Blog

Offensive security drives defensive security. We're sharing a collection of SaaS attack techniques to help defenders understand the threats they face.

Detection & response

Identity-based attacks

Tracking identity-based attacks in the wild

To keep track of how identity attacks are evolving, we’ve put together this helpful index of recent breaches, focusing on the latest identity-based techniques.

All

Identity-based attacks

Detection & response

Company news

Identity security

Release notes

Risk management

Shadow IT

Detection & response

Identity-based attacks

Investigating a recent malvertising campaign targeting Onfido customers

We recently investigated a malvertising campaign using Evilginx to target Onfido customers via Google ads.

Luke

Apr 15, 2025

Company news

Why I'm joining Push Security: Innovation with Impact

New CMO Chris Tilton writes about why he's joining the Push Security team.

Chris

Apr 15, 2025

Detection & response

Identity-based attacks

How consent phishing is evolving to defeat detection controls

Consent phishing is where attackers trick users into authorizing access for malicious OAuth apps. Here's how attackers are using this technique in the wild.

Dan

Mar 31, 2025

Detection & response

Identity-based attacks

Dissecting a recent MailChimp phishing attack

HIBP creator and well-known security person Troy Hunt recently blogged about a phish he fell for. Here’s what it tells us about how phishing is evolving.

Dan

Mar 28, 2025

Identity security

Identity-based attacks

Introducing Push password enforcement — for when weak passwords are still plaguing you

Detects when employees have weak, reused, or stolen passwords and guide them to update their password using in-browser messaging on any app.

Kelly

Mar 25, 2025

Detection & response

Identity-based attacks

6 breaches in 5 months: Why attackers are targeting Jira with stolen credentials

Attackers are persistently targeting Jira accounts with stolen credentials. What can we learn from this trend?

Dan

Mar 25, 2025

Detection & response

Identity-based attacks

Why it's time for phishing prevention to move beyond email

Modern MFA-bypass phishing attacks are routinely defeating primarily email-based security controls. Why are controls failing and what can we do about it?

Dan

Mar 20, 2025

Identity security

Identity-based attacks

5 ways attackers can use Computer-Using Agents to automate identity attacks

We're back with part 2 of our research into OpenAI Operator to share our findings on how it can be used to automate identity attacks.

Luke

Mar 13, 2025

Identity security

Identity-based attacks

How new AI agents will transform credential stuffing attacks

Credential stuffing attacks had a huge impact in 2024. But things could be dialled up even further with Computer-Using Agents like OpenAI Operator.

Dan

Mar 11, 2025

Release notes

Product release: March 2025

Here’s what’s new on the Push platform for March 2025.

Minimum Viable Identity Security

How app developers can go beyond Minimum Viable Secure Product (MVSP) to implement better identity protections and prevent identity-based attacks.

Dan

Feb 10, 2025

Identity security

Identity-based attacks

Considering the security implications of Computer-Using Agents (like OpenAI Operator)

CUAs are a new type of AI agent that drives your browser/OS for you, enabling effortless automation of web tasks — including those performed by attackers.

No more hard simple problems: Enforce MFA on third-party apps with Push

Using Push to enforce MFA on third-party apps in the browser — even where MFA enforcement isn't supported by the app itself.

How real-world attacks and research drove Push’s most popular features of 2024

How in-the-wild attacks and our own R&D inspired what we built in 2024 to stop account takeover and reduce security risks across your workforce identities.

Guide to secure browser extension deployment

How extension developers can improve their security controls to prevent extension compromise.

Jacques

Jan 14, 2025

Identity-based attacks

Looking back on identity-based breaches in 2024

Reviewing public breaches that stemmed from identity attacks in 2024.

Dan

Jan 10, 2025

Release notes

Product release: December 2024

Here’s what’s new on the Push platform for December 2024.

Automating SSO password resets using Push

Using Push to automate password resets for your most critical identities when a password vulnerability is detected.

Johann

Dec 13, 2024

Identity security

River crossing: What you can accomplish in your first 90 days with Push Security

We’ve put together the following guide for intrepid security teams as they use Push to secure against modern identity attacks.

Eliminate false positives with verified stolen credential detections using Push

Push now compares user passwords with TI feeds to alert you when valid credentials are available on the clearweb and darkweb.

Kelly

Dec 3, 2024

Identity-based attacks

Snowflake: Looking back on 2024’s landmark security event

165 Snowflake customers were targeted by criminals using stolen credentials from infostealer infections, impacting hundreds of millions of people.

Dan

Nov 29, 2024

Detection & response

Identity-based attacks

A new class of phishing: Verification phishing and cross-IdP impersonation

How phishing for email verification can be combined with cross-IdP impersonation to gain direct access to downstream SaaS and bypass hardened IdP accounts.

Luke

Nov 23, 2024

Company news

Why I’m joining Push Security, from our new Chief Revenue Officer

Push's new Chief Revenue Officer, Kevin Arsenault, shares why he decided to join the Push team.

Kevin

Nov 21, 2024

Detection & response

Identity-based attacks

Cross-IdP impersonation: Hijacking SSO to access downstream apps

Cross-IdP impersonation is a method of hijacking SSO to access downstream apps — without needing to compromise accounts on your company’s main IdP.

Dan

Nov 19, 2024

Detection & response

Identity-based attacks

How AitM phishing kits evade detection: Part 2

How attackers are breaking detection signatures designed to identify phishing sites impersonating real login pages.

Product release: November 2024

Here’s what’s new on the Push platform for November 2024.

Don’t let attackers find the keys to your kingdom in a personal password manager

Make sure sensitive corporate credentials don’t leave your corporate environment and end up in personal password managers with Push.

Alex

Nov 5, 2024

Identity security

Identity-based attacks

What we can learn from the recent ServiceNow/Microsoft disclosure

Account takeover on third-party apps is the flavor of the month for security researchers — what can we learn from it?

Dan

Nov 1, 2024

Detection & response

Identity-based attacks

Shifting detection left for more effective ITDR

Why relying on post-compromise detection and response is no longer an option for modern identity attacks.

Dan

Oct 25, 2024

Detection & response

Identity-based attacks

Detecting and blocking phishing attacks in the browser

How Push detects and blocks phishing attempts in the browser – explained in less than two minutes.

Alex

Oct 23, 2024

Detection & response

Identity-based attacks

How many vulnerable identities do you have?

Using Push data to calculate how many vulnerable identities the average organization has, and how they lead to different methods of account takeover.

Dan

Oct 15, 2024

Detection & response

Identity-based attacks

The SaaS attack matrix: A year in review

It’s been almost exactly a year since we released our open source repository of SaaS-native attack techniques. Let's reflect on what’s changed.

Dan

Aug 27, 2024

Detection & response

Identity-based attacks

Hackers don’t hack in, they log in: How to prevent account takeover with Push

How Push stops attackers from using identity attack tools and techniques to compromise your employee user accounts.

Alex

Aug 19, 2024

Identity-based attacks

Release notes

Adding cloned login page detection to your phishing defense arsenal

We've added cloned login page detection, providing yet another layer of protection against phishing attacks.

Kevin

Aug 14, 2024

Detection & response

Identity-based attacks

Our design philosophy: Detecting what matters

This is the first blog in a short series we’re putting together about the ‘why’ behind the ‘what’ at Push. This entry is focused on threat detection.

Dan

Aug 5, 2024

Detection & response

Identity-based attacks

What the rise of infostealers says about identity attacks

What the rise in popularity of infostealers tells us about the cybercrime ecosystem and the shift toward identity attacks.

Dan

Jul 31, 2024

Release notes

Push introduces support for Arc browser, securing users wherever they work

We're adding support for Arc, an increasingly popular browser with developers and engineers.

Kevin

Jul 25, 2024

Detection & response

Identity-based attacks

How AitM phishing kits evade detection

Taking a closer look at the steps that AitM phishing kits take to hide from the prying eyes of security teams and threat intelligence vendors.

Product release: July 2024

Here’s what’s new on the Push platform for July 2024.

5 reasons why Push Security shouldn’t exist

Breaking down common misconceptions about identity threats and controls like MFA, SSO, passkeys, password managers, and more.

Dan

Jul 11, 2024

Detection & response

Identity-based attacks

Ghost logins: When forgotten identities come back to haunt you

How ghost logins can be used by cyber attackers for account takeover and persistence.

Introducing set-and-forget controls that stop real-world identity attacks

Enable detections and interventions in the browser using Push’s new security controls.

Combining the powers of Push and Panther to stop identity attacks

Push is excited to partner with Panther, bringing our unique browser telemetry to your SIEM.

Introducing session token theft detection: Why browser is best

Push's browser agent identifies session token theft by adding telemetry to the user agent string to create a new high-fidelity signal for your security team.

Investigating and responding to a third-party data breach using Push

How to use Push to investigate and respond to a third-party data breach, which results in credentials being stolen and sold on criminal marketplaces.

Alex

Jun 13, 2024

Detection & response

Identity-based attacks

The web proxy is dead… long live the browser extension!

Right now the majority of detections for identity attacks rely on web proxy telemetry. Here’s why the browser can be a better alternative.

Introducing AitM phishing toolkit detection, powered by the Push browser agent

Push analyzes behavioral attributes of malware to identify phishing tools like Evilginx and NakedPages and immediately block end-users from visiting them.

Kelly

Jun 6, 2024

Detection & response

Identity-based attacks

Phishing 2.0 – how phishing toolkits are evolving with AitM

Attackers are using Adversary in the Middle (AitM) phishing toolkits to bypass MFA. We look at what AitM is, how it works, and what you can do about it.

Luke

May 23, 2024

Release notes

Product release: May 2024

Here’s what’s new on the Push platform for May 2024.

Enforce end-user security controls with our new app banner options

Use Push's variety of app banner options to control which cloud apps employees use, and how they use them.

Dev diary: Phishing prevention behind the scenes

Behind the scenes of our approach to designing and developing our latest feature, SSO password protection.

Introducing SSO Password Protection: Stop employees’ IdP credentials being exposed or phished

Use the Push browser agent’s unique vantage point to protect SSO credentials by blocking employees from entering their password into any other site.

Alex

Apr 29, 2024

Release notes

Product release: April 2024

Here’s what’s new on the Push platform for April 2024.

Identity threat detection and response (ITDR) – not another product category!

Conceptually analyzing ITDR and whether the current definition is suitable for the types of attacks being seen on cloud identities in the wild.

A year of building: Top features we shipped this year

Some highlights of what we've built over the last year on our mission of stopping identity attacks.

Andy

Mar 28, 2024

Detection & response

Identity-based attacks

Tracking identity-based attacks in the wild

To keep track of how identity attacks are evolving, we’ve put together this helpful index of recent breaches, focusing on the latest identity-based techniques.

Can my admins steal my cloud password manager secrets?

Can admins access the secrets from your corporate password manager? If so, how does this affect incident response in a compromised admin account scenario?

5 ways to defeat identity-based attacks

In this blog post we will cover what identities are, how we secure perimeters in general, and and how this maps to the identity space.

Jacques

Feb 26, 2024

Release notes

Product release: February 2024

Here’s what’s new on the Push platform for February 2024.

Introducing in-browser app banners: Set guardrails for cloud apps

Don’t leave it up to your employees to figure out how to use cloud apps securely. Guide them directly in their browsers when they access their apps.

Alex

Feb 6, 2024

Identity security

Identity-based attacks

Phishing Microsoft Teams for initial access

In this article, we will cover a number of spoofing and phishing strategies that can be employed by external attackers to target an organization using Teams.

Luke

Jan 23, 2024

Release notes

Product release: January 2024

Here’s what’s new on the Push platform for January 2024.

In this article, we'll explain what SAML SSO is, how it works, and clarify some common misconceptions.

Johann

Jan 3, 2024

Identity security

Identity-based attacks

Oktajacking

In this article, we'll show you how to use Okta to do keylogging for you, without needing to have your own malicious domain hosting your malicious SAML server.

Abusing Okta's SWA authentication

We'll cover the implications of using Okta's SWA authentication method. Learn what security teams need to know in an account breach and IR scenario.

Luke

Nov 30, 2023

Release notes

Product release: November 2023

Here’s what’s new on the Push platform for November 2023.

Understanding Third-Party Risk Management (TPRM): how to protect your organization

In this article, we define third-party risk management and explore additional approaches that can help manage third-party risk.

Sally

Oct 31, 2023

Identity security

Identity-based attacks

Slack Attack: A phisher's guide to persistence and lateral movement

In this post, we're going to demonstrate how to phish via Slack to gain persistence and move laterally.

Luke

Oct 24, 2023

Identity security

Identity-based attacks

Slack Attack: A phisher's guide to initial access

In this article, we’ll demonstrate how IM apps, specifically Slack, are an increasingly attractive target for a range of phishing & social engineering attacks.

6 ways to manage third-party access to your data with Push

Employees are self-adopting SaaS apps and creating new cloud identities without IT approval. Learn how to manage which third parties have access to your data.

Sally

Oct 11, 2023

Identity security

Identity-based attacks

6 surprising takeaways from a recent report on identity-based attacks

A new report on securing digital identities has some interesting takeaways to consider as we think about securing identities in the cloud. Here's our take.

Sally

Oct 3, 2023

Release notes

Product release: September 2023

Here’s what’s new on the Push platform for September 2023.

Andy

Sep 26, 2023

Identity security

Identity-based attacks

Credential stuffing: The most common attack against SaaS identities

Credential stuffing attacks are incredibly common, but they often go undetected. These attacks are often the entry point for attack. Learn how to prevent them.

Get out of the dark: Manage the risk of shadow identities

Employees sign up to cloud apps on their own every day. Each time, they create a new account and a new identity on that app. How do you find and secure them?

Tyrone

Sep 19, 2023

Detection & response

Identity-based attacks

The shadow workflow’s evil twin: A nearly invisible attack chain

In this article, we’re going to demonstrate how combining two of our favorite new SaaS attack techniques makes a simple, but very stealthy persistence approach.

Under the radar: The risky terrain of OAuth scopes in third-party Integrations

While OAuth scopes provide seamless online user authentication, they also carry significant risk. Watch out for these common, dangerous scopes.

Understanding Shadow IT and Shadow SaaS: Definition, security risks, and how to manage it

We’ll define shadow IT, talk through the security risks associated with it and give some actionable guidance on how to manage it.

Sally

Aug 30, 2023

Detection & response

Identity-based attacks

SAMLjacking a poisoned tenant

In this article, we’re going to demo combining two of our favorite new SaaS attack techniques to make a simple, but effective attack chain.

Focus on account and identity security to reduce SaaS risks

You’ve probably locked down the known cloud services your company is using, but what about all those other SaaS apps people in the company are using?

SaaS Security: what is it & how to manage the risk

We'll quickly define SaaS security and help you better understand how to manage the risk SaaS applications introduce to your business

Sally

Aug 3, 2023

Release notes

Product release: July 2023

Here’s what’s new on the Push platform for July 2023.

Andy

Jul 31, 2023

Detection & response

Identity-based attacks

Let’s talk about SaaS attack techniques

Offensive security drives defensive security. We're sharing a collection of SaaS attack techniques to help defenders understand the threats they face.

Free and trial SaaS applications are even riskier than paid apps

Free and trial SaaS accounts are often invisible to security teams and still interact with real, live corporate data.

The no-jargon guide to solving shadow SaaS

Adapt your thinking to secure your data. Security needs to move from being the Department of No to the Department of Yes, Unless...

7 Steps to secure your data across shadow SaaS apps

Attackers commonly target SaaS apps because they know employees sign up without running them past IT first. Learn how to adjust to secure your data.

The Push Team

Jun 26, 2023

Identity-based attacks

Shadow IT

SaaS sprawl isn't a problem - if you completely change your approach

Employees using a new work app used to be the final step of the software-onboarding process. Now it's the first. Security must adapt to secure business data.

Jacques

Jun 22, 2023

Identity-based attacks

Shadow IT

SaaS security solution buyer's guide

This article helps you hone in on which SaaS security solutions might be the best to consider for your specific needs, objectives, and environment.

The Push Team

Jun 8, 2023

Detection & response

Identity-based attacks

Half of account compromise attacks included malicious mail rules

Attackers routinely use mail rules to hide their attacks, exfiltrate sensitive data, and to get persistent access to victim accounts.

Sally

Jun 6, 2023

Release notes

Product Release: June 2023

Here’s what’s new on the Push platform for June 2023.

Want to discover the full extent of your SaaS sprawl? Embrace browser extensions

Browser extensions are the most effective SaaS discovery tool because they can capture employee SaaS use and adoption in real time, as employees sign up.

Embrace SaaS to move faster than your competitors

Look at enabling SaaS from a broader understanding of the business and not just the impact to security

Sally

Apr 21, 2023

Company news

Push it real good: Why I’m excited to join Push’s board

SaaS sprawl is not just a raw increase of apps in-use, but also due to employees self-adopting new apps. Orgs need sensible guardrails for employees.

From launch to series A

We’re proud to announce our $15M Series A round, led by GV. Here's what we've learned about what our customers need since we launched in July 2022.

Today we're launching a bold new identity for Push. Take a look behind the scenes

Sally

Mar 24, 2023

Release notes

Product Release: March 2023

Here’s what’s new on the Push platform for March 2023.

An investigation guide for assessing app-to-app OAuth integration risk

An employee has added a new integration to your Azure tenant or Google Workspace. How do you assess risk? We’ll cover a few techniques in this article.

Luke

Mar 15, 2023

Detection & response

Identity-based attacks

How attackers compromise Azure organizations through SaaS apps

This article covers common ways an app could lead to compromise in Microsoft Azure, and what to look out for when determining risk to your organization.

Password expirations don’t work. Try these best practices instead.

Password expirations are still commonly recommended, but most security pros agree that they lead to more predictable passwords. Here's what to do instead.

Tyrone

Dec 15, 2022

Release notes

Product Release: December 2022

Here’s what’s new on the Push platform for December 2022.

Andy

Dec 8, 2022

Identity-based attacks

Maintaining persistent access in a SaaS-first world

Attackers have loads of persistence options in an endpoint compromise scenario, but what changes in a SaaS-first world? We talk new attack methods in this post.

Is it safe to allow my employees to connect third-party apps to our M365/Google Workspace tenant?

Learn about the benefits and risks of SaaS integrations and get tips for how to manage the risks.

Should I let my employees login with their work Google account?

Is logging in with Google or Microsoft secure? Yes, with caveats.

NCSC 2022 Cyber Essentials puts the spotlight on SaaS

We address some of the biggest changes to the Cyber Essentials technical controls and offer guidance about how to handle these new questions.

How to kick off an incident response investigation for a compromised SaaS account

We'll walk through how to quickly detect and mitigate business email compromise (BEC) and then prevent future attacks.

Johann

Sep 20, 2022

Release notes

Product release: August 2022

Here’s what’s new on the Push platform for August 2022.

How to discover SaaS use without invading employee privacy

Learn how to manage SaaS in a way that keeps employees productive and doesn't compromise privacy.

5 steps to manage the risk of unsanctioned SaaS

Learn some lightweight ways to manage the risks SaaS introduces without relying on restrictive policies that block employees from using their preferred tools.

How to find the right SaaS security solution for your organization

In this guide, we’ll break down some major SaaS use cases and match them up with solutions that can address them, covering pros and cons for each.

Jacques

Jul 25, 2022

Company news

What we’ve been up to with our seed funding: a peek behind the curtain

Yesterday, we announced our official launch and what Push Security is all about following our $4m series seed.

Adam

Jul 20, 2022

Company news

Building a culture of trust to secure SaaS, together

We’re excited to announce our $4M seed round, led by Decibel. See how we’re building tech that allows companies to let employees freely & securely adopt SaaS.

The Push Team

Jul 19, 2022

Company news

Push Security Announces $4M Seed Round to Introduce User-Centric Approach to Securing SaaS

Launches solution that finds SaaS apps employees are using and guides them to fix issues

The Push Team

Jul 19, 2022

Release notes

Product release: July 2022

Here’s what’s new on the Push platform for July 2022.

Microsoft rolls out Security Defaults for Azure AD to secure access

Microsoft is starting to roll out Security Defaults for Azure AD for those who haven’t turned them on yet. Here’s what you need to know.

How to roll-your-own SaaS discovery

We’ve compiled some methods for discovering SaaS. Lets explore each approach and learn new ways to discover unknown SaaS, capture SaaS use, and secure it.

How to find a malicious OAuth app on Microsoft 365

How do you find a malicious Microsoft 365 OAuth app? Learn what to look for, and what to ignore, when checking your users haven't been consent phished.

Investigating user delegated OAuth tokens in Google Workspace - a ride along

Introduction to OAuth tokens in Google Workspace, how they are used, reasons you might want to review them, and a discussion of how you might go about it.

Jacques

Jul 14, 2021

Detection & response

Identity-based attacks

Consent phishing: the emerging phishing technique that can bypass 2FA

Consent phishing is an emerging technique attackers are using to compromise user accounts, even if they have Multi-factor Authentication (MFA or 2FA) enabled.

Alex

Jul 5, 2021

Identity-based attacks

Risk management

Case study: Business Email Compromise (BEC) attack nearly cost us millions

A story by the owner of an Engineering company on how they almost lost millions from a Business Email Compromise (BEC) style attack. An interesting BEC example.

Tyrone

Jun 13, 2021

Detection & response

Identity-based attacks

Email security: How hackers use mail rules to access your inbox

After phishing campaigns target Office 365 and Google Workspace users, malicious mail rules are automatically added to the user’s mailbox. Take steps to defend.

Andy

Jun 9, 2021

Detection & response

Identity-based attacks

Should you disable external email auto-forwarding?

External email auto-forwarding is a feature but also a risk; learn whether you should disable it, and, if you can't, how to manage the risk through detection.

How to set up Multi-Factor Authentication for Microsoft 365

Conditional Access, Security Defaults, or Legacy? Figuring out how to deploy MFA in Microsoft 365 can be complex. This post summarises your options.

Multi-Factor Authentication is the top security control for most small and medium-sized businesses

Why Multi-Factor Authentication (MFA aka 2FA) is so useful for small and medium-sized businesses, and how to deploy it successfully.

Which MFA methods should you use?

SMS, Authenticator apps, Security Keys, and more! We compare them from a user experience, security, cost, and security aspect.

Andy

Mar 14, 2021

Subscribe to get updates from Push

The latest news, articles, and resources, sent to your inbox

Explore use cases

Prevent identity attacks

Detect and respond to identity attacks

Blog