188,"model":19,"value":221},{"query":222,"folders":223,"createdDate":192,"id":188,"name":193,"modelId":25,"published":13,"data":224,"variations":225,"lastUpdated":201,"firstPublished":202,"testRatio":33,"createdBy":34,"lastUpdatedBy":53,"meta":226,"rev":228},[],[],{"video":195,"jobTitle":196,"author":197,"qoute":37,"quote":198,"image":199},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":227,"hasAutosaves":41},{"small":39,"medium":40},"r77qqueuo3j",{"text":87,"url":86},{},1776256937553,1776256937540,[],"q0jkez80wkg",{"createdDate":236,"id":237,"name":11,"modelId":215,"published":13,"stageModifiedSincePublish":6,"query":238,"data":239,"variations":250,"lastUpdated":251,"firstPublished":252,"testRatio":33,"createdBy":53,"lastUpdatedBy":53,"folders":253,"meta":254,"rev":234},1776256949234,"ce043785b71b4ece98eac811ecf4ba10",[],{"link":240,"type":19,"testimonial":241,"testimonialLink":48},{},{"@type":17,"id":18,"model":19,"value":242},{"query":243,"folders":244,"createdDate":23,"id":18,"name":24,"modelId":25,"published":13,"data":245,"variations":246,"lastUpdated":31,"firstPublished":32,"testRatio":33,"createdBy":34,"lastUpdatedBy":34,"meta":247,"rev":249},[],[],{"author":27,"jobTitle":28,"quote":24,"image":29},{},{"kind":36,"lastPreviewUrl":37,"breakpoints":248,"hasAutosaves":41},{"small":39,"medium":40},"mnaneamy308",{},1776256974140,1776256974130,[],{"breakpoints":255,"kind":36,"lastPreviewUrl":37,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},[257,441,560,679,797,917,1037,1157],{"createdDate":258,"id":259,"name":260,"modelId":261,"published":13,"stageModifiedSincePublish":6,"query":262,"data":268,"variations":429,"lastUpdated":430,"firstPublished":431,"testRatio":33,"screenshot":432,"createdBy":34,"lastUpdatedBy":433,"folders":434,"meta":435,"rev":440},1744829487099,"387451215c314dd5bd654668cdc1a197","Zero-day phishing","cca4143377554c5a9163cc203a8ed2ba",[263],{"@type":264,"property":265,"operator":266,"value":267},"@builder.io/core:Query","urlPath","is","/uc/zero-day-phishing-protection",{"inputs":269,"customFonts":270,"seoTitle":318,"title":318,"tsCode":37,"seoDescription":319,"fontAwesomeIcon":320,"jsCode":37,"blocks":321,"url":267,"state":426},[],[271],{"family":272,"kind":273,"version":274,"lastModified":275,"files":276,"category":295,"menu":296,"subsets":297,"variants":300},"DM Sans","webfonts#webfont","v14","2023-07-13",{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"800italic":285,"900italic":286,"700italic":287,"100italic":288,"italic":289,"regular":290,"200italic":291,"500italic":292,"300italic":293,"600italic":294},"https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAop1hTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwA_JxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAkJxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAfJthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwARZthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAC5thTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8gCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9uCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDG3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-7DW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat_XDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9XCm3zRmYJpso5.ttf","sans-serif","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxRT23z.ttf",[298,299],"latin","latin-ext",[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"100","200","300","regular","500","600","800","900","100italic","200italic","300italic","italic","500italic","600italic","700italic","800italic","900italic","Zero-day phishing protection","Detect phishing TTPs directly in the browser and stop credential theft.","faFishingRod",[322,421],{"@type":106,"@version":107,"tagName":323,"id":324,"children":325},"div","builder-76c6b8d1499346c7bc1fd56ae4e93638",[326,343,351,358,370,385,396,407,413],{"@type":106,"@version":107,"layerName":327,"id":328,"component":329,"responsiveStyles":340},"UseCaseHero","builder-5228fe062bef4a40a91e43f1112832fa",{"name":327,"options":330,"isRSC":118},{"title":318,"description":331,"points":332,"video":339},"\u003Cp>Push detects phishing as it happens. Autonomous agents hunt for new phishing techniques, identify kit signatures, and deploy detections within minutes of a new attack being analyzed. From cloned login pages to AiTM credential harvesting, Push sees what traditional filters miss and stops threats before they escalate.\u003C/p>",[333,335,337],{"item":334},"Detect phishing that bypasses traditional filters, including AiTM, SSO password theft, and fake login pages",{"item":336},"Stop never-before-seen attacks with AI-native behavioral and on-page analysis inside the browser",{"item":338},"Investigate faster with unified browser, user, and page context","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F40433ceeb4f94b43a82e039a0f4fd411%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=40433ceeb4f94b43a82e039a0f4fd411&alt=media&optimized=true",{"large":341},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},"transparent",{"@type":106,"@version":107,"id":344,"component":345,"responsiveStyles":348},"builder-96634044407e491299e291ed64669e39",{"name":346,"options":347,"isRSC":118},"TrustedBy",{"AllPartners":41,"backgroundTransparent":6},{"large":349},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},"#000",{"@type":106,"@version":107,"id":352,"component":353,"responsiveStyles":356},"builder-2c3768f930534557bb8978e32b6a6a0f",{"name":354,"options":355,"isRSC":118},"Diagonal",{"darkMode":41},{"large":357},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":359,"id":360,"component":361,"responsiveStyles":368},"TextImageBlockVertical","builder-7c3c1c2840424db2ad2ccbfaf382dd64",{"name":359,"tag":359,"options":362,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":365,"description":366,"animatedTitle":37,"image":367,"reverse":6,"descriptionPaddingHorizontal":118},1200,800,"\u003Ch2>Why stop at the inbox?\u003C/h2>","\u003Cp>Phishing attacks have evolved. Whether attackers lure users with QR codes, instant messages, or OAuth consent screens, the outcome is the same: it plays out in the browser. Push gives you real-time detection for in-browser threats, stopping phishing and consent-based attacks before they lead to compromise\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7fdcac241f0e4a049166d7076858adeb",{"large":369},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":371,"component":372,"responsiveStyles":380},"builder-41c978b3669749cf947e622b4e79e4d7",{"name":373,"options":374,"isRSC":118},"TextImageBlockHorizontal",{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":377,"description":378,"reverse":41,"image":379},600,100,"\u003Cp>Detect phishing at the edge\u003C/p>","\u003Cp>Push uses industry-first telemetry to detect phishing based on behavior, not static indicators. Autonomous agents analyze how phishing pages behave and how users interact with them, uncovering fake logins, credential theft, and phishing kits the moment they load in the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F9df3d180c97b4e61af142af2ccd68721",{"large":381},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},"DM Sans, sans-serif","20px","0px",{"@type":106,"@version":107,"id":386,"component":387,"responsiveStyles":393},"builder-d2a7bc941feb43cdb898bc116b203cf9",{"name":373,"options":388,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":390,"description":391,"reverse":6,"image":392},120,"\u003Ch2>Go beyond blocklists and IOCs\u003C/h2>","\u003Cp>Push goes beyond URLs and easy-to-change indicators. It reads the full phishing playbook like script behavior, session hijacks, DOM changes, user inputs, then connects the dots in real time. This gives your team a complete picture of how the phishing attempt worked, not just an alert.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fabfd58db169b433e96d3f1261797156e",{"large":394},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},"36px",{"@type":106,"@version":107,"layerName":373,"id":397,"component":398,"responsiveStyles":404},"builder-42c32198083f4880acb37c5cb76934da",{"name":373,"options":399,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":401,"description":402,"reverse":41,"image":403},140,"\u003Ch2>Enhance your phishing response\u003C/h2>","\u003Cp>When phishing enters your environment, speed matters. Push gives you instant access to the telemetry that counts like session data, user behavior, and page activity, so you can investigate fast, trigger in-browser prompts, or forward alerts to your SIEM or SOAR for response. All in real time, right from the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fbb195aec46904056b85e8688629e558e",{"large":405},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},"47px",{"@type":106,"@version":107,"id":408,"component":409,"responsiveStyles":411},"builder-9a95b9cbc4854421a92ef7b90f6c7adb",{"name":354,"options":410,"isRSC":118},{"darkMode":6},{"large":412},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":414,"component":415,"responsiveStyles":419},"builder-0afa17a9f25c4661a90f314d5578aa18",{"name":416,"tag":416,"options":417,"isRSC":118},"LatestResources",{"sectionHeading":37,"customClass":418},"bg-black",{"large":420},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":422,"@type":106,"tagName":131,"properties":423,"responsiveStyles":424},"builder-pixel-21yj6h3p4wh",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":425},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":427},{"path":37,"query":428},{},{},1776275046831,1745499158657,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fff60c30a8442489c8ed7e0af9599d14f","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"lastPreviewUrl":436,"winningTest":118,"breakpoints":437,"kind":438,"hasLinks":6,"originalContentId":439,"hasAutosaves":6},"https://pushsecurity.com/uc/zero-day-phishing-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=387451215c314dd5bd654668cdc1a197&builder.overrides.387451215c314dd5bd654668cdc1a197=387451215c314dd5bd654668cdc1a197&builder.overrides.use-case-page:/uc/zero-day-phishing-protection=387451215c314dd5bd654668cdc1a197&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},"page","2daa5670b8504fc7ba4700633e8bd921","atvz4dp24b7",{"createdDate":442,"id":443,"name":444,"modelId":261,"published":13,"stageModifiedSincePublish":6,"query":445,"data":448,"variations":552,"lastUpdated":553,"firstPublished":554,"testRatio":33,"screenshot":555,"createdBy":34,"lastUpdatedBy":433,"folders":556,"meta":557,"rev":440},1756833377777,"54f8256648f54d439303734b1e69221b","Browser extension security",[446],{"@type":264,"property":265,"operator":266,"value":447},"/uc/browser-extension-security",{"seoDescription":449,"jsCode":37,"fontAwesomeIcon":450,"tsCode":37,"title":444,"seoTitle":444,"customFonts":451,"inputs":456,"blocks":457,"url":447,"state":549},"Shine a light on risky browser extensions.","faPuzzlePiece",[452],{"kind":273,"family":272,"version":274,"files":453,"category":295,"lastModified":275,"subsets":454,"variants":455,"menu":296},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"100italic":288,"italic":289,"regular":290,"900italic":286,"800italic":285,"700italic":287,"200italic":291,"300italic":293,"500italic":292,"600italic":294},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],[],[458,544],{"@type":106,"@version":107,"tagName":323,"id":459,"meta":460,"children":461},"builder-71d0648c1d2f4ede8d0d0b5b28b7b94c",{"previousId":324},[462,478,485,492,501,511,521,531,538],{"@type":106,"@version":107,"id":463,"meta":464,"component":465,"responsiveStyles":476},"builder-ff325b4b8fad4edea53f38865947e854",{"previousId":328},{"name":327,"options":466,"isRSC":118},{"title":444,"description":467,"points":468,"video":475},"\u003Cp>Browser extensions introduce new code, new permissions, and new potential for risk. Many include AI features, and most go completely unnoticed. Push gives you full visibility into every extension used across your workforce, across major browsers, so you can uncover shadow IT, assess risky permissions, and block unsafe tools before they lead to compromise.\u003C/p>",[469,471,473],{"item":470},"Discover every browser extension in use",{"item":472},"Spot risky or unsanctioned behavior",{"item":474},"Make informed decisions on extension policy","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc538aad95d7f403aa3c3551af72f67c0?alt=media&token=1411fa6d-2eac-4e6c-94bf-ea117da12d67&apiKey=f3a1111ff5be48cdbb123cd9f5795a05",{"large":477},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":479,"meta":480,"component":481,"responsiveStyles":483},"builder-fb89d128c64e47cf9cbb11d90fc24523",{"previousId":344},{"name":346,"options":482,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":484},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":486,"meta":487,"component":488,"responsiveStyles":490},"builder-54388d35126c4d0096eeebaf8c4448cd",{"previousId":352},{"name":354,"options":489,"isRSC":118},{"darkMode":41},{"large":491},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":359,"id":493,"component":494,"responsiveStyles":499},"builder-3c8fa6785dd6466abf52a2470d66d85a",{"name":359,"tag":359,"options":495,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":496,"description":497,"image":498,"reverse":6},"\u003Ch2>Take control of browser extensions\u003C/h2>","\u003Cp>Attackers are increasingly using malicious browser extensions to gain access to data processed and stored in the browser. And the problem is, most security teams have no visibility into what extensions are being used. Push changes that. With browser-native telemetry, the Push extension continuously inventories browser extensions across your environment, flags the risky ones, and gives you intelligence to act. \u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0a004f16a6874f4c8fdf14344acc9fec",{"large":500},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":502,"meta":503,"component":504,"responsiveStyles":509},"builder-93738f98109a4009affb349afd7bb182",{"previousId":371},{"name":373,"options":505,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":506,"description":507,"reverse":41,"image":508},"\u003Ch2>Discover every extension in use\u003C/h2>","\u003Cp>Push gives you structured, searchable data about every extension in your environment, so you’re not just seeing what’s there, but also understanding how it got there, what it can do, and who it affects. It’s the kind of granular insight that’s nearly impossible to get from traditional tools, and it lays the groundwork for better policy decisions and faster investigations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0e5727ca99474f14b1b7916bf6bbb782",{"large":510},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":512,"meta":513,"component":514,"responsiveStyles":519},"builder-83393acb12ee4fdd840839185b51edb4",{"previousId":386},{"name":373,"options":515,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":516,"description":517,"reverse":6,"image":518},"\u003Ch2>Spot risky or malicious extensions\u003C/h2>","\u003Cp>Push highlights extensions with dangerous permissions, broad access, or poor reputations. This includes AI extensions that request access far beyond what their stated purpose requires. You can quickly detect sideloaded, manually installed, or development-mode extensions that bypass normal controls. And because Push shows you who’s using them and where, you can respond precisely and effectively.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa104d58c8da34fbb8901f738fb21453b",{"large":520},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":522,"meta":523,"component":524,"responsiveStyles":529},"builder-da98e3de949646d89c53a0d1c2784664",{"previousId":397},{"name":373,"options":525,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":526,"description":527,"reverse":41,"image":528},"\u003Ch2>Accelerate security reviews\u003C/h2>","\u003Cp>Most teams have extension policies, they just don’t have the data to enforce them. Push reveals how each extension entered your environment, whether it was installed manually, sideloaded, or deployed in dev mode. You’ll see which users are running what, and where, so you can surface violations, investigate quickly, and respond with confidence.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F229f355be6f243b180f410d237a75bb3",{"large":530},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":532,"meta":533,"component":534,"responsiveStyles":536},"builder-1a689287d1a1418997d57db578a71105",{"previousId":408},{"name":354,"options":535,"isRSC":118},{"darkMode":6},{"large":537},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":539,"component":540,"responsiveStyles":542},"builder-feb4e75029f84c10b6498ef1f8f79128",{"name":416,"tag":416,"options":541,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":543},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":545,"@type":106,"tagName":131,"properties":546,"responsiveStyles":547},"builder-pixel-0edn39avfcei",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":548},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":550},{"path":37,"query":551},{},{},1776275365038,1757000441666,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8d496cf111644ee5afcc046b72d1ca5a",[],{"kind":438,"winningTest":118,"breakpoints":558,"lastPreviewUrl":559,"hasLinks":6,"originalContentId":259,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/browser-extension-security?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=54f8256648f54d439303734b1e69221b&builder.overrides.54f8256648f54d439303734b1e69221b=54f8256648f54d439303734b1e69221b&builder.overrides.use-case-page:/uc/browser-extension-security=54f8256648f54d439303734b1e69221b&builder.options.locale=Default",{"createdDate":561,"id":562,"name":563,"modelId":261,"published":13,"query":564,"data":567,"variations":670,"lastUpdated":671,"firstPublished":672,"testRatio":33,"screenshot":673,"createdBy":34,"lastUpdatedBy":674,"folders":675,"meta":676,"rev":440},1744923509705,"94bebb7bb99d48629ad157e80cf4d81d","Account takeover detection",[565],{"@type":264,"property":265,"operator":266,"value":566},"/uc/account-takeover-detection",{"title":563,"customFonts":568,"jsCode":37,"seoTitle":563,"seoDescription":573,"fontAwesomeIcon":574,"tsCode":37,"blocks":575,"url":566,"state":667},[569],{"kind":273,"category":295,"variants":570,"menu":296,"files":571,"family":272,"subsets":572,"version":274,"lastModified":275},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"300italic":293,"500italic":292,"800italic":285,"700italic":287,"italic":289,"900italic":286,"600italic":294,"200italic":291,"regular":290,"100italic":288},[298,299],"Stop ATO with stolen credential and compromised token detection.","faUserSecret",[576,662],{"@type":106,"@version":107,"tagName":323,"id":577,"meta":578,"children":579},"builder-e7913a774cae44c5a23d6081c5c30a52",{"previousId":324},[580,596,603,610,619,629,639,649,656],{"@type":106,"@version":107,"id":581,"meta":582,"component":583,"responsiveStyles":594},"builder-f1f1ab1601bc4c0f8c2a8aafd173675d",{"previousId":328},{"name":327,"options":584,"isRSC":118},{"title":563,"description":585,"points":586,"video":593},"\u003Cp>Attackers don’t need to phish, they just need a password that works. Push monitors for signs of credential-based attacks in real time, directly in the browser, catching account takeover attempts before the damage spreads. From ghost logins to credential stuffing, Push cuts off the paths attackers use to quietly slip in the back door.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[587,589,591],{"item":588},"Identify credential-based ATO as it unfolds",{"item":590},"Surface hijacked sessions and token misuse",{"item":592},"Strengthen authentication where your IdP can’t","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb4dd9db24bc9495b8a686b1b4d492016%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=b4dd9db24bc9495b8a686b1b4d492016&alt=media&optimized=true",{"large":595},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":597,"meta":598,"component":599,"responsiveStyles":601},"builder-0bc0d1c78ece4994993c3a6427a4d533",{"previousId":344},{"name":346,"options":600,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":602},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":604,"meta":605,"component":606,"responsiveStyles":608},"builder-e45de8f3768c4f16938dbf78e4e87524",{"previousId":352},{"name":354,"options":607,"isRSC":118},{"darkMode":41},{"large":609},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":611,"component":612,"responsiveStyles":617},"builder-c98e8bfd341146c1b67c02d5698ff093",{"name":359,"tag":359,"options":613,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":614,"description":615,"image":616,"reverse":6},"\u003Ch2>Assume less. See more.\u003C/h2>","\u003Cp>Most account takeovers don’t start with a breach, they start with a login. Whether it’s a reused password, a local account, or an outdated login flow, Push shows you how accounts are actually accessed day to day, not just how policies say they should be. That means no more blind spots around ghost logins, bypassed SSO, or stale access paths that quietly persist.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F18630ad2746d4eb7b7fcc0428b11a8f0",{"large":618},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":620,"meta":621,"component":622,"responsiveStyles":627},"builder-55c1fc38ddc04fd1a0d6a8e2fb819e00",{"previousId":371},{"name":373,"options":623,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":624,"description":625,"reverse":41,"image":626},"\u003Ch2>Catch stolen credential use in real time\u003C/h2>","\u003Cp>Push monitors login activity directly in the browser to detect signs of credential-based attacks like leaked password use or suspicious login flows. By analyzing attacker TTPs instead of relying on known indicators, Push spots credential stuffing and account takeover attempts the moment they begin, not after they’ve succeeded.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F52b0123cac2c4dfdb1dc0af6adf9d603",{"large":628},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":630,"meta":631,"component":632,"responsiveStyles":637},"builder-dfb31737b30948c6b95323655d571a50",{"previousId":386},{"name":373,"options":633,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":634,"description":635,"reverse":6,"image":636},"\u003Ch2>Detect session hijacks and stealth access\u003C/h2>","\u003Cp>Attackers don’t always need a login screen, they often sidestep it entirely using stolen session tokens. Push detects when valid sessions are reused in unexpected ways, identifying hijacked sessions and stealth access attempts that traditional tools miss. Because we monitor directly in the browser, you see what’s happening inside active sessions in real time.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F94a6859a99e04d309ffe5841f3dbdf5c",{"large":638},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":640,"meta":641,"component":642,"responsiveStyles":647},"builder-f7585b90eb974d03a7dc7eae5b58d227",{"previousId":397},{"name":373,"options":643,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":644,"description":645,"reverse":41,"image":646},"\u003Ch2>Harden accounts before they’re compromised\u003C/h2>","\u003Cp>Push goes beyond alerts. It identifies apps that still allow local logins, even when SSO is configured, so you can remove weak access paths. Push also flags users without MFA, reused work credentials, or weak passwords, and prompts users in-browser to fix risky behaviors before they’re exploited.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01c1b638f1b6497093a4f2b8ceddb5bb",{"large":648},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":650,"meta":651,"component":652,"responsiveStyles":654},"builder-ad81d1e3afec49a791214194eae09bdc",{"previousId":408},{"name":354,"options":653,"isRSC":118},{"darkMode":6},{"large":655},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":657,"component":658,"responsiveStyles":660},"builder-8dac1aa4b9d148628d92252bd8eff822",{"name":416,"tag":416,"options":659,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":661},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":663,"@type":106,"tagName":131,"properties":664,"responsiveStyles":665},"builder-pixel-s5u3wmvz7jq",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":666},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":668},{"path":37,"query":669},{},{},1770892814499,1745499162732,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F58b660fa94aa4b30b0faeb9b663ae41a","SfUPqW5tkibIPby49keNFMdHFTr1",[],{"lastPreviewUrl":677,"hasLinks":6,"originalContentId":259,"breakpoints":678,"winningTest":118,"kind":438,"hasAutosaves":41},"https://pushsecurity.com/uc/account-takeover-detection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.94bebb7bb99d48629ad157e80cf4d81d=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.use-case-page:/uc/account-takeover-detection=94bebb7bb99d48629ad157e80cf4d81d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":680,"id":681,"name":682,"modelId":261,"published":13,"query":683,"data":686,"variations":789,"lastUpdated":790,"firstPublished":791,"testRatio":33,"screenshot":792,"createdBy":34,"lastUpdatedBy":674,"folders":793,"meta":794,"rev":440},1745009370904,"23eb48fb56d3451cab77cb6ed140ee6d","Attack path hardening",[684],{"@type":264,"property":265,"operator":266,"value":685},"/uc/attack-path-hardening",{"tsCode":37,"seoDescription":687,"jsCode":37,"customFonts":688,"fontAwesomeIcon":693,"seoTitle":682,"title":682,"blocks":694,"url":685,"state":786},"Harden access paths with visibility,  detection, and guardrails.",[689],{"kind":273,"files":690,"version":274,"lastModified":275,"subsets":691,"menu":296,"category":295,"variants":692,"family":272},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"regular":290,"italic":289,"800italic":285,"500italic":292,"600italic":294,"200italic":291,"900italic":286,"700italic":287,"100italic":288,"300italic":293},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"faRadar",[695,781],{"@type":106,"@version":107,"tagName":323,"id":696,"meta":697,"children":698},"builder-1d8553eddcaa44d7bba9e2f4ca13af2a",{"previousId":577},[699,715,722,729,738,748,758,768,775],{"@type":106,"@version":107,"id":700,"meta":701,"component":702,"responsiveStyles":713},"builder-84fe3d7c85a743cf8cef649aa974f1ef",{"previousId":581},{"name":327,"options":703,"isRSC":118},{"title":682,"description":704,"points":705,"video":712},"\u003Cp>Push continuously monitors your environment for exposed login paths, weak credentials, and missing protections like MFA. It detects the gaps attackers exploit and helps you close them before they’re used.\u003C/p>",[706,708,710],{"item":707},"Find weak spots like reused passwords, local logins, and missing MFA",{"item":709},"Monitor how users actually log in across apps, flows, and tools",{"item":711},"Enforce secure access with in-browser guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fdbdcf52892034f1bbddded77f753a343%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=dbdcf52892034f1bbddded77f753a343&alt=media&optimized=true",{"large":714},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":716,"meta":717,"component":718,"responsiveStyles":720},"builder-b3f66f5b08054cc78a06fecfc3ae2337",{"previousId":597},{"name":346,"options":719,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":721},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":723,"meta":724,"component":725,"responsiveStyles":727},"builder-4c73418b84be49ed85e6e13d2625c5a0",{"previousId":604},{"name":354,"options":726,"isRSC":118},{"darkMode":41},{"large":728},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":730,"component":731,"responsiveStyles":736},"builder-dec0246085e1485c803f7152b1922a81",{"name":359,"tag":359,"options":732,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":733,"description":734,"image":735,"reverse":6},"\u003Ch2>Find the gaps that lead to compromise\u003C/h2>","\u003Cp>Misconfigurations don’t show up in your config files, they show up in how users actually access apps. Push monitors real login behavior in the browser, surfacing risky patterns like local login access, duplicate accounts, or missing protections that leave doors wide open.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F309a59bba8d247a19476bb369397460e",{"large":737},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":739,"meta":740,"component":741,"responsiveStyles":746},"builder-ebf049a645604a249550996a88f8f3b6",{"previousId":620},{"name":373,"options":742,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":743,"description":744,"reverse":41,"image":745},"\u003Ch2>See real login behavior\u003C/h2>","\u003Cp>Push watches authentication flows as they happen, giving you a live view of how users log in, which methods they choose, and where protections like MFA are missing. Plus, uncover every app and account in use, even shadow IT you didn’t know existed, without relying on stale config files or IdP assumptions. \u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb51f6b0357cc451b87a7a5016d984e5e",{"large":747},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":749,"meta":750,"component":751,"responsiveStyles":756},"builder-431d175c59004669b0b2776b07d71737",{"previousId":630},{"name":373,"options":752,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":753,"description":754,"reverse":6,"image":755},"\u003Ch2>Find and fix posture drift\u003C/h2>","\u003Cp>Security posture isn’t static. Push continuously monitors for issues like missing MFA or legacy login methods. When something falls out of policy, you know immediately with custom notifications so you can act before it turns into risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F324e39127dfc41e592b1183dfb39892d",{"large":757},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":759,"meta":760,"component":761,"responsiveStyles":766},"builder-3dffdcbe0a484e2ca4c03f019b6d40ee",{"previousId":640},{"name":373,"options":762,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":763,"description":764,"reverse":41,"image":765},"\u003Ch2>Guide users with in-browser guardrails\u003C/h2>","\u003Cp>Push doesn’t just surface problems, it helps you fix them. When users sign in without MFA, reuse a password, or use insecure credentials, Push prompts them directly in the browser to secure their access. It’s faster, more effective, and actually gets results.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fee8b75d13e45488aba55434a8b49ebb0",{"large":767},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":769,"meta":770,"component":771,"responsiveStyles":773},"builder-976bc222cd7647ff905f1e01cfedc453",{"previousId":650},{"name":354,"options":772,"isRSC":118},{"darkMode":6},{"large":774},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":776,"component":777,"responsiveStyles":779},"builder-8c47ec2fd0f74382bb3e6c870555632c",{"name":416,"tag":416,"options":778,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":780},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":782,"@type":106,"tagName":131,"properties":783,"responsiveStyles":784},"builder-pixel-7akm7dayau8",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":785},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":787},{"path":37,"query":788},{},{},1770892844854,1745499166112,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6ca12bf728a045f1a31d40c0beb3bfe5",[],{"kind":438,"lastPreviewUrl":795,"breakpoints":796,"hasLinks":6,"originalContentId":562,"winningTest":118,"hasAutosaves":6},"https://pushsecurity.com/uc/attack-path-hardening?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.23eb48fb56d3451cab77cb6ed140ee6d=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.use-case-page:/uc/attack-path-hardening=23eb48fb56d3451cab77cb6ed140ee6d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":798,"id":799,"name":800,"modelId":261,"published":13,"query":801,"data":804,"variations":909,"lastUpdated":910,"firstPublished":911,"testRatio":33,"screenshot":912,"createdBy":34,"lastUpdatedBy":674,"folders":913,"meta":914,"rev":440},1761675020232,"ea4f309d2ffe46c5aa97ebf0fda4e2e3","ClickFix Protection",[802],{"@type":264,"property":265,"operator":266,"value":803},"/uc/clickfix-protection",{"seoDescription":805,"fontAwesomeIcon":806,"customFonts":807,"seoTitle":812,"jsCode":37,"tsCode":37,"title":812,"blocks":813,"url":803,"state":906},"Block attacks that trick users into running malicious code.","faLaptopCode",[808],{"files":809,"subsets":810,"menu":296,"version":274,"kind":273,"family":272,"lastModified":275,"variants":811,"category":295},{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"200italic":291,"800italic":285,"700italic":287,"600italic":294,"100italic":288,"italic":289,"regular":290,"300italic":293,"500italic":292,"900italic":286},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],"ClickFix protection",[814,901],{"@type":106,"@version":107,"tagName":323,"id":815,"meta":816,"children":817},"builder-d7eefdde0f2a4b2b9de3dcb2978fd6cb",{"previousId":696},[818,834,841,848,858,868,878,888,895],{"@type":106,"@version":107,"id":819,"meta":820,"component":821,"responsiveStyles":832},"builder-56e2c54bcce040a4af8b92ae03706c12",{"previousId":700},{"name":327,"options":822,"isRSC":118},{"title":812,"description":823,"points":824,"image":831},"\u003Cp>ClickFix attacks are one of the fastest-growing threats, tricking users into copying malicious code from a webpage and running it locally. This technique bypasses traditional EDR, email gateways, and network filters, leading directly to ransomware and data theft. Push stops this attack at the source, in the browser, by detecting and blocking the malicious behavior before the user can ever paste the code.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[825,827,829],{"item":826},"Detect ClickFix, FileFix, and fake CAPTCHA in the browser",{"item":828},"Block malicious copy-and-paste actions before code is executed",{"item":830},"See full telemetry into which users were targeted and what they saw","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b74af62889847ebb3927364485b0546",{"large":833},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":835,"meta":836,"component":837,"responsiveStyles":839},"builder-05f9614d4e3e4dc88b3ee8658f54e10e",{"previousId":716},{"name":346,"options":838,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":840},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":842,"meta":843,"component":844,"responsiveStyles":846},"builder-c4fb5179366243c1b6c32d368675cf47",{"previousId":723},{"name":354,"options":845,"isRSC":118},{"darkMode":41},{"large":847},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":849,"meta":850,"component":851,"responsiveStyles":856},"builder-261af50705fd445d8cca4a6ba20d5391",{"previousId":730},{"name":359,"tag":359,"options":852,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":853,"description":854,"reverse":6,"image":855},"\u003Ch2>Stop ClickFix-style attacks before they become a breach\u003C/h2>","\u003Cp>Traditional security tools are blind to malicious copy and paste attacks because the attack exploits a gap between the browser and the endpoint. EDR only sees the payload after it runs, and network tools see only part of the picture.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F98b2f7e08dec4eafaf8e24937605b8cf",{"large":857},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":859,"meta":860,"component":861,"responsiveStyles":866},"builder-7d21b8aab8064c40b1e5dd23c4749309",{"previousId":739},{"name":373,"options":862,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":863,"description":864,"reverse":41,"image":865},"\u003Ch2>Discover lures at the source\u003C/h2>","\u003Cp>Push inspects page behavior to identify ClickFix attacks as they happen. By inspecting the page, its structure, and how the user interacts with it, Push can detect and block these in-browser threats in real time. This deep, TTP-based inspection spots the trap even on novel pages that are built to bypass traditional web filters and blocklists.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F665bf47e01544c75bf9ddafd3917927b",{"large":867},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":383,"marginTop":384},{"@type":106,"@version":107,"id":869,"meta":870,"component":871,"responsiveStyles":876},"builder-fb91943adf6149259ed9e1e6566c9afe",{"previousId":749},{"name":373,"options":872,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":873,"description":874,"reverse":6,"image":875},"\u003Ch2>Block the malicious action\u003C/h2>","\u003Cp>When Push detects a malicious script, it intercepts the user's action and blocks the code from being copied to the clipboard. The user is protected, the attack is stopped, and no malicious code ever reaches the endpoint. Unlike broad DLP tools, this action is surgical, targeting only malicious behavior without disrupting normal work.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F5ee68f81f1ac416685cbfe91298cf827",{"large":877},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":879,"meta":880,"component":881,"responsiveStyles":886},"builder-bfac95fada864e5a8259b955b5b5f98b",{"previousId":759},{"name":373,"options":882,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":883,"description":884,"reverse":41,"image":885},"\u003Ch2>Accelerate ClickFix investigations\u003C/h2>","\u003Cp>When an attack happens, knowing what the user saw or did is critical. Push provides rich browser session data for rapid investigation and containment. Security teams get detailed telemetry on which users were targeted, what lure they were served, and when the block occurred. This enables defenders to reconstruct what happened and respond quickly, even when other tools miss the activity entirely.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6cdf2a8aeddc4e9a9023cbf974e40239",{"large":887},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":889,"meta":890,"component":891,"responsiveStyles":893},"builder-136892e831684a6987f87d3be67c33d1",{"previousId":769},{"name":354,"options":892,"isRSC":118},{"darkMode":6},{"large":894},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":896,"component":897,"responsiveStyles":899},"builder-dec26b739f2f42beb5a73cfc6c675b60",{"name":416,"tag":416,"options":898,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":900},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":902,"@type":106,"tagName":131,"properties":903,"responsiveStyles":904},"builder-pixel-zzjpxxgrc2l",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":905},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":907},{"path":37,"query":908},{},{},1770892881888,1761847585203,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F375467b8bef34ed1a8a1cc5b8b67d75f",[],{"lastPreviewUrl":915,"originalContentId":681,"winningTest":118,"hasLinks":6,"kind":438,"breakpoints":916,"hasAutosaves":6},"https://pushsecurity.com/uc/clickfix-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.ea4f309d2ffe46c5aa97ebf0fda4e2e3=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.use-case-page:/uc/clickfix-protection=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":918,"id":919,"name":920,"modelId":261,"published":13,"query":921,"data":924,"variations":1029,"lastUpdated":1030,"firstPublished":1031,"testRatio":33,"screenshot":1032,"createdBy":34,"lastUpdatedBy":674,"folders":1033,"meta":1034,"rev":440},1745009743870,"a9d5556e77f84a37b5bd52310a7110c1","Incident response",[922],{"@type":264,"property":265,"operator":266,"value":923},"/uc/incident-response",{"seoDescription":925,"customFonts":926,"title":920,"jsCode":37,"fontAwesomeIcon":931,"seoTitle":932,"tsCode":37,"blocks":933,"url":923,"state":1026},"Investigate and respond faster with unique browser telemetry.",[927],{"kind":273,"subsets":928,"menu":296,"variants":929,"category":295,"family":272,"version":274,"lastModified":275,"files":930},[298,299],[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"900italic":286,"600italic":294,"200italic":291,"300italic":293,"100italic":288,"700italic":287,"800italic":285,"regular":290,"italic":289,"500italic":292},"faSatelliteDish","Browser based incident response",[934,1021],{"@type":106,"@version":107,"tagName":323,"id":935,"meta":936,"children":937},"builder-653c4aed737b4def88dc4cd2d695660a",{"previousId":696},[938,955,962,969,978,988,998,1008,1015],{"@type":106,"@version":107,"id":939,"meta":940,"component":941,"responsiveStyles":953},"builder-18190bd36518467d9154d27d7e945b9b",{"previousId":700},{"name":327,"options":942,"isRSC":118},{"title":943,"description":944,"points":945,"video":952},"Browser-based incident response","\u003Cp>Push gives you real-time visibility into what actually happened during a breach, right in the browser where the attack played out. From credential theft to session hijacking, Push captures high-fidelity telemetry so you can investigate quickly, contain confidently, and shut it down before it spreads.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[946,948,950],{"item":947},"Reconstruct what happened with real browser session context",{"item":949},"Investigate faster with real-world session context",{"item":951},"Trigger response actions automatically through your SIEM or SOAR","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fd00e39d3b6e346c296261d875cf55652%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=d00e39d3b6e346c296261d875cf55652&alt=media&optimized=true",{"large":954},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":956,"meta":957,"component":958,"responsiveStyles":960},"builder-8a0a8ea63f5d48dd8a6726f2d49cf0ca",{"previousId":716},{"name":346,"options":959,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":961},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":963,"meta":964,"component":965,"responsiveStyles":967},"builder-2df65c3f54334df2b26e7cb744886cdc",{"previousId":723},{"name":354,"options":966,"isRSC":118},{"darkMode":41},{"large":968},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":970,"component":971,"responsiveStyles":976},"builder-2c32c869efc2423ab69ef06b150e9f97",{"name":359,"tag":359,"options":972,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":973,"description":974,"image":975,"reverse":6},"\u003Ch2>See attacks unfold, not just their aftermath\u003C/h2>","\u003Cp>Attacks happen in the browser, not in logs. Push captures what traditional tools miss: what users clicked, what loaded, what was entered, and how attackers moved. That gives you real-world evidence, not just assumptions, when every second matters.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F36fc719bd1de4a38b916f4d25c81a26d",{"large":977},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":979,"meta":980,"component":981,"responsiveStyles":986},"builder-370e53c6016e432db01e9193a2ce90f6",{"previousId":739},{"name":373,"options":982,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":983,"description":984,"reverse":41,"image":985},"\u003Ch2>Investigate faster with high-fidelity data\u003C/h2>","\u003Cp>Reconstructing an incident shouldn’t feel like guesswork. Push records detailed telemetry from inside the browser: page loads, credential inputs, DOM changes, session activity, user behavior. It’s structured, exportable, and ready to plug into your investigation workflows, so you can move fast without digging through proxy logs or relying on user reports.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa6adda040e684e67a8d68a55c5ce5f6d",{"large":987},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":989,"meta":990,"component":991,"responsiveStyles":996},"builder-a7f3767a8d184bd08fb24520bf210e95",{"previousId":749},{"name":373,"options":992,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":993,"description":994,"reverse":6,"image":995},"\u003Ch2>Contain and respond in real time\u003C/h2>","\u003Cp>When something looks off, Push doesn’t just alert you, it gives you options. Guide users with in-browser prompts. Terminate sessions. Trigger SOAR workflows. Enrich SIEM alerts. Push gives you the context and control to stop spread before it starts.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb3dedeed5aba4847a2c2d22e10d0ec12",{"large":997},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":999,"meta":1000,"component":1001,"responsiveStyles":1006},"builder-b92036ee0ece4b32acdbdcc7c377366b",{"previousId":759},{"name":373,"options":1002,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1003,"description":1004,"reverse":41,"image":1005},"\u003Ch2>Prevent the next one\u003C/h2>","\u003Cp>Push helps you respond fast, but it also helps you fix what went wrong. It surfaces misconfigurations and risky behaviors that made the attack possible in the first place, then guides users in-browser to remediate. One tool. Full loop. No loose ends.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc1ecc2d5d3814b62b072fac01827ff96",{"large":1007},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1009,"meta":1010,"component":1011,"responsiveStyles":1013},"builder-5e8ae39655274de89da32ab573a2525a",{"previousId":769},{"name":354,"options":1012,"isRSC":118},{"darkMode":6},{"large":1014},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1016,"component":1017,"responsiveStyles":1019},"builder-dfd6850cfb4741d2b8a0c16c2780f00a",{"name":416,"tag":416,"options":1018,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1020},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1022,"@type":106,"tagName":131,"properties":1023,"responsiveStyles":1024},"builder-pixel-z197gdgcmu",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":1025},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1027},{"path":37,"query":1028},{},{},1770892908052,1745427419274,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb07017bfd318431690a5bb35bda35b99",[],{"kind":438,"breakpoints":1035,"originalContentId":681,"winningTest":118,"lastPreviewUrl":1036,"hasLinks":6,"hasAutosaves":6},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/incident-response?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.a9d5556e77f84a37b5bd52310a7110c1=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.use-case-page:/uc/incident-response=a9d5556e77f84a37b5bd52310a7110c1&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"createdDate":1038,"id":1039,"name":1040,"modelId":261,"published":13,"query":1041,"data":1044,"variations":1149,"lastUpdated":1150,"firstPublished":1151,"testRatio":33,"screenshot":1152,"createdBy":34,"lastUpdatedBy":674,"folders":1153,"meta":1154,"rev":440},1746122471259,"5f118e24433d46ceb79f5099987156d7","Shadow SaaS",[1042],{"@type":264,"property":265,"operator":266,"value":1043},"/uc/shadow-saas",{"seoTitle":1045,"seoDescription":1046,"customFonts":1047,"fontAwesomeIcon":1052,"title":1053,"jsCode":37,"tsCode":37,"blocks":1054,"url":1043,"state":1146},"Find and secure shadow SaaS","See and control shadow SaaS in the browser.",[1048],{"kind":273,"variants":1049,"files":1050,"family":272,"version":274,"subsets":1051,"lastModified":275,"category":295,"menu":296},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"300italic":293,"500italic":292,"regular":290,"900italic":286,"italic":289,"100italic":288,"200italic":291,"600italic":294,"700italic":287,"800italic":285},[298,299],"faShieldCheck","Secure shadow SaaS",[1055,1141],{"@type":106,"@version":107,"tagName":323,"id":1056,"meta":1057,"children":1058},"builder-04da805c4cd34652a2db452fcda52e1d",{"previousId":935},[1059,1075,1082,1089,1098,1108,1118,1128,1135],{"@type":106,"@version":107,"id":1060,"meta":1061,"component":1062,"responsiveStyles":1073},"builder-830d414faeaf41439142f9157e8288c8",{"previousId":939},{"name":327,"options":1063,"isRSC":118},{"title":1045,"description":1064,"points":1065,"video":1072},"\u003Cp>SaaS sprawl is one of today’s fastest-growing security blind spots because most tools monitor around the edges. Push sees it at the source, in the browser, revealing every app users access, flagging risky tools, and helping you shut down exposure before it leads to a breach. No guesswork. No nasty surprises. Just real-time visibility and control.\u003C/p>",[1066,1068,1070],{"item":1067},"Discover every SaaS app users access, managed or not",{"item":1069},"Spot accounts with weak security postures like missing MFA, unmanaged access, and no SSO",{"item":1071},"Control usage with in-browser prompts, blocks, and security guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F3e4eece318d04d6586e691d59d0741cf%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=3e4eece318d04d6586e691d59d0741cf&alt=media&optimized=true",{"large":1074},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":1076,"meta":1077,"component":1078,"responsiveStyles":1080},"builder-cd7833f966cb4c7e8adf0d6c979414a6",{"previousId":956},{"name":346,"options":1079,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":1081},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":1083,"meta":1084,"component":1085,"responsiveStyles":1087},"builder-49d720b45430454e8b08c526f267c19f",{"previousId":963},{"name":354,"options":1086,"isRSC":118},{"darkMode":41},{"large":1088},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1090,"component":1091,"responsiveStyles":1096},"builder-3dde0bf6c8544e5e9ab41b18a9d68034",{"name":359,"tag":359,"options":1092,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":1093,"description":1094,"image":1095,"reverse":6},"\u003Ch2>Use your browser to curb Saas Sprawl\u003C/h2>","\u003Cp>Shadow SaaS isn’t hiding in your network, it’s in your browser. From AI tools to unsanctioned file-sharing sites, security risks live in the apps your users sign into every day. Push maps your organization's true SaaS footprint in real time, exposing apps and accounts with unmanaged access, poor authentication, or no security oversight.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb6811a214c7949b6bbe0b9a3bca62efd",{"large":1097},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1099,"meta":1100,"component":1101,"responsiveStyles":1106},"builder-e2420451ccdc4f088d0a4904cff45935",{"previousId":979},{"name":373,"options":1102,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":1103,"description":1104,"reverse":41,"image":1105},"\u003Ch2>Discover hidden SaaS usage\u003C/h2>","\u003Cp>Push captures live browser telemetry across every tab and session. Whether a user signs into a sanctioned app with a personal account or tries a new AI plugin, you’ll see it in real time, with no integrations or manual tagging.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe16e301f9af94665b95d98232a863d8a",{"large":1107},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":1109,"meta":1110,"component":1111,"responsiveStyles":1116},"builder-b36de7fce7994beea9e58d94662e7166",{"previousId":989},{"name":373,"options":1112,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":1113,"description":1114,"reverse":6,"image":1115},"\u003Ch2>Spot risky access and unsafe usage\u003C/h2>","\u003Cp>Discovery is just the beginning. Push flags apps with risky traits, no MFA, no SSO, known vulnerabilities, or broad access scopes. You’ll know which tools introduce real risk, and which users are exposed so you can act with precision.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6585f3c242da4d70ae3cb7d02f481bef",{"large":1117},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":1119,"meta":1120,"component":1121,"responsiveStyles":1126},"builder-dc366b5134684fe7a508edf8913103ea",{"previousId":999},{"name":373,"options":1122,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1123,"description":1124,"reverse":41,"image":1125},"\u003Ch2>Close gaps before they grow\u003C/h2>","\u003Cp>Push turns insight into action. When risky SaaS use is detected, guide users to enable MFA, block high-risk apps, or apply in-browser guardrails automatically. All without deploying new infrastructure or managing dozens of integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe6d60b6d91414819bc6258a318f00557",{"large":1127},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1129,"meta":1130,"component":1131,"responsiveStyles":1133},"builder-8708f6f0d8da4b3f9e17bf16cda70219",{"previousId":1009},{"name":354,"options":1132,"isRSC":118},{"darkMode":6},{"large":1134},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1136,"component":1137,"responsiveStyles":1139},"builder-8ff4b38d60534cf28cb523ab0f754875",{"name":416,"tag":416,"options":1138,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1140},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1142,"@type":106,"tagName":131,"properties":1143,"responsiveStyles":1144},"builder-pixel-d1ul2kmxbed",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":1145},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1147},{"path":37,"query":1148},{},{},1770892936802,1746714967208,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01bfb2304521412fbd2e1a1180904d40",[],{"originalContentId":919,"winningTest":118,"lastPreviewUrl":1155,"breakpoints":1156,"kind":438,"hasLinks":6,"hasAutosaves":6},"https://pushsecurity.com/uc/shadow-saas?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=5f118e24433d46ceb79f5099987156d7&builder.overrides.5f118e24433d46ceb79f5099987156d7=5f118e24433d46ceb79f5099987156d7&builder.overrides.use-case-page:/uc/shadow-saas=5f118e24433d46ceb79f5099987156d7&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":39,"medium":40},{"createdDate":1158,"id":1159,"name":1160,"modelId":261,"published":13,"query":1161,"data":1164,"variations":1268,"lastUpdated":1269,"firstPublished":1270,"testRatio":33,"screenshot":1271,"createdBy":34,"lastUpdatedBy":674,"folders":1272,"meta":1273,"rev":440},1764707470172,"b62629ce2f3741158d961cd10fe74b31","Shadow AI",[1162],{"@type":264,"property":265,"operator":266,"value":1163},"/uc/shadow-ai",{"fontAwesomeIcon":1165,"seoTitle":1166,"jsCode":37,"customFonts":1167,"title":1172,"tsCode":37,"seoDescription":1173,"blocks":1174,"url":1163,"state":1265},"faBrainCircuit","Secure AI native and AI enhanced apps. ",[1168],{"variants":1169,"category":295,"files":1170,"subsets":1171,"family":272,"kind":273,"menu":296,"lastModified":275,"version":274},[301,302,303,304,305,306,128,307,308,309,310,311,312,313,314,315,316,317],{"100":277,"200":278,"300":279,"500":280,"600":281,"700":282,"800":283,"900":284,"800italic":285,"regular":290,"700italic":287,"200italic":291,"italic":289,"500italic":292,"600italic":294,"300italic":293,"100italic":288,"900italic":286},[298,299],"Secure shadow AI","See and control shadow AI apps in the browser.",[1175,1260],{"@type":106,"@version":107,"tagName":323,"id":1176,"meta":1177,"children":1178},"builder-a6e5717a2c914d5695058e4ee201a05d",{"previousId":1056},[1179,1195,1202,1209,1219,1228,1237,1247,1254],{"@type":106,"@version":107,"id":1180,"meta":1181,"component":1182,"responsiveStyles":1193},"builder-3e0ed678683f4a0eb7aa00253cf263b2",{"previousId":1060},{"name":327,"options":1183,"isRSC":118},{"title":1172,"description":1184,"points":1185,"image":1192},"\u003Cp>Your employees are adopting AI faster than you can track it. From native features in corporate apps to unapproved shadow tools, it’s all happening in the browser. Push detects every AI interaction in real time, letting you categorize apps and enforce acceptable use policies in the browser.\u003C/p>",[1186,1188,1190],{"item":1187},"Map every AI tool used across your workforce",{"item":1189},"Review and classify apps by sensitivity, purpose, and policy status",{"item":1191},"Enforce AI usage rules directly in the browser","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F33cf153d920f4e389f3650253577cff7",{"large":1194},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":342},{"@type":106,"@version":107,"id":1196,"meta":1197,"component":1198,"responsiveStyles":1200},"builder-76968f8471d14893b8189d75b08fb426",{"previousId":1076},{"name":346,"options":1199,"isRSC":118},{"AllPartners":41,"backgroundTransparent":6},{"large":1201},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":350},{"@type":106,"@version":107,"id":1203,"meta":1204,"component":1205,"responsiveStyles":1207},"builder-b55b9d4bc5a649d8839ce7f6c2043d95",{"previousId":1083},{"name":354,"options":1206,"isRSC":118},{"darkMode":41},{"large":1208},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1210,"meta":1211,"component":1212,"responsiveStyles":1217},"builder-c3f38ef4d75d4989a29b5903175ed8a1",{"previousId":1090},{"name":359,"tag":359,"options":1213,"isRSC":118},{"darkMode":6,"maxWidth":363,"maxTextWidth":364,"title":1214,"description":1215,"image":1216,"reverse":6},"\u003Ch2>Use your browser to govern AI \u003C/h2>","\u003Cp>The AI footprint inside your company is bigger than you think. From text generators to meeting assistants and design copilots, employees test, adopt, and connect new tools constantly. Push shows you those tools and which users are accessing them, without relying on network scans or API integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F30b43bda6f1644c19478fb1efa20050c",{"large":1218},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1220,"meta":1221,"component":1222,"responsiveStyles":1226},"builder-90ee9cb9afc44e7f885523715bf51a53",{"previousId":1099},{"name":373,"options":1223,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":376,"title":1224,"description":1225,"reverse":41,"image":1115},"\u003Ch2>Discover every AI tool users touch\u003C/h2>","\u003Cp>Push captures live telemetry from the browser, identifying every AI-native and AI-enhanced application users access. You’ll know which corporate identities are connected, how data flows, and what new AI apps appear across your environment. \u003C/p>",{"large":1227},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":382,"paddingTop":384,"marginTop":384},{"@type":106,"@version":107,"id":1229,"meta":1230,"component":1231,"responsiveStyles":1235},"builder-9e44539fa53c4d8e87406036c921fc46",{"previousId":1109},{"name":373,"options":1232,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":389,"title":1233,"description":1234,"reverse":6,"image":1125},"\u003Ch2>Classify and manage AI risk\u003C/h2>","\u003Cp>For apps you choose to allow, Push lets you apply custom in-browser banners. You can bulk-select categories of AI tools and require users to read and acknowledge your acceptable use policy before they proceed. This creates an auditable trail and moves policy from an easy to forget document to an active, in-workflow control.\u003C/p>",{"large":1236},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":395},{"@type":106,"@version":107,"layerName":373,"id":1238,"meta":1239,"component":1240,"responsiveStyles":1245},"builder-44c1a891926f4bdeaaa37e90721fe6ac",{"previousId":1119},{"name":373,"options":1241,"isRSC":118},{"darkMode":6,"maxWidth":363,"imageMaxWidth":375,"textPaddingTop":400,"title":1242,"description":1243,"reverse":41,"image":1244},"\u003Ch2>Enforce your AI policy in the browser\u003C/h2>","\u003Cp>When an AI tool is deemed non-compliant or too risky, Push blocks it at the source. The block happens directly in the browser, preventing the user from accessing the site or submitting data. This gives you an immediate, powerful lever to stop data exfiltration and enforce a hard line on unacceptable risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa359ac1805af4e15a8a7f84632b9bb55",{"large":1246},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":406},{"@type":106,"@version":107,"id":1248,"meta":1249,"component":1250,"responsiveStyles":1252},"builder-dcc906f9cbe54dc68b3c672668e7a38f",{"previousId":1129},{"name":354,"options":1251,"isRSC":118},{"darkMode":6},{"large":1253},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1255,"component":1256,"responsiveStyles":1258},"builder-d2d64780c31b4349bc75805b23a07e38",{"name":416,"tag":416,"options":1257,"isRSC":118},{"sectionHeading":37,"customClass":418},{"large":1259},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1261,"@type":106,"tagName":131,"properties":1262,"responsiveStyles":1263},"builder-pixel-wxx9tk70r9p",{"src":133,"aria-hidden":134,"alt":37,"role":135,"width":124,"height":124},{"large":1264},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1266},{"path":37,"query":1267},{},{},1770892957225,1764950077593,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe558b8b069884037a8e6904f7ecc029c",[],{"winningTest":118,"breakpoints":1274,"originalContentId":1039,"kind":438,"lastPreviewUrl":1275,"hasLinks":6,"hasAutosaves":41},{"xsmall":57,"small":39,"medium":40},"https://pushsecurity.com/uc/shadow-ai?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=b62629ce2f3741158d961cd10fe74b31&builder.overrides.b62629ce2f3741158d961cd10fe74b31=b62629ce2f3741158d961cd10fe74b31&builder.overrides.use-case-page:/uc/shadow-ai=b62629ce2f3741158d961cd10fe74b31&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"_path":1277,"_dir":1278,"_draft":6,"_partial":6,"_locale":37,"sys":1279,"summary":1282,"title":1296,"subtitle":118,"metaTitle":1297,"synopsis":1292,"hashTags":118,"publishedDate":1298,"slug":1299,"ogImage":1300,"tagsCollection":1302,"relatedBlogPostsCollection":1312,"authorsCollection":3759,"content":3763,"_id":4571,"_type":4572,"_source":4573,"_file":4574,"_stem":4575,"_extension":4572},"/blog/why-attackers-are-targeting-jira-with-stolen-credentials","blog",{"id":1280,"publishedAt":1281},"gANCbeL9AnxmbGAE5HhyG","2025-04-28T12:19:15.275Z",{"json":1283},{"data":1284,"content":1285,"nodeType":1295},{},[1286],{"data":1287,"content":1288,"nodeType":1294},{},[1289],{"data":1290,"marks":1291,"value":1292,"nodeType":1293},{},[],"Attackers are persistently targeting Jira accounts with stolen credentials. What can we learn from this trend?","text","paragraph","document","6 breaches in 5 months: Why attackers are targeting Jira with stolen credentials","Why attackers are targeting Jira with stolen credentials","2025-03-25T00:00:00.000Z","why-attackers-are-targeting-jira-with-stolen-credentials",{"url":1301},"https://images.ctfassets.net/y1cdw1ablpvd/2IqfH1VLMma3YrbSX29q2Q/0b87ae386387e2ceaed097baf7321257/hellcat_social_graphic.png",{"items":1303},[1304,1308],{"sys":1305,"name":1307},{"id":1306},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"sys":1309,"name":1311},{"id":1310},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"items":1313},[1314,2351,3163],{"__typename":1315,"sys":1316,"content":1318,"title":2332,"synopsis":2333,"hashTags":118,"publishedDate":1298,"slug":2334,"tagsCollection":2335,"authorsCollection":2343},"BlogPosts",{"id":1317},"5aB5x5VXrMv7PDmH0iiK0c",{"json":1319},{"nodeType":1295,"data":1320,"content":1321},{},[1322,1344,1351,1358,1365,1372,1381,1388,1405,1409,1417,1424,1431,1438,1449,1456,1463,1470,1479,1486,1562,1574,1581,1589,1596,1655,1667,1674,1680,1688,1695,1728,1752,1759,1769,1772,1779,1799,1806,1839,1846,1853,1860,1866,1869,1876,1883,1891,1898,1905,1921,1927,1935,1942,1948,1956,1976,1983,2016,2037,2043,2063,2083,2091,2098,2105,2111,2131,2134,2142,2157,2164,2171,2221,2227,2234,2241,2284,2287,2295,2302,2305,2312],{"nodeType":1294,"data":1323,"content":1324},{},[1325,1329,1340],{"nodeType":1293,"value":1326,"marks":1327,"data":1328},"It wasn’t supposed to be like this. Passwords were supposed to be dead (just ask ",[],{},{"nodeType":1330,"data":1331,"content":1333},"hyperlink",{"uri":1332},"https://www.cnet.com/news/privacy/gates-predicts-death-of-the-password/",[1334],{"nodeType":1293,"value":1335,"marks":1336,"data":1339},"Bill Gates",[1337],{"type":1338},"underline",{},{"nodeType":1293,"value":1341,"marks":1342,"data":1343},").",[],{},{"nodeType":1294,"data":1345,"content":1346},{},[1347],{"nodeType":1293,"value":1348,"marks":1349,"data":1350},"Instead, hardworking security pros are left to sit around in community center basements drinking mediocre coffee and commiserating.",[],{},{"nodeType":1294,"data":1352,"content":1353},{},[1354],{"nodeType":1293,"value":1355,"marks":1356,"data":1357},"“I admit it. My users still use passwords.”",[],{},{"nodeType":1294,"data":1359,"content":1360},{},[1361],{"nodeType":1293,"value":1362,"marks":1363,"data":1364},"“Yeah, mine too. I’ve been telling people we’re rolling out passkeys for three years now. I’m not sure how much longer I can keep this up …”",[],{},{"nodeType":1294,"data":1366,"content":1367},{},[1368],{"nodeType":1293,"value":1369,"marks":1370,"data":1371},"Somber nodding all around. Hugs. A few chocolate-chip cookies on paper napkins.",[],{},{"nodeType":1373,"data":1374,"content":1380},"embedded-entry-block",{"target":1375},{"sys":1376},{"id":1377,"type":1378,"linkType":1379},"4Wt29DxSSczFt5THWkuIiS","Link","Entry",[],{"nodeType":1294,"data":1382,"content":1383},{},[1384],{"nodeType":1293,"value":1385,"marks":1386,"data":1387},"This is a no-judgment zone here at Push Security. So let’s take a look at why we’re still stuck with passwords, how attackers are increasingly exploiting weak credentials to infiltrate organizations, and how Push can help you get visibility and control of all your workforce identities.",[],{},{"nodeType":1294,"data":1389,"content":1390},{},[1391,1395,1401],{"nodeType":1293,"value":1392,"marks":1393,"data":1394},"We’ll also cover how you can use Push’s latest feature, ",[],{},{"nodeType":1293,"value":1396,"marks":1397,"data":1400},"Strong password enforcement",[1398],{"type":1399},"bold",{},{"nodeType":1293,"value":1402,"marks":1403,"data":1404},", to require that employees use strong, unique passwords. Push automatically detects when employees have weak, reused, or stolen passwords and then guides them to update their password using in-browser messaging — even on apps that don’t natively support administrative control of password posture.",[],{},{"nodeType":1406,"data":1407,"content":1408},"hr",{},[],{"nodeType":1410,"data":1411,"content":1412},"heading-1",{},[1413],{"nodeType":1293,"value":1414,"marks":1415,"data":1416},"3 reasons why we’re still stuck with passwords",[],{},{"nodeType":1294,"data":1418,"content":1419},{},[1420],{"nodeType":1293,"value":1421,"marks":1422,"data":1423},"At the risk of preaching to the choir, let’s review why we’re still stuck with passwords. ",[],{},{"nodeType":1294,"data":1425,"content":1426},{},[1427],{"nodeType":1293,"value":1428,"marks":1429,"data":1430},"It’s worth stating the Push perspective up front: We’re not here to push the narrative that you must completely get rid of passwords. To begin with, it’s not easy to get rid of them. Like the imaginary scene from the passwordless support group, we’ve lived the reality of this.",[],{},{"nodeType":1294,"data":1432,"content":1433},{},[1434],{"nodeType":1293,"value":1435,"marks":1436,"data":1437},"What we observe across our install base for the Push browser agent reinforces this reality. For the last 1 million or so logins that Push recorded, more than a quarter (26%) were password logins.",[],{},{"nodeType":1439,"data":1440,"content":1441},"blockquote",{},[1442],{"nodeType":1294,"data":1443,"content":1444},{},[1445],{"nodeType":1293,"value":1446,"marks":1447,"data":1448},"For the last 1M+ logins that the Push browser agent observed, more than a quarter were password logins.",[],{},{"nodeType":1294,"data":1450,"content":1451},{},[1452],{"nodeType":1293,"value":1453,"marks":1454,"data":1455},"Of those password logins, 18% had a security issue with the password — reused, easily guessable, already leaked in a public breach list, or actively for sale in criminal forums.",[],{},{"nodeType":1294,"data":1457,"content":1458},{},[1459],{"nodeType":1293,"value":1460,"marks":1461,"data":1462},"Yet when strong, unique passwords are used in conjunction with MFA, they can provide a powerful line of defense. Indeed, in cases where onboarding an app to SSO isn’t possible (for reasons we’ll cover below), a strong, unique password plus MFA is the most pragmatic solution you can achieve.",[],{},{"nodeType":1294,"data":1464,"content":1465},{},[1466],{"nodeType":1293,"value":1467,"marks":1468,"data":1469},"Here’s why bad passwords persist, and why it matters.",[],{},{"nodeType":1471,"data":1472,"content":1473},"heading-2",{},[1474],{"nodeType":1293,"value":1475,"marks":1476,"data":1478},"Systemic reasons",[1477],{"type":1399},{},{"nodeType":1294,"data":1480,"content":1481},{},[1482],{"nodeType":1293,"value":1483,"marks":1484,"data":1485},"If we zoom out, there are several systemic reasons that contribute to the persistence of password security issues:",[],{},{"nodeType":1487,"data":1488,"content":1489},"unordered-list",{},[1490,1519,1547],{"nodeType":1491,"data":1492,"content":1493},"list-item",{},[1494],{"nodeType":1294,"data":1495,"content":1496},{},[1497,1502,1506,1515],{"nodeType":1293,"value":1498,"marks":1499,"data":1501},"Self-adoption of work apps",[1500],{"type":1399},{},{"nodeType":1293,"value":1503,"marks":1504,"data":1505}," makes it extremely difficult to know all the workforce identities that exist across your environment, let alone whether they’re using a secure authentication method, or the strength or uniqueness of their password. Push’s ",[],{},{"nodeType":1330,"data":1507,"content":1509},{"uri":1508},"https://pushsecurity.com/blog/how-many-vulnerable-identities-do-you-have/",[1510],{"nodeType":1293,"value":1511,"marks":1512,"data":1514},"own research",[1513],{"type":1338},{},{"nodeType":1293,"value":1516,"marks":1517,"data":1518}," shows that for an average organization, each employee has 15 identities.",[],{},{"nodeType":1491,"data":1520,"content":1521},{},[1522],{"nodeType":1294,"data":1523,"content":1524},{},[1525,1530,1534,1543],{"nodeType":1293,"value":1526,"marks":1527,"data":1529},"Apps optimize signups for low friction, not security.",[1528],{"type":1399},{},{"nodeType":1293,"value":1531,"marks":1532,"data":1533}," That often results in multiple authentication methods tied to any given account because local password accounts can still persist even after SSO onboarding — a phenomenon that we call ",[],{},{"nodeType":1330,"data":1535,"content":1537},{"uri":1536},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/ghost_logins/description.md",[1538],{"nodeType":1293,"value":1539,"marks":1540,"data":1542},"ghost logins",[1541],{"type":1338},{},{"nodeType":1293,"value":1544,"marks":1545,"data":1546}," because they provide attackers with a way around a company’s enterprise SSO solution. These local accounts represent a significant risk, and most are invisible. Which brings us to …",[],{},{"nodeType":1491,"data":1548,"content":1549},{},[1550],{"nodeType":1294,"data":1551,"content":1552},{},[1553,1558],{"nodeType":1293,"value":1554,"marks":1555,"data":1557},"Many apps provide very little information to admins about the posture of accounts",[1556],{"type":1399},{},{"nodeType":1293,"value":1559,"marks":1560,"data":1561}," on that service, and even fewer offer management options to address security issues on those accounts. Some services provide no information at all about which accounts can even access a given tenant.",[],{},{"nodeType":1294,"data":1563,"content":1564},{},[1565,1570],{"nodeType":1293,"value":1566,"marks":1567,"data":1569},"The impact: ",[1568],{"type":1399},{},{"nodeType":1293,"value":1571,"marks":1572,"data":1573},"These systemic factors contribute to what we see many organizations grappling with: Known visibility gaps in their workforce identities, which are scattered across many more third-party apps than they imagine, and unknown account security risks for both managed and unmanaged apps.",[],{},{"nodeType":1294,"data":1575,"content":1576},{},[1577],{"nodeType":1293,"value":1578,"marks":1579,"data":1580},"These gaps open up a large attack surface for organizations. The 2024 Verizon DBIR found that 79% of web application compromises were the result of breached creds, and researchers at IBM reported last year that they observed a 71% year-over-year increase in cyberattacks using stolen or compromised credentials.",[],{},{"nodeType":1471,"data":1582,"content":1583},{},[1584],{"nodeType":1293,"value":1585,"marks":1586,"data":1588},"Technical reasons",[1587],{"type":1399},{},{"nodeType":1294,"data":1590,"content":1591},{},[1592],{"nodeType":1293,"value":1593,"marks":1594,"data":1595},"There are also several technical reasons why bad passwords persist:",[],{},{"nodeType":1487,"data":1597,"content":1598},{},[1599,1627],{"nodeType":1491,"data":1600,"content":1601},{},[1602],{"nodeType":1294,"data":1603,"content":1604},{},[1605,1608,1618,1623],{"nodeType":1293,"value":37,"marks":1606,"data":1607},[],{},{"nodeType":1330,"data":1609,"content":1611},{"uri":1610},"https://www.ncsc.gov.uk/blog-post/passkeys-not-perfect-getting-better",[1612],{"nodeType":1293,"value":1613,"marks":1614,"data":1617},"Going passwordless is hard",[1615,1616],{"type":1338},{"type":1399},{},{"nodeType":1293,"value":1619,"marks":1620,"data":1622}," ",[1621],{"type":1399},{},{"nodeType":1293,"value":1624,"marks":1625,"data":1626},"because it requires a large investment of time, money, and training for end-users. In environments with a mix of older and newer infrastructure, it can be challenging to get complete coverage, and employees may struggle with the transition to device-based authentication (especially when they lose their device and aren’t familiar with how to regain account access).",[],{},{"nodeType":1491,"data":1628,"content":1629},{},[1630],{"nodeType":1294,"data":1631,"content":1632},{},[1633,1638,1642,1651],{"nodeType":1293,"value":1634,"marks":1635,"data":1637},"Many apps do not even provide a SAML option",[1636],{"type":1399},{},{"nodeType":1293,"value":1639,"marks":1640,"data":1641},", making it difficult to onboard every business app to SSO even once you know about them all. Last we checked, only about 30% of commonly used work apps supported SAML. Even when apps do provide the option, many charge the infamous “",[],{},{"nodeType":1330,"data":1643,"content":1645},{"uri":1644},"https://sso.tax/",[1646],{"nodeType":1293,"value":1647,"marks":1648,"data":1650},"SSO tax",[1649],{"type":1338},{},{"nodeType":1293,"value":1652,"marks":1653,"data":1654},",” putting the feature behind enterprise plans.",[],{},{"nodeType":1294,"data":1656,"content":1657},{},[1658,1663],{"nodeType":1293,"value":1659,"marks":1660,"data":1662},"The impact:",[1661],{"type":1399},{},{"nodeType":1293,"value":1664,"marks":1665,"data":1666}," What ends up happening in many organizations is a patchwork of login methods, including passwords, passkeys, OIDC, and SAML. Looking at data from Push’s install base, we see on average around 15,000 accounts per 1,000 users, with 5,900+ outside of SSO — about 40%. ",[],{},{"nodeType":1294,"data":1668,"content":1669},{},[1670],{"nodeType":1293,"value":1671,"marks":1672,"data":1673},"That means more — not less — for a security and IT team to manage, often without the visibility or control they need to do so effectively.",[],{},{"nodeType":1373,"data":1675,"content":1679},{"target":1676},{"sys":1677},{"id":1678,"type":1378,"linkType":1379},"2QnWVpPYRyJQaQ5TuKSSLp",[],{"nodeType":1471,"data":1681,"content":1682},{},[1683],{"nodeType":1293,"value":1684,"marks":1685,"data":1687},"Human reasons",[1686],{"type":1399},{},{"nodeType":1294,"data":1689,"content":1690},{},[1691],{"nodeType":1293,"value":1692,"marks":1693,"data":1694},"Finally, there are a lot of human reasons why poor passwords persist, all of them familiar and intractable:",[],{},{"nodeType":1487,"data":1696,"content":1697},{},[1698,1713],{"nodeType":1491,"data":1699,"content":1700},{},[1701],{"nodeType":1294,"data":1702,"content":1703},{},[1704,1709],{"nodeType":1293,"value":1705,"marks":1706,"data":1708},"Password change fatigue",[1707],{"type":1399},{},{"nodeType":1293,"value":1710,"marks":1711,"data":1712},", resulting in weak and reused passwords — often driven by incomplete adoption of enterprise password managers or outdated password security policies that require users to rotate passwords frequently. ",[],{},{"nodeType":1491,"data":1714,"content":1715},{},[1716],{"nodeType":1294,"data":1717,"content":1718},{},[1719,1724],{"nodeType":1293,"value":1720,"marks":1721,"data":1723},"Shortcuts that busy humans take",[1722],{"type":1399},{},{"nodeType":1293,"value":1725,"marks":1726,"data":1727}," to get work done on a daily basis, including reusing passwords across personal and corporate accounts, storing passwords insecurely, and using easier-to-remember passwords over secure, complex ones.  ",[],{},{"nodeType":1294,"data":1729,"content":1730},{},[1731,1735,1739,1748],{"nodeType":1293,"value":1659,"marks":1732,"data":1734},[1733],{"type":1399},{},{"nodeType":1293,"value":1736,"marks":1737,"data":1738}," When there’s a large, complex, and largely invisible attack surface made up of these online corporate identities, adversaries profit. Just look at any of the ",[],{},{"nodeType":1330,"data":1740,"content":1742},{"uri":1741},"https://pushsecurity.com/resources/2024-identity-attacks",[1743],{"nodeType":1293,"value":1744,"marks":1745,"data":1747},"major identity attacks",[1746],{"type":1338},{},{"nodeType":1293,"value":1749,"marks":1750,"data":1751}," of the past year, some of which used password-spraying and credential-stuffing techniques to compromise accounts and pivot to high-value systems and data.",[],{},{"nodeType":1294,"data":1753,"content":1754},{},[1755],{"nodeType":1293,"value":1756,"marks":1757,"data":1758},"Password reuse also extends the blast radius for any account takeover incident when MFA is missing — a gap that occurs more often than you may think. Typically, 37% of logins observed by Push upon initial deployment into a new customer environment do not use any form of MFA.",[],{},{"nodeType":1439,"data":1760,"content":1761},{},[1762],{"nodeType":1294,"data":1763,"content":1764},{},[1765],{"nodeType":1293,"value":1766,"marks":1767,"data":1768},"2 in 5 logins observed by Push upon initial deployment into a new customer environment do not use any form of MFA.",[],{},{"nodeType":1406,"data":1770,"content":1771},{},[],{"nodeType":1410,"data":1773,"content":1774},{},[1775],{"nodeType":1293,"value":1776,"marks":1777,"data":1778},"Why identity posture matters more in a SaaS-first world",[],{},{"nodeType":1294,"data":1780,"content":1781},{},[1782,1786,1795],{"nodeType":1293,"value":1783,"marks":1784,"data":1785},"When most work now happens via the browser on web-based applications, the stakes are even higher for preventing account takeover. That’s because the way that attacks occur in a SaaS environment is ",[],{},{"nodeType":1330,"data":1787,"content":1789},{"uri":1788},"https://pushsecurity.com/blog/shifting-detection-left-for-more-effective-itdr/",[1790],{"nodeType":1293,"value":1791,"marks":1792,"data":1794},"very different",[1793],{"type":1338},{},{"nodeType":1293,"value":1796,"marks":1797,"data":1798}," from traditional network attacks, and there are few effective ways to detect and respond post-account compromise.",[],{},{"nodeType":1294,"data":1800,"content":1801},{},[1802],{"nodeType":1293,"value":1803,"marks":1804,"data":1805},"The average SaaS attack path looks like this:",[],{},{"nodeType":1487,"data":1807,"content":1808},{},[1809,1819,1829],{"nodeType":1491,"data":1810,"content":1811},{},[1812],{"nodeType":1294,"data":1813,"content":1814},{},[1815],{"nodeType":1293,"value":1816,"marks":1817,"data":1818},"Attackers gain control of legitimate employee accounts using stolen credentials or via password-spraying or credential-stuffing techniques.",[],{},{"nodeType":1491,"data":1820,"content":1821},{},[1822],{"nodeType":1294,"data":1823,"content":1824},{},[1825],{"nodeType":1293,"value":1826,"marks":1827,"data":1828},"Attackers exfiltrate data.",[],{},{"nodeType":1491,"data":1830,"content":1831},{},[1832],{"nodeType":1294,"data":1833,"content":1834},{},[1835],{"nodeType":1293,"value":1836,"marks":1837,"data":1838},"The end.",[],{},{"nodeType":1294,"data":1840,"content":1841},{},[1842],{"nodeType":1293,"value":1843,"marks":1844,"data":1845},"Compare that to traditional network or enterprise cloud attacks, which usually involve more complex lateral movement, privilege escalation, and defense evasion.",[],{},{"nodeType":1294,"data":1847,"content":1848},{},[1849],{"nodeType":1293,"value":1850,"marks":1851,"data":1852},"With limited log data and few response capabilities provided by most SaaS apps, security teams also have few good options to stop the damage of an account takeover once one has occurred. ",[],{},{"nodeType":1294,"data":1854,"content":1855},{},[1856],{"nodeType":1293,"value":1857,"marks":1858,"data":1859},"That’s why at Push, we advocate for “shifting left,” and preventing account takeover before it happens.",[],{},{"nodeType":1373,"data":1861,"content":1865},{"target":1862},{"sys":1863},{"id":1864,"type":1378,"linkType":1379},"6wIzMu3jBhaas9jtpV48bz",[],{"nodeType":1406,"data":1867,"content":1868},{},[],{"nodeType":1410,"data":1870,"content":1871},{},[1872],{"nodeType":1293,"value":1873,"marks":1874,"data":1875},"How Push helps you ensure strong passwords",[],{},{"nodeType":1294,"data":1877,"content":1878},{},[1879],{"nodeType":1293,"value":1880,"marks":1881,"data":1882},"There are four capabilities that security teams need in order to regain control over password security issues across their corporate accounts. Here’s how Push accomplishes each one.",[],{},{"nodeType":1471,"data":1884,"content":1885},{},[1886],{"nodeType":1293,"value":1887,"marks":1888,"data":1890},"1. A reliable inventory of all the apps that employees are using, including work apps and internal apps.",[1889],{"type":1399},{},{"nodeType":1294,"data":1892,"content":1893},{},[1894],{"nodeType":1293,"value":1895,"marks":1896,"data":1897},"Push achieves this by deploying a browser agent to employee browsers that can directly observe their login activity, which feeds the data back into an admin console (or your SIEM/SOAR or other third-party system). You can enforce the installation of the agent using any MDM solution, on all major browsers.",[],{},{"nodeType":1294,"data":1899,"content":1900},{},[1901],{"nodeType":1293,"value":1902,"marks":1903,"data":1904},"Once the agent is activated, it begins immediately capturing employee logins and produces a real-time inventory of all your work and internal apps. Because Push observes the login directly in the browser, it can identify all the apps and accounts being used by your employees — both managed and unmanaged (shadow IT).",[],{},{"nodeType":1294,"data":1906,"content":1907},{},[1908,1912,1917],{"nodeType":1293,"value":1909,"marks":1910,"data":1911},"You can also configure Push to monitor ",[],{},{"nodeType":1293,"value":1913,"marks":1914,"data":1916},"any",[1915],{"type":312},{},{"nodeType":1293,"value":1918,"marks":1919,"data":1920}," login to a work app, regardless of the associated email domain of the employee. This means you can monitor personal account logins to apps that are commonly used for work.",[],{},{"nodeType":1373,"data":1922,"content":1926},{"target":1923},{"sys":1924},{"id":1925,"type":1378,"linkType":1379},"4ctCB7kBscj12BnfHhk3ro",[],{"nodeType":1471,"data":1928,"content":1929},{},[1930],{"nodeType":1293,"value":1931,"marks":1932,"data":1934},"2. A way to identify the login methods an account is using, whether that’s SAML, OIDC, or password.",[1933],{"type":1399},{},{"nodeType":1294,"data":1936,"content":1937},{},[1938],{"nodeType":1293,"value":1939,"marks":1940,"data":1941},"Again, because Push observes the login event, it can analyze the authentication method or methods in use by a given account. Push tells you which SSO accounts still have passwords associated with them, and which authentication methods are being actively used.",[],{},{"nodeType":1373,"data":1943,"content":1947},{"target":1944},{"sys":1945},{"id":1946,"type":1378,"linkType":1379},"pVD238hZ331gjWalDTM1q",[],{"nodeType":1471,"data":1949,"content":1950},{},[1951],{"nodeType":1293,"value":1952,"marks":1953,"data":1955},"3. A method for analyzing whether an employee is using secure passwords on all their accounts.",[1954],{"type":1399},{},{"nodeType":1294,"data":1957,"content":1958},{},[1959,1963,1972],{"nodeType":1293,"value":1960,"marks":1961,"data":1962},"Using Push, you can also check the posture of all your employee accounts. The browser agent accomplishes this by ",[],{},{"nodeType":1330,"data":1964,"content":1966},{"uri":1965},"https://pushsecurity.com/help/10065#start",[1967],{"nodeType":1293,"value":1968,"marks":1969,"data":1971},"creating a salted hash",[1970],{"type":1338},{},{"nodeType":1293,"value":1973,"marks":1974,"data":1975}," of a user’s observed password and then taking the first 8 characters of that hash to store locally in the browser.",[],{},{"nodeType":1294,"data":1977,"content":1978},{},[1979],{"nodeType":1293,"value":1980,"marks":1981,"data":1982},"This allows Push to analyze whether the password is weak (comparing the hash to a list of 10,000 common basewords and common permutations); or reused across accounts.",[],{},{"nodeType":1294,"data":1984,"content":1985},{},[1986,1990,1999,2003,2012],{"nodeType":1293,"value":1987,"marks":1988,"data":1989},"Push can also identify when employee passwords have ",[],{},{"nodeType":1330,"data":1991,"content":1993},{"uri":1992},"https://pushsecurity.com/help/10066#start",[1994],{"nodeType":1293,"value":1995,"marks":1996,"data":1998},"appeared in a public breach list",[1997],{"type":1338},{},{"nodeType":1293,"value":2000,"marks":2001,"data":2002}," using the Have I Been Pwned service, using a k-anonymized hash. Using similar secure methods, Push can detect when employees are sharing account credentials, whether they’re using a ",[],{},{"nodeType":1330,"data":2004,"content":2006},{"uri":2005},"https://pushsecurity.com/help/10085/#start",[2007],{"nodeType":1293,"value":2008,"marks":2009,"data":2011},"password manager",[2010],{"type":1338},{},{"nodeType":1293,"value":2013,"marks":2014,"data":2015},", and which one.",[],{},{"nodeType":1294,"data":2017,"content":2018},{},[2019,2023,2033],{"nodeType":1293,"value":2020,"marks":2021,"data":2022},"Using Push’s ",[],{},{"nodeType":1330,"data":2024,"content":2026},{"uri":2025},"https://pushsecurity.com/blog/verified-stolen-credential-detection/",[2027],{"nodeType":1293,"value":2028,"marks":2029,"data":2032},"Stolen credentials detection",[2030,2031],{"type":1338},{"type":1399},{},{"nodeType":1293,"value":2034,"marks":2035,"data":2036}," feature, you can also get alerted when an employee is using credentials that match those for sale in criminal forums. Push integrates with commercial threat intelligence sources to perform these matches, and you can also bring your own TI using the Push REST API to perform additional checks for in-use stolen creds. This check still happens locally in the browser, so no hashes are sent to third-party systems.",[],{},{"nodeType":1373,"data":2038,"content":2042},{"target":2039},{"sys":2040},{"id":2041,"type":1378,"linkType":1379},"6wfLCTzvHeMzagyuEWGyJg",[],{"nodeType":1294,"data":2044,"content":2045},{},[2046,2050,2059],{"nodeType":1293,"value":2047,"marks":2048,"data":2049},"If you configure Push to also monitor for employees who are logging in to work apps using ",[],{},{"nodeType":1330,"data":2051,"content":2053},{"uri":2052},"https://pushsecurity.com/help/10105#start",[2054],{"nodeType":1293,"value":2055,"marks":2056,"data":2058},"personal email addresses",[2057],{"type":1338},{},{"nodeType":1293,"value":2060,"marks":2061,"data":2062}," or any non-corporate email, Push can identify when personal accounts and work accounts are reusing passwords for the same work application.",[],{},{"nodeType":1294,"data":2064,"content":2065},{},[2066,2070,2079],{"nodeType":1293,"value":2067,"marks":2068,"data":2069},"Using the Push ",[],{},{"nodeType":1330,"data":2071,"content":2073},{"uri":2072},"https://pushsecurity.com/help/audience/administrators/docs/getting-started/#api-and-webhooks",[2074],{"nodeType":1293,"value":2075,"marks":2076,"data":2078},"REST API and webhooks",[2077],{"type":1338},{},{"nodeType":1293,"value":2080,"marks":2081,"data":2082},", you can get alerted when Push raises a security finding for an account, and when a finding is resolved.",[],{},{"nodeType":1471,"data":2084,"content":2085},{},[2086],{"nodeType":1293,"value":2087,"marks":2088,"data":2090},"4. The ability to solve any issues at scale, including remediating bad passwords and enforcing MFA, even on apps where the security team doesn’t have administrative control.",[2089],{"type":1399},{},{"nodeType":1294,"data":2092,"content":2093},{},[2094],{"nodeType":1293,"value":2095,"marks":2096,"data":2097},"Finally, you can enforce self-remediation workflows using Push’s position in the browser, right where employees are working. ",[],{},{"nodeType":1294,"data":2099,"content":2100},{},[2101],{"nodeType":1293,"value":2102,"marks":2103,"data":2104},"Push recently released a new in-browser control to enforce strong passwords. It works by detecting when an employee has a password security issue, and then prompting them to update their password by displaying a customizable banner message when they log in to the affected account.",[],{},{"nodeType":1373,"data":2106,"content":2110},{"target":2107},{"sys":2108},{"id":2109,"type":1378,"linkType":1379},"4IfBLaE66CJSsb5h44vSNp",[],{"nodeType":1294,"data":2112,"content":2113},{},[2114,2118,2127],{"nodeType":1293,"value":2115,"marks":2116,"data":2117},"This control complements an existing ",[],{},{"nodeType":1330,"data":2119,"content":2121},{"uri":2120},"https://pushsecurity.com/blog/enforce-mfa-on-third-party-apps/",[2122],{"nodeType":1293,"value":2123,"marks":2124,"data":2126},"MFA enforcement",[2125],{"type":1338},{},{"nodeType":1293,"value":2128,"marks":2129,"data":2130}," guardrail, which uses a similar workflow to prompt employees to register for MFA on apps where it’s missing.",[],{},{"nodeType":1406,"data":2132,"content":2133},{},[],{"nodeType":1410,"data":2135,"content":2136},{},[2137],{"nodeType":1293,"value":2138,"marks":2139,"data":2141},"A closer look at password enforcement",[2140],{"type":1399},{},{"nodeType":1294,"data":2143,"content":2144},{},[2145,2149,2153],{"nodeType":1293,"value":2146,"marks":2147,"data":2148},"In the spirit of helping users do the right thing, we designed the",[],{},{"nodeType":1293,"value":1619,"marks":2150,"data":2152},[2151],{"type":1399},{},{"nodeType":1293,"value":2154,"marks":2155,"data":2156},"password enforcement control to meet users where they are, in the most relevant context where they can fix the problem. ",[],{},{"nodeType":1294,"data":2158,"content":2159},{},[2160],{"nodeType":1293,"value":2161,"marks":2162,"data":2163},"Because this control is powered by the Push browser agent, security teams don’t need administrative control over every app where password accounts exist — which often isn’t practical for all the reasons we reviewed earlier. Instead, they can use Push to prompt employees to fix the issue themselves.",[],{},{"nodeType":1294,"data":2165,"content":2166},{},[2167],{"nodeType":1293,"value":2168,"marks":2169,"data":2170},"Here’s a closer look at how it works:",[],{},{"nodeType":1487,"data":2172,"content":2173},{},[2174,2201,2211],{"nodeType":1491,"data":2175,"content":2176},{},[2177],{"nodeType":1294,"data":2178,"content":2179},{},[2180,2184,2188,2192,2197],{"nodeType":1293,"value":2181,"marks":2182,"data":2183},"You can enable ",[],{},{"nodeType":1293,"value":1396,"marks":2185,"data":2187},[2186],{"type":1399},{},{"nodeType":1293,"value":2189,"marks":2190,"data":2191}," from the tile on the ",[],{},{"nodeType":1293,"value":2193,"marks":2194,"data":2196},"Controls",[2195],{"type":1399},{},{"nodeType":1293,"value":2198,"marks":2199,"data":2200}," page of the Push admin console. ",[],{},{"nodeType":1491,"data":2202,"content":2203},{},[2204],{"nodeType":1294,"data":2205,"content":2206},{},[2207],{"nodeType":1293,"value":2208,"marks":2209,"data":2210},"Using the rule editor, select whether you want to apply the control for all employees, or just specific groups or individuals, and which apps it should apply to. You can also select which types of password security issues you want to prompt users about.",[],{},{"nodeType":1491,"data":2212,"content":2213},{},[2214],{"nodeType":1294,"data":2215,"content":2216},{},[2217],{"nodeType":1293,"value":2218,"marks":2219,"data":2220},"Then customize the message that employees will see. Push will then automatically display the banner based on your criteria. Where possible, Push will include a link in the banner that takes employees directly to the page in the app where they can change their password — or you can add a link yourself.",[],{},{"nodeType":1373,"data":2222,"content":2226},{"target":2223},{"sys":2224},{"id":2225,"type":1378,"linkType":1379},"shpVOAMlk7OE1mWrE9h8S",[],{"nodeType":1294,"data":2228,"content":2229},{},[2230],{"nodeType":1293,"value":2231,"marks":2232,"data":2233},"Once the password has been changed and Push verifies that the new password is strong, you’ll see the security finding cleared from the account record in the admin console and the banner will no longer display to the end-user.",[],{},{"nodeType":1294,"data":2235,"content":2236},{},[2237],{"nodeType":1293,"value":2238,"marks":2239,"data":2240},"Push also sends webhook events when:",[],{},{"nodeType":1487,"data":2242,"content":2243},{},[2244,2254,2264,2274],{"nodeType":1491,"data":2245,"content":2246},{},[2247],{"nodeType":1294,"data":2248,"content":2249},{},[2250],{"nodeType":1293,"value":2251,"marks":2252,"data":2253},"A banner is displayed",[],{},{"nodeType":1491,"data":2255,"content":2256},{},[2257],{"nodeType":1294,"data":2258,"content":2259},{},[2260],{"nodeType":1293,"value":2261,"marks":2262,"data":2263},"A user clicks the link in the banner to take action",[],{},{"nodeType":1491,"data":2265,"content":2266},{},[2267],{"nodeType":1294,"data":2268,"content":2269},{},[2270],{"nodeType":1293,"value":2271,"marks":2272,"data":2273},"A password is updated",[],{},{"nodeType":1491,"data":2275,"content":2276},{},[2277],{"nodeType":1294,"data":2278,"content":2279},{},[2280],{"nodeType":1293,"value":2281,"marks":2282,"data":2283},"A password security finding is resolved",[],{},{"nodeType":1406,"data":2285,"content":2286},{},[],{"nodeType":1410,"data":2288,"content":2289},{},[2290],{"nodeType":1293,"value":2291,"marks":2292,"data":2294},"Where to begin",[2293],{"type":1399},{},{"nodeType":1294,"data":2296,"content":2297},{},[2298],{"nodeType":1293,"value":2299,"marks":2300,"data":2301},"Most organizations we work with deploy the Push agent first to get an initial understanding of their attack surface and account posture issues. Then we recommend enabling the one-two punch of MFA and strong password enforcement guardrails. You can use both controls in tandem, and Push will first seek to resolve the password issues on a given account, and then prompt the user to register for MFA.",[],{},{"nodeType":1406,"data":2303,"content":2304},{},[],{"nodeType":1410,"data":2306,"content":2307},{},[2308],{"nodeType":1293,"value":2309,"marks":2310,"data":2311},"Find out more",[],{},{"nodeType":1294,"data":2313,"content":2314},{},[2315,2319,2328],{"nodeType":1293,"value":2316,"marks":2317,"data":2318},"If you want to learn more about how Push helps you to detect and defeat common identity attack techniques like AiTM phishing, credential stuffing, and session hijacking while improving your workforce identity posture, book some time with one of our team for a ",[],{},{"nodeType":1330,"data":2320,"content":2322},{"uri":2321},"https://pushsecurity.com/demo/",[2323],{"nodeType":1293,"value":2324,"marks":2325,"data":2327},"live demo",[2326],{"type":1338},{},{"nodeType":1293,"value":2329,"marks":2330,"data":2331},".",[],{},"Introducing Push password enforcement — for when weak passwords are still plaguing you","Detects when employees have weak, reused, or stolen passwords and guide them to update their password using in-browser messaging on any app. ","introducing-strong-password-enforcement",{"items":2336},[2337,2341],{"sys":2338,"name":2340},{"id":2339},"3pjES4THCIfSAwhGdNwBcy","Identity security",{"sys":2342,"name":1307},{"id":1306},{"items":2344},[2345],{"fullName":2346,"firstName":2347,"jobTitle":2348,"profilePicture":2349},"Kelly Davenport","Kelly","Product Team",{"url":2350},"https://images.ctfassets.net/y1cdw1ablpvd/1hi8bEuVfn5sF57LivAq6d/9a3b82426c697d765e2e450e33a18424/kelly_profile_pic.jpeg",{"__typename":1315,"sys":2352,"content":2354,"title":3147,"synopsis":3148,"hashTags":118,"publishedDate":3149,"slug":3150,"tagsCollection":3151,"authorsCollection":3155},{"id":2353},"PAPJPr3CIB6J20udYyy1r",{"json":2355},{"data":2356,"content":2357,"nodeType":1295},{},[2358,2364,2384,2391,2398,2404,2407,2415,2422,2442,2453,2460,2467,2474,2567,2570,2578,2661,2667,2670,2678,2686,2693,2700,2708,2726,2733,2741,2748,2755,2763,2770,2777,2797,2803,2806,2814,2822,2829,2932,2939,2947,2954,2961,2967,2975,2982,2989,2996,3004,3011,3018,3025,3032,3038,3041,3049,3056,3089,3096,3115,3135,3141],{"data":2359,"content":2363,"nodeType":1373},{"target":2360},{"sys":2361},{"id":2362,"type":1378,"linkType":1379},"1eBClNW4NOR66F0tl9h6lD",[],{"data":2365,"content":2366,"nodeType":1294},{},[2367,2371,2380],{"data":2368,"marks":2369,"value":2370,"nodeType":1293},{},[],"The attacks on Snowflake customers in 2024 collectively constituted the biggest cyber security event of the year in terms of the number of organizations and individuals affected (at least, if you exclude CrowdStrike causing a worldwide outage in July) — certainly, it was the largest perpetrated by a criminal group against commercial enterprises. It has been touted by some news outlets as ‘",{"data":2372,"content":2374,"nodeType":1330},{"uri":2373},"https://www.wired.com/story/snowflake-breach-advanced-auto-parts-lendingtree/",[2375],{"data":2376,"marks":2377,"value":2379,"nodeType":1293},{},[2378],{"type":1338},"one of the biggest breaches ever",{"data":2381,"marks":2382,"value":2383,"nodeType":1293},{},[],"’.  ",{"data":2385,"content":2386,"nodeType":1294},{},[2387],{"data":2388,"marks":2389,"value":2390,"nodeType":1293},{},[],"Snowflake was a watershed moment that signalled the significant opportunity presented by identity attacks on cloud services. It demonstrated how comparatively unsophisticated methods (logging in to user accounts with stolen credentials and dumping the data) can have the same or greater impact as a traditional network or endpoint based cyber attack involving vulnerability exploitation, malware deployment, ransomware, etc. ",{"data":2392,"content":2393,"nodeType":1294},{},[2394],{"data":2395,"marks":2396,"value":2397,"nodeType":1293},{},[],"Here’s everything you need to know about the Snowflake attacks — and what you can do to protect yourself against the next Snowflake in the future.",{"data":2399,"content":2403,"nodeType":1373},{"target":2400},{"sys":2401},{"id":2402,"type":1378,"linkType":1379},"4QoPUiP5q6Mwj1eWUZT15Q",[],{"data":2405,"content":2406,"nodeType":1406},{},[],{"data":2408,"content":2409,"nodeType":1410},{},[2410],{"data":2411,"marks":2412,"value":2414,"nodeType":1293},{},[2413],{"type":1399},"Snowflake: The facts",{"data":2416,"content":2417,"nodeType":1294},{},[2418],{"data":2419,"marks":2420,"value":2421,"nodeType":1293},{},[],"Cyber criminals associated with the threat group known as ShinyHunters claimed responsibility for breaching multiple organizations using Snowflake, a cloud-based data warehousing and analytics platform. ",{"data":2423,"content":2424,"nodeType":1294},{},[2425,2429,2438],{"data":2426,"marks":2427,"value":2428,"nodeType":1293},{},[],"ShinyHunters associates targeted ~165 organizations that were subjected to account takeover attacks using stolen credentials harvested from historical infostealer infections dating back as far as 2020, ",{"data":2430,"content":2432,"nodeType":1330},{"uri":2431},"https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion",[2433],{"data":2434,"marks":2435,"value":2437,"nodeType":1293},{},[2436],{"type":1338},"according to Mandiant’s investigation",{"data":2439,"marks":2440,"value":2441,"nodeType":1293},{},[],". ",{"data":2443,"content":2444,"nodeType":1439},{},[2445],{"data":2446,"content":2447,"nodeType":1294},{},[2448],{"data":2449,"marks":2450,"value":2452,"nodeType":1293},{},[2451],{"type":1399},">80% of the compromised accounts belonging to Snowflake customers had prior credential exposure. ",{"data":2454,"content":2455,"nodeType":1294},{},[2456],{"data":2457,"marks":2458,"value":2459,"nodeType":1293},{},[],"The impacted accounts lacked MFA, meaning successful authentication only required a valid username and password. As the Snowflake credentials found in infostealer malware credential dumps had not been rotated or updated, they remained valid and could be used to authenticate to user accounts on Snowflake tenants belonging to various customers.",{"data":2461,"content":2462,"nodeType":1294},{},[2463],{"data":2464,"marks":2465,"value":2466,"nodeType":1293},{},[],"As a data warehousing platform integrated with a range of connected cloud services, access to a customer’s Snowflake tenant provided attackers with large quantities of sensitive commercial and personal data that could be stolen and monetized by attackers in a variety of ways — such as by ransoming the victim organization, extorting individual end-customers, and selling the data on to other criminal organizations. ",{"data":2468,"content":2469,"nodeType":1294},{},[2470],{"data":2471,"marks":2472,"value":2473,"nodeType":1293},{},[],"In total, 9 public victims were named following the breach, collectively impacting hundreds of millions of people. ",{"data":2475,"content":2476,"nodeType":1487},{},[2477,2487,2497,2507,2517,2527,2537,2547,2557],{"data":2478,"content":2479,"nodeType":1491},{},[2480],{"data":2481,"content":2482,"nodeType":1294},{},[2483],{"data":2484,"marks":2485,"value":2486,"nodeType":1293},{},[],"Lending Tree: Sensitive data for over 190 million people available online including customer details, partial credit card numbers, insurance quotes and other information, being sold for $2m.",{"data":2488,"content":2489,"nodeType":1491},{},[2490],{"data":2491,"content":2492,"nodeType":1294},{},[2493],{"data":2494,"marks":2495,"value":2496,"nodeType":1293},{},[],"Truist Bank: Information belonging to 65,000 employees being sold online for $1m",{"data":2498,"content":2499,"nodeType":1491},{},[2500],{"data":2501,"content":2502,"nodeType":1294},{},[2503],{"data":2504,"marks":2505,"value":2506,"nodeType":1293},{},[],"Advance Auto Parts: 3TB of data for sale for $1.5 million. Affected 2.3 million people, as well as current and former employees and job applicants.",{"data":2508,"content":2509,"nodeType":1491},{},[2510],{"data":2511,"content":2512,"nodeType":1294},{},[2513],{"data":2514,"marks":2515,"value":2516,"nodeType":1293},{},[],"Pure Storage: Workspace with 11k customer records including company, email, LDAP username and software version numbers.",{"data":2518,"content":2519,"nodeType":1491},{},[2520],{"data":2521,"content":2522,"nodeType":1294},{},[2523],{"data":2524,"marks":2525,"value":2526,"nodeType":1293},{},[],"Los Angeles Unified: Student data, disability information, discipline details, and parent information, being sold online for $150k.",{"data":2528,"content":2529,"nodeType":1491},{},[2530],{"data":2531,"content":2532,"nodeType":1294},{},[2533],{"data":2534,"marks":2535,"value":2536,"nodeType":1293},{},[],"Neiman Marcus: 31m email addresses exposed alongside various personal information.",{"data":2538,"content":2539,"nodeType":1491},{},[2540],{"data":2541,"content":2542,"nodeType":1294},{},[2543],{"data":2544,"marks":2545,"value":2546,"nodeType":1293},{},[],"Santander: 30 million customer details for sale relating to customers of Santander Chile, Spain, and Uruguay.",{"data":2548,"content":2549,"nodeType":1491},{},[2550],{"data":2551,"content":2552,"nodeType":1294},{},[2553],{"data":2554,"marks":2555,"value":2556,"nodeType":1293},{},[],"Ticketmaster: 560 million customer details for sale, disruption to events and ticketing worldwide, increasing in scam ticket production.",{"data":2558,"content":2559,"nodeType":1491},{},[2560],{"data":2561,"content":2562,"nodeType":1294},{},[2563],{"data":2564,"marks":2565,"value":2566,"nodeType":1293},{},[],"AT&T: Call logs stolen for approximately 109 million customers (nearly all of its mobile customers). AT&T paid an undisclosed ransom fee. ",{"data":2568,"content":2569,"nodeType":1406},{},[],{"data":2571,"content":2572,"nodeType":1410},{},[2573],{"data":2574,"marks":2575,"value":2577,"nodeType":1293},{},[2576],{"type":1399},"The Snowflake attacks step-by-step",{"data":2579,"content":2580,"nodeType":1487},{},[2581,2591,2601,2611,2621,2631,2641,2651],{"data":2582,"content":2583,"nodeType":1491},{},[2584],{"data":2585,"content":2586,"nodeType":1294},{},[2587],{"data":2588,"marks":2589,"value":2590,"nodeType":1293},{},[],"Snowflake users were infected with infostealer malware that harvested credentials from user devices over an extended period via several infostealer malware variants, including; VIDAR, RISEPRO, REDLINE, RACOON STEALER, LUMMA and METASTEALER.",{"data":2592,"content":2593,"nodeType":1491},{},[2594],{"data":2595,"content":2596,"nodeType":1294},{},[2597],{"data":2598,"marks":2599,"value":2600,"nodeType":1293},{},[],"Credentials appeared on criminal marketplaces e.g. dark web forums and Telegram channels.",{"data":2602,"content":2603,"nodeType":1491},{},[2604],{"data":2605,"content":2606,"nodeType":1294},{},[2607],{"data":2608,"marks":2609,"value":2610,"nodeType":1293},{},[],"ShinyHunters saw the potential in targeting Snowflake users, based on the availability of credentials, number of customer organizations, and the value of the data that can be accessed in Snowflake. ",{"data":2612,"content":2613,"nodeType":1491},{},[2614],{"data":2615,"content":2616,"nodeType":1294},{},[2617],{"data":2618,"marks":2619,"value":2620,"nodeType":1293},{},[],"ShinyHunters embarked on a large-scale campaign targeting Snowflake customer accounts using previously breached credentials. ",{"data":2622,"content":2623,"nodeType":1491},{},[2624],{"data":2625,"content":2626,"nodeType":1294},{},[2627],{"data":2628,"marks":2629,"value":2630,"nodeType":1293},{},[],"ShinyHunters accessed user accounts that lacked MFA, belonging to approximately 165 Snowflake customers. ",{"data":2632,"content":2633,"nodeType":1491},{},[2634],{"data":2635,"content":2636,"nodeType":1294},{},[2637],{"data":2638,"marks":2639,"value":2640,"nodeType":1293},{},[],"ShinyHunters used SQL-based reconnaissance, staging, and data exfiltration techniques, expedited by custom hacker tooling developed specifically for Snowflake, to conduct attacks at scale.",{"data":2642,"content":2643,"nodeType":1491},{},[2644],{"data":2645,"content":2646,"nodeType":1294},{},[2647],{"data":2648,"marks":2649,"value":2650,"nodeType":1293},{},[],"ShinyHunters acquired massive quantities of Snowflake data based on the information that each customer stored in Snowflake or connected apps. ",{"data":2652,"content":2653,"nodeType":1491},{},[2654],{"data":2655,"content":2656,"nodeType":1294},{},[2657],{"data":2658,"marks":2659,"value":2660,"nodeType":1293},{},[],"ShinyHunters began attempts to extort Snowflake and end-customers using the data acquired.",{"data":2662,"content":2666,"nodeType":1373},{"target":2663},{"sys":2664},{"id":2665,"type":1378,"linkType":1379},"2J92gFLs1wAAGC4nQTaiWu",[],{"data":2668,"content":2669,"nodeType":1406},{},[],{"data":2671,"content":2672,"nodeType":1410},{},[2673],{"data":2674,"marks":2675,"value":2677,"nodeType":1293},{},[2676],{"type":1399},"Why did the Snowflake breaches happen?",{"data":2679,"content":2680,"nodeType":1471},{},[2681],{"data":2682,"marks":2683,"value":2685,"nodeType":1293},{},[2684],{"type":1399},"Stolen credentials remained valid for years",{"data":2687,"content":2688,"nodeType":1294},{},[2689],{"data":2690,"marks":2691,"value":2692,"nodeType":1293},{},[],"The credentials used to access Snowflake accounts from historical infostealer infections had not been changed or rotated despite dating back as far as 2020, and remained valid. ",{"data":2694,"content":2695,"nodeType":1294},{},[2696],{"data":2697,"marks":2698,"value":2699,"nodeType":1293},{},[],"This highlights the potential risk of breached credentials already in the public domain, particularly in the case of cloud services like Snowflake that may not be subject to the same levels of credential hygiene as other traditional enterprise domain accounts. ",{"data":2701,"content":2702,"nodeType":1471},{},[2703],{"data":2704,"marks":2705,"value":2707,"nodeType":1293},{},[2706],{"type":1399},"Local logins lacked MFA ",{"data":2709,"content":2710,"nodeType":1294},{},[2711,2715,2723],{"data":2712,"marks":2713,"value":2714,"nodeType":1293},{},[],"Even where organizations were primarily encouraging employees to use SSO to access their Snowflake tenant, previously created local logins with a username and password continue to exist even after introducing SSO-based logins. Further, MFA was not globally enforceable at the application level, meaning that MFA was only set when logging into an IdP account for SSO, but not for local logins. We call this problem ",{"data":2716,"content":2718,"nodeType":1330},{"uri":2717},"https://pushsecurity.com/blog/ghost-logins-when-forgotten-identities-come-back-to-haunt-you/",[2719],{"data":2720,"marks":2721,"value":1539,"nodeType":1293},{},[2722],{"type":1338},{"data":2724,"marks":2725,"value":2441,"nodeType":1293},{},[],{"data":2727,"content":2728,"nodeType":1294},{},[2729],{"data":2730,"marks":2731,"value":2732,"nodeType":1293},{},[],"This meant that attackers were able to take over Snowflake accounts with only a single authentication factor (username & password). ",{"data":2734,"content":2735,"nodeType":1471},{},[2736],{"data":2737,"marks":2738,"value":2740,"nodeType":1293},{},[2739],{"type":1399},"Snowflake was a high-value target used by many organizations",{"data":2742,"content":2743,"nodeType":1294},{},[2744],{"data":2745,"marks":2746,"value":2747,"nodeType":1293},{},[],"As a data warehousing platform used by a vast number of organizations, Snowflake represented a high-value target based on the data typically stored within it, and the repeatable way in which Snowflake users could be targeted. ",{"data":2749,"content":2750,"nodeType":1294},{},[2751],{"data":2752,"marks":2753,"value":2754,"nodeType":1293},{},[],"The attacker followed a near identical process when targeting Snowflake victims, meaning it could be scripted and executed at scale, with attacks taking a matter of minutes. ",{"data":2756,"content":2757,"nodeType":1471},{},[2758],{"data":2759,"marks":2760,"value":2762,"nodeType":1293},{},[2761],{"type":1399},"Infostealer infections are driving credential availability",{"data":2764,"content":2765,"nodeType":1294},{},[2766],{"data":2767,"marks":2768,"value":2769,"nodeType":1293},{},[],"Infostealers are often seen as a low-priority issue, but are the primary source of stolen credentials used in campaigns like this one. ",{"data":2771,"content":2772,"nodeType":1294},{},[2773],{"data":2774,"marks":2775,"value":2776,"nodeType":1293},{},[],"EDR is a strong protection but is often bypassed by infostealers as attackers continually modify them to bypass security controls. Further, unmanaged devices such as those used by third-party contractors or BYOD employees often lack the robust controls applied to company-managed devices and are naturally more susceptible to infostealer attacks. And since browser profiles can be synced across devices, even personal device compromises can result in the capture of corporate credentials.  ",{"data":2778,"content":2779,"nodeType":1294},{},[2780,2784,2793],{"data":2781,"marks":2782,"value":2783,"nodeType":1293},{},[],"There is some suggestion that targeting key third-party suppliers – ",{"data":2785,"content":2787,"nodeType":1330},{"uri":2786},"https://www.wired.com/story/epam-snowflake-ticketmaster-breach-shinyhunters/",[2788],{"data":2789,"marks":2790,"value":2792,"nodeType":1293},{},[2791],{"type":1338},"such as EPAM Systems, a software engineering firm and Snowflake ‘Elite Tier Partner’",{"data":2794,"marks":2795,"value":2796,"nodeType":1293},{},[]," – provided some of the access to Snowflake customers needed. It’s unclear what came first, but it’s possible (likely, even) that EPAM was identified as a target specifically because of its lucrative customer base and Snowflake credentials — adding another indicator that Snowflake was potentially a premeditated attack inspired by the availability of Snowflake credentials online.",{"data":2798,"content":2802,"nodeType":1373},{"target":2799},{"sys":2800},{"id":2801,"type":1378,"linkType":1379},"4D0gjt5oJLNKJH8GzjP8Je",[],{"data":2804,"content":2805,"nodeType":1406},{},[],{"data":2807,"content":2808,"nodeType":1410},{},[2809],{"data":2810,"marks":2811,"value":2813,"nodeType":1293},{},[2812],{"type":1399},"Key takeaways from the Snowflake attacks",{"data":2815,"content":2816,"nodeType":1471},{},[2817],{"data":2818,"marks":2819,"value":2821,"nodeType":1293},{},[2820],{"type":1399},"Securing your IdP accounts is not enough",{"data":2823,"content":2824,"nodeType":1294},{},[2825],{"data":2826,"marks":2827,"value":2828,"nodeType":1293},{},[],"SSO can help reduce your identity attack surface, but it's not feasible to get every workforce identity behind it.",{"data":2830,"content":2831,"nodeType":1487},{},[2832,2854,2875,2910],{"data":2833,"content":2834,"nodeType":1491},{},[2835],{"data":2836,"content":2837,"nodeType":1294},{},[2838,2842,2850],{"data":2839,"marks":2840,"value":2841,"nodeType":1293},{},[],"Only 1 in 3 apps support SAML SSO, and those that offer it often charge more for it; the “",{"data":2843,"content":2845,"nodeType":1330},{"uri":2844},"https://ssotax.org/",[2846],{"data":2847,"marks":2848,"value":1647,"nodeType":1293},{},[2849],{"type":1338},{"data":2851,"marks":2852,"value":2853,"nodeType":1293},{},[],"”.",{"data":2855,"content":2856,"nodeType":1491},{},[2857],{"data":2858,"content":2859,"nodeType":1294},{},[2860,2864,2872],{"data":2861,"marks":2862,"value":2863,"nodeType":1293},{},[],"Many apps are self-adopted by employees, leaving security teams unaware and unable to enforce SSO.  The typical organization has ",{"data":2865,"content":2866,"nodeType":1330},{"uri":1508},[2867],{"data":2868,"marks":2869,"value":2871,"nodeType":1293},{},[2870],{"type":1338},"hundreds of apps and thousands of unmanaged identities outside of SSO",{"data":2873,"marks":2874,"value":2329,"nodeType":1293},{},[],{"data":2876,"content":2877,"nodeType":1491},{},[2878],{"data":2879,"content":2880,"nodeType":1294},{},[2881,2885,2893,2897,2906],{"data":2882,"marks":2883,"value":2884,"nodeType":1293},{},[],"Most apps do not prevent users from creating additional \"",{"data":2886,"content":2887,"nodeType":1330},{"uri":2717},[2888],{"data":2889,"marks":2890,"value":2892,"nodeType":1293},{},[2891],{"type":1338},"ghost login",{"data":2894,"marks":2895,"value":2896,"nodeType":1293},{},[],"\" methods outside of SSO (especially by default), accounting for around ",{"data":2898,"content":2900,"nodeType":1330},{"uri":2899},"https://pushsecurity.com/blog/how-many-vulnerable-identities-do-you-have/#id-identity-configurations-and-how-they-can-be-exploited_id-many-accounts-lack-the-most-basic-protections",[2901],{"data":2902,"marks":2903,"value":2905,"nodeType":1293},{},[2904],{"type":1338},"10% of all identities",{"data":2907,"marks":2908,"value":2909,"nodeType":1293},{},[]," observed by Push. ",{"data":2911,"content":2912,"nodeType":1491},{},[2913],{"data":2914,"content":2915,"nodeType":1294},{},[2916,2920,2928],{"data":2917,"marks":2918,"value":2919,"nodeType":1293},{},[],"In total, we identified that ",{"data":2921,"content":2922,"nodeType":1330},{"uri":1508},[2923],{"data":2924,"marks":2925,"value":2927,"nodeType":1293},{},[2926],{"type":1338},"37% (2 in 5) accounts have a password login set with no MFA",{"data":2929,"marks":2930,"value":2931,"nodeType":1293},{},[],", while 9% have no MFA AND a weak, breached, or reused password.",{"data":2933,"content":2934,"nodeType":1294},{},[2935],{"data":2936,"marks":2937,"value":2938,"nodeType":1293},{},[],"So, relying on locked-down IdP accounts and maximising the use of SSO is an important pillar of an effective identity security strategy, but there will always be gaps. Unless you recognize this, you may be blindsided by attackers finding them before you do. ",{"data":2940,"content":2941,"nodeType":1471},{},[2942],{"data":2943,"marks":2944,"value":2946,"nodeType":1293},{},[2945],{"type":1399},"The threat of infostealers and stolen credentials needs to be taken seriously",{"data":2948,"content":2949,"nodeType":1294},{},[2950],{"data":2951,"marks":2952,"value":2953,"nodeType":1293},{},[],"Breached credentials appearing online is not always seen as a top priority for security teams, particularly when there’s so much noise from all of the outdated or simply erroneous findings (anyone that’s ever subscribed to a credential TI feed knows the pain of this). ",{"data":2955,"content":2956,"nodeType":1294},{},[2957],{"data":2958,"marks":2959,"value":2960,"nodeType":1293},{},[],"But Snowflake serves as a stark reminder that despite all the false positives, stolen credentials are sometimes valid — and when weaponized at-scale they can be a powerful tool for attackers. ",{"data":2962,"content":2966,"nodeType":1373},{"target":2963},{"sys":2964},{"id":2965,"type":1378,"linkType":1379},"4EODpwKsqNivpvP2yMtZCd",[],{"data":2968,"content":2969,"nodeType":1471},{},[2970],{"data":2971,"marks":2972,"value":2974,"nodeType":1293},{},[2973],{"type":1399},"Don’t rely on third-parties to protect your identities for you",{"data":2976,"content":2977,"nodeType":1294},{},[2978],{"data":2979,"marks":2980,"value":2981,"nodeType":1293},{},[],"Snowflake came under fire following the attacks for not enabling MFA by default, or giving security teams sufficient tools to deal with the incident. ",{"data":2983,"content":2984,"nodeType":1294},{},[2985],{"data":2986,"marks":2987,"value":2988,"nodeType":1293},{},[],"This is perhaps justifiable, but is hardly the exception. Very few apps enforce MFA by default or provide a global MFA enforcement mechanism. Most don’t even provide audit logs (and when they do, the scope of logging is pretty limited). And we regularly encounter apps that don’t give you any information about account configuration as an admin — like which accounts have MFA, or the login methods that they’re using (e.g. SSO via SAML, SSO via OIDC, password, which IdPs are being used…) which is essential information to be able to secure your identity attack surface. ",{"data":2990,"content":2991,"nodeType":1294},{},[2992],{"data":2993,"marks":2994,"value":2995,"nodeType":1293},{},[],"Yes, it would be great if app vendors put security first and made controls available by default, for all customers (not just the premium ones). But in the absence of an industrywide shift toward security-first product development, it’s important that organizations don’t just point the finger at service providers — and take matters into their own hands when it comes to securing their user identities. ",{"data":2997,"content":2998,"nodeType":1471},{},[2999],{"data":3000,"marks":3001,"value":3003,"nodeType":1293},{},[3002],{"type":1399},"This isn’t a specific Snowflake problem — it could have been any application",{"data":3005,"content":3006,"nodeType":1294},{},[3007],{"data":3008,"marks":3009,"value":3010,"nodeType":1293},{},[],"While Snowflake was admittedly a high-value target because of the data it collected, apps with sensitive data (or with integrations connecting them to data collected in adjacent apps) are not in short supply. ",{"data":3012,"content":3013,"nodeType":1294},{},[3014],{"data":3015,"marks":3016,"value":3017,"nodeType":1293},{},[],"If we accept that many other apps are similarly desirable targets, then we should also consider that it’s unlikely that Snowflake is the only app that has valid credentials sitting around on the internet, waiting to be weaponized by criminals. Equally, it’s not the only app that doesn’t require mandatory MFA for user accounts, as we discussed above. The next Snowflake is likely to lurk in the same breached datasets, possibly even using the same credentials.",{"data":3019,"content":3020,"nodeType":1294},{},[3021],{"data":3022,"marks":3023,"value":3024,"nodeType":1293},{},[],"There’s been a clear increase in the number of infostealer and stolen credential related breaches and news stories since Snowflake as attackers wise up to the potential opportunity and start seeing the dollar signs. It would be naive to think that this was a one off event — the next Snowflake is probably not too far away. ",{"data":3026,"content":3027,"nodeType":1294},{},[3028],{"data":3029,"marks":3030,"value":3031,"nodeType":1293},{},[],"For a deep-dive analysis of the impact of Snowflake, check out our on-demand webinar from earlier this year.",{"data":3033,"content":3037,"nodeType":1373},{"target":3034},{"sys":3035},{"id":3036,"type":1378,"linkType":1379},"7LkU5DqE9HJ1PQu9BTg6Mw",[],{"data":3039,"content":3040,"nodeType":1406},{},[],{"data":3042,"content":3043,"nodeType":1410},{},[3044],{"data":3045,"marks":3046,"value":3048,"nodeType":1293},{},[3047],{"type":1399},"How to protect yourself from the next Snowflake using Push",{"data":3050,"content":3051,"nodeType":1294},{},[3052],{"data":3053,"marks":3054,"value":3055,"nodeType":1293},{},[],"Organizations looking to reduce their exposure to account takeover using stolen credentials should look to:",{"data":3057,"content":3058,"nodeType":1487},{},[3059,3069,3079],{"data":3060,"content":3061,"nodeType":1491},{},[3062],{"data":3063,"content":3064,"nodeType":1294},{},[3065],{"data":3066,"marks":3067,"value":3068,"nodeType":1293},{},[],"Identify the apps being used across the business and locate vulnerable workforce identities using weak, breached, or reused credentials, and missing MFA. Where SSO is the preferred login method, local username & password logins should ideally be removed. ",{"data":3070,"content":3071,"nodeType":1491},{},[3072],{"data":3073,"content":3074,"nodeType":1294},{},[3075],{"data":3076,"marks":3077,"value":3078,"nodeType":1293},{},[],"Where credentials appear in third-party data breaches, verify where they are still valid and ensure that the credentials are changed. ",{"data":3080,"content":3081,"nodeType":1491},{},[3082],{"data":3083,"content":3084,"nodeType":1294},{},[3085],{"data":3086,"marks":3087,"value":3088,"nodeType":1293},{},[],"Detect unauthorized access to workforce identities where sessions are initiated or resumed from unusual or unexpected locations. It should be noted that while this is a fairly common feature for larger enterprise cloud platforms with configurable access control policies, this is not typically possible for most SaaS applications.  ",{"data":3090,"content":3091,"nodeType":1294},{},[3092],{"data":3093,"marks":3094,"value":3095,"nodeType":1293},{},[],"All of these use cases can be achieved using Push. The Push browser extension detects all logins performed in employee browsers, capturing granular information about the login method and MFA types used, and enriching this data by integrating with your preferred IdP.",{"data":3097,"content":3098,"nodeType":1294},{},[3099,3103,3111],{"data":3100,"marks":3101,"value":3102,"nodeType":1293},{},[],"Push’s ",{"data":3104,"content":3106,"nodeType":1330},{"uri":3105},"https://pushsecurity.com/blog/verified-stolen-credential-detection",[3107],{"data":3108,"marks":3109,"value":3110,"nodeType":1293},{},[],"verified stolen credential detection feature",{"data":3112,"marks":3113,"value":3114,"nodeType":1293},{},[]," compares a k-anonymized hash of user passwords observed with stolen credential TI feeds to cut through the noise and identify where stolen credentials appearing online represent a genuine vulnerability.   ",{"data":3116,"content":3117,"nodeType":1294},{},[3118,3122,3131],{"data":3119,"marks":3120,"value":3121,"nodeType":1293},{},[],"On top of this, all logins made in browsers protected by the Push extension, across every app, are verified by ",{"data":3123,"content":3125,"nodeType":1330},{"uri":3124},"https://pushsecurity.com/blog/introducing-session-token-theft-detection-why-browser-is-best/",[3126],{"data":3127,"marks":3128,"value":3130,"nodeType":1293},{},[3129],{"type":1338},"adding a unique marker to the user agent string of the session",{"data":3132,"marks":3133,"value":3134,"nodeType":1293},{},[],", which will then appear in your IdP logs. This means that any session occurring outside of the Push-protected estate can be flagged to your security team via SIEM alert — including where an attacker uses stolen credentials to log into an app from a browser without the Push extension running. ",{"data":3136,"content":3140,"nodeType":1373},{"target":3137},{"sys":3138},{"id":3139,"type":1378,"linkType":1379},"3tqVk7Vr7pYLOEVukIJM2g",[],{"data":3142,"content":3143,"nodeType":1294},{},[3144],{"data":3145,"marks":3146,"value":37,"nodeType":1293},{},[],"Snowflake: Looking back on 2024’s landmark security event","165 Snowflake customers were targeted by criminals using stolen credentials from infostealer infections, impacting hundreds of millions of people. ","2024-11-29T00:00:00.000Z","snowflake-retro",{"items":3152},[3153],{"sys":3154,"name":1307},{"id":1306},{"items":3156},[3157],{"fullName":3158,"firstName":3159,"jobTitle":3160,"profilePicture":3161},"Dan Green","Dan","Threat Research",{"url":3162},"https://images.ctfassets.net/y1cdw1ablpvd/7jik1VhFgA3kgzXBXTm2Vw/fcd8c171da644903d0827eafcfbcaad0/Dan_Headshot_2025.png",{"__typename":1315,"sys":3164,"content":3166,"title":3741,"synopsis":3742,"hashTags":118,"publishedDate":3743,"slug":3744,"tagsCollection":3745,"authorsCollection":3751},{"id":3165},"3dndhjREJvJCbGRLseipak",{"json":3167},{"data":3168,"content":3169,"nodeType":1295},{},[3170,3190,3197,3204,3211,3218,3221,3229,3248,3255,3278,3285,3292,3299,3305,3308,3316,3323,3330,3337,3343,3346,3354,3361,3368,3375,3381,3384,3392,3399,3406,3412,3418,3421,3429,3436,3442,3448,3455,3458,3466,3473,3480,3487,3494,3527,3538,3544,3551,3554,3562,3569,3581,3589,3596,3603,3610,3633,3652,3655,3663,3670,3688,3694,3697,3705,3712,3730,3735],{"data":3171,"content":3172,"nodeType":1294},{},[3173,3177,3186],{"data":3174,"marks":3175,"value":3176,"nodeType":1293},{},[],"If you want the background on CUAs and OpenAI Operator ",{"data":3178,"content":3180,"nodeType":1330},{"uri":3179},"https://pushsecurity.com/blog/considering-the-impact-of-computer-using-agents/",[3181],{"data":3182,"marks":3183,"value":3185,"nodeType":1293},{},[3184],{"type":1338},"check out our recent blog post",{"data":3187,"marks":3188,"value":3189,"nodeType":1293},{},[],". But, the TL;DR is that Computer-Using Agents (CUAs) are a new type of AI agent that drives your browser/OS for you. ",{"data":3191,"content":3192,"nodeType":1294},{},[3193],{"data":3194,"marks":3195,"value":3196,"nodeType":1293},{},[],"Unlike traditional AI models that are limited to text-based interactions, CUAs can actually use a web browser like a real person. Think of them as an advanced no-code automation platform driven by AI — capable of navigating login pages, entering credentials, and interacting with SaaS applications at scale. This is a huge leap forward from the most common malicious use cases we’ve seen for AI so far. ",{"data":3198,"content":3199,"nodeType":1294},{},[3200],{"data":3201,"marks":3202,"value":3203,"nodeType":1293},{},[],"At Push, we’re fully focused on stopping identity attacks. This meant that when we saw the release of Operator, we could only think of one question: How can attackers abuse this?",{"data":3205,"content":3206,"nodeType":1294},{},[3207],{"data":3208,"marks":3209,"value":3210,"nodeType":1293},{},[],"Full disclosure, this wasn’t an ‘LLM red team’ style exercise, or even anything close. We weren’t interested in verifying how securely data is stored (I mean who cares, these wouldn’t be our credentials if we were a real attacker, right?) and frankly we assumed that the in-app guardrails wouldn’t be robust enough to stop us. And within our first 30 minutes of testing, we were proved correct. ",{"data":3212,"content":3213,"nodeType":1294},{},[3214],{"data":3215,"marks":3216,"value":3217,"nodeType":1293},{},[],"Here’s what we found. ",{"data":3219,"content":3220,"nodeType":1406},{},[],{"data":3222,"content":3223,"nodeType":1410},{},[3224],{"data":3225,"marks":3226,"value":3228,"nodeType":1293},{},[3227],{"type":1399},"You can automate (almost) the entire identity kill chain ",{"data":3230,"content":3231,"nodeType":1294},{},[3232,3236,3245],{"data":3233,"marks":3234,"value":3235,"nodeType":1293},{},[],"For our test, we looked at how Operator could be applied to identity attacks across discrete Cyber Kill Chain stages and the associated Tactics, Techniques, and Procedures (TTPs) as per the ",{"data":3237,"content":3239,"nodeType":1330},{"uri":3238},"https://github.com/pushsecurity/saas-attacks",[3240],{"data":3241,"marks":3242,"value":3244,"nodeType":1293},{},[3243],{"type":1338},"SaaS attacks matrix",{"data":3246,"marks":3247,"value":2441,"nodeType":1293},{},[],{"data":3249,"content":3250,"nodeType":1294},{},[3251],{"data":3252,"marks":3253,"value":3254,"nodeType":1293},{},[],"One of the key challenges facing attackers when it comes to scaling identity attacks is that of targeting many different internet apps — all of which are:",{"data":3256,"content":3257,"nodeType":1487},{},[3258,3268],{"data":3259,"content":3260,"nodeType":1491},{},[3261],{"data":3262,"content":3263,"nodeType":1294},{},[3264],{"data":3265,"marks":3266,"value":3267,"nodeType":1293},{},[],"Complex and highly customized, with a graphically-driven interface that is different every time.",{"data":3269,"content":3270,"nodeType":1491},{},[3271],{"data":3272,"content":3273,"nodeType":1294},{},[3274],{"data":3275,"marks":3276,"value":3277,"nodeType":1293},{},[],"Specifically designed to prevent malicious automation with things like account lockouts and bot protections like CAPTCHA. ",{"data":3279,"content":3280,"nodeType":1294},{},[3281],{"data":3282,"marks":3283,"value":3284,"nodeType":1293},{},[],"This is a big change from traditional networks, where you could simply port scan and spray credentials, encountering the same protocols and services for every environment you wanted to target.",{"data":3286,"content":3287,"nodeType":1294},{},[3288],{"data":3289,"marks":3290,"value":3291,"nodeType":1293},{},[],"Now, every app requires custom tooling that needs to be maintained as apps/pages change. Considering that there are more than 40k SaaS apps, this is no small task. ",{"data":3293,"content":3294,"nodeType":1294},{},[3295],{"data":3296,"marks":3297,"value":3298,"nodeType":1293},{},[],"But we thought: could Operator solve this problem, without any custom development or tooling whatsoever? And what else can it automate following the initial account takeover? ",{"data":3300,"content":3304,"nodeType":1373},{"target":3301},{"sys":3302},{"id":3303,"type":1378,"linkType":1379},"6169dNBRXvahtV8VRlxLCJ",[],{"data":3306,"content":3307,"nodeType":1406},{},[],{"data":3309,"content":3310,"nodeType":1410},{},[3311],{"data":3312,"marks":3313,"value":3315,"nodeType":1293},{},[3314],{"type":1399},"1: Reconnaissance",{"data":3317,"content":3318,"nodeType":1294},{},[3319],{"data":3320,"marks":3321,"value":3322,"nodeType":1293},{},[],"Recon in the world of SaaS means figuring out which SaaS apps an organization uses, how users authenticate, and where the weak spots are. ",{"data":3324,"content":3325,"nodeType":1294},{},[3326],{"data":3327,"marks":3328,"value":3329,"nodeType":1293},{},[],"For example, I asked Operator to check whether a company used BambooHR, Atlassian, or Dropbox. Within minutes, the AI had identified valid tenant names, login URLs, and authentication methods for each app.",{"data":3331,"content":3332,"nodeType":1294},{},[3333],{"data":3334,"marks":3335,"value":3336,"nodeType":1293},{},[],"While a human attacker might research a handful of targets in a day, a CUA can research thousands, tirelessly mapping out identity attack surfaces across a long list of target organizations.",{"data":3338,"content":3342,"nodeType":1373},{"target":3339},{"sys":3340},{"id":3341,"type":1378,"linkType":1379},"6Bt0cyPStlzhDzMaSdBYUp",[],{"data":3344,"content":3345,"nodeType":1406},{},[],{"data":3347,"content":3348,"nodeType":1410},{},[3349],{"data":3350,"marks":3351,"value":3353,"nodeType":1293},{},[3352],{"type":1399},"2: Initial Access",{"data":3355,"content":3356,"nodeType":1294},{},[3357],{"data":3358,"marks":3359,"value":3360,"nodeType":1293},{},[],"Once you’ve established your targets, you can automate account takeover using compromised credentials. ",{"data":3362,"content":3363,"nodeType":1294},{},[3364],{"data":3365,"marks":3366,"value":3367,"nodeType":1293},{},[],"I asked Operator to try to login using a set of compromised credentials across five different apps. It navigated to each page, attempted to login, noted the success or failure (and why), and moved on to the next app in the list. ",{"data":3369,"content":3370,"nodeType":1294},{},[3371],{"data":3372,"marks":3373,"value":3374,"nodeType":1293},{},[],"Now imagine that same process, but scaled up to tens of thousands of apps at once — with no custom development required. That’s where things start getting interesting.",{"data":3376,"content":3380,"nodeType":1373},{"target":3377},{"sys":3378},{"id":3379,"type":1378,"linkType":1379},"6jk6hKykuvc0YAA4CkP8C2",[],{"data":3382,"content":3383,"nodeType":1406},{},[],{"data":3385,"content":3386,"nodeType":1410},{},[3387],{"data":3388,"marks":3389,"value":3391,"nodeType":1293},{},[3390],{"type":1399},"3: Persistence",{"data":3393,"content":3394,"nodeType":1294},{},[3395],{"data":3396,"marks":3397,"value":3398,"nodeType":1293},{},[],"Once you take over an account, you might not be able to exploit it straight away — particularly if you’re looking to execute a broader campaign across apps/organizations. So, I asked Operator to establish persistence mechanisms that would enable me to return to the app later, even if the credentials were changed or additional auth factors were deployed. ",{"data":3400,"content":3401,"nodeType":1294},{},[3402],{"data":3403,"marks":3404,"value":3405,"nodeType":1293},{},[],"Operator was able to analyse wildly different apps/pages with different options for configuring ghost logins, and was able to do things like create an API key and record it for me — a really effective backdoor that is extremely difficult for security teams to detect. ",{"data":3407,"content":3411,"nodeType":1373},{"target":3408},{"sys":3409},{"id":3410,"type":1378,"linkType":1379},"6jtmxq2tMJIBga3hxdeDZs",[],{"data":3413,"content":3417,"nodeType":1373},{"target":3414},{"sys":3415},{"id":3416,"type":1378,"linkType":1379},"5XqqCMLn0udFeoc2CQkmy6",[],{"data":3419,"content":3420,"nodeType":1406},{},[],{"data":3422,"content":3423,"nodeType":1410},{},[3424],{"data":3425,"marks":3426,"value":3428,"nodeType":1293},{},[3427],{"type":1399},"4: Lateral Movement",{"data":3430,"content":3431,"nodeType":1294},{},[3432],{"data":3433,"marks":3434,"value":3435,"nodeType":1293},{},[],"Operator can be used to perform in-app changes which can lay the groundwork for lateral movement. One example of how this can be achieved is through SAMLjacking, effectively allowing the attacker to poison the malicious app tenant and use it as a watering hole to harvest SSO credentials. ",{"data":3437,"content":3441,"nodeType":1373},{"target":3438},{"sys":3439},{"id":3440,"type":1378,"linkType":1379},"4GTS6iIlQ0nyMfTxhXQdEg",[],{"data":3443,"content":3447,"nodeType":1373},{"target":3444},{"sys":3445},{"id":3446,"type":1378,"linkType":1379},"5awMBkBEQPtdVNtLOYiaCL",[],{"data":3449,"content":3450,"nodeType":1294},{},[3451],{"data":3452,"marks":3453,"value":3454,"nodeType":1293},{},[],"SAMLjacking is just one option though — you could also do things like identifying which OAuth integrations are already enabled that could be abused to access linked apps and accounts. ",{"data":3456,"content":3457,"nodeType":1406},{},[],{"data":3459,"content":3460,"nodeType":1410},{},[3461],{"data":3462,"marks":3463,"value":3465,"nodeType":1293},{},[3464],{"type":1399},"5: Collection & Exfiltration ",{"data":3467,"content":3468,"nodeType":1294},{},[3469],{"data":3470,"marks":3471,"value":3472,"nodeType":1293},{},[],"The final piece in the attack chain we looked at was the ability to automate actions-on-objectives. When targeting SaaS, this typically involves dumping app data. ",{"data":3474,"content":3475,"nodeType":1294},{},[3476],{"data":3477,"marks":3478,"value":3479,"nodeType":1293},{},[],"We found it would be possible to trigger things like takeout services, but this would involve an email export of the data being sent to the victim — meaning we’d need to also compromise their mailbox, and it would probably raise the alarm if noticed. ",{"data":3481,"content":3482,"nodeType":1294},{},[3483],{"data":3484,"marks":3485,"value":3486,"nodeType":1293},{},[],"Simply downloading the data directly doesn’t work too well with Operator either — downloads are stored in the VM and aren’t easy to extract (for now, anyway).",{"data":3488,"content":3489,"nodeType":1294},{},[3490],{"data":3491,"marks":3492,"value":3493,"nodeType":1293},{},[],"But this got us thinking:",{"data":3495,"content":3496,"nodeType":1487},{},[3497,3507,3517],{"data":3498,"content":3499,"nodeType":1491},{},[3500],{"data":3501,"content":3502,"nodeType":1294},{},[3503],{"data":3504,"marks":3505,"value":3506,"nodeType":1293},{},[],"Mass data exfiltration is more likely to raise the alarm than the sharing of sensitive data only.",{"data":3508,"content":3509,"nodeType":1491},{},[3510],{"data":3511,"content":3512,"nodeType":1294},{},[3513],{"data":3514,"marks":3515,"value":3516,"nodeType":1293},{},[],"Often, much of the data stolen by attackers is pretty low-value and noisy — attackers often don’t really understand the value of what they’ve taken, or how to use/leverage it (particularly when targeting organizations in specialist fields). ",{"data":3518,"content":3519,"nodeType":1491},{},[3520],{"data":3521,"content":3522,"nodeType":1294},{},[3523],{"data":3524,"marks":3525,"value":3526,"nodeType":1293},{},[],"So what if you could use Operator to understand the data you’ve accessed before dumping it, and stealthily take only what you’re interested in? ",{"data":3528,"content":3529,"nodeType":1294},{},[3530,3534],{"data":3531,"marks":3532,"value":3533,"nodeType":1293},{},[],"So, w",{"data":3535,"marks":3536,"value":3537,"nodeType":1293},{},[],"e asked Operator to analyse data in a compromised Google Drive and report back on what it found. It was able to trawl through looking for specific data of value and report its findings back for us to act on. ",{"data":3539,"content":3543,"nodeType":1373},{"target":3540},{"sys":3541},{"id":3542,"type":1378,"linkType":1379},"VAb39fl1Otlj07dkbDmpU",[],{"data":3545,"content":3546,"nodeType":1294},{},[3547],{"data":3548,"marks":3549,"value":3550,"nodeType":1293},{},[],"At this point, we could have also asked Operator to create sharing links for those files and record them for us (in case our access was revoked in future). ",{"data":3552,"content":3553,"nodeType":1406},{},[],{"data":3555,"content":3556,"nodeType":1410},{},[3557],{"data":3558,"marks":3559,"value":3561,"nodeType":1293},{},[3560],{"type":1399},"Evaluating Operator",{"data":3563,"content":3564,"nodeType":1294},{},[3565],{"data":3566,"marks":3567,"value":3568,"nodeType":1293},{},[],"Operator clearly demonstrated that it can be used to perform malicious tasks throughout the identity attack kill chain, for every site we directed it at, without requiring custom tool development. Though we didn’t conduct an exhaustive review, we were able to trivially bypass prompt restrictions. And although Operator was meant to hand back over to the user for some actions (like logging, completing CAPTCHAs, etc.) it could be convinced to perform these tasks autonomously. ",{"data":3570,"content":3571,"nodeType":1294},{},[3572,3576],{"data":3573,"marks":3574,"value":3575,"nodeType":1293},{},[],"It’s important to come back to the point that this isn’t impressive or useful because of the complexity of the tasks — on a 1:1 basis, a human operator will outperform Operator. ",{"data":3577,"marks":3578,"value":3580,"nodeType":1293},{},[3579],{"type":1399},"The key benefit is the ability to scale these actions across hundreds or even thousands of apps. ",{"data":3582,"content":3583,"nodeType":1471},{},[3584],{"data":3585,"marks":3586,"value":3588,"nodeType":1293},{},[3587],{"type":1399},"The best (worst?) is still to come",{"data":3590,"content":3591,"nodeType":1294},{},[3592],{"data":3593,"marks":3594,"value":3595,"nodeType":1293},{},[],"Yes, Operator is a bit slow at the moment, and can get confused when handling long and large tasks with complex instructions. And overall usage is capped, which might prevent attackers from scaling their identity surface discovery and exploitation infinitely (though we didn’t hit any limits during our testing). But let’s remember, it’s not even in V1 yet … ",{"data":3597,"content":3598,"nodeType":1294},{},[3599],{"data":3600,"marks":3601,"value":3602,"nodeType":1293},{},[],"Operator (and the underlying CUA tech) will inevitably get better. If you can integrate Operator within a tool framework to cover off some of its limitations, and orchestrate Operator windows to perform tasks simultaneously via API (functionality that exists for ChatGPT already) then this kind of CUA tech becomes something that can be very easily abused by attackers. And ultimately, competing CUA products (even inherently malicious ones) will emerge over time, increasing the scope for abuse. ",{"data":3604,"content":3605,"nodeType":1294},{},[3606],{"data":3607,"marks":3608,"value":3609,"nodeType":1293},{},[],"And what then? There are dual consequences:",{"data":3611,"content":3612,"nodeType":1487},{},[3613,3623],{"data":3614,"content":3615,"nodeType":1491},{},[3616],{"data":3617,"content":3618,"nodeType":1294},{},[3619],{"data":3620,"marks":3621,"value":3622,"nodeType":1293},{},[],"Lower skilled attackers with fewer resources will be able to harness identity attacks and exploit identity vulnerabilities at scale, with out-of-the-box capabilities.",{"data":3624,"content":3625,"nodeType":1491},{},[3626],{"data":3627,"content":3628,"nodeType":1294},{},[3629],{"data":3630,"marks":3631,"value":3632,"nodeType":1293},{},[],"More advanced attackers will be able to scale their operations, a bit like being a red team manager of a fleet of AI interns — they handle the grunt work while you’re freed up to perform more complex tasks, only stepping in when you need to. ",{"data":3634,"content":3635,"nodeType":1439},{},[3636],{"data":3637,"content":3638,"nodeType":1294},{},[3639,3643,3648],{"data":3640,"marks":3641,"value":3642,"nodeType":1293},{},[],"CUAs mean attackers can scale their operations, ",{"data":3644,"marks":3645,"value":3647,"nodeType":1293},{},[3646],{"type":1399},"a bit like being a red team manager of a fleet of AI interns",{"data":3649,"marks":3650,"value":3651,"nodeType":1293},{},[]," — they handle the grunt work while you’re freed up to perform more complex tasks, only stepping in when you need to. ",{"data":3653,"content":3654,"nodeType":1406},{},[],{"data":3656,"content":3657,"nodeType":1410},{},[3658],{"data":3659,"marks":3660,"value":3662,"nodeType":1293},{},[3661],{"type":1399},"The verdict",{"data":3664,"content":3665,"nodeType":1294},{},[3666],{"data":3667,"marks":3668,"value":3669,"nodeType":1293},{},[],"CUA technology has huge implications for the ability of attackers to discover and exploit identity vulnerabilities at-scale. ",{"data":3671,"content":3672,"nodeType":1294},{},[3673,3677,3685],{"data":3674,"marks":3675,"value":3676,"nodeType":1293},{},[],"The biggest impact that we identified was in terms of credential attacks — and in particular the ability of attackers to leverage compromised credentials and systemic vulnerabilities like credential reuse — which we’ve discussed in more detail ",{"data":3678,"content":3680,"nodeType":1330},{"uri":3679},"https://pushsecurity.com/blog/how-new-ai-agents-will-transform-credential-stuffing-attacks/",[3681],{"data":3682,"marks":3683,"value":3684,"nodeType":1293},{},[],"in this blog post",{"data":3686,"marks":3687,"value":2441,"nodeType":1293},{},[],{"data":3689,"content":3693,"nodeType":1373},{"target":3690},{"sys":3691},{"id":3692,"type":1378,"linkType":1379},"5wczyTsTFu9VshpzxJylgX",[],{"data":3695,"content":3696,"nodeType":1406},{},[],{"data":3698,"content":3699,"nodeType":1410},{},[3700],{"data":3701,"marks":3702,"value":3704,"nodeType":1293},{},[3703],{"type":1399},"What you can do about it",{"data":3706,"content":3707,"nodeType":1294},{},[3708],{"data":3709,"marks":3710,"value":3711,"nodeType":1293},{},[],"Thankfully, no new anti-AI capabilities are required — but it’s more important than ever that organizations look to defend their identity attack surface and find and fix identity vulnerabilities before attackers can take advantage of them. ",{"data":3713,"content":3714,"nodeType":1294},{},[3715,3718,3726],{"data":3716,"marks":3717,"value":37,"nodeType":1293},{},[],{"data":3719,"content":3720,"nodeType":1330},{"uri":2321},[3721],{"data":3722,"marks":3723,"value":3725,"nodeType":1293},{},[3724],{"type":1338},"Book a demo",{"data":3727,"marks":3728,"value":3729,"nodeType":1293},{},[]," to find out how Push helps organizations to find and fix identity vulnerabilities at-scale, and intercept identity attacks as they happen in employee browsers. ",{"data":3731,"content":3734,"nodeType":1373},{"target":3732},{"sys":3733},{"id":3303,"type":1378,"linkType":1379},[],{"data":3736,"content":3737,"nodeType":1294},{},[3738],{"data":3739,"marks":3740,"value":37,"nodeType":1293},{},[],"5 ways attackers can use Computer-Using Agents to automate identity attacks","We're back with part 2 of our research into OpenAI Operator to share our findings on how it can be used to automate identity attacks. ","2025-03-13T00:00:00.000Z","5-ways-attackers-can-use-computer-using-agents-to-automate-identity-attacks",{"items":3746},[3747,3749],{"sys":3748,"name":1307},{"id":1306},{"sys":3750,"name":2340},{"id":2339},{"items":3752},[3753],{"fullName":3754,"firstName":3755,"jobTitle":3756,"profilePicture":3757},"Luke Jennings","Luke","Vice President, R&D",{"url":3758},"https://images.ctfassets.net/y1cdw1ablpvd/4Hosb4zKi1dA0PUyDLMe1h/27e09d894861f2196ba794037986fb08/T016S22KZ96-U02NVQM7ZD4-57761d542d83-512.jpeg",{"items":3760},[3761],{"fullName":3158,"firstName":3159,"jobTitle":3160,"profilePicture":3762},{"url":3162},{"json":3764,"links":4454},{"nodeType":1295,"data":3765,"content":3766},{},[3767,3783,3789,3795,3801,3804,3812,3819,3912,3918,3925,3932,3935,3943,3951,3958,4011,4019,4037,4067,4074,4082,4089,4095,4114,4130,4136,4143,4169,4176,4183,4216,4223,4230,4249,4252,4260,4267,4274,4281,4289,4308,4314,4322,4341,4359,4364,4372,4379,4397,4404,4410,4413,4421,4428,4435],{"nodeType":1294,"data":3768,"content":3769},{},[3770,3774,3779],{"nodeType":1293,"value":3771,"marks":3772,"data":3773},"Since late 2024, attackers have been targeting organizations using Jira, the project management tool, taking over user accounts using compromised credentials. This has resulted in ",[],{},{"nodeType":1293,"value":3775,"marks":3776,"data":3778},"six public breaches in five months",[3777],{"type":1399},{},{"nodeType":1293,"value":3780,"marks":3781,"data":3782}," where criminals made off with sensitive data and documentation, profiting by extorting the victims and selling the data on criminal forums. ",[],{},{"nodeType":1373,"data":3784,"content":3788},{"target":3785},{"sys":3786},{"id":3787,"type":1378,"linkType":1379},"3QJBi8NiId1CccFmJrp8pu",[],{"nodeType":1294,"data":3790,"content":3791},{},[3792],{"nodeType":1293,"value":37,"marks":3793,"data":3794},[],{},{"nodeType":1373,"data":3796,"content":3800},{"target":3797},{"sys":3798},{"id":3799,"type":1378,"linkType":1379},"79uXXgsAuOK9dKwYQFb0d1",[],{"nodeType":1406,"data":3802,"content":3803},{},[],{"nodeType":1410,"data":3805,"content":3806},{},[3807],{"nodeType":1293,"value":3808,"marks":3809,"data":3811},"What happened?",[3810],{"type":1399},{},{"nodeType":1294,"data":3813,"content":3814},{},[3815],{"nodeType":1293,"value":3816,"marks":3817,"data":3818},"Six attacks where stolen credentials were used to compromise the victim’s Jira tenant have been reported since November 2024, all attributed to operators belonging to the HELLCAT threat group. ",[],{},{"nodeType":1487,"data":3820,"content":3821},{},[3822,3837,3852,3867,3882,3897],{"nodeType":1491,"data":3823,"content":3824},{},[3825],{"nodeType":1294,"data":3826,"content":3827},{},[3828,3833],{"nodeType":1293,"value":3829,"marks":3830,"data":3832},"Affinitiv (March 2025): ",[3831],{"type":1399},{},{"nodeType":1293,"value":3834,"marks":3835,"data":3836},"Attackers stole a database containing over 470k unique emails and 780k records from marketing data analytics provider Affinitiv. ",[],{},{"nodeType":1491,"data":3838,"content":3839},{},[3840],{"nodeType":1294,"data":3841,"content":3842},{},[3843,3848],{"nodeType":1293,"value":3844,"marks":3845,"data":3847},"Ascom (March 2025):",[3846],{"type":1399},{},{"nodeType":1293,"value":3849,"marks":3850,"data":3851}," Attackers stole 44GB of data including source code for multiple products, details about various projects, invoices, confidential documents, and issues from the ticketing system from global telecommunications provider Ascom.",[],{},{"nodeType":1491,"data":3853,"content":3854},{},[3855],{"nodeType":1294,"data":3856,"content":3857},{},[3858,3863],{"nodeType":1293,"value":3859,"marks":3860,"data":3862},"Jaguar Land Rover (March 2025):",[3861],{"type":1399},{},{"nodeType":1293,"value":3864,"marks":3865,"data":3866}," Attackers leaked ~700 internal documents totalling several GBs of data, including proprietary documents, source code, and employee and partner data, from vehicle manufacturer Jaguar Land Rover. The breach was linked to credentials stolen by infostealers in 2021. A second threat actor is now alleged to have re-compromized Jaguar using the same credentials and achieved a much bigger breach of ~350GB. ",[],{},{"nodeType":1491,"data":3868,"content":3869},{},[3870],{"nodeType":1294,"data":3871,"content":3872},{},[3873,3878],{"nodeType":1293,"value":3874,"marks":3875,"data":3877},"Orange (February 2025):",[3876],{"type":1399},{},{"nodeType":1293,"value":3879,"marks":3880,"data":3881}," Attackers stole almost 12,000 files totaling close to 6.5GB, which includes 380k unique email addresses, source code, invoices, contracts, customer and employee information, from telecommunications provider Orange. The attacker allegedly had access to the systems for over a month before exfiltrating company data.",[],{},{"nodeType":1491,"data":3883,"content":3884},{},[3885],{"nodeType":1294,"data":3886,"content":3887},{},[3888,3893],{"nodeType":1293,"value":3889,"marks":3890,"data":3892},"Telefonica (January 2025): ",[3891],{"type":1399},{},{"nodeType":1293,"value":3894,"marks":3895,"data":3896},"Attackers stole 2.3GB of documents, tickets, and various data from telecommunications provider Telefonica. ",[],{},{"nodeType":1491,"data":3898,"content":3899},{},[3900],{"nodeType":1294,"data":3901,"content":3902},{},[3903,3908],{"nodeType":1293,"value":3904,"marks":3905,"data":3907},"Schneider Electric (November 2024): ",[3906],{"type":1399},{},{"nodeType":1293,"value":3909,"marks":3910,"data":3911},"Attackers stole 40GB of data including 75k unique email addresses, from manufacturing provider Schneider Electric, demanding a ransom payment of $125k. ",[],{},{"nodeType":1373,"data":3913,"content":3917},{"target":3914},{"sys":3915},{"id":3916,"type":1378,"linkType":1379},"1Hm5x8QlQnJsUPgFyCkeFO",[],{"nodeType":1294,"data":3919,"content":3920},{},[3921],{"nodeType":1293,"value":3922,"marks":3923,"data":3924},"So, hundreds of gigabytes of data and thousands of breached records — all from logging in with a single set of stolen credentials for each victim. There are clear signs that these attacks are ramping up in frequency and impact too, with three of the breaches occurring in March alone. ",[],{},{"nodeType":1294,"data":3926,"content":3927},{},[3928],{"nodeType":1293,"value":3929,"marks":3930,"data":3931},"These attacks all follow the same pattern, revolving around initial access to Jira accounts using compromised credentials. Once inside, the attacker has been reported to use integrated Atlassian tools like MiniOrange to scrape customer and employee data. After dumping the data, they attempt to extort a ransom payment for the deletion of the data, and when that fails, sell it on criminal marketplaces such as dark web forums and Telegram channels. HELLCAT is also responsible for a Ransomware-as-a-Service (RaaS) offering using a custom ransomware strain. ",[],{},{"nodeType":1406,"data":3933,"content":3934},{},[],{"nodeType":1410,"data":3936,"content":3937},{},[3938],{"nodeType":1293,"value":3939,"marks":3940,"data":3942},"Why are attackers targeting Jira?",[3941],{"type":1399},{},{"nodeType":1471,"data":3944,"content":3945},{},[3946],{"nodeType":1293,"value":3947,"marks":3948,"data":3950},"It’s a goldmine for attackers",[3949],{"type":1399},{},{"nodeType":1294,"data":3952,"content":3953},{},[3954],{"nodeType":1293,"value":3955,"marks":3956,"data":3957},"Apps like Jira are a goldmine for cyber attackers. For organizations using it, Jira is a central technology that underpins core business workflows. It’s used for pretty much all aspects of project management across functions, meaning it:",[],{},{"nodeType":1487,"data":3959,"content":3960},{},[3961,3971,3981,3991,4001],{"nodeType":1491,"data":3962,"content":3963},{},[3964],{"nodeType":1294,"data":3965,"content":3966},{},[3967],{"nodeType":1293,"value":3968,"marks":3969,"data":3970},"Stores huge amounts of sensitive data, from strategic business initiatives to sensitive customer data. ",[],{},{"nodeType":1491,"data":3972,"content":3973},{},[3974],{"nodeType":1294,"data":3975,"content":3976},{},[3977],{"nodeType":1293,"value":3978,"marks":3979,"data":3980},"Contains detailed information on IT infrastructure and architecture. It often acts as an issue tracker for vulnerabilities, and frequently contains credentials and secrets accidentally pasted into tickets, enabling lateral movement and further exploitation. ",[],{},{"nodeType":1491,"data":3982,"content":3983},{},[3984],{"nodeType":1294,"data":3985,"content":3986},{},[3987],{"nodeType":1293,"value":3988,"marks":3989,"data":3990},"Has deep integrations with other Cloud and DevOps technologies like GitHub repos (also a frequent target for attackers), Bitbucket, Jenkins, CircleCI, AWS, Azure, etc. ",[],{},{"nodeType":1491,"data":3992,"content":3993},{},[3994],{"nodeType":1294,"data":3995,"content":3996},{},[3997],{"nodeType":1293,"value":3998,"marks":3999,"data":4000},"Can be exploited using native functionality by, for example, creating automated workflows containing malicious scripts or deployments, or inserting malicious links into tickets to phish users in-app. ",[],{},{"nodeType":1491,"data":4002,"content":4003},{},[4004],{"nodeType":1294,"data":4005,"content":4006},{},[4007],{"nodeType":1293,"value":4008,"marks":4009,"data":4010},"Also provides access to the broader Atlassian suite through a compromised Jira account, e.g. Confluence, Bitbucket, Trello, Opsgenie, etc. ",[],{},{"nodeType":1471,"data":4012,"content":4013},{},[4014],{"nodeType":1293,"value":4015,"marks":4016,"data":4018},"Compromised credentials are waiting to be exploited",[4017],{"type":1399},{},{"nodeType":1294,"data":4020,"content":4021},{},[4022,4025,4033],{"nodeType":1293,"value":37,"marks":4023,"data":4024},[],{},{"nodeType":1330,"data":4026,"content":4028},{"uri":4027},"https://www.verizon.com/business/resources/reports/dbir/",[4029],{"nodeType":1293,"value":4030,"marks":4031,"data":4032},"Stolen credentials were the #1 attacker action in 2023/24",[],{},{"nodeType":1293,"value":4034,"marks":4035,"data":4036},", and the breach vector for 80% of web app attacks. Not surprising when you consider the fact that billions of leaked credentials are in circulation online, and attackers can pick up the latest drop for as little as $10 on criminal forums. ",[],{},{"nodeType":1294,"data":4038,"content":4039},{},[4040,4044,4051,4055,4063],{"nodeType":1293,"value":4041,"marks":4042,"data":4043},"The criminal marketplace for stolen credentials is booming, fuelled by an unprecedented rise in infostealer activity as attackers look to replicate the success of ",[],{},{"nodeType":1330,"data":4045,"content":4046},{"uri":1741},[4047],{"nodeType":1293,"value":4048,"marks":4049,"data":4050},"high profile breaches in 2024",[],{},{"nodeType":1293,"value":4052,"marks":4053,"data":4054}," such as the attacks on ",[],{},{"nodeType":1330,"data":4056,"content":4058},{"uri":4057},"https://pushsecurity.com/blog/snowflake-retro/",[4059],{"nodeType":1293,"value":4060,"marks":4061,"data":4062},"Snowflake",[],{},{"nodeType":1293,"value":4064,"marks":4065,"data":4066}," customers — where 165 customer tenants and hundreds of millions of breached records were compromised using credentials dating found in infostealer credential dumps dating as far back as 2020.",[],{},{"nodeType":1294,"data":4068,"content":4069},{},[4070],{"nodeType":1293,"value":4071,"marks":4072,"data":4073},"Like Snowflake, attackers have clearly noticed that compromised credentials are a reliable way to access Jira accounts. And the more these attacks succeed, the stronger the signal for other attackers to look for insecure identities. ",[],{},{"nodeType":1471,"data":4075,"content":4076},{},[4077],{"nodeType":1293,"value":4078,"marks":4079,"data":4081},"But wait: This isn’t just a Jira problem",[4080],{"type":1399},{},{"nodeType":1294,"data":4083,"content":4084},{},[4085],{"nodeType":1293,"value":4086,"marks":4087,"data":4088},"If an organization isn’t relying on Jira, they’re probably using a product with similar functionality such as ServiceNow, Asana, Zendesk, Notion, Oracle, etc. These alternatives are an equally viable target for attackers. ",[],{},{"nodeType":1373,"data":4090,"content":4094},{"target":4091},{"sys":4092},{"id":4093,"type":1378,"linkType":1379},"4hgYhQiAykupZ6n7Js2zJA",[],{"nodeType":1294,"data":4096,"content":4097},{},[4098,4102,4110],{"nodeType":1293,"value":4099,"marks":4100,"data":4101},"Jira and many apps like it, fall into a category where it’s a core business app, but isn’t as well-secured (or can’t be configured as securely) as full enterprise cloud platforms — increasing the likelihood that accounts are using weak, breached, or reused credentials, and have gaps in MFA coverage. Again, there are clear similarities with the attacks on Snowflake customers last year. And more recently, breaches like ",[],{},{"nodeType":1330,"data":4103,"content":4105},{"uri":4104},"https://www.bleepingcomputer.com/news/security/oracle-denies-data-breach-after-hacker-claims-theft-of-6-million-data-records/",[4106],{"nodeType":1293,"value":4107,"marks":4108,"data":4109},"the theft of 6 million Oracle records",[],{},{"nodeType":1293,"value":4111,"marks":4112,"data":4113}," (including  passwords) provide plenty of fuel for attackers looking to take advantage of unsecured accounts. ",[],{},{"nodeType":1294,"data":4115,"content":4116},{},[4117,4121,4126],{"nodeType":1293,"value":4118,"marks":4119,"data":4120},"Using Push data, we compared the posture of accounts that ",[],{},{"nodeType":1293,"value":4122,"marks":4123,"data":4125},"use a password to log in",[4124],{"type":1399},{},{"nodeType":1293,"value":4127,"marks":4128,"data":4129}," when organizations first begin using our platform.",[],{},{"nodeType":1373,"data":4131,"content":4135},{"target":4132},{"sys":4133},{"id":4134,"type":1378,"linkType":1379},"4xOUAqait2RG4IH00vh2RM",[],{"nodeType":1294,"data":4137,"content":4138},{},[4139],{"nodeType":1293,"value":4140,"marks":4141,"data":4142},"Clearly, this isn’t just a Jira problem — and it won’t be long before attackers take advantage. ",[],{},{"nodeType":1294,"data":4144,"content":4145},{},[4146,4149,4157,4161,4166],{"nodeType":1293,"value":37,"marks":4147,"data":4148},[],{},{"nodeType":1330,"data":4150,"content":4151},{"uri":1508},[4152],{"nodeType":1293,"value":4153,"marks":4154,"data":4156},"These stats are in the ballpark of our average findings from across all apps",[4155],{"type":1338},{},{"nodeType":1293,"value":4158,"marks":4159,"data":4160}," — with 2 in 5 identities using a password to log in AND missing MFA, rising to 4 in 5 when a password is the sole login method. Considering the fact that organizations are using hundreds of apps (220+ on average), ",[],{},{"nodeType":1293,"value":4162,"marks":4163,"data":4165},"there are many, many more apps that can be targeted in a similar way to Jira",[4164],{"type":1399},{},{"nodeType":1293,"value":2441,"marks":4167,"data":4168},[],{},{"nodeType":1410,"data":4170,"content":4171},{},[4172],{"nodeType":1293,"value":4173,"marks":4174,"data":4175},"Preventing account takeover with stolen credentials",[],{},{"nodeType":1294,"data":4177,"content":4178},{},[4179],{"nodeType":1293,"value":4180,"marks":4181,"data":4182},"To ensure that your workforce identities can’t be compromised using stolen credentials, you need to:",[],{},{"nodeType":1487,"data":4184,"content":4185},{},[4186,4196,4206],{"nodeType":1491,"data":4187,"content":4188},{},[4189],{"nodeType":1294,"data":4190,"content":4191},{},[4192],{"nodeType":1293,"value":4193,"marks":4194,"data":4195},"Ensure MFA is configured for all user accounts. ",[],{},{"nodeType":1491,"data":4197,"content":4198},{},[4199],{"nodeType":1294,"data":4200,"content":4201},{},[4202],{"nodeType":1293,"value":4203,"marks":4204,"data":4205},"Ensure employees are not using weak, breached, or stolen passwords. ",[],{},{"nodeType":1491,"data":4207,"content":4208},{},[4209],{"nodeType":1294,"data":4210,"content":4211},{},[4212],{"nodeType":1293,"value":4213,"marks":4214,"data":4215},"Where possible, ensure users are using SSO to log in via your preferred identity provider (IdP).",[],{},{"nodeType":1294,"data":4217,"content":4218},{},[4219],{"nodeType":1293,"value":4220,"marks":4221,"data":4222},"This is a tricky problem to solve in Jira itself. Jira doesn’t provide the capabilities to enforce these controls — to get access to some of the required functionality, like being able to require MFA for all users within your tenant, enforce SSO logins, or see if a user has MFA enabled, you need Atlassian Access — a separate tier of identity management product for Atlassian. Even then, you can’t do things like centrally administer password resets. ",[],{},{"nodeType":1294,"data":4224,"content":4225},{},[4226],{"nodeType":1293,"value":4227,"marks":4228,"data":4229},"And as we’ve pointed out — this isn’t just a Jira problem. Very few apps provide this level of identity visibility and control (even at the premium tier) — so what about when the next app hits the headlines? ",[],{},{"nodeType":1294,"data":4231,"content":4232},{},[4233,4237,4245],{"nodeType":1293,"value":4234,"marks":4235,"data":4236},"You could ingest a compromised credential TI feed to get some visibility of what’s out there, but then you’re relying on asking every user with a breached password to change it (not really reliable or enforceable!). When we ",[],{},{"nodeType":1330,"data":4238,"content":4239},{"uri":2025},[4240],{"nodeType":1293,"value":4241,"marks":4242,"data":4244},"recently reviewed a range of TI feeds against our identity data set",[4243],{"type":1338},{},{"nodeType":1293,"value":4246,"marks":4247,"data":4248},", we found that less than 1% of the data was valid — like looking for a needle in a haystack. ",[],{},{"nodeType":1406,"data":4250,"content":4251},{},[],{"nodeType":1410,"data":4253,"content":4254},{},[4255],{"nodeType":1293,"value":4256,"marks":4257,"data":4259},"Prevent account takeover with Push",[4258],{"type":1399},{},{"nodeType":1294,"data":4261,"content":4262},{},[4263],{"nodeType":1293,"value":4264,"marks":4265,"data":4266},"Thankfully, there’s a better way. Push provides layered controls to harden your workforce identities against credential attacks, as well as other methods of account takeover like MFA-bypass phishing and session hijacking. Our lightweight, browser-based solution can be deployed in minutes across your entire user base. ",[],{},{"nodeType":1294,"data":4268,"content":4269},{},[4270],{"nodeType":1293,"value":4271,"marks":4272,"data":4273},"So when a core business app like Jira comes under fire, you can quickly take action to prevent account takeover.  ",[],{},{"nodeType":1294,"data":4275,"content":4276},{},[4277],{"nodeType":1293,"value":4278,"marks":4279,"data":4280},"Here’s how Push users can protect themselves against the threat of stolen credentials:",[],{},{"nodeType":1471,"data":4282,"content":4283},{},[4284],{"nodeType":1293,"value":4285,"marks":4286,"data":4288},"Step 1: Deploy MFA across all accounts",[4287],{"type":1399},{},{"nodeType":1294,"data":4290,"content":4291},{},[4292,4296,4304],{"nodeType":1293,"value":4293,"marks":4294,"data":4295},"Whenever an application comes under heavy scrutiny from attackers, it’s a good idea to deploy MFA across all accounts as a first response action. ",[],{},{"nodeType":1330,"data":4297,"content":4298},{"uri":2120},[4299],{"nodeType":1293,"value":4300,"marks":4301,"data":4303},"Push enables you to quickly find and close MFA gaps",[4302],{"type":1338},{},{"nodeType":1293,"value":4305,"marks":4306,"data":4307}," by prompting the user to configure MFA when they log in to the app. ",[],{},{"nodeType":1373,"data":4309,"content":4313},{"target":4310},{"sys":4311},{"id":4312,"type":1378,"linkType":1379},"4OVJU6FRSVU9j1WB9NGyJ4",[],{"nodeType":1471,"data":4315,"content":4316},{},[4317],{"nodeType":1293,"value":4318,"marks":4319,"data":4321},"Step 2: Detect when accounts are using stolen credentials and trigger a password change",[4320],{"type":1399},{},{"nodeType":1294,"data":4323,"content":4324},{},[4325,4329,4337],{"nodeType":1293,"value":4326,"marks":4327,"data":4328},"Push integrates with commercial TI feeds to see ",[],{},{"nodeType":1330,"data":4330,"content":4331},{"uri":2025},[4332],{"nodeType":1293,"value":4333,"marks":4334,"data":4336},"when your employees are actually using a breached password to log in to one of their accounts",[4335],{"type":1338},{},{"nodeType":1293,"value":4338,"marks":4339,"data":4340},", eliminating manual triage. You can also bring your own TI feed to maximize its value. ",[],{},{"nodeType":1294,"data":4342,"content":4343},{},[4344,4348,4356],{"nodeType":1293,"value":4345,"marks":4346,"data":4347},"When a stolen credential (or any other password vulnerability) is found, the next time they log into the app they will be prompted to change it via the ",[],{},{"nodeType":1330,"data":4349,"content":4351},{"uri":4350},"https://pushsecurity.com/blog/introducing-strong-password-enforcement/",[4352],{"nodeType":1293,"value":4353,"marks":4354,"data":4355},"strong password enforcement feature",[],{},{"nodeType":1293,"value":2441,"marks":4357,"data":4358},[],{},{"nodeType":1373,"data":4360,"content":4363},{"target":4361},{"sys":4362},{"id":2225,"type":1378,"linkType":1379},[],{"nodeType":1471,"data":4365,"content":4366},{},[4367],{"nodeType":1293,"value":4368,"marks":4369,"data":4371},"Step 3: Ensure employees are using SSO (and remediate ghost logins)",[4370],{"type":1399},{},{"nodeType":1294,"data":4373,"content":4374},{},[4375],{"nodeType":1293,"value":4376,"marks":4377,"data":4378},"Once you’ve secured your accounts against the risk of immediate account takeover, you can harden them further by ensuring that accounts are using your preferred SSO method and IdP. ",[],{},{"nodeType":1294,"data":4380,"content":4381},{},[4382,4386,4393],{"nodeType":1293,"value":4383,"marks":4384,"data":4385},"[Insight box: It’s not enough to have users adopt SSO, however. Local username and password accounts can continue to exist and be used alongside SSO unless specifically configured (and configurable) within the app. These local accounts are a form of ",[],{},{"nodeType":1330,"data":4387,"content":4388},{"uri":2717},[4389],{"nodeType":1293,"value":2892,"marks":4390,"data":4392},[4391],{"type":1338},{},{"nodeType":1293,"value":4394,"marks":4395,"data":4396},", providing backdoor access to your business apps without needing to breach your locked-down IdP accounts used for SSO. This is why it’s important to have MFA set at the application level if local accounts are used — you can’t just rely on your IdP being securely configured.] ",[],{},{"nodeType":1294,"data":4398,"content":4399},{},[4400],{"nodeType":1293,"value":4401,"marks":4402,"data":4403},"Once you’ve migrated to SSO, it’s best practice to have your employees remove these local accounts so they don’t lie dormant for attackers to take advantage of in the future. You can set an app banner for all users accessing the app, instructing them to log in using SSO, and to disable their local password once they’ve done so.",[],{},{"nodeType":1373,"data":4405,"content":4409},{"target":4406},{"sys":4407},{"id":4408,"type":1378,"linkType":1379},"606mt5mVoJGaMmk82mLIFH",[],{"nodeType":1406,"data":4411,"content":4412},{},[],{"nodeType":1410,"data":4414,"content":4415},{},[4416],{"nodeType":1293,"value":4417,"marks":4418,"data":4420},"Protect and defend your entire identity attack surface",[4419],{"type":1399},{},{"nodeType":1294,"data":4422,"content":4423},{},[4424],{"nodeType":1293,"value":4425,"marks":4426,"data":4427},"Push provides comprehensive identity attack detection and response capabilities across every app and workforce identity.    ",[],{},{"nodeType":1294,"data":4429,"content":4430},{},[4431],{"nodeType":1293,"value":4432,"marks":4433,"data":4434},"We stop attacks like MFA-bypass phishing, credential stuffing, password spraying and session hijacking using stolen session tokens. You can also use Push to find and fix identity vulnerabilities across every app that your employees use like: ghost logins; SSO coverage gaps; MFA gaps; weak, breached and reused passwords; risky OAuth integrations; and more. ",[],{},{"nodeType":1294,"data":4436,"content":4437},{},[4438,4442,4450],{"nodeType":1293,"value":4439,"marks":4440,"data":4441},"If you want to learn more about how Push helps you to detect and defeat common identity attack techniques, ",[],{},{"nodeType":1330,"data":4443,"content":4445},{"uri":4444},"https://pushsecurity.com/demo?utm_campaign=9983377-FY25Q1_Bleeping-Computer-Organic-Article&utm_source=bleepingcomputer&utm_medium=sponsored-content&utm_content=organic%20article",[4446],{"nodeType":1293,"value":4447,"marks":4448,"data":4449},"book some time with one of our team",[],{},{"nodeType":1293,"value":4451,"marks":4452,"data":4453}," for a live demo. ",[],{},{"entries":4455},{"hyperlink":4456,"inline":4457,"block":4458},[],[],[4459,4468,4513,4522,4549,4557,4563,4567],{"sys":4460,"__typename":4461,"title":4462,"youTubeUrl":4463,"imagePlaceholder":4464},{"id":3787},"ExternalVideo","Hellcat video","https://www.youtube.com/watch?v=jHm6wpT6mYg",{"url":4465,"width":4466,"height":4467},"https://images.ctfassets.net/y1cdw1ablpvd/5cdcvDUhgAmEpo6kMOdu9I/8abb264bf8ce77b3d7453bcbc8c09783/Slide_Front_Cover__50_.png",3840,2160,{"sys":4469,"__typename":4470,"content":4471,"name":4512,"title":118},{"id":3799},"InsightTextBlockComponent",{"json":4472},{"nodeType":1295,"data":4473,"content":4474},{},[4475,4494],{"nodeType":1294,"data":4476,"content":4477},{},[4478,4482,4490],{"nodeType":1293,"value":4479,"marks":4480,"data":4481},"Update 1: Since first writing this article, ",[],{},{"nodeType":1330,"data":4483,"content":4485},{"uri":4484},"https://hackread.com/hellcat-ransomware-firms-infostealer-stolen-jira-credentials/",[4486],{"nodeType":1293,"value":4487,"marks":4488,"data":4489},"four more victims have been claimed by Hellcat",[],{},{"nodeType":1293,"value":4491,"marks":4492,"data":4493}," (all involving Jira breaches), bringing the total to 10 breaches in 6 months. This further indicates that this is a fast moving issue and attackers are undertaking a concerted campaign against Jira accounts — that isn't going away anytime soon. ",[],{},{"nodeType":1294,"data":4495,"content":4496},{},[4497,4501,4509],{"nodeType":1293,"value":4498,"marks":4499,"data":4500},"Update 2: Jira attacks conducted by Hellcat have continued into July ",[],{},{"nodeType":1330,"data":4502,"content":4504},{"uri":4503},"https://www.bleepingcomputer.com/news/security/hacker-leaks-telef-nica-data-allegedly-stolen-in-a-new-breach/",[4505],{"nodeType":1293,"value":4506,"marks":4507,"data":4508},"with the latest victim claimed by the attackers.",[],{},{"nodeType":1293,"value":1619,"marks":4510,"data":4511},[],{},"Hellcat insight box",{"sys":4514,"__typename":4515,"title":4516,"caption":4517,"layoutMode":118,"file":4518},{"id":3916},"Image","Hellcat timeline of Jira breaches","Attacks targeting Jira using stolen credentials are ramping up",{"url":4519,"width":4520,"height":4521},"https://images.ctfassets.net/y1cdw1ablpvd/1BqkoZww9MTs41whLVPMTj/ee67f53ff51c24b7d36066641e879583/hellcat_social_graphic.png",1920,1080,{"sys":4523,"__typename":4470,"content":4524,"name":4548,"title":118},{"id":4093},{"json":4525},{"data":4526,"content":4527,"nodeType":1295},{},[4528],{"data":4529,"content":4530,"nodeType":1294},{},[4531,4535,4544],{"data":4532,"marks":4533,"value":4534,"nodeType":1293},{},[],"Attackers are already targeting these apps — we recently saw ServiceNow servers being exploited by threat groups — but actually given that most organizations access ServiceNow as a cloud app, it’s easier to go the route of identity attacks. Remember when a ",{"data":4536,"content":4538,"nodeType":1330},{"uri":4537},"https://pushsecurity.com/blog/learning-from-the-servicenow-disclosure/",[4539],{"data":4540,"marks":4541,"value":4543,"nodeType":1293},{},[4542],{"type":1338},"security researcher logged into Microsoft’s ServiceNow tenant with stolen credentials",{"data":4545,"marks":4546,"value":4547,"nodeType":1293},{},[],", accessing 1,000s of support ticket descriptions and attachments, and 250k+ employee emails?","Jira blog insight box",{"sys":4550,"__typename":4515,"title":4551,"caption":4552,"layoutMode":118,"file":4553},{"id":4134},"Comparing password vulnerabilities in Jira and other platforms","Table: What % of accounts with a password are vulnerable to account takeover through (1) MFA gaps and (2) using a breached, weak, or reused password. ",{"url":4554,"width":4555,"height":4556},"https://images.ctfassets.net/y1cdw1ablpvd/2oPkACCXFwWoIuMLfOGOkA/f676624ddce5651b09f6a768a8dd2c70/Screenshot_2025-03-24_at_10.46.49.png",1852,678,{"sys":4558,"__typename":4559,"title":4560,"arcadeDemoUrl":4561,"playText":4562},{"id":4312},"ArcadeDemo","Close MFA gaps with Push","https://demo.arcade.software/eP35OjAoajgNud5qqMGf?embed","2 mins",{"sys":4564,"__typename":4559,"title":4565,"arcadeDemoUrl":4566,"playText":4562},{"id":2225},"Arcade: Find and remediate password vulnerabilities in Atlassian","https://demo.arcade.software/O5HwAmXSXboyKZkkO6XS?embed",{"sys":4568,"__typename":4559,"title":4569,"arcadeDemoUrl":4570,"playText":4562},{"id":4408},"Create an App Banner guiding users to log in via SSO","https://demo.arcade.software/D8BrC6k3x919TcOid0qc?embed","content:blog:why-attackers-are-targeting-jira-with-stolen-credentials.json","json","content","blog/why-attackers-are-targeting-jira-with-stolen-credentials.json","blog/why-attackers-are-targeting-jira-with-stolen-credentials",1776359985450]