[{"data":1,"prerenderedAt":4340},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":36,"navbar-about-highlight":100,"navbar-resource-highlight":174,"use-case-page":220,"fa-icon-regular-faFishingRod":1242,"fa-icon-regular-faPuzzlePiece":1246,"fa-icon-regular-faUserSecret":1248,"fa-icon-regular-faRadar":1250,"fa-icon-regular-faLaptopCode":1252,"fa-icon-regular-faSatelliteDish":1254,"fa-icon-regular-faShieldCheck":1256,"fa-icon-regular-faBrainCircuit":1258,"blog/7-things-we-learned-from-troy-hunt":1260},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"query":14,"data":15,"variations":20,"lastUpdated":21,"firstPublished":22,"testRatio":23,"createdBy":24,"lastUpdatedBy":25,"folders":26,"meta":27,"rev":35},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner","1c6207a5f24948ab82d4a0b17f251193","published",[],{"type":16,"url":17,"text":18,"link":19},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,1,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2","jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":28,"lastPreviewUrl":29,"breakpoints":30,"hasAutosaves":34},"data","",{"xsmall":31,"small":32,"medium":33},320,640,768,true,"s1c7pgdjdp",{"createdDate":37,"id":38,"name":39,"modelId":40,"published":13,"stageModifiedSincePublish":6,"query":41,"data":42,"variations":89,"lastUpdated":90,"firstPublished":91,"testRatio":23,"createdBy":92,"lastUpdatedBy":93,"folders":94,"meta":95,"rev":99},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"url":29,"ctaText":43,"text":44,"blocks":45,"state":85},"ewrererw","testrfesssssssssss",[46,73],{"@type":47,"@version":48,"id":49,"component":50,"responsiveStyles":63},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":51,"tag":51,"options":52,"isRSC":62},"TopBannerContent",{"text":53,"ctaText":54,"url":55,"mainText":56,"cta":59},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks","Save Your Spot","https://pushsecurity.com/webinar/state-of-browser-security",{"content":57,"fontSize":58},"\u003Cp>Is your stack covered? 51 browser & identity attacks, mapped.\u003C/p>","text-base",{"content":60,"fontSize":58,"url":61},"\u003Cp>\u003Cstrong style=\"font-weight:700;\">See the matrix →\u003C/strong>\u003C/p>\n","https://pushsecurity.com/resources/browser-identity-attacks-matrix/",null,{"large":64},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"marginTop":70,"marginBottom":70,"fontSize":71,"fontWeight":72},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"id":74,"@type":47,"tagName":75,"properties":76,"responsiveStyles":80},"builder-pixel-w799xxl0fjq","img",{"src":77,"aria-hidden":78,"alt":29,"role":79,"width":68,"height":68},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":81},{"height":68,"width":68,"display":82,"opacity":68,"overflow":83,"pointerEvents":84},"block","hidden","none",{"deviceSize":86,"location":87},"large",{"path":29,"query":88},{},{},1778612252607,1774968080803,"ST0tXQM8slWpFrmioqKHmENB2qe2","ax7YYfD0OCeqT1Vxxv1G4FUbqVr1",[],{"kind":96,"hasLinks":6,"breakpoints":97,"lastPreviewUrl":98,"hasAutosaves":34,"hasErrors":6},"component",{"xsmall":31,"small":32,"medium":33},"https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests%2CmergePullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default","vu2mk17whmi",[101,137],{"createdDate":102,"id":103,"name":104,"modelId":105,"published":13,"stageModifiedSincePublish":6,"query":106,"data":107,"variations":130,"lastUpdated":131,"firstPublished":132,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":133,"meta":134,"rev":136},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":108,"type":109,"testimonialLink":110,"testimonial":111},{},"testimonial","/customer-stories/inductive-automation",{"@type":112,"id":113,"model":109,"value":114},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79",{"query":115,"folders":116,"createdDate":117,"id":113,"name":118,"modelId":119,"published":13,"data":120,"variations":124,"lastUpdated":125,"firstPublished":126,"testRatio":23,"createdBy":92,"lastUpdatedBy":92,"meta":127,"rev":129},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":121,"jobTitle":122,"quote":118,"image":123},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,{"kind":28,"lastPreviewUrl":29,"breakpoints":128,"hasAutosaves":34},{"small":32,"medium":33},"qh8twjddz8c",{},1776247404986,1776247404973,[],{"breakpoints":135,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"c8kt84dz6r8",{"createdDate":138,"id":139,"name":140,"modelId":105,"published":13,"meta":141,"stageModifiedSincePublish":6,"query":143,"data":144,"variations":170,"lastUpdated":171,"firstPublished":172,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":173,"rev":136},1776255761419,"05a9322735fc427db12e2740e4302300","Report: 2026 Browser Attack Techniques",{"breakpoints":142,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":145,"link":164,"type":167,"title":140,"description":168,"image":169},{"@type":112,"id":146,"model":109,"value":147},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":148,"folders":149,"createdDate":150,"id":146,"name":151,"modelId":119,"published":13,"data":152,"variations":158,"lastUpdated":159,"firstPublished":160,"testRatio":23,"createdBy":92,"lastUpdatedBy":24,"meta":161,"rev":163},[],[],1728981467463,"Push does for identity what CrowdStrike did for the endpoint",{"video":153,"jobTitle":154,"author":155,"qoute":29,"quote":156,"image":157},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":28,"lastPreviewUrl":29,"breakpoints":162,"hasAutosaves":34},{"small":32,"medium":33},"hpzw65sp5k",{"text":165,"url":166},"Download now","/resources/browser-attacks-report","resource","Learn about the latest techniques being used in the wild.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9",{},1776255810913,1776255810900,[],[175,198],{"createdDate":176,"id":177,"name":140,"modelId":178,"published":13,"meta":179,"stageModifiedSincePublish":6,"query":181,"data":182,"variations":193,"lastUpdated":194,"firstPublished":195,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":196,"rev":197},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":180,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":183,"link":192,"type":167,"title":140,"description":168,"image":169},{"@type":112,"id":146,"model":109,"value":184},{"query":185,"folders":186,"createdDate":150,"id":146,"name":151,"modelId":119,"published":13,"data":187,"variations":188,"lastUpdated":159,"firstPublished":160,"testRatio":23,"createdBy":92,"lastUpdatedBy":24,"meta":189,"rev":191},[],[],{"video":153,"jobTitle":154,"author":155,"qoute":29,"quote":156,"image":157},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":190,"hasAutosaves":34},{"small":32,"medium":33},"xw6i3jox3xh",{"text":165,"url":166},{},1776256937553,1776256937540,[],"x0ak99wy5v",{"createdDate":199,"id":200,"name":201,"modelId":178,"published":13,"stageModifiedSincePublish":6,"query":202,"data":203,"variations":214,"lastUpdated":215,"firstPublished":216,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":217,"meta":218,"rev":197},1776256949234,"ce043785b71b4ece98eac811ecf4ba10","inductive-automation",[],{"link":204,"type":109,"testimonial":205,"testimonialLink":110},{},{"@type":112,"id":113,"model":109,"value":206},{"query":207,"folders":208,"createdDate":117,"id":113,"name":118,"modelId":119,"published":13,"data":209,"variations":210,"lastUpdated":125,"firstPublished":126,"testRatio":23,"createdBy":92,"lastUpdatedBy":92,"meta":211,"rev":213},[],[],{"author":121,"jobTitle":122,"quote":118,"image":123},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":212,"hasAutosaves":34},{"small":32,"medium":33},"sec3hxobj4",{},1776256974140,1776256974130,[],{"breakpoints":219,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[221,405,524,643,761,881,1001,1121],{"createdDate":222,"id":223,"name":224,"modelId":225,"published":13,"stageModifiedSincePublish":6,"query":226,"data":232,"variations":393,"lastUpdated":394,"firstPublished":395,"testRatio":23,"screenshot":396,"createdBy":92,"lastUpdatedBy":397,"folders":398,"meta":399,"rev":404},1744829487099,"387451215c314dd5bd654668cdc1a197","Zero-day phishing","cca4143377554c5a9163cc203a8ed2ba",[227],{"@type":228,"property":229,"operator":230,"value":231},"@builder.io/core:Query","urlPath","is","/uc/zero-day-phishing-protection",{"inputs":233,"customFonts":234,"seoTitle":282,"title":282,"tsCode":29,"seoDescription":283,"fontAwesomeIcon":284,"jsCode":29,"blocks":285,"url":231,"state":390},[],[235],{"family":236,"kind":237,"version":238,"lastModified":239,"files":240,"category":259,"menu":260,"subsets":261,"variants":264},"DM Sans","webfonts#webfont","v14","2023-07-13",{"100":241,"200":242,"300":243,"500":244,"600":245,"700":246,"800":247,"900":248,"800italic":249,"900italic":250,"700italic":251,"100italic":252,"italic":253,"regular":254,"200italic":255,"500italic":256,"300italic":257,"600italic":258},"https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAop1hTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwA_JxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAkJxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAfJthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwARZthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAC5thTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8gCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9uCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDG3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-7DW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat_XDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9XCm3zRmYJpso5.ttf","sans-serif","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxRT23z.ttf",[262,263],"latin","latin-ext",[265,266,267,268,269,270,72,271,272,273,274,275,276,277,278,279,280,281],"100","200","300","regular","500","600","800","900","100italic","200italic","300italic","italic","500italic","600italic","700italic","800italic","900italic","Zero-day phishing protection","Detect phishing TTPs directly in the browser and stop credential theft.","faFishingRod",[286,385],{"@type":47,"@version":48,"tagName":287,"id":288,"children":289},"div","builder-76c6b8d1499346c7bc1fd56ae4e93638",[290,307,315,322,334,349,360,371,377],{"@type":47,"@version":48,"layerName":291,"id":292,"component":293,"responsiveStyles":304},"UseCaseHero","builder-5228fe062bef4a40a91e43f1112832fa",{"name":291,"options":294,"isRSC":62},{"title":282,"description":295,"points":296,"video":303},"\u003Cp>Push detects phishing as it happens. Autonomous agents hunt for new phishing techniques, identify kit signatures, and deploy detections within minutes of a new attack being analyzed. From cloned login pages to AiTM credential harvesting, Push sees what traditional filters miss and stops threats before they escalate.\u003C/p>",[297,299,301],{"item":298},"Detect phishing that bypasses traditional filters, including AiTM, SSO password theft, and fake login pages",{"item":300},"Stop never-before-seen attacks with AI-native behavioral and on-page analysis inside the browser",{"item":302},"Investigate faster with unified browser, user, and page context","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F40433ceeb4f94b43a82e039a0f4fd411%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=40433ceeb4f94b43a82e039a0f4fd411&alt=media&optimized=true",{"large":305},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"backgroundColor":306},"transparent",{"@type":47,"@version":48,"id":308,"component":309,"responsiveStyles":312},"builder-96634044407e491299e291ed64669e39",{"name":310,"options":311,"isRSC":62},"TrustedBy",{"AllPartners":34,"backgroundTransparent":6},{"large":313},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"backgroundColor":314},"#000",{"@type":47,"@version":48,"id":316,"component":317,"responsiveStyles":320},"builder-2c3768f930534557bb8978e32b6a6a0f",{"name":318,"options":319,"isRSC":62},"Diagonal",{"darkMode":34},{"large":321},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"@type":47,"@version":48,"layerName":323,"id":324,"component":325,"responsiveStyles":332},"TextImageBlockVertical","builder-7c3c1c2840424db2ad2ccbfaf382dd64",{"name":323,"tag":323,"options":326,"isRSC":62},{"darkMode":6,"maxWidth":327,"maxTextWidth":328,"title":329,"description":330,"animatedTitle":29,"image":331,"reverse":6,"descriptionPaddingHorizontal":62},1200,800,"\u003Ch2>Why stop at the inbox?\u003C/h2>","\u003Cp>Phishing attacks have evolved. Whether attackers lure users with QR codes, instant messages, or OAuth consent screens, the outcome is the same: it plays out in the browser. Push gives you real-time detection for in-browser threats, stopping phishing and consent-based attacks before they lead to compromise\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7fdcac241f0e4a049166d7076858adeb",{"large":333},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"@type":47,"@version":48,"id":335,"component":336,"responsiveStyles":344},"builder-41c978b3669749cf947e622b4e79e4d7",{"name":337,"options":338,"isRSC":62},"TextImageBlockHorizontal",{"darkMode":6,"maxWidth":327,"imageMaxWidth":339,"textPaddingTop":340,"title":341,"description":342,"reverse":34,"image":343},600,100,"\u003Cp>Detect phishing at the edge\u003C/p>","\u003Cp>Push uses industry-first telemetry to detect phishing based on behavior, not static indicators. Autonomous agents analyze how phishing pages behave and how users interact with them, uncovering fake logins, credential theft, and phishing kits the moment they load in the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F9df3d180c97b4e61af142af2ccd68721",{"large":345},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"fontFamily":346,"paddingTop":347,"marginTop":348},"DM Sans, sans-serif","20px","0px",{"@type":47,"@version":48,"id":350,"component":351,"responsiveStyles":357},"builder-d2a7bc941feb43cdb898bc116b203cf9",{"name":337,"options":352,"isRSC":62},{"darkMode":6,"maxWidth":327,"imageMaxWidth":339,"textPaddingTop":353,"title":354,"description":355,"reverse":6,"image":356},120,"\u003Ch2>Go beyond blocklists and IOCs\u003C/h2>","\u003Cp>Push goes beyond URLs and easy-to-change indicators. It reads the full phishing playbook like script behavior, session hijacks, DOM changes, user inputs, then connects the dots in real time. This gives your team a complete picture of how the phishing attempt worked, not just an alert.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fabfd58db169b433e96d3f1261797156e",{"large":358},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"paddingTop":359},"36px",{"@type":47,"@version":48,"layerName":337,"id":361,"component":362,"responsiveStyles":368},"builder-42c32198083f4880acb37c5cb76934da",{"name":337,"options":363,"isRSC":62},{"darkMode":6,"maxWidth":327,"imageMaxWidth":339,"textPaddingTop":364,"title":365,"description":366,"reverse":34,"image":367},140,"\u003Ch2>Enhance your phishing response\u003C/h2>","\u003Cp>When phishing enters your environment, speed matters. Push gives you instant access to the telemetry that counts like session data, user behavior, and page activity, so you can investigate fast, trigger in-browser prompts, or forward alerts to your SIEM or SOAR for response. All in real time, right from the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fbb195aec46904056b85e8688629e558e",{"large":369},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"paddingTop":370},"47px",{"@type":47,"@version":48,"id":372,"component":373,"responsiveStyles":375},"builder-9a95b9cbc4854421a92ef7b90f6c7adb",{"name":318,"options":374,"isRSC":62},{"darkMode":6},{"large":376},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"@type":47,"@version":48,"id":378,"component":379,"responsiveStyles":383},"builder-0afa17a9f25c4661a90f314d5578aa18",{"name":380,"tag":380,"options":381,"isRSC":62},"LatestResources",{"sectionHeading":29,"customClass":382},"bg-black",{"large":384},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"id":386,"@type":47,"tagName":75,"properties":387,"responsiveStyles":388},"builder-pixel-azfyy7alwzh",{"src":77,"aria-hidden":78,"alt":29,"role":79,"width":68,"height":68},{"large":389},{"height":68,"width":68,"display":82,"opacity":68,"overflow":83,"pointerEvents":84},{"deviceSize":86,"location":391},{"path":29,"query":392},{},{},1776275046831,1745499158657,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fff60c30a8442489c8ed7e0af9599d14f","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"lastPreviewUrl":400,"winningTest":62,"breakpoints":401,"kind":402,"hasLinks":6,"originalContentId":403,"hasAutosaves":6},"https://pushsecurity.com/uc/zero-day-phishing-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=387451215c314dd5bd654668cdc1a197&builder.overrides.387451215c314dd5bd654668cdc1a197=387451215c314dd5bd654668cdc1a197&builder.overrides.use-case-page:/uc/zero-day-phishing-protection=387451215c314dd5bd654668cdc1a197&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},"page","2daa5670b8504fc7ba4700633e8bd921","p7xxdc7e2lb",{"createdDate":406,"id":407,"name":408,"modelId":225,"published":13,"stageModifiedSincePublish":6,"query":409,"data":412,"variations":516,"lastUpdated":517,"firstPublished":518,"testRatio":23,"screenshot":519,"createdBy":92,"lastUpdatedBy":397,"folders":520,"meta":521,"rev":404},1756833377777,"54f8256648f54d439303734b1e69221b","Browser extension security",[410],{"@type":228,"property":229,"operator":230,"value":411},"/uc/browser-extension-security",{"seoDescription":413,"jsCode":29,"fontAwesomeIcon":414,"tsCode":29,"title":408,"seoTitle":408,"customFonts":415,"inputs":420,"blocks":421,"url":411,"state":513},"Shine a light on risky browser extensions.","faPuzzlePiece",[416],{"kind":237,"family":236,"version":238,"files":417,"category":259,"lastModified":239,"subsets":418,"variants":419,"menu":260},{"100":241,"200":242,"300":243,"500":244,"600":245,"700":246,"800":247,"900":248,"100italic":252,"italic":253,"regular":254,"900italic":250,"800italic":249,"700italic":251,"200italic":255,"300italic":257,"500italic":256,"600italic":258},[262,263],[265,266,267,268,269,270,72,271,272,273,274,275,276,277,278,279,280,281],[],[422,508],{"@type":47,"@version":48,"tagName":287,"id":423,"meta":424,"children":425},"builder-71d0648c1d2f4ede8d0d0b5b28b7b94c",{"previousId":288},[426,442,449,456,465,475,485,495,502],{"@type":47,"@version":48,"id":427,"meta":428,"component":429,"responsiveStyles":440},"builder-ff325b4b8fad4edea53f38865947e854",{"previousId":292},{"name":291,"options":430,"isRSC":62},{"title":408,"description":431,"points":432,"video":439},"\u003Cp>Browser extensions introduce new code, new permissions, and new potential for risk. Many include AI features, and most go completely unnoticed. Push gives you full visibility into every extension used across your workforce, across major browsers, so you can uncover shadow IT, assess risky permissions, and block unsafe tools before they lead to compromise.\u003C/p>",[433,435,437],{"item":434},"Discover every browser extension in use",{"item":436},"Spot risky or unsanctioned behavior",{"item":438},"Make informed decisions on extension policy","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc538aad95d7f403aa3c3551af72f67c0?alt=media&token=1411fa6d-2eac-4e6c-94bf-ea117da12d67&apiKey=f3a1111ff5be48cdbb123cd9f5795a05",{"large":441},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"backgroundColor":306},{"@type":47,"@version":48,"id":443,"meta":444,"component":445,"responsiveStyles":447},"builder-fb89d128c64e47cf9cbb11d90fc24523",{"previousId":308},{"name":310,"options":446,"isRSC":62},{"AllPartners":34,"backgroundTransparent":6},{"large":448},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"backgroundColor":314},{"@type":47,"@version":48,"id":450,"meta":451,"component":452,"responsiveStyles":454},"builder-54388d35126c4d0096eeebaf8c4448cd",{"previousId":316},{"name":318,"options":453,"isRSC":62},{"darkMode":34},{"large":455},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"@type":47,"@version":48,"layerName":323,"id":457,"component":458,"responsiveStyles":463},"builder-3c8fa6785dd6466abf52a2470d66d85a",{"name":323,"tag":323,"options":459,"isRSC":62},{"darkMode":6,"maxWidth":327,"maxTextWidth":328,"title":460,"description":461,"image":462,"reverse":6},"\u003Ch2>Take control of browser extensions\u003C/h2>","\u003Cp>Attackers are increasingly using malicious browser extensions to gain access to data processed and stored in the browser. And the problem is, most security teams have no visibility into what extensions are being used. Push changes that. With browser-native telemetry, the Push extension continuously inventories browser extensions across your environment, flags the risky ones, and gives you intelligence to act. \u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0a004f16a6874f4c8fdf14344acc9fec",{"large":464},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"@type":47,"@version":48,"id":466,"meta":467,"component":468,"responsiveStyles":473},"builder-93738f98109a4009affb349afd7bb182",{"previousId":335},{"name":337,"options":469,"isRSC":62},{"darkMode":6,"maxWidth":327,"imageMaxWidth":339,"textPaddingTop":340,"title":470,"description":471,"reverse":34,"image":472},"\u003Ch2>Discover every extension in use\u003C/h2>","\u003Cp>Push gives you structured, searchable data about every extension in your environment, so you’re not just seeing what’s there, but also understanding how it got there, what it can do, and who it affects. It’s the kind of granular insight that’s nearly impossible to get from traditional tools, and it lays the groundwork for better policy decisions and faster investigations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0e5727ca99474f14b1b7916bf6bbb782",{"large":474},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"fontFamily":346,"paddingTop":347,"marginTop":348},{"@type":47,"@version":48,"id":476,"meta":477,"component":478,"responsiveStyles":483},"builder-83393acb12ee4fdd840839185b51edb4",{"previousId":350},{"name":337,"options":479,"isRSC":62},{"darkMode":6,"maxWidth":327,"imageMaxWidth":339,"textPaddingTop":353,"title":480,"description":481,"reverse":6,"image":482},"\u003Ch2>Spot risky or malicious extensions\u003C/h2>","\u003Cp>Push highlights extensions with dangerous permissions, broad access, or poor reputations. This includes AI extensions that request access far beyond what their stated purpose requires. You can quickly detect sideloaded, manually installed, or development-mode extensions that bypass normal controls. And because Push shows you who’s using them and where, you can respond precisely and effectively.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa104d58c8da34fbb8901f738fb21453b",{"large":484},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"paddingTop":359},{"@type":47,"@version":48,"layerName":337,"id":486,"meta":487,"component":488,"responsiveStyles":493},"builder-da98e3de949646d89c53a0d1c2784664",{"previousId":361},{"name":337,"options":489,"isRSC":62},{"darkMode":6,"maxWidth":327,"imageMaxWidth":339,"textPaddingTop":364,"title":490,"description":491,"reverse":34,"image":492},"\u003Ch2>Accelerate security reviews\u003C/h2>","\u003Cp>Most teams have extension policies, they just don’t have the data to enforce them. Push reveals how each extension entered your environment, whether it was installed manually, sideloaded, or deployed in dev mode. You’ll see which users are running what, and where, so you can surface violations, investigate quickly, and respond with confidence.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F229f355be6f243b180f410d237a75bb3",{"large":494},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"paddingTop":370},{"@type":47,"@version":48,"id":496,"meta":497,"component":498,"responsiveStyles":500},"builder-1a689287d1a1418997d57db578a71105",{"previousId":372},{"name":318,"options":499,"isRSC":62},{"darkMode":6},{"large":501},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"@type":47,"@version":48,"id":503,"component":504,"responsiveStyles":506},"builder-feb4e75029f84c10b6498ef1f8f79128",{"name":380,"tag":380,"options":505,"isRSC":62},{"sectionHeading":29,"customClass":382},{"large":507},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"id":509,"@type":47,"tagName":75,"properties":510,"responsiveStyles":511},"builder-pixel-nvwfex6oqq",{"src":77,"aria-hidden":78,"alt":29,"role":79,"width":68,"height":68},{"large":512},{"height":68,"width":68,"display":82,"opacity":68,"overflow":83,"pointerEvents":84},{"deviceSize":86,"location":514},{"path":29,"query":515},{},{},1776275365038,1757000441666,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8d496cf111644ee5afcc046b72d1ca5a",[],{"kind":402,"winningTest":62,"breakpoints":522,"lastPreviewUrl":523,"hasLinks":6,"originalContentId":223,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"https://pushsecurity.com/uc/browser-extension-security?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=54f8256648f54d439303734b1e69221b&builder.overrides.54f8256648f54d439303734b1e69221b=54f8256648f54d439303734b1e69221b&builder.overrides.use-case-page:/uc/browser-extension-security=54f8256648f54d439303734b1e69221b&builder.options.locale=Default",{"createdDate":525,"id":526,"name":527,"modelId":225,"published":13,"query":528,"data":531,"variations":634,"lastUpdated":635,"firstPublished":636,"testRatio":23,"screenshot":637,"createdBy":92,"lastUpdatedBy":638,"folders":639,"meta":640,"rev":404},1744923509705,"94bebb7bb99d48629ad157e80cf4d81d","Account takeover detection",[529],{"@type":228,"property":229,"operator":230,"value":530},"/uc/account-takeover-detection",{"title":527,"customFonts":532,"jsCode":29,"seoTitle":527,"seoDescription":537,"fontAwesomeIcon":538,"tsCode":29,"blocks":539,"url":530,"state":631},[533],{"kind":237,"category":259,"variants":534,"menu":260,"files":535,"family":236,"subsets":536,"version":238,"lastModified":239},[265,266,267,268,269,270,72,271,272,273,274,275,276,277,278,279,280,281],{"100":241,"200":242,"300":243,"500":244,"600":245,"700":246,"800":247,"900":248,"300italic":257,"500italic":256,"800italic":249,"700italic":251,"italic":253,"900italic":250,"600italic":258,"200italic":255,"regular":254,"100italic":252},[262,263],"Stop ATO with stolen credential and compromised token detection.","faUserSecret",[540,626],{"@type":47,"@version":48,"tagName":287,"id":541,"meta":542,"children":543},"builder-e7913a774cae44c5a23d6081c5c30a52",{"previousId":288},[544,560,567,574,583,593,603,613,620],{"@type":47,"@version":48,"id":545,"meta":546,"component":547,"responsiveStyles":558},"builder-f1f1ab1601bc4c0f8c2a8aafd173675d",{"previousId":292},{"name":291,"options":548,"isRSC":62},{"title":527,"description":549,"points":550,"video":557},"\u003Cp>Attackers don’t need to phish, they just need a password that works. Push monitors for signs of credential-based attacks in real time, directly in the browser, catching account takeover attempts before the damage spreads. From ghost logins to credential stuffing, Push cuts off the paths attackers use to quietly slip in the back door.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[551,553,555],{"item":552},"Identify credential-based ATO as it unfolds",{"item":554},"Surface hijacked sessions and token misuse",{"item":556},"Strengthen authentication where your IdP can’t","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb4dd9db24bc9495b8a686b1b4d492016%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=b4dd9db24bc9495b8a686b1b4d492016&alt=media&optimized=true",{"large":559},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"backgroundColor":306},{"@type":47,"@version":48,"id":561,"meta":562,"component":563,"responsiveStyles":565},"builder-0bc0d1c78ece4994993c3a6427a4d533",{"previousId":308},{"name":310,"options":564,"isRSC":62},{"AllPartners":34,"backgroundTransparent":6},{"large":566},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"backgroundColor":314},{"@type":47,"@version":48,"id":568,"meta":569,"component":570,"responsiveStyles":572},"builder-e45de8f3768c4f16938dbf78e4e87524",{"previousId":316},{"name":318,"options":571,"isRSC":62},{"darkMode":34},{"large":573},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"@type":47,"@version":48,"id":575,"component":576,"responsiveStyles":581},"builder-c98e8bfd341146c1b67c02d5698ff093",{"name":323,"tag":323,"options":577,"isRSC":62},{"darkMode":6,"maxWidth":327,"maxTextWidth":328,"title":578,"description":579,"image":580,"reverse":6},"\u003Ch2>Assume less. See more.\u003C/h2>","\u003Cp>Most account takeovers don’t start with a breach, they start with a login. Whether it’s a reused password, a local account, or an outdated login flow, Push shows you how accounts are actually accessed day to day, not just how policies say they should be. That means no more blind spots around ghost logins, bypassed SSO, or stale access paths that quietly persist.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F18630ad2746d4eb7b7fcc0428b11a8f0",{"large":582},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"@type":47,"@version":48,"id":584,"meta":585,"component":586,"responsiveStyles":591},"builder-55c1fc38ddc04fd1a0d6a8e2fb819e00",{"previousId":335},{"name":337,"options":587,"isRSC":62},{"darkMode":6,"maxWidth":327,"imageMaxWidth":339,"textPaddingTop":340,"title":588,"description":589,"reverse":34,"image":590},"\u003Ch2>Catch stolen credential use in real time\u003C/h2>","\u003Cp>Push monitors login activity directly in the browser to detect signs of credential-based attacks like leaked password use or suspicious login flows. By analyzing attacker TTPs instead of relying on known indicators, Push spots credential stuffing and account takeover attempts the moment they begin, not after they’ve succeeded.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F52b0123cac2c4dfdb1dc0af6adf9d603",{"large":592},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"fontFamily":346,"paddingTop":348,"marginTop":348},{"@type":47,"@version":48,"id":594,"meta":595,"component":596,"responsiveStyles":601},"builder-dfb31737b30948c6b95323655d571a50",{"previousId":350},{"name":337,"options":597,"isRSC":62},{"darkMode":6,"maxWidth":327,"imageMaxWidth":339,"textPaddingTop":353,"title":598,"description":599,"reverse":6,"image":600},"\u003Ch2>Detect session hijacks and stealth access\u003C/h2>","\u003Cp>Attackers don’t always need a login screen, they often sidestep it entirely using stolen session tokens. Push detects when valid sessions are reused in unexpected ways, identifying hijacked sessions and stealth access attempts that traditional tools miss. Because we monitor directly in the browser, you see what’s happening inside active sessions in real time.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F94a6859a99e04d309ffe5841f3dbdf5c",{"large":602},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"paddingTop":359},{"@type":47,"@version":48,"layerName":337,"id":604,"meta":605,"component":606,"responsiveStyles":611},"builder-f7585b90eb974d03a7dc7eae5b58d227",{"previousId":361},{"name":337,"options":607,"isRSC":62},{"darkMode":6,"maxWidth":327,"imageMaxWidth":339,"textPaddingTop":364,"title":608,"description":609,"reverse":34,"image":610},"\u003Ch2>Harden accounts before they’re compromised\u003C/h2>","\u003Cp>Push goes beyond alerts. It identifies apps that still allow local logins, even when SSO is configured, so you can remove weak access paths. Push also flags users without MFA, reused work credentials, or weak passwords, and prompts users in-browser to fix risky behaviors before they’re exploited.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01c1b638f1b6497093a4f2b8ceddb5bb",{"large":612},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"paddingTop":370},{"@type":47,"@version":48,"id":614,"meta":615,"component":616,"responsiveStyles":618},"builder-ad81d1e3afec49a791214194eae09bdc",{"previousId":372},{"name":318,"options":617,"isRSC":62},{"darkMode":6},{"large":619},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"@type":47,"@version":48,"id":621,"component":622,"responsiveStyles":624},"builder-8dac1aa4b9d148628d92252bd8eff822",{"name":380,"tag":380,"options":623,"isRSC":62},{"sectionHeading":29,"customClass":382},{"large":625},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"id":627,"@type":47,"tagName":75,"properties":628,"responsiveStyles":629},"builder-pixel-btsbbovxynt",{"src":77,"aria-hidden":78,"alt":29,"role":79,"width":68,"height":68},{"large":630},{"height":68,"width":68,"display":82,"opacity":68,"overflow":83,"pointerEvents":84},{"deviceSize":86,"location":632},{"path":29,"query":633},{},{},1770892814499,1745499162732,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F58b660fa94aa4b30b0faeb9b663ae41a","SfUPqW5tkibIPby49keNFMdHFTr1",[],{"lastPreviewUrl":641,"hasLinks":6,"originalContentId":223,"breakpoints":642,"winningTest":62,"kind":402,"hasAutosaves":34,"hasErrors":6},"https://pushsecurity.com/uc/account-takeover-detection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.94bebb7bb99d48629ad157e80cf4d81d=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.use-case-page:/uc/account-takeover-detection=94bebb7bb99d48629ad157e80cf4d81d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},{"createdDate":644,"id":645,"name":646,"modelId":225,"published":13,"query":647,"data":650,"variations":753,"lastUpdated":754,"firstPublished":755,"testRatio":23,"screenshot":756,"createdBy":92,"lastUpdatedBy":638,"folders":757,"meta":758,"rev":404},1745009370904,"23eb48fb56d3451cab77cb6ed140ee6d","Attack path hardening",[648],{"@type":228,"property":229,"operator":230,"value":649},"/uc/attack-path-hardening",{"tsCode":29,"seoDescription":651,"jsCode":29,"customFonts":652,"fontAwesomeIcon":657,"seoTitle":646,"title":646,"blocks":658,"url":649,"state":750},"Harden access paths with visibility,  detection, and guardrails.",[653],{"kind":237,"files":654,"version":238,"lastModified":239,"subsets":655,"menu":260,"category":259,"variants":656,"family":236},{"100":241,"200":242,"300":243,"500":244,"600":245,"700":246,"800":247,"900":248,"regular":254,"italic":253,"800italic":249,"500italic":256,"600italic":258,"200italic":255,"900italic":250,"700italic":251,"100italic":252,"300italic":257},[262,263],[265,266,267,268,269,270,72,271,272,273,274,275,276,277,278,279,280,281],"faRadar",[659,745],{"@type":47,"@version":48,"tagName":287,"id":660,"meta":661,"children":662},"builder-1d8553eddcaa44d7bba9e2f4ca13af2a",{"previousId":541},[663,679,686,693,702,712,722,732,739],{"@type":47,"@version":48,"id":664,"meta":665,"component":666,"responsiveStyles":677},"builder-84fe3d7c85a743cf8cef649aa974f1ef",{"previousId":545},{"name":291,"options":667,"isRSC":62},{"title":646,"description":668,"points":669,"video":676},"\u003Cp>Push continuously monitors your environment for exposed login paths, weak credentials, and missing protections like MFA. It detects the gaps attackers exploit and helps you close them before they’re used.\u003C/p>",[670,672,674],{"item":671},"Find weak spots like reused passwords, local logins, and missing MFA",{"item":673},"Monitor how users actually log in across apps, flows, and tools",{"item":675},"Enforce secure access with in-browser guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fdbdcf52892034f1bbddded77f753a343%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=dbdcf52892034f1bbddded77f753a343&alt=media&optimized=true",{"large":678},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"backgroundColor":306},{"@type":47,"@version":48,"id":680,"meta":681,"component":682,"responsiveStyles":684},"builder-b3f66f5b08054cc78a06fecfc3ae2337",{"previousId":561},{"name":310,"options":683,"isRSC":62},{"AllPartners":34,"backgroundTransparent":6},{"large":685},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"backgroundColor":314},{"@type":47,"@version":48,"id":687,"meta":688,"component":689,"responsiveStyles":691},"builder-4c73418b84be49ed85e6e13d2625c5a0",{"previousId":568},{"name":318,"options":690,"isRSC":62},{"darkMode":34},{"large":692},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"@type":47,"@version":48,"id":694,"component":695,"responsiveStyles":700},"builder-dec0246085e1485c803f7152b1922a81",{"name":323,"tag":323,"options":696,"isRSC":62},{"darkMode":6,"maxWidth":327,"maxTextWidth":328,"title":697,"description":698,"image":699,"reverse":6},"\u003Ch2>Find the gaps that lead to compromise\u003C/h2>","\u003Cp>Misconfigurations don’t show up in your config files, they show up in how users actually access apps. Push monitors real login behavior in the browser, surfacing risky patterns like local login access, duplicate accounts, or missing protections that leave doors wide open.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F309a59bba8d247a19476bb369397460e",{"large":701},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"@type":47,"@version":48,"id":703,"meta":704,"component":705,"responsiveStyles":710},"builder-ebf049a645604a249550996a88f8f3b6",{"previousId":584},{"name":337,"options":706,"isRSC":62},{"darkMode":6,"maxWidth":327,"imageMaxWidth":339,"textPaddingTop":340,"title":707,"description":708,"reverse":34,"image":709},"\u003Ch2>See real login behavior\u003C/h2>","\u003Cp>Push watches authentication flows as they happen, giving you a live view of how users log in, which methods they choose, and where protections like MFA are missing. Plus, uncover every app and account in use, even shadow IT you didn’t know existed, without relying on stale config files or IdP assumptions. \u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb51f6b0357cc451b87a7a5016d984e5e",{"large":711},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"fontFamily":346,"paddingTop":347,"marginTop":348},{"@type":47,"@version":48,"id":713,"meta":714,"component":715,"responsiveStyles":720},"builder-431d175c59004669b0b2776b07d71737",{"previousId":594},{"name":337,"options":716,"isRSC":62},{"darkMode":6,"maxWidth":327,"imageMaxWidth":339,"textPaddingTop":353,"title":717,"description":718,"reverse":6,"image":719},"\u003Ch2>Find and fix posture drift\u003C/h2>","\u003Cp>Security posture isn’t static. Push continuously monitors for issues like missing MFA or legacy login methods. When something falls out of policy, you know immediately with custom notifications so you can act before it turns into risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F324e39127dfc41e592b1183dfb39892d",{"large":721},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"paddingTop":359},{"@type":47,"@version":48,"layerName":337,"id":723,"meta":724,"component":725,"responsiveStyles":730},"builder-3dffdcbe0a484e2ca4c03f019b6d40ee",{"previousId":604},{"name":337,"options":726,"isRSC":62},{"darkMode":6,"maxWidth":327,"imageMaxWidth":339,"textPaddingTop":364,"title":727,"description":728,"reverse":34,"image":729},"\u003Ch2>Guide users with in-browser guardrails\u003C/h2>","\u003Cp>Push doesn’t just surface problems, it helps you fix them. When users sign in without MFA, reuse a password, or use insecure credentials, Push prompts them directly in the browser to secure their access. It’s faster, more effective, and actually gets results.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fee8b75d13e45488aba55434a8b49ebb0",{"large":731},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"paddingTop":370},{"@type":47,"@version":48,"id":733,"meta":734,"component":735,"responsiveStyles":737},"builder-976bc222cd7647ff905f1e01cfedc453",{"previousId":614},{"name":318,"options":736,"isRSC":62},{"darkMode":6},{"large":738},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"@type":47,"@version":48,"id":740,"component":741,"responsiveStyles":743},"builder-8c47ec2fd0f74382bb3e6c870555632c",{"name":380,"tag":380,"options":742,"isRSC":62},{"sectionHeading":29,"customClass":382},{"large":744},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"id":746,"@type":47,"tagName":75,"properties":747,"responsiveStyles":748},"builder-pixel-0c8xawitq8wi",{"src":77,"aria-hidden":78,"alt":29,"role":79,"width":68,"height":68},{"large":749},{"height":68,"width":68,"display":82,"opacity":68,"overflow":83,"pointerEvents":84},{"deviceSize":86,"location":751},{"path":29,"query":752},{},{},1770892844854,1745499166112,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6ca12bf728a045f1a31d40c0beb3bfe5",[],{"kind":402,"lastPreviewUrl":759,"breakpoints":760,"hasLinks":6,"originalContentId":526,"winningTest":62,"hasAutosaves":34},"https://pushsecurity.com/uc/attack-path-hardening?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.23eb48fb56d3451cab77cb6ed140ee6d=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.use-case-page:/uc/attack-path-hardening=23eb48fb56d3451cab77cb6ed140ee6d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},{"createdDate":762,"id":763,"name":764,"modelId":225,"published":13,"query":765,"data":768,"variations":873,"lastUpdated":874,"firstPublished":875,"testRatio":23,"screenshot":876,"createdBy":92,"lastUpdatedBy":638,"folders":877,"meta":878,"rev":404},1761675020232,"ea4f309d2ffe46c5aa97ebf0fda4e2e3","ClickFix Protection",[766],{"@type":228,"property":229,"operator":230,"value":767},"/uc/clickfix-protection",{"seoDescription":769,"fontAwesomeIcon":770,"customFonts":771,"seoTitle":776,"jsCode":29,"tsCode":29,"title":776,"blocks":777,"url":767,"state":870},"Block attacks that trick users into running malicious code.","faLaptopCode",[772],{"files":773,"subsets":774,"menu":260,"version":238,"kind":237,"family":236,"lastModified":239,"variants":775,"category":259},{"100":241,"200":242,"300":243,"500":244,"600":245,"700":246,"800":247,"900":248,"200italic":255,"800italic":249,"700italic":251,"600italic":258,"100italic":252,"italic":253,"regular":254,"300italic":257,"500italic":256,"900italic":250},[262,263],[265,266,267,268,269,270,72,271,272,273,274,275,276,277,278,279,280,281],"ClickFix protection",[778,865],{"@type":47,"@version":48,"tagName":287,"id":779,"meta":780,"children":781},"builder-d7eefdde0f2a4b2b9de3dcb2978fd6cb",{"previousId":660},[782,798,805,812,822,832,842,852,859],{"@type":47,"@version":48,"id":783,"meta":784,"component":785,"responsiveStyles":796},"builder-56e2c54bcce040a4af8b92ae03706c12",{"previousId":664},{"name":291,"options":786,"isRSC":62},{"title":776,"description":787,"points":788,"image":795},"\u003Cp>ClickFix attacks are one of the fastest-growing threats, tricking users into copying malicious code from a webpage and running it locally. This technique bypasses traditional EDR, email gateways, and network filters, leading directly to ransomware and data theft. Push stops this attack at the source, in the browser, by detecting and blocking the malicious behavior before the user can ever paste the code.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[789,791,793],{"item":790},"Detect ClickFix, FileFix, and fake CAPTCHA in the browser",{"item":792},"Block malicious copy-and-paste actions before code is executed",{"item":794},"See full telemetry into which users were targeted and what they saw","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b74af62889847ebb3927364485b0546",{"large":797},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"backgroundColor":306},{"@type":47,"@version":48,"id":799,"meta":800,"component":801,"responsiveStyles":803},"builder-05f9614d4e3e4dc88b3ee8658f54e10e",{"previousId":680},{"name":310,"options":802,"isRSC":62},{"AllPartners":34,"backgroundTransparent":6},{"large":804},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"backgroundColor":314},{"@type":47,"@version":48,"id":806,"meta":807,"component":808,"responsiveStyles":810},"builder-c4fb5179366243c1b6c32d368675cf47",{"previousId":687},{"name":318,"options":809,"isRSC":62},{"darkMode":34},{"large":811},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"@type":47,"@version":48,"id":813,"meta":814,"component":815,"responsiveStyles":820},"builder-261af50705fd445d8cca4a6ba20d5391",{"previousId":694},{"name":323,"tag":323,"options":816,"isRSC":62},{"darkMode":6,"maxWidth":327,"maxTextWidth":328,"title":817,"description":818,"reverse":6,"image":819},"\u003Ch2>Stop ClickFix-style attacks before they become a breach\u003C/h2>","\u003Cp>Traditional security tools are blind to malicious copy and paste attacks because the attack exploits a gap between the browser and the endpoint. EDR only sees the payload after it runs, and network tools see only part of the picture.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F98b2f7e08dec4eafaf8e24937605b8cf",{"large":821},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"@type":47,"@version":48,"id":823,"meta":824,"component":825,"responsiveStyles":830},"builder-7d21b8aab8064c40b1e5dd23c4749309",{"previousId":703},{"name":337,"options":826,"isRSC":62},{"darkMode":6,"maxWidth":327,"imageMaxWidth":339,"textPaddingTop":340,"title":827,"description":828,"reverse":34,"image":829},"\u003Ch2>Discover lures at the source\u003C/h2>","\u003Cp>Push inspects page behavior to identify ClickFix attacks as they happen. By inspecting the page, its structure, and how the user interacts with it, Push can detect and block these in-browser threats in real time. This deep, TTP-based inspection spots the trap even on novel pages that are built to bypass traditional web filters and blocklists.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F665bf47e01544c75bf9ddafd3917927b",{"large":831},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"fontFamily":346,"paddingTop":347,"marginTop":348},{"@type":47,"@version":48,"id":833,"meta":834,"component":835,"responsiveStyles":840},"builder-fb91943adf6149259ed9e1e6566c9afe",{"previousId":713},{"name":337,"options":836,"isRSC":62},{"darkMode":6,"maxWidth":327,"imageMaxWidth":339,"textPaddingTop":353,"title":837,"description":838,"reverse":6,"image":839},"\u003Ch2>Block the malicious action\u003C/h2>","\u003Cp>When Push detects a malicious script, it intercepts the user's action and blocks the code from being copied to the clipboard. The user is protected, the attack is stopped, and no malicious code ever reaches the endpoint. Unlike broad DLP tools, this action is surgical, targeting only malicious behavior without disrupting normal work.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F5ee68f81f1ac416685cbfe91298cf827",{"large":841},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"paddingTop":359},{"@type":47,"@version":48,"layerName":337,"id":843,"meta":844,"component":845,"responsiveStyles":850},"builder-bfac95fada864e5a8259b955b5b5f98b",{"previousId":723},{"name":337,"options":846,"isRSC":62},{"darkMode":6,"maxWidth":327,"imageMaxWidth":339,"textPaddingTop":364,"title":847,"description":848,"reverse":34,"image":849},"\u003Ch2>Accelerate ClickFix investigations\u003C/h2>","\u003Cp>When an attack happens, knowing what the user saw or did is critical. Push provides rich browser session data for rapid investigation and containment. Security teams get detailed telemetry on which users were targeted, what lure they were served, and when the block occurred. This enables defenders to reconstruct what happened and respond quickly, even when other tools miss the activity entirely.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6cdf2a8aeddc4e9a9023cbf974e40239",{"large":851},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"paddingTop":370},{"@type":47,"@version":48,"id":853,"meta":854,"component":855,"responsiveStyles":857},"builder-136892e831684a6987f87d3be67c33d1",{"previousId":733},{"name":318,"options":856,"isRSC":62},{"darkMode":6},{"large":858},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"@type":47,"@version":48,"id":860,"component":861,"responsiveStyles":863},"builder-dec26b739f2f42beb5a73cfc6c675b60",{"name":380,"tag":380,"options":862,"isRSC":62},{"sectionHeading":29,"customClass":382},{"large":864},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"id":866,"@type":47,"tagName":75,"properties":867,"responsiveStyles":868},"builder-pixel-x6do08ri7rb",{"src":77,"aria-hidden":78,"alt":29,"role":79,"width":68,"height":68},{"large":869},{"height":68,"width":68,"display":82,"opacity":68,"overflow":83,"pointerEvents":84},{"deviceSize":86,"location":871},{"path":29,"query":872},{},{},1770892881888,1761847585203,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F375467b8bef34ed1a8a1cc5b8b67d75f",[],{"lastPreviewUrl":879,"originalContentId":645,"winningTest":62,"hasLinks":6,"kind":402,"breakpoints":880,"hasAutosaves":6},"https://pushsecurity.com/uc/clickfix-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.ea4f309d2ffe46c5aa97ebf0fda4e2e3=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.use-case-page:/uc/clickfix-protection=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},{"createdDate":882,"id":883,"name":884,"modelId":225,"published":13,"query":885,"data":888,"variations":993,"lastUpdated":994,"firstPublished":995,"testRatio":23,"screenshot":996,"createdBy":92,"lastUpdatedBy":638,"folders":997,"meta":998,"rev":404},1745009743870,"a9d5556e77f84a37b5bd52310a7110c1","Incident response",[886],{"@type":228,"property":229,"operator":230,"value":887},"/uc/incident-response",{"seoDescription":889,"customFonts":890,"title":884,"jsCode":29,"fontAwesomeIcon":895,"seoTitle":896,"tsCode":29,"blocks":897,"url":887,"state":990},"Investigate and respond faster with unique browser telemetry.",[891],{"kind":237,"subsets":892,"menu":260,"variants":893,"category":259,"family":236,"version":238,"lastModified":239,"files":894},[262,263],[265,266,267,268,269,270,72,271,272,273,274,275,276,277,278,279,280,281],{"100":241,"200":242,"300":243,"500":244,"600":245,"700":246,"800":247,"900":248,"900italic":250,"600italic":258,"200italic":255,"300italic":257,"100italic":252,"700italic":251,"800italic":249,"regular":254,"italic":253,"500italic":256},"faSatelliteDish","Browser based incident response",[898,985],{"@type":47,"@version":48,"tagName":287,"id":899,"meta":900,"children":901},"builder-653c4aed737b4def88dc4cd2d695660a",{"previousId":660},[902,919,926,933,942,952,962,972,979],{"@type":47,"@version":48,"id":903,"meta":904,"component":905,"responsiveStyles":917},"builder-18190bd36518467d9154d27d7e945b9b",{"previousId":664},{"name":291,"options":906,"isRSC":62},{"title":907,"description":908,"points":909,"video":916},"Browser-based incident response","\u003Cp>Push gives you real-time visibility into what actually happened during a breach, right in the browser where the attack played out. From credential theft to session hijacking, Push captures high-fidelity telemetry so you can investigate quickly, contain confidently, and shut it down before it spreads.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[910,912,914],{"item":911},"Reconstruct what happened with real browser session context",{"item":913},"Investigate faster with real-world session context",{"item":915},"Trigger response actions automatically through your SIEM or SOAR","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fd00e39d3b6e346c296261d875cf55652%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=d00e39d3b6e346c296261d875cf55652&alt=media&optimized=true",{"large":918},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"backgroundColor":306},{"@type":47,"@version":48,"id":920,"meta":921,"component":922,"responsiveStyles":924},"builder-8a0a8ea63f5d48dd8a6726f2d49cf0ca",{"previousId":680},{"name":310,"options":923,"isRSC":62},{"AllPartners":34,"backgroundTransparent":6},{"large":925},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"backgroundColor":314},{"@type":47,"@version":48,"id":927,"meta":928,"component":929,"responsiveStyles":931},"builder-2df65c3f54334df2b26e7cb744886cdc",{"previousId":687},{"name":318,"options":930,"isRSC":62},{"darkMode":34},{"large":932},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"@type":47,"@version":48,"id":934,"component":935,"responsiveStyles":940},"builder-2c32c869efc2423ab69ef06b150e9f97",{"name":323,"tag":323,"options":936,"isRSC":62},{"darkMode":6,"maxWidth":327,"maxTextWidth":328,"title":937,"description":938,"image":939,"reverse":6},"\u003Ch2>See attacks unfold, not just their aftermath\u003C/h2>","\u003Cp>Attacks happen in the browser, not in logs. Push captures what traditional tools miss: what users clicked, what loaded, what was entered, and how attackers moved. That gives you real-world evidence, not just assumptions, when every second matters.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F36fc719bd1de4a38b916f4d25c81a26d",{"large":941},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"@type":47,"@version":48,"id":943,"meta":944,"component":945,"responsiveStyles":950},"builder-370e53c6016e432db01e9193a2ce90f6",{"previousId":703},{"name":337,"options":946,"isRSC":62},{"darkMode":6,"maxWidth":327,"imageMaxWidth":339,"textPaddingTop":340,"title":947,"description":948,"reverse":34,"image":949},"\u003Ch2>Investigate faster with high-fidelity data\u003C/h2>","\u003Cp>Reconstructing an incident shouldn’t feel like guesswork. Push records detailed telemetry from inside the browser: page loads, credential inputs, DOM changes, session activity, user behavior. It’s structured, exportable, and ready to plug into your investigation workflows, so you can move fast without digging through proxy logs or relying on user reports.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa6adda040e684e67a8d68a55c5ce5f6d",{"large":951},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"fontFamily":346,"paddingTop":348,"marginTop":348},{"@type":47,"@version":48,"id":953,"meta":954,"component":955,"responsiveStyles":960},"builder-a7f3767a8d184bd08fb24520bf210e95",{"previousId":713},{"name":337,"options":956,"isRSC":62},{"darkMode":6,"maxWidth":327,"imageMaxWidth":339,"textPaddingTop":353,"title":957,"description":958,"reverse":6,"image":959},"\u003Ch2>Contain and respond in real time\u003C/h2>","\u003Cp>When something looks off, Push doesn’t just alert you, it gives you options. Guide users with in-browser prompts. Terminate sessions. Trigger SOAR workflows. Enrich SIEM alerts. Push gives you the context and control to stop spread before it starts.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb3dedeed5aba4847a2c2d22e10d0ec12",{"large":961},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"paddingTop":359},{"@type":47,"@version":48,"layerName":337,"id":963,"meta":964,"component":965,"responsiveStyles":970},"builder-b92036ee0ece4b32acdbdcc7c377366b",{"previousId":723},{"name":337,"options":966,"isRSC":62},{"darkMode":6,"maxWidth":327,"imageMaxWidth":339,"textPaddingTop":364,"title":967,"description":968,"reverse":34,"image":969},"\u003Ch2>Prevent the next one\u003C/h2>","\u003Cp>Push helps you respond fast, but it also helps you fix what went wrong. It surfaces misconfigurations and risky behaviors that made the attack possible in the first place, then guides users in-browser to remediate. One tool. Full loop. No loose ends.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc1ecc2d5d3814b62b072fac01827ff96",{"large":971},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"paddingTop":370},{"@type":47,"@version":48,"id":973,"meta":974,"component":975,"responsiveStyles":977},"builder-5e8ae39655274de89da32ab573a2525a",{"previousId":733},{"name":318,"options":976,"isRSC":62},{"darkMode":6},{"large":978},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"@type":47,"@version":48,"id":980,"component":981,"responsiveStyles":983},"builder-dfd6850cfb4741d2b8a0c16c2780f00a",{"name":380,"tag":380,"options":982,"isRSC":62},{"sectionHeading":29,"customClass":382},{"large":984},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"id":986,"@type":47,"tagName":75,"properties":987,"responsiveStyles":988},"builder-pixel-72p1v8tgtev",{"src":77,"aria-hidden":78,"alt":29,"role":79,"width":68,"height":68},{"large":989},{"height":68,"width":68,"display":82,"opacity":68,"overflow":83,"pointerEvents":84},{"deviceSize":86,"location":991},{"path":29,"query":992},{},{},1770892908052,1745427419274,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb07017bfd318431690a5bb35bda35b99",[],{"kind":402,"breakpoints":999,"originalContentId":645,"winningTest":62,"lastPreviewUrl":1000,"hasLinks":6,"hasAutosaves":34,"hasErrors":6},{"xsmall":31,"small":32,"medium":33},"https://pushsecurity.com/uc/incident-response?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.a9d5556e77f84a37b5bd52310a7110c1=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.use-case-page:/uc/incident-response=a9d5556e77f84a37b5bd52310a7110c1&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"createdDate":1002,"id":1003,"name":1004,"modelId":225,"published":13,"query":1005,"data":1008,"variations":1113,"lastUpdated":1114,"firstPublished":1115,"testRatio":23,"screenshot":1116,"createdBy":92,"lastUpdatedBy":638,"folders":1117,"meta":1118,"rev":404},1746122471259,"5f118e24433d46ceb79f5099987156d7","Shadow SaaS",[1006],{"@type":228,"property":229,"operator":230,"value":1007},"/uc/shadow-saas",{"seoTitle":1009,"seoDescription":1010,"customFonts":1011,"fontAwesomeIcon":1016,"title":1017,"jsCode":29,"tsCode":29,"blocks":1018,"url":1007,"state":1110},"Find and secure shadow SaaS","See and control shadow SaaS in the browser.",[1012],{"kind":237,"variants":1013,"files":1014,"family":236,"version":238,"subsets":1015,"lastModified":239,"category":259,"menu":260},[265,266,267,268,269,270,72,271,272,273,274,275,276,277,278,279,280,281],{"100":241,"200":242,"300":243,"500":244,"600":245,"700":246,"800":247,"900":248,"300italic":257,"500italic":256,"regular":254,"900italic":250,"italic":253,"100italic":252,"200italic":255,"600italic":258,"700italic":251,"800italic":249},[262,263],"faShieldCheck","Secure shadow SaaS",[1019,1105],{"@type":47,"@version":48,"tagName":287,"id":1020,"meta":1021,"children":1022},"builder-04da805c4cd34652a2db452fcda52e1d",{"previousId":899},[1023,1039,1046,1053,1062,1072,1082,1092,1099],{"@type":47,"@version":48,"id":1024,"meta":1025,"component":1026,"responsiveStyles":1037},"builder-830d414faeaf41439142f9157e8288c8",{"previousId":903},{"name":291,"options":1027,"isRSC":62},{"title":1009,"description":1028,"points":1029,"video":1036},"\u003Cp>SaaS sprawl is one of today’s fastest-growing security blind spots because most tools monitor around the edges. Push sees it at the source, in the browser, revealing every app users access, flagging risky tools, and helping you shut down exposure before it leads to a breach. No guesswork. No nasty surprises. Just real-time visibility and control.\u003C/p>",[1030,1032,1034],{"item":1031},"Discover every SaaS app users access, managed or not",{"item":1033},"Spot accounts with weak security postures like missing MFA, unmanaged access, and no SSO",{"item":1035},"Control usage with in-browser prompts, blocks, and security guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F3e4eece318d04d6586e691d59d0741cf%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=3e4eece318d04d6586e691d59d0741cf&alt=media&optimized=true",{"large":1038},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"backgroundColor":306},{"@type":47,"@version":48,"id":1040,"meta":1041,"component":1042,"responsiveStyles":1044},"builder-cd7833f966cb4c7e8adf0d6c979414a6",{"previousId":920},{"name":310,"options":1043,"isRSC":62},{"AllPartners":34,"backgroundTransparent":6},{"large":1045},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"backgroundColor":314},{"@type":47,"@version":48,"id":1047,"meta":1048,"component":1049,"responsiveStyles":1051},"builder-49d720b45430454e8b08c526f267c19f",{"previousId":927},{"name":318,"options":1050,"isRSC":62},{"darkMode":34},{"large":1052},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"@type":47,"@version":48,"id":1054,"component":1055,"responsiveStyles":1060},"builder-3dde0bf6c8544e5e9ab41b18a9d68034",{"name":323,"tag":323,"options":1056,"isRSC":62},{"darkMode":6,"maxWidth":327,"maxTextWidth":328,"title":1057,"description":1058,"image":1059,"reverse":6},"\u003Ch2>Use your browser to curb Saas Sprawl\u003C/h2>","\u003Cp>Shadow SaaS isn’t hiding in your network, it’s in your browser. From AI tools to unsanctioned file-sharing sites, security risks live in the apps your users sign into every day. Push maps your organization's true SaaS footprint in real time, exposing apps and accounts with unmanaged access, poor authentication, or no security oversight.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb6811a214c7949b6bbe0b9a3bca62efd",{"large":1061},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"@type":47,"@version":48,"id":1063,"meta":1064,"component":1065,"responsiveStyles":1070},"builder-e2420451ccdc4f088d0a4904cff45935",{"previousId":943},{"name":337,"options":1066,"isRSC":62},{"darkMode":6,"maxWidth":327,"imageMaxWidth":339,"textPaddingTop":340,"title":1067,"description":1068,"reverse":34,"image":1069},"\u003Ch2>Discover hidden SaaS usage\u003C/h2>","\u003Cp>Push captures live browser telemetry across every tab and session. Whether a user signs into a sanctioned app with a personal account or tries a new AI plugin, you’ll see it in real time, with no integrations or manual tagging.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe16e301f9af94665b95d98232a863d8a",{"large":1071},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"fontFamily":346,"paddingTop":348,"marginTop":348},{"@type":47,"@version":48,"id":1073,"meta":1074,"component":1075,"responsiveStyles":1080},"builder-b36de7fce7994beea9e58d94662e7166",{"previousId":953},{"name":337,"options":1076,"isRSC":62},{"darkMode":6,"maxWidth":327,"imageMaxWidth":339,"textPaddingTop":353,"title":1077,"description":1078,"reverse":6,"image":1079},"\u003Ch2>Spot risky access and unsafe usage\u003C/h2>","\u003Cp>Discovery is just the beginning. Push flags apps with risky traits, no MFA, no SSO, known vulnerabilities, or broad access scopes. You’ll know which tools introduce real risk, and which users are exposed so you can act with precision.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6585f3c242da4d70ae3cb7d02f481bef",{"large":1081},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"paddingTop":359},{"@type":47,"@version":48,"layerName":337,"id":1083,"meta":1084,"component":1085,"responsiveStyles":1090},"builder-dc366b5134684fe7a508edf8913103ea",{"previousId":963},{"name":337,"options":1086,"isRSC":62},{"darkMode":6,"maxWidth":327,"imageMaxWidth":339,"textPaddingTop":364,"title":1087,"description":1088,"reverse":34,"image":1089},"\u003Ch2>Close gaps before they grow\u003C/h2>","\u003Cp>Push turns insight into action. When risky SaaS use is detected, guide users to enable MFA, block high-risk apps, or apply in-browser guardrails automatically. All without deploying new infrastructure or managing dozens of integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe6d60b6d91414819bc6258a318f00557",{"large":1091},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"paddingTop":370},{"@type":47,"@version":48,"id":1093,"meta":1094,"component":1095,"responsiveStyles":1097},"builder-8708f6f0d8da4b3f9e17bf16cda70219",{"previousId":973},{"name":318,"options":1096,"isRSC":62},{"darkMode":6},{"large":1098},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"@type":47,"@version":48,"id":1100,"component":1101,"responsiveStyles":1103},"builder-8ff4b38d60534cf28cb523ab0f754875",{"name":380,"tag":380,"options":1102,"isRSC":62},{"sectionHeading":29,"customClass":382},{"large":1104},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"id":1106,"@type":47,"tagName":75,"properties":1107,"responsiveStyles":1108},"builder-pixel-i9jump5glm9",{"src":77,"aria-hidden":78,"alt":29,"role":79,"width":68,"height":68},{"large":1109},{"height":68,"width":68,"display":82,"opacity":68,"overflow":83,"pointerEvents":84},{"deviceSize":86,"location":1111},{"path":29,"query":1112},{},{},1770892936802,1746714967208,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01bfb2304521412fbd2e1a1180904d40",[],{"originalContentId":883,"winningTest":62,"lastPreviewUrl":1119,"breakpoints":1120,"kind":402,"hasLinks":6,"hasAutosaves":6},"https://pushsecurity.com/uc/shadow-saas?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=5f118e24433d46ceb79f5099987156d7&builder.overrides.5f118e24433d46ceb79f5099987156d7=5f118e24433d46ceb79f5099987156d7&builder.overrides.use-case-page:/uc/shadow-saas=5f118e24433d46ceb79f5099987156d7&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},{"createdDate":1122,"id":1123,"name":1124,"modelId":225,"published":13,"stageModifiedSincePublish":6,"query":1125,"data":1128,"variations":1234,"lastUpdated":1235,"firstPublished":1236,"testRatio":23,"screenshot":1237,"createdBy":92,"lastUpdatedBy":397,"folders":1238,"meta":1239,"rev":404},1764707470172,"b62629ce2f3741158d961cd10fe74b31","Shadow AI",[1126],{"@type":228,"property":229,"operator":230,"value":1127},"/uc/shadow-ai",{"seoTitle":1129,"fontAwesomeIcon":1130,"title":1131,"seoDescription":1132,"customFonts":1133,"tsCode":29,"jsCode":29,"blocks":1138,"url":1127,"state":1231},"Secure AI native and AI enhanced apps. ","faBrainCircuit","Secure AI","See and control AI apps in the browser.",[1134],{"version":238,"files":1135,"kind":237,"family":236,"lastModified":239,"category":259,"variants":1136,"subsets":1137,"menu":260},{"100":241,"200":242,"300":243,"500":244,"600":245,"700":246,"800":247,"900":248,"700italic":251,"100italic":252,"600italic":258,"italic":253,"300italic":257,"200italic":255,"500italic":256,"800italic":249,"900italic":250,"regular":254},[265,266,267,268,269,270,72,271,272,273,274,275,276,277,278,279,280,281],[262,263],[1139,1226],{"@type":47,"@version":48,"tagName":287,"id":1140,"meta":1141,"children":1142},"builder-a6e5717a2c914d5695058e4ee201a05d",{"previousId":1020},[1143,1159,1166,1173,1183,1193,1203,1213,1220],{"@type":47,"@version":48,"id":1144,"meta":1145,"component":1146,"responsiveStyles":1157},"builder-3e0ed678683f4a0eb7aa00253cf263b2",{"previousId":1024},{"name":291,"options":1147,"isRSC":62},{"title":1131,"description":1148,"points":1149,"image":1156},"\u003Cp>Every AI interaction traverses the browser. Employees use GenAI tools, connect AI apps to corporate accounts, and run agentic workflows, often outside security oversight. Push gives security teams the visibility to see what AI is doing across their environment and the controls to intervene before sensitive data leaves or access gets abused.\u003C/p>",[1150,1152,1154],{"item":1151},"Discover every AI tool and agent active across your workforce",{"item":1153},"Detect sensitive data being submitted to AI apps",{"item":1155},"Enforce AI policy directly in the browser","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F33cf153d920f4e389f3650253577cff7",{"large":1158},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"backgroundColor":306},{"@type":47,"@version":48,"id":1160,"meta":1161,"component":1162,"responsiveStyles":1164},"builder-76968f8471d14893b8189d75b08fb426",{"previousId":1040},{"name":310,"options":1163,"isRSC":62},{"AllPartners":34,"backgroundTransparent":6},{"large":1165},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"backgroundColor":314},{"@type":47,"@version":48,"id":1167,"meta":1168,"component":1169,"responsiveStyles":1171},"builder-b55b9d4bc5a649d8839ce7f6c2043d95",{"previousId":1047},{"name":318,"options":1170,"isRSC":62},{"darkMode":34},{"large":1172},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"@type":47,"@version":48,"id":1174,"meta":1175,"component":1176,"responsiveStyles":1181},"builder-c3f38ef4d75d4989a29b5903175ed8a1",{"previousId":1054},{"name":323,"tag":323,"options":1177,"isRSC":62},{"darkMode":6,"maxWidth":327,"maxTextWidth":328,"title":1178,"description":1179,"image":1180,"reverse":6},"\u003Ch2>The browser is where AI lives\u003C/h2>","\u003Cp>AI activity doesn't happen at the network layer or the endpoint. It happens in the browser, where employees interact with AI tools, where agents execute tasks, and where sensitive data gets submitted to external services. Push captures live telemetry from inside the browser session, identifying every AI-native and AI-enhanced application in use. \u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F30b43bda6f1644c19478fb1efa20050c",{"large":1182},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"@type":47,"@version":48,"id":1184,"meta":1185,"component":1186,"responsiveStyles":1191},"builder-90ee9cb9afc44e7f885523715bf51a53",{"previousId":1063},{"name":337,"options":1187,"isRSC":62},{"darkMode":6,"maxWidth":327,"imageMaxWidth":339,"textPaddingTop":340,"title":1188,"description":1189,"reverse":34,"image":1190},"\u003Ch2>Discover every AI tool users touch\u003C/h2>","\u003Cp>Most organisations are using far more AI than they've approved. Push identifies every AI-native and AI-enhanced application accessed across the workforce, which corporate identities are connected, and what new tools appear in the environment. Applications are categorized by risk and policy status so security teams can prioritize exposure before it becomes an incident.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F636e65ad0c4c43faa3e626c41e90d8a3",{"large":1192},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"fontFamily":346,"paddingTop":348,"marginTop":348},{"@type":47,"@version":48,"id":1194,"meta":1195,"component":1196,"responsiveStyles":1201},"builder-9e44539fa53c4d8e87406036c921fc46",{"previousId":1073},{"name":337,"options":1197,"isRSC":62},{"darkMode":6,"maxWidth":327,"imageMaxWidth":339,"textPaddingTop":353,"title":1198,"description":1199,"reverse":6,"image":1200},"\u003Ch2>Prevent sensitive data from reaching the wrong AI tools\u003C/h2>","\u003Cp>Employees paste credentials, customer data, and internal documents into AI tools without realizing the risk. Push detects sensitive data interactions in the browser in real time, including file uploads, clipboard activity, and form submissions to unsanctioned or high-risk AI applications. Controls can be applied to warn users, require policy acknowledgment, or block the interaction entirely.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F011332d42dab4a299f25ab3847741ed9",{"large":1202},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"paddingTop":359},{"@type":47,"@version":48,"layerName":337,"id":1204,"meta":1205,"component":1206,"responsiveStyles":1211},"builder-44c1a891926f4bdeaaa37e90721fe6ac",{"previousId":1083},{"name":337,"options":1207,"isRSC":62},{"darkMode":6,"maxWidth":327,"imageMaxWidth":339,"textPaddingTop":364,"title":1208,"description":1209,"reverse":34,"image":1210},"\u003Ch2>Govern agentic AI permissions and activity\u003C/h2>","\u003Cp>AI agents operating in the browser can access applications, execute actions, and handle data on behalf of users, often with permissions that were never explicitly reviewed. Push surfaces agentic permissions and data flows so security teams can see what agents are doing, where they have access, and apply controls before that access is exploited or abused.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F71549a73d0b84f1c8cb151c05e493e8d",{"large":1212},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"paddingTop":370},{"@type":47,"@version":48,"id":1214,"meta":1215,"component":1216,"responsiveStyles":1218},"builder-dcc906f9cbe54dc68b3c672668e7a38f",{"previousId":1093},{"name":318,"options":1217,"isRSC":62},{"darkMode":6},{"large":1219},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"@type":47,"@version":48,"id":1221,"component":1222,"responsiveStyles":1224},"builder-d2d64780c31b4349bc75805b23a07e38",{"name":380,"tag":380,"options":1223,"isRSC":62},{"sectionHeading":29,"customClass":382},{"large":1225},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"id":1227,"@type":47,"tagName":75,"properties":1228,"responsiveStyles":1229},"builder-pixel-n3jbwe8o8f",{"src":77,"aria-hidden":78,"alt":29,"role":79,"width":68,"height":68},{"large":1230},{"height":68,"width":68,"display":82,"opacity":68,"overflow":83,"pointerEvents":84},{"deviceSize":86,"location":1232},{"path":29,"query":1233},{},{},1778073860450,1764950077593,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F9b4d5666fc9e495a9a8de4258975cd9f",[],{"lastPreviewUrl":1240,"hasLinks":6,"originalContentId":1003,"winningTest":62,"breakpoints":1241,"kind":402,"hasAutosaves":6,"hasErrors":6},"https://pushsecurity.com/uc/shadow-ai?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=b62629ce2f3741158d961cd10fe74b31&builder.overrides.b62629ce2f3741158d961cd10fe74b31=b62629ce2f3741158d961cd10fe74b31&builder.overrides.use-case-page:/uc/shadow-ai=b62629ce2f3741158d961cd10fe74b31&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},{"w":1243,"h":1244,"d":1245},448,512,"M280.4 48c-3.2 0-6.3 .5-9.3 1.4L206.6 69.2C136.1 90.9 88 156.1 88 229.8l0 42.9c22.7 3.8 40 23.6 40 47.3l0 144c0 26.5-21.5 48-48 48l-32 0c-26.5 0-48-21.5-48-48L0 320c0-23.8 17.3-43.5 40-47.3l0-42.9C40 135 101.8 51.2 192.5 23.4L256.9 3.5c7.6-2.3 15.5-3.5 23.4-3.5 44 0 79.6 35.7 79.6 79.6l0 56.4c0 13.3-10.7 24-24 24s-24-10.7-24-24l0-56.4C312 62.2 297.8 48 280.4 48zM48 320l0 144 32 0 0-144-32 0zm208 24c0-71.6 55.6-127.8 89-148.1 4.3-2.6 9.6-2.6 14 0 33.5 20.3 89 76.6 89 148.1 0 32-16 80-64 112l27.3 27.3c3 3 4.7 7.1 4.7 11.3l0 1.4c0 8.8-7.2 16-16 16l-96 0c-8.8 0-16-7.2-16-16l0-1.4c0-4.2 1.7-8.3 4.7-11.3L320 456c-48-32-64-80-64-112zm128-32a24 24 0 1 0 -48 0 24 24 0 1 0 48 0z",{"w":1244,"h":1244,"d":1247},"M201.1 57.3c-7 5.3-9.1 10.7-9.1 14.7 0 4.2 2.4 10.1 10.4 15.6 7.8 5.3 13.6 14.6 13.6 25.6 0 17-13.8 30.7-30.7 30.7L56 144c-4.4 0-8 3.6-8 8l0 52.5c7.4-2.9 15.5-4.5 24-4.5 43.1 0 72 39.4 72 80s-28.9 80-72 80c-8.5 0-16.6-1.6-24-4.5L48 456c0 4.4 3.6 8 8 8l100.5 0c-2.9-7.4-4.5-15.5-4.5-24 0-43.1 39.4-72 80-72s80 28.9 80 72c0 8.5-1.6 16.6-4.5 24l52.5 0c4.4 0 8-3.6 8-8l0-129.3c0-17 13.8-30.7 30.7-30.7 11.1 0 20.3 5.8 25.6 13.6 5.5 8 11.4 10.4 15.6 10.4 4 0 9.5-2.1 14.7-9.1s9.3-17.9 9.3-30.9-4-23.8-9.3-30.9-10.7-9.1-14.7-9.1c-4.2 0-10.1 2.4-15.6 10.4-5.3 7.8-14.6 13.6-25.6 13.6-17 0-30.7-13.8-30.7-30.7l0-81.3c0-4.4-3.6-8-8-8l-81.3 0c-17 0-30.7-13.8-30.7-30.7 0-11.1 5.8-20.3 13.6-25.6 8-5.5 10.4-11.4 10.4-15.6 0-4-2.1-9.5-9.1-14.7S245 48 232 48 208.2 52 201.1 57.3zM172.3 18.9C188.5 6.8 209.6 0 232 0S275.5 6.8 291.7 18.9 320 49.5 320 72c0 8.6-1.8 16.7-4.9 24L360 96c30.9 0 56 25.1 56 56l0 44.9c7.3-3.1 15.4-4.9 24-4.9 22.5 0 41 12.2 53.1 28.3s18.9 37.3 18.9 59.7-6.8 43.5-18.9 59.7-30.6 28.3-53.1 28.3c-8.6 0-16.7-1.8-24-4.9l0 92.9c0 30.9-25.1 56-56 56l-78.1 0c-18.7 0-33.9-15.2-33.9-33.9 0-10.1 4.5-18.5 9.9-24.2 4.2-4.3 6.1-9.2 6.1-13.9 0-9.9-10.7-24-32-24s-32 14.1-32 24c0 4.7 1.9 9.5 6.1 13.9 5.5 5.7 9.9 14.1 9.9 24.2 0 18.7-15.2 33.9-33.9 33.9L56 512c-30.9 0-56-25.1-56-56L0 329.9c0-18.7 15.2-33.9 33.9-33.9 10.1 0 18.5 4.5 24.2 9.9 4.3 4.2 9.2 6.1 13.9 6.1 9.9 0 24-10.7 24-32s-14.1-32-24-32c-4.7 0-9.5 1.9-13.9 6.1-5.7 5.5-14.1 9.9-24.2 9.9-18.7 0-33.9-15.2-33.9-33.9L0 152c0-30.9 25.1-56 56-56l92.9 0c-3.1-7.3-4.9-15.4-4.9-24 0-22.5 12.2-41 28.3-53.1z",{"w":1243,"h":1244,"d":1249},"M102.7 96c10.4-53.7 31.9-112 68.3-112 9.6 0 19 3.9 27.5 8.2 8.2 4.1 18.4 7.8 25.5 7.8s17.3-3.7 25.5-7.8c8.5-4.3 17.9-8.2 27.5-8.2 36.4 0 57.8 58.3 68.3 112L376 96c13.3 0 24 10.7 24 24s-10.7 24-24 24l-24 0 0 32c0 17-3.3 33.2-9.3 48l33.3 0c8.1 0 15.6 4 20 10.8s5.2 15.2 2.1 22.6l-31.5 74.2c48.9 31.2 81.4 86 81.4 148.5l0 8c0 13.3-10.7 24-24 24s-24-10.7-24-24l0-8c0-51.4-30.3-95.8-74.1-116.1-11.7-5.5-17-19.2-12-31.2l25.8-60.7-27.7 0c-1.1 0-2.1-.1-3.1-.2-22.6 20-52.3 32.2-84.9 32.2s-62.3-12.2-84.9-32.2c-1 .1-2.1 .2-3.1 .2l-27.7 0 25.8 60.7c5.1 11.9-.2 25.7-12 31.2-43.8 20.4-74.1 64.7-74.1 116.1l0 8c0 13.3-10.7 24-24 24S0 501.3 0 488l0-8c0-62.4 32.5-117.2 81.4-148.5L49.9 257.4c-3.2-7.4-2.4-15.9 2.1-22.6S63.9 224 72 224l33.3 0c-6-14.8-9.3-31-9.3-48l0-32-24 0c-13.3 0-24-10.7-24-24S58.7 96 72 96l30.7 0zm45.9 107c11.1 30.9 40.6 53 75.3 53s64.2-22.1 75.3-53c-5.7 3.2-12.3 5-19.3 5l-12.4 0c-16.5 0-31.1-10.6-36.3-26.2-2.3-7-12.2-7-14.5 0-5.2 15.6-19.9 26.2-36.3 26.2L168 208c-7 0-13.6-1.8-19.3-5zm44.8 133l61 0c9.7 0 17.5 7.8 17.5 17.5 0 4.2-1.5 8.2-4.2 11.4l-27.9 32.5 28.9 82.6c5.5 15.6-6.1 31.9-22.7 31.9l-44.3 0c-16.5 0-28.1-16.3-22.7-31.9l28.9-82.6-27.9-32.5c-2.7-3.2-4.2-7.2-4.2-11.4 0-9.7 7.8-17.5 17.5-17.5z",{"w":1244,"h":1244,"d":1251},"M304.8 173.3c-14.3-8.4-31-13.3-48.8-13.3-53 0-96 43-96 96s43 96 96 96 96-43 96-96l48 0c0 79.5-64.5 144-144 144s-144-64.5-144-144 64.5-144 144-144c31.1 0 59.9 9.9 83.4 26.6l45.7-45.7C349.7 64.8 304.8 48 256 48 141.1 48 48 141.1 48 256s93.1 208 208 208 208-93.1 208-208l48 0c0 141.4-114.6 256-256 256S0 397.4 0 256 114.6 0 256 0c62.1 0 118.9 22.1 163.3 58.8L463 15c9.4-9.4 24.6-9.4 33.9 0s9.4 24.6 0 33.9L273 273c-9.4 9.4-24.6 9.4-33.9 0s-9.4-24.6 0-33.9l65.7-65.7z",{"w":32,"h":1244,"d":1253},"M128 80l384 0c8.8 0 16 7.2 16 16l0 208 48 0 0-208c0-35.3-28.7-64-64-64L128 32C92.7 32 64 60.7 64 96l0 208 48 0 0-208c0-8.8 7.2-16 16-16zM52.8 400l534.4 0c-8.5 18.9-27.5 32-49.6 32l-435.2 0c-22.1 0-41.1-13.1-49.6-32zM25.6 352C11.5 352 0 363.5 0 377.6 0 434.2 45.8 480 102.4 480l435.2 0c56.6 0 102.4-45.8 102.4-102.4 0-14.1-11.5-25.6-25.6-25.6L25.6 352zM281 169c9.4-9.4 9.4-24.6 0-33.9s-24.6-9.4-33.9 0l-48 48c-9.4 9.4-9.4 24.6 0 33.9l48 48c9.4 9.4 24.6 9.4 33.9 0s9.4-24.6 0-33.9l-31-31 31-31zM393 135c-9.4-9.4-24.6-9.4-33.9 0s-9.4 24.6 0 33.9l31 31-31 31c-9.4 9.4-9.4 24.6 0 33.9s24.6 9.4 33.9 0l48-48c9.4-9.4 9.4-24.6 0-33.9l-48-48z",{"w":1244,"h":1244,"d":1255},"M232 0c-13.3 0-24 10.7-24 24s10.7 24 24 24c128.1 0 232 103.9 232 232 0 13.3 10.7 24 24 24s24-10.7 24-24C512 125.4 386.6 0 232 0zM48 256c0-23 3.7-45 10.5-65.6l263 263C301 460.3 279 464 256 464 141.1 464 48 370.9 48 256zM72.8 136.8c-14.1-14.1-37.6-12-46.5 5.8-16.9 34.2-26.4 72.6-26.4 113.3 0 141.4 114.6 256 256 256 40.7 0 79.2-9.5 113.3-26.4 17.9-8.8 19.9-32.4 5.8-46.5L241 305 281 265c9.4-9.4 9.4-24.6 0-33.9s-24.6-9.4-33.9 0L207 271 72.8 136.8zM208 120c0 13.3 10.7 24 24 24 75.1 0 136 60.9 136 136 0 13.3 10.7 24 24 24s24-10.7 24-24c0-101.6-82.4-184-184-184-13.3 0-24 10.7-24 24z",{"w":1244,"h":1244,"d":1257},"M256.1 0c4.6 0 9.2 1 13.3 2.9L457.8 82.8c22 9.3 38.4 31 38.3 57.2-.5 99.2-41.3 280.7-213.6 363.2-16.7 8-36.1 8-52.8 0-172.4-82.5-213.2-263.9-213.7-363.2-.1-26.2 16.3-47.9 38.3-57.2L242.7 2.9C246.8 1 251.4 0 256.1 0zM73.1 127c-5.9 2.5-9.1 7.7-9 12.7 .5 91.4 38.4 249.3 186.4 320.1 3.6 1.7 7.8 1.7 11.3 0 148-70.8 185.9-228.7 186.3-320.1 0-5-3.1-10.2-9-12.7l-183-77.6-183 77.6zm240.3 34.9c7.8-10.7 22.8-13.1 33.5-5.3 10.7 7.8 13.1 22.8 5.3 33.5L249.8 330.9c-4.2 5.7-10.7 9.3-17.8 9.8s-14-2.2-18.9-7.3l-46.4-48c-9.2-9.5-9-24.7 .6-33.9 9.5-9.2 24.7-8.9 33.9 .6l26.5 27.4 85.6-117.7z",{"w":1244,"h":1244,"d":1259},"M123 58.1c9.5-33.5 40.4-58.1 77-58.1 21.8 0 41.6 8.7 56 22.9 14.4-14.1 34.2-22.9 56-22.9 36.6 0 67.4 24.6 77 58.1 47.4 9.7 83 51.6 83 101.9 0 11.3-1.8 22.2-5.1 32.3 22.7 19.1 37.1 47.7 37.1 79.7 0 23.7-8 45.6-21.3 63.1 3.5 10.4 5.3 21.4 5.3 32.9 0 54-41.2 98.5-93.9 103.5-15.6 24.3-42.9 40.5-74.1 40.5-25.2 0-48-10.6-64-27.6-16 17-38.8 27.6-64 27.6-31.1 0-58.4-16.2-74.1-40.5-52.7-5.1-93.9-49.5-93.9-103.5 0-11.5 1.9-22.5 5.3-32.9-13.4-17.5-21.3-39.4-21.3-63.1 0-32 14.5-60.6 37.1-79.7-3.3-10.2-5.1-21.1-5.1-32.3 0-50.3 35.6-92.2 83-101.9zM200 48c-17.7 0-32 14.3-32 32 0 13.3-10.7 24-24 24-30.9 0-56 25.1-56 56 0 10.5 2.9 20.3 7.9 28.6 3.4 5.7 4.3 12.5 2.5 18.9s-6.2 11.7-12 14.7c-18 9.3-30.3 28.1-30.3 49.8 0 16.1 6.8 30.7 17.8 40.9 7.9 7.4 9.9 19.2 4.8 28.8-4.2 7.8-6.5 16.7-6.5 26.3 0 30.9 25.1 56 56 56 1.1 0 2.2 0 3.2-.1 10.3-.6 19.8 5.5 23.6 15 5.9 14.7 20.4 25.1 37.1 25.1 20.4 0 37.2-15.3 39.7-35 .1-.6 .2-1.3 .3-1.9l0-135.1-40 0c-6.6 0-12 5.4-12 12l0 4.4c16.5 7.6 28 24.3 28 43.6 0 26.5-21.5 48-48 48s-48-21.5-48-48c0-19.4 11.5-36.1 28-43.6l0-4.4c0-28.7 23.3-52 52-52l40 0 0-56-12.4 0c-7.6 16.5-24.3 28-43.6 28-26.5 0-48-21.5-48-48s21.5-48 48-48c19.4 0 36.1 11.5 43.6 28l12.4 0 0-76c0-17.7-14.3-32-32-32zm80 148l0 152 40 0c6.6 0 12-5.4 12-12l0-4.4c-16.5-7.6-28-24.3-28-43.6 0-26.5 21.5-48 48-48s48 21.5 48 48c0 19.4-11.5 36.1-28 43.6l0 4.4c0 28.7-23.3 52-52 52l-40 0 0 39.1c.1 .6 .2 1.2 .3 1.9 2.5 19.7 19.3 35 39.7 35 16.8 0 31.2-10.3 37.1-25.1 3.8-9.6 13.3-15.6 23.6-15 1.1 .1 2.2 .1 3.2 .1 30.9 0 56-25.1 56-56 0-9.5-2.4-18.5-6.5-26.3-5.1-9.6-3.1-21.4 4.8-28.8 11-10.2 17.8-24.8 17.8-40.9 0-21.6-12.2-40.4-30.3-49.8-5.9-3-10.2-8.4-12-14.7s-.9-13.2 2.5-18.9c5-8.4 7.9-18.1 7.9-28.6 0-30.9-25.1-56-56-56-13.3 0-24-10.7-24-24 0-17.7-14.3-32-32-32s-32 14.3-32 32l0 76 12.4 0c7.6-16.5 24.3-28 43.6-28 26.5 0 48 21.5 48 48s-21.5 48-48 48c-19.4 0-36.1-11.5-43.6-28L280 196zm56-36a16 16 0 1 0 0 32 16 16 0 1 0 0-32zm0 128a16 16 0 1 0 32 0 16 16 0 1 0 -32 0zM144 352a16 16 0 1 0 32 0 16 16 0 1 0 -32 0zm16-176a16 16 0 1 0 32 0 16 16 0 1 0 -32 0z",{"id":1261,"title":1262,"authorsCollection":1263,"content":1271,"extension":1960,"hashTags":62,"meta":1961,"metaTitle":1962,"ogImage":62,"publishedDate":1963,"relatedBlogPostsCollection":1964,"slug":4302,"stem":4303,"subtitle":62,"summary":4304,"synopsis":4327,"sys":4328,"tagsCollection":4331,"__hash__":4339},"blog/blog/7-things-we-learned-from-troy-hunt.json","Troy Hunt webinar recap: Lessons from 'Yes, you've been pwned' with Troy Hunt",{"items":1264},[1265],{"fullName":1266,"firstName":1267,"jobTitle":1268,"profilePicture":1269},"Daniel Park","Daniel","Technical Content",{"url":1270},"https://images.ctfassets.net/y1cdw1ablpvd/6Cwg1xVeCdzUvxBIMfnDO5/6b18ed126b53611e7b521da34f900d29/254-0-2.jpg",{"json":1272,"links":1948},{"data":1273,"content":1274,"nodeType":1947},{},[1275,1284,1293,1297,1307,1327,1334,1341,1372,1391,1394,1402,1409,1440,1447,1450,1458,1465,1472,1516,1523,1526,1534,1565,1572,1579,1611,1614,1622,1642,1649,1667,1670,1678,1685,1703,1746,1749,1757,1764,1804,1833,1884,1887,1895,1902,1909,1940],{"data":1276,"content":1277,"nodeType":1283},{},[1278],{"data":1279,"marks":1280,"value":1281,"nodeType":1282},{},[],"The thread running through the whole conversation was identity: how attackers get it, why defenders struggle to protect it, and what the current generation of attacks means for security teams that thought they'd solved the credential problem.","text","paragraph",{"data":1285,"content":1291,"nodeType":1292},{"target":1286},{"sys":1287},{"id":1288,"type":1289,"linkType":1290},"5dcYX9bbre53KdZOF6PsyH","Link","Entry",[],"embedded-entry-block",{"data":1294,"content":1295,"nodeType":1296},{},[],"hr",{"data":1298,"content":1299,"nodeType":1306},{},[1300],{"data":1301,"marks":1302,"value":1305,"nodeType":1282},{},[1303],{"type":1304},"bold","1. Compromised credentials are everywhere, and most organizations can't tell which ones matter","heading-1",{"data":1308,"content":1309,"nodeType":1283},{},[1310,1314,1323],{"data":1311,"marks":1312,"value":1313,"nodeType":1282},{},[],"The scale of enterprise identity is the backdrop for the entire conversation. The average employee maintains around 15 SaaS accounts, and only a fraction of those sit behind SSO. Of the last million logins observed by Push,",{"data":1315,"content":1317,"nodeType":1322},{"uri":1316},"https://pushsecurity.com/blog/the-cisos-data-problem-and-how-browser-telemetry-can-help/",[1318],{"data":1319,"marks":1320,"value":1321,"nodeType":1282},{},[]," 1 in 4 were password-based rather than SSO, 2 in 5 were not protected by MFA, and 1 in 5 used a weak, breached, or reused password","hyperlink",{"data":1324,"marks":1325,"value":1326,"nodeType":1282},{},[],". That's the starting posture — before you even account for how many of those credentials have already been stolen.",{"data":1328,"content":1329,"nodeType":1283},{},[1330],{"data":1331,"marks":1332,"value":1333,"nodeType":1282},{},[],"Troy's data suggests the answer is: most of them. \"We know credential reuse is massive,\" he said. \"We know attackers get credentials from one data breach and then they go along and they try them on all sorts of different services, and now you've got one data breach leading to multiple account takeovers.\" His service now holds billions of email addresses, monitors 400,000 domains including more than half the Fortune 500, and sends millions of breach notifications every year.",{"data":1335,"content":1336,"nodeType":1283},{},[1337],{"data":1338,"marks":1339,"value":1340,"nodeType":1282},{},[],"The problem compounds because, as Troy put it, \"data never really dies.\" Employees leave, but their credentials persist in breach datasets and across the SaaS apps they signed up for during their tenure. When an organization pulls its breach exposure data, a significant proportion of what comes back is noise — departed employees, fabricated email addresses, accounts for services that were never sanctioned. Mark described the operational reality: getting a notification that an email address has appeared in a breach \"can be very helpful context, but can also be a recipe for spending some time only to find out that maybe that person left two years ago.\"",{"data":1342,"content":1343,"nodeType":1283},{},[1344,1348,1356,1360,1368],{"data":1345,"marks":1346,"value":1347,"nodeType":1282},{},[],"The proof is in the breaches. The",{"data":1349,"content":1351,"nodeType":1322},{"uri":1350},"https://pushsecurity.com/blog/snowflake-retro/",[1352],{"data":1353,"marks":1354,"value":1355,"nodeType":1282},{},[]," Snowflake incident",{"data":1357,"marks":1358,"value":1359,"nodeType":1282},{},[]," was the watershed example — 80% of the compromised accounts had prior breach exposure in datasets dating back to 2020, but without MFA enforcement and without visibility into which credentials were actively in use, those warnings went unanswered while attackers walked in through the front door. The accounts still had local, password-based logins enabled —",{"data":1361,"content":1363,"nodeType":1322},{"uri":1362},"https://pushsecurity.com/blog/ghost-logins-when-forgotten-identities-come-back-to-haunt-you/",[1364],{"data":1365,"marks":1366,"value":1367,"nodeType":1282},{},[]," ghost logins",{"data":1369,"marks":1370,"value":1371,"nodeType":1282},{},[]," that persisted even in environments that thought they'd moved to SSO.",{"data":1373,"content":1374,"nodeType":1283},{},[1375,1379,1387],{"data":1376,"marks":1377,"value":1378,"nodeType":1282},{},[],"Push's approach is to",{"data":1380,"content":1382,"nodeType":1322},{"uri":1381},"https://pushsecurity.com/blog/verified-stolen-credential-detection/",[1383],{"data":1384,"marks":1385,"value":1386,"nodeType":1282},{},[]," match breach intelligence against observed login behavior",{"data":1388,"marks":1389,"value":1390,"nodeType":1282},{},[]," — correlating stolen credential feeds with the authentication events Push sees in the browser, so that a compromised credential only generates an alert when someone is actively logging in with it. That eliminates 99% of the false positives that make raw breach feeds so painful to operationalize, and turns a low-fidelity data source into something security teams can actually act on.",{"data":1392,"content":1393,"nodeType":1296},{},[],{"data":1395,"content":1396,"nodeType":1306},{},[1397],{"data":1398,"marks":1399,"value":1401,"nodeType":1282},{},[1400],{"type":1304},"2. Attacks aren't slowing down — they're industrializing",{"data":1403,"content":1404,"nodeType":1283},{},[1405],{"data":1406,"marks":1407,"value":1408,"nodeType":1282},{},[],"With that many vulnerable credentials sitting in circulation, the question is how easily attackers can exploit them — and the answer, as Troy described it, is easier than ever. \"There's almost like the democratization of hacking tools,\" he said. \"When you get all of these things as a service — phishing as a service, ransomware as a service — you don't need to be particularly technically smart if you can go and pay someone else for access to their infrastructure.\"",{"data":1410,"content":1411,"nodeType":1283},{},[1412,1416,1424,1428,1436],{"data":1413,"marks":1414,"value":1415,"nodeType":1282},{},[],"The criminal tooling ecosystem now mirrors legitimate SaaS: turnkey platforms with tiered pricing, customer support, and continuous development cycles. Phishing-as-a-Service kits like",{"data":1417,"content":1419,"nodeType":1322},{"uri":1418},"https://pushsecurity.com/blog/2025-top-phishing-trends/",[1420],{"data":1421,"marks":1422,"value":1423,"nodeType":1282},{},[]," Tycoon2FA",{"data":1425,"marks":1426,"value":1427,"nodeType":1282},{},[]," — responsible for 62% of phishing blocked by Microsoft — offer turnkey AiTM infrastructure that intercepts session tokens in real time and bypasses MFA out of the box. The kits are also converging: AiTM platforms are adding device code phishing modules, credential harvesting kits are adding session token capture, and",{"data":1429,"content":1431,"nodeType":1322},{"uri":1430},"https://pushsecurity.com/blog/introducing-the-browser-and-identity-attacks-matrix/",[1432],{"data":1433,"marks":1434,"value":1435,"nodeType":1282},{},[]," 60–70% of phishing attacks now originate from PhaaS platforms",{"data":1437,"marks":1438,"value":1439,"nodeType":1282},{},[],". The sophistication of the attack no longer reflects the sophistication of the attacker.",{"data":1441,"content":1442,"nodeType":1283},{},[1443],{"data":1444,"marks":1445,"value":1446,"nodeType":1282},{},[],"As Troy said: \"If you look at this through the lens of the moral neutrality of technology, that rising tide lifts all boats. And some of those boats are criminals who can now do things easier than before.\"",{"data":1448,"content":1449,"nodeType":1296},{},[],{"data":1451,"content":1452,"nodeType":1306},{},[1453],{"data":1454,"marks":1455,"value":1457,"nodeType":1282},{},[1456],{"type":1304},"3. You don't need to be a hacker to breach a Fortune 100 company",{"data":1459,"content":1460,"nodeType":1283},{},[1461],{"data":1462,"marks":1463,"value":1464,"nodeType":1282},{},[],"One of the most striking threads in the conversation was Troy's observation about who is actually behind these breaches — and how little technical sophistication they bring to the table. \"The average age of people that are being arrested for a lot of these data breach style activities is around about 19,\" he said. \"Fortune 100 companies are being breached by a kid in his bedroom. That is wild.\"",{"data":1466,"content":1467,"nodeType":1283},{},[1468],{"data":1469,"marks":1470,"value":1471,"nodeType":1282},{},[],"The leverage is disproportionate precisely because the attacks don't require deep technical skill. \"A lot of the attacks lately have been social engineering attacks,\" Troy continued, noting with parental familiarity that \"kids are great at social engineering — if you've got kids, you know how good they are at social engineering.\"",{"data":1473,"content":1474,"nodeType":1283},{},[1475,1479,1489,1493,1501,1505,1512],{"data":1476,"marks":1477,"value":1478,"nodeType":1282},{},[],"The ",{"data":1480,"content":1482,"nodeType":1322},{"uri":1481},"https://pushsecurity.com/blog/analyzing-the-instructure-breach/",[1483],{"data":1484,"marks":1485,"value":1488,"nodeType":1282},{},[1486],{"type":1487},"underline","ShinyHunters",{"data":1490,"marks":1491,"value":1492,"nodeType":1282},{},[]," ecosystem — the group Troy and Mark discussed as the dominant threat actor at the time of recording — exemplifies this pattern. They're getting into Salesforce instances via voice phishing, not through zero-day exploits, and the tooling behind their campaigns is industrialized enough that Push's research team was able to",{"data":1494,"content":1496,"nodeType":1322},{"uri":1495},"https://pushsecurity.com/blog/inside-criminal-phishing-panel/",[1497],{"data":1498,"marks":1499,"value":1500,"nodeType":1282},{},[]," infiltrate one of their criminal phishing panels",{"data":1502,"marks":1503,"value":1504,"nodeType":1282},{},[]," and observe real-time victim targeting across four distinct infrastructure clusters and over 400 linked domains. Our",{"data":1506,"content":1507,"nodeType":1322},{"uri":1481},[1508],{"data":1509,"marks":1510,"value":1511,"nodeType":1282},{},[]," analysis of the Instructure breach",{"data":1513,"marks":1514,"value":1515,"nodeType":1282},{},[]," broke down the three core techniques behind these campaigns — credential phishing, AiTM attacks, and account takeover — none of which require particular technical sophistication to execute.",{"data":1517,"content":1518,"nodeType":1283},{},[1519],{"data":1520,"marks":1521,"value":1522,"nodeType":1282},{},[],"The reproducible playbook Troy described is an identity attack pattern, not a software vulnerability. \"Once you do get a group that manages to find a reproducible pattern to gain access to these things, the same pattern is used by so many different organizations\". And identity attacks scale precisely because they target the weakest link in the chain: the way people actually log in.",{"data":1524,"content":1525,"nodeType":1296},{},[],{"data":1527,"content":1528,"nodeType":1306},{},[1529],{"data":1530,"marks":1531,"value":1533,"nodeType":1282},{},[1532],{"type":1304},"4. Your attack surface is bigger than your org chart",{"data":1535,"content":1536,"nodeType":1283},{},[1537,1541,1549,1553,1561],{"data":1538,"marks":1539,"value":1540,"nodeType":1282},{},[],"Troy connected the credential problem to the broader reality of modern enterprise architecture: the attack surface isn't defined by your systems anymore — it's defined by every external dependency your employees touch. \"We're seeing attacks against the likes of Okta, because obviously Okta holds identity,\" he said. \"",{"data":1542,"content":1543,"nodeType":1322},{"uri":1481},[1544],{"data":1545,"marks":1546,"value":1548,"nodeType":1282},{},[1547],{"type":1487},"Salesforce",{"data":1550,"marks":1551,"value":1552,"nodeType":1282},{},[],", a couple of years ago it was things like ",{"data":1554,"content":1555,"nodeType":1322},{"uri":1350},[1556],{"data":1557,"marks":1558,"value":1560,"nodeType":1282},{},[1559],{"type":1487},"Snowflake",{"data":1562,"marks":1563,"value":1564,"nodeType":1282},{},[]," — these external dependencies, and then you have so many different entry points into them.\"",{"data":1566,"content":1567,"nodeType":1283},{},[1568],{"data":1569,"marks":1570,"value":1571,"nodeType":1282},{},[],"When Troy tried to describe the resulting complexity, the metaphor was telling: \"If you put all of this up on the board, sort of like crime fighter style and you draw the lines between everything, it's just an absolute spider web of interdependencies and access rights.\"",{"data":1573,"content":1574,"nodeType":1283},{},[1575],{"data":1576,"marks":1577,"value":1578,"nodeType":1282},{},[],"Mark made the point that the attack chain itself has shifted accordingly: \"The first part of the attack, the infostealer, might not even be something that happened in your environment. You're just gonna see the tail end of that attack chain.\" An employee's credentials get harvested from a personal device, sit in a criminal marketplace for months, and then get used to log into a SaaS app that your IdP doesn't even know exists — because the employee signed up with their corporate email and a reused password. With the average employee maintaining around 15 SaaS accounts, the organizational identity surface extends far beyond what any single IdP directory shows, and most of it is completely unmanaged.",{"data":1580,"content":1581,"nodeType":1283},{},[1582,1586,1595,1599,1607],{"data":1583,"marks":1584,"value":1585,"nodeType":1282},{},[],"This is the identity surface area Push is built to make visible: ",{"data":1587,"content":1589,"nodeType":1322},{"uri":1588},"https://pushsecurity.com/uc/shadow-saas",[1590],{"data":1591,"marks":1592,"value":1594,"nodeType":1282},{},[1593],{"type":1487},"shadow SaaS",{"data":1596,"marks":1597,"value":1598,"nodeType":1282},{},[]," discovered through actual login events, authentication methods observed at the point of login, and the gap between what your IdP thinks is happening and ",{"data":1600,"content":1601,"nodeType":1322},{"uri":1362},[1602],{"data":1603,"marks":1604,"value":1606,"nodeType":1282},{},[1605],{"type":1487},"how people are actually authenticating",{"data":1608,"marks":1609,"value":1610,"nodeType":1282},{},[],".",{"data":1612,"content":1613,"nodeType":1296},{},[],{"data":1615,"content":1616,"nodeType":1306},{},[1617],{"data":1618,"marks":1619,"value":1621,"nodeType":1282},{},[1620],{"type":1304},"5. Even Troy Hunt got phished, showing the need for stronger technical protections, not just more awareness training ",{"data":1623,"content":1624,"nodeType":1283},{},[1625,1629,1638],{"data":1626,"marks":1627,"value":1628,"nodeType":1282},{},[],"Troy recounted the story of his ",{"data":1630,"content":1632,"nodeType":1322},{"uri":1631},"https://pushsecurity.com/blog/dissecting-a-recent-mailchimp-phishing-attack/",[1633],{"data":1634,"marks":1635,"value":1637,"nodeType":1282},{},[1636],{"type":1487},"own phishing incident",{"data":1639,"marks":1640,"value":1641,"nodeType":1282},{},[],". \"My password out of 1Password got phished. My OTP out of 1Password got phished because it was a phishable form of 2FA,\" he said. \"And as a result, my mailing list got exposed. So I had to put my own mailing list into Have I Been Pwned and then email all my subscribers, which was, to be honest, slightly embarrassing.\"",{"data":1643,"content":1644,"nodeType":1283},{},[1645],{"data":1646,"marks":1647,"value":1648,"nodeType":1282},{},[],"If the person who runs Have I Been Pwned — someone who has spent over a decade immersed in breach data and credential security — can get phished, the lesson clearly isn't \"pay more attention.\" Troy was explicit about the takeaway: \"It reinforces the need for technical controls that are separate and complementary to the human controls. In my own case, the human controls broke down. Unfortunately there weren't sufficient technical controls in order to save me from myself.\"",{"data":1650,"content":1651,"nodeType":1283},{},[1652,1656,1663],{"data":1653,"marks":1654,"value":1655,"nodeType":1282},{},[],"Mark pushed the point further during the Q&A: \"Expecting users, even well-educated ones, even security practitioners, to be able to differentiate — I think that's just not a reasonable expectation.\" When phishing arrives from",{"data":1657,"content":1658,"nodeType":1322},{"uri":1430},[1659],{"data":1660,"marks":1661,"value":1662,"nodeType":1282},{},[]," legitimate domains via notification pipeline abuse",{"data":1664,"marks":1665,"value":1666,"nodeType":1282},{},[],", from compromised contacts on LinkedIn, and from sponsored Google search results  the signals users were trained to look for simply don't exist anymore. Training remains valuable as a layer, but the structural argument for technical controls inside the browser was reinforced throughout the session.",{"data":1668,"content":1669,"nodeType":1296},{},[],{"data":1671,"content":1672,"nodeType":1306},{},[1673],{"data":1674,"marks":1675,"value":1677,"nodeType":1282},{},[1676],{"type":1304},"6. MFA is necessary but it's not the finish line",{"data":1679,"content":1680,"nodeType":1283},{},[1681],{"data":1682,"marks":1683,"value":1684,"nodeType":1282},{},[],"Both speakers returned to MFA multiple times, and the consensus was clear: any MFA beats no MFA, but treating it as a solved problem is dangerous. Troy was direct: \"You can have the world's best non-phishable 2FA. But an infostealer gets you cookie material and they can replay that and it had browser fingerprints and things in it as well, then you've still got a problem.\" ",{"data":1686,"content":1687,"nodeType":1283},{},[1688,1692,1699],{"data":1689,"marks":1690,"value":1691,"nodeType":1282},{},[],"Mark reinforced this: \"We're seeing a lot of post-authentication attacks — session hijacking, consent attacks — where you can have the strongest authentication methods available, but if you're sidestepping or doing a post-authentication action, that's really not gonna matter.\" And with",{"data":1693,"content":1694,"nodeType":1322},{"uri":1316},[1695],{"data":1696,"marks":1697,"value":1698,"nodeType":1282},{},[]," 2 in 5 logins observed by Push still lacking MFA at all",{"data":1700,"marks":1701,"value":1702,"nodeType":1282},{},[],", many organizations haven't yet reached the baseline where post-authentication attacks are even the primary concern — they're still exposed to straightforward credential-based compromise at scale.",{"data":1704,"content":1705,"nodeType":1283},{},[1706,1710,1718,1722,1730,1734,1742],{"data":1707,"marks":1708,"value":1709,"nodeType":1282},{},[],"Push addresses both halves:",{"data":1711,"content":1713,"nodeType":1322},{"uri":1712},"https://pushsecurity.com/blog/introducing-set-and-forget-controls-that-stop-real-world-identity-attacks/",[1714],{"data":1715,"marks":1716,"value":1717,"nodeType":1282},{},[]," MFA enforcement guardrails",{"data":1719,"marks":1720,"value":1721,"nodeType":1282},{},[]," surface where MFA is missing and guide users toward enrollment, while",{"data":1723,"content":1725,"nodeType":1322},{"uri":1724},"https://pushsecurity.com/blog/guide-how-to-use-push-controls-to-protect-your-users-from-modern-attacks/",[1726],{"data":1727,"marks":1728,"value":1729,"nodeType":1282},{},[]," session hijacking detection",{"data":1731,"marks":1732,"value":1733,"nodeType":1282},{},[]," and",{"data":1735,"content":1737,"nodeType":1322},{"uri":1736},"https://pushsecurity.com/blog/device-code-phishing/",[1738],{"data":1739,"marks":1740,"value":1741,"nodeType":1282},{},[]," authorization attack protections",{"data":1743,"marks":1744,"value":1745,"nodeType":1282},{},[]," — including device code phishing detection and OAuth consent monitoring — catch the post-authentication attacks MFA was never designed to stop.",{"data":1747,"content":1748,"nodeType":1296},{},[],{"data":1750,"content":1751,"nodeType":1306},{},[1752],{"data":1753,"marks":1754,"value":1756,"nodeType":1282},{},[1755],{"type":1304},"7. The ClickFix-to-infostealer-to-account takeover flywheel",{"data":1758,"content":1759,"nodeType":1283},{},[1760],{"data":1761,"marks":1762,"value":1763,"nodeType":1282},{},[],"The final thread that ran through the conversation was the self-reinforcing nature of the modern attack chain. Mark laid out the cycle explicitly: \"ClickFix to infostealer to account takeover, which results then in maybe more ad account takeover, so we distribute more ClickFix and it just kind of has this compounding effect.\"",{"data":1765,"content":1766,"nodeType":1283},{},[1767,1771,1779,1783,1789,1793,1800],{"data":1768,"marks":1769,"value":1770,"nodeType":1282},{},[],"This isn't a linear attack path — it's a flywheel.",{"data":1772,"content":1774,"nodeType":1322},{"uri":1773},"https://pushsecurity.com/blog/introducing-malicious-copy-paste-detection/",[1775],{"data":1776,"marks":1777,"value":1778,"nodeType":1282},{},[]," ClickFix",{"data":1780,"marks":1781,"value":1782,"nodeType":1282},{},[]," silently injects a malicious command into the victim's clipboard and instructs them to paste and execute it, delivering infostealer malware that harvests credentials and session tokens from the browser. Those stolen credentials fuel credential stuffing attacks across every SaaS app the victim has accounts on — particularly apps with",{"data":1784,"content":1785,"nodeType":1322},{"uri":1362},[1786],{"data":1787,"marks":1788,"value":1367,"nodeType":1282},{},[],{"data":1790,"marks":1791,"value":1792,"nodeType":1282},{},[]," where local password-based authentication still works even after SSO was configured. Compromised advertising and social media accounts are then used to distribute more ClickFix lures through",{"data":1794,"content":1795,"nodeType":1322},{"uri":1430},[1796],{"data":1797,"marks":1798,"value":1799,"nodeType":1282},{},[]," Google search results, malvertising, and compromised websites",{"data":1801,"marks":1802,"value":1803,"nodeType":1282},{},[],", and the cycle starts again.",{"data":1805,"content":1806,"nodeType":1283},{},[1807,1811,1818,1822,1829],{"data":1808,"marks":1809,"value":1810,"nodeType":1282},{},[],"The scale compounds with every rotation, and the numbers suggest the flywheel is already spinning fast —",{"data":1812,"content":1813,"nodeType":1322},{"uri":1430},[1814],{"data":1815,"marks":1816,"value":1817,"nodeType":1282},{},[]," 54% of all ransomware attacks in 2025 traced back to infostealer-enabled credential theft",{"data":1819,"marks":1820,"value":1821,"nodeType":1282},{},[],", and ClickFix was identified as",{"data":1823,"content":1824,"nodeType":1322},{"uri":1430},[1825],{"data":1826,"marks":1827,"value":1828,"nodeType":1282},{},[]," the most common initial access vector",{"data":1830,"marks":1831,"value":1832,"nodeType":1282},{},[]," by Microsoft last year.",{"data":1834,"content":1835,"nodeType":1283},{},[1836,1840,1847,1851,1858,1862,1869,1873,1880],{"data":1837,"marks":1838,"value":1839,"nodeType":1282},{},[],"Push breaks the chain at multiple points: detecting",{"data":1841,"content":1842,"nodeType":1322},{"uri":1773},[1843],{"data":1844,"marks":1845,"value":1846,"nodeType":1282},{},[]," ClickFix clipboard injection",{"data":1848,"marks":1849,"value":1850,"nodeType":1282},{},[]," before the payload reaches the endpoint,",{"data":1852,"content":1853,"nodeType":1322},{"uri":1381},[1854],{"data":1855,"marks":1856,"value":1857,"nodeType":1282},{},[]," identifying stolen credentials",{"data":1859,"marks":1860,"value":1861,"nodeType":1282},{},[]," when they're actively used in login attempts, flagging",{"data":1863,"content":1864,"nodeType":1322},{"uri":1712},[1865],{"data":1866,"marks":1867,"value":1868,"nodeType":1282},{},[]," accounts missing MFA",{"data":1870,"marks":1871,"value":1872,"nodeType":1282},{},[],", and",{"data":1874,"content":1875,"nodeType":1322},{"uri":1724},[1876],{"data":1877,"marks":1878,"value":1879,"nodeType":1282},{},[]," detecting session hijacking",{"data":1881,"marks":1882,"value":1883,"nodeType":1282},{},[]," when stolen tokens are replayed outside the protected browser.",{"data":1885,"content":1886,"nodeType":1296},{},[],{"data":1888,"content":1889,"nodeType":1306},{},[1890],{"data":1891,"marks":1892,"value":1894,"nodeType":1282},{},[1893],{"type":1304},"The bigger picture",{"data":1896,"content":1897,"nodeType":1283},{},[1898],{"data":1899,"marks":1900,"value":1901,"nodeType":1282},{},[],"The conversation with Troy reinforced something we see in our own data every day: the credential problem isn't just an awareness problem — and better technical controls are needed. Organizations know credentials get compromised, they subscribe to breach notification services, and they run security awareness training, but without the ability to match that intelligence against what's actually happening in the browser — which credentials are in active use, which accounts lack MFA, which logins bypass SSO entirely — the gap between knowing about a compromised credential and being able to do anything about it remains vast.",{"data":1903,"content":1904,"nodeType":1283},{},[1905],{"data":1906,"marks":1907,"value":1908,"nodeType":1282},{},[],"Troy's work at Have I Been Pwned has made that gap more visible than anyone else could, and the conversation is worth watching in full for the practitioner-level detail he brings to a problem most organizations are still underestimating.",{"data":1910,"content":1911,"nodeType":1283},{},[1912,1915,1924,1928,1936],{"data":1913,"marks":1914,"value":29,"nodeType":1282},{},[],{"data":1916,"content":1918,"nodeType":1322},{"uri":1917},"https://pushsecurity.com/resources/yes-youve-been-pwned",[1919],{"data":1920,"marks":1921,"value":1923,"nodeType":1282},{},[1922],{"type":1487},"Watch the full webinar",{"data":1925,"marks":1926,"value":1927,"nodeType":1282},{},[]," to hear the full conversation — or",{"data":1929,"content":1931,"nodeType":1322},{"uri":1930},"https://pushsecurity.com/demo",[1932],{"data":1933,"marks":1934,"value":1935,"nodeType":1282},{},[]," book a demo",{"data":1937,"marks":1938,"value":1939,"nodeType":1282},{},[]," to see how Push turns credential intelligence into actionable detections.",{"data":1941,"content":1942,"nodeType":1283},{},[1943],{"data":1944,"marks":1945,"value":1946,"nodeType":1282},{},[],"\n","document",{"entries":1949},{"hyperlink":1950,"inline":1951,"block":1952},[],[],[1953],{"sys":1954,"__typename":1955,"type":1956,"ctaText":1957,"buttonLabel":1958,"buttonColour":1959,"buttonUrl":1917},{"id":1288},"CtaWidget","Custom","Watch the full webinar on demand.","Click here","sunny orange","json",{},"7 things we learned from our conversation with Troy Hunt","2026-05-20T00:00:00.000Z",{"items":1965},[1966,2554,3421],{"__typename":1967,"sys":1968,"content":1970,"title":2536,"synopsis":2537,"hashTags":62,"publishedDate":2538,"slug":2539,"tagsCollection":2540,"authorsCollection":2550},"BlogPosts",{"id":1969},"6V12IJexyAkFFVIrbwlNPq",{"json":1971},{"data":1972,"content":1973,"nodeType":1947},{},[1974,1994,2000,2003,2011,2062,2069,2072,2080,2099,2106,2131,2149,2152,2160,2179,2186,2193,2200,2203,2211,2242,2260,2263,2271,2290,2297,2304,2307,2315,2334,2341,2359,2366,2369,2377,2394,2401,2408,2420,2437,2440,2448,2455,2502,2530],{"data":1975,"content":1976,"nodeType":1283},{},[1977,1981,1990],{"data":1978,"marks":1979,"value":1980,"nodeType":1282},{},[],"We recently sat down with ",{"data":1982,"content":1984,"nodeType":1322},{"uri":1983},"https://www.youtube.com/@_JohnHammond",[1985],{"data":1986,"marks":1987,"value":1989,"nodeType":1282},{},[1988],{"type":1487},"John Hammond",{"data":1991,"marks":1992,"value":1993,"nodeType":1282},{},[]," — Senior Principal Security Researcher at Huntress — for a live deep-dive into the browser-based attack techniques defining the 2026 threat landscape. The session covered AiTM phishing, ClickFix, ConsentFix, device code phishing, and the structural shifts making traditional security controls less effective against all of them. Here are seven takeaways.",{"data":1995,"content":1999,"nodeType":1292},{"target":1996},{"sys":1997},{"id":1998,"type":1289,"linkType":1290},"5lJ49aLY0nApDeY69tNvUi",[],{"data":2001,"content":2002,"nodeType":1296},{},[],{"data":2004,"content":2005,"nodeType":1306},{},[2006],{"data":2007,"marks":2008,"value":2010,"nodeType":1282},{},[2009],{"type":1304},"1. Browser attacks are evolving faster than defenses can adapt",{"data":2012,"content":2013,"nodeType":1283},{},[2014,2018,2025,2029,2036,2040,2047,2051,2059],{"data":2015,"marks":2016,"value":2017,"nodeType":1282},{},[],"The overriding theme of the session wasn't any single technique — it was the pace of change across all of them. AiTM phishing has been",{"data":2019,"content":2020,"nodeType":1322},{"uri":1418},[2021],{"data":2022,"marks":2023,"value":2024,"nodeType":1282},{},[]," the dominant phishing technique",{"data":2026,"marks":2027,"value":2028,"nodeType":1282},{},[]," for a couple of years now, but the variants layered on top of it are arriving faster than most security teams can evaluate, let alone deploy defenses against. ClickFix went from novel to",{"data":2030,"content":2031,"nodeType":1322},{"uri":1430},[2032],{"data":2033,"marks":2034,"value":2035,"nodeType":1282},{},[]," the most common initial access vector observed by Microsoft",{"data":2037,"marks":2038,"value":2039,"nodeType":1282},{},[]," within about a year. Device code phishing went from near-zero to",{"data":2041,"content":2042,"nodeType":1322},{"uri":1736},[2043],{"data":2044,"marks":2045,"value":2046,"nodeType":1282},{},[]," at least 12 distinct kits",{"data":2048,"marks":2049,"value":2050,"nodeType":1282},{},[]," in a matter of months. ConsentFix was detected as a zero-day technique by Push in late 2025 and has already been",{"data":2052,"content":2054,"nodeType":1322},{"uri":2053},"https://pushsecurity.com/blog/consentfix-v3-analyzing-a-new-toolkit/",[2055],{"data":2056,"marks":2057,"value":2058,"nodeType":1282},{},[]," operationalized on criminal forums",{"data":2060,"marks":2061,"value":1610,"nodeType":1282},{},[],{"data":2063,"content":2064,"nodeType":1283},{},[2065],{"data":2066,"marks":2067,"value":2068,"nodeType":1282},{},[],"As Luke put it toward the end of the session: \"I've seen this develop so fast over the last two years. This isn't what's coming — this is now. This is where the battleground is.\"",{"data":2070,"content":2071,"nodeType":1296},{},[],{"data":2073,"content":2074,"nodeType":1306},{},[2075],{"data":2076,"marks":2077,"value":2079,"nodeType":1282},{},[2078],{"type":1304},"2. AiTM phishing is table stakes for attackers ",{"data":2081,"content":2082,"nodeType":1283},{},[2083,2087,2095],{"data":2084,"marks":2085,"value":2086,"nodeType":1282},{},[],"Adversary-in-the-middle phishing — where a reverse proxy sits between the victim and the real login page, intercepting session tokens in real time to bypass MFA — is no longer an advanced technique. It's available as a commodity for-hire through Phishing-as-a-Service platforms like Tycoon2FA, Sneaky2FA, and others",{"data":2088,"content":2089,"nodeType":1322},{"uri":1418},[2090],{"data":2091,"marks":2092,"value":2094,"nodeType":1282},{},[2093],{"type":1487},",",{"data":2096,"marks":2097,"value":2098,"nodeType":1282},{},[]," and the kits are getting harder to detect through traditional means.",{"data":2100,"content":2101,"nodeType":1283},{},[2102],{"data":2103,"marks":2104,"value":2105,"nodeType":1282},{},[],"Luke demoed the attacker's perspective using Evilginx — an open-source tool now commonly seen in criminal operations — showing how session tokens are captured in real time even when the victim enters their MFA code correctly. From the victim's side, the login feels completely normal.",{"data":2107,"content":2108,"nodeType":1283},{},[2109,2114,2118,2127],{"data":2110,"marks":2111,"value":2113,"nodeType":1282},{},[2112],{"type":1304},"One of the key focuses in the session was how attackers are abusing legitimate infrastructure for both hosting and delivery of phishing pages. .",{"data":2115,"marks":2116,"value":2117,"nodeType":1282},{},[]," The in-the-wild examples showed attack chains routing through multiple legitimate services — file-sharing platforms, TinyURL, Cloudflare Turnstile, Google Search redirects — before finally landing on the phishing page. This is a well established technique for ",{"data":2119,"content":2121,"nodeType":1322},{"uri":2120},"https://phishing-techniques.pushsecurity.com/",[2122],{"data":2123,"marks":2124,"value":2126,"nodeType":1282},{},[2125],{"type":1487},"detection evasion",{"data":2128,"marks":2129,"value":2130,"nodeType":1282},{},[],". ",{"data":2132,"content":2133,"nodeType":1283},{},[2134,2138,2145],{"data":2135,"marks":2136,"value":2137,"nodeType":1282},{},[],"As John observed, \"the end user doesn't have that wherewithal or that observability understanding of how far they drove around across the internet\" before arriving at the credential-harvesting page. Push reconstructs these multi-hop chains into a",{"data":2139,"content":2140,"nodeType":1322},{"uri":1724},[2141],{"data":2142,"marks":2143,"value":2144,"nodeType":1282},{},[]," complete timeline",{"data":2146,"marks":2147,"value":2148,"nodeType":1282},{},[],", mapping the full redirect sequence even when individual hops are through trusted domains that wouldn't trigger any reputation-based alert — and crucially, detects malicious content on the phishing page itself rather than relying on known-bad IP and domain based checks that can only see the known-good sites used early in the chain.",{"data":2150,"content":2151,"nodeType":1296},{},[],{"data":2153,"content":2154,"nodeType":1306},{},[2155],{"data":2156,"marks":2157,"value":2159,"nodeType":1282},{},[2158],{"type":1304},"3. Email is losing its market share as a delivery vector",{"data":2161,"content":2162,"nodeType":1283},{},[2163,2167,2175],{"data":2164,"marks":2165,"value":2166,"nodeType":1282},{},[],"One of the most striking examples in the webinar was a targeted AiTM campaign",{"data":2168,"content":2170,"nodeType":1322},{"uri":2169},"https://pushsecurity.com/blog/new-phishing-campaign-identified-targeting-linkedin-users/",[2171],{"data":2172,"marks":2173,"value":2174,"nodeType":1282},{},[]," Push detected last year",{"data":2176,"marks":2177,"value":2178,"nodeType":1282},{},[]," that was delivered entirely via LinkedIn. Senior executives at tech companies received direct messages from compromised contacts — people they already knew, in some cases other employees of the same companies — offering involvement in private equity fundraising rounds connected to companies they had real involvement with. The targeting was precise and personal, and the redirect chain ran through sites.google.com and Microsoft Dynamics before landing on a cloned login page.",{"data":2180,"content":2181,"nodeType":1283},{},[2182],{"data":2183,"marks":2184,"value":2185,"nodeType":1282},{},[],"As Luke noted, LinkedIn occupies an unusual middle ground: \"It's this great way of targeting companies, but through a vector that can't really be monitored in the same way as other corporate systems, because it's kind of a personal platform.\" It's personal enough that companies can't realistically monitor it, but professional enough that employees routinely access it from corporate devices.",{"data":2187,"content":2188,"nodeType":1283},{},[2189],{"data":2190,"marks":2191,"value":2192,"nodeType":1282},{},[],"LinkedIn is only part of the shift. ClickFix attacks most commonly arrive via search results in 4 of 5 cases based on Push data. Luke noted \"not even malvertising, just organic search, uncovering legit websites that have been compromised.\" InstallFix pages appear as sponsored Google ads. ConsentFix pages were seeded on compromised websites found through normal browsing. In every case, the email gateway never sees the lure because the lure was never in an email. And of course, even if a compromised website is reported and removed, it’s easier than ever for an attacker to quickly tear down and rotate their sites to stay ahead of blocklists. ",{"data":2194,"content":2195,"nodeType":1283},{},[2196],{"data":2197,"marks":2198,"value":2199,"nodeType":1282},{},[],"As John put it: \"You could set up this lure or this trap out on the open internet so that anyone could fall for it at any point.\"",{"data":2201,"content":2202,"nodeType":1296},{},[],{"data":2204,"content":2205,"nodeType":1306},{},[2206],{"data":2207,"marks":2208,"value":2210,"nodeType":1282},{},[2209],{"type":1304},"4. ClickFix keeps evolving with multiple *Fix derivatives",{"data":2212,"content":2213,"nodeType":1283},{},[2214,2218,2226,2230,2238],{"data":2215,"marks":2216,"value":2217,"nodeType":1282},{},[],"ClickFix — where a malicious page silently writes a payload to the victim's clipboard and instructs them to paste and execute it — ",{"data":2219,"content":2220,"nodeType":1322},{"uri":1773},[2221],{"data":2222,"marks":2223,"value":2225,"nodeType":1282},{},[2224],{"type":1487},"spawned an entire family of variants since its emergence, according to Push’s research",{"data":2227,"marks":2228,"value":2229,"nodeType":1282},{},[],". The webinar showed how far the social engineering has come: Luke demonstrated a",{"data":2231,"content":2233,"nodeType":1322},{"uri":2232},"https://pushsecurity.com/blog/the-most-advanced-clickfix-yet/",[2234],{"data":2235,"marks":2236,"value":2237,"nodeType":1282},{},[]," particularly sophisticated variant",{"data":2239,"marks":2240,"value":2241,"nodeType":1282},{},[]," on a compromised legitimate website with an embedded instructional video and a countdown timer to manufacture urgency, targeting macOS. As John noted: \"It can be cross-platform because you're just preying on the human weakness. The video smooths it over for the user experience.\"",{"data":2243,"content":2244,"nodeType":1283},{},[2245,2249,2256],{"data":2246,"marks":2247,"value":2248,"nodeType":1282},{},[],"The more important point was structural. Because the user manually pastes and executes the command, \"from the EDR's perspective, the user just manually ran this command,\" Luke explained. \"It actually breaks that link from an EDR's perspective.\" EDR behavioral detections weigh execution context heavily — a PowerShell command spawned from a browser process tree is suspicious, but the same command initiated through the Run dialog looks like normal activity. Push",{"data":2250,"content":2251,"nodeType":1322},{"uri":1773},[2252],{"data":2253,"marks":2254,"value":2255,"nodeType":1282},{},[]," detects ClickFix at the clipboard-injection stage",{"data":2257,"marks":2258,"value":2259,"nodeType":1282},{},[],", before the payload ever reaches the endpoint, to bolster endpoint-level detections and extend protection to machines like BYOD, contractor, or developer devices where EDR is often missing or tuned-down.",{"data":2261,"content":2262,"nodeType":1296},{},[],{"data":2264,"content":2265,"nodeType":1306},{},[2266],{"data":2267,"marks":2268,"value":2270,"nodeType":1282},{},[2269],{"type":1304},"5. InstallFix turned the AI tool boom into an attack surface overnight",{"data":2272,"content":2273,"nodeType":1283},{},[2274,2277,2286],{"data":2275,"marks":2276,"value":29,"nodeType":1282},{},[],{"data":2278,"content":2280,"nodeType":1322},{"uri":2279},"https://pushsecurity.com/blog/installfix/",[2281],{"data":2282,"marks":2283,"value":2285,"nodeType":1282},{},[2284],{"type":1487},"InstallFix",{"data":2287,"marks":2288,"value":2289,"nodeType":1282},{},[]," — a ClickFix variant that clones legitimate developer tool installation pages and swaps the install command for a malicious payload — was one of the clearest examples of how quickly a new attack pattern can go from zero to dominant. Luke showed side-by-side comparisons of real and fake Claude Code installation pages that were visually identical except for the payload itself, and fake Notebook LM pages appearing as top Google sponsored results.",{"data":2291,"content":2292,"nodeType":1283},{},[2293],{"data":2294,"marks":2295,"value":2296,"nodeType":1282},{},[],"The trajectory Luke described was striking: \"It literally started one day and then it's just been nonstop for the last couple of months since it started. It obviously is working really well.\" John added that the Claude Code variant in particular has been \"running rampant,\" and that he personally knows someone who fell for it.",{"data":2298,"content":2299,"nodeType":1283},{},[2300],{"data":2301,"marks":2302,"value":2303,"nodeType":1282},{},[],"What makes InstallFix effective is that it exploits a workflow that's become completely normalized — the rise of AI tools has encouraged even non-technical users to install software via terminal commands copied from documentation pages. When the fake page looks identical to the real one and the install method is exactly what you'd expect, the only tell is a base64-encoded payload that most users wouldn't think to scrutinize.",{"data":2305,"content":2306,"nodeType":1296},{},[],{"data":2308,"content":2309,"nodeType":1306},{},[2310],{"data":2311,"marks":2312,"value":2314,"nodeType":1282},{},[2313],{"type":1304},"6. ConsentFix plays out entirely in the browser, and criminals just got the playbook",{"data":2316,"content":2317,"nodeType":1283},{},[2318,2321,2330],{"data":2319,"marks":2320,"value":29,"nodeType":1282},{},[],{"data":2322,"content":2324,"nodeType":1322},{"uri":2323},"https://pushsecurity.com/blog/consentfix/",[2325],{"data":2326,"marks":2327,"value":2329,"nodeType":1282},{},[2328],{"type":1487},"ConsentFix",{"data":2331,"marks":2332,"value":2333,"nodeType":1282},{},[]," was a key focus in the webinar, and for good reason — it represents a fundamentally different class of browser attack. Rather than proxying credentials (AiTM) or injecting endpoint payloads (ClickFix), ConsentFix abuses the OAuth authorization code flow via the Azure CLI's localhost redirect to obtain access tokens without ever touching a password or MFA prompt. As John put it: \"This one is really tricky because the entire attack and technique lives only within the browser. There are no little EDR artifacts to poke and play at.\"",{"data":2335,"content":2336,"nodeType":1283},{},[2337],{"data":2338,"marks":2339,"value":2340,"nodeType":1282},{},[],"Luke described how Push first detected ConsentFix in the wild — a genuine zero-day discovery that took multiple encounters to fully understand. The attackers were fingerprinting visitors by IP and browser, triggering the payload only once per visitor across all compromised sites, and performing conditional access checks on the email address provided before deciding whether to proceed. \"It took us seeing it a few times before we cracked it,\" Luke explained. \"And then we were like — wow. What is this? I've never seen this before.\"",{"data":2342,"content":2343,"nodeType":1283},{},[2344,2348,2355],{"data":2345,"marks":2346,"value":2347,"nodeType":1282},{},[],"The session then took an interesting turn when John revealed something he hadn't previously shared publicly: a",{"data":2349,"content":2350,"nodeType":1322},{"uri":2053},[2351],{"data":2352,"marks":2353,"value":2354,"nodeType":1282},{},[]," ConsentFix v3 toolkit",{"data":2356,"marks":2357,"value":2358,"nodeType":1282},{},[]," posted on a well-known criminal forum, complete with a tutorial video, step-by-step instructions, and a zero-infrastructure approach using Cloudflare Workers for hosting, Dropbox for PDF delivery, and Pipedream as an automated exfiltration channel. \"They don’t need any infrastructure,\" John noted. \"They don’t have to host any servers or VPS. They could just cast this out to the whole wide world on the open internet.\"",{"data":2360,"content":2361,"nodeType":1283},{},[2362],{"data":2363,"marks":2364,"value":2365,"nodeType":1282},{},[],"Luke's assessment was measured but clear: \"When we published our first article, we were thinking, surely we're going to see a huge increase in this technique. We haven't really — until now.\" With the criminal ecosystem now tooled up, the expectation is that ConsentFix will follow the same commoditization arc as other techniques discussed in the session.",{"data":2367,"content":2368,"nodeType":1296},{},[],{"data":2370,"content":2371,"nodeType":1306},{},[2372],{"data":2373,"marks":2374,"value":2376,"nodeType":1282},{},[2375],{"type":1304},"7. Device code phishing is the technique both speakers fear most (and it's just getting started)",{"data":2378,"content":2379,"nodeType":1283},{},[2380,2384,2391],{"data":2381,"marks":2382,"value":2383,"nodeType":1282},{},[],"When John asked Luke which technique felt most dangerous, the answer was immediate:",{"data":2385,"content":2386,"nodeType":1322},{"uri":1736},[2387],{"data":2388,"marks":2389,"value":2390,"nodeType":1282},{},[]," device code phishing",{"data":2392,"marks":2393,"value":2130,"nodeType":1282},{},[],{"data":2395,"content":2396,"nodeType":1283},{},[2397],{"data":2398,"marks":2399,"value":2400,"nodeType":1282},{},[],"The technique abuses the OAuth 2.0 device authorization grant flow — originally designed for input-constrained devices like TVs, but now primarily used in enterprise environments for CLI tool authentication (Azure CLI, GitHub CLI, AWS CLI). That everyday enterprise usage is exactly what makes the phishing so effective: users in developer-heavy organizations are already habituated to entering short codes as part of their normal workflow. The victim enters a code on a legitimate Microsoft login page, and if they're already authenticated, the entire compromise happens without entering a password or completing an MFA challenge.",{"data":2402,"content":2403,"nodeType":1283},{},[2404],{"data":2405,"marks":2406,"value":2407,"nodeType":1282},{},[],"Push is now tracking at least 12 distinct device code phishing kits, \"literally within the last couple of months — from basically zero to this.\" EvilTokens dominates at an estimated 90–95% of detected volume, but the kit landscape is diversifying fast. Luke's theory: every existing AiTM vendor is adding device code phishing as a module. When Push investigated the Venom kit, its AiTM component triggered existing Sneaky2FA detections — suggesting the same actors or codebase behind both. \"That's why we've seen such a rapid increase — it's worked so well that everyone is just doing the same thing now.\"",{"data":2409,"content":2410,"nodeType":1283},{},[2411,2416],{"data":2412,"marks":2413,"value":2415,"nodeType":1282},{},[2414],{"type":1304},"What makes device code phishing uniquely dangerous is how little friction it presents to the victim.",{"data":2417,"marks":2418,"value":2419,"nodeType":1282},{},[]," As Luke explained: \"It's purely identity-driven. It completely bypasses 2FA, even bypasses phishing-resistant factors like passkeys. And it's just not something that seems malicious to your average user. We haven't trained people to worry about being given a code and being told to type that code.\"",{"data":2421,"content":2422,"nodeType":1283},{},[2423,2427,2434],{"data":2424,"marks":2425,"value":2426,"nodeType":1282},{},[],"John's closing take: \"It still feels early and emergent, even though the technique has been known for a while. It hasn't been weaponized like it has right now. I think device code is just at the starting gun.\" The blast radius extends beyond Microsoft too — GitHub, Salesforce, and other platforms support the same underlying flow, and was exploited in 2025’s massive Salesforce campaign operated by ",{"data":2428,"content":2429,"nodeType":1322},{"uri":1481},[2430],{"data":2431,"marks":2432,"value":1488,"nodeType":1282},{},[2433],{"type":1487},{"data":2435,"marks":2436,"value":1610,"nodeType":1282},{},[],{"data":2438,"content":2439,"nodeType":1296},{},[],{"data":2441,"content":2442,"nodeType":1306},{},[2443],{"data":2444,"marks":2445,"value":2447,"nodeType":1282},{},[2446],{"type":1304},"What ties all of this together",{"data":2449,"content":2450,"nodeType":1283},{},[2451],{"data":2452,"marks":2453,"value":2454,"nodeType":1282},{},[],"Every technique covered in the webinar — AiTM, ClickFix, InstallFix, ConsentFix, device code phishing — is designed to operate in or through the browser, abuse legitimate infrastructure and authentication flows, and evade the traditional security stack. Email gateways don't see them because the delivery vector increasingly isn't email. EDR doesn't reliably block them because the attack either breaks the process tree attribution (ClickFix) or never touches the endpoint at all (ConsentFix, device code phishing). Network proxies don't see them because the attack plays out in client-side page content, DOM interactions, and OAuth flows that are invisible to traffic inspection.",{"data":2456,"content":2457,"nodeType":1283},{},[2458,2462,2469,2472,2479,2482,2489,2492,2498],{"data":2459,"marks":2460,"value":2461,"nodeType":1282},{},[],"Push detects all of them —",{"data":2463,"content":2464,"nodeType":1322},{"uri":1724},[2465],{"data":2466,"marks":2467,"value":2468,"nodeType":1282},{},[]," AiTM phishing",{"data":2470,"marks":2471,"value":2094,"nodeType":1282},{},[],{"data":2473,"content":2474,"nodeType":1322},{"uri":1773},[2475],{"data":2476,"marks":2477,"value":2478,"nodeType":1282},{},[]," ClickFix and the *Fix family",{"data":2480,"marks":2481,"value":2094,"nodeType":1282},{},[],{"data":2483,"content":2484,"nodeType":1322},{"uri":2323},[2485],{"data":2486,"marks":2487,"value":2488,"nodeType":1282},{},[]," ConsentFix",{"data":2490,"marks":2491,"value":1872,"nodeType":1282},{},[],{"data":2493,"content":2494,"nodeType":1322},{"uri":1736},[2495],{"data":2496,"marks":2497,"value":2390,"nodeType":1282},{},[],{"data":2499,"marks":2500,"value":2501,"nodeType":1282},{},[]," — through behavioral detection at the browser layer, regardless of delivery channel, domain reputation, or infrastructure rotation. The detections target technique-class behaviors rather than specific kits or indicators, which is why Push detected ConsentFix as a zero-day and why new kit variants are typically caught by existing detection logic before a kit-specific rule is even written.",{"data":2503,"content":2504,"nodeType":1283},{},[2505,2508,2516,2520,2526],{"data":2506,"marks":2507,"value":29,"nodeType":1282},{},[],{"data":2509,"content":2511,"nodeType":1322},{"uri":2510},"https://pushsecurity.com/resources/browser-attacks-why-browser-new-battleground",[2512],{"data":2513,"marks":2514,"value":1923,"nodeType":1282},{},[2515],{"type":1487},{"data":2517,"marks":2518,"value":2519,"nodeType":1282},{},[]," to see the demos, attack chain timelines, and in-the-wild examples discussed in this post — or",{"data":2521,"content":2522,"nodeType":1322},{"uri":1930},[2523],{"data":2524,"marks":2525,"value":1935,"nodeType":1282},{},[],{"data":2527,"marks":2528,"value":2529,"nodeType":1282},{},[]," to see how Push handles them.",{"data":2531,"content":2532,"nodeType":1283},{},[2533],{"data":2534,"marks":2535,"value":1946,"nodeType":1282},{},[],"7 things we learned from ‘Why the browser is the new battleground’ with John Hammond","Here are 7 things we learned from our conversation with John Hammond on the \"Why the browser is the new battleground\" webinar. ","2026-05-19T00:00:00.000Z","7-things-we-learned-from-john-hammond",{"items":2541},[2542,2546],{"sys":2543,"name":2545},{"id":2544},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"sys":2547,"name":2549},{"id":2548},"3pjES4THCIfSAwhGdNwBcy","Browser security",{"items":2551},[2552],{"fullName":1266,"firstName":1267,"jobTitle":1268,"profilePicture":2553},{"url":1270},{"__typename":1967,"sys":2555,"content":2557,"title":3401,"synopsis":3402,"hashTags":62,"publishedDate":3403,"slug":3404,"tagsCollection":3405,"authorsCollection":3413},{"id":2556},"211Dd0EIrXPOFpvRgs0fEE",{"json":2558},{"nodeType":1947,"data":2559,"content":2560},{},[2561,2580,2599,2617,2623,2626,2634,2641,2648,2655,2662,2670,2673,2681,2688,2695,2702,2708,2717,2735,2742,2749,2765,2773,2804,2820,2827,2855,2863,2893,2900,2908,2926,2933,2940,2946,2953,2961,2980,2987,3006,3013,3016,3024,3031,3122,3129,3145,3148,3178,3197,3204,3211,3214,3222,3241,3248,3255,3273,3276,3284,3291,3324,3331,3348,3367,3373,3376,3383],{"nodeType":1283,"data":2562,"content":2563},{},[2564,2568,2576],{"nodeType":1282,"value":2565,"marks":2566,"data":2567},"When we released the",[],{},{"nodeType":1322,"data":2569,"content":2571},{"uri":2570},"https://pushsecurity.com/blog/saas-attack-techniques/",[2572],{"nodeType":1282,"value":2573,"marks":2574,"data":2575}," SaaS attack matrix",[],{},{"nodeType":1282,"value":2577,"marks":2578,"data":2579}," in 2023, we were anticipating a shift that was just beginning to take shape. The techniques that attackers were using to compromise cloud applications and identities weren't well represented in existing frameworks, and many of the ones we documented hadn't yet been widely observed in the wild.",[],{},{"nodeType":1283,"data":2581,"content":2582},{},[2583,2587,2595],{"nodeType":1282,"value":2584,"marks":2585,"data":2586},"A year later, we",[],{},{"nodeType":1322,"data":2588,"content":2590},{"uri":2589},"https://pushsecurity.com/blog/the-saas-attack-matrix-one-year-on/",[2591],{"nodeType":1282,"value":2592,"marks":2593,"data":2594}," reviewed what had changed",[],{},{"nodeType":1282,"value":2596,"marks":2597,"data":2598}," and found that the initial access phase — the techniques designed to compromise an identity in the first place — was where almost all of the attacker innovation was concentrated. And two years on, that trend has become the story of the modern threat landscape. ",[],{},{"nodeType":1283,"data":2600,"content":2601},{},[2602,2606,2613],{"nodeType":1282,"value":2603,"marks":2604,"data":2605},"Today, we're re-releasing the matrix as the",[],{},{"nodeType":1322,"data":2607,"content":2608},{"uri":61},[2609],{"nodeType":1282,"value":2610,"marks":2611,"data":2612}," Browser & Identity Attacks Matrix",[],{},{"nodeType":1282,"value":2614,"marks":2615,"data":2616},". The name change isn't cosmetic. It reflects that the attacks driving the most consequential breaches are browser-based and identity-first.",[],{},{"nodeType":1292,"data":2618,"content":2622},{"target":2619},{"sys":2620},{"id":2621,"type":1289,"linkType":1290},"MSnrBRJtiQxpv2qxFLCVE",[],{"nodeType":1296,"data":2624,"content":2625},{},[],{"nodeType":1306,"data":2627,"content":2628},{},[2629],{"nodeType":1282,"value":2630,"marks":2631,"data":2633},"Why the scope needed to change",[2632],{"type":1304},{},{"nodeType":1283,"data":2635,"content":2636},{},[2637],{"nodeType":1282,"value":2638,"marks":2639,"data":2640},"The original SaaS attack matrix was built around a specific insight: that attacks targeting modern business applications played out entirely over the internet, without touching endpoints or internal networks in any way that EDR or network detection tools would recognize.",[],{},{"nodeType":1283,"data":2642,"content":2643},{},[2644],{"nodeType":1282,"value":2645,"marks":2646,"data":2647},"That framing was useful, and it remains true. But it anchored the matrix to the post-access phase — what attackers do once they're inside a SaaS application — and didn't give enough weight to the initial access techniques that determine whether attackers get there in the first place.",[],{},{"nodeType":1283,"data":2649,"content":2650},{},[2651],{"nodeType":1282,"value":2652,"marks":2653,"data":2654},"The problem is that initial access is where the overwhelming majority of attacker innovation and investment is concentrated, and the techniques being used to achieve it are best understood as browser and identity attacks rather than SaaS-specific ones. AiTM phishing, ClickFix and its growing family of clipboard-injection variants, device code phishing, OAuth consent abuse, credential stuffing powered by infostealer supply chains, malicious browser extensions all happen in or via the browser.",[],{},{"nodeType":1283,"data":2656,"content":2657},{},[2658],{"nodeType":1282,"value":2659,"marks":2660,"data":2661},"Another issue is that \"SaaS\" has arguably ceased to be a meaningful category. When we consider that most organizations run the majority of their business on cloud applications, the difference between what constitutes \"SaaS\" versus cloud versus just \"business IT\" is pretty blurry (and feels like an academic rather than practical difference).",[],{},{"nodeType":1283,"data":2663,"content":2664},{},[2665],{"nodeType":1282,"value":2666,"marks":2667,"data":2669},"So it's less about whether an attack is a \"SaaS attack\" and more about how these attacks actually play out. ",[2668],{"type":1304},{},{"nodeType":1296,"data":2671,"content":2672},{},[],{"nodeType":1306,"data":2674,"content":2675},{},[2676],{"nodeType":1282,"value":2677,"marks":2678,"data":2680},"The technique landscape has transformed",[2679],{"type":1304},{},{"nodeType":1283,"data":2682,"content":2683},{},[2684],{"nodeType":1282,"value":2685,"marks":2686,"data":2687},"The second part to the change is the fact that scale and speed of attacker innovation in the space justifies it.",[],{},{"nodeType":1283,"data":2689,"content":2690},{},[2691],{"nodeType":1282,"value":2692,"marks":2693,"data":2694},"When we launched the matrix in mid-2023, AiTM phishing was emerging as a serious concern but was far from ubiquitous. ClickFix didn't exist as a named technique. Device code phishing was a curiosity documented by a handful of researchers. ConsentFix was years away from being discovered. Browser extension supply chain attacks were rare enough to be individually notable.",[],{},{"nodeType":1283,"data":2696,"content":2697},{},[2698],{"nodeType":1282,"value":2699,"marks":2700,"data":2701},"In the two and a half years since, every one of these has become a mainstream, industrialized attack technique — and several have converged in ways that would have been hard to predict.",[],{},{"nodeType":1292,"data":2703,"content":2707},{"target":2704},{"sys":2705},{"id":2706,"type":1289,"linkType":1290},"5Kw2kSrL8u4VyslxK8HCtR",[],{"nodeType":2709,"data":2710,"content":2711},"heading-2",{},[2712],{"nodeType":1282,"value":2713,"marks":2714,"data":2716},"AiTM phishing has become the default phishing method",[2715],{"type":1304},{},{"nodeType":1283,"data":2718,"content":2719},{},[2720,2724,2731],{"nodeType":1282,"value":2721,"marks":2722,"data":2723},"AiTM phishing is now the standard, powered by Phishing-as-a-Service kits that operate with the release cycles and customer support of legitimate SaaS products. Tycoon 2FA alone accounted for",[],{},{"nodeType":1322,"data":2725,"content":2726},{"uri":1418},[2727],{"nodeType":1282,"value":2728,"marks":2729,"data":2730}," 62% of phishing detected by Microsoft",[],{},{"nodeType":1282,"value":2732,"marks":2733,"data":2734}," and over 64,000 confirmed incidents, with Sneaky2FA, FlowerStorm, Evilginx, and a growing roster of competitors filling out the marketplace.",[],{},{"nodeType":1283,"data":2736,"content":2737},{},[2738],{"nodeType":1282,"value":2739,"marks":2740,"data":2741},"AiTM is constantly evolving, with vendors adding new features, capabilities, detection evasion techniques, and so on. Abuse of legitimate platforms, and increasingly AI-assisted development means that it’s trivial for attackers to spin up and tear down infrastructure, scale their campaigns, target specific organizations with crafted pages and lures, and generally means that attackers can operate highly sophisticated attacks with minimal effort and complexity. This makes AiTM and other PhaaS-powered techniques extremely accessible to all kinds of criminals.  ",[],{},{"nodeType":1283,"data":2743,"content":2744},{},[2745],{"nodeType":1282,"value":2746,"marks":2747,"data":2748},"These kits are delivered across several browser-based channels — not just email. Push data consistently shows that roughly 1 in 3 phishing payloads we intercept arrive via social media, search ads, messaging apps, or other non-email vectors.",[],{},{"nodeType":1283,"data":2750,"content":2751},{},[2752,2756,2761],{"nodeType":1282,"value":2753,"marks":2754,"data":2755},"Vishing has also surged as a delivery channel — CrowdStrike documented a ",[],{},{"nodeType":1282,"value":2757,"marks":2758,"data":2760},"442% year-over-year increase",[2759],{"type":1304},{},{"nodeType":1282,"value":2762,"marks":2763,"data":2764},", and Mandiant found it was the single most common initial vector in cloud compromises at 23%. But the trend that matters isn't voice calls in isolation; it's voice calls combined with browser-based payloads, where a live operator guides the victim into an AiTM page or device code flow that the call alone could not execute.",[],{},{"nodeType":2709,"data":2766,"content":2767},{},[2768],{"nodeType":1282,"value":2769,"marks":2770,"data":2772},"ClickFix is the top reported initial access vector",[2771],{"type":1304},{},{"nodeType":1283,"data":2774,"content":2775},{},[2776,2780,2788,2792,2800],{"nodeType":1282,"value":2777,"marks":2778,"data":2779},"ClickFix has gone from nonexistent to one of the most prevalent initial access techniques in under 18 months. Microsoft reported it as the",[],{},{"nodeType":1322,"data":2781,"content":2783},{"uri":2782},"https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/msc/documents/presentations/CSR/Microsoft-Digital-Defense-Report-2025.pdf",[2784],{"nodeType":1282,"value":2785,"marks":2786,"data":2787}," most common initial access vector in 2025",[],{},{"nodeType":1282,"value":2789,"marks":2790,"data":2791},", accounting for 47% of observed attacks, while CrowdStrike documented a",[],{},{"nodeType":1322,"data":2793,"content":2795},{"uri":2794},"https://www.crowdstrike.com/explore/2026-global-threat-report",[2796],{"nodeType":1282,"value":2797,"marks":2798,"data":2799}," 563% increase",[],{},{"nodeType":1282,"value":2801,"marks":2802,"data":2803}," in fake CAPTCHA lures (a top ClickFix style).",[],{},{"nodeType":1283,"data":2805,"content":2806},{},[2807,2811,2816],{"nodeType":1282,"value":2808,"marks":2809,"data":2810},"ClickFix is admittedly an outlier in a browser attacks matrix — the payload ultimately executes on the endpoint, not in the browser — but the delivery is overwhelmingly browser-based: ",[],{},{"nodeType":1282,"value":2812,"marks":2813,"data":2815},"4 in 5 ClickFix payloads",[2814],{"type":1304},{},{"nodeType":1282,"value":2817,"marks":2818,"data":2819}," intercepted by Push arrive via search engines as a result of malvertising or compromised web pages, not email, which means the browser is the only control point that actually sees the attack before the user pastes the malicious command.",[],{},{"nodeType":1283,"data":2821,"content":2822},{},[2823],{"nodeType":1282,"value":2824,"marks":2825,"data":2826},"ClickFix is now the primary delivery mechanism for infostealer malware, which is in turn the primary source of the stolen credentials and session tokens that power credential stuffing and session hijacking — which means the technique sits at the start of a cycle where one class of browser-delivered attack generates the raw material for the next.",[],{},{"nodeType":1283,"data":2828,"content":2829},{},[2830,2834,2841,2845,2851],{"nodeType":1282,"value":2831,"marks":2832,"data":2833},"The success of ClickFix has predictably spawned a growing family of derivatives — FileFix, CrashFix,",[],{},{"nodeType":1322,"data":2835,"content":2836},{"uri":2279},[2837],{"nodeType":1282,"value":2838,"marks":2839,"data":2840}," InstallFix",[],{},{"nodeType":1282,"value":2842,"marks":2843,"data":2844}," — and much of the naming is marketing hype around variations on the same clipboard-injection mechanic. But",[],{},{"nodeType":1322,"data":2846,"content":2847},{"uri":2323},[2848],{"nodeType":1282,"value":2488,"marks":2849,"data":2850},[],{},{"nodeType":1282,"value":2852,"marks":2853,"data":2854}," was a genuinely novel development.",[],{},{"nodeType":2709,"data":2856,"content":2857},{},[2858],{"nodeType":1282,"value":2859,"marks":2860,"data":2862},"Browser-native ClickFix: ConsentFix",[2861],{"type":1304},{},{"nodeType":1283,"data":2864,"content":2865},{},[2866,2870,2878,2882,2889],{"nodeType":1282,"value":2867,"marks":2868,"data":2869},"ConsentFix is a fully browser-native attack that merged ClickFix-style social engineering with OAuth consent abuse, compromising accounts through a legitimate Microsoft authorization flow with no endpoint component at all. ConsentFix was",[],{},{"nodeType":1322,"data":2871,"content":2873},{"uri":2872},"https://pushsecurity.com/blog/consentfix-debrief/",[2874],{"nodeType":1282,"value":2875,"marks":2876,"data":2877}," traced to APT29",[],{},{"nodeType":1282,"value":2879,"marks":2880,"data":2881}," and has since been",[],{},{"nodeType":1322,"data":2883,"content":2884},{"uri":2053},[2885],{"nodeType":1282,"value":2886,"marks":2887,"data":2888}," commercialized on criminal forums",[],{},{"nodeType":1282,"value":2890,"marks":2891,"data":2892},", following the same path from state-sponsored technique to commodity criminal tooling that we've seen repeatedly in this space.",[],{},{"nodeType":1283,"data":2894,"content":2895},{},[2896],{"nodeType":1282,"value":2897,"marks":2898,"data":2899},"ConsentFix demonstrates that the clipboard-injection mechanic can evolve into something that operates entirely within the browser, eliminating the endpoint detection surface that traditional ClickFix still exposed.",[],{},{"nodeType":2709,"data":2901,"content":2902},{},[2903],{"nodeType":1282,"value":2904,"marks":2905,"data":2907},"Attackers have pivoted to authorization attacks to get around login controls",[2906],{"type":1304},{},{"nodeType":1283,"data":2909,"content":2910},{},[2911,2915,2922],{"nodeType":1282,"value":2912,"marks":2913,"data":2914},"Authorization attacks like device code phishing have seen a",[],{},{"nodeType":1322,"data":2916,"content":2917},{"uri":1736},[2918],{"nodeType":1282,"value":2919,"marks":2920,"data":2921}," 37.5x increase",[],{},{"nodeType":1282,"value":2923,"marks":2924,"data":2925}," since the start of 2026, with at least 12 distinct kits now offering the technique. It bypasses standard authentication controls — including passkeys — because the attack occurs through the OAuth device authorization flow rather than the standard login flow. ",[],{},{"nodeType":1283,"data":2927,"content":2928},{},[2929],{"nodeType":1282,"value":2930,"marks":2931,"data":2932},"The technique was first associated with nation-state actors like Storm-2372, but went from espionage-grade to commodity PhaaS tooling in roughly eighteen months, with kits like EvilTokens and Venom now offering turnkey device code phishing as a service.",[],{},{"nodeType":1283,"data":2934,"content":2935},{},[2936],{"nodeType":1282,"value":2937,"marks":2938,"data":2939},"The device code authorization is effectively performed post-authentication. If you already have an active session in your browser, entering the device code and selecting your account from a drop-down menu is all that's needed. No password or MFA required. You can see an example in the video below.",[],{},{"nodeType":1292,"data":2941,"content":2945},{"target":2942},{"sys":2943},{"id":2944,"type":1289,"linkType":1290},"2WPb41lNRajdpt5pogQg8M",[],{"nodeType":1283,"data":2947,"content":2948},{},[2949],{"nodeType":1282,"value":2950,"marks":2951,"data":2952},"And the ecosystem is adapting to this opportunity: established AiTM vendors like Tycoon are adding authorization-focused options alongside their existing credential-harvesting capabilities, which points toward multi-technique platforms where operators pick the right tool for whatever defenses the target has in place.",[],{},{"nodeType":2709,"data":2954,"content":2955},{},[2956],{"nodeType":1282,"value":2957,"marks":2958,"data":2960},"Malicious and hacked browser extensions are one of the fastest growing threats",[2959],{"type":1304},{},{"nodeType":1283,"data":2962,"content":2963},{},[2964,2968,2976],{"nodeType":1282,"value":2965,"marks":2966,"data":2967},"Malicious browser extensions have matured from an occasional nuisance into a scalable supply chain attack vector. The",[],{},{"nodeType":1322,"data":2969,"content":2971},{"uri":2970},"https://pushsecurity.com/blog/why-browser-extension-risk-scoring-wont-predict-your-next-breach/",[2972],{"nodeType":1282,"value":2973,"marks":2974,"data":2975}," Cyberhaven compromise",[],{},{"nodeType":1282,"value":2977,"marks":2978,"data":2979}," in December 2024 — where approximately 35 extensions were weaponized through a single OAuth phishing campaign targeting developers — impacted 2.6 million users and demonstrated that extension supply chain attacks can achieve the kind of reach that used to require a compromised software update server.",[],{},{"nodeType":1283,"data":2981,"content":2982},{},[2983],{"nodeType":1282,"value":2984,"marks":2985,"data":2986},"Since Cyberhaven, the pace has only accelerated. In 2026 alone, researchers have publicly disclosed at least 250 confirmed malicious browser extensions affecting roughly 1.75 million users, alongside a further 370+ extensions engaged in undisclosed or policy-disclosed data harvesting affecting an additional 44 million users. That doesn't count the extensions from late-2025 campaigns (DarkSpectre, AITOPIA, Trust Wallet) whose impacts carried into 2026.",[],{},{"nodeType":1283,"data":2988,"content":2989},{},[2990,2994,3002],{"nodeType":1282,"value":2991,"marks":2992,"data":2993},"The attack paths have also expanded. Beyond phishing developers for take over Web Store accounts (the Cyberhaven playbook), attackers are buying existing extensions from developers, waiting for ownership transfers or abandonments to take over, and increasingly vibe-coding their own functional extensions from scratch to build an audience that can later be weaponized. The common thread is that ",[],{},{"nodeType":1322,"data":2995,"content":2996},{"uri":2970},[2997],{"nodeType":1282,"value":2998,"marks":2999,"data":3001},"most malicious extensions didn't start out malicious",[3000],{"type":1487},{},{"nodeType":1282,"value":3003,"marks":3004,"data":3005}," — they started as legitimate tools and were turned into weapons after the fact.",[],{},{"nodeType":1283,"data":3007,"content":3008},{},[3009],{"nodeType":1282,"value":3010,"marks":3011,"data":3012},"None of this is happening in isolation. The threat landscape has reoriented around browser-based initial access and identity compromise — and the matrix needed to catch up.",[],{},{"nodeType":1296,"data":3014,"content":3015},{},[],{"nodeType":1306,"data":3017,"content":3018},{},[3019],{"nodeType":1282,"value":3020,"marks":3021,"data":3023},"The evolution is playing out in public breaches",[3022],{"type":1304},{},{"nodeType":1283,"data":3025,"content":3026},{},[3027],{"nodeType":1282,"value":3028,"marks":3029,"data":3030},"It’s worth reinforcing that when the SaaS matrix was first released, many of these attacks hadn’t been seen in the wild. The change today is staggering:",[],{},{"nodeType":3032,"data":3033,"content":3034},"unordered-list",{},[3035,3058,3080,3100],{"nodeType":3036,"data":3037,"content":3038},"list-item",{},[3039],{"nodeType":1283,"data":3040,"content":3041},{},[3042,3046,3054],{"nodeType":1282,"value":3043,"marks":3044,"data":3045},"When",[],{},{"nodeType":1322,"data":3047,"content":3049},{"uri":3048},"https://pushsecurity.com/blog/scattered-lapsus-hunters/",[3050],{"nodeType":1282,"value":3051,"marks":3052,"data":3053}," Scattered Lapsus$ Hunters",[],{},{"nodeType":1282,"value":3055,"marks":3056,"data":3057}," compromised over a thousand organizations' Salesforce tenants through device code phishing, the attack started with a phone call, moved through a browser-based authorization flow for the attacker’s app, and ended with mass data exfiltration via API.",[],{},{"nodeType":3036,"data":3059,"content":3060},{},[3061],{"nodeType":1283,"data":3062,"content":3063},{},[3064,3068,3076],{"nodeType":1282,"value":3065,"marks":3066,"data":3067},"When the same collective launched",[],{},{"nodeType":1322,"data":3069,"content":3071},{"uri":3070},"https://pushsecurity.com/blog/unpacking-the-latest-slh-campaign/",[3072],{"nodeType":1282,"value":3073,"marks":3074,"data":3075}," AiTM phishing campaigns",[],{},{"nodeType":1282,"value":3077,"marks":3078,"data":3079}," targeting Okta and Entra SSO, the phishing page was operated by a human in real time and delivered over a voice call — not email.",[],{},{"nodeType":3036,"data":3081,"content":3082},{},[3083],{"nodeType":1283,"data":3084,"content":3085},{},[3086,3089,3096],{"nodeType":1282,"value":3043,"marks":3087,"data":3088},[],{},{"nodeType":1322,"data":3090,"content":3091},{"uri":2323},[3092],{"nodeType":1282,"value":3093,"marks":3094,"data":3095}," APT29 deployed ConsentFix",[],{},{"nodeType":1282,"value":3097,"marks":3098,"data":3099}," across dozens of compromised websites, the entire attack chain was browser-native, abusing a legitimate Microsoft OAuth flow to bypass MFA without proxying a single credential.",[],{},{"nodeType":3036,"data":3101,"content":3102},{},[3103],{"nodeType":1283,"data":3104,"content":3105},{},[3106,3110,3118],{"nodeType":1282,"value":3107,"marks":3108,"data":3109},"The",[],{},{"nodeType":1322,"data":3111,"content":3113},{"uri":3112},"https://pushsecurity.com/blog/identity-attacks-in-the-wild/#id-snowflake-june-2024",[3114],{"nodeType":1282,"value":3115,"marks":3116,"data":3117}," Snowflake breach",[],{},{"nodeType":1282,"value":3119,"marks":3120,"data":3121}," — arguably the most consequential credential-based campaign of the past several years — saw 165 organizations breached using credentials that had been sitting in infostealer dumps for years, replayed against Snowflake tenants that lacked mandatory MFA. The attack surface wasn't Snowflake's application logic; it was the identity hygiene gap that every organization carries across hundreds of apps.",[],{},{"nodeType":1283,"data":3123,"content":3124},{},[3125],{"nodeType":1282,"value":3126,"marks":3127,"data":3128},"And that’s just the big picture. Every month we’re tracking new public breaches involving browser and identity TTPs — which again, are just the tip of the iceberg when you consider that many breaches are settled quietly without hitting the headlines. ",[],{},{"nodeType":1283,"data":3130,"content":3131},{},[3132,3136,3141],{"nodeType":1282,"value":3133,"marks":3134,"data":3135},"One of the key drivers here is the shrinking time-to-exploit. CrowdStrike's average e-crime breakout time is down to ",[],{},{"nodeType":1282,"value":3137,"marks":3138,"data":3140},"29 minutes",[3139],{"type":1304},{},{"nodeType":1282,"value":3142,"marks":3143,"data":3144},", with the fastest recorded at 27 seconds. When attackers can move from initial access to data exfiltration within minutes, the window for post-compromise detection collapses to near zero. The best chance of stopping the attack is at the point of initial access before the identity is compromised.",[],{},{"nodeType":1296,"data":3146,"content":3147},{},[],{"nodeType":1306,"data":3149,"content":3150},{},[3151,3156,3162,3167,3173],{"nodeType":1282,"value":3152,"marks":3153,"data":3155},"Sidenote: why we're looking at attacks ",[3154],{"type":1304},{},{"nodeType":1282,"value":3157,"marks":3158,"data":3161},"in",[3159,3160],{"type":276},{"type":1304},{},{"nodeType":1282,"value":3163,"marks":3164,"data":3166}," the browser, not ",[3165],{"type":1304},{},{"nodeType":1282,"value":3168,"marks":3169,"data":3172},"on",[3170,3171],{"type":276},{"type":1304},{},{"nodeType":1282,"value":3174,"marks":3175,"data":3177}," the browser",[3176],{"type":1304},{},{"nodeType":1283,"data":3179,"content":3180},{},[3181,3185,3193],{"nodeType":1282,"value":3182,"marks":3183,"data":3184},"Calling this a \"browser attacks\" matrix needs clarification. We're not talking about browser exploits — RCE vulnerabilities, sandbox escapes, memory corruption bugs. Those attacks target the browser itself, they're extraordinarily expensive to develop, and they're increasingly rare. Browser zero-days hit a",[],{},{"nodeType":1322,"data":3186,"content":3188},{"uri":3187},"https://cloud.google.com/blog/topics/threat-intelligence/2025-zero-day-review",[3189],{"nodeType":1282,"value":3190,"marks":3191,"data":3192}," historic low of 9%",[],{},{"nodeType":1282,"value":3194,"marks":3195,"data":3196}," of all zero-days reported to Google, and a Chrome RCE commands a $250,000 bug bounty.",[],{},{"nodeType":1283,"data":3198,"content":3199},{},[3200],{"nodeType":1282,"value":3201,"marks":3202,"data":3203},"In comparison, a one-year phishing kit rental costs $1,000. A bulk stolen credential list costs $15. An initial-access-broker-provided IdP admin account costs $3,000. When it costs orders of magnitude less to exploit the person using the browser than to exploit the browser itself, attackers will take the cheaper option every time.",[],{},{"nodeType":1283,"data":3205,"content":3206},{},[3207],{"nodeType":1282,"value":3208,"marks":3209,"data":3210},"It's worth heading off the obvious counterargument: won't AI-assisted vulnerability discovery eventually make browser exploits cheaper? Perhaps — but it will simultaneously make them easier for browser vendors to find and patch, and vendors like Google and Microsoft have the engineering capacity and financial incentive to scale AI-driven remediation far faster than attackers can scale exploit development.",[],{},{"nodeType":1296,"data":3212,"content":3213},{},[],{"nodeType":1306,"data":3215,"content":3216},{},[3217],{"nodeType":1282,"value":3218,"marks":3219,"data":3221},"What hasn't changed",[3220],{"type":1304},{},{"nodeType":1283,"data":3223,"content":3224},{},[3225,3229,3237],{"nodeType":1282,"value":3226,"marks":3227,"data":3228},"The matrix remains open-source, community-maintained, and available on",[],{},{"nodeType":1322,"data":3230,"content":3232},{"uri":3231},"https://github.com/pushsecurity/saas-attacks",[3233],{"nodeType":1282,"value":3234,"marks":3235,"data":3236}," GitHub",[],{},{"nodeType":1282,"value":3238,"marks":3239,"data":3240},". The goal is the same as it was in 2023: to give offensive and defensive security teams a shared reference point for the techniques that matter most.",[],{},{"nodeType":1283,"data":3242,"content":3243},{},[3244],{"nodeType":1282,"value":3245,"marks":3246,"data":3247},"We built it because there was a gap in how the industry talked about these techniques, and that gap still exists — MITRE ATT&CK remains essential for endpoint and network TTPs, but the browser-based, identity-first techniques behind most modern breaches are still underrepresented in traditional frameworks.",[],{},{"nodeType":1283,"data":3249,"content":3250},{},[3251],{"nodeType":1282,"value":3252,"marks":3253,"data":3254},"We continue to maintain the matrix with input from red teams, detection engineers, and threat researchers across the community. Some of the most valuable additions over the past two years have come from practitioners who encountered a technique on an engagement or in an investigation and contributed it back to the repository.",[],{},{"nodeType":1283,"data":3256,"content":3257},{},[3258,3262,3270],{"nodeType":1282,"value":3259,"marks":3260,"data":3261},"If you're an offensive security professional using these techniques on engagements, or a defender building detections against them, we want to hear from you. Submit a PR, open a discussion, or flag a technique we've missed on ",[],{},{"nodeType":1322,"data":3263,"content":3265},{"uri":3264},"https://github.com/pushsecurity/browser-identity-attacks-matrix",[3266],{"nodeType":1282,"value":3267,"marks":3268,"data":3269},"GitHub",[],{},{"nodeType":1282,"value":1610,"marks":3271,"data":3272},[],{},{"nodeType":1296,"data":3274,"content":3275},{},[],{"nodeType":1306,"data":3277,"content":3278},{},[3279],{"nodeType":1282,"value":3280,"marks":3281,"data":3283},"Looking ahead",[3282],{"type":1304},{},{"nodeType":1283,"data":3285,"content":3286},{},[3287],{"nodeType":1282,"value":3288,"marks":3289,"data":3290},"The pace of attacker innovation in browser-based initial access techniques over the past 18 months has been unlike anything we've tracked before — technique after technique moving from research curiosity to industrialized criminal tooling within months, not years.",[],{},{"nodeType":3032,"data":3292,"content":3293},{},[3294,3304,3314],{"nodeType":3036,"data":3295,"content":3296},{},[3297],{"nodeType":1283,"data":3298,"content":3299},{},[3300],{"nodeType":1282,"value":3301,"marks":3302,"data":3303},"AiTM platforms are adding authorization-based attack options alongside their credential-harvesting capabilities.",[],{},{"nodeType":3036,"data":3305,"content":3306},{},[3307],{"nodeType":1283,"data":3308,"content":3309},{},[3310],{"nodeType":1282,"value":3311,"marks":3312,"data":3313},"ClickFix has spawned fully browser-native variants.",[],{},{"nodeType":3036,"data":3315,"content":3316},{},[3317],{"nodeType":1283,"data":3318,"content":3319},{},[3320],{"nodeType":1282,"value":3321,"marks":3322,"data":3323},"AI is lowering the cost of producing convincing social engineering and phishing infrastructure at scale.",[],{},{"nodeType":1283,"data":3325,"content":3326},{},[3327],{"nodeType":1282,"value":3328,"marks":3329,"data":3330},"We don't see any of this slowing down, and that's exactly why thinking about these attacks as a browser problem instead of siloing them across email, endpoint, network, and cloud categories, each with a partial view of the picture (and still missing the whole when combined).",[],{},{"nodeType":1283,"data":3332,"content":3333},{},[3334,3338,3345],{"nodeType":1282,"value":3335,"marks":3336,"data":3337},"The Browser & Identity Attacks Matrix is our contribution to keeping that shared understanding current. You can",[],{},{"nodeType":1322,"data":3339,"content":3340},{"uri":61},[3341],{"nodeType":1282,"value":3342,"marks":3343,"data":3344}," explore the matrix here",[],{},{"nodeType":1282,"value":1610,"marks":3346,"data":3347},[],{},{"nodeType":1283,"data":3349,"content":3350},{},[3351,3355,3363],{"nodeType":1282,"value":3352,"marks":3353,"data":3354},"You can also read our recent",[],{},{"nodeType":1322,"data":3356,"content":3358},{"uri":3357},"https://pushsecurity.com/thank-you/browser-attacks-report",[3359],{"nodeType":1282,"value":3360,"marks":3361,"data":3362}," browser attack techniques report",[],{},{"nodeType":1282,"value":3364,"marks":3365,"data":3366}," for more information.",[],{},{"nodeType":1292,"data":3368,"content":3372},{"target":3369},{"sys":3370},{"id":3371,"type":1289,"linkType":1290},"1hx6sxpyEzxn4F4jc1RGQi",[],{"nodeType":1296,"data":3374,"content":3375},{},[],{"nodeType":1283,"data":3377,"content":3378},{},[3379],{"nodeType":1282,"value":3380,"marks":3381,"data":3382},"Push Security is the most powerful AI-native security tool in the browser. Think EDR, but for the browser — high-fidelity telemetry and real-time control across every session, on every device, with no browser migration required. Security teams use Push to detect and stop advanced browser-based attacks like AiTM phishing, ClickFix, and session hijacking; gain visibility and control over AI tool usage across their workforce; harden identities by surfacing credential reuse, SSO gaps, and shadow IT; and support data loss and insider investigations with browser-layer telemetry that other tools can't see.",[],{},{"nodeType":1283,"data":3384,"content":3385},{},[3386,3390,3397],{"nodeType":1282,"value":3387,"marks":3388,"data":3389},"Book a",[],{},{"nodeType":1322,"data":3391,"content":3392},{"uri":1930},[3393],{"nodeType":1282,"value":3394,"marks":3395,"data":3396}," live demo",[],{},{"nodeType":1282,"value":3398,"marks":3399,"data":3400}," to learn more.",[],{},"Introducing the Browser & Identity Attacks Matrix","We're re-releasing the SaaS attack matrix as the Browser & Identity Attacks Matrix. Here's why we've decided to make the change and what it means.","2026-05-08T00:00:00.000Z","introducing-the-browser-and-identity-attacks-matrix",{"items":3406},[3407,3409],{"sys":3408,"name":2545},{"id":2544},{"sys":3410,"name":3412},{"id":3411},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"items":3414},[3415],{"fullName":3416,"firstName":3417,"jobTitle":3418,"profilePicture":3419},"Dan Green","Dan","Threat Research",{"url":3420},"https://images.ctfassets.net/y1cdw1ablpvd/7jik1VhFgA3kgzXBXTm2Vw/fcd8c171da644903d0827eafcfbcaad0/Dan_Headshot_2025.png",{"__typename":1967,"sys":3422,"content":3424,"title":4289,"synopsis":4290,"hashTags":62,"publishedDate":3403,"slug":4291,"tagsCollection":4292,"authorsCollection":4298},{"id":3423},"3jF1fypt08TNlSoWuoMWhj",{"json":3425},{"nodeType":1947,"data":3426,"content":3427},{},[3428,3446,3489,3496,3527,3570,3576,3588,3591,3599,3649,3656,3679,3685,3688,3696,3724,3731,3739,3745,3748,3756,3763,3781,3788,3831,3838,3841,3849,3867,3875,3882,3905,3928,3952,3960,3967,3970,3977,3984,4001,4004,4012,4030,4283],{"nodeType":1283,"data":3429,"content":3430},{},[3431,3435,3442],{"nodeType":1282,"value":3432,"marks":3433,"data":3434},"ShinyHunters and the broader SLH (",[],{},{"nodeType":1322,"data":3436,"content":3437},{"uri":3048},[3438],{"nodeType":1282,"value":3439,"marks":3440,"data":3441},"Scattered Lapsus$ Hunters",[],{},{"nodeType":1282,"value":3443,"marks":3444,"data":3445},") collective have claimed breaches at thousands of organizations over the past twelve months across retail, technology, aviation, financial services, media, gaming, and education, in what amounts to the most sustained data theft and extortion operation in recent cybercrime history. ",[],{},{"nodeType":1283,"data":3447,"content":3448},{},[3449,3453,3461,3465,3473,3477,3485],{"nodeType":1282,"value":3450,"marks":3451,"data":3452},"The confirmed victim list reads like a Fortune 500 directory: Coca-Cola, Cisco, Qantas, Coinbase, ADT, Aflac, SoundCloud, Rockstar Games, and recently ",[],{},{"nodeType":1322,"data":3454,"content":3456},{"uri":3455},"https://www.bleepingcomputer.com/news/security/instructure-confirms-data-breach-shinyhunters-claims-attack/",[3457],{"nodeType":1282,"value":3458,"marks":3459,"data":3460},"Instructure",[],{},{"nodeType":1282,"value":3462,"marks":3463,"data":3464}," — whose breach ",[],{},{"nodeType":1322,"data":3466,"content":3468},{"uri":3467},"https://krebsonsecurity.com/2026/05/canvas-breach-disrupts-schools-colleges-nationwide/",[3469],{"nodeType":1282,"value":3470,"marks":3471,"data":3472},"disrupted schools and universities nationwide",[],{},{"nodeType":1282,"value":3474,"marks":3475,"data":3476}," during final exams — among dozens more named publicly and likely many more that haven't been (breaches settled quickly behind closed doors don't always make it into the public eye). ShinyHunters alone claimed over 1.5 billion stolen Salesforce records from a single campaign targeting more than 1,000 organizations, and this follows the ",[],{},{"nodeType":1322,"data":3478,"content":3480},{"uri":3479},"https://www.bleepingcomputer.com/news/security/shinyhunters-claims-15-billion-salesforce-records-stolen-in-drift-hacks/",[3481],{"nodeType":1282,"value":3482,"marks":3483,"data":3484},"2024 Snowflake breach",[],{},{"nodeType":1282,"value":3486,"marks":3487,"data":3488}," where the same group used infostealer-harvested credentials to compromise over 165 customer environments (and another billion-plus records).",[],{},{"nodeType":1283,"data":3490,"content":3491},{},[3492],{"nodeType":1282,"value":3493,"marks":3494,"data":3495},"SLH operates as a distributed criminal collective. Its genealogy traces through a merger of Scattered Spider, Lapsus$, and ShinyHunters, itself part of the Com, a broader community of English-speaking cybercriminals with international criminal affiliations. ",[],{},{"nodeType":1283,"data":3497,"content":3498},{},[3499,3503,3511,3515,3523],{"nodeType":1282,"value":3500,"marks":3501,"data":3502},"Additional operating clusters, including Cordial Spider and Snarky Spider (which CrowdStrike ",[],{},{"nodeType":1322,"data":3504,"content":3506},{"uri":3505},"https://cyberscoop.com/crowdstrike-cordial-spider-snarky-spider-extortion-attacks/",[3507],{"nodeType":1282,"value":3508,"marks":3509,"data":3510},"characterizes as the new generation of Scattered Spider",[],{},{"nodeType":1282,"value":3512,"marks":3513,"data":3514},") run parallel campaigns against different target sectors, unified not by shared infrastructure but by a shared playbook of techniques that exploit the structural weakness in modern SaaS-first organizations. ",[],{},{"nodeType":1322,"data":3516,"content":3518},{"uri":3517},"https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2026-03-12-Vishing-Campaigns-Lead-to-Data-Theft-and-Extortion.txt",[3519],{"nodeType":1282,"value":3520,"marks":3521,"data":3522},"Unit 42 documented",[],{},{"nodeType":1282,"value":3524,"marks":3525,"data":3526}," these groups moving from initial compromise to complete data exfiltration in under an hour — faster than most organizations can even begin to respond. ",[],{},{"nodeType":1283,"data":3528,"content":3529},{},[3530,3534,3542,3546,3554,3558,3566],{"nodeType":1282,"value":3531,"marks":3532,"data":3533},"Not every SLH breach is browser-based — the Instructure breach (275 million individuals, ~330 school login portals defaced) began with a Salesforce tenant compromise in September 2025, but resurfaced in May 2026 after attackers exploited a ",[],{},{"nodeType":1322,"data":3535,"content":3537},{"uri":3536},"https://www.bitdefender.com/en-gb/blog/businessinsights/technical-advisory-shinyhunters-breach-instructure-canvas-lms",[3538],{"nodeType":1282,"value":3539,"marks":3540,"data":3541},"vulnerability affecting Canvas's Free-For-Teacher program",[],{},{"nodeType":1282,"value":3543,"marks":3544,"data":3545}," (it's now been confirmed that Instructure \"",[],{},{"nodeType":1322,"data":3547,"content":3549},{"uri":3548},"https://www.instructure.com/incident_update",[3550],{"nodeType":1282,"value":3551,"marks":3552,"data":3553},"reached a settlement",[],{},{"nodeType":1282,"value":3555,"marks":3556,"data":3557},"\" for the deletion of the data, and shut down the free account tier), while the Coinbase breach cost ",[],{},{"nodeType":1322,"data":3559,"content":3561},{"uri":3560},"https://www.bleepingcomputer.com/news/security/coinbase-discloses-breach-faces-up-to-400-million-in-losses/",[3562],{"nodeType":1282,"value":3563,"marks":3564,"data":3565},"$180M–400M through insider bribery",[],{},{"nodeType":1282,"value":3567,"marks":3568,"data":3569}," — but these are the exceptions that prove the rule. ",[],{},{"nodeType":1292,"data":3571,"content":3575},{"target":3572},{"sys":3573},{"id":3574,"type":1289,"linkType":1290},"4qNrbDyMJIumQfdbh9YVkU",[],{"nodeType":1283,"data":3577,"content":3578},{},[3579,3584],{"nodeType":1282,"value":3580,"marks":3581,"data":3583},"The vast majority of SLH campaigns over the past year converge on three browser-based attack vectors: vishing combined with AiTM phishing, device code phishing exploiting account authorization flows, and OAuth supply chain attacks through compromised third-party integrators.",[3582],{"type":1304},{},{"nodeType":1282,"value":3585,"marks":3586,"data":3587}," Each is well-documented, each has produced confirmed victims at scale, and each is detectable or preventable through browser-layer security controls. This post examines all three.",[],{},{"nodeType":1296,"data":3589,"content":3590},{},[],{"nodeType":1306,"data":3592,"content":3593},{},[3594],{"nodeType":1282,"value":3595,"marks":3596,"data":3598},"Vector 1: Vishing combined with AiTM phishing",[3597],{"type":1304},{},{"nodeType":1283,"data":3600,"content":3601},{},[3602,3606,3614,3617,3625,3628,3635,3639,3646],{"nodeType":1282,"value":3603,"marks":3604,"data":3605},"The most visible campaign right now pairs targeted voice calls with adversary-in-the-middle phishing pages — an approach that",[],{},{"nodeType":1322,"data":3607,"content":3609},{"uri":3608},"https://cloud.google.com/blog/topics/threat-intelligence/expansion-shinyhunters-saas-data-theft",[3610],{"nodeType":1282,"value":3611,"marks":3612,"data":3613}," Mandiant",[],{},{"nodeType":1282,"value":2094,"marks":3615,"data":3616},[],{},{"nodeType":1322,"data":3618,"content":3620},{"uri":3619},"https://www.crowdstrike.com/en-us/blog/defending-against-cordial-spider-and-snarky-spider-with-falcon-shield/",[3621],{"nodeType":1282,"value":3622,"marks":3623,"data":3624}," CrowdStrike",[],{},{"nodeType":1282,"value":1872,"marks":3626,"data":3627},[],{},{"nodeType":1322,"data":3629,"content":3630},{"uri":3517},[3631],{"nodeType":1282,"value":3632,"marks":3633,"data":3634}," Unit 42",[],{},{"nodeType":1282,"value":3636,"marks":3637,"data":3638}," have all documented from the incident response side, and which Push has",[],{},{"nodeType":1322,"data":3640,"content":3641},{"uri":1495},[3642],{"nodeType":1282,"value":3643,"marks":3644,"data":3645}," documented from inside the attacker's own operator panels",[],{},{"nodeType":1282,"value":1610,"marks":3647,"data":3648},[],{},{"nodeType":1283,"data":3650,"content":3651},{},[3652],{"nodeType":1282,"value":3653,"marks":3654,"data":3655},"An attacker impersonating IT support calls the target employee, establishes urgency — often citing a \"mandatory passkey rollout\" or a \"security compliance update\" — and directs them to a victim-branded AiTM phishing page (typically at a domain like \u003Ccompany>sso.com or \u003Ccompany>internal.com). The attack is processed by a live human in real time, relaying credentials and MFA codes to the legitimate identity provider as they are entered, capturing the resulting session token, and granting the attacker an authenticated session. ",[],{},{"nodeType":1283,"data":3657,"content":3658},{},[3659,3663,3670,3674],{"nodeType":1282,"value":3660,"marks":3661,"data":3662},"One of the reasons that this method is becoming so widespread is the commoditization of effective tools. Push's ",[],{},{"nodeType":1322,"data":3664,"content":3665},{"uri":1495},[3666],{"nodeType":1282,"value":3667,"marks":3668,"data":3669},"infiltration of the criminal phishing panels",[],{},{"nodeType":1282,"value":3671,"marks":3672,"data":3673}," identified over 400 linked domains across four distinct infrastructure clusters. ",[],{},{"nodeType":1282,"value":3675,"marks":3676,"data":3678},"This mirrors the pattern that turned AiTM phishing from a specialist capability into an industrialized market with competing PhaaS platforms, but with the added complication that voice phishing as the delivery vector makes the attack invisible to traditional anti-phishing controls at the email layer.",[3677],{"type":1304},{},{"nodeType":1292,"data":3680,"content":3684},{"target":3681},{"sys":3682},{"id":3683,"type":1289,"linkType":1290},"1Yhthl0PILGW7EmCcZUrNv",[],{"nodeType":1296,"data":3686,"content":3687},{},[],{"nodeType":1306,"data":3689,"content":3690},{},[3691],{"nodeType":1282,"value":3692,"marks":3693,"data":3695},"Vector 2: Vishing combined with device code phishing",[3694],{"type":1304},{},{"nodeType":1283,"data":3697,"content":3698},{},[3699,3702,3709,3713,3720],{"nodeType":1282,"value":3107,"marks":3700,"data":3701},[],{},{"nodeType":1322,"data":3703,"content":3704},{"uri":3070},[3705],{"nodeType":1282,"value":3706,"marks":3707,"data":3708}," ShinyHunters Salesforce campaign",[],{},{"nodeType":1282,"value":3710,"marks":3711,"data":3712}," that ran through 2025 and into 2026 used device code phishing as one of its core methods,",[],{},{"nodeType":1322,"data":3714,"content":3715},{"uri":3479},[3716],{"nodeType":1282,"value":3717,"marks":3718,"data":3719}," compromising over 1,000 organizations and claiming 1.5 billion stolen records",[],{},{"nodeType":1282,"value":3721,"marks":3722,"data":3723}," — including an attempted extortion of Salesforce itself. The attack involved registering an attacker-controlled \"DataLoader\" application mimicking a legitimate Salesforce tool, configuring it to request broad OAuth scopes including full API access and refresh token generation, and guiding victims through the device authorization flow via vishing calls.",[],{},{"nodeType":1283,"data":3725,"content":3726},{},[3727],{"nodeType":1282,"value":3728,"marks":3729,"data":3730},"Device code phishing exploits the OAuth 2.0 device authorization grant — a flow designed for devices without browsers, like smart TVs, but used in a wide range of scenarios including CLI logins — by tricking users into entering a code on Microsoft's (or another identity provider's) legitimate verification page. Since the victim is usually signed into the app in their browser, there’s no login at all. They simply navigate to the app’s device code login page and enter an attacker-provided code to grant the attacker an access token. ",[],{},{"nodeType":1283,"data":3732,"content":3733},{},[3734],{"nodeType":1282,"value":3735,"marks":3736,"data":3738},"This is what makes device code phishing structurally different from AiTM: it defeats all MFA (including passkeys) because the attack doesn’t target the login, but the authorization layer instead.",[3737],{"type":1304},{},{"nodeType":1292,"data":3740,"content":3744},{"target":3741},{"sys":3742},{"id":3743,"type":1289,"linkType":1290},"3ElQz8sLATnR8RY5nVlBGM",[],{"nodeType":1296,"data":3746,"content":3747},{},[],{"nodeType":1306,"data":3749,"content":3750},{},[3751],{"nodeType":1282,"value":3752,"marks":3753,"data":3755},"Vector 3: OAuth supply chain attacks through compromised integrators",[3754],{"type":1304},{},{"nodeType":1283,"data":3757,"content":3758},{},[3759],{"nodeType":1282,"value":3760,"marks":3761,"data":3762},"The third vector does not require the attacker to phish the victim organization's employees at all. Instead, it exploits the OAuth trust relationships that organizations create when they connect third-party SaaS vendors into their environments — and the consequence is that every organization that authorized one of these integrations effectively extended its security boundary to include the vendor's own security posture.",[],{},{"nodeType":1283,"data":3764,"content":3765},{},[3766,3769,3777],{"nodeType":1282,"value":3107,"marks":3767,"data":3768},[],{},{"nodeType":1322,"data":3770,"content":3772},{"uri":3771},"https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesforce-instances-via-salesloft-drift",[3773],{"nodeType":1282,"value":3774,"marks":3775,"data":3776}," Salesloft/Drift supply chain attack",[],{},{"nodeType":1282,"value":3778,"marks":3779,"data":3780}," demonstrated this at scale in 2025: in an extension of the previously mentioned device code phishing campaign, the attacker compromised Salesloft's GitHub environment, used TruffleHog to find secrets, stole Drift OAuth tokens, and used them to access downstream Salesforce environments. The same pattern was later repeated at Gainsight. ",[],{},{"nodeType":1283,"data":3782,"content":3783},{},[3784],{"nodeType":1282,"value":3785,"marks":3786,"data":3787},"Along with the previously mentioned device code phishing attacks,  more than 1000 organizations were breached. The attackers then harvested AWS keys, Snowflake credentials, and stored passwords from breached Salesforce instances, compounding the access into progressively wider reach.",[],{},{"nodeType":1283,"data":3789,"content":3790},{},[3791,3795,3803,3807,3815,3819,3827],{"nodeType":1282,"value":3792,"marks":3793,"data":3794},"The same structural pattern has continued into 2026 with the Anodot supply chain compromise, which has produced confirmed breaches at",[],{},{"nodeType":1322,"data":3796,"content":3798},{"uri":3797},"https://www.bleepingcomputer.com/news/security/vimeo-data-breach-exposes-personal-information-of-119-000-people/",[3799],{"nodeType":1282,"value":3800,"marks":3801,"data":3802}," Vimeo",[],{},{"nodeType":1282,"value":3804,"marks":3805,"data":3806}," (119,000 users), Rockstar Games (78.6 million records), and",[],{},{"nodeType":1322,"data":3808,"content":3810},{"uri":3809},"https://www.bleepingcomputer.com/news/security/zara-data-breach-exposed-personal-information-of-197-000-people/",[3811],{"nodeType":1282,"value":3812,"marks":3813,"data":3814}," Zara/Inditex",[],{},{"nodeType":1282,"value":3816,"marks":3817,"data":3818}," (197,000 people), with further downstream victims likely still emerging. The",[],{},{"nodeType":1322,"data":3820,"content":3822},{"uri":3821},"https://pushsecurity.com/blog/unpacking-the-vercel-breach/",[3823],{"nodeType":1282,"value":3824,"marks":3825,"data":3826}," Vercel breach",[],{},{"nodeType":1282,"value":3828,"marks":3829,"data":3830}," demonstrates this too, which involved compromised OAuth tokens from Context.ai cascading into Google Workspace, reinforces the same attack pattern (though it was likely not a ShinyHunters operation despite being claimed by someone pretending to be them).",[],{},{"nodeType":1283,"data":3832,"content":3833},{},[3834],{"nodeType":1282,"value":3835,"marks":3836,"data":3837},"A forgotten SaaS integration can easily become the pivot point for downstream compromise. The moment you authorize a third-party integration, your security boundary extends to include that vendor. If the third-party is compromised, every downstream customer organization with an active integration is exposed.",[],{},{"nodeType":1296,"data":3839,"content":3840},{},[],{"nodeType":1306,"data":3842,"content":3843},{},[3844],{"nodeType":1282,"value":3845,"marks":3846,"data":3848},"These attacks all happen in the browser",[3847],{"type":1304},{},{"nodeType":1283,"data":3850,"content":3851},{},[3852,3856,3863],{"nodeType":1282,"value":3853,"marks":3854,"data":3855},"Every one of these attack chains is a browser-based attack that either occurs in the browser (AiTM phishing, device code phishing) or could have been prevented at the browser layer (OAuth consent governance). The techniques are interchangeable — the",[],{},{"nodeType":1322,"data":3857,"content":3858},{"uri":1736},[3859],{"nodeType":1282,"value":3860,"marks":3861,"data":3862}," same criminal kits now offer AiTM and device code phishing side by side",[],{},{"nodeType":1282,"value":3864,"marks":3865,"data":3866},", and the same threat actor (ShinyHunters) has used all three vectors across different campaigns within the same twelve-month period.",[],{},{"nodeType":2709,"data":3868,"content":3869},{},[3870],{"nodeType":1282,"value":3871,"marks":3872,"data":3874},"How Push can help",[3873],{"type":1304},{},{"nodeType":1283,"data":3876,"content":3877},{},[3878],{"nodeType":1282,"value":3879,"marks":3880,"data":3881},"Push operates at the exact point in each of these attack chains where automated intervention can still prevent the compromise. ",[],{},{"nodeType":1283,"data":3883,"content":3884},{},[3885,3890,3894,3901],{"nodeType":1282,"value":3886,"marks":3887,"data":3889},"For vishing + AiTM attacks, ",[3888],{"type":1304},{},{"nodeType":1282,"value":3891,"marks":3892,"data":3893},"Push's",[],{},{"nodeType":1322,"data":3895,"content":3896},{"uri":1495},[3897],{"nodeType":1282,"value":3898,"marks":3899,"data":3900}," behavioral phishing detection",[],{},{"nodeType":1282,"value":3902,"marks":3903,"data":3904}," analyzes and blocks the phishing page in real time by detecting it from the user's browser — regardless of the domains used, hosting infrastructure, or where the URL was delivered.  ",[],{},{"nodeType":1283,"data":3906,"content":3907},{},[3908,3913,3917,3924],{"nodeType":1282,"value":3909,"marks":3910,"data":3912},"For device code phishing,",[3911],{"type":1304},{},{"nodeType":1282,"value":3914,"marks":3915,"data":3916}," Push detects the phishing pages associated with ",[],{},{"nodeType":1322,"data":3918,"content":3919},{"uri":1736},[3920],{"nodeType":1282,"value":3921,"marks":3922,"data":3923},"device code phishing kits",[],{},{"nodeType":1282,"value":3925,"marks":3926,"data":3927}," — including generic, technique-class detections that catch new kits without requiring kit-specific signatures. Second, Push provides an additional layer of protection on the legitimate device code authentication pages themselves, preventing users from entering attacker-supplied codes into them. Together, these detections cover both the kit-operated phishing infrastructure and the legitimate auth pages that the attack flow depends on.",[],{},{"nodeType":1283,"data":3929,"content":3930},{},[3931,3936,3940,3948],{"nodeType":1282,"value":3932,"marks":3933,"data":3935},"For OAuth supply chain attacks,",[3934],{"type":1304},{},{"nodeType":1282,"value":3937,"marks":3938,"data":3939}," Push's ",[],{},{"nodeType":1322,"data":3941,"content":3943},{"uri":3942},"https://site.dev.pushsecurity.com/contentful-preview/?blogSlug=analyzing-the-instructure-breach",[3944],{"nodeType":1282,"value":3945,"marks":3946,"data":3947},"detects and controls OAuth consent flows",[],{},{"nodeType":1282,"value":3949,"marks":3950,"data":3951}," at the browser layer — capturing which application is requesting access, what scopes it's requesting, and whether the grant should be permitted under organizational policy. Push customers can also block OAuth connection requests as they transit the browser, enabling security teams to stop unwanted integrations being added in the first place. ",[],{},{"nodeType":2709,"data":3953,"content":3954},{},[3955],{"nodeType":1282,"value":3956,"marks":3957,"data":3959},"Closing thoughts",[3958],{"type":1304},{},{"nodeType":1283,"data":3961,"content":3962},{},[3963],{"nodeType":1282,"value":3964,"marks":3965,"data":3966},"The campaigns documented in this post are not historical — they are ongoing, with new victims surfacing weekly and the underlying criminal infrastructure still actively developing. But the defensive strategy does not require anticipating which specific group, vector, or target sector comes next, because all three converge on the same control point: the browser, where the attack begins or the integration decision is made. Organizations with browser-layer detection and OAuth governance in place have defense-in-depth against the full range of techniques these groups employ, regardless of which specific vector any given campaign uses.",[],{},{"nodeType":1296,"data":3968,"content":3969},{},[],{"nodeType":1283,"data":3971,"content":3972},{},[3973],{"nodeType":1282,"value":3974,"marks":3975,"data":3976},"Push Security is the most powerful AI-native security tool in the browser. Think EDR, but for the browser — high-fidelity telemetry and real-time control across every session, on every device, with no browser migration required. ",[],{},{"nodeType":1283,"data":3978,"content":3979},{},[3980],{"nodeType":1282,"value":3981,"marks":3982,"data":3983},"Security teams use Push to detect and stop advanced browser-based attacks like AiTM phishing, ClickFix, and session hijacking; gain visibility and control over AI tool usage across their workforce; harden identities by surfacing credential reuse, SSO gaps, and shadow IT; and support data loss and insider investigations with browser-layer telemetry that other tools can't see.",[],{},{"nodeType":1283,"data":3985,"content":3986},{},[3987,3990,3998],{"nodeType":1282,"value":29,"marks":3988,"data":3989},[],{},{"nodeType":1322,"data":3991,"content":3993},{"uri":3992},"https://pushsecurity.com/demo/",[3994],{"nodeType":1282,"value":3995,"marks":3996,"data":3997},"Book a live demo to learn more.",[],{},{"nodeType":1282,"value":29,"marks":3999,"data":4000},[],{},{"nodeType":1296,"data":4002,"content":4003},{},[],{"nodeType":1306,"data":4005,"content":4006},{},[4007],{"nodeType":1282,"value":4008,"marks":4009,"data":4011},"Appendix: named ShinyHunters victims since May 2025",[4010],{"type":1304},{},{"nodeType":1283,"data":4013,"content":4014},{},[4015,4019,4026],{"nodeType":1282,"value":4016,"marks":4017,"data":4018},"To give an indication of the scale, the following table documents all publicly named victims attributed to ShinyHunters specifically since the Salesforce campaign began in May 2025. It is not exhaustive: ShinyHunters has claimed over 1,000 organizations in aggregate across its Salesforce campaigns alone, and many victims have not been publicly named. This list also doesn’t include the billion-plus records compromised in the 2024 Snowflake breaches. The major ransomware attacks executed against M&S, Co-op, and Jaguar Land Rover claimed by the ",[],{},{"nodeType":1322,"data":4020,"content":4021},{"uri":3048},[4022],{"nodeType":1282,"value":4023,"marks":4024,"data":4025},"Scattered Lapsus$ Hunters \"brand\"",[],{},{"nodeType":1282,"value":4027,"marks":4028,"data":4029}," also aren't listed below. ",[],{},{"nodeType":4031,"data":4032,"content":4033},"table",{},[4034,4083,4140,4188,4236],{"nodeType":4035,"data":4036,"content":4037},"table-row",{},[4038,4050,4061,4072],{"nodeType":4039,"data":4040,"content":4041},"table-cell",{},[4042],{"nodeType":1283,"data":4043,"content":4044},{},[4045],{"nodeType":1282,"value":4046,"marks":4047,"data":4049},"Campaign",[4048],{"type":1304},{},{"nodeType":4039,"data":4051,"content":4052},{},[4053],{"nodeType":1283,"data":4054,"content":4055},{},[4056],{"nodeType":1282,"value":4057,"marks":4058,"data":4060},"Began",[4059],{"type":1304},{},{"nodeType":4039,"data":4062,"content":4063},{},[4064],{"nodeType":1283,"data":4065,"content":4066},{},[4067],{"nodeType":1282,"value":4068,"marks":4069,"data":4071},"Named victims",[4070],{"type":1304},{},{"nodeType":4039,"data":4073,"content":4074},{},[4075],{"nodeType":1283,"data":4076,"content":4077},{},[4078],{"nodeType":1282,"value":4079,"marks":4080,"data":4082},"Confirmed impact",[4081],{"type":1304},{},{"nodeType":4035,"data":4084,"content":4085},{},[4086,4110,4120,4130],{"nodeType":4039,"data":4087,"content":4088},{},[4089],{"nodeType":1283,"data":4090,"content":4091},{},[4092,4097,4101,4106],{"nodeType":1282,"value":4093,"marks":4094,"data":4096},"ShinyHunters Salesforce Vishing",[4095],{"type":1304},{},{"nodeType":1282,"value":4098,"marks":4099,"data":4100}," (vishing + device code phishing → Salesforce connected app authorization) \n\n& ",[],{},{"nodeType":1282,"value":4102,"marks":4103,"data":4105},"Salesloft/Drift Supply Chain",[4104],{"type":1304},{},{"nodeType":1282,"value":4107,"marks":4108,"data":4109}," (stolen OAuth tokens → downstream Salesforce access)",[],{},{"nodeType":4039,"data":4111,"content":4112},{},[4113],{"nodeType":1283,"data":4114,"content":4115},{},[4116],{"nodeType":1282,"value":4117,"marks":4118,"data":4119},"May 2025",[],{},{"nodeType":4039,"data":4121,"content":4122},{},[4123],{"nodeType":1283,"data":4124,"content":4125},{},[4126],{"nodeType":1282,"value":4127,"marks":4128,"data":4129},"Coca-Cola Europacific Partners, Cisco, Qantas, LVMH, Adidas, Google, Chanel, Pandora, Allianz Life, Air France-KLM, Farmers Insurance, Workday, TransUnion, Stellantis, Kering, Odido, Hallmark, Salesloft (origin), Toast, Avalara, Fastly, Cato Networks, Cloudflare, Palo Alto Networks, Zscaler, Tenable, Elastic, JFrog, CyberArk, Rubrik, BeyondTrust, Proofpoint, Workiva, Mercer Advisors, Beacon Pointe, Ameriprise, Kemper, Udemy, 7-Eleven, Mytheresa, Marcus & Millichap, Carnival, Pitney Bowes, Alert 360, Amtrak, McGraw-Hill, Canada Life",[],{},{"nodeType":4039,"data":4131,"content":4132},{},[4133],{"nodeType":1283,"data":4134,"content":4135},{},[4136],{"nodeType":1282,"value":4137,"marks":4138,"data":4139},"48 named victims. Confirmed individual impact includes 23M+ records (Coca-Cola), 5.7M records (Qantas), 6.2M customers (Odido), 4.4M consumers (TransUnion), up to 18M records (Stellantis), 13.5M emails (McGraw-Hill), 8.2M emails (Pitney Bowes), 7.5M emails (Carnival). ShinyHunters claims 1.5B+ Salesforce records across 1,000+ organizations total.",[],{},{"nodeType":4035,"data":4141,"content":4142},{},[4143,4158,4168,4178],{"nodeType":4039,"data":4144,"content":4145},{},[4146],{"nodeType":1283,"data":4147,"content":4148},{},[4149,4154],{"nodeType":1282,"value":4150,"marks":4151,"data":4153},"Vishing + AiTM SSO",[4152],{"type":1304},{},{"nodeType":1282,"value":4155,"marks":4156,"data":4157}," (vishing → AiTM phishing page → SSO session capture → SaaS data exfiltration)",[],{},{"nodeType":4039,"data":4159,"content":4160},{},[4161],{"nodeType":1283,"data":4162,"content":4163},{},[4164],{"nodeType":1282,"value":4165,"marks":4166,"data":4167},"Aug 2025",[],{},{"nodeType":4039,"data":4169,"content":4170},{},[4171],{"nodeType":1283,"data":4172,"content":4173},{},[4174],{"nodeType":1282,"value":4175,"marks":4176,"data":4177},"SoundCloud, GrubHub, Panera Bread, Match Group, Crunchbase, Betterment, CarMax, Edmunds, CarGurus, Hims & Hers, University of Pennsylvania, Harvard University, Optimizely, TELUS Digital, Crunchyroll, ADT",[],{},{"nodeType":4039,"data":4179,"content":4180},{},[4181],{"nodeType":1283,"data":4182,"content":4183},{},[4184],{"nodeType":1282,"value":4185,"marks":4186,"data":4187},"16 named victims. Confirmed individual impact includes ~30M records (SoundCloud), ~14M records (Panera), 10M+ records (Match Group), ~20M records (Betterment), 5.5M people (ADT), 1M+ records (UPenn), ~1PB stolen from TELUS Digital ($65M ransom refused).",[],{},{"nodeType":4035,"data":4189,"content":4190},{},[4191,4206,4216,4226],{"nodeType":4039,"data":4192,"content":4193},{},[4194],{"nodeType":1283,"data":4195,"content":4196},{},[4197,4202],{"nodeType":1282,"value":4198,"marks":4199,"data":4201},"Anodot Supply Chain",[4200],{"type":1304},{},{"nodeType":1282,"value":4203,"marks":4204,"data":4205}," (stolen OAuth tokens → downstream Snowflake/BigQuery access)",[],{},{"nodeType":4039,"data":4207,"content":4208},{},[4209],{"nodeType":1283,"data":4210,"content":4211},{},[4212],{"nodeType":1282,"value":4213,"marks":4214,"data":4215},"Apr 2026",[],{},{"nodeType":4039,"data":4217,"content":4218},{},[4219],{"nodeType":1283,"data":4220,"content":4221},{},[4222],{"nodeType":1282,"value":4223,"marks":4224,"data":4225},"Anodot/Glassbox (origin), Rockstar Games, Vimeo, Zara/Inditex",[],{},{"nodeType":4039,"data":4227,"content":4228},{},[4229],{"nodeType":1283,"data":4230,"content":4231},{},[4232],{"nodeType":1282,"value":4233,"marks":4234,"data":4235},"4 named victims (12+ total claimed). 78.6M records (Rockstar Games), 197K individuals (Zara), 119K individuals (Vimeo).",[],{},{"nodeType":4035,"data":4237,"content":4238},{},[4239,4254,4263,4273],{"nodeType":4039,"data":4240,"content":4241},{},[4242],{"nodeType":1283,"data":4243,"content":4244},{},[4245,4250],{"nodeType":1282,"value":4246,"marks":4247,"data":4249},"Other SLH-attributed",[4248],{"type":1304},{},{"nodeType":1282,"value":4251,"marks":4252,"data":4253}," (misc. vectors including infostealer chains, CI/CD supply chain, SaaS platform compromise)",[],{},{"nodeType":4039,"data":4255,"content":4256},{},[4257],{"nodeType":1283,"data":4258,"content":4259},{},[4260],{"nodeType":1282,"value":4117,"marks":4261,"data":4262},[],{},{"nodeType":4039,"data":4264,"content":4265},{},[4266],{"nodeType":1283,"data":4267,"content":4268},{},[4269],{"nodeType":1282,"value":4270,"marks":4271,"data":4272},"UK Legal Aid Agency, Mixpanel, Wynn Resorts, Woflow, Vercel, European Commission, Mercor, Medtronic, Instructure",[],{},{"nodeType":4039,"data":4274,"content":4275},{},[4276],{"nodeType":1283,"data":4277,"content":4278},{},[4279],{"nodeType":1282,"value":4280,"marks":4281,"data":4282},"10 named victims across varied vectors. Notable: Vercel (Lumma Stealer → Context.ai OAuth app → Google Workspace), European Commission (poisoned Trivy GitHub Action → 340GB across 71 EU entities)",[],{},{"nodeType":1283,"data":4284,"content":4285},{},[4286],{"nodeType":1282,"value":29,"marks":4287,"data":4288},[],{},"The three attack techniques behind ShinyHunters' 2026 campaigns ","ShinyHunters' breach of Instructure is the latest in a long series of attacks. Here's our view of the big picture. ","analyzing-the-instructure-breach",{"items":4293},[4294,4296],{"sys":4295,"name":2545},{"id":2544},{"sys":4297,"name":3412},{"id":3411},{"items":4299},[4300],{"fullName":3416,"firstName":3417,"jobTitle":3418,"profilePicture":4301},{"url":3420},"7-things-we-learned-from-troy-hunt","blog/7-things-we-learned-from-troy-hunt",{"json":4305},{"data":4306,"content":4307,"nodeType":1947},{},[4308],{"data":4309,"content":4310,"nodeType":1283},{},[4311,4315,4323],{"data":4312,"marks":4313,"value":4314,"nodeType":1282},{},[],"Troy Hunt — founder of ",{"data":4316,"content":4318,"nodeType":1322},{"uri":4317},"https://haveibeenpwned.com/",[4319],{"data":4320,"marks":4321,"value":4322,"nodeType":1282},{},[],"Have I Been Pwned",{"data":4324,"marks":4325,"value":4326,"nodeType":1282},{},[],", and the person who has probably collected more breach data than anyone in history — joined Push field CTO Mark Orlando to talk about why credential-based attacks keep working, what breach data actually tells us about organizational risk, and why even the best human defenses aren't enough on their own.","Here are 7 things we learned from our conversation with Troy Hunt on the \"Yes, you've been pwned\" webinar. ",{"id":4329,"publishedAt":4330},"1a7lydXCDm3UakeiWQVPfQ","2026-05-20T14:58:31.888Z",{"items":4332},[4333,4335],{"sys":4334,"name":2545},{"id":2544},{"sys":4336,"name":4338},{"id":4337},"1gZi8NrRy2v9OqPV7C4dwD","Risk management","divRIzLCM3s2Bp3JyURTuUx85GYQReajTxKWx1UmFlQ",1779300464940]