Blog

Analyzing a BITB phishing page linked to the Sneaky2FA Phishing-as-a-Service operation.

How "Scattered Lapsus$ Hunters" breaches demonstrate the evolution of attacker TTPs, shaping the future of cyber attacks.

Breaking down the most sophisticated ClickFix page we’ve seen in the wild — and what it tells us about the future of malicious copy-and-paste attacks.

Here’s what’s new on the Push platform for November 2025.

NYCRR Part 500 is tightening its MFA and asset management requirements. Here's what the changes means for compliance.

Diving into the latest sophisticated LinkedIn phishing campaign intercepted by Push.

Push now detects malware delivery in the browser, supporting a layered defense against endpoint attacks.

How browser data can improve detection fidelity and reduce alert fatigue, enabling SecOps teams to save time and detect more attacks.

MFA regulators, insurers, and policy-makers are getting tighter on their MFA requirements, fuelled by public cyber breaches.

Why phishing attacks are moving away from exclusively email-based delivery, and what this means for security teams.

How Push saved a company exec from a sophisticated Attacker-in-the-Middle phishing attack delivered via a LinkedIn direct message.

Here’s what’s new on the Push platform for September 2025.

What security teams need to know about the browser-based attack techniques that are the leading cause of breaches in 2025.

How attacks have moved away from endpoints and internal networks to the browser — a blind spot for traditional security tools.

Push recently identified a novel phishing attack using Active Directory Federation Services to get Microsoft to send victims to a phishing site.

Introducing our latest resource for security teams breaking down the techniques that modern phishing attacks are using to evade detection.

We’re launching a new Detections capability, enabling security teams to more effectively investigate and triage alerts, and build more effective workflows.

MFA downgrade attacks are an increasingly common technique used by attackers to bypass phishing-resistant authentication methods registered to an account.

Push now blocks URL schema obfuscation, countering a common technique used by attackers to bypass URL detections for phishing pages and malicious IPs.

Scattered Spider continues to dominate the headlines, with attacks on aviation and insurance companies worldwide.

Scattered Spider has dominated the headlines in recent months with a consistent focus on help desk scams. Here's what you need to know to protect your business.

How App-Specific Password phishing is being used in the wild to bypass phishing-resistant authentication controls like passkeys.

Attackers are routinely defeating conventional email, network, and endpoint-based security controls. Here's how browser controls can level the playing field.

Push's new Employee Identity Verification Codes feature is a simple way for your help desk to confirm they’re talking to someone from your organization.

Here’s what’s new on the Push platform for June 2025.

We’re thrilled to announce our partnership with Cribl to make it much easier to snapshot, transform, and query Push telemetry.

The HIPAA Security Rule is getting a long-overdue facelift in 2025. Here's our quick overview of the key changes and how Push can help you to be compliant.

Introducing a new era of partner-first phishing protection and identity security.

How the notorious Scattered Spider cyber criminal group are switching up their TTPs in 2025 to bypass MFA and breach cloud services via account takeover.

Why being in the browser gives defenders a key advantage over network and email phishing prevention, detection, and response tools.

Most phishing attacks involve a phishing page that has never been seen before. When detection relies on known-bad, this makes every attack feel like a zero-day.

I’m thrilled to share that Push Security has raised our Series B funding. This is a huge moment for us and our customers in the fight against identity attacks.

We recently investigated a malvertising campaign using Evilginx to target Onfido customers via Google ads.

Consent phishing is where attackers trick users into authorizing access for malicious OAuth apps. Here's how attackers are using this technique in the wild.

HIBP creator and well-known security person Troy Hunt recently blogged about a phish he fell for. Here’s what it tells us about how phishing is evolving.

Detects when employees have weak, reused, or stolen passwords and guide them to update their password using in-browser messaging on any app.

Attackers are persistently targeting Jira accounts with stolen credentials. What can we learn from this trend?

Modern MFA-bypass phishing attacks are routinely defeating primarily email-based security controls. Why are controls failing and what can we do about it?

We're back with part 2 of our research into OpenAI Operator to share our findings on how it can be used to automate identity attacks.

Credential stuffing attacks had a huge impact in 2024. But things could be dialled up even further with Computer-Using Agents like OpenAI Operator.

Here’s what’s new on the Push platform for March 2025.

How app developers can go beyond Minimum Viable Secure Product (MVSP) to implement better identity protections and prevent identity-based attacks.

CUAs are a new type of AI agent that drives your browser/OS for you, enabling effortless automation of web tasks — including those performed by attackers.

Using Push to enforce MFA on third-party apps in the browser — even where MFA enforcement isn't supported by the app itself.

How in-the-wild attacks and our own R&D inspired what we built in 2024 to stop account takeover and reduce security risks across your workforce identities.

How extension developers can improve their security controls to prevent extension compromise.

Reviewing public breaches that stemmed from identity attacks in 2024.

Here’s what’s new on the Push platform for December 2024.

Using Push to automate password resets for your most critical identities when a password vulnerability is detected.

We’ve put together the following guide for intrepid security teams as they use Push to secure against modern identity attacks.

Push now compares user passwords with TI feeds to alert you when valid credentials are available on the clearweb and darkweb.

165 Snowflake customers were targeted by criminals using stolen credentials from infostealer infections, impacting hundreds of millions of people.

How phishing for email verification can be combined with cross-IdP impersonation to gain direct access to downstream SaaS and bypass hardened IdP accounts.

Push's new Chief Revenue Officer, Kevin Arsenault, shares why he decided to join the Push team.

Cross-IdP impersonation is a method of hijacking SSO to access downstream apps — without needing to compromise accounts on your company’s main IdP.

How attackers are breaking detection signatures designed to identify phishing sites impersonating real login pages.

Here’s what’s new on the Push platform for November 2024.

Make sure sensitive corporate credentials don’t leave your corporate environment and end up in personal password managers with Push.

Account takeover on third-party apps is the flavor of the month for security researchers — what can we learn from it?

Why relying on post-compromise detection and response is no longer an option for modern identity attacks.

How Push detects and blocks phishing attempts in the browser – explained in less than two minutes.

Using Push data to calculate how many vulnerable identities the average organization has, and how they lead to different methods of account takeover.

It’s been almost exactly a year since we released our open source repository of SaaS-native attack techniques. Let's reflect on what’s changed.

How Push stops attackers from using identity attack tools and techniques to compromise your employee user accounts.

We've added cloned login page detection, providing yet another layer of protection against phishing attacks.

This is the first blog in a short series we’re putting together about the ‘why’ behind the ‘what’ at Push. This entry is focused on threat detection.

What the rise in popularity of infostealers tells us about the cybercrime ecosystem and the shift toward identity attacks.

We're adding support for Arc, an increasingly popular browser with developers and engineers.

Taking a closer look at the steps that AitM phishing kits take to hide from the prying eyes of security teams and threat intelligence vendors.

Here’s what’s new on the Push platform for July 2024.

Breaking down common misconceptions about identity threats and controls like MFA, SSO, passkeys, password managers, and more.

How ghost logins can be used by cyber attackers for account takeover and persistence.

Enable detections and interventions in the browser using Push’s new security controls.

Push is excited to partner with Panther, bringing our unique browser telemetry to your SIEM.

Push's browser agent identifies session token theft by adding telemetry to the user agent string to create a new high-fidelity signal for your security team.

How to use Push to investigate and respond to a third-party data breach, which results in credentials being stolen and sold on criminal marketplaces.

Right now the majority of detections for identity attacks rely on web proxy telemetry. Here’s why the browser can be a better alternative.

Push analyzes behavioral attributes of malware to identify phishing tools like Evilginx and NakedPages and immediately block end-users from visiting them.

Attackers are using Adversary in the Middle (AitM) phishing toolkits to bypass MFA. We look at what AitM is, how it works, and what you can do about it.

Here’s what’s new on the Push platform for May 2024.

Use Push's variety of app banner options to control which cloud apps employees use, and how they use them.

Behind the scenes of our approach to designing and developing our latest feature, SSO password protection.

Use the Push browser agent’s unique vantage point to protect SSO credentials by blocking employees from entering their password into any other site.

Here’s what’s new on the Push platform for April 2024.

Conceptually analyzing ITDR and whether the current definition is suitable for the types of attacks being seen on cloud identities in the wild.

Some highlights of what we've built over the last year on our mission of stopping identity attacks.

To keep track of how identity attacks are evolving, we’ve put together this helpful index of recent breaches, focusing on the latest identity-based techniques.

Can admins access the secrets from your corporate password manager? If so, how does this affect incident response in a compromised admin account scenario?

In this blog post we will cover what identities are, how we secure perimeters in general, and and how this maps to the identity space.

Here’s what’s new on the Push platform for February 2024.

Don’t leave it up to your employees to figure out how to use cloud apps securely. Guide them directly in their browsers when they access their apps.

In this article, we will cover a number of spoofing and phishing strategies that can be employed by external attackers to target an organization using Teams.

Here’s what’s new on the Push platform for January 2024.

In this article, we'll explain what SAML SSO is, how it works, and clarify some common misconceptions.

In this article, we'll show you how to use Okta to do keylogging for you, without needing to have your own malicious domain hosting your malicious SAML server.

We'll cover the implications of using Okta's SWA authentication method. Learn what security teams need to know in an account breach and IR scenario.

Here’s what’s new on the Push platform for November 2023.

In this article, we define third-party risk management and explore additional approaches that can help manage third-party risk.

In this post, we're going to demonstrate how to phish via Slack to gain persistence and move laterally.

In this article, we’ll demonstrate how IM apps, specifically Slack, are an increasingly attractive target for a range of phishing & social engineering attacks.

Employees are self-adopting SaaS apps and creating new cloud identities without IT approval. Learn how to manage which third parties have access to your data.

A new report on securing digital identities has some interesting takeaways to consider as we think about securing identities in the cloud. Here's our take.

Here’s what’s new on the Push platform for September 2023.

Credential stuffing attacks are incredibly common, but they often go undetected. These attacks are often the entry point for attack. Learn how to prevent them.

Employees sign up to cloud apps on their own every day. Each time, they create a new account and a new identity on that app. How do you find and secure them?

In this article, we’re going to demonstrate how combining two of our favorite new SaaS attack techniques makes a simple, but very stealthy persistence approach.

While OAuth scopes provide seamless online user authentication, they also carry significant risk. Watch out for these common, dangerous scopes.

We’ll define shadow IT, talk through the security risks associated with it and give some actionable guidance on how to manage it.

In this article, we’re going to demo combining two of our favorite new SaaS attack techniques to make a simple, but effective attack chain.

You’ve probably locked down the known cloud services your company is using, but what about all those other SaaS apps people in the company are using?

We'll quickly define SaaS security and help you better understand how to manage the risk SaaS applications introduce to your business

Here’s what’s new on the Push platform for July 2023.

Offensive security drives defensive security. We're sharing a collection of SaaS attack techniques to help defenders understand the threats they face.

Free and trial SaaS accounts are often invisible to security teams and still interact with real, live corporate data.

Adapt your thinking to secure your data. Security needs to move from being the Department of No to the Department of Yes, Unless...

Attackers commonly target SaaS apps because they know employees sign up without running them past IT first. Learn how to adjust to secure your data.

Employees using a new work app used to be the final step of the software-onboarding process. Now it's the first. Security must adapt to secure business data.

This article helps you hone in on which SaaS security solutions might be the best to consider for your specific needs, objectives, and environment.

Attackers routinely use mail rules to hide their attacks, exfiltrate sensitive data, and to get persistent access to victim accounts.

Here’s what’s new on the Push platform for June 2023.

Browser extensions are the most effective SaaS discovery tool because they can capture employee SaaS use and adoption in real time, as employees sign up.

Look at enabling SaaS from a broader understanding of the business and not just the impact to security

SaaS sprawl is not just a raw increase of apps in-use, but also due to employees self-adopting new apps. Orgs need sensible guardrails for employees.

We’re proud to announce our $15M Series A round, led by GV. Here's what we've learned about what our customers need since we launched in July 2022.

Today we're launching a bold new identity for Push. Take a look behind the scenes

Here’s what’s new on the Push platform for March 2023.

An employee has added a new integration to your Azure tenant or Google Workspace. How do you assess risk? We’ll cover a few techniques in this article.

This article covers common ways an app could lead to compromise in Microsoft Azure, and what to look out for when determining risk to your organization.

Password expirations are still commonly recommended, but most security pros agree that they lead to more predictable passwords. Here's what to do instead.

Here’s what’s new on the Push platform for December 2022.

Attackers have loads of persistence options in an endpoint compromise scenario, but what changes in a SaaS-first world? We talk new attack methods in this post.

Learn about the benefits and risks of SaaS integrations and get tips for how to manage the risks.

Is logging in with Google or Microsoft secure? Yes, with caveats.

We address some of the biggest changes to the Cyber Essentials technical controls and offer guidance about how to handle these new questions.

We'll walk through how to quickly detect and mitigate business email compromise (BEC) and then prevent future attacks.

Here’s what’s new on the Push platform for August 2022.

Learn how to manage SaaS in a way that keeps employees productive and doesn't compromise privacy.

Learn some lightweight ways to manage the risks SaaS introduces without relying on restrictive policies that block employees from using their preferred tools.

In this guide, we’ll break down some major SaaS use cases and match them up with solutions that can address them, covering pros and cons for each.

Yesterday, we announced our official launch and what Push Security is all about following our $4m series seed.

We’re excited to announce our $4M seed round, led by Decibel. See how we’re building tech that allows companies to let employees freely & securely adopt SaaS.

Launches solution that finds SaaS apps employees are using and guides them to fix issues

Here’s what’s new on the Push platform for July 2022.

Microsoft is starting to roll out Security Defaults for Azure AD for those who haven’t turned them on yet. Here’s what you need to know.

We’ve compiled some methods for discovering SaaS. Lets explore each approach and learn new ways to discover unknown SaaS, capture SaaS use, and secure it.

How do you find a malicious Microsoft 365 OAuth app? Learn what to look for, and what to ignore, when checking your users haven't been consent phished.

Introduction to OAuth tokens in Google Workspace, how they are used, reasons you might want to review them, and a discussion of how you might go about it.

Consent phishing is an emerging technique attackers are using to compromise user accounts, even if they have Multi-factor Authentication (MFA or 2FA) enabled.

A story by the owner of an Engineering company on how they almost lost millions from a Business Email Compromise (BEC) style attack. An interesting BEC example.

After phishing campaigns target Office 365 and Google Workspace users, malicious mail rules are automatically added to the user’s mailbox. Take steps to defend.

External email auto-forwarding is a feature but also a risk; learn whether you should disable it, and, if you can't, how to manage the risk through detection.

Conditional Access, Security Defaults, or Legacy? Figuring out how to deploy MFA in Microsoft 365 can be complex. This post summarises your options.

Why Multi-Factor Authentication (MFA aka 2FA) is so useful for small and medium-sized businesses, and how to deploy it successfully.

SMS, Authenticator apps, Security Keys, and more! We compare them from a user experience, security, cost, and security aspect.